Difference between revisions of "Duo 2FA"

From the Linux and Unix Users Group at Virginia Teck Wiki
Jump to: navigation, search
imported>Echarlie
(Created page with "'''DUO Two-Factor Authentication''' is a proprietary service which provides 2FA through PAM modules and a web-browser login page. ''While VTLUUG concurs that 2FA is a good pra...")
(No difference)

Revision as of 23:14, 18 April 2016

DUO Two-Factor Authentication is a proprietary service which provides 2FA through PAM modules and a web-browser login page. While VTLUUG concurs that 2FA is a good practice, DUO is an ineffective, buggy, and anti-freedom solution.

Issues

DUO 2FA has a number of disadvantages and issues. To list a few:

  • A cellphone, compatible tablet, or landline is mandatory to enrollment in 2FA
  • U2F is exclusively supported in the Chrome and Chromium browsers, despite the presence of a functional plugin which provides the feature in Firefox
    • Duo login page is actually broken by use of this plugin
  • Privacy policy is a joke, and implies almost no level of customer or customer data protection

Privacy Policy

They collect PII. Among this is:

'Device-Specific Information: We also collect device-specific information (e.g. mobile and desktop) from you in order to provide the Services. Device-specific information includes:

  • attributes (e.g. hardware model, operating system, web browser version, as well as unique device identifiers and characteristics (such as, whether your device is “jailbroken,” whether you have a screen lock in place and whether your device has full disk encryption enabled));
  • connection information (e.g. name of your mobile operator or ISP, browser type, language and time zone, and mobile phone number); and
  • device locations (e.g. internet protocol addresses and Wi-Fi).

We may need to associate your device-specific information with your Personal Information on a periodic basis in order to confirm you as a user and to check the security on your device.

Other things they do:

  • Collect data referencing users accessing services, the dates and times [they] are accessing the Services, from where [they] are accessing the Services (by internet protocol address) and device event information such as crashes, system activity, and hardware settings

They also will disclose PII to governments, if requested:

  • (i) if we are required to do so by law or legal process;
  • (ii) to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims;
  • (iii) as may be required for the purposes of national security;
  • (iv) when we believe disclosure is necessary and appropriate to prevent physical, mental, financial or other harm, injury or loss;
  • (v) in connection with an investigation of suspect or actual illegal or inappropriate activity or exposure to liability