Support ALL Duo 2FA authentication methods

  • Considering for Future Release

The addition of Duo push 2FA is great but a bit puzzling. Why only support push when Duo supports so many authentication options and they make it easy to implement them all?


  • Some people don't have a smartphone where they can install the Duo app, so push won't work for them, but they can still receive a text message or phone call just fine. Duo supports both of these options for 2FA, but ScreenConnect's (Control's) integration is implemented in a way that does not allow them.
  • Some people might have multiple devices with the Duo app installed and need to choose which one they want the push sent to. Duo allows users to choose which one they want to receive a push from, or which one they want to receive a text or call on. Again, Control's integration does not allow this.
  • Ever forgotten your mobile phone at home? I have, and that's why I've configured my Duo account with a hardware token too. Unfortunately, Control's integration does not support this Duo 2FA method either.
  • Perhaps you are prone to forgetting your mobile device but don't want to have a hardware token. In this case Duo can be configured with a bypass code (basically an OTP that you know beforehand). Well, you know the story.

I'd really like to see Control support all the Duo authentication methods, and from the looks of their documentation this should be relatively easy.

https://duo.com/docs/duoweb

As an added bonus, this also provides a natural way to handle the 2FA logon rather than showing the user a prompt for a code that they can't type (what your Duo 2FA currently does).



Duplicates 2
Proper DUO integration

The current DUO integration is very hacked together. Having DUO integrated properly so that it is easy to connect and all of DUO's connect methods are supported. The login page should also automatically continue after a push is initiated without having to press the login button (almost all DUO integrations work this way).

Duo MFA Native Interface for Control - When Exactly Will Connectwise Make This Happen?

When will Control support offer Duo's native interface as an option, rather than the version of Auth API that is used now?  The current implementation gives off the impression that it is half-baked and not well thought out, not to mention insecure.   It looks like users have been asking for this for more than 2 years.  We really need for Connectwise to make this happen ASAP.

Pinned replies
1
anonymous
  • Answer

Jay, It was great working with you yesterday. We will be looking at expanding support for Duo to include hardware tokens, but we do not have a timeframe on when we may make that available.

Also, I want to make it clear that this issue was not a Control vulnerability, but instead, the Duo App on the affected user's phone was out of date. Once the Duo App was updated, the issue was resolved.

Thanks!

Sean White

0
jeffshead
Quote from mpaul

Hi Bill, saw your comment, ScreenConnect supports the full DUO 2 Factor. From the Push, to a one time password, to an SMS on your phone, to the bypass code you are asking about. We have it working internally for both the Cloud version of ScreenConnect and our Automate version of it. We are using Duo on our Smart Phones, but the test with the bypass code doesn't rely on that. If an engineer forgets their phone, we set up a bypass code for the day. And they can work.

@mpaul

So you are saying that you can set a bypass code in Duo and use it in the Connectwise Control login process and it works? It does NOT work for me. Are you sure this works for self-hosted installs? Can someone confirm?

1
nsdave

Come ON!!!!! My customers are: Capable: They can save passwords on their phones; Mobile: They can access Control from their phones; NOT Paranoid: If they misplace (or think they might have misplaced) their phones, they DO not first call and have the phone wiped, they go looking for it, and that can take precious time! A compromised phone can easily be a ZERO FACTOR AUTHENTICATION METHOD. Hardware tokens are one of the oldest 2FA methods around. This seems to have become a lip service item. Because of it, we have to go to other products to meet our customers' needs. GET IT FIXED, PLEASE!!!!!!!!!

0
Andrew Kraker

I would simply like the ability to use the OTP option through Duo. The integration is confusing the way it is. A user signs in and gets sent a push notification but is also presented with an OTP box that needs to be left empty.

0
J Johnson

How hard could this be? I am a ScreenConnect customer and was looking at Automate. I think I will move on, based on the lack of movement on this issue.

0
nsdave

Crickets.  They have it for Automate. 


Apparently somebody much smarter than the rest of us has determined that we don't really need this for Control. 

It's not like the program is a HIGH-RISK point of intrusion or anything.

Security??  Nah, your security is good enough...

0
ComputerGuy
Quote from Andrew Kraker

I would simply like the ability to use the OTP option through Duo. The integration is confusing the way it is. A user signs in and gets sent a push notification but is also presented with an OTP box that needs to be left empty.

Ooh, so that's what I'm supposed to do with the OTP box that is there for no reason after configuring Duo.

Thanks for helping me when support couldn't

0
James Pulver

We cannot use Duo without more options than just push. We cannot require all users have smartphones. I can't believe this has sat for 5 years - Control is a web app for goodness' sake! We need to implement 2FA, and so need to look for replacements for Control if this is not implemented soon.

0
Ron Muttillo

Hurry on this too, please!

0
Justin Rosetto

+1
