Duo Login for App

Hello, I was curious if Duo support for app logins is on the roadmap. I was thrilled to hear you were supporting Duo and migrated all my personal passwords to a Teams account because of this single announcement. However, I was disappointed to see it is only supported for web-based logins and not via the apps, so I had to stop moving our business accounts over. I am happy you are embracing Duo; it is a fantastic product. I just think you have a large gap by only permitting it on web-based logins. I read some other threads where some posters incorrectly state that the Account Key is two-factor or "better than two factor", but I strongly disagree with that. While better than just a simple username and password, it really is just a second password that can be intercepted by a MiTM attack, keystroke logger or data leak/compromise. Duo provides true two-factor auth and would greatly enhance the security of app-based logins.

Thank you.



Comments

  • Roman
    1Password Alumni
    edited February 2017

    Hi @dflo16 - Thank you for your suggestion! We have Duo support on our radar, but at this point I can't say anything specific about the ifs, whens, whys and whats. We're looking into it. :)

    ref: OPM-4282, OPI-3637, OPA-1030

  • tmeisy
    Community Member

    I would +1 this request. Would be great to have Duo Security extend to the desktop app and chrome extension as well! Unless the 1P team would feel that it's unnecessary.

  • Frank
    edited March 2017

    Hi @tmeisy - We currently support Duo within the web app for 1Password Teams. We do feel your Secret Key in conjunction with your Master Password provide the best protection for the standalone apps.

    Your Secret Key and Master Password are never transmitted via the Internet. You can read a little more about how we protect your data here - https://support.1password.com/1password-security/

    Thank you again for taking the time to reach out and share some feedback with us. :+1:

  • dflo16
    Community Member

    @Frank I have read more about 1Password's auth mechanism and viewed this process with the Burp interception proxy. I am impressed and do agree that the credentials do not get transmitted; however, I still feel it is not as secure as Duo. With the AK and MP, you still run the risk of these being exposed in a data leak/compromise or obtained via keystroke logging. Duo would enhance this with true OTP or Push authentication.

  • AGKyle
    1Password Alumni

    @dflo16

    There was another discussion of this not too long ago here.

    Basically it boils down to Duo not being the answer that everyone expects it to be. Rick makes a fantastic set of explanations in that thread so I strongly recommend giving that a read.

This discussion has been closed.