remove the duo mobile client from suggested apps due to its lack of handling of expired codes

RESOLVED FIXED


People

(Reporter: glob, Assigned: glob)

Tracking

Production

Firefox Tracking Flags

(Not tracked)

Details

(Assignee)

Description

4 years ago
the duo mobile client doesn't appear to work with our totp implementation.

i'll investigate and if there isn't a quick fix i'll remove it from the recommend client list.

we plan on adding native duo 2fa in bug 1199089.
(Assignee)

Comment 1

4 years ago
this works, however there's a significant issue with how the duo mobile app displays the code:

each code is valid for a period of 30 seconds, however that time doesn't start at the point of registration.  this means it's possible for a code to be generated and then invalidated within a few seconds as totp rolls over to the next 30 second block.

google's app displays a pie chart as a countdown, and will update the displayed code when it expires.

duo's app displays the initial code, but does not update the displayed code when it expires, nor does it provide any indication that the visible code is about to, or has, expired.

i'll remove it from the list of suggested apps.
(Assignee)

Comment 2

4 years ago
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   3eec411..9c2c816  master -> master
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Summary: the duo mobile client doesn't appear to work with our totp implementation → remove the duo mobile client from suggested apps due to its lack of handling of expired codes
Comment 3

That's pretty awful! I wonder if we can get whomever deals with them for Duo to get them to fix this - to save people having to use two apps. I've also left a comment in bug 1173553.
(Assignee)

Comment 4

4 years ago
i've just fixed bug 1201422, which extends our valid code period by +/- 30 seconds, which should help deal with this (note that as of the time of this comment that fix hasn't landed on production yet).
Comment 5

Spoke with Duo - Duo mobile does NOT support TOTP, so these are seen as HOTP. This explains the UI and so on.
Note: the duo service itself DOES support TOTP, it's only the mobile app that does not support it right now.
(Assignee)

Comment 6

4 years ago
the qr code identifies itself as totp, and i've definitely used their app to log in to bugzilla.  they should probably reject totp urls if they don't support it.