by floatingatoll 2471 days ago
To explain what's going on here for the unaware —

1) Duo is a commercial service that offers multi-factor authentication through a variety of means, one of which is the Phone Call.

2) This site lets you register them as your Duo phone number, when demanded to do so by someone who's trying to protect your high-value access from being hijacked (such as your employer).

3) This site provides you a phone number that auto-accepts all Duo authentication requests, even if you're asleep, offline, or otherwise not authorizing the hacking activity.

4) This site has zero contact information and accountability, and could very well be backed by a black market site that offers hackers lookup access for any Duo phone number for $50/number.

NOTE: I, personally, would absolutely push to fire anyone I found using this, no matter where I worked.
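One defensive response to points 3 and 4 above is to audit the phone inventory an admin can pull from Duo: a single number registered against many unrelated users, a number on a denylist, or a user whose only enrolled factor is a voice call are all worth a look. The script below is an added example, not from this thread or from Duo; the record layout mirrors what the Duo Admin API phones endpoint returns, but the field names, the sample records and the denylist values are constructed placeholders.

```python
"""Audit a Duo-style phone inventory for shared or call-only numbers."""
from collections import defaultdict

# Constructed sample records (assumed field names, not a real export).
# Three users share one landline, which is the pattern a shared
# auto-accept number would produce.
SAMPLE_PHONES = [
    {"phone_id": "DP1", "number": "+15550001001", "type": "mobile",
     "capabilities": ["push", "sms", "phone"], "users": [{"username": "alice"}]},
    {"phone_id": "DP2", "number": "+15550009999", "type": "landline",
     "capabilities": ["phone"], "users": [{"username": "bob"}]},
    {"phone_id": "DP3", "number": "+1 (555) 000-9999", "type": "landline",
     "capabilities": ["phone"], "users": [{"username": "carol"}]},
    {"phone_id": "DP4", "number": "+15550009999", "type": "landline",
     "capabilities": ["phone"], "users": [{"username": "dave"}]},
    {"phone_id": "DP5", "number": "+15550002002", "type": "mobile",
     "capabilities": ["push", "phone"], "users": [{"username": "erin"}]},
]

# Placeholder denylist of numbers an org has decided not to trust.
KNOWN_AUTO_ACCEPT = {"+15550007777"}  # placeholder value only


def normalize(number: str) -> str:
    """Digits only, so '+1 (555) 000-9999' and '+15550009999' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def audit_phones(phones, denylist=KNOWN_AUTO_ACCEPT, share_threshold=2):
    """Return users on denylisted numbers, numbers shared by at least
    share_threshold distinct users, and users whose phone only does call/SMS."""
    deny = {normalize(n) for n in denylist}
    by_number = defaultdict(set)
    findings = {"denylisted": [], "shared": {}, "call_only": []}
    for p in phones:
        num = normalize(p["number"])
        users = {u["username"] for u in p.get("users", [])}
        by_number[num] |= users
        if num in deny:
            findings["denylisted"].extend(sorted(users))
        caps = set(p.get("capabilities", []))
        if caps and caps <= {"phone", "sms"}:  # no push/OTP capability at all
            findings["call_only"].extend(sorted(users))
    for num, users in by_number.items():
        if len(users) >= share_threshold:
            findings["shared"][num] = sorted(users)
    return findings


if __name__ == "__main__":
    print(audit_phones(SAMPLE_PHONES))
```

The shared-number and call-only lists are leads for review, not proof of misuse; a family landline or a help-desk number will trip the same check.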


It would help if Duo wasn't a closed off trash fire that no one should be forced to use. I'm not condoning bypassing it if it's something your employer has required, but there's really no excuse for not supporting an open method like TOTP and/or security keys.
If it were free, I'd be pretty tempted to use it, and hope somebody would notice my protest. Duo is thrust upon me by my university. I don't want to install Duo's proprietary app for receiving pushes or generating codes (I effectively can't anyway because my phone is de-Googled), and getting cell reception to receive their call can be difficult in some buildings. The other day it took three calls until the system detected my DTMF press, maybe because I was sitting next to a loud fan.

I dabbled at reversing their Android app, but I saw some references to key rotation and got disheartened -- I don't want to spend man-weeks on this. I was hoping to see some URL I could hit and just get a TOTP secret.

To my uni's credit, they offer support for hardware tokens, and maybe someday I'll get sick enough of the phone calls to start carrying one of those around.

Edit: Thanks to commenters in sibling threads with possible solutions to extracting the secret.

It's free for up to 10 users. I actually use it on some of my machines, with the call-back features disabled.

There should be a URL that gives you a QR code for the TOTP/DuoPush enrollment.

Parent means the DontDuo service isn't free, not Duo itself.
Duo supports TOTP and U2F; it also now supports Touch ID on new Macs, which makes it fairly easy to use.

I can get that the phone part is annoying, but Duo Push/TOTP and now Touch ID are probably the smoothest MFA solution for the enterprise I have ever used.

It doesn't support these at my institution. Maybe they haven't rolled out this version? (Technically you can get U2F to work, but they have a bright red warning that says it's unsupported when you do that.)
IT admins at your org can enable or disable 2FA methods allowed via the Duo administration console. Many US edus disable TOTP.
I think because they don’t want to deal with supporting the app and (almost) everyone has a phone that can receive calls.
How does this problem relate to the post topic at hand? I can’t find the connection between “Duo doesn’t support TOTP and security keys” and “Duo phone method bypass for $4/mo”.

(Incidentally, Duo does support OATH-TOTP and Yubikeys in native mode.)

It's related because it's very easy to empathize with people wanting to bypass Duo, when Duo is a crappy proprietary app built on top of an open standard that people are forced to use.

Your "incidentally" comment is actually important: organizations have to enable these additional auth methods; mine does not support TOTP. If it was the case that people weren't forced to either answer the phone or use a crappy app to log in (and own a smartphone), there would be much less impetus to bypass it. The point is not bypassing 2FA. The point is bypassing Duo.

Who on earth thought this was a good idea, at any level?
You have an entire industry-ideology that says, "build things that people want and turn those wants into needs full stop". No mention of ethics at all [1]. Is it really surprising to see startups with blatant disregard for security and ethics?

[1] http://paulgraham.com/start.html

I, personally, would absolutely push to fire anyone who thinks that phone calls (or SMS) are reasonable second factors.