Closed Bug 1201116 Opened 9 years ago Closed 9 years ago

remove the duo mobile client from suggested apps due to its lack of handling of expired codes

Categories

(bugzilla.mozilla.org :: General, defect)

RESOLVED FIXED

People

(Reporter: glob, Assigned: glob)

the duo mobile client doesn't appear to work with our totp implementation.

i'll investigate and if there isn't a quick fix i'll remove it from the recommend client list.

we plan on adding native duo 2fa in bug 1199089.

this works, however there's a significant issue with how the duo mobile app handles the code:

each code is valid for a period of 30 seconds, however that time doesn't start at the point of registration. this means it's possible for a code to be generated and then invalidated within a few seconds as totp rolls over to the next 30 second block.

google's app displays a pie chart as a countdown, and will update the displayed code when it expires.

duo's app displays the initial code, but does not update the displayed code when it expires, nor does it provide any indication that the visible code is about to, or has, expired.

i'll remove it from the list of suggested apps.

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   3eec411..9c2c816  master -> master
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Summary: the duo mobile client doesn't appear to work with our totp implementation → remove the duo mobile client from suggested apps due to its lack of handling of expired codes

That's pretty awful! I wonder if we can get whoever deals with them for Duo to get them to fix this - to save people having to use two apps. I've also left a comment in bug 1173553.

i've just fixed bug 1201422, which extends our valid code period by +/- 30 seconds, which should help deal with this (note that as of the time of this comment that fix hasn't landed on production yet).
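The rollover problem described in the comments above and the +/- 30 second tolerance from bug 1201422, as an added Python example that is not Bugzilla's own (Perl) code; the secret is the RFC 4226/6238 test-vector key and the timestamps are constructed.

```python
import hmac
import hashlib
import struct

STEP = 30  # TOTP time step in seconds, as described in the comments


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second blocks since the Unix epoch,
    not since enrolment, so a code shown late in a block is about to change."""
    return hotp(secret, now // STEP)


def seconds_until_rollover(now: int) -> int:
    """How long the code shown at `now` remains the current one. A client that neither
    refreshes the code nor shows this countdown can leave the user with a stale code."""
    return STEP - (now % STEP)


def verify(secret: bytes, code: str, now: int, window: int = 0) -> bool:
    """Accept a code from the current block or any block within +/- `window` steps.
    window=0 is the strict check; window=1 is the +/- 30 second tolerance of bug 1201422."""
    current = now // STEP
    return any(
        hmac.compare_digest(hotp(secret, current + d), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed: the RFC test-vector key, not a real secret
    shown_at, typed_at = 59, 60        # constructed: code displayed 1s before the block boundary
    code = totp(secret, shown_at)
    print(code, seconds_until_rollover(shown_at), "seconds left")
    print("strict:", verify(secret, code, typed_at))
    print("+/-30s:", verify(secret, code, typed_at, window=1))
```

With the strict check the code displayed at second 59 is already rejected at second 60; with the one-step window it is still accepted, while a code two blocks old is not.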

Spoke with Duo - Duo mobile does NOT support TOTP, so these are seen as HOTP. This explains the UI and so on.

Note: the duo service itself DOES support TOTP, it's only the mobile app that does not support it right now.

the qr code identifies itself as totp, and i've definitely used their app to log in to bugzilla. they should probably reject totp urls if they don't support it.