Correlating phone/token/etc identifiers between authentication logs and users

trice
Cisco Employee

I’m trying to find unused devices (old phone, tokens, Yubi key, etc.) by correlating the information in /admin/v1/users with /admin/v2/logs/authentication but am a bit confused by identifiers.

The device field in the authentication logs matches up reasonably well with the number in the phones field (once you normalize the formatting of both). The device field also matches up with webauthnkey in the webauthncredentials field.

Should I expect to see the token_id in the tokens and u2ftokens fields showing up in the authentication logs? Or do the webauthncredentials and phones fields give me pretty much what I need to identify when a device was registered and the last time it was used to answer a push?


DuoKristina
Cisco Employee

Hmm, I don’t actually think it will show you the token_id in the authlogs. I did a janky test where I imported Yubico soft authenticator as a HOTP token in Duo and logged in, and the token authlog event does not include the token ID.

A GET on /tokens with info about my token:

    {
        "admins": [],
        "serial": "kristinasoftyubi",
        "token_id": "DHWTOKENID...",
        "totp_step": null,
        "type": "h6",
        "users": [
            {
                "alias1": null,
                "alias2": null,
                "alias3": null,
                "alias4": null,
                "aliases": {},
                "created": 1443208660,
                "email": "kristinaacme@duo.local",
                "firstname": "",
                "is_enrolled": true,
                "last_directory_sync": null,
                "last_login": 1654202814,
                "lastname": "",
                "notes": "",
                "realname": "",
                "status": "active",
                "user_id": "DUSERID...",
                "username": "kristina"
            }
        ]
    },

The v2 authlog event for an auth with that soft HOTP token shows the token serial, which is not the token_id (?):

            {
                "application": {
                    "key": "DIKEY...",
                    "name": "Acme Corp"
                },
                "auth_device": {
                    "ip": null,
                    "location": {
                        "city": null,
                        "country": null,
                        "state": null
                    },
                    "name": "HOTP 6-digit kristinasoftyubi"
                },
                "email": "kristinaacme@duo.local",
                "event_type": "authentication",
                "factor": "hardware_token",
                "isotimestamp": "2022-06-02T20:46:53.890860+00:00",
                "ood_software": null,
                "reason": "valid_passcode",
                "result": "success",
                "timestamp": 1654202813,
                "trusted_endpoint_status": "not trusted",
                "txid": "c3b91762-d3b1-4e05-bd36-36a575af885d",
                "user": {
                    "groups": [
                    ],
                    "key": "DUSERID...",
                    "name": "kristina"
                }
            },

I definitely recommend contacting Duo Support with this question! I’m not on the team that owns our authlogs but Support can route the question appropriately.

ETA I forgot to say this but I do think that the U2F token ID is shown in the same way the webauthn ID is shown.
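One way to do the correlation the question describes, as an added example that is neither Duo's code nor either poster's. It assumes the phone number and webauthnkey appear verbatim in auth_device.name (as the question reports, after normalizing phone formatting) and that an HOTP token event carries the serial as the last word of auth_device.name (as in the reply above); all user, phone, key and token records below are constructed sample data.

```python
# Added example, not Duo's code: correlate /admin/v1/users device records with
# /admin/v2/logs/authentication events to find registered devices never used.
import re

def norm_phone(s):
    # digits only, so "+1 555-010-0001" and "15550100001" compare equal
    return re.sub(r"\D", "", s or "")

USERS = [{  # constructed sample of the /admin/v1/users fields the question uses
    "username": "alice",
    "phones": [{"phone_id": "DPPHONE1", "number": "+1 555-010-0001"},
               {"phone_id": "DPPHONE2", "number": "+1 555-010-0002"}],
    "webauthncredentials": [{"webauthnkey": "WAKEY1"}],
    "tokens": [{"token_id": "DHWTOKEN1", "serial": "softyubi1", "type": "h6"}],
}]
AUTHLOGS = [  # constructed sample of /admin/v2/logs/authentication events
    {"user": {"name": "alice"}, "factor": "duo_push", "result": "success",
     "timestamp": 1654202813, "auth_device": {"name": "15550100001"}},
    {"user": {"name": "alice"}, "factor": "hardware_token", "result": "success",
     "timestamp": 1654202900, "auth_device": {"name": "HOTP 6-digit softyubi1"}},
    {"user": {"name": "alice"}, "factor": "duo_push", "result": "denied",
     "timestamp": 1654203000, "auth_device": {"name": "15550100002"}},
]

def device_index(users):
    # (username, key expected in auth_device.name) -> (kind, id) per registered device
    idx = {}
    for u in users:
        n = u["username"]
        for p in u.get("phones", []):
            idx[(n, norm_phone(p["number"]))] = ("phone", p["phone_id"])
        for w in u.get("webauthncredentials", []):
            idx[(n, w["webauthnkey"])] = ("webauthn", w["webauthnkey"])
        for t in u.get("tokens", []):
            # assumption from the reply: HOTP events show the serial, not the token_id
            idx[(n, t["serial"])] = ("token", t["token_id"])
    return idx

def last_seen(users, logs):
    # {(kind, id): newest successful auth timestamp, or None if never used}
    idx = device_index(users)
    seen = dict.fromkeys(idx.values())
    for ev in logs:
        if ev.get("result") != "success":
            continue  # a denied push on a device is not evidence it is in use
        raw = ev["auth_device"].get("name") or ""
        # try the raw name, its digits-only form, and its last word (token serial)
        for key in (raw, norm_phone(raw), *raw.split()[-1:]):
            dev = idx.get((ev["user"]["name"], key))
            if dev:
                seen[dev] = max(seen[dev] or 0, ev["timestamp"])
                break
    return seen

def unused_devices(users, logs):
    return sorted(d for d, ts in last_seen(users, logs).items() if ts is None)
```

Run against a real export, the unused list still needs a registration-date check (phones and tokens enrolled after the start of your log window will look unused).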
