Add Google Authenticator compatible QR/code generator to login.mozilla.com Duo setup workflow

RESOLVED DUPLICATE of bug 1173553

Status

Infrastructure & Operations
Infrastructure: Other
4 years ago
3 years ago

People

(Reporter: emorley, Unassigned)

(Reporter)

Description

4 years ago
In bug 1065644, I started Duo enrolment to see what it involved - however found that you had to install another app in order to use it. It would be great if we could support the Google Authenticator style codes, seeing as many sites now support it in addition to Google's own services (e.g. GitHub, Facebook, several password managers).

Also, seeing as Mozilla will be switching to Google Apps more later this year, a large proportion of employees will (hopefully) be using Google Authenticator.

It's also worth noting that there is a Google Authenticator app for Firefox OS, but not a Duo app.

Comment 1

We do support GAuth/etc. (and in fact, the Duo app does as well - the key icon generates numeric tokens when your phone doesn't have push, for both Duo and OATH-_OTP aka GAuth tokens). This has to be provisioned upon request, though.

(I personally verified around a month ago that the authenticator for Firefox OS app works for us.)
(Reporter)

Comment 2

4 years ago
(In reply to Richard Soderberg [:atoll] from comment #1)
> We do support GAuth/etc.

How do I set this up without installing the app? :-)
Flags: needinfo?(limed)
Flags: needinfo?(limed) → needinfo?(jdow)

Comment 3

4 years ago
There are docs here, http://guide.duosecurity.com/third-party-accounts, sort of. Basically, when you enable MFA on your account you will do it using your phone number first. Once you have it all set up you can click "Use app" and it will generate a QR code for you; use the Duo app to scan the QR code to add it.

Comment 4

4 years ago
Also, there is https://marketplace.firefox.com/app/firekey for FirefoxOS, which supposedly supports Duo now, but I'm not really sure all the variations on how to get things rolling, since I just use the Duo app.
Flags: needinfo?(jdow)
(Reporter)

Comment 5

4 years ago
(In reply to Ed Lim [:limed] from comment #3)
> There are docs here http://guide.duosecurity.com/third-party-accounts sort
> of, basically when you enable mfa on your account you will do it using your
> phone number first. Once you have it all setup you can click "Use app" and
> it will generate a QR code for you, use the duo app to scan the QR code to
> add it

This guide doesn't help unfortunately, it only explains how to add your google-authenticator style codes to the Duo app, whereas this bug is about the reverse.

Comment 6

4 years ago
:kang: can you help with this? I'm not familiar with this beyond using the Duo app.
Flags: needinfo?(gdestuynder)

Comment 7

There are 2 ways you can use Google Authenticator with Duo. Neither is easy right now, but they do work.

Methods
--------

1) "easiest"
You'll need the command line openssl tool and the OATH toolkit (http://www.nongnu.org/oath-toolkit/). This is command line stuff.

Ensure you are enrolled with Duo.
Once enrolled, add a new TOTP:
- Go to https://login.mozilla.com/duo_add_hardware_token/
- Click the drop down, select TOTP-6 hardware token
- As serial put your phone number followed by a number (really this can be an arbitrary serial number right now... it just ensures it's unique) such as 41557015571
- As counter enter 30. For TOTP it means 30s window.
- Enter a secret you generate via the command "openssl rand -hex 12" (this is your TOTP secret and thus should be handled like a password)
- Convert the secret to base32 (i.e. Google Authenticator non-standard standard ;) via the command "oathtool -v your-secret". This will print something like:

oathtool -v 1530ed1c7d1b395b1f6a6ca3 # Do not use this secret !
Hex secret: 1530ed1c7d1b395b1f6a6ca3
Base32 secret: CUYO2HD5DM4VWH3KNSRQ====
Digits: 6
Window size: 0
Start counter: 0x0 (0)

611775

- Go to Google authenticator, select Add an account, and then Enter provided key.
- Type any account name you want and enter the base32 secret as key (CUYO2HD5DM4VWH3KNSRQ==== in the example)
- Make sure the drop down in Google authenticator says Time based
- Press add. done.

2) during enrollment, you can read the QR code with a regular QR code reader, convert it to base32 and use it like the above.


How to make this easier?
=========================
1) you can use a Yubikey or DuoPush directly. To be honest I find the Yubikey to be much more convenient, but this depends on your use case a bit. Note that Duo supports using all of them at the same time anyway.

2) modify the web interface on login.mozilla.com for non-yubikey tokens so that:
- Serial is auto generated and not prompted from the user
- Counter is auto set to 30 for TOTP, 0 for HOTP - and not prompted from the user
- One or two QR codes are provided with an automatically generated secret, the QR codes have to be Google Authenticator compatible (base32 secret value) and OATH standard compatible (hex secret value) (+ also have them displayed as text, with instructions to either scan the correct QR code (saying which is for GA and which is for everything else) or enter the secret by hand)
Flags: needinfo?(gdestuynder)
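
The steps from comment 7 in code form, as an added example that is not part of the original thread and is not login.mozilla.com's or Duo's code: it converts the hex secret to the base32 form Google Authenticator takes, computes and verifies RFC 6238 codes, and builds the otpauth:// URI a QR code would carry. The account and issuer names are placeholders, and the otpauth Key URI Format is an assumption for the QR payload, since the thread does not name one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote, urlencode


def hex_to_base32(hex_secret):
    """Hex secret (OATH tools form) -> base32 secret (Google Authenticator form)."""
    return base64.b32encode(bytes.fromhex(hex_secret)).decode("ascii")


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key, unix_time, period=30, digits=6):
    """RFC 6238: HOTP with counter = number of `period`-second steps since epoch."""
    return hotp(key, int(unix_time) // period, digits)


def verify(key, code, unix_time, period=30, window=1):
    """Accept the current step +/- `window` steps of clock drift, constant-time."""
    step = int(unix_time) // period
    ok = False
    for c in range(max(0, step - window), step + window + 1):
        ok |= hmac.compare_digest(hotp(key, c), code)
    return ok


def new_enrollment(account, issuer, period=30):
    """Generate the secret server-side and return every form the user may need."""
    hex_secret = secrets.token_hex(12)  # same size as `openssl rand -hex 12`
    b32 = hex_to_base32(hex_secret)
    # Assumption: Key URI Format payload; it omits the base32 '=' padding.
    query = urlencode({"secret": b32.rstrip("="), "issuer": issuer,
                       "digits": 6, "period": period})
    uri = "otpauth://totp/" + quote(issuer + ":" + account) + "?" + query
    return {"hex": hex_secret, "base32": b32, "otpauth_uri": uri}
```

hex_to_base32("1530ed1c7d1b395b1f6a6ca3") returns the CUYO2HD5DM4VWH3KNSRQ==== value shown in comment 7.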
(Reporter)

Comment 8

4 years ago
Thank you for that! :-)

Morphing bug to be about:

(In reply to Guillaume Destuynder [:kang] from comment #7)
> 2) modify the web interface on login.mozilla.com for non-yubikey tokens so
> that:
> - Serial is auto generated and not prompted from the user
> - Counter is auto set to 30 for TOTP, 0 for HOTP - and not prompted from the
> user
> - One or two QR codes are provided with an automatically generated secret,
> the QR codes have to be Google Authenticator compatible (base32 secret
> value) and OATH standard compatible (hex secret value) (+ also have them
> displayed as text, with instruction to either scan the correct QR code
> (saying which is for GA which is for everything else) either enter secret by
> hand)
Summary: Mozilla 2FA/Duo should support Google Authenticator compatible codes → Add Google Authenticator compatible QR code generator to login.mozilla.com Duo setup workflow
(Reporter)

Updated

4 years ago
Summary: Add Google Authenticator compatible QR code generator to login.mozilla.com Duo setup workflow → Add Google Authenticator compatible QR/code generator to login.mozilla.com Duo setup workflow

Comment 9

4 years ago
(In reply to Ed Morley [:edmorley] from comment #8)
> - One or two QR codes are provided with an automatically generated secret,
> the QR codes have to be Google Authenticator compatible (base32 secret
> value) and OATH standard compatible (hex secret value) (+ also have them
> displayed as text, with instruction to either scan the correct QR code
> (saying which is for GA which is for everything else) either enter secret by
> hand)
Could the SQRL (Secure Quick Reliable Login) protocol be allowed here optionally? See
https://www.grc.com/sqrl/sqrl.htm
(Reporter)

Comment 10

3 years ago
This was fixed as part of bug 1173553.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1173553