Order of DUO Devices Displayed Incorrectly for Users with 10 or More Devices
Closed this issue · 3 comments
Description
When a user is assigned 10 or more devices in DUO, the order in which the devices are displayed on the SSH session is incorrect. Instead of following the same order as in the admin UI (push1, push2, push3...push10, push11, etc.), the devices are shown as push1, push11, push12, push2, push3, and so on. This sorting issue causes confusion, especially when users rely on the displayed order to pass the DUO_PASSCODE variable during authentication. Users may select what they believe to be the correct device based on the SSH session order, but in reality, the authentication request is sent to the wrong device. This discrepancy creates usability problems.
Expected Behavior
The DUO devices should be displayed in a logical and sequential order, same as they are displayed on the DUO Admin UI(push1, push2, push3...push10, push11, etc.) during the SSH session, ensuring that users can easily identify and select the correct device for authentication.
Actual Behavior
The DUO devices are displayed in an incorrect order (push1, push11, push12, push2, push3, and so on) during the SSH session, leading to confusion and potential authentication errors. DUO_PASSCODE as a result doesn't work as expected.
Steps to Reproduce
- Assign 10 or more devices to a user in DUO.
- Initiate an SSH session that triggers DUO authentication.
- Observe the order in which DUO devices are displayed during authentication. Compare this with the order displayed on the DUO Admin UI.
Workarounds
A DUO Admin has to identify the correct number for a device from the Admin UI and provide it to the user.
Notes to self, it looks like the options are being ordered strictly as strings, the numeric part is not being considered separately. However, this might be an issue with the preauth API, not duo unix specifically. Need to look into that.
I have confirmed that this is an issue with the underlying Auth API, not Duo Unix specifically. I will see if I can get this fixed on the Duo side.
@pushpinderbal The API-side fix has been released - this issue should be resolved now