2020-08-10 2FA, Android, pass, updated

Phone-less, Token-less Duo 2FA

Updates

2023-12-14: Note breakage.

2023-10-15: Note pass-otp possible breakage.

2023-04-11: Expand on extracting from Duo app storage.

2022-06-21: Add HOTP Duo reference and fix some formatting rubbish.

2021-12-30: Another approach was advertised on Hacker News.

2022-03-10: Small update on hardware keys, with Solo 2.

2022-12-09: Note Duo .apk is directly downloadable.


Unfortunately, the registration process has changed, and the ‘Easy Way’ to extract the secret no longer works. I haven’t yet investigated the ‘More Interesting’ way with the current app. It now looks important, since the current Duo app only works on Android 12+. Obviously, in principle, you’d like to be running a non-EOL version of (a de-Googled) Android, but …

So You Have to Use Duo 2FA…

Your organization requires use of two-factor authentication (I assume only two factors are required, but this might extend to more) with Duo. Suppose you don’t have — or wish to use for work — a smartphone to run the proprietary app, and don’t have a hardware token issued, or possibly want something you can automate. My site does, grudgingly, issue a limited supply of tokens (re-badged Vasco Digipass), but you’re asked to use your personal phone to save the organization expense. However, you don’t have the option to enrol a potentially more convenient Yubikey or similar hardware token if you have one and are prepared to use it for work.

All is not lost. It’s possible to set up passcode generation without a phone, using either a hardware key, a free phone app, or a Unix utility.

It’s HOTP

It’s not obvious from the ‘enrollment’ process, but the six-digit codes you get out of the Duo phone app or hardware token are actually (see, e.g., this answer) generated by standard OATH HOTP, which involves a secret, a hash algorithm, and a counter of the number of iterations. So, given the parameters, you can generate them with, say, a free software phone app like Aegis (if you’re interested in free software and avoiding surveillance capitalism like me, you’ll be using de-Googled Android like /e/ if not a GNU/Linux Pinephone, Librem 5, or UBports device), otherwise with something like oathtool, or a suitably programmed hardware key. What you need is essentially the secret shared with Duo. (That the service stores the secret is a weakness of OATH compared with FIDO.)

Note that you can only set up one ‘device’ with a given HOTP secret (unless you have some way of syncing devices, which implies a software ‘device’; perhaps pass with a git commit hook), because the counter state is incremented each time you generate/use a code. You can, however, enrol multiple devices into Duo. (I don’t know if there’s a limit.)

Secrets, the Easy Way

You probably want one of the two easy ways to extract the secret that I didn’t find before using the involved way below.

If you’re going to use a HOTP phone app anyway, you probably want to look at DuOTP. Install an app, like Aegis (Aegis seems the best option, free software or not), install DuOTP, and follow the instructions with your site’s Duo enrolment page in the phone web browser.

If you’re not using the phone, or want to enrol another ‘device’, you can extract a secret using a Python program. Use an appropriate value of start.nyu.edu in the instructions, but you should be able to add another device rather than clobbering an existing one — at least, I could. If you have a packaged python3-pyotp, as Debian 12 does, install that and ignore the first step here: Note that

$ pip3 install pyotp # if you trust a PyPI install...
$ wget https://github.com/simonseo/nyuad-spammer/raw/master/spammer/duo/duo.py
$ # ... give it a once-over for security
$ python3 duo.py <url-to-duo-qr>

pass on That

If you use the ‘standard Unix password manager’ (pass), you might like to store the secret in it and use the OTP extension to generate codes. (If you don’t like the idea of storing 2FA secrets like that, your PGP credentials for pass might be in a hardware token, used through gpg-agent.)

Note pass-otp is broken for HOTP with Bash 5.2+ as of 2023-10.

pass otp does, however, generate a git commit each time, which may warrant squashing.

I haven’t looked into using that, or another mechanism, for VPN access with openconnect, but it is possible to use it with ssh, if you’re expected to use 2FA directly with that (rather than using sane SSO like Kerberos or Smallstep certificates, with which you’d only have to do the 2FA once a day or so), with the aid of sshpass.

Hardware Keys

If, like ours, ‘your’ Duo installation doesn’t allow provisioning hardware keys, and you have a suitable one you’d like to use, you should be able to generate a secret for an extra device, as above, and set up your key according to the relevant instructions. For a Yubikey (other suitable keys are available, as the BBC would say, like free software Nitrokeys, but I originally only had Yubikeys and mostly-FIDO Somus), on Debian there are packages yubikey-manager and yubikey-personalization-gui; with either of those, you want the ‘OATH’ configuration to program one of the slots, not the ‘OTP’ one; if you don’t want to trash the setup for the (proprietary?) Yubico ‘OTP’, it needs to be slot 2.

You should be able to do this with any key which advertises it does ‘OTP’, but not with a (cheaper) FIDO-only one. The new free software and hardware Solo 2 and forthcoming Nitrokey 3 have firmware to store OATH keys, as does Nitrokey Pro, but at least the v0.1.1 CLI for the Solo 2s I recently got rejects a Duo secret. Also there seems to be no way to add PIN protection.

Secrets, the More ‘Interesting’ Way

I originally went the ‘phone app without a phone’ route (on principle). It might be useful in other situations, so here’s how, at least for GNU/Linux. (I don’t know if it’s possible with MS Windows or MacOS.)

You want Anbox (or maybe Waydroid; I don’t know how they compare) and adb — from Debian’s contrib repo in my case, following /usr/share/doc/anbox/README.Debian. After downloading the image and starting the service, fire up Anbox on the desktop to be able to run apps phone-less.

You need the Duo .apk directly downloaded from duo.com, or a .apk for an interface to the ‘Play Store’ (ugh) to install. Alternatively, install Aurora Store and use that to install Duo in Anbox. (You can side-load .apks with adb install from your desktop.)

Go to your site’s Duo enrolment web page and follow the procedure for enrolling a device; select ‘Android tablet’ and get an activation code mailed to you. Open the Duo app in Anbox, select ‘+’ and ‘Duo security enabled account’, paste in the emailed key, and activate it. You could use that setup as-is to generate passcodes, but it’s obviously not convenient.

To use the secret with something else, you need to know how it’s stored. Get an Android shell with /usr/share/anbox/anbox-shell.sh on your desktop, and cat /data/data/com.duosecurity.duomobile/files/duokit/accounts.json. Obviously that’s also where to look (using an adb root shell) if you have the app installed on a phone. (Only if the phone is rooted, unfortunately or not.)

The items you need to enter into your OATH application of choice are otpSecret (probably without any trailing \u003ds; \u003d is the JSON escape for ‘=’, i.e. base32 padding) and counter, both under otpGenerator, where counter is 1 if you haven’t used the app, and the hash algorithm is the default SHA1, after specifying HOTP, obviously.
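As an added example (not the author’s code, and nothing from Duo), here is the HOTP generation described under ‘It’s HOTP’ applied to the accounts.json fields just described, using only the standard library. The sample JSON is constructed: the only keys relied on are otpSecret and counter under otpGenerator, as the page names them; the surrounding list shape and the name key are assumptions, and the emitted otpauth:// URI is the standard key-URI form that Aegis and ‘pass otp insert’ accept.

```python
"""Turn a Duo Mobile accounts.json entry into standard OATH HOTP codes."""
import base64
import hashlib
import hmac
import json
import struct
from urllib.parse import quote

# Constructed sample: only otpSecret and counter under otpGenerator are as the
# page describes; the list wrapper and "name" key are assumptions.  The secret
# here is the RFC 4226 test key "12345678901234567890" in base32.
SAMPLE_ACCOUNTS_JSON = r'''[
  {"name": "Example Org",
   "otpGenerator": {"otpSecret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ\u003d\u003d",
                    "counter": 1}}
]'''

def clean_secret(raw):
    """Drop the trailing padding (literal \\u003d or decoded '='), normalise case,
    then re-pad so base64.b32decode is happy whatever the app left behind."""
    s = raw.replace("\\u003d", "").rstrip("=").upper()
    return s + "=" * (-len(s) % 8)

def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    key = base64.b32decode(clean_secret(secret_b32))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def load_duo_accounts(text):
    """Return (label, unpadded base32 secret, stored counter) per account."""
    return [(a.get("name", "Duo"),
             clean_secret(a["otpGenerator"]["otpSecret"]).rstrip("="),
             int(a["otpGenerator"]["counter"]))
            for a in json.loads(text)]

def otpauth_uri(label, secret, counter):
    """Key URI for import into Aegis or pass-otp: HOTP, SHA1, six digits."""
    return (f"otpauth://hotp/{quote(label)}?secret={secret}"
            f"&counter={counter}&algorithm=SHA1&digits=6")

if __name__ == "__main__":
    for label, secret, counter in load_duo_accounts(SAMPLE_ACCOUNTS_JSON):
        print(otpauth_uri(label, secret, counter))
        print("code at stored counter:", hotp(secret, counter))
```

The counter is used exactly as stored; after each code you hand to Duo, increment it in whatever you imported the URI into, since the shared state only moves forward.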

Involved, but amusing, and the general technique might be more widely useful.