Support ALL Duo 2FA authentication methods

  • Considering for Future Release

The addition of Duo push 2FA is great but a bit puzzling. Why only support push when Duo supports so many authentication options and they make it easy to implement them all?


  • Some people don't have a smartphone where they can install the Duo app, so push won't work for them, but they can still receive a text message or phone call just fine. Duo supports both of these options for 2FA but Screenconnect's Control's integration is implemented in a way that does not allow them.
  • Some people might have multiple devices with the Duo app installed and need to choose which one they want the push sent to. Duo allows users to choose which one they want to receive a push from, or which one they want to receive a text or call on. Again Control's integration does not allow this.
  • Ever forgotten your mobile phone at home? I have and that's why I've configured my Duo account with a hardware token too. Unfortunately Control's integration does not support this Duo 2FA method either.
  • Perhaps you are prone to forgetting your mobile device but don't want to have a hardware token. In this case Duo can be configured with a bypass code (basically an OTP that you know beforehand). Well, you know the story.

I'd really like to see Control support all the Duo authentication methods, and from the looks of their documentation this should be relatively easy.

https://duo.com/docs/duoweb

As an added bonus, this also provides a natural way to handle the 2FA logon rather than show the user a prompt for a code that they can't type (what your Duo 2FA currently does).



Duplicates 2
Proper DUO integration

The current DUO integration is very hacked together. Having DUO integrated properly so that it is easy to connect and all of DUO's connect methods are supported. The login page should also automatically continue after a push is initiated without having to press the login button (almost all DUO integrations work this way).

Duo MFA Native Interface for Control - When Exactly Will Connectwise Make This Happen?

When will Control support offer Duo's native interface as an option, rather than the version of Auth API that is used now?  The current implementation gives off the impression that it is half-baked and not well thought out, not to mention insecure.   It looks like users have been asking for this for more than 2 years.  We really need for Connectwise to make this happen ASAP.

Pinned replies
1
anonymous
  • Answer

Jay, It was great working with you yesterday. We will be looking at expanding support for Duo to include hardware tokens, but we do not have a timeframe on when we may make that available.

Also, I want to make it clear that this issue was not a Control vulnerability, but instead, the Duo App on the affected user's phone was out of date. Once the Duo App was updated, the issue was resolved.

Thanks!

Sean White

2
anonymous
  • Considering for Future Release
1
jrewolinski

We need to see duo properly implemented as soon as possible.  We're required to have 2FA for PCI-DSS compliance, and not all of our users have Smartphones.

0
Curtis_NGIN

Also we would like duo integrated with the hosted version of Connectwise Control.

1
DLZ

Would be great to see DUO fully implemented on Screenconnect ConnectWise on-premise, we currently have a few users that don't have a smartphone & can't use DUO to authenticate to Screenconnect Connectwise.

2
mpaul

For anybody who hasn't upgraded to the latest release of Control, they do have DUO integration. I have it working. However, if you use the Duo Access Gateway and you click the link you set up on that page for Control, the expected behavior should prompt you with the screenshot above (Send Me A Push), but it does not. It requires you to click "login with external provider", then you are prompted with "Send me a Push." We think there is a logout URL missing in the metadata used when creating the configuration on the DAG. Not 100% sure on that, just something we are speculating on that appears to be missing. Hopefully they will resolve soon. I am on cloud version 6.5.16479. If you are looking to upgrade, be cautious: we have Labtech 11 patch 19, and 6.5 is not officially supported on-prem (but they can get it to work), but on the hosted cloud version it definitely doesn't work.


Hoping they resolve the issues soon.

1
Jthom08d

Looking forward to having this available!

1
Bill Splittgerber

This feature of being able to use the ONE-TIME passcodes is important to us to be able to use our DUO hard tokens. I see this thread was built about 2 years ago. We really need movement in this area. It would really boost security for all our MSPs.

1
mpaul

Hi Bill, saw your comment. ScreenConnect supports the full DUO 2 Factor: from the Push, to a one-time password, to an SMS on your phone, to the bypass code you are asking about. We have it working internally for both the Cloud version of ScreenConnect and our Automate version of it. We are using Duo on our Smart Phones, but the test with the bypass code doesn't rely on that. If an engineer forgets their phone, we set up a bypass code for the day. And they can work.

0
Bill Splittgerber

The issue we ran into today was regarding the one-time passcode. The Control integration to the best of my knowledge right now uses the PUSH method when you use the [duo: username] field in Active Directory. We tried to connect an AD user who only had access to a DUO HardToken. The hard-token only generates a 6-digit code, which you would assume would be able to be used in the One-Time Password field when authenticating. We went ahead and decided to use the SMS Email notification method, until we hear back regarding the ability to use hardtokens.

0
Dominic Kirby

We used a workaround. We use DAG to sign on to Azure AD, and we set up SAML SSO with Control to Azure AD. Lot of steps, but it works.


