Comment by paranoidrobot

7 years ago

> Can't get why large companies/universities have boners for proprietary crap like duo.

It's like the classic HN argument of "Why don't you just use rsync/sftp vs dropbox" - because it's easier. For users, for admins, for the business.

The biggest problem with rolling out 2FA is onboarding and adoption.

Onboarding people is a massive pain in the arse. Issuing hardware tokens to people is even more of a giant pain in the arse, particularly if you have more than a handful of people in more than one city or country.

We deployed Duo because it allowed us to add 2FA reasonably easily to a wide range of services. It allowed us to require our contractors in countries like India and the Philippines to use it. They all have phones; even basic Android devices can run it.

Rolling out physical tokens requires us to mail them out to people. Everything we sent to our offices in Spain larger than a letter got caught in customs for three months and/or "lost". Even USB thumb drives.

I've worked with people who are continually losing or destroying phones, keys, wallets, etc. Making them carry a hardware token, which will also get lost/destroyed, means you're now constantly issuing them a new one.

On the systems side of things, it allowed us to add 2FA to devices that don't support it, or don't support the same 2FA you've chosen for everything else.

On the support side of things, it was dead easy to have automatic enrolment/signup based on existing processes (e.g. reading LDAP/AD group membership), and it has a UI that actually allows us to properly delegate access to support staff.

Could we have rolled our own? Absolutely. But we'd have had to spend a lot more time, and a lot more money setting it up and maintaining it, and it gives good enough security.

Our biggest threat isn't a nation state or directed attack where someone can steal your phone and pull the token secrets.

Our biggest threat is Jim from Marketing who used the same damn password for his corporate email as he used when signing up for MarketingCon, and then having that registrant database leak.

I don't even have a strong objection to Duo or their offerings. If they can make a buck by automating stuff or reducing friction, that's fine. The only part I hate is the artificial end-user lock-in. If they just called it HOTP and let the users use whatever client they want, that would be OK. Instead, they have this artificial wrapper around HOTP and make people use their app.