From WHMCS Documentation

(Redirected from Duo Security)

< Back to Two-Factor Authentication

What is Duo Security

Duo Security increases security by adding a second identity verification to logins. By requiring two factors: First, your password (the thing you know) and then something unique (that you have) like your phone, it protects your WHMCS installation and login accounts against unauthorized access.

Why Duo Security?

Duo Security is free up to 10 users which makes it a perfect solution for securing administrator logins.

The Duo Mobile app is free and available on all major smartphone platforms, and lets users easily generate passcodes without the cost and hassle of hardware tokens.

iPhone, Android, BlackBerry, and Windows Phone users can also use Duo Push which “pushes” login or transaction details to the phone, allowing for immediate, one-tap approval.

You will require your own Duo Security account. A 'Duo MFA' or higher level account is required to access the Duo API: Click here to signup.

Configuring Duo Security

Protect an Application
Protect Auth API

To configure Duo Security in WHMCS, follow the steps below:

  1. Begin by logging in to your account at Duo Security
  2. Click Applications in the left sidebar
  3. Click Protect an Application
  4. Locate the Auth API option
    • If you are missing this option from your Duo account, you will need to contact Duo to have them activate this for your account
  5. Beneath it click Protect this Application
  6. Take note of following values:
  • Integration Key
  • Secret Key
  • API hostname

Now login to your WHMCS Admin area as a Full Administrator user:

Complete configuration in WHMCS
  1. Navigate to Configuration () > System Settings > Two Factor Authentication or, prior to WHMCS 8.0, Setup > Staff Management > Two-Factor Authentication.
  2. Click the "Activate" button next to Duo Security
  3. To enable Duo Security as a two-factor option for staff, tick the checkbox labelled Enable for Staff
  4. To enable Duo Security for customers, tick the checkbox labelled Enable for Clients
  5. Enter the Integration Key, Secret Key and API Hostname you noted down previously where requested
  6. Click Save Changes

Enabling Duo Security as an Admin User

To enable Duo Security for your admin user account, begin by configuring Duo Security as instructed above.

Once complete, navigate to the My Account page within the WHMCS admin area and from there you will see an option to enable Two-Factor Authentication.

You will then be guided through the setup process.

On all future login attempts, you will be asked to complete the Two-Factor Authentication process.

Enabling Duo Security as a Client

Login to the WHMCS client area and then navigate to Account > My Account > Security Settings or, prior to WHMCS 8.0, My Account > Security Settings.

From there, click Enable Two-Factor Authentication.

You will then be guided through the setup process.

On all future login attempts, you will be asked to complete the Two-Factor Authentication process.


The second factor you supplied was incorrect. Please try again

Seeing this error when activating the DuoSecurity method for the first time means that the code being entered does not match that which DuoSecurity expects. This is caused by the time on your server not matching DuoSecurity's clocks

You can see the time in the top-right corner of your WHMCS admin area, it's taken directly from your server's PHP configuration. So you must ensure the server time is synced exactly with UTC. For example if the server time is 00:01 and the time at DuoSecurity is 00:00 you will see this error. Syncing the server with NTP to ensure the time is exactly right will resolve this.

Different time-zones are taken into account, so time-zone differences won't cause a problem.