Enabling DUO 2FA Phishing Simulations

How to enable DUO 2FA phishing

Enabling the DUO integration will allow CultureAI to monitor and assess how securely employees are using multi-factor authentication, by running duo push notification phishing simulations.

To enable DUO phishing, you will need to create an application with DUO for CultureAI. This will allow us to access your DUO users, and send them out notifications.


  • Owner, Administrator, or Application Manager user level in DUO
  • Platform Admin access in CultureAI
  • Push Notifications enabled on DUO

Good to know

  • If you don't have DUO push notifications enabled in your DUO application, our phishing simulations won't come through to your users. Please ensure you have this enabled.
  • The emails your users have in CultureAI, will need to match the username in DUO. If this doesn't match, we won't be able to send out our phishing simulations.


  1. Login to your DUO account
  2. Follow the steps on DUO's guide here to create a new application (DUO calls this 'Protecting')
  3. When you choose what application type you'd like to create, select the 'Auth API' option
    image (10)
  4. When you get to the 'Username normalization' section, choose the 'None' option
    image (11)
  5. Follow the steps in the guide till you reach the page that gives your App key, API URL/hostname and Secret key
    Application Information
  6. Copy these keys and save these keys
  7. Now head back to your CultureAI Admin dashboard
  8. Click on the cog symbol along the top bar of your dashboard
  9. Click into the 'Attack Simulations" section through and locate the 'Duo 2FA Phishing' integration
  10. Click on the 'Configure Duo' section and enter in the keys that you saved earlier
  11. Click "Save"

    Now it's time to configure your DUO Phishing settings
  12.  Click on the 'Assessment Frequency' tab
  13. Drag the two sliders around to choose the minimum and maximum amount of Phishes you'd like your users to receive over a 12-month period
    We recommend setting this at around 15-30, however, you can set this higher or lower
  14. Click 'Save'
  15. Next click on the 'Assessment Configuration' tab
  16. Here you choose how many points you'd like your users to awarded for reporting a DUO phishing login attempt. They will be deducted the same amount for approving a phishing attempt. 
    This will impact your users leaderboard score, if you're using it.
  17. Once you're happy, click 'Save'

    Lastly, you can configure what users should be included in DUO phishing
  18. Click on the 'Included Users' section 
  19. Press the drop-down to see your options, you can include all users, or choose certain groups to include
  20. If you want to only phish certain user groups, click the 'Include and/ or exclude users' option
  21. A new section will have appeared where you can choose which User Group you'd like to include or exclude
  22. Click on the red and green buttons to move users to the 'Disabled User Group', or the 'Enabled User Groups' boxes
    Any users in the 'Disabled' box, will not receive any DUO Phishing notifications, any in the 'Enabled' box will be sent DUO Phishing notifications 
  23. Once you're happy with your groups, click 'Save'
  24. Now you can enable DUO!
  25. Click the 'Enable' button at the top of the page
  26. You're done! The button should now be green, and your users will start to receive DUO phishing notifications