Duo Mobile on Android does not have PIN security?


#1

I put Duo Mobile on our Google Fi Nexus 5X Android Nougat phones, and added a slew of accounts. We already have two Google Authenticators, but I thought the push feature of Duo would be worthwhile.

However, unlike some other apps we have, Duo does not offer PIN access, so I uninstalled it from our accounts. Other apps we use have PIN access without requiring admin access to our phone (which messes up Google policies).


#2

Could you please explain further what you mean by:

Other apps we use have PIN access without requiring admin access to our phone (which messes up Google policies).

From our current understanding of your request, our recommended approach would be to require a device screen lock for users. You can read more about using a policy to achieve this here: https://duo.com/docs/policy#screen-lock.


#3

I don’t think you really mean “Screen Lock” (Settings -> Security -> Screen lock) which gives a toggle for “Power button instantly locks”.

If Duo had a setting as you describe, as with other apps, it likely would require Settings -> Security -> “Apps with usage access” to toggle Duo if it would appear there. (That’s how other Apps work.) However, as I said, this really messes up Google Apps Policy settings and the password has to be reset, etc.

Some apps, including two other 2FA apps, come with options to set PINs without the “access” hassles.


#4

Hi Ingber,

I think I understand what you’re asking for: when an Android user goes to launch the Duo Mobile app, Duo Mobile would prompt them for a PIN before allowing them to approve a push authentication request. Correct? The desire is to minimize the vulnerability to an attack scenario where the attacker has physical access to the user’s 2FA device.

Instead of requiring a PIN to launch Duo Mobile, our approach to this scenario is slightly different: a PIN-protected screen lock on the device.

Enabling screen lock with passcode on iOS or with PIN on Android secures devices by requiring input of a numeric code when turning on your device or unlocking the screen. If the screen is locked when a Duo Mobile push authentication request is received, then the screen must be unlocked before approving the authentication request.

Note that this does not force the user to set up a screen lock; it merely prevents them from approving a push authentication request until they do. Google Apps Policy settings do not need to be adjusted and passwords will not need to be reset.

If you already have an MDM policy in place that requires a screen lock, great. If you have a BYOD user population, adding a screen lock with PIN would be something they could voluntarily opt into for the added convenience of approving push authentication requests from their personal phones. We’d love to hear more about how this intersects with your Google Apps Policy and password resets.
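
As an added illustration of the mechanism described in the reply above (this is example code written for this page, not Duo Mobile’s own code, and the thread does not show how Duo implements it): an Android activity that refuses to approve a push request unless the device has a secure screen lock, and that requires the user to present that lock (PIN, pattern, password, or an enrolled fingerprint) before the approval is sent. The class name, the request code and the sendApproval method are hypothetical; the KeyguardManager calls are real platform APIs (createConfirmDeviceCredentialIntent is deprecated from API 29 in favour of BiometricPrompt, but still works on the Nougat devices mentioned in this thread).

```java
// Added example, not Duo Mobile's code. Names marked "hypothetical" are
// invented for illustration; the android.app.KeyguardManager calls are real.
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.util.Log;
import android.widget.Toast;

public class ApproveRequestActivity extends Activity {   // hypothetical name
    private static final String TAG = "ApprovalGate";
    private static final int REQ_CONFIRM_CREDENTIAL = 0x2FA; // hypothetical request code

    private KeyguardManager keyguard;
    private String pendingRequestId;   // id of the push request shown on screen

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        keyguard = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
        // In a real app this would come from the push payload; constructed here.
        pendingRequestId = getIntent().getStringExtra("request_id");
    }

    /** Called when the user taps "Approve" on the push request. */
    void onApproveTapped() {
        // Gate 1: no PIN/pattern/password configured at all. Do not approve;
        // tell the user what to fix. This does not change any device-admin or
        // usage-access setting, it only reads the keyguard state.
        if (!keyguard.isDeviceSecure()) {
            Toast.makeText(this,
                    "Set a screen lock (Settings > Security > Screen lock) before approving.",
                    Toast.LENGTH_LONG).show();
            return;
        }

        // Gate 2: a lock exists, so make the user present it now. The system
        // shows its own unlock UI (PIN, pattern, password or fingerprint); the
        // app never sees the secret, only an OK / cancelled result.
        Intent confirm = keyguard.createConfirmDeviceCredentialIntent(
                "Confirm it's you", "Unlock to approve this login request");
        if (confirm == null) {
            // Defensive: the OS reports no usable credential despite isDeviceSecure().
            Log.w(TAG, "No credential intent available; refusing approval");
            return;
        }
        startActivityForResult(confirm, REQ_CONFIRM_CREDENTIAL);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != REQ_CONFIRM_CREDENTIAL) {
            return;
        }
        if (resultCode == RESULT_OK) {
            sendApproval(pendingRequestId);
        } else {
            // User cancelled or failed the unlock: the request stays pending and
            // times out on the server side; nothing is sent.
            Log.i(TAG, "Unlock not completed; approval withheld for " + pendingRequestId);
        }
    }

    /** Hypothetical: posts the approval for the given request to the auth server. */
    private void sendApproval(String requestId) {
        Log.i(TAG, "Approving request " + requestId);
        // ... HTTP call to the authentication service goes here ...
        finish();
    }
}
```

Note the asymmetry this gives: the check costs nothing when the phone is already unlocked by fingerprint, which keeps the push approval as convenient as the reply above intends, while a phone picked up by someone else cannot approve a request without first passing the device’s own lock.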


#5

Yes, the PIN feature in your first paragraph is what I am talking about.

We already have screen lock set up fine, and it can work using a fingerprint, PIN or password. We prefer the fingerprints.

The PIN lock per selected apps also is available under Avast! but as I mentioned that messes with the Google Apps Policies by permitting apps special access.


#6

To be clear, the “push” feature should not be PIN locked; that would defeat its purpose.

The insecure feature of the app is in the presentation of the accounts and their current 2FA codes. The presentation of the accounts, to view current accounts or to enter new ones, should be PIN locked.