scintill / DuOTP-android

small GPL3+ Android app that allows you to log in to some Duo-protected services with a standard OTP app
https://f-droid.org/en/packages/net.scintill.duotp/
GNU General Public License v3.0

Duo Mobile version number #3

Open ropufu opened 3 years ago

ropufu commented 3 years ago

Apparently, the code(s) generated by an OTP app also carry a version number with them. I am using andOTP, and get the following error message from the login page:

Duo Mobile None is not allowed by your administrator. Please update to Duo Mobile 3.8 or above and try again.

I wonder if this is something that can be addressed in the future versions of DuOTP. Thank you!

scintill commented 3 years ago

Can you try the version branch? It sends version 3.37.1, which is apparently the latest. I hope it helps. The APK I built is at https://github.com/scintill/DuOTP-android/files/5286382/app-debug.apk.zip if you'd like.

ropufu commented 3 years ago

Thank you for the suggestion. I wish I could, but I need more help *^_^*

First, thank you for building it for me. I do not know how to build APKs (or anything for Android), so that was really nice of you. Unfortunately, your APK won't install on my device. I did uninstall the F-Droid version of DuOTP before trying to install yours, but the installation fails, even after a reboot. Wish there was an error log that I could provide.

I am running Android 10 (07/01 security patch level) on a Moto G Power. Could that be relevant?

scintill commented 3 years ago

Thank you for the quick response. I think I figured out what I did wrong building the APK (it was built in a mode that can only be installed via adb.) Can you please try this one? Thank you.

ropufu commented 3 years ago

Bad news: although the installation went just fine, I get the exact same error message complaining about version None :^(

jkelly99 commented 3 years ago

I am having the "version none" problem as well, both with the F-Droid version and the custom version above. LineageOS 16 and andOTP.

scintill commented 3 years ago

Can you both try this one? (Rename without .zip to install as an apk, because GitHub doesn't allow me to post .apk files this way.) It adds another parameter to the URL it sends to Duo, that might be relevant.

ropufu commented 3 years ago

I am afraid it's bad news again (at least for me): same problem.

jkelly99 commented 3 years ago

The process for adding an entry to andOTP goes well. But, I still get "Duo Mobile None is not allowed by your administrator. Please update to Duo Mobile 3.12.0 or above and try again." when attempting to log in. Thanks for trying to figure this out.

scintill commented 3 years ago

Ahhh, somehow I misunderstood the problem, though in retrospect you had both communicated it well. I did not realize you were even successfully importing the secret into your OTP app. Sorry for my confusion.

Do you know if you have the ability to manually enter codes generated by the official Duo app? For me, I can tap my account name in the Duo app's accounts list, and it expands to show a 6-digit code that I can enter into the Duo login screen on my desktop. This code seems to be generated by the standard HOTP algorithm that andOTP etc. support.

I am guessing your Duo administrators have disabled this, and only allow the push notification method?

jkelly99 commented 3 years ago

I normally log in with the 6-digit code from a supplied hardware token, no push notification. With your app, when I go through the setup process, an entry is supplied in andOTP. When I try to use that 6-digit code to verify my login with Duo, that is when I get the above error.

ropufu commented 3 years ago

Same here. scintill, now that you mentioned it, I re-read my posts and disagree with you: I find them quite unspecific, haha.

Same happens if I generate more codes in andOTP: it offers an option to generate new codes for the DuOTP app; they do not expire, but neither of them works (I tried two this time around, and a couple more during our earlier conversation).

gsomlo commented 2 years ago

For whatever it's worth, I get the exact same behavior after having extracted the secret using https://github.com/WillForan/duo-hotp.git, using oathtool from the command line.

Rather than some version number being secretly encoded in the generated 6-digit codes, is it rather possible that administrators have disabled 6-digit passcode entry for "devices" otherwise known to support push? (The 6-digit codes should be the same regardless of whether they were issued by the Duo app, oathtool, andOTP or DuOTP, given the secret seed and an incrementing counter, or no?)

The interesting question is whether 6-digit codes work when issued by the Duo app itself, if one chooses not to use push mode? And whether that's because codes are "special", or because there's additional back-end communication between the duo app and your service, in spite of you having chosen to not use push mode...
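The thread above rests on two points from RFC 4226 that are easy to check directly: scintill's observation that the 6-digit code is standard HOTP, and gsomlo's point that HOTP output depends only on the shared secret and the counter, so oathtool, andOTP or any other compliant app produces the same sequence from the same seed. The example below is added here for illustration and is not code from DuOTP or from anyone in this thread. It implements HOTP from scratch, parses the kind of `otpauth://hotp/...` URI that OTP apps import (the URI, label and parameter names in the sample are constructed; the secret is the RFC 4226 test key), and includes a server-side verifier with a look-ahead window, which is how a validating service normally tolerates a client counter that has moved ahead.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def parse_otpauth_hotp(uri: str) -> tuple:
    """Parse an otpauth://hotp/<label>?secret=...&counter=...&digits=... URI,
    the format OTP apps such as andOTP import. Returns (secret, counter, digits).
    The secret is base32 with padding optionally stripped, as is common in the wild."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "hotp":
        raise ValueError("not an otpauth HOTP URI")
    q = parse_qs(parts.query)
    b32 = q["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # restore any stripped base32 padding
    secret = base64.b32decode(b32)
    counter = int(q.get("counter", ["0"])[0])
    digits = int(q.get("digits", ["6"])[0])
    return secret, counter, digits


def verify_hotp(secret: bytes, code: str, server_counter: int,
                window: int = 10, digits: int = 6):
    """Server side of HOTP. Accept `code` if it matches any counter in
    [server_counter, server_counter + window); return the next counter to
    expect, or None on rejection. Counters below server_counter are never
    accepted again, which is what stops a captured code from being replayed."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


def same_sequence(secret: bytes, start: int, count: int) -> bool:
    """Two independent clients seeded with the same secret and counter
    (think: official app vs. oathtool) generate identical codes."""
    client_a = [hotp(secret, start + i) for i in range(count)]
    client_b = [hotp(secret, start + i) for i in range(count)]
    return client_a == client_b


if __name__ == "__main__":
    # Constructed sample URI; the secret is the RFC 4226 Appendix D test key.
    uri = ("otpauth://hotp/Duo:example%40example.org"
           "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&counter=0&digits=6")
    secret, counter, digits = parse_otpauth_hotp(uri)
    for i in range(3):
        print(counter + i, hotp(secret, counter + i, digits))
    print("verify code for counter 2 at server counter 0:",
          verify_hotp(secret, hotp(secret, 2), 0))
```

Running it prints the RFC 4226 vectors 755224, 287082 and 359152 for counters 0 to 2, and the verifier advances the server counter to 3 after accepting the counter-2 code. Two things follow for the thread: any client with the same seed yields the same codes, and a code is rejected without any "version" information being involved if its counter has already been consumed or lies beyond the verifier's window.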