Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

The usability of Duo Security's SSH two-factor and PAM two-factor make Google MFA look like an early beta of Microsoft Bob.

It's already in the most popular repos. It's used by the likes of NASA, Facebook, Box, Arbor Networks, Internet2, Twilio, Yelp, etc.

https://www.duosecurity.com/docs/duounix



Google Autenticator can't be bypassed by someone with access to Google's systems. Duo's two factor auth can be bypassed by someone with access to Duo's systems.

For what it's worth, I agree that Duo has better usability, and is probably the better solution in most cases. TOTP is the more paranoid option.


I believe that Google Authenticator uses TOTP. Six digit HMAC-SHA1 TOTP from a base32 encoded secret using a 30 second timestep. At least, that has been my experience. I wrote an OATH client and it works with Google Authenticator using those parameters. https://github.com/w8rbt/oathgen

Duo supports this as well (and also other TOTP/HOTP modes). If you have access to a Duo account, look at the 'Import Hardware Tokens' feature under 'Devices'. That's not named accurately. Really it should be named, 'Import TOTP/HOTP secrets' as that's what they ask you to import and those secrets can be used in OATH compliant HW fobs or any software that does standard TOTP/HOTP. They also allow you to import Yubikeys as well if you like (of course, that's not OATH).


TOTP relies on a shared secret. With Google Authenticator, the secret is shared between your phone and the SSH server you're logging into. With Duo, the secret is shared between your phone and Duo's API backend; the server has no independent way of authenticating it.


> Duo's two factor auth can be bypassed by someone with access to Duo's systems. This is interesting... why?


Use the source, Luke: https://github.com/duosecurity/duo_unix/blob/master/lib/duo....

Authorization is done by making a POST request to a Duo-controlled server. If the response is the string "allow", it lets you in; if it's "deny", it doesn't. Duo can make that server return whatever they want.


Duo Security looks nice - but don't you run the risk of getting locked out from your own servers if Duo is unavailable or suddenly closes down?

What's the contingency?


You can either use offline (SMS) codes or you can configure that it allows you to connect without duo if the system is offline.


How is SMS offline? If Duo isn't there, where is the SMS coming from?


Sorry for the late reply. You can basically set up to send yourself an SMS with codes that you can use offline I think. Actually, I am not quite sure if they would work offline. So I think you are right. Sorry.


The app still generates offline codes as a backup, iirc.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: