1) Duo is a commercial service that offers multi-factor authentication through a variety of means, one of which is the Phone Call.
2) This site lets you register them as your Duo phone number, when demanded to do so by someone who's trying to protect your high-value access from being hijacked (such as your employer).
3) This site provides you a phone number that auto-accepts all Duo authentication requests, even if you're asleep, offline, or otherwise not authorizing the hacking activity.
4) This site has zero contact information and accountability, and could very well be backed by a black market site that offers hackers lookup access for any Duo phone number for $50/number.
NOTE: I, personally, would absolutely push to fire anyone I found using this, no matter where I worked.
I dabbled at reversing their Android app, but I saw some references to key rotation and got disheartened -- I don't want to spend man-weeks on this. I was hoping to see some URL I could hit and just get a TOTP secret.
To my uni's credit, they offer support for hardware tokens, and maybe someday I'll get sick enough of the phone calls to start carrying one of those around.
Edit: Thanks to commenters in sibling threads with possible solutions to extracting the secret.
I can get that the phone part is annoying, but Duo Push/TOTP and now the TouchID are probably the smoothest MFA solution for the enterprise I've ever used.
(Incidentally, Duo does support OATH-TOTP and Yubikeys in native mode.)
Some Yubikey models also store the secrets that generate the frustrating 6-character TOTP codes. By pairing a Yubikey with a desktop app, you can copy/paste the codes instead of the error-prone process of manually re-typing them.
...assuming the service in question accepts yubikeys, or even TOTPs. I've seen plenty of services (mostly financial) that only allow sms or voice calls.
On the computer I have ~/.totp/ which contains files like `github` with the secret key as the file content. In my bashrc I made a function which runs oathtool on the contents of the given filename to generate the 6 digit code and then copies it to the clipboard with xclip (run it like `$ totp github`).
For the duo thing, I had to make the same `name` file with the secret key as the content, and a `name-counter` file with an integer. I put a hotp function in bashrc, so running `hotp name` generates the 6 digit code, copies it to the clipboard, and increments the counter.
I had to tell Duo I was adding a tablet (since the emulator had no phone number); it gives a QR code with a URL as a backup. I opened the URL in the emulator, which opened the Duo app in the emulator and finished the setup. Then on the host computer, run `adb shell` and cat out `/data/data/com.duosecurity.duomobile/files/duokit/accounts.json` from the emulator shell (or the shell on your rooted Android).
Get the `otpSecret` and counter; at the end of `otpSecret`, replace the `\u003d` with its actual character, `=`, then put the secret into the file `~/.otp/name` and the counter into `~/.otp/name-counter`.
Turns out I actually put a tiny script in my PATH instead of adding a function to bashrc:
#!/bin/bash
# $(<file) and typeset are bash features, so the script needs bash rather than /bin/sh;
# the token name is taken from the first argument, so it runs as `hotp name`
name=$1
typeset -i counter=$(<~/.otp/"$name"-counter)
oathtool --hotp -b "$(<~/.otp/"$name")" -c "$counter" | xclip -selection clipboard
echo $((counter + 1)) >~/.otp/"$name"-counter   # advance the counter for the next run
On macOS there's a `clip` command which you will have to use instead of xclip to copy to clipboard.
I have saved a very old (2 years?) version of the Duo APK which works great for this (or at least was working great the last time I tried, 2 months ago). The newer app versions refuse to run without Google Play Services, but you can still make a throwaway Android emulator with GPS. I'd like to share the APK I have, but no way to do so without linking this pseudonym to my real identity...
The most idiotic thing is that basically the entire 2FA ecosystem fucked up by turning 2FA into phoneFA. Your password is a secret; it can be guessed by some hacker on the other side of the world, so let's have two secrets, with the second one being unguessably long and only known to your hardware, so that it can make a human-sized login code. There are standards for this like TOTP and HOTP, but instead of having basically password managers for these secret keys, we get SMS auth and Duo and Authy, with no way for a normal person to generate OTP codes on their actual computer. Google Authenticator and even the Duo app actually allow you to scan QR codes with TOTP secret keys and get the 6-digit OTPs from their app, but Duo itself won't let you use the standards to log in, or to do it on your computer.
For completeness, here's the TOTP function in my bashrc:
function totp() {
    # read the base32 secret from ~/.totp/<name> and copy the current code to the clipboard
    oathtool --totp -b "$(<~/.totp/"$1")" | xclip -selection clipboard
}
So if you have a file ~/.totp/github with the secret key as the content, you would open a terminal (or something like Guake/Yakuake) and run the command `totp github` and the 6-digit OTP would be in your clipboard.
I have never used "duo" and it has taken me a few reads of this to understand exactly what this is, but I think it's worth pointing out that your own personal 'dontduo' service would be trivially simple to set up in a simple TwiML bin at Twilio.
I think it would look something like this:
<?xml version="1.0" encoding="UTF-8"?>
<Response>
    <Play digits="1w2w3w4"/>
    <Hangup/>
</Response>
(TwiML verb names are case-sensitive, so it's `Play`, not `play`.)
"Include w to introduce a 0.5s pause between DTMF tones. For example, 1w2 will tell Twilio to pause 0.5s before playing DTMF tone 2. To include 1s of pause, simply add ww." https://www.twilio.com/docs/voice/twiml/play#attributes-digi...
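The HOTP/TOTP mechanics described a few comments up (a long shared secret, plus either a counter kept in a file or the clock, hashed down to a six-digit code, which is what the oathtool scripts do) as an added example that is not any commenter's code: a from-scratch RFC 4226/6238 implementation, checked against the RFCs' published test vectors, plus the server-side look-ahead check that explains why a client counter that runs ahead (every run of the `hotp` script increments it, submitted or not) still verifies. The secret is the RFCs' reference value, not a real token.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the current 30-second time step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 10):
    """Server-side HOTP check with a resynchronisation window (RFC 4226 section 7.4).

    A client that generated codes it never submitted drifts ahead of the server,
    so the server tries the next `look_ahead` counters too. Returns the counter to
    store next (one past the match), or None if nothing in the window matches.
    The comparison is constant-time so it does not leak which digits matched.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


# Reference secret from RFC 4226 appendix D / RFC 6238 appendix B (ASCII digits), not a real token.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0))                      # 755224 (RFC 4226 test vector)
    print(totp(RFC_SECRET, 59, digits=8))           # 94287082 (RFC 6238 test vector)
    print(verify_hotp(RFC_SECRET, hotp(RFC_SECRET, 7), 3))  # 8: resynced after 4 skipped codes
```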
2FA is one of those things that is nice when you want it but a huge PITA when it’s forced on you.
How do you give a person secret knowledge that they need to provide you to authenticate but can’t provide to something else?
Pretty sure a dev made this for themself and decided to share
Services like Duo and Okta are enabling your least favorite IT admin to put users in ‘S’SO hell.
Using this sounds like a good way to take liability when your account gets hacked. It will not look good to be fired for intentionally defeating corporate security systems.
By the way, I gotta say this project is pretty hilarious, and you're a true baller for trying to sell this to people.
Duo as in Google's Duo video calling? There's 2FA on that? I've never seen any.
Or is there some other Duo it's referring to?