Our school has set up Duo 2FA for authentication. Is there any way to use freeotp to generate the OTP codes that can authenticate to Duo? I already use freeotp for my other accounts. I would like to add the school's account to it instead of using the Duo app. Scanning the Duo-generated barcode in freeotp crashes it. The barcode likely uses some internal format, but I'm not sure what the actual protocol used by Duo is. If it's one of the standard ones that freeotp supports, it should be possible to import it in freeotp, right?
Not sure if the previous message was posted correctly to the list. Anyone know how Duo works, and if it's possible to add support for it to freeotp?
On Sat, Mar 12, 2016 at 2:08 AM, prasun.gera@gmail.com wrote:
_______________________________________________
freeotp-devel mailing list
freeotp-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/freeotp-devel@lists.fedorahosted.org
I can report that scanning a Duo QR code (block picture) will crash freeotp. :( But I have no details as to why or whose problem it is.
Sent from Yahoo Mail on Android
On Thu, Jun 16, 2016 at 14:12, Prasun Gera prasun.gera@gmail.com wrote:
Can you decode the QR code and send it to me?
Make sure you disable that token in your server so that you don't leak information that could be used for authentication.
On Thu, 2016-06-16 at 19:09 +0000, Carey Matthew Black wrote:
I don't have any access to the Duo console or server side of things, so I'm not sure if I can disable the token. Perhaps I'll have to set up some toy sandbox of my own and use Duo in it to get some QR codes.
Btw, whenever someone uses the website to post to this list, it gets marked as spam/phishing by gmail.
On Thu, Jun 16, 2016 at 4:00 PM, Nathaniel McCallum npmccallum@redhat.com wrote:
Re-initializing a Duo device does not produce an entirely different string in the new QR code, so just in case I'm not going to post a real decoded string on a public list. However, I will attempt to describe what I see experimenting with this.
The three codes I have gotten so far are all mixed-case alpha-numeric strings 59 characters long, with a hyphen at character 21. The first 20 characters vary between QR codes. The 38 characters after the hyphen are constant even when Duo believes it is configuring different devices. I hope this means that the constant string is an account identifier of some kind rather than key material, but so far I can't be certain.
The Duo soft token application also clearly phones home to activate the token after scanning a QR code, so it would be necessary to reverse engineer the phone-home protocol to make FreeOTP work with QR codes intended for the Duo app. According to their web site Duo allows for the use of HOTP tokens, so there's probably not much benefit to reverse engineering their proprietary token type.
I think what they mean is that the Duo app can support HOTP, i.e. the Duo app can act as a replacement for FreeOTP or Google Authenticator. However, if your organization uses Duo, you are stuck with the Duo app for now.
Upon reading the duo documentation, it appears that there is some support for HOTP tokens and other third party devices such as the yubikey. Tokens can only be added by "Owner, Administrator, User Manager, or Help Desk" though, which will likely be impractical for most users since very few people, if any, in the support dept. will know about this, and will probably be reluctant to approve this even if the issue reaches the right level of authorization.
On Wed, Jun 22, 2016 at 1:20 PM, Prasun Gera prasun.gera@gmail.com wrote:
Prasun, given the timing of our mutual interest in the pile of fail that is Duo, I'm guessing we may attend the same large midwestern university. If so, you are correct that helpdesk has no interest in enabling decent tokens.
All the same, I'd rather spend my energy trying to convince IT that they should enable token types that are based on public cryptographic routines combined in standard ways than on trying to reverse engineer the proprietary Duo token type so we can emulate it in FreeOTP. That's better for the school, and keeps FreeOTP from being in a position of trying to maintain compatibility with a proprietary application with no published specifications. (At least, none I have found yet.)
Different schools, but similar problems. All the more relevant I guess since large universities are deploying Duo. I mailed Duo regarding technical documentation, and they said that their app is the only supported way, which is not surprising. If someone has the ability to contact someone higher up in Duo, that would be really helpful.
It may be the case that Duo uses HOTP internally, but with some closed parts around it (such as the phone-home parts that you mentioned earlier). Convincing either Duo or universities to do something differently is likely not very easy.
I've got no Duo contacts. I do have some up the chain at my university, so I'm trying to get them to enable standard tokens rather than just the Duo app, Duo hard token, and SMS.
If Duo uses HOTP internally I'd be surprised at this point. The QR codes only have 20 characters that vary between tokens issued to the same user, which suggests that portion is the equivalent of the "shared secret" in the HOTP specification. Given its length and the observation that the character set appears limited to [A-Za-z0-9], they've got at best 119 bits [1]. HOTP requires at least 128 [2]. So either they are re-using keys between tokens, which would be bad, or they aren't using standards-compliant HOTP. Since TOTP is basically HOTP with the counter incremented on a clock tick rather than an event count, it also can't be compliant TOTP.
[1] 62 possible symbols in a 20 character string => log(62^20) / log(2) = 119.083926208...
[2] https://tools.ietf.org/html/rfc4226#section-4 requirement 6
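Andrew's 119-bit estimate and the RFC 4226 minimum, worked through as an added example: this is example code written for this page, not code from the thread, FreeOTP or Duo. It uses only the RFC 4226 Appendix D test secret as input; no Duo string appears, and the 62-symbol alphabet and 20-character length are taken from the message above.

```python
import hashlib
import hmac
import math
import struct

# Character set observed in the thread: [A-Za-z0-9], 62 symbols.
ALNUM = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# RFC 4226 section 4, requirement 6: shared secret MUST be >= 128 bits
# (160 bits RECOMMENDED).
RFC4226_MIN_SECRET_BITS = 128


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on the entropy of a uniformly random string of `length`
    symbols drawn from `alphabet_size` symbols: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def meets_rfc4226_minimum(alphabet_size: int, length: int) -> bool:
    """True if a string of that shape could even carry a compliant HOTP secret."""
    return entropy_bits(alphabet_size, length) >= RFC4226_MIN_SECRET_BITS


def min_length_for(alphabet_size: int, bits: int = RFC4226_MIN_SECRET_BITS) -> int:
    """Smallest string length over the alphabet that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Reference HOTP from RFC 4226: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamic truncation, then reduce modulo 10**digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects the window
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    n = len(ALNUM)
    print(f"20 chars over {n} symbols: {entropy_bits(n, 20):.3f} bits")
    print("meets RFC 4226 minimum:", meets_rfc4226_minimum(n, 20))
    print("chars needed for 128 bits over that alphabet:", min_length_for(n))
    # RFC 4226 Appendix D test vector, ASCII secret "12345678901234567890"
    print("HOTP(counter=0):", hotp(b"12345678901234567890", 0))  # 755224
```

The `hotp` function is what a standard soft token such as FreeOTP computes from an otpauth secret, so the test vector shows the target any Duo-issued value would have to match to be interoperable.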
Since we are speculating.... What if that value in the URL is only a temp key (one time password) to establish their app's connection to the mothership? Then under a separate (call home) conversation the real keys are exchanged. Just a thought.
On Fri, Jun 24, 2016 at 11:40 AM, Andrew C. Dingman andrew+fedora@dingman.org wrote:
http://security.stackexchange.com/questions/47901/how-does-authys-2fa-work-if-it-doesnt-connect-to-the-server This response, from a person who claims to be a former Duo employee, claims that they use asymmetric crypto. This is not surprising.
On Fri, 2016-06-24 at 18:15 +0000, Carey Matthew Black wrote:
Just thought I would share this with you guys. Not sure if it works: https://github.com/revalo/duo-bypass/blob/master/duo_bypass.py, but if it does, it would be straightforward to add support.
On Sat, Jun 25, 2016 at 1:06 PM, Nathaniel McCallum npmccallum@redhat.com wrote: