Skip to content

Authenticate to Duo 2FA systems without the Duo Mobile app

License

Notifications You must be signed in to change notification settings

evan-goode/duolibre

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Duolibre

Duolibre lets you authenticate to Duo 2FA systems without the proprietary Duo Mobile app. It forges an activation request from Duo Mobile to Duo's servers and hands the resulting HOTP secret over to you. You can use this secret to generate HOTP codes programmatically, or import it into the two-factor authenticator of your choice; for Android users, I recommend Aegis or FreeOTP+ from F-Droid. Note that Duolibre doesn't provide a reverse-engineered alternative to Duo Push, so you'll have to use one-time passwords.

Getting started

Install via pip:

pip install --user git+https://github.com/evan-goode/duolibre.git

Or, using Nix, start a shell with Duolibre

nix shell github:evan-goode/duolibre

Run Duolibre against the activation URL that was sent to your phone via SMS, or the URL of the QR code displayed on the web interface:

duolibre https://m-XXXXXXXX.duosecurity.com/android/XXXXXXXXXXXXXXXXXXXX

If you'd rather save the generated provisioning QR code to an SVG file instead of printing it to the terminal, pass --output-file:

duolibre https://m-XXXXXXXX.duosecurity.com/android/XXXXXXXXXXXXXXXXXXXX --output-file ./qr-code.svg

Background

The Duo Mobile app collects a considerable amount of analytics data from its users. Privacy-conscious folks and those who simply do not wish to run proprietary software on their phones should have a way to opt-out without special intervention from their organization. Duolibre makes it easy to use an alternative authenticator that's more respectful of one's privacy and freedoms.

I developed Duolibre by man-in-the-middling communication between the Duo Mobile client and Duo's servers. Duo Mobile for Android implements certificate pinning to defend against this reverse-engineering technique, but I was able to circumvent that using the Xposed module JustTrustMe.

Usage

Usage: duolibre [OPTIONS] ACTIVATION_URI

Options:
  --output-file TEXT
  --help              Show this message and exit.

License

The Unlicense

About

Authenticate to Duo 2FA systems without the Duo Mobile app

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •