Google Authenticator uses the HOTP and TOTP algorithms for TFA. What is the basic working principle of Duo Push? What brings security to Duo Push?
1 Answer
For push, Duo uses HOTP. It also supports TOTP when available.
What brings security to DUO push?
Quoted from the Duo website:
Duo Push, authentication requests approved in the Duo Mobile app, provides an extremely secure and user-friendly mobile authentication experience.
Duo Push is an out-of-band authentication mechanism over a mutually-authenticated secure transport and is resilient against even the most sophisticated credential-stealing attacks. Duo Push authentication requests are signed with an asymmetric key pair to ensure end-to-end integrity. Transaction details are displayed to the user for verification, and any discrepancies or unexpected authentication requests can be flagged with the tap of a button.
While operating over a TLS transport to protect confidentiality, the integrity of Duo Push transactions does not fully rely on TLS. Instead, an asymmetric signature scheme provides message-level authenticity and integrity on top of the transport channel. Therefore, even in the face of implementation-or-protocol-level attacks against TLS, Duo Push remains uncompromised and transaction approvals cannot be forged.
During Duo Mobile account activation, an asymmetric key pair is generated, which acts as the primary identifying credential for the user when responding to Duo Push requests. The private key is stored securely on the mobile device while the public key is maintained in Duo’s cloud service.
Source: https://duo.com/product/trusted-users/two-factor-authentication/authentication-methods
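The quoted description boils down to three properties: a device-held private key enrolled at activation, a signature over the transaction details plus the user's decision, and a server-side check that what the phone signed is exactly what the service sent. The following Go model of that exchange is an added example, not Duo's code or wire format: Ed25519, the request fields, the canonical string that is signed, and the per-request nonce used to stop replays are all assumptions chosen to illustrate why transport-level tampering or a stolen password does not yield a forged approval.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// PushRequest carries the transaction details shown to the user. Field names
// are an assumption for this model; the page does not give Duo's wire format.
type PushRequest struct {
	TxID     string // fresh random nonce per request
	User     string
	App      string
	SourceIP string
	IssuedAt int64
}

// Approval is the phone's reply: the request as displayed, the decision, and
// an Ed25519 signature by the device's private key over both.
type Approval struct {
	Req       PushRequest
	Decision  string // "approve" or "deny"
	Signature []byte
}

// canonical is the byte string both sides sign and verify. Every field is
// included, so changing any detail or the decision invalidates the signature.
func canonical(r PushRequest, decision string) []byte {
	return []byte(fmt.Sprintf("push-v1|%s|%s|%s|%s|%d|%s",
		r.TxID, r.User, r.App, r.SourceIP, r.IssuedAt, decision))
}

// Device stands in for the phone app: it holds the private key from activation.
type Device struct{ priv ed25519.PrivateKey }

// Service stands in for the cloud side: the enrolled public key plus the
// outstanding requests, keyed by TxID, so each push can be answered once.
type Service struct {
	pub     ed25519.PublicKey
	pending map[string]PushRequest
}

// Activate models enrollment: the key pair is generated on the device and
// only the public half is handed to the service.
func Activate() (*Device, *Service, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, &Service{pub: pub, pending: map[string]PushRequest{}}, nil
}

// NewPush issues a request with a fresh TxID and records exactly what was sent.
func (s *Service) NewPush(user, app, ip string, now time.Time) (PushRequest, error) {
	var nonce [16]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return PushRequest{}, err
	}
	r := PushRequest{TxID: hex.EncodeToString(nonce[:]), User: user, App: app,
		SourceIP: ip, IssuedAt: now.Unix()}
	s.pending[r.TxID] = r
	return r, nil
}

// Respond is the user reading the displayed details and tapping a button.
func (d *Device) Respond(r PushRequest, decision string) Approval {
	return Approval{Req: r, Decision: decision,
		Signature: ed25519.Sign(d.priv, canonical(r, decision))}
}

// Verify accepts an approval only if it answers a live request, the details
// the phone signed are the ones the service sent, and the signature checks
// out under the enrolled public key. The TxID is consumed on any outcome.
func (s *Service) Verify(a Approval) error {
	sent, ok := s.pending[a.Req.TxID]
	if !ok {
		return errors.New("unknown or already-answered transaction")
	}
	delete(s.pending, a.Req.TxID)
	if sent != a.Req {
		return errors.New("displayed details differ from what the service sent")
	}
	if !ed25519.Verify(s.pub, canonical(a.Req, a.Decision), a.Signature) {
		return errors.New("signature does not verify under the enrolled key")
	}
	if a.Decision != "approve" {
		return errors.New("user denied the request")
	}
	return nil
}

func main() {
	dev, svc, err := Activate()
	if err != nil {
		panic(err)
	}
	req, _ := svc.NewPush("alice", "corp-vpn", "203.0.113.7", time.Now())
	fmt.Println("genuine approval:", svc.Verify(dev.Respond(req, "approve")))
	fmt.Println("replayed approval:", svc.Verify(dev.Respond(req, "approve")))
}
```

Two checks carry the weight. The comparison against the stored request catches a request altered on its way to the phone (the user would have approved attacker-supplied details), and the signature catches anything altered on the way back, including a "deny" flipped to "approve". Neither check depends on TLS being intact, which is the point the quoted text makes; TLS is still wanted for confidentiality of the details shown. The TxID doubles as the replay guard, so an intercepted approval cannot be submitted twice.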