Support ALL Duo 2FA authentication methods

  • updated
  • Considering for Future Release

The addition of Duo push 2FA is great but a bit puzzling. Why only support push when Duo supports so many authentication options and they make it easy to implement them all?


  • Some people don't have a smartphone where they can install the Duo app so push won't work for them but they can still receive a text message or phone call just fine. Duo supports both of these options for 2FA but Screenconnect's Control's integration is implemented in a way that does not allow them.
  • Some people might have multiple devices with the Duo app installed and need to choose which one they want the push sent to. Duo allows users to choose which one they want to receive a push from, or which one they want to receive a text or call on. Again Control's integration does not allow this.
  • Ever forgotten your mobile phone at home? I have and that's why I've configured my Duo account with a hardware token too. Unfortunately Control's integration does not support this Duo 2FA method either.
  • Perhaps you are prone to forgetting your mobile device but don't want to have a hardware token. In this case Duo can be configured with a bypass code (basically an OTP that you know beforehand). Well, you know the story.

I'd really like to see Control support all the Duo authentication methods, and from the looks of their documentation this should be relatively easy.

https://duo.com/docs/duoweb

As an added bonus this also provides a natural way to handle the 2FA logon rather than show the user a prompt for a code that they can't type (what your Duo 2FA currently does).
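
Added example, not part of the original post and not ConnectWise or Duo code: a sketch of how an integration could offer every method the post lists by reading a Duo Auth API `/preauth` reply, and how it should treat the `/auth` result. The reply, device IDs and function names are constructed for illustration; the field names (`devices`, `capabilities`, `factor`, `result`) are assumed to follow Duo's Auth API documentation.

```python
# Added example; PREAUTH is constructed sample data, device IDs are placeholders.
PREAUTH = {
    "stat": "OK",
    "response": {
        "result": "auth",
        "devices": [
            {"device": "DEVICE_ID_1", "type": "phone", "name": "Work mobile",
             "capabilities": ["auto", "push", "sms", "phone", "mobile_otp"]},
            {"device": "DEVICE_ID_2", "type": "phone", "name": "Desk phone",
             "capabilities": ["phone"]},
            {"device": "DEVICE_ID_3", "type": "token", "name": "0"},
        ],
    },
}

# Factors that are sent to a specific device, in the order we offer them.
DEVICE_FACTORS = ("push", "sms", "phone")


def login_options(preauth):
    """Turn a /preauth reply into the (label, /auth parameters) choices to show."""
    if preauth.get("stat") != "OK":
        raise ValueError("preauth call failed; fail closed")
    resp = preauth["response"]
    if resp.get("result") != "auth":
        return []  # allow / deny / enroll are decided by Duo policy, no prompt
    options = []
    for dev in resp.get("devices", []):
        label = dev.get("name") or dev["device"]
        for factor in DEVICE_FACTORS:
            if factor in dev.get("capabilities", []):
                options.append((f"{factor}: {label}",
                                {"factor": factor, "device": dev["device"]}))
    # Hardware-token codes, app-generated codes and bypass codes are all
    # submitted as factor=passcode, so the field is always offered.
    options.append(("passcode", {"factor": "passcode"}))
    return options


def access_granted(auth_reply):
    """Only an explicit allow from Duo's /auth counts; anything else is a denial."""
    return (auth_reply.get("stat") == "OK"
            and auth_reply.get("response", {}).get("result") == "allow")


if __name__ == "__main__":
    for label, params in login_options(PREAUTH):
        print(label, params)
```

The passcode the user types is never judged locally: it is forwarded to Duo, and the login proceeds only when `access_granted` is true for Duo's reply.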



Duplicates 2
Proper DUO integration

The current DUO integration is very hacked together. Having DUO integrated properly so that it is easy to connect and all of DUO's connect methods are supported. The login page should also automatically continue after a push is initiated without having to press the login button (almost all DUO integrations work this way).

Duo MFA Native Interface for Control - When Exactly Will Connectwise Make This Happen?

When will Control support offer Duo's native interface as an option, rather than the version of Auth API that is used now?  The current implementation gives off the impression that it is half-baked and not well thought out, not to mention insecure.   It looks like users have been asking for this for more than 2 years.  We really need for Connectwise to make this happen ASAP.

Pinned replies
1
anonymous
  • Answer

Jay, It was great working with you yesterday. We will be looking at expanding support for Duo to include hardware tokens, but we do not have a timeframe on when we may make that available.

Also, I want to make it clear that this issue was not a Control vulnerability, but instead, the Duo App on the affected user's phone was out of date. Once the Duo App was updated, the issue was resolved.

Thanks!

Sean White

0
tony

Any progress on this feature request? Even as simple as fixing the 2FA screen so it's not confusing to explain that you don't actually enter an OTP code but approve the Duo push and click login. Most implementations of Duo push have a screen that states waiting for response from push approval, then when you approve from the device it auto proceeds.

0
bshapiro

What is the latest with this feature?  Current dialog is really sketchy looking.

1
B Martin

Connectwise as a whole REALLY needs to step up their security game within their products. They do a whole bunch of lip service to us buying products to SELL security products/services, but their own software is lacking in several areas.

1
Brian Largent

Needed ASAP

2
Brian Largent
Quote from anonymous

2 years in and still nothing?  Please hurry up as MFA is mandatory for MSP now.

1
bshapiro

Any updates?

0
Jay Mendes

At this point, MFA is mandatory for MSP and still, Control is unable to improve DUO integration. Today we found out the Control integration is easy to bypass with a fake code (for security reasons we are not sharing this method). I already reported this to CW support and what they told me: "This function you are talking about is not in there. The only way to get that functionality is the thread." I request to escalate the ticket to report the vulnerability.

Control Support, listen up: we are the good guys and we found a vulnerability and you just ignore us!

0
Caitlin M Barnes Team Member
Quote from Jay Mendes

At this point, MFA is mandatory for MSP and still, Control is unable to improve DUO integration. Today we found out the Control integration is easy to bypass with a fake code (for security reasons we are not sharing this method). I already reported this to CW support and what they told me: "This function you are talking about is not in there. The only way to get that functionality is the thread." I request to escalate the ticket to report the vulnerability.

Control Support, listen up: we are the good guys and we found a vulnerability and you just ignore us!

Hi Jay, 

Can you please email the ticket number from that support discussion to cbarnes@connectwise.com? Thanks!

0
bshapiro
Quote from Caitlin M Barnes

Hi Jay, 

Can you please email the ticket number from that support discussion to cbarnes@connectwise.com? Thanks!

I just sent you my ticket number (#12324154) where I was told the exact same thing ("the best we can do there is add a comment or upvote the request").

0
Jay Mendes

We have to contact the Chief Customer Officer to get this matter resolved


I got a call from the Support and Development team and we were able to identify the vulnerability and fix the problem, but still no support for a hardware token.
All our techs are unable to access Control at the moment (all our systems and apps are set to work with DUO hardware tokens).


