Since we are speculatating....

What if that value in the url is only a temp key(one time password) to establish their apps connection to the mothership. Then under a seperate ( call home) conversation the real keys are exchanged.  Just a thought.

On Fri, Jun 24, 2016 at 11:40 AM, Andrew C. Dingman
<> wrote:
I've got no Duo contacts. I do have some up the chain at my university, so I'm trying to get them to enable standard tokens rather than just the Duo app, Duo hard token, and SMS.

If Duo uses HOTP internally I'd be surprised at this point. The QR codes only have 20 characters that vary between tokens issued to the same user, which suggests that portion is the equivalent of the "shared secret" in the HOTP specification. Given its length and the observation that the character set appears limited to [A-Za-z0-9], they've got at best 119 bits[1]. HOTP requires at least 128 [2]. So either they are re-using keys between tokens, which would be bad, or they aren't using stands-compliant HOTP. Since TOTP is basically HOTP with the counter incremented on a clock tick rather than an event count, it also can't be compliant TOTP.

[1] 62 possible symbols in a 20 character string. => log(62^20) / log(2) = 119.083926208...
[2] requirement 6