Login through Duo Mobile in your browser.
The Duo Mobile app can be a nuisance; you might've lost your phone or maybe you're prone to getting distracted by Instagram. Now you can login with just a click.
Duochrome is currently on Chrome, Edge, and Firefox. Safari was considered, but there's no way I'm paying $100/yr to be an Apple Developer. Outdated Safari source is available on this page if you would like to build it yourself, but it won't be on the App Store unless someone with a developer membership wants to publish it. If you'd like to see Duochrome added to another browser, open an issue.
Duochrome utilizes the knowledge gained from reverse engineering the official phone app (checkout this repo). Turns out it's a simple process:
- Activate Duochrome as a new Duo Mobile device. Duochrome will communicate with Duo's API activation endpoint and register itself as your new Android device. "Device information" is created during this, and it's synced to your browser account if your settings allow it (see Privacy).
- Approve transactions. A transaction, or a push request, represents a login attempt. When clicked, Duochrome approves a single transaction without asking you for approval for a seamless login (see Login Clicks). If there are multiple push requests, you'll compare their details to weed out old or malicious ones.
Duochrome can only approve push requests sent to the device it created during activation, meaning it can't approve a push request sent to the user's phone. This is not my decision, this is Duo's security. With this in mind, don't make Duochrome your only device capable of logging you in. It should be used as another option, not as the only option.
Caution
This extension is experimental! Duochrome relies entirely on the security of your browser. If a malicious party got access to your browser and you have syncing enabled for both Duochrome and your passwords, they could log in to your Duo Mobile protected service.
To preface, I am not a cyber security expert. I have a basic understanding of 2FA. I do not recommend using this extension if Duo is protecting access to the nuclear football. Duochrome should only be used when both the risk and cost of compromising an account are practically zero.
Duochrome is a practical secure alternative to the Duo Mobile app. For typical Duo Mobile users, this extension strikes a great balance between security and convenience.
2-step verification is something you know, and something you have. The premise of this extension is that you know your password, and you have Duochrome. But by using Duochrome, you're introducing new risks to your Duo Mobile protected account being compromised. Here's some examples:
- Your browser account (such as your Google profile if you're on Chrome) is hacked because you have a poor password, no 2FA, and syncing is enabled.
- You signed into a public machine, synced all your data to it, and walked away.
- Someone, who already has your Duo Mobile account password, and who also knows you use Duochrome, decides to steal your exported login data off your computer when you're away from the machine.
- You are socially engineered to export your own Duo Mobile device information to an unauthorized party.
- You click Duochrome by accident, and as it just so happens, someone who knows your username and your password tried to login at the same time and you just approved their login.
What should be clear is that these kinds of attacks are pretty unlikely to happen to someone who has a basic sense of security. As a result of this reasoning, and in my humble (and biased) opinion, you can rest easy knowing using Duochrome won't practically increase your chances of being the victim of any related cyber-attacks, and can safely use this extension.
No. Duochrome establishes itself as a new device using the same process as the phone app.
Yes. Extensions rely on the security of the browser they reside in. If the browser account is secure, then you shouldn't have anything to worry about. Modern browsers also protect extensions by using a system of Isolated Worlds to separate them from each other and malicious web page JavaScript.
If 2 or more push requests are active, they are presented to you to filter out the suspicious login attempts by comparing their details.
- Use two-click logins. This allows you to review every login attempt without auto-approving.
- Disable syncing extension/add-on data with your account. Device information will stay local to your machine in case your browser account is compromised.
- Use strong passwords (duh).
If you keep seeing No logins found!, it means no push requests were sent to Duochrome. You probably sent the push request to another device (like your phone).
Duochrome can't approve a request sent to your phone. You need to select Other options on the Duo login page, and choose Android (default name created at activation) to send the push request to Duochrome. It's only then that you can click Duochrome and log in.
You can set the amount of clicks required to log you in with the slider in settings. If there are multiple active login attempts, Duochrome will always require you to review and select the correct one regardless of this setting.
Least safe, most convenient. When you browse to a Duo login page, Duochrome will start trying to approve a single login the moment it finds one. No click required. This is unsafe as it always approves a single login attempt, and it doesn't have to be yours. It will start checking for login attempts before yours fully loads. I'm considering requiring at least the IP addresses of the client and the transaction to match in order to approve this type of login.
The default behavior. Clicking on the extension will approve a single login.
Most safe, least convenient. This is the Duo Mobile app behavior. Every login attempt will require you to review it before it's approved.
Duochrome syncs its Duo Mobile device information to your browser's account, meaning it's accessible to all browsers that the user is signed into if their sync preferences support extensions/add-ons (this is usually on by default). This is convenient for most users, as wherever they log in, they still have Duochrome with them to log in through their Duo Mobile account. However, this setting allows your Duo Mobile account to be at risk if your browser account is compromised (see Security). You can disable syncing in your browser's settings.
No information created by this extension is sent anywhere but to Duo Mobile, and there are no outside servers involved. However, your Duo Mobile device information can be exported in settings. Do not send your data to anyone! This is strictly for manually transferring login data to other private machines.
Here are repositories that helped make Duochrome possible or achieve similar purposes:
- Ruo (Python program that approves Duo push requests)
- Bye DUO (Operates same as above)
- Duo One Time Password Generator (Python program for creating HOTPs)
Feel free to share security concerns or adapt Duochrome into a project of your own. If you encounter errors, dislike the UI, or otherwise need to share something, please open an issue.