Closed Bug 1238628 Opened 8 years ago Closed 6 years ago

MFA can be SFA :) Using firefox for android on the same phone I use duo push

Categories

(Infrastructure & Operations :: Multi-Factor Authentication, task)

Type: task
Priority: Not set
Severity: normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: jmaher, Unassigned)

Details

I was checking my email on my phone using Firefox for Android. This works great, but now with MFA, I needed to SSO via Okta and use Duo Push (which is all I have set up). Now I have a single device where I can get my email and very quickly approve it.

How would this really work if I was mobile and needed a second device? A YubiKey won't work on my phone; should we require folks to carry a second phone?

While this sounds like a rare case, it still breaks the entire purpose of MFA. I can log into all my Workday, wiki, Bugzilla, Gmail on my phone with a browser, and many times I do that. If my phone was lost or stolen, then all access is theoretically granted to the daredevil thief.

Is this a concern? It seems like a big hole, and on a tablet device I could have a more useful experience using Bugzilla, having a full keyboard and larger screen.

We recommend using separate devices and/or at least having a dedicated hardware solution (such as a strong TPM implementation) to store the 2nd factor.

AFAIK YubiKeys work on newer iPhones and nearly all Android devices, though you could potentially use a small standalone OTP generator and expense it; see https://duo.com/product/trusted-users/two-factor-authentication/authentication-methods/security-tokens for some examples.
Status: NEW → RESOLVED
Closed: 6 years ago
QA Contact: jbryner
Resolution: --- → WORKSFORME
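The gap the reporter describes, where the password login and the push approval both come from one phone, is something a defender can look for in authentication logs. The following is an added example written for this page; it is not Mozilla's, Okta's or Duo's code. It assumes a constructed key=value log line format and a stable device identifier present on both the primary-factor event and the push approval, which is an assumption: real Okta and Duo logs use different fields, and the identifier would have to be mapped from whatever device attribute those logs carry.

```python
"""Flag MFA approvals where the second factor came from the same device
as the primary login, collapsing MFA to a single factor.

Example code for this bug thread, not the project's own. The log format
and device identifiers below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample log lines. The key=value layout is an assumption for
# this example, not the format Okta or Duo actually emit.
SAMPLE_LOG = """\
2016-01-11T10:00:00Z user=jmaher factor=password device=phone-1 result=ok
2016-01-11T10:00:07Z user=jmaher factor=push device=phone-1 result=approved
2016-01-11T10:05:00Z user=asmith factor=password device=laptop-2 result=ok
2016-01-11T10:05:04Z user=asmith factor=push device=phone-3 result=approved
2016-01-11T11:00:00Z user=jmaher factor=password device=tablet-4 result=ok
2016-01-11T11:00:30Z user=jmaher factor=push device=phone-1 result=approved
2016-01-11T12:00:00Z user=bwong factor=password device=phone-5 result=ok
2016-01-11T12:10:00Z user=bwong factor=push device=phone-5 result=approved
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    factor: str   # "password" (primary factor) or "push" (second factor)
    device: str   # identifier of the device that produced the event (assumed)
    result: str


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed '<timestamp> k=v k=v ...' log line."""
    stamp, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, kv["user"], kv["factor"], kv["device"], kv["result"])


def parse_log(text: str) -> List[AuthEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def single_device_mfa(events: List[AuthEvent], window_s: int = 120) -> List[Tuple[str, str, str]]:
    """Return (user, device, push timestamp) for each push approval whose
    most recent successful primary login, within window_s seconds, came
    from the same device identifier.

    A push that follows the password login by more than window_s is not
    paired with it, so it is neither flagged nor treated as evidence of
    separate devices; it simply has no matching primary event.
    """
    findings: List[Tuple[str, str, str]] = []
    last_primary: Dict[str, AuthEvent] = {}  # user -> latest successful password event
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.factor == "password" and e.result == "ok":
            last_primary[e.user] = e
        elif e.factor == "push" and e.result == "approved":
            primary = last_primary.get(e.user)
            if primary is None:
                continue
            if (e.ts - primary.ts).total_seconds() > window_s:
                continue
            if primary.device == e.device:
                findings.append((e.user, e.device, e.ts.isoformat()))
    return findings


if __name__ == "__main__":
    for user, device, when in single_device_mfa(parse_log(SAMPLE_LOG)):
        print(f"{when}: {user} satisfied both factors from {device}")
```

In the constructed sample only the first jmaher pair is reported: the second jmaher login comes from a tablet with the push on the phone, asmith uses a laptop and a phone, and bwong's approval falls outside the 120-second pairing window. Such a report is a detection aid for the policy the thread recommends (a separate device or hardware token for the second factor); it cannot by itself prove the two events came from different physical devices if the identifiers are not reliable.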