App as virtual token

erich2
Level 1

As I understand it, the logon passcode is generated from a standardized hashing algorithm based on the security key and either a counter (for HOTP) or the time (for TOTP). (It also must know it is SHA1 and how many digits, etc…) It must be standard because Duo can import third-party tokens knowing only the serial number and the security key.

That said, I can’t seem to get the single (non-Duo) app I use for all other MFA to have the correct passcode for Duo. I’ve tried both the TOTP and HOTP versions. I know that the key is case sensitive (although I was surprised/disappointed that Duo limited it to hex characters), but adjusting the case hasn’t worked either.

Does anyone know if the algorithm folds in the serial number too? I entered a (made-up) serial number into Duo when importing the token, but I thought that was just for identification purposes. I don’t include that in the key entered into the app.

Just for reference, I’m currently testing against OTP Auth (by Roland Moers) on the iPhone, but eventually will move to a different OTP app when I get my Librem5 (for which there is no Duo Mobile app).

Thanks.
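
Added example, not part of the original post and not Duo's code: the standard RFC 4226 (HOTP) and RFC 6238 (TOTP) computation, showing that only the key bytes and the counter or time step feed the HMAC, plus the conversion of a hex-encoded key to the Base32 form used in `otpauth://` key URIs. The key is the published RFC 4226 test key; that a given OTP app expects Base32 input, and the helper names, are assumptions.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test key ("12345678901234567890"), written as hex.
HEX_KEY = "3132333435363738393031323334353637383930"
KEY = bytes.fromhex(HEX_KEY)


def hotp(key: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(key, int(unix_time) // step, digits, algo)


def hex_to_base32(hex_key: str) -> str:
    """Re-encode a hex key as unpadded Base32 (the otpauth:// secret form)."""
    return base64.b32encode(bytes.fromhex(hex_key)).decode("ascii").rstrip("=")


def key_from_base32(secret: str) -> bytes:
    """Decode a Base32 secret back to raw key bytes, restoring padding."""
    secret = secret.replace(" ", "").upper()
    return base64.b32decode(secret + "=" * (-len(secret) % 8))


def mistyped_key_codes(hex_key: str, count: int = 3) -> list:
    """Codes produced when the hex text itself is used as the key bytes."""
    return [hotp(hex_key.encode("ascii"), c) for c in range(count)]


if __name__ == "__main__":
    print("Base32 secret :", hex_to_base32(HEX_KEY))
    print("HOTP 0..2     :", [hotp(KEY, c) for c in range(3)])
    print("TOTP at t=59  :", totp(KEY, 59))
    print("hex-as-text   :", mistyped_key_codes(HEX_KEY))
```

The same 20 key bytes give the same codes whichever text encoding they were entered in; a mismatch appears when the two sides decode the typed string differently or disagree on counter, time step, digit count or hash.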
