The problem is that ManageWP does not use XML-RPC to log in. ManageWP uses request til wp-admin:
/wp-admin/?mwpredirect=1&auto_login=1&mwp_goto=%3F&signature=iEkIOCJObKk1cq8HWTkmAx17w14RvsjOUOIfeMkpzXbr73m2qXZJ54zKFgtR2Fk5SQmZGxfdC1413Q57tnQQ7peHLWXHVk0GQUhR1YBmoxryEQVuZWS2MWRFNsA8SEWpyr6bQyHOEnqK6CGghgVD4qmCdx7r%SJTxr2BuJJuxDNDk4mU%3D&message_id=fbc5ae0580261aba6cae316b74b38e5fbf53d819_2516141289&username=admin
Since it is not an XML-RPC reguest it is treated as normal user and subjected to two factor authentication.
A solution would be to have the ability to whitelist IP’s in the Duo plugin