Feature Request: Duo MFA #2432

Open
CornHead764 opened this issue Mar 26, 2021 · 27 comments · May be fixed by #6609

@CornHead764

Been using Mesh Central for a few years now, and have been using the built in 2fa for a long time. It works great, but I recently discovered there is a free tier for Duo to use their app based mfa, so you can use a push notification as the mfa method for free. I would love to see mesh central integrate duo as a 2fa method. Any of the paid tiers could use duo as a saml provider to integrate with mesh central that way, however those of us on the free tier don't seem to have an option for integration with mesh central :(

Below is a link to their web sdk and OIDC api documentation

https://duo.com/docs/duoweb
https://duo.com/docs/oauthapi

@Ylianst Ylianst self-assigned this Mar 26, 2021
@Ylianst
Owner

Ylianst commented Mar 27, 2021

Interesting. I always figured Google or Microsoft would offer a free push notification 2FA to help the Internet since FireBase Cloud Notifications are free. I will take a look at this, if they have a NodeJS SDK, that would be perfect. The MeshCentral 2FA login screen is not currently "live" (websocket), so I would have to do some work to change that. This said, it would be cool to tap ok on a mobile device for 2FA.

@CornHead764
Author

A quick google search yielded the below GitHub repository, which appears to be supported by duo directly. Hopefully this is relatively easy to implement.

https://github.com/duosecurity/duo_nodejs

@Ylianst
Owner

Ylianst commented Mar 27, 2021

You're fast. Yes, this is exactly what I need and being supported by Duo is excellent. It's also on NPM here, so exactly perfect. I will give this a try.

@VINISHVV

Wow, good feature .. I am waiting for the same in MC.

@eldadh

eldadh commented Apr 15, 2021

Can't wait for this feature,
Would be a great addition to a great piece of software.

@CornHead764
Author

Any update on this? Just curious

@VINISHVV

@CornHead764 - Duo MFA is not implemented, but the same functionality is enabled in the MeshCentral mobile app.

Please refer to #2495

@CornHead764
Author

> @CornHead764 - Duo MFA is not implemented, but the same functionality is enabled in the MeshCentral mobile app.
>
> Please refer to #2495

Looks like no dice for us iOS users :(

Oh well, I'll keep waiting :)

@m4zl

m4zl commented Nov 9, 2022

I am also waiting full of interest for the Duo MFA. We would like to use it as well.

Any updates on this @Ylianst maybe?

@fredclown

Also would love to see Duo support.

@Ylianst
Owner

Ylianst commented Jul 16, 2023

I looked at Duo MFA support a long time ago and it's a paid service. If I remember correctly, I could get a free account and support a few users, but beyond this, you needed to pay a monthly fee so I focused on free 2FA solutions instead. I don't have much time these days since I am focused on starting up in a different job, but if someone has a pull request for Duo, I will certainly accept it.

@si458
Collaborator

si458 commented Dec 7, 2024

is this still required?
there is a passportjs module we could try using https://github.com/basharal/passport-duo
also they offer 1-10 users FREE which might help us get started but it's only MFA access, no passwordless or SSO

@si458 si458 assigned si458 and unassigned Ylianst Dec 7, 2024
@Br0kenSilos

Just adding my two cents here.. I don't know how much work it would be to add it to MC as I am not a dev but, I use DUO (personal) for other things and would love to have the option in MeshCentral. Right now I use a YubiKey for my MFA into MC, but DUO would be a nice to have for when I do not have the yubikeys handy. We also use DUO for MFA at work too so I can only guess that this would be nice to have for larger companies using DUO as well.

@si458
Collaborator

si458 commented Dec 7, 2024

i will have a look when i get the chance!
there is a possibility that the module passport-duo won't work because it used iframes
which from googling duo no longer support!

@si458
Collaborator

si458 commented Dec 9, 2024

ok the passport-duo doesn't work anymore so we need a new way to implement their v4 sdk now

we would need to add another button after u login and get asked for 2fa, which u click to be diverted to duo to do 2fa

but also we need to create a panel in ur 'my user' page to create/add ur account to the duo servers and then keep a record of this

its similar to how we would do say the SMS, but it means more fields in the database that would need adding

so its very complex and not simple

@si458
Collaborator

si458 commented Dec 10, 2024

Ok so i have done some testing and I just need some input on the matter

When u setup duo u need an id, secret and servername, u get these from duo in applications

Should we setup a single duo credentials which the whole server would use? (So a single person/company would pay for each of their users that use duo)

Or do we do it like bitwarden where each user has their own credentials etc? Then the fee/burden is on the end user/staff member?

Also when the staff member logs in, do we redirect to duo automatically OR do we have a button like we do with messaging/sms which the user clicks then we divert to duo for auth?

Also we need to assign a username to duo, I was going to use the useridentifier for uniqueness as using the username isn't really unique
And we can't use the email address because multiple users can have the same email address
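
The comment above raises a redirect to Duo for the second factor and the unique user identifier as the Duo username. As an added example (not code from MeshCentral, the linked pull request or the Duo SDK), this shows the server-side bookkeeping such a redirect needs: a random single-use state value, and a check that the user the provider verified is the one who passed the password step. Function names and the 5-minute lifetime are assumptions.

```javascript
// Added example: hypothetical helper names, not MeshCentral or Duo SDK code.
// Web Crypto is a global in current Node.js; older releases expose it on the module.
const wc = globalThis.crypto ?? require('crypto').webcrypto;

const PENDING_TTL_MS = 5 * 60 * 1000; // assumed lifetime of an unfinished attempt
const pending = new Map();            // state -> { userId, expires }

// Step 1: the password check has passed and the user clicked the Duo button.
// userId is the server's unique user identifier (not the login name or email);
// the same value is what gets sent to the provider as the username.
function beginSecondFactor(userId, now = Date.now()) {
  const state = Buffer.from(wc.getRandomValues(new Uint8Array(32))).toString('hex');
  pending.set(state, { userId, expires: now + PENDING_TTL_MS });
  return state; // goes out in the redirect and must come back unchanged
}

// Step 2: the browser returns from the provider.
// returnedState is read from the callback query string; verifiedUsername is the
// username taken from the provider's result after the SDK has validated it.
function completeSecondFactor(returnedState, verifiedUsername, now = Date.now()) {
  const key = String(returnedState);
  const entry = pending.get(key);
  if (!entry) return { ok: false, reason: 'unknown-state' };
  pending.delete(key); // single use: a replayed callback finds nothing
  if (now > entry.expires) return { ok: false, reason: 'expired' };
  if (verifiedUsername !== entry.userId) return { ok: false, reason: 'user-mismatch' };
  return { ok: true, userId: entry.userId };
}
```

The login session should be marked as fully authenticated only when `completeSecondFactor` returns `ok: true`, and only for the `userId` it returns.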

@Br0kenSilos

Well I can only speak for my own use case and that may or may not best suit others. I use MC at home to support family, friends, and a few clients. For stuff like this I have a personal DUO account since it is only me using it. So for me personally it makes sense to do it like Bitwarden does.

OTOH, at work, we have a paid DUO account and all employees are using the company DUO account. While we are not currently using MC at work, I am trying to slowly sell the idea of it. In that case, option one would be better.

So I guess it really depends on how others see it. I feel like I could make it work for me either way.

@si458
Collaborator

si458 commented Dec 10, 2024

@Br0kenSilos ok thank u for ur input, i will think on it,
i've started to implement it like ur work's method,
where work has a main account/control but each user has a duo account under them,
which would be like $3/$6/$9 a month depending on their plan,
so currently each meshcentral user that enables the option in the My User panel will be charged a fee, like the pic below
image
thankfully, duo offers 10 users free! which is what i'm using to test!

@Br0kenSilos

Yep. That makes sense to me. I too use the free 10 user account at home and then use work's larger corporate account for work things. The nice thing is that the DUO phone app allows multiple accounts (work and personal) on it so it all stays together.
Thanks for all the work you do!!

@si458
Collaborator

si458 commented Dec 10, 2024

@Br0kenSilos I tested here and it's the same thing which is nice!
Only thing I spotted was I couldn't use the same mobile number on multiple accounts but I think that's a duo limitation not something I'm doing wrong haha

Only final question,
Do I display a button underneath the token box like we do for messaging/email/sms which takes us to duo,
Or
Do i just automatically divert the user to duo?

I would say a button u click to use duo because u can still setup additional 2fa like email or sms or messaging as well as duo and they will need the token message box

Also if i got really fancy I can even integrate the raw api from duo and then let the user enter the code that's displayed in the app directly into the token box and let it do the authentication but they would prefer I used the still redirect method instead

@Br0kenSilos

Oh man.. Well again.. For me personally.. I would display a button / icon along with whatever other 2FA methods might be enabled. In my case, I typically use my Yubikey. But if I am mobile on my laptop, DUO would be my next best choice. Also, that's cool you can use the token box. NORMALLY, I use DUO push notifications that I approve on the phone instead of keying in the code. But that's more of a personal preference.

@si458
Collaborator

si458 commented Dec 10, 2024

@Br0kenSilos thank you
I think i will do the button.
It is the best option because as u explained u can use other 2fa methods too rather than forcing duo upon somebody all the time!

@si458
Collaborator

si458 commented Dec 10, 2024

sample teasers i've been working on all day hehe
image
image
image

```json
{
  "domains": {
    "": {
      "passwordRequirements": {
        "duo2factor": {
          "apihostname": "api-xxxxxx.duosecurity.com",
          "integrationkey": "DIQxxxxxxxxxxxxxxxxx",
          "secretkey": "vkg2Cxxxxxxxxxxxxxxxxxxxxxxxxx"
        }
      }
    }
  }
}
```

@Br0kenSilos

HAH! I am loving it man. Great work for sure. I'm going to buy you a beer (or two).

@si458 si458 linked a pull request Dec 14, 2024 that will close this issue
@si458
Collaborator

si458 commented Dec 14, 2024

ta-da! #6609
need to get @Ylianst just to verify the security side of things and no exploits but all works here no issues!

@Br0kenSilos

Heck yah! Can't wait.

@si458
Collaborator

si458 commented Dec 14, 2024

IF you wanted to test

  1. stop meshcentral
  2. BACKUP YOUR SETUP/VM/SERVER/ETC!!!!!!!!!!!
  3. npm install Ylianst/MeshCentral#duo-mobile <- remember NO TRANSLATIONS ONLY ENGLISH!
  4. set credentials like above from duo (you must create the application as web sdk)
  5. start meshcentral
  6. try letting a user enable it!
