by warhorse10_9 2471 days ago
This is a horrible idea. I just can't. Why does this service even exist? I seriously hope Duo figures out the numbers this site is using and blacklists them.
5 comments

I think the point is that relying on phone calls and DTMF tones for two factor authentication is trivial to bypass. Anyone can record DTMF tones in a voicemail message and forward calls to that number.
"Anyone can record DTMF tones in a voicemail message and forward calls to that number."

I have never used "Duo" and it has taken me a few reads of this to understand exactly what this is, but I think it's worth pointing out that your own personal 'dontduo' service would be trivially simple to set up in a simple TwiML bin at Twilio.

I think it would look something like this:

  <?xml version="1.0" encoding="UTF-8"?>
  <Response>
    <!-- TwiML verbs are case-sensitive: it is <Play>, not <play>.
         "w" inserts a 0.5s pause between DTMF tones. -->
    <Play digits="1w2w3w4"></Play>
    <Hangup />
  </Response>
"Include w to introduce a 0.5s pause between DTMF tones. For example, 1w2 will tell Twilio to pause 0.5s before playing DTMF tone 2. To include 1s of pause, simply add ww."

https://www.twilio.com/docs/voice/twiml/play#attributes-digi...

What do you mean trivial to bypass? If I have an account secured with a password and with Duo, then I give you my password, can you get into my account? How?
A "SIM hijacking" attack is where an attacker calls your phone company and pretends to be you. They claim to have lost their phone, and get a new SIM card issued to them with your phone number. When they put the SIM in their phone, the Duo authentication message goes to their phone instead of yours.

Any 2-factor system based on the phone system is no more secure than your phone company's willingness to give away your phone number, and they're usually pretty willing. I actually had this happen to me, in a benign way: when my employer started paying my phone bill, they transferred my phone number from my personal plan on one carrier to the company plan with a different carrier. Somebody at the office just handed me a new SIM card and told me my old SIM didn't work anymore. It required no interaction on my part to transfer my number to a new plan with a new company. That's apparently just normal procedure.

I worked at a VoIP company and we were once slammed by another VoIP company who stole a block of 1500 of our phone numbers. It took 3 days to get them back.

POTS telephones are a mess and should just be deprecated.

This is brilliant! BRB gonna set that up right now.

2FA is one of those things that is nice when you want it but a huge PITA when it’s forced on you.

To prove to you that PSTN based 2FA is never a reasonable idea.
What is a reasonable idea when your adversary is the user?

How do you give a person secret knowledge that they need to provide you to authenticate but can’t provide to something else?

TPMs built into managed devices; USB hardware tokens for others.
I agree, this is a site that shouldn't exist; it's a security disaster. Duo should blacklist all their numbers. One easy way would be to detect which accounts consistently confirm instantly; since humans can't do that, those accounts almost certainly must be connected to a subverting bot like this.
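The detection idea in the comment above (flag accounts whose phone-call approvals arrive faster than a human listening to the prompt could manage) as an added worked example; this is not code from the original thread or from Duo. The log format, field names, and thresholds are assumptions for illustration, and the sample log lines are constructed. A TwiML bin that auto-plays DTMF answers within a few hundred milliseconds of the call being answered, every time; a person has to hear the prompt first, so their latency is several seconds and varies.

```python
"""Flag phone-call 2FA accounts whose approvals are consistently instant.

Assumed (hypothetical) log format, one event per line:
    <ISO-8601 UTC timestamp> user=<name> call=<id> event=<call_answered|dtmf_received> [digits=<n>]
This is not Duo's real log schema; adapt the regex to the real source.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample log: alice answers like a human (4-6 s), bob answers like a
# TwiML bot (~0.2 s, every time), carol is fast but has too few calls to judge,
# dave's DTMF has no matching call_answered event and is ignored.
SAMPLE_LOG = """\
2019-01-10T09:00:00.000Z user=alice call=c1 event=call_answered
2019-01-10T09:00:04.800Z user=alice call=c1 event=dtmf_received digits=1
2019-01-10T13:30:00.000Z user=alice call=c2 event=call_answered
2019-01-10T13:30:06.100Z user=alice call=c2 event=dtmf_received digits=1
2019-01-11T08:15:00.000Z user=alice call=c3 event=call_answered
2019-01-11T08:15:05.300Z user=alice call=c3 event=dtmf_received digits=1
2019-01-10T09:01:00.000Z user=bob call=c4 event=call_answered
2019-01-10T09:01:00.200Z user=bob call=c4 event=dtmf_received digits=1
2019-01-10T10:01:00.000Z user=bob call=c5 event=call_answered
2019-01-10T10:01:00.300Z user=bob call=c5 event=dtmf_received digits=1
2019-01-10T11:01:00.000Z user=bob call=c6 event=call_answered
2019-01-10T11:01:00.200Z user=bob call=c6 event=dtmf_received digits=1
2019-01-10T12:01:00.000Z user=bob call=c7 event=call_answered
2019-01-10T12:01:00.250Z user=bob call=c7 event=dtmf_received digits=1
2019-01-10T12:05:00.000Z user=carol call=c8 event=call_answered
2019-01-10T12:05:00.100Z user=carol call=c8 event=dtmf_received digits=1
2019-01-10T12:09:00.500Z user=dave call=c9 event=dtmf_received digits=1
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) call=(?P<call>\S+) event=(?P<event>\S+)"
)


def parse_ts(text):
    """Parse the assumed ISO-8601 UTC timestamp with millisecond precision."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def approval_latencies(log_text):
    """Return {user: [seconds from call_answered to dtmf_received, ...]}.

    Events are paired by call id, so an approval with no matching answer
    event (or a malformed line) is skipped rather than miscounted.
    """
    answered = {}                 # call id -> (user, time the call was answered)
    latencies = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        if m["event"] == "call_answered":
            answered[m["call"]] = (m["user"], ts)
        elif m["event"] == "dtmf_received" and m["call"] in answered:
            user, t0 = answered.pop(m["call"])
            latencies[user].append((ts - t0).total_seconds())
    return dict(latencies)


def flag_instant_approvers(latencies, max_median_s=1.0, min_calls=3):
    """Return {user: median latency} for users who approve faster than a human could.

    Thresholds are assumptions: a human must at least hear the prompt, so a
    median under one second across several calls, with no slow outlier, is
    the signature of an auto-responder. min_calls avoids flagging someone who
    happened to mash a key quickly once.
    """
    flagged = {}
    for user, vals in latencies.items():
        if len(vals) < min_calls:
            continue
        med = median(vals)
        if med < max_median_s and max(vals) < 2 * max_median_s:
            flagged[user] = round(med, 3)
    return flagged


if __name__ == "__main__":
    lat = approval_latencies(SAMPLE_LOG)
    for user, vals in sorted(lat.items()):
        print(f"{user}: {len(vals)} calls, median {median(vals):.3f}s")
    print("flagged:", flag_instant_approvers(lat))
```

On the constructed sample only bob is flagged: alice's approvals take 4.8 to 6.1 seconds, carol has only two calls, and dave's stray DTMF event has no answered call to pair with. In a real deployment the pairing key and thresholds would come from the actual call records, and a flag should trigger review rather than an automatic lockout, since a user with a recorded-DTMF voicemail looks identical to this in the logs.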
I mean it’s really no different than a password manager that stores both your password and your OTP key.
Those are strong words for a service that claims to save 3 frustrating hours a month. Let it be, it's how capitalism works — solving needs, no matter how tiny.

Pretty sure a dev made this for themself and decided to share

Having lived under a terrible bureaucracy that rolled out Duo to everything, but made sure to set it up so that every. single. auth. required entering credentials and 2FA, and expired all sessions every 12 hours, I would have paid anything to get around it.

Services like Duo and Okta are enabling your least favorite IT admin to put users in ‘S’SO hell.