Support ALL Duo 2FA authentication methods

  • updated
  • Considering for Future Release

The addition of Duo push 2FA is great but a bit puzzling. Why only support push when Duo supports so many authentication options and they make it easy to implement them all?


  • Some people don't have a smartphone where they can install the Duo app, so push won't work for them, but they can still receive a text message or phone call just fine. Duo supports both of these options for 2FA but Screenconnect/Control's integration is implemented in a way that does not allow them.
  • Some people might have multiple devices with the Duo app installed and need to choose which one they want the push sent to. Duo allows users to choose which one they want to receive a push from, or which one they want to receive a text or call on. Again Control's integration does not allow this.
  • Ever forgotten your mobile phone at home? I have and that's why I've configured my Duo account with a hardware token too. Unfortunately Control's integration does not support this Duo 2FA method either.
  • Perhaps you are prone to forgetting your mobile device but don't want to have a hardware token. In this case Duo can be configured with a bypass code (basically an OTP that you know beforehand). Well, you know the story.

I'd really like to see Control support all the Duo authentication methods, and from the looks of their documentation this should be relatively easy.

https://duo.com/docs/duoweb

As an added bonus this also provides a natural way to handle the 2FA logon rather than showing the user a prompt for a code that they can't type (what your Duo 2FA currently does).


Image 77

Duplicates 2
Proper DUO integration

The current DUO integration is very hacked together. Having DUO integrated properly so that it is easy to connect and all of DUO's connect methods are supported. The login page should also automatically continue after a push is initiated without having to press the login button (almost all DUO integrations work this way).

Duo MFA Native Interface for Control - When Exactly Will Connectwise Make This Happen?

When will Control support offer Duo's native interface as an option, rather than the version of Auth API that is used now?  The current implementation gives off the impression that it is half-baked and not well thought out, not to mention insecure.   It looks like users have been asking for this for more than 2 years.  We really need for Connectwise to make this happen ASAP.

Pinned replies
1
anonymous
  • Answer

Jay, It was great working with you yesterday. We will be looking at expanding support for Duo to include hardware tokens, but we do not have a timeframe on when we may make that available.

Also, I want to make it clear that this issue was not a Control vulnerability, but instead, the Duo App on the affected user's phone was out of date. Once the Duo App was updated, the issue was resolved.

Thanks!

Sean White

0

ya kinda weird.  I got it to work.  It still shows the OTP but it does push an approval to the phone.  You just don't enter anything in there and hit login

0
jeffshead
Quote from mpaul

So just mentioning this from previously.  With a Duo token on an IOS smartphone, (not the hardware token), you can support the push notification.  No need for an OTP.  My screen looks like this.  I hit connect with Duo 2FA at the bottom.  

If I have used the Duo SSO page to access, then it does SSO all the way in and I'm not prompted for approval, as I already did all of that with the Duo SSO page.  

  

If I navigate directly to the screenconnect web page, and do Login, I then see the screen shot 1 below.  Clicking on the "Connect with Duo 2FA" takes me to my Duo SSO web page.  Most of my users use the Duo SSO page to start though.  

In the Admin page in Duo you configure the SAML integration.  Second screenshot.  

I don't have any users with hardware tokens, and I know some folks were asking about that one.  

I keep mentioning Duo SSO, but this is the replacement to the Duo Access Gateway which was deprecated this past year (by Duo.)  It is a service hosted in your Duo portal.  You can add any SAML integrated apps, or bookmarks for your organization.  See third screenshot just an example.  

Image 1213

Image 1214

Image 1215

What about those that keep everything in-house and do not use the Duo SaaS SSO?

If a user does not receive the Duo push notification on his phone, he cannot login to ScreenConnect using the Passcodes from the Duo app. Why display the "One-time Password" form if you cannot use a Duo Passcode?

Image 1216

Image 1218

0
mpaul

So just mentioning this from previously.  With a Duo token on an IOS smartphone, (not the hardware token), you can support the push notification.  No need for an OTP.  My screen looks like this.  I hit connect with Duo 2FA at the bottom.  

If I have used the Duo SSO page to access, then it does SSO all the way in and I'm not prompted for approval, as I already did all of that with the Duo SSO page.  

  

If I navigate directly to the screenconnect web page, and do Login, I then see the screen shot 1 below.  Clicking on the "Connect with Duo 2FA" takes me to my Duo SSO web page.  Most of my users use the Duo SSO page to start though.  

In the Admin page in Duo you configure the SAML integration.  Second screenshot.  

I don't have any users with hardware tokens, and I know some folks were asking about that one.  

I keep mentioning Duo SSO, but this is the replacement to the Duo Access Gateway which was deprecated this past year (by Duo.)  It is a service hosted in your Duo portal.  You can add any SAML integrated apps, or bookmarks for your organization.  See third screenshot just an example.  

Image 1213

Image 1214

Image 1215

0

I see no one has posted here in a long time.  Did we ever get this fixed?  I'm still getting the OTP popup in screen connect.  I can ok the log in then hit login on screen connect but it would be nice if the duo prompt came up so you knew what was going on

0
pday

It would be nice to have Push, a code or phone call integrated within ConnectWise.

0
Justin Rosetto

+1

0
Ron Muttillo

Hurry on this too please!

0
James Pulver

We cannot use Duo without more options than just push. We cannot require all users have smartphones. I can't believe this has sat for 5 years - Control is a web app for goodness sake! We need to implement 2FA, and so need to look for replacements for Control if this is not implemented soon.

0
ComputerGuy
Quote from Andrew Kraker

I would simply like the ability to use the OTP option through Duo.  The integration is confusing the way it is.  A user signs in and gets sent a push notification but is also presented with an OTP box that needs to be left empty.  

Ooh, so that's what I'm supposed to do with the OTP box that is there for no reason after configuring duo

Thanks for helping me when support couldn't

0
nsdave

Crickets.  They have it for Automate. 


Apparently somebody much smarter than the rest of us has determined that we don't really need this for Control. 

It's not like the program is a HIGH-RISK point of intrusion or anything.

Security??  Nah, your security is good enough...


