- Download the binary or compile it yourself
- Audit the code, reverse the binary (seriously, don't just trust me)
- Go to the website that manages 2FA
  - e.g. not-start-portal, not-some-university portals
- Add a new tablet
  - Just choose Android (you are gonna use a different 2FA client anyway)
  - Do not scan the QR code. Choose the option which sends the activation link to your email (don't open the link on your phone with Duo installed either)
  - The continue button is disabled, for now
- In your email, you should see a link of the form `https://m-xxxxxxxx.duosecurity.com/android/XXXXXXXXXXXXXXXXXXXX`
  - If you don't, just click on the link and check the URL bar
- Copy it
- Run the application (in the `bin` directory)
- Paste the link in
- Wait
- Click continue on the web page (it should be enabled if everything so far is correct)
- Copy the secret key and use it with whatever authenticator you want. (Note: Duo uses counter-based HOTP)
  - Example: you can use this extension in browser
    - Edit -> Manual Entry
    - Counter based; name = anything; secret is the HOTP secret you get from the app
    - Done. You can get your passcode right in your browser
No. Just like the Duo app. (You should not use the browser extension, by the way; but if you do, set a password and/or encrypt sensitive data.)

Duo allows using FIDO devices for 2FA (that is actually more secure than using phones, tbh). It also supports Touch ID (only Apple and Chrome). However, I am broke. Another solution supporting all platforms is using a U2F emulation, then adding the emulated U2F device to Duo:
- Linux: https://github.com/danstiner/rust-u2f (remember to set udev rules depending on your distro)
- Win: https://github.com/SoftU2F/SoftU2F-Win
- Mac: https://github.com/github/SoftU2F
The POST request is constructed without any reverse engineering involved. NYU Duo 2FA uses HOTP: counter based, with the SHA-1 hash function.
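As an added illustration of the counter-based HOTP the exported secret is used with (this is not the project's own code): an RFC 4226 generator with HMAC-SHA1, the base32 decoding an authenticator app does on a pasted secret, and a server-side check with a resynchronisation window. The secret and its base32 form are the RFC 4226 test values; the window size is an assumption, not Duo's actual setting.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp_from_base32(secret_b32: str, counter: int) -> str:
    """Authenticator apps usually take the secret as base32 (spaces and
    missing '=' padding tolerated); decode it before computing the code."""
    cleaned = secret_b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return hotp(base64.b32decode(cleaned), counter)


def verify(secret: bytes, code: str, server_counter: int, look_ahead: int = 10):
    """Server-side check with a look-ahead window (RFC 4226 section 7.4).
    A client that generated codes the server never saw drifts ahead; the
    window absorbs that drift. Codes at or below the stored counter are
    rejected, so a code can never be replayed. Returns the new server
    counter on success, None on failure. The window size is an assumption."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret (constructed input, not a real key).
    secret = b"12345678901234567890"
    secret_b32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    for counter in range(3):
        print(counter, hotp(secret, counter), hotp_from_base32(secret_b32, counter))
    # A client that skipped ahead to counter 4 is still accepted from 0 ...
    print("resync ->", verify(secret, hotp(secret, 4), 0))
    # ... but the same code cannot be used again once the server is past it.
    print("replay  ->", verify(secret, hotp(secret, 4), 5))
```

Two authenticators loaded with the same secret keep separate counters, so whichever one lags behind starts producing codes the server has already consumed.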