MFA can be SFA :) Using firefox for android on the same phone I use duo push

RESOLVED WORKSFORME

Status

Infrastructure & Operations
Multi-Factor Authentication
RESOLVED WORKSFORME
2 years ago
15 days ago

People

(Reporter: jmaher, Unassigned)

Tracking

Details

(Reporter)

Description

2 years ago
I was checking my email on my phone using firefox for android.  this works great, but now with MFA, I needed to SSO via okta and use DUO Push (which is all I have setup).  Now I have a single device where I can get my email and very quickly approve it.

How would this really work if I was mobile and needed a second device?  A yubi-key won't work on my phone, should we require folks to carry a second phone?  

While this sounds like a rare case, it still breaks the entire purpose of MFA.  I can log into all my workday, wiki, bugzilla, gmail on my phone with a browser and many times I do that.  If my phone was lost or stolen then all access is theoretically granted to the daredevil thief.

Is this a concern?  It seems like a big hole and on a tablet device, I could have a more useful experience for using bugzilla as having a full keyboard and larger screen.
we recommend using separate devices and/or at least having a dedicated hardware solution (such as a strong TPM implementation) to store the 2nd factor
AFAIK yubikeys work on newer iphones and nearly all android devices, though you could potentially use a small standalone OTP generator and expense it, see https://duo.com/product/trusted-users/two-factor-authentication/authentication-methods/security-tokens for some examples
Status: NEW → RESOLVED
Last Resolved: 15 days ago
QA Contact: jbryner
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.