by Jarwain 3444 days ago
It was probably the worst way they could have implemented 2FA; we're still vulnerable to a MITM attack.

One of the more annoying things is that the codes are sent from a random 386 number. Out of the 7+ texts I've received thus far, only 2 were from the same number.

Apparently the company they're using is named https://duo.com/

3 comments

That's odd, we use Duo at work and it's great. Every user is configured to get a push notification directly to the device, which bypasses the issues with SMS.

That requires the user to use the Duo app though, right?

I don't recall whether I had the option to use the app when I enabled MFA initially. However, after the fact, and as far as I can find, I cannot go back and enable the app.

That's correct; of course, without having the app installed there is no option other than SMS or a hardware token.

I remember that configuring this is tricky, but I did eventually get user self-enrollment configured with push being the default. Happy to dig more into my config if you're curious: gabe@untapt.com

Totally curious, unfortunately it'd probably go in one eye and out the other since I'm not involved in the Uni's implementation.

Huh, I've heard good things about Duo. They're not a nobody at any rate.

We have security experts developing 2FA techniques, and then we have these sort of people.