Just thought I would share this with you guys. Not sure if it works: https://github.com/revalo/duo-bypass/blob/master/duo_bypass.py , but if it does, it would be straightforward to add support.
On Sat, Jun 25, 2016 at 1:06 PM, Nathaniel McCallum npmccallum@redhat.com wrote:
http://security.stackexchange.com/questions/47901/how-does-authys-2fa-work-if-it-doesnt-connect-to-the-server This response, from a person who claims to be a former Duo employee, claims that they use asymmetric crypto. This is not surprising.
On Fri, 2016-06-24 at 18:15 +0000, Carey Matthew Black wrote:
Since we are speculating....
What if that value in the URL is only a temp key (one-time password) to establish their app's connection to the mothership. Then under a separate (call home) conversation the real keys are exchanged. Just a thought.
On Fri, Jun 24, 2016 at 11:40 AM, Andrew C. Dingman andrew+fedora@dingman.org wrote: I've got no Duo contacts. I do have some up the chain at my university, so I'm trying to get them to enable standard tokens rather than just the Duo app, Duo hard token, and SMS.
If Duo uses HOTP internally I'd be surprised at this point. The QR codes only have 20 characters that vary between tokens issued to the same user, which suggests that portion is the equivalent of the "shared secret" in the HOTP specification. Given its length and the observation that the character set appears limited to [A-Za-z0-9], they've got at best 119 bits[1]. HOTP requires at least 128 [2]. So either they are re-using keys between tokens, which would be bad, or they aren't using standards-compliant HOTP. Since TOTP is basically HOTP with the counter incremented on a clock tick rather than an event count, it also can't be compliant TOTP.
[1] 62 possible symbols in a 20 character string. => log(62^20) / log(2) = 119.083926208... [2] https://tools.ietf.org/html/rfc4226#section-4 requirement 6
freeotp-devel mailing list freeotp-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/freeotp-devel@lists.fedorahosted.org
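The entropy argument in Andrew's message, worked through in code. This is an added example written for this page; it is not code from the thread, from FreeOTP, or from Duo. It assumes exactly what the message observes (a 20-character secret drawn from the 62-symbol alphabet [A-Za-z0-9]) and measures it against RFC 4226 section 4 requirement 6 (at least 128 bits, 160 recommended). To show what a compliant shared secret looks like, it also implements RFC 4226 HOTP (HMAC-SHA-1, dynamic truncation) and RFC 6238 TOTP on top of it, and checks them against the 160-bit ASCII test secret "12345678901234567890" that both RFCs use in their appendices; the helper names are my own.

```python
import hmac
import hashlib
import math
import struct

# RFC 4226 section 4, R6: shared secret MUST be at least 128 bits,
# RECOMMENDED 160 bits (the HMAC-SHA-1 output size).
RFC4226_MIN_KEY_BITS = 128
RFC4226_RECOMMENDED_KEY_BITS = 160


def secret_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on the entropy of a secret of `length` symbols chosen
    uniformly from `alphabet_size` symbols: log2(alphabet_size ** length).
    This matches footnote [1] in the thread: 20 symbols from 62 => ~119.08 bits."""
    return length * math.log2(alphabet_size)


def meets_rfc4226_key_requirement(bits: float) -> bool:
    """True only if the secret carries at least the R6 minimum of 128 bits."""
    return bits >= RFC4226_MIN_KEY_BITS


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, then reduce modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the counter replaced by floor(time / step),
    which is exactly the point made in the thread: a short key that is not
    compliant HOTP cannot be compliant TOTP either."""
    return hotp(key, unix_time // step, digits)


# Constructed input: the 20-character alphanumeric fragment observed in the
# Duo QR codes, as described in the message (the value itself is made up).
DUO_LIKE_SECRET_LEN = 20
ALPHANUMERIC = 62  # [A-Za-z0-9]

# RFC 4226 Appendix D / RFC 6238 Appendix B test secret: 20 ASCII bytes = 160 bits.
RFC_TEST_SECRET = b"12345678901234567890"


def rfc_test_secret_bits() -> int:
    return len(RFC_TEST_SECRET) * 8


if __name__ == "__main__":
    bits = secret_entropy_bits(DUO_LIKE_SECRET_LEN, ALPHANUMERIC)
    print(f"20 x [A-Za-z0-9] secret: {bits:.3f} bits, "
          f"meets R6 minimum: {meets_rfc4226_key_requirement(bits)}")
    print(f"RFC test secret: {rfc_test_secret_bits()} bits, "
          f"meets R6 minimum: {meets_rfc4226_key_requirement(rfc_test_secret_bits())}")
    for counter in range(3):
        print(f"HOTP(counter={counter}) = {hotp(RFC_TEST_SECRET, counter)}")
    print(f"TOTP(t=59, 8 digits) = {totp(RFC_TEST_SECRET, 59, digits=8)}")
```

The HOTP values for counters 0, 1 and 2 under the RFC test secret are 755224, 287082 and 359152, and TOTP at t=59 with 8 digits is 94287082, as listed in the RFC appendices. The comparison only bounds the entropy of the visible string; if the 20 characters were an encoding of some other key material the bound would change, so it says nothing about what Duo actually does beyond what the message itself claims.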