Skip to content
CMS Max Documentation

Duo Security

Add two-factor authentication to your admin login with Duo Security.

Overview

The Duo Security plugin adds two-factor authentication (2FA) to your CMS Max admin panel login. After entering your username and password, you complete a second verification step through Duo, which can be a push notification to your phone, a passcode, or a biometric check. This significantly reduces the risk of unauthorized access to your admin panel.

Prerequisites

You need a Duo Security account with an application configured for your site. Visit the Duo Admin Panel to set one up.

Setting Up Duo Security

Step 1: Create a Duo Application

  1. Log in to the Duo Admin Panel
  2. Navigate to Applications and click Protect an Application
  3. Find Web SDK and click Protect
  4. Note the Client ID, Client Secret, and API Hostname shown on the application page

Step 2: Configure the Plugin

Duo Security plugin settings page

  1. In your CMS Max admin panel, go to Settings > Plugins
  2. Find Duo Security and open the settings page
  3. Enter the credentials from your Duo application:
    • Client ID
    • Client Secret
    • API Hostname (e.g., api-XXXXXXXX.duosecurity.com)
  4. Click Save and Install

Step 3: Enroll Users

Each admin user needs to be enrolled in Duo. When a user logs in for the first time after Duo is enabled, they will be guided through the enrollment process to set up their authentication device.

How Login Works with Duo

  1. Enter your username and password on the CMS Max login page
  2. You are redirected to the Duo prompt
  3. Approve the login using one of these methods:
    • Push notification -- Tap "Approve" on the Duo Mobile app
    • Passcode -- Enter a code from the Duo Mobile app or a hardware token
    • Biometric -- Use fingerprint or face recognition (if supported by your device)
  4. After approval, you are logged into the admin panel

Troubleshooting

Duo prompt is not appearing after login:

  • Verify the plugin is installed and active in Settings > Plugins
  • Confirm the Client ID, Client Secret, and API Hostname are entered correctly
  • Check that the API Hostname follows the format api-XXXXXXXX.duosecurity.com

Users cannot enroll:

  • Verify the application in the Duo Admin Panel is active and not in a restricted policy
  • Check that the user's email in CMS Max matches what Duo expects

Locked out of the admin panel:

  • Contact your CMS Max administrator to temporarily disable the Duo plugin