Show HN: DuoBreak: Python emulation of Duo push notifications and HOTP codes (github.com)
So I created DuoBreak such that it emulates the phones ability to accept push notifications and HOTP codes, which isn’t a feature that is documented, since you are actually supposed to use a phone. However, in DuoBreak you can manage multiple keys from different Duo Organizations or even the same one if you like to have multiple computers and offline backups of your key, so you can log into your account without going through the lengthy recovery process.
AES encryption is enabled thoughtfully, such that the vault for the keys are encrypted (the biggest worry is the key is left in ram until program close currently).
One of the biggest reasons to make this specifically for Duo is that they keep their authentication locked down, where the information they give the user isn’t an HOTP token from the QR code, but an API endpoint, so we would need to make an API call to get this information (that usually only the Duo App would know). Other authenticators allow you to get the key much more easily, which is why there isn’t a “MicrosoftBreak”.
1 comment
[ 2.8 ms ] story [ 11.4 ms ] threadDuo is able to support FIDO-compatible security keys, but it is something that has to be enabled by the institution's Duo admin (typically someone in an IT Security office). Once that's enabled, you can use something like a Yubikey, a Feitan key, or another FIDO-compatible key.
If you're using Duo in a situation where FIDO doesn't work (like SSH), and you have to use push or a code, it's possible to enroll a Yubikey in Duo with the Yubico OTP method. That's more labor-intensive, as it requires configuring one of the Yubikey's authentication slots, but it works everywhere.
That being said, I'm gonna let coworkers know about this!