Daily SMS Code?

Is it possible to send a daily SMS code at midnight that’s valid for 24hrs of use?

We have several services that could really use 2FA, but the operators of these services don’t want to install any new apps, a lot of them can’t due to company policy or simply having dumb phones.

It would be awesome if we could send users a daily code in the morning, that works for a day.

Hi @GNZ ,

SMS passcodes are for one-time use only (1 code = 1 auth). Using the Duo Auth API’s /auth endpoint, you could script a daily request to send a batch of SMS passcodes to these users. If SMS Auto Refresh is enabled, said users could have a new batch sent automatically to them once the last code is used. Please see SMS Passcode Settings.

Having a singular code to use throughout the day is possible via Bypass Codes, but these are typically given out to the user administratively (not via SMS or email, at least natively) if the user does not have access to their 2FA device (phone).

If your application(s) can support it, Remembered Devices would be the best way to securely perform a long-lived secondary authentication.

Hope this helps!

1 Like

Our integration is primarily with Ericom Connect, which uses Duo’s RADIUS based authentication, so unfortunately remembered devices isn’t an option for us. The SMS integration is unsupported too as Ericom only contacts the RADIUS server AFTER user 2FA input. Duo isn’t aware someone is trying to log in until after they’ve already entered their code.

The batch codes could possibly work for us, I’ll see what the rest of the team think.

In a perfect world, we would use nothing but Push, but this isn’t a perfect world… :upside_down_face:

2 Likes

With the Auth API, each POST to /auth requesting a new passcode would show up in your authentication logs as a user login. This could be potentially confusing to whomever reviews your logs for anomalous events.

It’s possible to use our Admin API to send SMS passcodes to user phone devices as well, with the advantage of getting logged as an administrative action event instead of as an end-user authentication event.

2 Likes