Manage phones, hardware tokens, and other two-factor authentication devices from the Duo Admin Panel.
To access the Admin Panel, navigate to https://admin.duosecurity.com , enter your administrator account email address and password, and click Log In. After your login is accepted, you then authenticate using a second factor. You must activate your administrator account for Duo Mobile separately from your user account to use Duo's push authentication. See Managing Duo Administrators for instructions.
The browser used to access the Admin Panel must support TLS 1.2, which most modern browsers do by default. If you are concerned about compatibility, please update your browser or check your browser’s SSL implementation here: https://www.ssllabs.com.
Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar. The default view called "Phones" also includes tablet devices. A list of phones and tablets is shown, along with the attached user(s), if any.
If you're using Duo's Duo Beyond or Duo Access plans, the default 2FA Devices view includes a number of selectable filters on the left side. You can narrow down the list of devices by OS platform, version, or security feature.
Click the Reports button in the upper right side of the devices list and select CSV or JSON to download a a list of devices. You can also select URL to obtain a direct link to your current view. If you've filtered your current view, the report only includes the filtered results.
Select a phone by clicking the identifier in the "Device" column. This loads the properties page for that phone or tablet. The device page lists the attached user (or users) information and other information and properties.
Duo Beyond and Duo Access plan customers see additional security status information when viewing an enrolled device.
To learn more about the additional 2FA device information visible in the Duo Beyond and Duo Access plans, see the Device Insight documentation.
Role required: Owner, Administrator, User Manager, or Help Desk.
Administrators can create a new phone or tablet device in Duo and attach it to an existing user. To do this:
Log in to the Duo Admin Panel and click Users in the left sidebar, or enter a username into the search bar at the top of the page.
Select a user by clicking their username. Scroll down to the Phones table on the user's properties page and then click the Add Phone button.
Select the type of device. If you're adding a phone, you'll also need to enter the phone number.
Click the Add Phone button.
On the next page you'll be asked to add details, the most important being the device's "Type" and "Platform". You can also chose to assign a "Device name", which is very helpful when users have several numberless mobile devices (like tablets). When you've finished entering details, click Save Changes.
Administrators can also attach an existing device to multiple Duo users.
Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar.
Select a phone by clicking the identifier in the "Device" column. Click the Attach a user link on the device's properties page.
Select a Duo user from the drop-down list and click Attach.
The additional user is attached to the 2FA device. A notification bar across the top alerts you that the device is shared between more than one user.
Adminsistrators can send Duo Mobile activation codes from the Admin Panel. See Managing Users: Activating Duo Mobile.
Role required: Owner, Administrator, User Manager, or Help Desk.
When using Duo's automatic push or phone call authentication the service contacts the first device listed in the user's Devices table (phone1). Attached devices can be reordered so that a different one is used for primary authentication.
Log in to the Duo Admin Panel and click Users in the left sidebar.
Select a user by clicking the username in the "Username" column. Scroll down to the Phones table on the user's properties page, click on the device that should be listed first and drag it into place.
The device aliases automatically update (e.g. phone2 becomes phone1).
Role required: Owner, Administrator, User Manager, or Help Desk.
If a user loses a mobile device or reports it stolen, you can entirely delete the device from Duo, simultaneously removing it from all associated users. Deleted devices can easily be added back later.
To delete a device:
Log in to the Duo Admin Panel and click Users in the left sidebar.
Select a user by clicking their username. Scroll down to the Phones table on the user's properties page and then click on the Alias or Device of the phone to delete.
Click the Delete Phone button near the top of the phone properties page.
Confirm deletion of the phone.
Deleting a phone in this manner removes it from all associated users immediately. When the device is recovered, you can add it to the user again and re-activate Duo Mobile. If you have deployed a Duo application that uses inline enrollment, the user can self-enroll a replacement device. For extra security, you may want to disable the user in Duo until they are ready to enroll a replacement device.
If you only need to remove a shared device from a specific user's profile (leaving other users sharing the device unaffected), you can do so:
Log in to the Duo Admin Panel and click Users in the left sidebar.
Select a user by clicking their username. Scroll down to the Phones table on the user's properties page and click the Delete button next to the lost or stolen device.
You can later add the device to the user again and re-activate Duo Mobile. If you have deployed a Duo application that uses inline enrollment, the user can self-enroll a replacement device.
If a device is removed from all users sharing it, the device is deleted from Duo.
Log in to the Duo Admin Panel, click 2FA Devices in the left sidebar, then click Hardware Tokens. A list of hardware tokens is shown, along with the attached end user, if any.
Administrators with the Owner role see an additional column of administrators attached to hardware tokens.
Click the Reports button in the upper right side of the tokens list and select CSV or JSON to download a a list of tokens. You can also select URL to obtain a direct link to your current view. If you've filtered your current view, the report only includes the filtered results.
Select a token by clicking the identifier in the "Serial Number" column. This loads the properties page for that token. The token page lists the token type and attached end user information.
Administrators with the Owner role see an additional table with attached administrator user information.
Role required: Owner or Billing.
To purchase tokens from Duo, click Billing in the left sidebar of the Duo Admin Panel, click Hardware Tokens in the submenu, then click the Buy Hardware Tokens button. Enter your billing information if not already present, then select the number of tokens you wish to purchase and enter your shipping information and click the "Place Order" button.
Tokens purchased from Duo are automatically imported into your account, therefore Duo does not provide the token seeds directly to you (nor can you export the seed information from your account). This protects the integrity and confidentiality of your Duo token seeds and minimizes the likelihood of token compromise. If you wish to maintain control of your token seeds, please purchase third-party tokens from another vendor and import them into Duo.
Role required: Owner, Administrator, User Manager, or Help Desk.
