diff --git a/README.md b/README.md index d98936e32..ad4e1861c 100644 --- a/README.md +++ b/README.md @@ -8,8 +8,9 @@ [![Gitter](https://img.shields.io/gitter/room/badges/shields.svg)](https://gitter.im/authelia/general?utm_source=share-link&utm_medium=link&utm_campaign=share-link) [![Donate](https://img.shields.io/badge/Donate-PayPal-orange.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=clement%2emichaud34%40gmail%2ecom&lc=FR&item_name=Authelia¤cy_code=EUR&bn=PP%2dDonationsBF%3abtn_donate_SM%2egif%3aNonHosted) -**Authelia** is an open-source authentication and authorization providing - 2-factor authentication and single sign-on (SSO) for your applications. +**Authelia** is an open-source authentication and authorization server +providing 2-factor authentication and single sign-on (SSO) for your +applications. It acts as a companion of reverse proxies by handling authentication and authorization requests. @@ -20,15 +21,17 @@ for specific services in only few seconds.

- +

## Features summary Here is the list of the main available features: -* **[U2F] - Universal 2-Factor -** support with [Yubikey]. -* **[TOTP] - Time-Base One Time password -** support with [Google Authenticator]. +* Several kind of second factor: + * **[Security Key (U2F)](./docs/2factor/security-key.md)** support with [Yubikey]. + * **[Time-based One-Time password](./docs/2factor/time-based-one-time-password.md)** support with [Google Authenticator]. + * **[Mobile Push Notifications](./docs/2factor/duo-push-notifications.md)** with [Duo](https://duo.com/). * Password reset with identity verification using email. * Single-factor only authentication method available. * Access restriction after too many authentication attempts. @@ -43,6 +46,7 @@ For more details about the features, follow [Features](./docs/features.md). You can start off with + git clone https://github.com/clems4ever/authelia.git source bootstrap.sh If you want to go further, please read [Getting Started](./docs/getting-started.md). @@ -113,8 +117,8 @@ Wanna see more features? Then fuel us with a few beers! [MIT License]: https://opensource.org/licenses/MIT [TOTP]: https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm -[U2F]: https://www.yubico.com/about/background/fido/ +[Security Key]: https://www.yubico.com/about/background/fido/ [Yubikey]: https://www.yubico.com/products/yubikey-hardware/yubikey4/ [auth_request]: http://nginx.org/en/docs/http/ngx_http_auth_request_module.html [Google Authenticator]: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en -[config.template.yml]: https://github.com/clems4ever/authelia/blob/master/config.template.yml +[config.template.yml]: https://github.com/clems4ever/authelia/blob/master/config.template.yml \ No newline at end of file diff --git a/config.template.yml b/config.template.yml index 0587fa530..727858bf9 100644 --- a/config.template.yml +++ b/config.template.yml 
@@ -34,7 +34,7 @@ totp: # Parameters used to contact the Duo API. Those are generated when you protect an application # of type "Partner Auth API" in the management panel. duo_api: - hostname: api-123456789.duosecurity.com + hostname: api-123456789.example.com integration_key: ABCDEF secret_key: 1234567890abcdefghifjkl diff --git a/docs/2factor/duo-push-notifications.md b/docs/2factor/duo-push-notifications.md new file mode 100644 index 000000000..7b2eaf59a --- /dev/null +++ b/docs/2factor/duo-push-notifications.md @@ -0,0 +1,47 @@ +# Duo Push Notification + +Using mobile push notifications is becoming the new trendy way to validate +the second factor of a 2FA authentication process. [Duo](https://duo.com/) is offering an API +to integrate this kind validation and **Authelia** leverages this mechanism +so that you can simply push a button on your smartphone to be securely granted +access to your services. + +

+ +

+ +In order to use this feature, you should first create a free account on Duo +(up to 10 users), create a user account and attach it a mobile device. The name +of the user must match the name of the user in your internal database. +Then, click on *Applications* and *Protect an Application*. Then select the option +called *Partner Auth API*. This will generate an integration key, a secret key and +a hostname. You can set the name of the application to **Authelia** and then you +must add the generated information to your configuration as: + + duo_api: + hostname: api-123456789.example.com + integration_key: ABCDEF + secret_key: 1234567890abcdefghifjkl + +This can be seen in [config.template.yml](../../config.template.yml) file. + +When selecting *Duo Push Notification* at the second factor stage, you will +automatically receive a push notification on your phone to grant or deny access. + +

+ + +

+ +## Limitations + +Users must be enrolled via the Duo Admin panel, they cannot enroll a device from +**Authelia** yet. + + +## FAQ + +### Why don't I have access to the *Duo Push Notification* option? + +It's likely that you have not configured **Authelia** correctly. Please read this +documentation again and be sure you had a look at [config.template.yml](../../config.template.yml). \ No newline at end of file diff --git a/docs/2factor/security-key.md b/docs/2factor/security-key.md new file mode 100644 index 000000000..c1f748cf9 --- /dev/null +++ b/docs/2factor/security-key.md @@ -0,0 +1,40 @@ +# Security Keys (U2F) + +**Authelia** also offers authentication using Security Keys supporting U2F +like [Yubikey](Yubikey) USB devices. U2F is one of the most secure +authentication protocol and is already available for Google, Facebook, Github +accounts and more. + +The protocol requires your security key being enrolled before authenticating. + +

+ +

+ +To do so, select the *Security Key* method in the second factor page and click +on the *register new device* link. This will send a link to the +user email address. This e-mail will likely be sent to https://mail.example.com:8080/ +if you're testing Authelia and you've not configured anything. + +Confirm your identity by clicking on **Continue** and you'll be asked to +touch the token of your security key to enroll. + +

+ +

+ +Upon successful registration, you can authenticate using your security key by simply +touching the token again. + +Easy, right?! + +## FAQ + +### Why don't I have access to the *Security Key* option? + +U2F protocol is a new protocol that is only supported by recent browser +and must even be enabled on some of them like Firefox. Please be sure +your browser supports U2F and that the feature is enabled to make the +option available in **Authelia**. + +[Yubikey]: https://www.yubico.com/products/yubikey-hardware/yubikey4/ diff --git a/docs/2factor/time-based-one-time-password.md b/docs/2factor/time-based-one-time-password.md new file mode 100644 index 000000000..2ef9bbf72 --- /dev/null +++ b/docs/2factor/time-based-one-time-password.md @@ -0,0 +1,29 @@ +# One-Time Passwords + +In **Authelia**, your users can use [Google Authenticator] for generating unique +tokens that they can use to pass the second factor. + +

+ +

+ +Select the *One-Time Password method* and click on the *register new device* link. +Then, check the email sent by **Authelia** to your email address +to validate your identity. If you're testing **Authelia**, it's likely +that this e-mail has been sent to https://mail.example.com:8080/ + +Confirm your identity by clicking on **Continue** and you'll get redirected +on a page where your secret will be displayed as QRCode and in Base32 formats. + +

+ +

+ +You can use [Google Authenticator] to store it. + +From now on, you'll get generated +tokens from your phone that you can use to validate the second factor in **Authelia**. + + + +[Google Authenticator]: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en \ No newline at end of file diff --git a/docs/features.md b/docs/features.md index b601cda9a..f811973ee 100644 --- a/docs/features.md +++ b/docs/features.md @@ -15,39 +15,16 @@ You can find an example of the configuration of the LDAP backend in

-## Second factor with TOTP +## Second factor -In **Authelia**, you can register a per user TOTP (Time-Based One Time -Password) secret before being being able to authenticate. Click on the -register button and check the email **Authelia** sent to your email address -to validate your identity. +**Authelia** comes with three kind of second factor. -Confirm your identity by clicking on **Continue** and you'll get redirected -on a page where your secret will be displayed in QRCode and Base32 formats. -You can use [Google Authenticator] to store it and get the generated tokens. +* Security keys like [Yubikey]. More info [here](./2factor/security-key.md). +* One-Time Passwords generated by [Google Authenticator]. More info [here](./2factor/time-based-one-time-password.md). +* Duo Push Notifications to use with [Duo mobile application](https://play.google.com/store/apps/details?id=com.duosecurity.duomobile&hl=en) available on Android, iOS and Windows. More info [here](./2factor/duo-push-notifications.md).

- -

- -## Second factor with U2F security keys - -**Authelia** also offers authentication using U2F (Universal 2-Factor) devices -like [Yubikey](Yubikey) USB security keys. U2F is one of the most secure -authentication protocol and is already available for Google, Facebook, Github -accounts and more. - -Like TOTP, U2F requires you register your security key before authenticating. -To do so, click on the register button. This will send a link to the -user email address. -Confirm your identity by clicking on **Continue** and you'll be asked to -touch the token of your device to register. Upon successful registration, -you can authenticate using your U2F device by simply touching the token. - -Easy, right?! - -

- +

## Password reset @@ -96,5 +73,5 @@ Redis key/value store. You can specify your own Redis instance in [basic authentication]: https://en.wikipedia.org/wiki/Basic_access_authentication [config.template.yml]: https://github.com/clems4ever/authelia/blob/master/config.template.yml -[Google Authenticator]: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en [Yubikey]: https://www.yubico.com/products/yubikey-hardware/yubikey4/ +[Google Authenticator]: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en \ No newline at end of file diff --git a/images/2factor_duo.png b/images/2factor_duo.png new file mode 100644 index 000000000..f68d1b48d Binary files /dev/null and b/images/2factor_duo.png differ diff --git a/images/2factor_totp.png b/images/2factor_totp.png new file mode 100644 index 000000000..d09a8f2ea Binary files /dev/null and b/images/2factor_totp.png differ diff --git a/images/2factor_u2f.png b/images/2factor_u2f.png new file mode 100644 index 000000000..8cdd2d838 Binary files /dev/null and b/images/2factor_u2f.png differ diff --git a/images/duo-push-1.jpg b/images/duo-push-1.jpg new file mode 100644 index 000000000..d1a74a8cb Binary files /dev/null and b/images/duo-push-1.jpg differ diff --git a/images/duo-push-2.png b/images/duo-push-2.png new file mode 100644 index 000000000..23b5d73e3 Binary files /dev/null and b/images/duo-push-2.png differ diff --git a/images/first_factor.png b/images/first_factor.png index c6821ca5d..603301184 100644 Binary files a/images/first_factor.png and b/images/first_factor.png differ diff --git a/images/use-another-method.png b/images/use-another-method.png new file mode 100644 index 000000000..560679b63 Binary files /dev/null and b/images/use-another-method.png differ diff --git a/test/suites/.gitignore b/test/suites/.gitignore index 4df2d1dca..83d1ce3ce 100644 --- a/test/suites/.gitignore +++ b/test/suites/.gitignore 
@@ -1 +1,3 @@ -users_database.test.yml \ No newline at end of file +users_database.test.yml + +private-*/ \ No newline at end of file
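Review bot: the quick-start snippet in the README hunk @@ -43,6 +46,7 @@ is missing a `cd authelia` between `git clone https://github.com/clems4ever/authelia.git` and `source bootstrap.sh`; as written, the second command runs in the directory the clone was made from, where `bootstrap.sh` does not exist, and `source` will fail. Suggest three lines: `git clone https://github.com/clems4ever/authelia.git`, `cd authelia`, `source bootstrap.sh`.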
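Review bot: "Several kind of second factor" in the README hunk @@ -20,15 +21,17 @@ should read "Several kinds of second factor", and the three nested bullets use inline links (`[Security Key (U2F)](./docs/2factor/security-key.md)` etc.), so the `[U2F]`/`[TOTP]` reference definitions are no longer used by this list; keep the link style consistent with the rest of the README and remove definitions that nothing references.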
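Review bot: in the README hunk @@ -113,8 +117,8 @@ the `[U2F]:` reference is renamed to `[Security Key]:` but, with the feature list now using inline links, nothing in the visible changes references `[Security Key]`, so this is a dead definition; either drop it or switch the bullet back to reference style. The last change in the same hunk only strips the trailing newline from the `[config.template.yml]:` line (`\ No newline at end of file`); restore the newline here, in the docs/features.md hunk @@ -96,5 +73,5 @@ and in the three new docs files, which all end the same way.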
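Review bot: replacing `hostname: api-123456789.duosecurity.com` with `hostname: api-123456789.example.com` in the config.template.yml hunk @@ -34,7 +34,7 @@ removes the only hint that a real Duo API hostname is under duosecurity.com, while the block still ships placeholder credentials (`integration_key: ABCDEF`, `secret_key: 1234567890abcdefghifjkl`). Suggest extending the comment above the block to say that all three values must be copied from the Duo Admin panel for the Authelia application, that the secret key is a credential and must not be committed with the rest of the configuration, and, if feasible, have Authelia refuse to enable the Duo method while these placeholder values are in place.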
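Review bot: the new docs/2factor/duo-push-notifications.md says the Duo user name must match the internal database user name and that enrollment only happens in the Duo Admin panel, but it does not say what happens for an Authelia user with no matching or unenrolled Duo user. Duo applications have a new-user policy that can let unknown users through without 2FA, so the page should tell admins to set that policy to deny access for the Authelia application and state that Authelia treats anything other than an explicit "allow" from the Duo API as a denial. Two wording fixes in the same hunk: "integrate this kind validation" should read "integrate this kind of validation", and "attach it a mobile device" should read "attach a mobile device to it".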
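Review bot: `[Yubikey](Yubikey)` in the new docs/2factor/security-key.md is an inline link whose target is the literal string "Yubikey", which renders as a broken relative link; since `[Yubikey]: https://www.yubico.com/products/yubikey-hardware/yubikey4/` is defined at the bottom of the file, write it as `[Yubikey]` (reference style). Grammar in the same hunk: "one of the most secure authentication protocol" should be "protocols", "requires your security key being enrolled" should be "requires your security key to be enrolled", and "only supported by recent browser" should be "browsers". The FAQ would also be more useful if it mentioned that browsers only expose U2F on HTTPS origins, which is a common reason the option does not appear, and that the enrollment e-mail link is what authorizes registering a new key, so the mailbox it goes to needs to be trusted.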
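Review bot: the new docs/2factor/time-based-one-time-password.md shows the TOTP secret "as QRCode and in Base32 formats" but never says that this secret is the credential itself; add a sentence telling users to enroll it in the authenticator immediately and not to share, screenshot or store the QR code or Base32 string elsewhere. The page title "One-Time Passwords" also differs from the README link text "Time-based One-Time password" and the file name; pick one name. Wording: "redirected on a page" should read "redirected to a page".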
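Review bot: "**Authelia** comes with three kind of second factor." in the docs/features.md hunk @@ -15,39 +16,16 @@ should read "three kinds of second factor". Since this hunk removes the per-method registration instructions from features.md and replaces them with links, please check that every detail that was only here (the registration button, the e-mail identity check, the QR/Base32 display) made it into the three new pages so nothing is lost in the move.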
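Review bot: the `private-*/` pattern added to test/suites/.gitignore has no explanation of what those directories hold; add a one-line `#` comment above it stating their purpose (for example that they are local-only suites carrying real service credentials, if that is the intent) so nobody removes the entry or commits such a directory by mistake.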