+50
Completed

Add support for Duosecurity 2 factor tech login

Michael Bannerman 8 years ago updated by Craig Silver 7 years ago 36 1 duplicate

I would like to see support for
Duosecurity 2 factor tech login
www.duosecurity.com
they offer push support . it would be nice to see this on screenconnect.

Answer

+3
Answer
Started

Hi All,

A quick announcement for anyone who may have missed the news posted on the output stream:

There will be support for Duo Security as a 2FA provider in 6.2. The release should be out mid-April.

Duplicates 1

Been hoping for Duo 2FA for awhile now!

Yes please! One of our most desired features.

+1

Duo Security +1 We are an MSP and use Duo for most logins. ScreenConnect with native Duo integration would be wonderful. In the meantime, if you could publish a "how to" article to integrate it using existing LDAP/Active Directory, that would be very helpful to a lot of people.


Thank you

Fingers crossed, thank you for continuing to improve and consider additional features for ScreenConnect!

Can you use the Authproxy option for this purpose until official support? I'd prefer something native as well but this is what I was planning on doing.

https://duo.com/docs/authproxy_reference

with push support please, easy to use and add security

+2

Would be great to have Duo support natively, but we currently have Duo implemented using the LDAP Proxy. Supports push, SMS, and phone.


Native would be a lot easier to figure out though! :)

Leah,


We have tried the LDAP Proxy unsuccessfully. Would you mind if I emailed you to see how you were able to get it working successfully?

Not at all, Sean! What's your email address? I can email you what we did.

Leah, will you be so kind and include us? info@integra-systems.net


Thank you

sernst at centrexit dot com


Thanks so much!!

My team would also be interested in adding that to our server here

We would love Duo support as well!

Another request here. Step 1 would be Duo auth as a technician just to log in to Screenconnect (with local accounts an with LDAP/AD integrated accounts).


Phase 2 I think would be Duo 2FA into customer systems that are on-access - as well as the ability to toggle on/off 2FA based on subgroup. Example, for customer A we want 2FA required, for customer B we don't.

To put a little more fire under you guys for this feature, one of your competitors, Bomgar, already supports Duo.

Well now let's be honest here. Screenconnect > Bomgar.


That said yea, we really need MFA for Screenconnect. And the current MFA options are lacking imo.

Bump number 2 - any update from Screenconnect on ETA on this?

One of the decision factors is whether the system is secure. 2FA should be considered as a must have nowadays. Duo seems to be the easiest to integrate. Any timeline for supporting Duo?

No ETA on a Duo integration.

@Stuart ScreenConnect currently offers four 2FA methods: https://help.screenconnect.com/Enabling_two-factor_authentication. The above request for Duo is just a request for an additional method.


There are architectural changes that would need to be made to add DUO support, so it's more of a scheduling thing at the moment as we have high value enhancements taking precedence at the moment. It is still under consideration, and will most likely occur.

Increased security isn't considered a high value enhancement? Any good tech company knows IT needs to operate with a "security first" policy these days. Considering this is one of the top feature requests and it involves security it should be at the top of the list.


I'm sure ConnectWise doesn't want to end up like TeamViewer and end up having compromised accounts getting easy access to organization's PCs.

+3
Answer
Started

Hi All,

A quick announcement for anyone who may have missed the news posted on the output stream:

There will be support for Duo Security as a 2FA provider in 6.2. The release should be out mid-April.

That's great news, thanks Kirsten!

Very excited to see this finally become a priority.

3 cheers for Screenconnect! Hip hip hurray!

I noticed that and I am using the pre-release version. Unfortunately there is no indication of how to use the Duo authentication.

Are there any plans to support the all the Duo 2FA methods? Right now only push is supported but Duo can use many more methods (multiple mobile devices, OTP, SMS, phone call, bypass code, hardware token, etc) and their API makes it very easy for the user to choose the device and method they want to use to authenticate with.

Hi pfp,

We can sure look into adding those additional methods. Please register your request separately since this request is closed internally as it's complete.

I am using version 6.3.13446.6374, self-hosted, Linux.


I just set up Duo and I do get a push but accepting it never completes the login; I must always ask my DuoMobile app for a one-time number and enter it into my Control login web page. Is it not possible for the application to complete the login after I accept the Duo push to my phone?


Also, I tried out the "Trust this device" checkbox but even after changing web.config's "TrustDeviceExpireDays" to 0 and restarting the service, I no longer get the Duo prompt from the machine that I originally trusted. Do I have to wait for a day or something before the 0 value kicks in? (According to this forum thread, the default is 30 but setting it to 0 disables it.)

Hi Craig,


After you accept the push request on your phone, you just leave the 2FA field empty in Control and submit; it doesn't check what you put in that field when using Duo.


When you log in and check the "Trust this device" checkbox, it saves the expiration of the trust within the cookie based on the current TrustDeviceExpireDays setting. So the device you clicked "Trust this device" on will be trusted for 30 days. If you set TrustDeviceExpireDays to 0, it disables trusting new devices from that point forward.

Thanks for the quick reply, Mayfield. Odd, I did clear my browser's cookies for the past hour when I was testing but it was only when I explicitly deleted the two for the domain that I got the DUO prompt back.


It's too bad that the application does not automatically respond once I accept the phone's prompt but it's not a big deal. I'm just glad that push works. :)