@andrewhaines
Last active October 22, 2018 20:10
Using Duo MFA with Devise in a Rails app

DUO_INT_KEY=your_integration_key_from_duo
DUO_SECRET_KEY=your_secret_key_from_duo
DUO_APP_KEY=your_secret_string # Generate with SecureRandom.hex(20); must be at least 40 characters
DUO_HOST=api-123abc.duosecurity.com

<script src="https://api.duosecurity.com/frame/hosted/Duo-Web-v2.js" type="text/javascript"></script>
<iframe id="connect_with_duo" data-host="<%= ENV["DUO_HOST"] %>" data-sig-request="<%= @sig_request %>" data-post-action="/registrations/verify_duo"></iframe>

# Gemfile
gem 'duo_web'

# routes.rb
devise_scope :user do
  post 'registrations/verify_duo', to: 'registrations#verify_duo', as: :verify_duo
  get 'registrations/connect_with_duo', to: 'registrations#connect_with_duo', as: :connect_with_duo
  authenticated do
    root :to => "registrations#connect_with_duo"
  end
end
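
# registrations_controller.rb
class RegistrationsController < Devise::RegistrationsController
  skip_before_action :require_no_authentication, only: [:verify_duo]
  # The Duo iframe posts back without a Rails CSRF token, so skip the check
  # for that one action only, not for the whole controller.
  skip_before_action :verify_authenticity_token, only: [:verify_duo]
  # The Duo actions must stay reachable before the second factor is complete.
  skip_before_action :confirm_duo_authentication, only: [:connect_with_duo, :verify_duo], raise: false
  # Both actions rely on current_user, so require the Devise sign-in first.
  before_action :authenticate_user!, only: [:connect_with_duo, :verify_duo]

  def connect_with_duo
    # Signed request for the Duo iframe, bound to the signed-in user.
    @sig_request = Duo.sign_request(ENV["DUO_INT_KEY"], ENV["DUO_SECRET_KEY"], ENV["DUO_APP_KEY"], current_user.email)
  end

  def verify_duo
    # Returns the username Duo authenticated, or nil if the response is invalid.
    @authenticated_user = Duo.verify_response(ENV["DUO_INT_KEY"], ENV["DUO_SECRET_KEY"], ENV["DUO_APP_KEY"], params['sig_response'])
    # Accept only a response issued for the user who passed primary authentication.
    if @authenticated_user && @authenticated_user == current_user.email
      session[:duo_authentication] = true
      redirect_to some_path_you_want
    else
      redirect_to some_other_path_you_want
    end
  end
end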
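
# application_controller.rb
# Add this to the controllers you want to protect with Duo, or declare it here
# and use skip_before_action in the controllers you want to exempt.
before_action :confirm_duo_authentication

def confirm_duo_authentication
  # Only users who have passed the Devise sign-in are sent to the Duo prompt;
  # without this check the sign-in page itself would redirect to Duo.
  if user_signed_in? && !session[:duo_authentication]
    redirect_to connect_with_duo_path
  end
end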
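
Why `verify_duo` needs to compare the verified username with the signed-in user, shown on a simplified stand-in for a signed second-factor response. This is an added example, not the gist's or the duo_web gem's code; the token layout, keys, and helper names are assumptions made for illustration.

```ruby
require 'openssl'

# Constructed sample values; a real integration takes these from the MFA provider.
SKEY = 'constructed-secret-key-for-this-example'
IKEY = 'DIXXXXXXXXXXXXXXXXXX'

def hmac(key, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), key, data)
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for the response the MFA service issues after a successful second
# factor (assumed layout: "AUTH|base64(user|ikey|expiry)|hmac").
def sign_response(user, expires_at)
  body = "AUTH|#{[[user, IKEY, expires_at.to_i].join('|')].pack('m0')}"
  "#{body}|#{hmac(SKEY, body)}"
end

# Returns the username the response was issued for, or nil when it is
# malformed, tampered with, issued for another integration, or expired.
def verify_response(sig_response, now: Time.now)
  prefix, b64, sig = sig_response.to_s.split('|')
  return nil unless prefix == 'AUTH' && b64 && sig
  return nil unless secure_equal?(hmac(SKEY, "#{prefix}|#{b64}"), sig)
  user, ikey, expiry = b64.unpack1('m0').split('|')
  return nil unless ikey == IKEY && expiry.to_i > now.to_i
  user
rescue ArgumentError # raised by unpack1('m0') on invalid base64
  nil
end

# The gate the controller needs: a valid signature is not enough, the response
# must name the same user that passed primary (Devise) authentication.
def second_factor_ok?(sig_response, primary_user, now: Time.now)
  verified = verify_response(sig_response, now: now)
  !verified.nil? && verified == primary_user
end
```

A response that is correctly signed but issued for a different account makes `verify_response` return a truthy username, so a bare `if @authenticated_user` check would accept it; `second_factor_ok?` rejects it.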