Support for FIDO U2F token

Open abrooks opened this issue 7 years ago • 7 comments

FIDO U2F tokens are currently supported via the browser but not via the client API.

cf. https://guide.duo.com/u2f

This renders the user experience (and in some cases security offered) inconsistent between authentication environments.

Python U2F device authentication could be done via https://github.com/Yubico/python-u2flib-host

abrooks, Dec 12 '17 17:12

Hey Aaron,

Thanks for bringing this to our attention. We're tracking the issue internally now (and hopefully will put in changes soon). Alternatively, you could put in a PR and we'd be happy to take a look at it. :)

Thanks for using Duo!

adrikim, Dec 12 '17 23:12

I'd love to file a PR but there's no public documentation of how to call the Duo API in a way supporting U2F. https://duo.com/docs/authapi

Publish that and I'll do it in a heartbeat! ;-D

abrooks, Dec 13 '17 22:12

Ahh, you're right, my apologies. I've spoken with the rest of the team and it looks like this would be a larger undertaking than I originally thought it would be. It's not currently on our roadmap, but we're certainly open to the possibility of working on it. Would you mind contacting us at [email protected] to provide us some more details on what your use case is? Thanks!

adrikim, Dec 14 '17 22:12

Wanted to follow up here and see if there were any plans on exposing U2F through the auth API. It's kinda against the spirit of U2F so we'd need some kind of redirect, right?

rmnoon, Apr 24 '19 20:04

Hi @rmnoon! There are sadly no new updates on exposing U2F through the auth API. If you haven't already, please reach out to our support team to add yourself onto the feature request for this. Doing that helps us gauge customer interest and allows us to prioritize new features like this better.

xdesai, Apr 24 '19 20:04

Thanks for the quick reply! Just forwarded to [email protected] with the following message:

Forwarding as requested! We're heavy consumers of the Duo Auth API for out-of-band challenge workflows and it'd be great to support U2F mode on Yubikeys, etc. I assume it'd be kinda tricky given the browser but even some kind of API call to get a one-time redirect URL that handles token activation + redirect would be amazing.

Thanks for being awesome. Please don't stop working hard at Cisco.

rmnoon, Apr 24 '19 20:04

I modified viasat/alohomora to add support for U2F using the python-libu2f-host library. Perhaps my modifications can be a building block for this library? The auth API still needs to add support for the U2F challenge, but this does the response with a valid challenge.

gcochard, Nov 18 '19 17:11