add support for providing a code to Duo ahead of time instead of using Push #84
what does it do?
This adds a new function, SendMFACode, to the Duo package, which allows a user to provide a multi-factor code. This could be solicited from terminal input before sending a request to Okta. Using this flow, the user is able to authenticate with Duo without having to use the Duo push flow.
why should we do it?
Speed
Duo pushes are very slow. At Riot, we have frequently seen Duo pushes take 15-20 seconds to send, to the point where occasionally the request to KeyConjurer times out.
Rate limits
Duo has an invisible rate limit of 10 requests or so per minute. In some rare situations, engineers may need to authenticate into more than 10 applications per minute. While having to generate 10 codes and enter them one-by-one might be painful, it is surely better than getting opaque errors and being forced to wait.
Security
Recent news coverage has shown the vulnerability of push notifications: Primarily, that push notifications lead to fatigue and users may feel compelled to just hit "Yes" if they receive many push notifications rather than continuing to press "No" in the hopes of their phone no longer vibrating. This may lead to an attacker gaining access to a system.
With the option to provide codes, users may be able to become better conditioned to report Duo push notifications they did not initiate.
WIP
This branch is not finished. There need to be tests, and much of the Duo code needs to have some slightly renamed types to better describe return values - for example, sendMfaCode does not actually return a Duo push response (as there was no push initiated), but a Duo status check.
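The terminal-solicited code flow the PR describes, as an added illustration that is not code from this PR or from KeyConjurer: a helper reads the code the user typed, rejects anything that cannot be a Duo passcode before any request is sent to Okta, and falls back to push when the line is empty. The type and function names, and the 6 to 9 digit length bound, are assumptions made for this example.

```go
package main

import (
	"bufio"
	"errors"
	"io"
	"regexp"
	"strings"
)

// Factor names the Duo factor the client will request. These names are
// assumptions for this example, not identifiers from the KeyConjurer code.
type Factor string

const (
	FactorPush     Factor = "push"
	FactorPasscode Factor = "passcode"
)

// A Duo passcode is digits only; the 6-9 length bound is an assumption
// meant to cover app-generated, SMS and bypass codes.
var passcodeRE = regexp.MustCompile(`^[0-9]{6,9}$`)
var ErrBadPasscode = errors.New("passcode must be 6 to 9 digits")

// ReadPasscode reads one line from r (the terminal in the PR's flow) and
// validates it before anything is sent. An empty line means the user typed
// no code and the caller should fall back to push.
func ReadPasscode(r io.Reader) (string, error) {
	line, err := bufio.NewReader(r).ReadString('\n')
	if err != nil && !errors.Is(err, io.EOF) {
		return "", err
	}
	code := strings.TrimSpace(line)
	if code == "" {
		return "", nil
	}
	if !passcodeRE.MatchString(code) {
		return "", ErrBadPasscode
	}
	return code, nil
}

// ChooseFactor selects the passcode factor when a code was typed and push
// otherwise, which is the choice this PR gives the user.
func ChooseFactor(code string) Factor {
	if code != "" {
		return FactorPasscode
	}
	return FactorPush
}
```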