Changes


Duo 2FA

339 bytes added, 04:40, 5 September 2016
Issues
'''DUO Two-Factor Authentication''' is a proprietary service which provides 2FA through PAM modules and a web-browser login page. ''While VTLUUG concurs that 2FA is a good practice, DUO is an ineffective, buggy, and anti-freedom solution''. VTLUUG opposes this outsourcing of important security functionality by the University.
== Issues ==
* A cellphone, compatible tablet, or landline is '''mandatory''' to enroll in 2FA
* U2F is exclusively supported in the Chrome and [[Chromium]] browsers, despite the presence of a [https://github.com/prefiks/u2f4moz functional plugin] which provides the feature in [[Firefox]]
** The Duo login page is actually '''broken''' by use of this plugin. A workaround for Firefox has been posted [[Yubikey#Using_with_Virginia_Tech_2-Factor_(Duo)|here]].
* [https://duo.com/legal/privacy Privacy policy] is a joke, and implies almost no level of customer or customer data protection
* Use of the app isn't ''real'' 2 factor authentication, as it doesn't require the person initiating login to possess the device
** Users may get into the habit of just "pushing the button" when it comes up.
=== Privacy Policy ===
They collect PII. Among this is:
==== Device-Specific Information ====
''We also collect device-specific information (e.g. mobile and desktop) from you in order to provide the Services. Device-specific information includes:''
* ''attributes (e.g. hardware model, operating system, web browser version, as well as unique device identifiers and characteristics (such as, whether your device is “jailbroken,” whether you have a screen lock in place and whether your device has full disk encryption enabled));''
* ''connection information (e.g. name of your mobile operator or ISP, browser type, language and time zone, and mobile phone number); and''
* ''device locations (e.g. internet protocol addresses and Wi-Fi).''
''We may need to associate your device-specific information with your Personal Information on a periodic basis in order to confirm you as a user and to check the security on your device.''
Other things they do:
Anonymous user
