Configure Duo MFA for portal sign-ins.
Use this guide when a partner or client account needs Duo Enterprise MFA instead of email verification.
Before starting, make sure the Duo account can authenticate the same username used to sign in to the Aditum™/BuildingISP portal. If needed, create matching Duo users or add the portal username as an alias on the correct Duo user.
Before you begin.
Confirm the correct portal access.
Partner MFA requires Partner Admin credentials. Client MFA requires Property Admin credentials.
Confirm Duo user matching.
The user authenticating the setup must exist in Duo as the portal username or as an alias on the correct Duo account.
Setup steps.
Create the Duo application.
In the Duo Admin Panel, open Applications, choose Protect an Application, search for Web SDK, and select Protect.
- Use the Universal Prompt option. Traditional Prompt is not supported.
- Change the display name from Web SDK to something clear, such as BuildingISP.
Copy the Duo application values.
Keep the Client ID, Client Secret, and API Hostname available. These values will be entered into the portal security settings.
Open the portal security settings.
Sign in to the BuildingISP portal with the appropriate admin credentials, then navigate to the Security tab on either the Partner Admin page or the Client Settings page.
Switch MFA mode to Duo.
Change Multi Factor Mode from Email to Duo, enter the Client ID, Client Secret, and API Hostname, then click Save MFA Settings.
Complete the validation prompt.
The portal opens a Duo MFA prompt to validate the configuration. Some browsers may block the popup, so allow the popup if needed.
- Authenticate successfully within 30 seconds and the settings will be saved automatically.
- If authentication fails, no settings are saved.
- The most common failure is a portal username that does not exist in Duo and is not configured as an alias.
Confirm future sign-in behavior.
New sign-ins will use Duo going forward. Users re-authenticate with Duo when more than 6 hours have passed since the last Duo MFA event.
Important transition note.
Existing 30-day remembered-device periods from prior email MFA events may remain valid until the remainder of that window expires, the user password is reset, or the user signs out. Clicking Log Off clears the remembered MFA status for that computer and removes the 6-hour reactivation window.