Difference between revisions of "Duo 2FA"

From the Linux and Unix Users Group at Virginia Teck Wiki
Jump to: navigation, search
imported>Echarlie
(Created page with "'''DUO Two-Factor Authentication''' is a proprietary service which provides 2FA through PAM modules and a web-browser login page. ''While VTLUUG concurs that 2FA is a good pra...")
 
imported>Bgregos
(Issues)
 
(6 intermediate revisions by one other user not shown)
Line 1: Line 1:
 
'''DUO Two-Factor Authentication''' is a proprietary service which provides 2FA
 
'''DUO Two-Factor Authentication''' is a proprietary service which provides 2FA
through PAM modules and a web-browser login page. ''While VTLUUG concurs that 2FA
+
through PAM modules and a web-browser login page. ''While VTLUUG concurs that 2FA''
is a good practice, DUO is an ineffective, buggy, and anti-freedom solution''.
+
''is a good practice, DUO is an ineffective, buggy, and anti-freedom solution''.
 +
VTLUUG opposes this outsourcing of important security functionality by the University.
  
 
== Issues ==
 
== Issues ==
Line 7: Line 8:
 
* A cellphone, compatible tablet, or landline is '''mandatory''' to enrollment in 2FA
 
* A cellphone, compatible tablet, or landline is '''mandatory''' to enrollment in 2FA
 
* U2F is exclusively supported in the Chrome and [[Chromium]] browsers, despite the presence of a [https://github.com/prefiks/u2f4moz functional plugin] which provides the feature in [[Firefox]]
 
* U2F is exclusively supported in the Chrome and [[Chromium]] browsers, despite the presence of a [https://github.com/prefiks/u2f4moz functional plugin] which provides the feature in [[Firefox]]
** Duo login page is actually '''broken''' by use of this plugin
+
** A workaround for Firefox has been posted [[Yubikey#Using_with_Virginia_Tech_2-Factor_(Duo)|here]].
 
* [https://duo.com/legal/privacy Privacy policy] is a joke, and implies almost no level of customer or customer data protection
 
* [https://duo.com/legal/privacy Privacy policy] is a joke, and implies almost no level of customer or customer data protection
 +
* Use of app isn't ''real'' 2 factor authentication, as it doesn't require the person initiating login to posses device
 +
** Users may get into the habit of just "pushing the button" when it comes up.
  
 
=== Privacy Policy ===
 
=== Privacy Policy ===
 
They collect PII. Among this is:
 
They collect PII. Among this is:
  
''''Device-Specific Information''': ''We also collect device-specific information (e.g. mobile and desktop) from you in order to provide the Services. Device-specific information includes:
+
==== Device-Specific Information ====
 +
''We also collect device-specific information (e.g. mobile and desktop) from you in order to provide the Services. Device-specific information includes:
  
* attributes (e.g. hardware model, operating system, web browser version, as well as unique device identifiers and characteristics (such as, whether your device is “jailbroken,” whether you have a screen lock in place and whether your device has full disk encryption enabled));
+
* ''attributes (e.g. hardware model, operating system, web browser version, as well as unique device identifiers and characteristics (such as, whether your device is “jailbroken,” whether you have a screen lock in place and whether your device has full disk encryption enabled));''
* connection information (e.g. name of your mobile operator or ISP, browser type, language and time zone, and mobile phone number); and
+
* ''connection information (e.g. name of your mobile operator or ISP, browser type, language and time zone, and mobile phone number);''
* device locations (e.g. internet protocol addresses and Wi-Fi).
+
* ''device locations (e.g. internet protocol addresses and Wi-Fi).''
  
We may need to associate your device-specific information with your Personal Information on a periodic basis in order to confirm you as a user and to check the security on your device.''
+
''We may need to associate your device-specific information with your Personal Information on a periodic basis in order to confirm you as a user and to check the security on your device.''
  
 
Other things they do:
 
Other things they do:
Line 25: Line 29:
 
* Collect data referencing users accessing services, ''the '''dates and times''' [they] are accessing the Services, from where [they] are accessing the Services (by internet protocol address) and device event information such as crashes, system activity, and hardware settings''
 
* Collect data referencing users accessing services, ''the '''dates and times''' [they] are accessing the Services, from where [they] are accessing the Services (by internet protocol address) and device event information such as crashes, system activity, and hardware settings''
  
 +
==== Disclosure of PII ====
 
They also '''will''' disclose PII to governments, if requested:
 
They also '''will''' disclose PII to governments, if requested:
  
Line 34: Line 39:
  
  
[[category:Campus Computing Resources]]
+
[[category:Campus computing resources]]

Latest revision as of 04:40, 5 September 2016

DUO Two-Factor Authentication is a proprietary service which provides 2FA through PAM modules and a web-browser login page. While VTLUUG concurs that 2FA is a good practice, DUO is an ineffective, buggy, and anti-freedom solution. VTLUUG opposes this outsourcing of important security functionality by the University.

Issues

DUO 2FA has a number of disadvantages and issues. To list a few:

  • A cellphone, compatible tablet, or landline is mandatory to enrollment in 2FA
  • U2F is exclusively supported in the Chrome and Chromium browsers, despite the presence of a functional plugin which provides the feature in Firefox
    • A workaround for Firefox has been posted here.
  • Privacy policy is a joke, and implies almost no level of customer or customer data protection
  • Use of app isn't real 2 factor authentication, as it doesn't require the person initiating login to posses device
    • Users may get into the habit of just "pushing the button" when it comes up.

Privacy Policy

They collect PII. Among this is:

Device-Specific Information

We also collect device-specific information (e.g. mobile and desktop) from you in order to provide the Services. Device-specific information includes:

  • attributes (e.g. hardware model, operating system, web browser version, as well as unique device identifiers and characteristics (such as, whether your device is “jailbroken,” whether you have a screen lock in place and whether your device has full disk encryption enabled));
  • connection information (e.g. name of your mobile operator or ISP, browser type, language and time zone, and mobile phone number);
  • device locations (e.g. internet protocol addresses and Wi-Fi).

We may need to associate your device-specific information with your Personal Information on a periodic basis in order to confirm you as a user and to check the security on your device.

Other things they do:

  • Collect data referencing users accessing services, the dates and times [they] are accessing the Services, from where [they] are accessing the Services (by internet protocol address) and device event information such as crashes, system activity, and hardware settings

Disclosure of PII

They also will disclose PII to governments, if requested:

  • (i) if we are required to do so by law or legal process;
  • (ii) to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims;
  • (iii) as may be required for the purposes of national security;
  • (iv) when we believe disclosure is necessary and appropriate to prevent physical, mental, financial or other harm, injury or loss;
  • (v) in connection with an investigation of suspect or actual illegal or inappropriate activity or exposure to liability