Duo 2FA
'''DUO Two-Factor Authentication''' is a proprietary service which provides 2FA
through PAM modules and a web-browser login page. ''While VTLUUG concurs that 2FA
is a good practice, DUO is an ineffective, buggy, and anti-freedom solution''.
== Issues ==
DUO 2FA has a number of disadvantages and issues. To list a few:
* A cellphone, compatible tablet, or landline is '''mandatory''' for enrollment in 2FA
* U2F is exclusively supported in the Chrome and [[Chromium]] browsers, despite the presence of a [https://github.com/prefiks/u2f4moz functional plugin] which provides the feature in [[Firefox]]
** The Duo login page is actually '''broken''' by use of this plugin
* [https://duo.com/legal/privacy Privacy policy] is a joke, and implies almost no level of customer or customer data protection
=== Privacy Policy ===
They collect PII. This includes:
'''Device-Specific Information''': ''We also collect device-specific information (e.g. mobile and desktop) from you in order to provide the Services. Device-specific information includes:''
* ''attributes (e.g. hardware model, operating system, web browser version, as well as unique device identifiers and characteristics (such as, whether your device is “jailbroken,” whether you have a screen lock in place and whether your device has full disk encryption enabled));''
* ''connection information (e.g. name of your mobile operator or ISP, browser type, language and time zone, and mobile phone number); and''
* ''device locations (e.g. internet protocol addresses and Wi-Fi).''
''We may need to associate your device-specific information with your Personal Information on a periodic basis in order to confirm you as a user and to check the security on your device.''
Other things they do:
* Collect data referencing users accessing services, ''the '''dates and times''' [they] are accessing the Services, from where [they] are accessing the Services (by internet protocol address) and device event information such as crashes, system activity, and hardware settings''
They also '''will''' disclose PII to governments, if requested:
* ''(i) if we are required to do so by law or legal process;''
* ''(ii) to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims;''
* ''(iii) as may be required for the purposes of national security;''
* ''(iv) when we believe disclosure is necessary and appropriate to prevent physical, mental, financial or other harm, injury or loss;''
* ''(v) in connection with an investigation of suspect or actual illegal or inappropriate activity or exposure to liability''
[[category:Campus Computing Resources]]