All Collections
Support for Integrations
Setting up Traceless with Duo
Setting up Traceless with Duo

Step-by-step instructions to use Traceless to send Duo MFA push notifications

Peter avatar
Written by Peter
Updated over a week ago

Traceless allows you to effortlessly send identity verification requests to your customers and teammates via Duo and other channels. Our tool also allows your team transmit data and files leaving nothing at rest.

Following these steps, you will be able to use Traceless to seamlessly send Duo MFA push notifications directly from your Chat Client (Teams, Slack) or PSA (CW PSA, Autotask, ServiceNow, etc).

Outline: To get Duo set up with Traceless follow these steps:

  1. Generate an Accounts API key from your Duo MSP Parent Account (You must be an owner of this account for the Accounts API to appear in search under "Applications To Protect").

  2. Enter in credentials in Traceless and select which child accounts you would like to create Auth API integrations for

  3. Verify that your child accounts have usernames or aliases that will align with email addresses in your Chat Client or PSA

  4. Test Traceless by sending an mfa challenge via Duo

NOTE: If you have tenants that are "reparented" to your MSP account you can create accounts for these directly using Admin API Keys instead of the Accounts API in the "Add Account" section. You will commonly see a 40002 error saying "Invalid Request Parameters" because it doesn't have the correct permissions.

NOTE: Please limit access to the IP list we provide when you are logged into Traceless and setting up Duo.

Step 1. Generate your Accounts API key

You will need to be in the parent Duo tenant that manages all your child accounts. If you do not manage your customers this way, contact us and we can manually onboard you.

  • Search for "Accounts API" after clicking "Protect an Appication" in "Applications" section

  • Copy the Integration Key, Secret Key and Api Hostname details locally

  • Click "Save Changes"

Step 2. Enter the credentials in Traceless

Navigate to and enter your credentials

  • Click "Connect." This will retrieve every Child Duo account you have access to.

  • Select which accounts to create an Auth API key for in Traceless.

  • Click "Submit." This will generate integrations for all selected Child Duo accounts. If there are errors the system will relay what the issue is. The primary issue that Traceless looks for is if you have users that have no email addresses assigned at all.

  • Once the process is complete you should be ready to test Duo in your PSA or Chat.

  • If you have questions about any errors you see, please contact us

3. Verify all accounts have accessible usernames

Traceless has a utility built in that will allow you to ensure that all your users have usernames or aliases that align with their work email. This way we can use the Auth API to associate their identities across applications. If you have seen errors for child accounts that read: "No email in aliases or username" this can be resolved by this step.

  • Click "Create Aliases." The UI will show all Child Accounts that you have added to Traceless. You can now select which account you'd like to add aliases for.

  • Click "Submit." The system will show you what accounts had aliases add and which accounts failed if any.

With this process complete, we can deliver push notifications to your customers with much higher confidence.

4. Test it out! Go to your PSA where you have already integrated Traceless and send a test Duo push to a customer or teammate that has it implemented.

That's it! If you have questions, please reach out to us using or clicking on the chat icon right over there --->

Did this answer your question?