Show HN: DuoBreak: Python emulation of Duo push notifications and HOTP codes
3 by jessenaser | 1 comment on Hacker News.
We use Duo at University and usually when I use Duo I am using it on my computer. Sometimes my phone gets out of charge, or is in an unusable state (iPhone bricked until iTunes reset because no space left to update, however it attempted an iTunes update, not OTA…) or we are in an exam where we should put our phones away… Having Duo tied to a phone is a single point of failure, since Duo keys are not exportable, and the phone call or text methods are disabled for our university or don’t work; one would need multiple phones or security keys to log in without waiting days for a reset from the office. Even resetting your iPhone removes the key. So I created DuoBreak such that it emulates the phone’s ability to accept push notifications and HOTP codes, which isn’t a feature that is documented, since you are actually supposed to use a phone. However, in DuoBreak you can manage multiple keys from different Duo Organizations or even the same one if you like to have multiple computers and offline backups of your key, so you can log into your account without going through the lengthy recovery process. AES encryption is enabled thoughtfully, such that the vault for the keys is encrypted (the biggest worry is that the key is left in RAM until program close currently). One of the biggest reasons to make this specifically for Duo is that they keep their authentication locked down, where the information they give the user isn’t an HOTP token from the QR code, but an API endpoint, so we would need to make an API call to get this information (that usually only the Duo App would know). Other authenticators allow you to get the key much more easily, which is why there isn’t a “MicrosoftBreak”.
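The post talks about emulating HOTP codes without explaining what an HOTP code is. The example below is added here for readers and is not DuoBreak's code nor anything Duo publishes; it implements plain RFC 4226 HOTP (HMAC-SHA1 over an 8-byte counter with dynamic truncation) on the generating side, and a server-style verifier with a look-ahead window so that a counter that drifts ahead by a few presses is still accepted while an already-used code is rejected. The secret and expected codes are the public test vectors from RFC 4226, not a Duo key; the function names, the `look_ahead` parameter and the in-memory vault dict are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then dynamic truncation to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, candidate: str, counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Verifier side (what a Duo-style server does, reconstructed from RFC 4226,
    not from Duo's implementation): accept `candidate` if it matches any counter
    in [counter, counter + look_ahead]. Returns the next counter to store on
    success, or None on failure. The stored counter only moves forward, so a
    code that was already consumed cannot be replayed."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


class HotpToken:
    """Minimal stand-in for one entry of a multi-key vault (assumed structure):
    holds the secret and the client-side counter and advances it per code."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


# Public RFC 4226 Appendix D test secret (constructed sample, not a real key).
RFC4226_SECRET = b"12345678901234567890"


def demo():
    """Walk a token three presses ahead of the server and show that the
    verifier resynchronises, then rejects the same code a second time."""
    token = HotpToken(RFC4226_SECRET)
    codes = [token.next_code() for _ in range(3)]   # counters 0, 1, 2
    server_counter = 0
    new_counter = verify_hotp(RFC4226_SECRET, codes[2], server_counter)
    replay = verify_hotp(RFC4226_SECRET, codes[2], new_counter)
    return codes, new_counter, replay


if __name__ == "__main__":
    print(demo())
```

The verifier uses `hmac.compare_digest` so that a wrong code takes the same time to reject regardless of which digit differs. The post's own caveat applies here too: Python cannot reliably zero a `bytes` secret after use, so a decrypted key stays in process memory until the interpreter frees it; keeping the vault decrypted only for the duration of one code generation narrows that window but does not close it.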