# Duo Security MCP

> Duo Security (Two-Factor Authentication API) gives your AI agent full control over identity management and MFA workflows. You can manage user accounts, trigger Duo Push or SMS authentication requests, check account billing details, and run pre-auth checks—all without logging into the admin panel. It lets security teams handle complex provisioning tasks instantly.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** 2fa, mfa, authentication, identity-management, duo-security

## Description

Managing a large organization's digital identities means constant manual work: creating new users, resetting MFA credentials, checking if an account needs updating, or running through billing audits. This MCP connects your AI agent directly to Duo Security’s core APIs. Instead of navigating multiple dashboards and copy-pasting data, you just tell your agent what you need done—for example, 'Check user LKing's access factors.' It performs the checks and returns actionable status updates instantly. Whether you use a client like Claude or Cursor, Vinkius makes this entire suite available through one connection point. This capability means IT admins can handle complex account provisioning and security validation tasks in natural conversation.

## Tools

### auth_status
Checks the current status of an asynchronous authentication request you previously initiated.

### auth
Triggers a second-factor authentication request for a user via configured methods.

### bulk_create_users
Creates up to 100 new user accounts in a single API call, speeding up provisioning.

### check_auth
Verifies your integration keys and checks the signature generation capability for secure communication.

### create_account
Creates a new child account under an existing Duo partnership structure.

### create_user
Registers a single, brand-new user into the Duo system.

### delete_account
Removes a child account from the partnership structure.

### get_billing_edition
Retrieves specific billing information for an account to help with licensing checks.

### get_telephony_credits
Checks how many available phone call credits are remaining for a given account.

### list_accounts
Gets a list of all child accounts linked to an MSP partner.

### list_users
Retrieves a paged list of users, allowing filtering by email or username.

### modify_user
Updates existing details for an account or user profile.

### ping_auth
Performs a simple health check to confirm the Duo authentication API is active and responding.

### preauth
Determines if a user can log in, identifying all available MFA factors before triggering a challenge.

### restore_users
Reverts users that were previously sent to the trash/pending deletion state.

### set_billing_edition
Manually assigns or changes the billing edition for a specific account.

### set_telephony_credits
Adjusts the number of available phone call credits on an account for testing or correction.

### trash_users
Sends a user to a pending deletion status, keeping them recoverable for seven days.

## Prompt Examples

**Prompt:** 
```
List the first 10 users from our Duo directory.
```

**Response:** 
```
I've retrieved the user list. Found users: 'jdoe' (Active), 'asmith' (Bypass), and 8 others. Would you like to see details for a specific user?
```

**Prompt:** 
```
Send a Duo Push authentication request to username 'mrossi'.
```

**Response:** 
```
Authentication request sent to 'mrossi' via Push. Transaction ID: `TX123456`. I'll monitor the status for you.
```

**Prompt:** 
```
Check if user 'lking' is authorized to log in and what factors they can use.
```

**Response:** 
```
User 'lking' is authorized. Available factors: Duo Push, Phone Call, and SMS Passcode. Which one should we trigger?
```

## Capabilities

### Manage User Accounts
Create new user records, change existing details, or delete users for lifecycle management.

### Control Authentication Attempts
Initiate Duo Push, SMS, Phone, or Passcode requests directly through your agent when a user needs to log in.

### Validate Login Status
Check if a user is authorized for login and determine which MFA factors they can actually use.

### Audit User Lists and Accounts
Retrieve paginated lists of all users or child accounts associated with the organization.

### Monitor Billing Status
Check current billing editions or available telephony credits for specific accounts.

## Use Cases

### Onboarding a new team of 50 staff
The IT Admin needs to create fifty user accounts immediately. Instead of running a half-dozen manual API calls, they prompt their agent: 'Use the `bulk_create_users` tool for these names.' The agent handles the entire batch upload in one go.

### Investigating a suspicious login attempt
The SecOps Analyst needs to know if user jdoe was authorized. They prompt their agent: 'Check jdoe's pre-auth status.' The agent uses `preauth` and reports back all available factors, allowing the analyst to decide whether to trigger an MFA challenge using `auth`.

### Cleaning up decommissioned accounts
The DevOps Engineer must remove a user account but can't delete it yet. They prompt: 'Move username jsmith to trash.' The agent uses the `trash_users` tool, marking the account for deletion while keeping the data available for recovery.

## Benefits

- Streamlines user provisioning: Instead of running bulk scripts, use the `bulk_create_users` tool to add up to 100 users in one request.
- Reduces investigation time: Use `preauth` to check if a user is authorized and what factors they can use *before* sending an MFA challenge. This prevents failed logins.
- Simplifies account cleanup: If you need to remove old accounts, trigger the `trash_users` tool first, keeping them in a recoverable state for seven days.
- Automates security checks: For troubleshooting, run the `auth` tool or `ping_auth` to verify MFA credentials and ensure the API connection is live.
- Handles billing tasks instantly: Use tools like `get_billing_edition` or `set_telephony_credits` to audit account finances without logging into the finance portal.

## How It Works

The bottom line is that your AI client performs complex security actions using pre-configured keys, so you just talk to it instead of clicking through interfaces.

1. First, subscribe to this MCP and provide your Duo API Hostname, Integration Key, and Secret Key.
2. Next, prompt your AI client with the desired action—for example, 'Send a Duo Push authentication request for username mrossi.'
3. Your agent executes the necessary tool calls, retrieves the status (like a transaction ID), and reports back to you.

## Frequently Asked Questions

**How do I use the Duo Security MCP to create users?**
You can create a single user using `create_user` or provision many at once with `bulk_create_users`. Just tell your agent which tool to run and what details to include.

**What is the difference between `list_users` and `list_accounts`?**
`list_users` retrieves user accounts (the end-user profiles). `list_accounts` lists child accounts, which are usually used for partnership or billing structures.

**If I delete a user, can I get them back using the Duo Security MCP?**
Yes. The agent uses the `trash_users` tool to send users to pending deletion, and later you can use `restore_users` to bring them back online.

**Can I check if a user is allowed to log in with preauth?**
Absolutely. Use the `preauth` tool. It determines authorization status and lists every available factor, so you know exactly what challenge to send next.

**After triggering a Duo authentication request, how do I confirm success using `auth_status`?**
You use `auth_status` to poll for the result of an asynchronous authentication process. This is key because sometimes Duo Push or SMS requests take time; this tool confirms if the transaction succeeded or failed.

**What are the limits when I need to create many users at once using `bulk_create_users`?**
The tool allows you to create up to 100 new users in a single request. This is much faster than calling the individual user creation tool repeatedly, streamlining large-scale onboarding.

**How do I check Duo's available phone call capacity using `get_telephony_credits`?**
Running `get_telephony_credits` fetches the current credit balance for your account. This helps prevent service outages by letting you monitor resources before an automated workflow runs out of funds.

**Before I automate anything, how do I verify my Duo integration keys using the `check_auth` tool?**
Call `check_auth` to validate your API credentials and confirm signature generation. Running this first ensures your setup is correct before you attempt critical user management or authentication tasks.

**Can I trigger a Duo Push notification for a specific user?**
Yes. Use the `auth` tool and set the `factor` to 'push'. You can provide either the `username` or `user_id` to target the correct person.

**How do I check which authentication factors are available for a user?**
Run the `preauth` tool with the user's details. It will return whether the user is authorized and a list of supported factors like push, phone, or SMS.

**Is it possible to change a user's status to 'bypass' or 'disabled'?**
Yes, the `modify_user` tool allows you to update the `status` field to 'active', 'bypass', or 'disabled' using the user's unique ID.