
Leveraging Duo Security’s Default Configuration to Bypass SSH Two-Factor Auth - tompic823
https://www.appsecconsulting.com/blog/leveraging-duo-securitys-default-configuration-to-bypass-two-factor-authent
======
toast0
The secure configuration means when Duo is down, you can't login, unless you
have some out of band login method that's not protected by Duo. That is a
pretty big commitment to Duo's uptime, and it makes sense that it's not the
default.

~~~
jessaustin
Have Duo had big outages? I don't think it's reasonable to expect end users to
be unaffected in those situations, especially if it implies this sort of
insecurity in normal situations... If the default were to fail closed, then
Duo customers could _choose_ to fail open instead, but it would be a
conscious, aware choice.

~~~
GalacticDomin8r
> Have Duo had big outages?

I imagine a more relevant question for most is could Duo have a big outage.

~~~
warbiscuit
As the article points out, in a directed attack it just has to be an outage
which affects the target server: e.g. compromise a firewall, LAN DNS, or
managed switch in front of the server and "block" Duo.
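The two points raised above (toast0's note that the default is fail-open and warbiscuit's note that an attacker only needs Duo to look unreachable from the target host) come down to a single setting in the Duo Unix config. The following is an added audit helper, not code from the thread, from the linked article, or from Duo. It assumes the Duo Unix config layout (a `[duo]` section in `login_duo.conf` or `pam_duo.conf`) and the `failmode` option, whose documented default is `safe` (allow login when Duo cannot be reached) as opposed to `secure` (deny login). The config texts are constructed samples with placeholder keys.

```python
import configparser

# Constructed sample: a pam_duo.conf / login_duo.conf that never sets failmode,
# so Duo Unix falls back to its fail-open ("safe") default.  Keys are placeholders.
FAIL_OPEN_CONF = """
[duo]
ikey = PLACEHOLDER_INTEGRATION_KEY
skey = PLACEHOLDER_SECRET_KEY
host = api-PLACEHOLDER.duosecurity.com
pushinfo = yes
"""

# Constructed sample: the same file with failmode pinned to "secure", so a
# blocked or outaged Duo API results in a denied login rather than a bypass.
FAIL_CLOSED_CONF = """
[duo]
ikey = PLACEHOLDER_INTEGRATION_KEY
skey = PLACEHOLDER_SECRET_KEY
host = api-PLACEHOLDER.duosecurity.com
pushinfo = yes
failmode = secure
"""

# Duo Unix's behaviour when failmode is absent (assumption based on the
# documented default, and consistent with the article's "default is fail-open").
DEFAULT_FAILMODE = "safe"


def audit_duo_failmode(conf_text: str) -> dict:
    """Report whether a Duo Unix config will fail open when Duo is unreachable.

    Returns a dict with the raw configured value (None if unset), the
    effective mode after applying the default, a fail_open boolean and a
    one-line finding suitable for a config-audit report.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)

    if not parser.has_section("duo"):
        # Without a [duo] section the module has nothing to load; flag it
        # rather than silently treating it as safe.
        return {
            "configured": None,
            "effective": None,
            "fail_open": True,
            "finding": "no [duo] section found; Duo Unix cannot enforce 2FA from this file",
        }

    configured = parser.get("duo", "failmode", fallback=None)
    effective = (configured or DEFAULT_FAILMODE).strip().lower()

    # Only an explicit "secure" denies access during an outage.  A missing
    # value, "safe", or an unrecognised value is treated as not fail-closed.
    fail_open = effective != "secure"

    if configured is None:
        finding = ("failmode not set; defaults to 'safe' (fail-open): an attacker who "
                   "blocks the host's path to Duo reduces SSH to single-factor")
    elif fail_open:
        finding = f"failmode = {configured!r} is not 'secure'; Duo outage or blocked API bypasses 2FA"
    else:
        finding = "failmode = 'secure'; login is denied when Duo is unreachable (fail-closed)"

    return {
        "configured": configured,
        "effective": effective,
        "fail_open": fail_open,
        "finding": finding,
    }


def summarize(named_confs: dict) -> list:
    """Run the audit over several host configs and list the fail-open ones."""
    return [name for name, text in named_confs.items() if audit_duo_failmode(text)["fail_open"]]


if __name__ == "__main__":
    for name, text in {"host-a": FAIL_OPEN_CONF, "host-b": FAIL_CLOSED_CONF}.items():
        print(name, "->", audit_duo_failmode(text)["finding"])
    print("fail-open hosts:", summarize({"host-a": FAIL_OPEN_CONF, "host-b": FAIL_CLOSED_CONF}))
```

Because `failmode = secure` means a real Duo outage locks SSH out, the practical pairing is to set it together with an out-of-band recovery path (console access, or a break-glass account that is not behind Duo at all) so the fail-closed choice is, as jessaustin put it, a conscious one rather than an operational surprise.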

------
graton
Personally I use the google-authenticator PAM module for two factor
authentication for SSH.

[https://github.com/google/google-authenticator-libpam](https://github.com/google/google-authenticator-libpam)

