from Hacker News

DontDuo: Bypass 2FA with DTMF Tones

by _wldu on 9/11/19, 1:17 AM with 59 comments

  • by floatingatoll on 9/11/19, 4:34 AM

    To explain what's going on here for the unaware —

    1) Duo is a commercial service that offers multi-factor authentication through a variety of means, one of which is the Phone Call.

    2) This site lets you register its number as your Duo phone number, when demanded to do so by someone who's trying to protect your high-value access from being hijacked (such as your employer).

    3) This site provides you a phone number that auto-accepts all Duo authentication requests, even if you're asleep, offline, or otherwise not authorizing the hacking activity.

    4) This site has zero contact information and accountability, and could very well be backed by a black market site that offers hackers lookup access for any Duo phone number for $50/number.

    NOTE: I, personally, would absolutely push to fire anyone I found using this, no matter where I worked.
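
An auto-answer number like the one described above leaves a signature a Duo administrator can look for: the call is answered and the key pressed after the same fixed delay every time, at any hour, whether or not the user is awake. The check below is an added example, not code from the page, from Duo or from the site discussed; the event layout (user, number, approval time, seconds from answer to keypress) and the thresholds are assumptions of this example, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of successful phone-call approvals; this is NOT Duo's
# log format, only the fields the heuristic needs:
#   (user, phone number, approval time, seconds from call answered to keypress)
EVENTS = [
    ("alice", "+12015550100", datetime(2019, 9, 10, 9, 2),  3.0),
    ("alice", "+12015550100", datetime(2019, 9, 10, 14, 40), 3.1),
    ("alice", "+12015550100", datetime(2019, 9, 11, 3, 12),  3.0),  # asleep
    ("alice", "+12015550100", datetime(2019, 9, 11, 10, 5),  3.0),
    ("alice", "+12015550100", datetime(2019, 9, 11, 22, 40), 3.1),  # off hours
    ("bob",   "+12015550123", datetime(2019, 9, 10, 8, 55),  6.2),
    ("bob",   "+12015550123", datetime(2019, 9, 10, 13, 20), 11.8),
    ("bob",   "+12015550123", datetime(2019, 9, 11, 9, 10),  4.5),
    ("bob",   "+12015550123", datetime(2019, 9, 11, 11, 45), 9.9),
    ("bob",   "+12015550123", datetime(2019, 9, 11, 16, 30), 7.3),
]


def flag_auto_answer(events, min_events=4, max_stdev=0.25, work_hours=(7, 20)):
    """Return {user: [reasons]} for users whose phone-call approvals look automated.

    Two heuristics (assumptions of this example, not a Duo policy):
      * near-constant answer-to-keypress latency across several approvals,
        which is what "wait a fixed delay, play a DTMF tone, hang up" produces;
      * approvals outside working hours, when a human would not be pressing a key.
    """
    by_user = defaultdict(list)
    for user, number, ts, latency in events:
        by_user[user].append((number, ts, latency))

    findings = {}
    for user, recs in by_user.items():
        reasons = []
        latencies = [r[2] for r in recs]
        if len(latencies) >= min_events and pstdev(latencies) <= max_stdev:
            reasons.append(
                f"{len(latencies)} approvals answered in "
                f"{mean(latencies):.1f}s +/- {pstdev(latencies):.2f}s"
            )
        off_hours = [r[1] for r in recs
                     if not (work_hours[0] <= r[1].hour < work_hours[1])]
        if off_hours:
            reasons.append(
                f"{len(off_hours)} approvals outside "
                f"{work_hours[0]:02d}:00-{work_hours[1]:02d}:00"
            )
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in flag_auto_answer(EVENTS).items():
        print(user)
        for reason in reasons:
            print("  -", reason)
```

Either finding on its own is weak evidence (a user who always answers on the second ring, or one working a night shift, will trip one of them), so this is a triage list for a conversation with the user, not an automatic lockout. The policy fix is separate: if phone callback is not needed, disable it as an allowed factor rather than trying to detect its abuse.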

  • by markstos on 9/11/19, 2:44 AM

    Or instead of handing over your second factor authentication to a startup web service, you could buy a Yubikey, leave it on your keyring or plugged into your laptop and just touch it.

    Some Yubikey models also store the secrets that generate the frustrating 6-character TOTP codes. By pairing a Yubikey with a desktop app, you can copy/paste the codes instead of the error-prone process of manually re-typing them.

  • by warhorse10_9 on 9/11/19, 2:23 AM

    This is a horrible idea. I just can't. Why does this service even exist? I seriously hope Duo figures out the numbers this site is using and blacklists them.

  • by snek on 9/11/19, 3:57 AM

    Remove your account defenses while simultaneously giving authentication information to a third party? What could go wrong‽

  • by morpheuskafka on 9/11/19, 3:00 AM

    If you fill this out with the same email as the protected account, you're basically inviting an untrusted third party to launch a brute-force attack on your now-defenseless account.

    Using this sounds like a good way to take liability when your account gets hacked. It will not look good to be fired for intentionally defeating corporate security systems.

  • by goode on 9/11/19, 6:15 AM

    Duo was one of the last things keeping me from switching to Google-free AOSP, and I toyed with a similar idea while trying to reverse-engineer a free software replacement. Instead, I ended up writing a small tool that allows you to use any old HOTP authenticator with Duo. I use FreeOTP+ on my phone, but you could just as easily stick that HOTP secret in a script or onto a Yubikey. You might find it useful if you're working your way up to 100% Stallman status: https://github.com/evan-goode/duolibre.

    By the way, I gotta say this project is pretty hilarious, and you're a true baller for trying to sell this to people.
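
The comment above talks about sticking an HOTP secret in a script; for readers who have only used time-based codes, this added example shows what the counter-based variant (RFC 4226) actually computes and why a verifier needs a look-ahead window. It is not code from duolibre or from Duo, and it does not reproduce how duolibre obtains the secret from a Duo enrollment; the secret below is the RFC's own test vector, so the outputs are the published ones.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)                      # big-endian 64-bit counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                look_ahead: int = 10, digits: int = 6):
    """Verifier side with a resynchronisation window.

    A client that generated codes the server never saw (button pressed twice,
    code typed wrong) is ahead of the server, so the server tries the next
    `look_ahead` counters too.  On success it returns the counter to store
    next (one past the match), so the same code is never accepted twice;
    on failure it returns None.
    """
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


# RFC 4226 Appendix D test secret, ASCII "12345678901234567890".
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for counter in range(3):
        print(counter, hotp(RFC4226_SECRET, counter))
```

Because the only state is the counter, the secret can live anywhere that can run an HMAC, which is the point the comment makes about scripts and Yubikeys; the flip side is that anyone who copies the secret can generate every future code, so it deserves the same protection as a password database.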

  • by keyle on 9/11/19, 4:27 AM

    The website is strangely sparse. Just trust us. We're a website, we have https. All I could work out is that they're apparently from Georgia according to their generated T&C.

  • by DKnoll on 9/11/19, 4:08 AM

    I got the trial. Gave me a 201 area code number. Called it and it waited some seconds after answering, played a DTMF tone and hung up. No, I didn't test it with Duo (lol). Every time this number receives a phone call it increments a login counter on the dashboard.

  • by ars on 9/11/19, 2:32 AM

    I'm very confused about what this is.

    Duo as in Google's Duo video calling? There's 2FA on that? I've never seen any.

    Or is there some other Duo it's referring to?