Duo 2FA
Duo Two-Factor Authentication is a proprietary service which provides 2FA through PAM modules and a web-browser login page. While VTLUUG concurs that 2FA is a good practice, Duo is an ineffective, buggy, and anti-freedom solution.
Issues
Duo 2FA has a number of disadvantages and issues. To list a few:
- A cellphone, compatible tablet, or landline is mandatory for enrollment in 2FA
- U2F is exclusively supported in the Chrome and Chromium browsers, despite the presence of a functional plugin which provides the feature in Firefox
- The Duo login page is actually broken by use of this plugin
- The privacy policy is a joke and implies almost no level of customer or customer data protection
Privacy Policy
They collect PII, including:
'Device-Specific Information: We also collect device-specific information (e.g. mobile and desktop) from you in order to provide the Services. Device-specific information includes:
- attributes (e.g. hardware model, operating system, web browser version, as well as unique device identifiers and characteristics (such as, whether your device is “jailbroken,” whether you have a screen lock in place and whether your device has full disk encryption enabled));
- connection information (e.g. name of your mobile operator or ISP, browser type, language and time zone, and mobile phone number); and
- device locations (e.g. internet protocol addresses and Wi-Fi).
We may need to associate your device-specific information with your Personal Information on a periodic basis in order to confirm you as a user and to check the security on your device.'
Other things they do:
- Collect data referencing users accessing services, the dates and times [they] are accessing the Services, from where [they] are accessing the Services (by internet protocol address) and device event information such as crashes, system activity, and hardware settings
They will also disclose PII to governments if requested:
- (i) if we are required to do so by law or legal process;
- (ii) to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims;
- (iii) as may be required for the purposes of national security;
- (iv) when we believe disclosure is necessary and appropriate to prevent physical, mental, financial or other harm, injury or loss;
- (v) in connection with an investigation of suspect or actual illegal or inappropriate activity or exposure to liability