Prasun, given the timing of our mutual interest in the pile of fail
that
is Duo, I'm guessing we may attend the same large midwestern university.
Different schools, but similar problems. All the more relevant I guess
since large universities are deploying Duo. I mailed Duo regarding
technical documentation, and they said that their app is the only supported
way, which is not surprising. If someone has the ability to contact someone
higher up in Duo, that would be really helpful.
All the same, I'd rather spend my energy trying to convince IT
that they
should enable token types that are based on public cryptographic routines
combined in standard ways than on trying to reverse engineer the
proprietary Duo token type so we can emulate it in FreeOTP. That's better
for the school, and keeps FreeOTP from being in a position of trying to
maintain compatibility with a proprietary application with no published
specifications. (At least, none I have found yet.)
It may be the case that Duo uses HOTP internally, but with some closed
parts around it (such as the the phone home parts that you mentioned
earlier). Convincing either Duo or universities to do something differently
is likely not very easy.