diff --git a/src/Core/Models/Api/Request/TwoFactorRequestModels.cs b/src/Core/Models/Api/Request/TwoFactorRequestModels.cs
index 5cd27a36f3..41929c5305 100644
--- a/src/Core/Models/Api/Request/TwoFactorRequestModels.cs
+++ b/src/Core/Models/Api/Request/TwoFactorRequestModels.cs
@@ -103,7 +103,7 @@ namespace Bit.Core.Models.Api
 public IEnumerable Validate(ValidationContext validationContext)
 {
- if (!Host.StartsWith("api-") || !Host.EndsWith(".duosecurity.com"))
+ if (!Host.StartsWith("api-") || (!Host.EndsWith(".duosecurity.com") && !Host.EndsWith(".duofederal.com")))
 {
 yield return new ValidationResult("Host is invalid.", new string[] { nameof(Host) });
 }
diff --git a/util/Setup/Configuration.cs b/util/Setup/Configuration.cs
index 879a026099..58eaac40c9 100644
--- a/util/Setup/Configuration.cs
+++ b/util/Setup/Configuration.cs
@@ -76,8 +76,9 @@ namespace Bit.Setup
 "WARNING: Reconfiguring this parameter may break features. By changing this parameter\n" +
 "you become responsible for maintaining this value.")]
 public string NginxHeaderContentSecurityPolicy { get; set; } = "default-src 'self'; style-src 'self' " +
- "'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
- "child-src 'self' https://*.duosecurity.com; frame-src 'self' https://*.duosecurity.com; " +
+ "'unsafe-inline'; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com; " +
+ "child-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
+ "frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; " +
 "connect-src 'self' wss://{0} https://api.pwnedpasswords.com " +
 "https://twofactorauth.org; object-src 'self' blob:;";
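Review bot: The new `Host` check in `Validate` still calls `StartsWith`/`EndsWith` without a `StringComparison`, so the suffix match is culture-sensitive (CA1310) and a differently-cased host such as `API-xxx.DUOSECURITY.COM` may be rejected or accepted depending on the server culture; pass `StringComparison.OrdinalIgnoreCase` on all three calls, e.g. `if (!Host.StartsWith("api-", StringComparison.OrdinalIgnoreCase) || (!Host.EndsWith(".duosecurity.com", StringComparison.OrdinalIgnoreCase) && !Host.EndsWith(".duofederal.com", StringComparison.OrdinalIgnoreCase)))`. A prefix/suffix test alone also does not reject values that are not plain host names (URL delimiters, whitespace, or an empty middle part); if `Host` is later interpolated into a URL, consider additionally requiring `Uri.CheckHostName(Host) == UriHostNameType.Dns` before the suffix test, and confirm elsewhere that `Host` cannot be null here, since the call would throw rather than yield a `ValidationResult`. Since the Duo domain list now also appears in the CSP default in util/Setup/Configuration.cs, a short comment on this line naming that dependency would help keep the two in sync. `Validate` starts in this hunk but its closing brace is outside it.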
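Review bot: The `NginxHeaderContentSecurityPolicy` default now hard-codes the Duo domain list in two directives (`child-src` and `frame-src`) with no note tying it to the server-side host validation in src/Core/Models/Api/Request/TwoFactorRequestModels.cs, which this same commit extends; a one-line comment above the property, `// Keep the Duo domains below in sync with the Duo host validation in TwoFactorRequestModels.cs.`, would make the coupling visible to whoever adds the next domain. The attribute text above warns that operators who have customized this value own it, so installs with an overridden policy will presumably not pick up `https://*.duofederal.com` automatically; that seems worth calling out in the release notes if it is not already. The re-emitted `'unsafe-inline'` line appears identical to the removed one apart from whitespace, which adds noise to the diff.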