Teams + Duo desktop 2FA options: Why only 'phone call' and 'push'?

For the Windows desktop-based integration of Duo, is there the possibility of having other MFA options exposed?

We do not want to require that employees install the Duo Security app on their phones, and the 'receive a phone call' option is less than optimal in our work environment.

Would you consider exposing U2F support and/or the text message option?

I had started using a U2F key during the beta and was surprised to see this not being supported when Duo became officially supported.

Thank you,
Darius



Comments

  • rickfillion Junior Member

    Team Member

    Hi @DariusR,

    Those limitations are based on the fact that we're using Duo's Auth API in both the Windows app and our command-line tool, as opposed to the recommended WebSDK method of doing Duo (used on the Web, Mac, iOS, Android). I'm not sure that we can make all of the Duo methods work with the Auth API, but I think we can add more than we currently support; we just need to get around to it. I doubt U2F would become an option in that case, but it's something that I'd love for us to investigate.

    Rick
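
Rick's point that the Windows app and CLI go through Duo's Auth API rather than the WebSDK is the whole explanation for the short factor list. As an added illustration (not code from 1Password or Duo), the Python below signs an Auth API request the way Duo's public documentation specifies (HMAC-SHA1 over date, method, host, path and canonical params, sent as HTTP Basic with the integration key) and reads a `/auth/v2/preauth` response to list which factors the API could drive. The integration key, secret key, API hostname, device ID and the preauth response are all constructed placeholders, not values from a real tenant.

```python
import base64
import email.utils
import hashlib
import hmac
import urllib.parse

# Factors the Auth API's /auth/v2/auth endpoint accepts. U2F/WebAuthn is not
# among them; Duo only offers it through the browser-based WebSDK flow.
AUTH_API_FACTORS = {"push", "sms", "phone", "passcode"}

# Device "capabilities" values from /preauth mapped to an Auth API factor.
# "auto" is an alias for "pick the best one", not a distinct factor.
CAPABILITY_TO_FACTOR = {"push": "push", "sms": "sms", "phone": "phone",
                        "mobile_otp": "passcode"}


def canonicalize_params(params):
    """Sorted key=value pairs, RFC 3986-encoded (only '~' left unescaped)."""
    return "&".join(
        f"{urllib.parse.quote(str(k), safe='~')}={urllib.parse.quote(str(v), safe='~')}"
        for k, v in sorted(params.items())
    )


def sign_duo_request(ikey, skey, method, host, path, params, date=None):
    """Return the Date and Authorization headers for an Auth API call."""
    date = date or email.utils.formatdate()
    canon = "\n".join([date, method.upper(), host.lower(), path,
                       canonicalize_params(params)])
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    basic = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": f"Basic {basic}"}


def available_factors(preauth_response):
    """Factors the Auth API could actually prompt for, from a /preauth body."""
    body = preauth_response.get("response", {})
    if preauth_response.get("stat") != "OK" or body.get("result") != "auth":
        return set()  # allow / deny / enroll: no second-factor prompt possible
    factors = set()
    for device in body.get("devices", []):
        for cap in device.get("capabilities", []):
            if cap in CAPABILITY_TO_FACTOR:
                factors.add(CAPABILITY_TO_FACTOR[cap])
    return factors & AUTH_API_FACTORS


def auth_params(username, factor, device_id=None, passcode=None):
    """Body for /auth/v2/auth; refuses factors the Auth API does not expose."""
    if factor not in AUTH_API_FACTORS:
        raise ValueError(f"factor {factor!r} is not available through the Auth API")
    params = {"username": username, "factor": factor}
    if factor == "passcode":
        if passcode is None:
            raise ValueError("passcode factor needs a passcode")
        params["passcode"] = passcode
    else:
        params["device"] = device_id or "auto"
    return params


# Constructed sample /preauth response (placeholder device ID, not captured data).
SAMPLE_PREAUTH = {
    "stat": "OK",
    "response": {
        "result": "auth",
        "status_msg": "Account is active",
        "devices": [{
            "device": "DPEXAMPLE0000000000",
            "type": "phone",
            "number": "XXX-XXX-0100",
            "capabilities": ["push", "sms", "phone", "auto"],
        }],
    },
}

if __name__ == "__main__":
    factors = available_factors(SAMPLE_PREAUTH)
    print("Auth API factors for this user:", sorted(factors))
    print("U2F reachable via Auth API?", "u2f" in factors)
    headers = sign_duo_request("DIEXAMPLEKEY", "example-secret", "POST",
                               "api-example.duosecurity.com", "/auth/v2/auth",
                               auth_params("darius", "sms", "DPEXAMPLE0000000000"))
    print(headers)
```

The practical consequence Darius ran into follows directly from `available_factors`: whatever the user enrolled, a client that only speaks the Auth API can at most offer push, SMS, phone call or a passcode, and which of those the client chooses to surface is up to the client.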

  • @rickfillion

    Glad to know it could be looked at. Having this limitation and no apparent indication of why it exists only on the Windows desktop client does seem to break the fluidity of the interaction staff have on other devices/platforms.

    We are a 90% Windows environment and rely heavily on what Duo offers. Looking forward to any small improvements :)

    I'll add one other 'dreamshot' request here instead of starting a new thread. Currently a failed MFA attempt still gives access to the 1Password database if a previous MFA attempt has succeeded. It only blocks 'syncing'. If there could eventually be a global ON/OFF option that would allow admins to decide if a user is locked out of their database upon a failed attempt, it would let us centralize access control and blocking inside Duo. I can see how this might not be a priority (or technically possible), but it would automate something that otherwise needs to be a procedural security mechanism, and manual in nature.

    Thank you,
    Darius

  • rickfillion Junior Member

    Team Member

    Good morning @DariusR,

    We're still trying to figure out what the right approach is with failed MFA. As it stands doing what you're asking for would be a bit of security theatre, and so we're reluctant to take that approach. For someone to hit the scenario you're talking about, a couple things need to happen:

    • A bad actor has access to a device that has 1Password data
    • That bad actor also has the Master Password

    If I were that bad actor in that position, I wouldn't be touching 1Password at all. I'd go to the filesystem and steal the SQLite database where all of the data is stored and ship that off to a computer I controlled. Then I'd put that computer offline and unlock that database with the Master Password with 1Password, or keep the computer online and decrypt the data using another tool.

    That's where we are today. This isn't to say that things couldn't change to make this attack impossible, but it would likely come with concessions. For example, if we allowed an admin to say that 1Password was no longer to function when offline, then we could have the app never cache the vault keys to disk, so that it would need to get them from the server every time you unlocked. This would mean that MFA would stand between the user and their vault keys and could in fact do something like you'd want. That would require an "online only" mode though. Once everything is cached locally, MFA really isn't at play locally.

    I hope that makes sense.

    Rick
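
The trade-off Rick describes (cached vault keys make a local MFA gate theatre; an "online only" client that never writes the wrapped keys to disk would let MFA gate the keys for real) is easy to see in a small model. The Python below is an added example, not 1Password's design or code: it assumes a vault key wrapped under a KEK derived from the Master Password with PBKDF2, a server that releases the wrapped key only after a successful second factor, and a client that either caches that wrapped key on disk or not. The "wrap" is a toy XOR-with-HMAC keystream so the example runs on the standard library alone; it stands in for the real AES-based wrapping and is not a recommendation.

```python
import hashlib
import hmac
import os


def _keystream(key, length):
    # Toy keystream: HMAC-SHA256 of a counter. Placeholder for a real cipher.
    blocks = [hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def wrap(key, data):
    """Toy key wrapping (XOR); unwrap is the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


unwrap = wrap


def kek_from_password(master_password, salt):
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 50_000, 32)


class Server:
    """Holds the wrapped vault key and releases it only after a passed second factor."""

    def __init__(self, wrapped_vault_key, salt):
        self.wrapped_vault_key = wrapped_vault_key
        self.salt = salt

    def fetch_wrapped_key(self, mfa_passed):
        if not mfa_passed:
            raise PermissionError("second factor failed; key not released")
        return self.wrapped_vault_key, self.salt


class Client:
    """online_only=False caches the wrapped key on disk after the first unlock."""

    def __init__(self, server, online_only):
        self.server = server
        self.online_only = online_only
        self.disk = {}  # everything that ends up on the local filesystem

    def unlock(self, master_password, mfa_passed):
        if "wrapped_vault_key" in self.disk:
            # Cached path: the second factor is never consulted here.
            wrapped, salt = self.disk["wrapped_vault_key"], self.disk["salt"]
        else:
            wrapped, salt = self.server.fetch_wrapped_key(mfa_passed)
            if not self.online_only:
                self.disk["wrapped_vault_key"], self.disk["salt"] = wrapped, salt
        return unwrap(kek_from_password(master_password, salt), wrapped)


def offline_attack(stolen_disk, master_password):
    """Attacker with a copy of the disk and the Master Password; no app, no MFA."""
    if "wrapped_vault_key" not in stolen_disk:
        return None
    kek = kek_from_password(master_password, stolen_disk["salt"])
    return unwrap(kek, stolen_disk["wrapped_vault_key"])


PASSWORD = "correct horse battery staple"  # constructed sample Master Password


def scenario(online_only):
    """Returns (unlock succeeds after a FAILED MFA, offline attacker recovers key)."""
    vault_key, salt = os.urandom(32), os.urandom(16)
    server = Server(wrap(kek_from_password(PASSWORD, salt), vault_key), salt)
    client = Client(server, online_only)
    assert client.unlock(PASSWORD, mfa_passed=True) == vault_key  # first login, MFA ok
    try:
        after_failed_mfa = client.unlock(PASSWORD, mfa_passed=False) == vault_key
    except PermissionError:
        after_failed_mfa = False
    stolen = offline_attack(dict(client.disk), PASSWORD)
    return after_failed_mfa, stolen == vault_key


if __name__ == "__main__":
    print("cached keys :", scenario(online_only=False))
    print("online only :", scenario(online_only=True))
```

With caching, both results are true: the second unlock ignores the failed factor, and the attacker who copies the disk needs nothing from the app at all, which is why a client-side "lock on failed MFA" switch would not change what a thief can do. With the online-only client, nothing usable sits on disk and a failed factor leaves the keys on the server, at the price of no offline access.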

  • Just an update on this:

    I was able to work around the limitations of the DuoSecurity integration with 1Password.

    When setting up a new user in DuoSecurity upon their first login to 1Password, select 'other device' instead of iOS or Android.
    This will default the authentication to SMS instead of forcing either the phone call option or Duo App.

    It might be worth putting this in the documentation somewhere for how Duo is integrated.

  • brenty

    Team Member
    edited July 3

    @DariusR: SMS is insecure. We're not going to promote or recommend it. It's something Duo can document if they want to though, since it's their service.
