How to: Auth a user with Google Authenticator

jldavis02
Level 1

Technically should work with any other MFA application like Microsoft Authenticator, I would expect, as I’m pretty sure they all use the same URI formatting for TOTP/HOTP syntax.

Preliminary - I have a user that just does not want to cooperate with installing the Duo app, and the Yubikey has led to the discovery of an issue with a system maxing out at 64 character passwords, which led to the rabbit hole of Google Authenticator and Duo.

Step 1: Using the rootprojects site below, or by hand, create a secret key and build your OTP URL. Secrets should be 32 characters, all upper case and numbers for consistency. As an example URL using TOTP:

otpauth://totp/Duo:user@example.com?secret=ZW6SONMEFKMGFKKXPJE2SGZKMXWISO5Q&issuer=Duo&algorithm=SHA1&digits=6&period=30

Step 2: Using the Google Charts URL below, or another QR application, create a QR code, or if using the rootprojects page use the QR code that was generated on the page. An example Google Charts URL for the URI in step 1:

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/Duo:user@example.com?secret=ZW6SONMEFKMGFKKXPJE2SGZKMXWISO5Q&issuer=Duo&algorithm=SHA1&digits=6&period=30

Step 3: Translate the secret from base32 to hexadecimal using something like the cryptii site above (encoded on left, set to decode, Base32 (RFC 3548, 4648), Bytes, Hexadecimal, group by – none):

ZW6SONMEFKMGFKKXPJE2SGZKMXWISO5Q → cdbd2735842a9862a9577a49a91b2a65ec893bb0

Step 4: Go to Duo admin panel, click on Import Hardware Token. For the serial number put in the [user@example.com] portion, then a comma followed by the hexadecimal secret from step 3.

Step 5: Assign the hardware token to the user.

Links/Helpful details:

https://rootprojects.org/authenticator/

Syntax for Google auth token:

otpauth://[totp or hotp]/[issuer]:[Account detail, such as user@example.com]?secret=[secret key]&issuer=[issuer]

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=[above OTP Path]

This has been tested using Duo proxy auth with comma delimited code and seems to work so far.
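
Steps 1, 3 and 4 above, done locally so the secret never passes through a third-party web page, as an added example that is not part of the original post. The function names are hypothetical, the "serial,hex secret" line follows Step 4 as the post describes it, and totp() is a standard RFC 6238 computation with the post's parameters (SHA1, 6 digits, 30 seconds) for checking the code the authenticator app shows before the token is assigned.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote, urlencode

def new_secret():
    """Step 1: 20 random bytes -> 32 Base32 characters (A-Z, 2-7), no padding."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")

def otpauth_uri(account, secret, issuer="Duo"):
    """Step 1: build the TOTP provisioning URI in the form shown in the post."""
    label = quote(f"{issuer}:{account}", safe=":@")
    query = urlencode({"secret": secret, "issuer": issuer,
                       "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{query}"

def base32_to_hex(secret):
    """Step 3: decode the Base32 secret and return lowercase hex."""
    padded = secret.upper() + "=" * (-len(secret) % 8)
    return base64.b32decode(padded).hex()

def import_line(account, secret):
    """Step 4: 'serial,hex secret', using the account as the serial number."""
    return f"{account},{base32_to_hex(secret)}"

def totp(secret, at=None, digits=6, period=30):
    """RFC 6238 code for the secret at Unix time `at` (default: now)."""
    key = bytes.fromhex(base32_to_hex(secret))
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

if __name__ == "__main__":
    account = "user@example.com"      # placeholder account from the post
    secret = new_secret()             # freshly generated, never reuse the post's
    print(otpauth_uri(account, secret))   # feed this to a local QR generator
    print(import_line(account, secret))   # line for the hardware token import
    print("current code:", totp(secret))  # should match the authenticator app
```

The URI contains the secret in clear text, so render the QR code with a local tool and treat the URI, the QR image and the import line as credentials.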
