Set Up Duo Security Accounts

Dayforce Implementation Guide

Version
R2025.1.1
Before you can enable two-factor authentication, you must set up an account with Duo Security, enable that account for the appropriate API access, and generate the access keys. Dayforce uses these APIs so that users can log in through the Duo-provided UI workflow, which enrolls users the first time and authenticates them on subsequent logins.

The type of Duo Security account depends on the size of your organization and must be arranged between you and Duo Security.

It's critical that the account supports both Web SDK integration and Admin API integration. At the time of writing, this is a Duo Security “Enterprise” account. You must specifically ask Duo Security to enable Admin API integration because it isn't enabled by default. Duo leaves it disabled because enabling it can allow customers to make large and irreversible changes to their account programmatically. Dayforce uses the Admin API integration to enable the two-factor authentication functionality in System Admin > User.

Web SDK Integration

This integration is required so that users can log in through the Duo-provided UI workflow, which enrolls users the first time and authenticates them on subsequent logins.

Admin API Integration

This integration is required to enable the functionality on the User Admin page that resets (deletes) users in the Duo system. It is also used on the Admin page where the TFA configuration keys are entered, to verify that the keys are correct.