Configure Supported Multi-Factor Authentication Providers

This section contains configuration options and sample usages of supported MFA providers.

All provider configurations require the following top-level items:

  • Name: The name of the configuration. This must be unique across all MFA configurations.
  • Type: The provider type.

The configuration for the provider type is described below.


      "type": "duo",
      "name": "My company Duo application",
      "options": {
         "IntegrationKey": "qeetyitqrtqkjpohgdjag03?=",
         "SecretKey": "j#lfae2df$?==",
         "Host": ""

Options for Duo are:

  • Host: (String, required). URL for the Duo applications authentication API.
  • IntegrationKey: (String, required). The Duo application integration key to be used.
  • SecretKey: (String, required). The Duo application secret key.


DevOps Secrets Safe supports generic TOTP that can be used with any TOTP provider that adheres to RFC 6238, such as Google Authenticator. Because TOTP is symmetric and both parties hold a shared secret key, each principal has its own secret key provided when running ssrun mfa assign-principal. Optionally, you can omit the -m in ssrun mfa assign-principal and a TOTP secret is generated and assigned to the principal as well as returned from the command.

TOTP configurations are very simple, requiring only a name with the type totp.

Sample TOTP multi-factor authentication configuration:
  "type": "totp",
  "name": "TotpDemoConfig"

Because, as shown above, TOTP configurations are simple, DSS has a default TOTP configuration, with the name totp. The default TOTP configuration is enabled by default but can be turned off via the setting MultiFactor:DefaultTotpEnabled. While the default TOTP configuration is enabled, principals can be assigned multi-factor authentication using the configuration name totp without having to explicity create the configuration.