Admins could opt for the current auto-push behavior or enable the "passcode reminder" for more authentication options. The displayed input box should accept an OTP (mobile, hard token, SMS, Yubikey OTP, or bypass code) or the string "push". A reasonable compromise would be to utilize the "Passcode reminder" box for UI logons. This may be difficult since the underlying Vault code would be the same.

This means users can securely log into their accounts with the built-in TouchID fingerprint reader on macOS laptops. Additional notes: If you experience issues such as the YubiKey not generating passcodes, please see Yubico's troubleshooting guide.

The expected behavior is different for text-based CLI/API and web-based (UI) authentications.

For CLI/API authentications a common method is to prompt the user for input: if the user enters an OTP, the OTP is sent to Duo; if the user enters the string "push", a push is sent to the user's primary device.

For web logins the user is typically presented a list of available devices to select from.

WebAuthn (Web Authentication API) is an open standard that allows third parties like Duo to tap into built-in biometric authenticators on laptops and smartphones. YubiKey devices that support FIDO2/WebAuthn and FIDO U2F can be used as authentication methods with Duo Security.

The typical login flow Duo users expect is to be able to select between multiple MFA authentication methods at login. This is important for Duo users, to maintain the login flows they are accustomed to.

I would rather see a standard command line duo dialog: (Of the three methods (Duo Push, app code or Yubikey), Duo Push is my least preferred.)

Imagine my irritation when my phone beeped for a Duo Push, which meant I had to fish it out, unlock it, and bring up the push app. Seeing this, I made sure that my Yubikey was plugged in and ready.
Please login VAULT as vault user xxxxxxx with DUO device ready:

It allows people who are in wireless dead zones or restricted "no-cell" areas to still authenticate with a code generated by the Duo app (dead zone) or a Yubikey (no cell service or wireless device required). Please add an option to enter a code (or select which device gets a push.)

Heavy Duo/two-factor users often use the code generation app or, more commonly, a Yubikey.

When doing the Vault login, there is only one two-factor method available: Duo Push to the default device.