Duo 2FA
DUO Two-Factor Authentication is a proprietary service which provides 2FA through PAM modules and a web-browser login page. While VTLUUG concurs that 2FA is a good practice, DUO is an ineffective, buggy, and anti-freedom solution. VTLUUG opposes this outsourcing of important security functionality by the University.
Issues
DUO 2FA has a number of disadvantages and issues. To list a few:
- A cellphone, compatible tablet, or landline is mandatory to enrollment in 2FA
- U2F is exclusively supported in the Chrome and Chromium browsers, despite the presence of a functional plugin which provides the feature in Firefox
- A workaround for Firefox has been posted here.
- Privacy policy is a joke, and implies almost no level of customer or customer data protection
- Use of app isn't real 2 factor authentication, as it doesn't require the person initiating login to posses device
- Users may get into the habit of just "pushing the button" when it comes up.
Privacy Policy
They collect PII. Among this is:
Device-Specific Information
We also collect device-specific information (e.g. mobile and desktop) from you in order to provide the Services. Device-specific information includes:
- attributes (e.g. hardware model, operating system, web browser version, as well as unique device identifiers and characteristics (such as, whether your device is “jailbroken,” whether you have a screen lock in place and whether your device has full disk encryption enabled));
- connection information (e.g. name of your mobile operator or ISP, browser type, language and time zone, and mobile phone number);
- device locations (e.g. internet protocol addresses and Wi-Fi).
We may need to associate your device-specific information with your Personal Information on a periodic basis in order to confirm you as a user and to check the security on your device.
Other things they do:
- Collect data referencing users accessing services, the dates and times [they] are accessing the Services, from where [they] are accessing the Services (by internet protocol address) and device event information such as crashes, system activity, and hardware settings
Disclosure of PII
They also will disclose PII to governments, if requested:
- (i) if we are required to do so by law or legal process;
- (ii) to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims;
- (iii) as may be required for the purposes of national security;
- (iv) when we believe disclosure is necessary and appropriate to prevent physical, mental, financial or other harm, injury or loss;
- (v) in connection with an investigation of suspect or actual illegal or inappropriate activity or exposure to liability