I think the point is that relying on phone calls and DTMF tones for two factor authentication is trivial to bypass. Anyone can record DTMF tones in a voicemail message and forward calls to that number.
"Anyone can record DTMF tones in a voicemail message and forward calls to that number."
I have never used "duo" and it has taken me a few reads of this to understand exactly what this is, but I think it's worth pointing out that your own personal 'dontduo' service would be trivially simple to set up in a simple twiml bin, at twilio.
"Include w to introduce a 0.5s pause between DTMF tones. For example, 1w2 will tell Twilio to pause 0.5s before playing DTMF tone 2. To include 1s of pause, simply add ww."
What do you mean trivial to bypass? If I have an account secured with a password and with Duo, then I give you my password, can you get into my account? How?
A "sim hijacking" attack is where an attacker calls your phone company and pretends to be you. They claim to have lost their phone, and get a new sim card issued to them with your phone number. when they put the sim in their phone, the duo authentication message goes to their phone instead of yours.
any 2-factor system based on the phone system is no more secure than your phone company's willingness to give away your phone number, and they're usually pretty willing. I actually had this happen to me, in a benign way: my employer started paying my phone bill, they transfered my phone number from my personal plan on one carrier to the company plan with a different carrier. Somebody at the office just handed me a new sim card and told me my old SIM didn't work anymore - it required no interaction on my part to transfer my number to a new plan with a new company. that's apparently just normal procedure.
rsync|6 years ago
I have never used "duo" and it has taken me a few reads of this to understand exactly what this is, but I think it's worth pointing out that your own personal 'dontduo' service would be trivially simple to set up in a simple twiml bin, at twilio.
I think it would look something like this:
"Include w to introduce a 0.5s pause between DTMF tones. For example, 1w2 will tell Twilio to pause 0.5s before playing DTMF tone 2. To include 1s of pause, simply add ww."https://www.twilio.com/docs/voice/twiml/play#attributes-digi...
Thorrez|6 years ago
notatoad|6 years ago
any 2-factor system based on the phone system is no more secure than your phone company's willingness to give away your phone number, and they're usually pretty willing. I actually had this happen to me, in a benign way: my employer started paying my phone bill, they transfered my phone number from my personal plan on one carrier to the company plan with a different carrier. Somebody at the office just handed me a new sim card and told me my old SIM didn't work anymore - it required no interaction on my part to transfer my number to a new plan with a new company. that's apparently just normal procedure.
Spivak|6 years ago
2FA is one of those things that is nice when you want it but a huge PITA when it’s forced on you.