Duo also works with third-party one-time password (OTP) hardware tokens, such as YubiKey OTP or any other SHA-1 OATH HOTP-compatible tokens. TOTP tokens are not recommended for use with Duo, as full support for TOTP token drift and TOTP resync is not available.
Admins need to manually import third-party OTP token information into Duo. When importing tokens, keep in mind that tokens should be unique between Duo accounts.
Protect your third-party token seed information as sensitive and confidential information. A compromise of your token seeds could potentially result in 2FA bypass.
To import third-party OTP tokens into Duo:
Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar, then click Hardware Tokens in the submenu.
Click the Import Hardware Tokens button.
Select the type of token to import from the drop-down menu and then paste in the token information in CSV format. This information is provided by the hardware token manufacturer or vendor. The token serial number cannot exceed 128 characters. Click Import Hardware Tokens.
The tokens are immediately imported and listed in the "Hardware Tokens" table.
If you need to import a large number of YubiKey tokens you can use Yubico's personalization tool to configure multiple tokens quickly and export a CSV file with the serial number and key information you need to import the YubiKeys into Duo. Deploying more than 500 YubiKeys? Contact us for more information about how to make it easier.
Role required: Owner, Administrator, User Manager, or Help Desk.
To assign an OTP token to an end user:
Click Users in the left sidebar. Select a user by clicking their username. Scroll down to the "Hardware Tokens" table on the user's properties page and then click the Add Hardware Token button.
Click the drop-down menu to see a list of available tokens. You can also search for a token by typing in the serial number.
Click a token to select it, and then click Add Hardware Token.
The user's properties page now lists the newly added token.
OTP Tokens can also be associated with users from the token's properties page. A hardware token may be assigned to multiple end users.
Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar, then click Hardware Tokens.
Click on the Serial Number of a token to access the token's properties page. On the token's properties page, scroll down to the Users table and click the Attach User button.
Select a Duo user from the drop-down list and click Attach.
The token's properties page now lists the attached user.
Role required: Owner.
Assigning a hardware token to an Administrator permits token passcode authentication when logging in to the Duo Admin Panel. OTP hardware tokens (but not U2F tokens) may be used for administrator logins.
Only account owners may modify other administrator accounts to add hardware token authenticators. A hardware token may be assigned to multiple administrator users.
To attach a token to an administrator:
Log in to the Duo Admin Panel and click Administrators in the left sidebar.
Click on the administrator's user name to view details.
Click the drop-down menu to see a list of available hardware tokens. You can also search for a token by typing in the serial number.
Click a token to select it, and then click Save Changes at the bottom of the page.
The administrator's properties page shows the newly added token. Click the Remove link to the right to remove the hardware token from the administrator's account.
Before your users can utilize U2F tokens or security keys for authentication, make sure you've enabled U2F authentication in your Duo global settings.
Unlike OTP hardware tokens, users can self-enroll the U2F token via the Duo enrollment prompt or device management portal. See the U2F enrollment process for end users to learn more.
You might want to enroll a security key or U2F token on behalf of a Duo user (for example, if you're on-boarding new hires ahead of their start dates). You can do this from the Admin Panel. Before you start, you need to have the security key to be assigned as you'll need to physically tap it to complete registration.
Role required: Owner, Administrator, User Manager, or Help Desk.
To assign a U2F token to an end user:
Insert the U2F token into an available slot on your computer.
Log in to the Duo Admin Panel and click Users in the left sidebar.
Select a user by clicking their username. Scroll down to the "U2F Token" table on the user's properties page and then click the Add U2F Token button.
A pop-up dialog asks you to touch the U2F token to enroll it.
Tap the token inserted in your computer to complete enrollment.
The user's properties page now lists the newly added U2F token.
Remove the U2F token or security key from your computer and deliver it to the end user.
Duo admins can only enroll one security key on behalf of a user, but end users can enroll additional tokens themselves via self-service device management.
It's not possible to move existing enrolled U2F tokens or security keys between Duo users. If you want to reassign a U2F token from one user to another, you must delete the token from the first user, and then perform enrollment again on behalf of the second user.
Hardware tokens may occasionally become out of sync with Duo's service. When this happens, passcodes generated by the token fail to authenticate the user. You can manually resynchronize HOTP hardware tokens purchased from Duo or third-party vendors from the Admin Panel. TOTP tokens imported into Duo cannot be resynchronized.
To resynchronize a HOTP hardware token:
Log in to the Duo Admin Panel, click 2FA Devices in the left sidebar, and then click Hardware Tokens.
Click on the Serial Number of a token to access the token's properties page. Once on the token's properties page, click the Resync Token button near the top of the token's properties page.
Enter the code displayed on the token as the 1st code. Advance to the next token code and enter that number as the 2nd code. Advance to the next token code one more time and enter that number as the 3rd code. Click the Resync Hardware Token button after entering all three token codes.
You may delete third-party hardware tokens you previously imported into Duo (but not D100 tokens purchased from Duo), as well as U2F tokens and security keys associated with end users.
Deleting a token in this manner removes it from all associated users immediately. If those users still need to authenticate to Duo, ensure that they have another authentication device attached to their user accounts.
To delete a third-party hardware token:
Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar. Then click Hardware Tokens.
Click on the Serial Number of a token to access the token's properties page. Once on the token's properties page, click the Delete Hardware Token button near the top of the token's properties page.
Confirm deletion of the hardware token.
To delete a U2F token:
Log in to the Duo Admin Panel and click 2FA Devices in the left sidebar; then click U2F Tokens.
Locate the registration ID or user whose U2F token you want to delete in the table, and then click the Remove button on the right.
Confirm deletion of the U2F token.
Need some help? Try searching our Knowledge Base articles or Community discussions. For further assistance, contact Support.