Duo does work as advertised, and my uni uses it, but the privacy policy allows for a lot of personal data collection.

Tldr: "Duo Security does not sell, rent, or trade and, except as described in this Privacy Policy, does not share any Personal Information with third parties for their promotional purposes." But Duo still collects A LOT of data on you.

"Device-Specific Information: We also collect device-specific information (e.g. mobile and desktop) from you in order to provide the Services. Device-specific information includes:

Attributes (e.g. hardware model, operating system, web browser version, as well as unique device identifiers and characteristics (such as, whether your device is "jailbroken," whether you have a screen lock in place and whether your device has full disk encryption enabled));

Connection information (e.g. name of your mobile operator or ISP, browser type, language and time zone, and mobile phone number) and

Device locations (e.g. …).

We may need to associate your device-specific information with your Personal Information on a periodic basis in order to confirm you as a user and to check the security on your device."

The policy continues to state that Duo may use this data for analytic/advertising purposes (although only in-house) as well as to comply with legal requests, subpoenas, NSLs etc. Duo isn't collecting your data for nefarious purposes or to sell it to other companies, but they still are collecting A LOT of it.

Other two-factor methods, like the ones used by Google and Facebook, allow clients to install their own code generators that don't collect personal data or even need access to the internet. Of course these methods don't have push requests that you can just approve rather than type in the code.

cc: Duo hardware token (the code generator with the button and the LCD) tends to "desynchronize" after long periods where you don't use it. The internal clock gets off, so it drifts in what token it returns vs what the server thinks it should be returning, and then it stops working.

Normally, if you log in on a regular basis the server corrects for this drift. There is probably a sliding window of N valid keys (say 10) and using one of them tells the server what the internal clock state is. But if you don't use it for a long time (more than 30 days in my experience), the clock drifts, you start going outside the window and it refuses to let you log in. If your IT desk is open, they can "resync" it by typing in a couple of numbers in a row, which lets the server scan the key sequence and find where your token is.

Use-case: We don't have Duo tokens rolled out system-wide, they are only issued for admin tasks and we have separate admin accounts for these with the Duo attached. I'm an "occasional sysadmin" who administers several stable servers that mostly don't need to be touched. As I don't need to use it day-to-day, my key desynchronizes quite often for me; I have had it happen at least 3 times. It would be bad if I had an after-hours emergency with my Duo token; I do not trust it. The hardware tokens are not reliable, in my book.

Edit: The fix for me would be for the token to automatically resynchronize on the fly. Just like the IT guys can do, but over-the-wire. If the server sees (f.ex.) three sequential login attempts with valid-but-stale keys, with the proper order and timing pattern, then it accepts them and resynchronizes the key window. To prevent replay attacks, you would also need to add a constraint that the keys be newer than the ones last used for a successful login, but it should be doable.
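The hardware-token comment above describes three behaviours of the server side: a look-ahead window of N valid codes past the last one used, a resync that scans further ahead when given several consecutive codes, and (in the proposed fix) a rule that accepted codes must be newer than the last successful login so resync cannot be abused for replay. The following is an added example written for this page; it is not the commenter's code and not Duo's implementation. It assumes the token is an event-counter device as in RFC 4226 HOTP (the comment speaks of a "clock", but the window-plus-consecutive-code resync it describes is exactly the counter scheme of RFC 4226 section 7.4), and the `Token`, `TokenServer` and `scenario` names, the window sizes and the RFC 4226 test-vector secret are all constructed for the illustration.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Token:
    """The button-and-LCD token (constructed model): every press emits the code for the next counter."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class TokenServer:
    """Server side (constructed model): look-ahead window for normal logins, a wider scan
    for resync, and a monotonic last-accepted counter so a used or older code never works again."""

    def __init__(self, secret: bytes, look_ahead: int = 10, resync_span: int = 500):
        self.secret = secret
        self.look_ahead = look_ahead      # the "sliding window of N valid keys"
        self.resync_span = resync_span    # how far a resync scan may look ahead
        self.last_counter = -1            # highest counter value ever accepted

    def _matches(self, code: str, counter: int) -> bool:
        return hmac.compare_digest(hotp(self.secret, counter), code)

    def verify(self, code: str) -> bool:
        """Normal login: accept only codes in the window just past the last used counter.
        Accepting one moves the window forward, which is how regular use absorbs small drift."""
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if self._matches(code, c):
                self.last_counter = c
                return True
        return False

    def resync(self, codes, min_codes: int = 3) -> bool:
        """Over-the-wire resync: the user submits min_codes consecutive codes from the token.
        Scan a much wider span for a counter c with codes == hotp(c), hotp(c+1), ...
        Replay constraint: the scan starts after last_counter, so stale codes can never resync."""
        if len(codes) < min_codes:
            return False
        start = self.last_counter + 1
        for c in range(start, start + self.resync_span):
            if all(self._matches(code, c + i) for i, code in enumerate(codes)):
                self.last_counter = c + len(codes) - 1
                return True
        return False


def scenario() -> dict:
    """Walk through the situation in the comment: regular use, an idle period that drifts the
    token past the window, then an over-the-wire resync and two replay attempts."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret, not a real key
    token = Token(secret)
    server = TokenServer(secret, look_ahead=10)
    out = {}

    first = token.press()
    out["normal_login"] = server.verify(first)          # counter 0 is inside the window
    out["replay_same_code"] = server.verify(first)      # window now starts at 1: rejected

    for _ in range(40):                                 # presses that never reach the server
        token.press()
    stale = token.press()                               # counter 41, far beyond 1..10
    out["login_after_drift"] = server.verify(stale)     # "outside the window": rejected

    three = [token.press() for _ in range(3)]           # counters 42, 43, 44
    out["resync"] = server.resync(three)                # scan finds c = 42, last_counter = 44
    out["login_after_resync"] = server.verify(token.press())  # counter 45: accepted
    out["replay_stale_code"] = server.verify(stale)     # 41 < last_counter: rejected
    return out
```

Two practitioner notes on the proposal as modelled here. The resync scan widens the search from 10 candidates to 500, so a guessed six-digit code is about fifty times more likely to match some counter; requiring three consecutive matching codes brings the false-accept chance back down to roughly 1 in 10^18 per candidate, but the resync endpoint still needs rate limiting and a bounded span. The "timing pattern" part of the suggestion is not modelled; the monotonic `last_counter` alone is what stops a captured code from being replayed, before or after a resync.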