Duo® Security

Duo® Security increases security with Two-Factor Authentication (2FA). 2FA using Duo Security combines traditional account credentials (like a username and password) with a code or other verification from a device like a smart phone. Requiring both to log in decreases the threat of a leaked password.

Use of Duo Security is free for up to 10 accounts, and the Duo® Mobile app is available on all major smartphone platforms.

In WHMCS 8.9 and later, our Duo Security integration supports Duo Universal Prompt, which uses Duo Push by default. This pushes login or transaction details to your phone, allowing for immediate one-tap approval.

  • If you already used Duo Security with the previous integration, you must log in to the Duo portal and upgrade your API credentials to use Duo Universal Prompt.
  • Duo has announced that support for the previous iframe-based Duo Prompt will end on March 30, 2024.
    • Duo’s support teams will no longer be able to troubleshoot issues with the previous Duo Prompt after this date.
    • After you upgrade to WHMCS 8.9 or later, we strongly recommend activating Universal Prompt in your Duo admin portal to ensure continued functionality. If you do not do this, your customers may experience problems.

You can configure Duo Security as a 2FA service at Configuration () > System Settings > Two Factor Authentication.

For steps and more information about enabling 2FA globally, see Enable 2FA Globally.

Configuring Duo Security

Before you can configure Duo Security globally in WHMCS, you must perform additional steps to retrieve your Duo credentials.

To retrieve your credentials from Duo and configure Duo Security:

  1. Log in to your Duo Security account.
    You must create a Duo Security account with an account level of Duo MFA or higher in order to access the Duo API.
  2. Click Applications in the left side menu.
  3. Click Protect an Application.
    • For WHMCS 8.9 and later, under Web SDK, click Protect this Application.
    • For WHMCS 8.8 and earlier, under Auth API, click Protect this Application.
      If you don’t see this option, contact Duo support.
  4. Retrieve the following values:
    • For WHMCS 8.9 and later, retrieve the Client ID, Client Secret, and API hostname values.
    • For WHMCS 8.8 and earlier, retrieve the Integration Key, Secret Key, and API hostname values.
  5. Enter these values at Configuration () > System Settings > Two Factor Authentication when you configure Duo Security.
    Configuring Duo Security in WHMCS 8.9 and later

Using Existing Duo Accounts

The WHMCS Duo integration uses the following format for admins that it transmits to Duo:


You can use existing Duo accounts or users to complete 2FA into the Admin Area. To do this, use the alias function in Duo to create an alias for the admin.

For more information, see Duo’s Aliases Guide documentation.

Reactivating a user

When a user replaces or loses a 2FA device, they will need to reauthenticate Duo Security in order to enable the prompt. To achieve this, an admin will need to delete and restore the users from within the Duo dashboard.

For more information, see Duo’s documentation.

Last modified: May 29, 2024