Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/evan-goode/duolibre
Authenticate to Duo 2FA systems without the Duo Mobile app
https://github.com/evan-goode/duolibre
Last synced: about 2 months ago
JSON representation
Authenticate to Duo 2FA systems without the Duo Mobile app
- Host: GitHub
- URL: https://github.com/evan-goode/duolibre
- Owner: evan-goode
- License: unlicense
- Created: 2019-07-05T03:28:12.000Z (about 5 years ago)
- Default Branch: master
- Last Pushed: 2024-07-06T00:28:46.000Z (3 months ago)
- Last Synced: 2024-07-27T17:32:25.854Z (about 2 months ago)
- Language: Python
- Size: 67.4 KB
- Stars: 36
- Watchers: 3
- Forks: 2
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Duolibre
Duolibre lets you authenticate to Duo 2FA systems without the proprietary Duo Mobile app. It forges an activation request from Duo Mobile to Duo's servers and hands the resulting HOTP secret over to you. You can use this secret to generate HOTP codes programmatically, or import it into the two-factor authenticator of your choice; for Android users, I recommend [Aegis](https://f-droid.org/app/com.beemdevelopment.aegis) or [FreeOTP+](https://f-droid.org/app/org.liberty.android.freeotpplus) from F-Droid. Note that Duolibre doesn't provide a reverse-engineered alternative to Duo Push, so you'll have to use one-time passwords.
## Getting started
Install via pip:
```
pip install --user git+https://github.com/evan-goode/duolibre.git
```Or, using Nix, start a shell with Duolibre
```
nix shell github:evan-goode/duolibre
```Run Duolibre against the activation URL that was sent to your phone via SMS, or the URL of the QR code displayed on the web interface:
```
duolibre https://m-XXXXXXXX.duosecurity.com/android/XXXXXXXXXXXXXXXXXXXX
```If you'd rather save the generated provisioning QR code to an SVG file instead of printing it to the terminal, pass `--output-file`:
```
duolibre https://m-XXXXXXXX.duosecurity.com/android/XXXXXXXXXXXXXXXXXXXX --output-file ./qr-code.svg
```## Background
The Duo Mobile app [collects](https://help.duo.com/s/article/2939?language=en_US) a considerable amount of analytics data from its users. Privacy-conscious folks and those who simply do not wish to run proprietary software on their phones should have a way to opt-out without special intervention from their organization. Duolibre makes it easy to use an alternative authenticator that's more respectful of one's privacy and freedoms.
I developed Duolibre by man-in-the-middling communication between the Duo Mobile client and Duo's servers. Duo Mobile for Android implements certificate pinning to defend against this reverse-engineering technique, but I was able to circumvent that using the Xposed module [JustTrustMe](https://github.com/Fuzion24/JustTrustMe).
## Usage
```
Usage: duolibre [OPTIONS] ACTIVATION_URIOptions:
--output-file TEXT
--help Show this message and exit.
```## License
[The Unlicense](https://unlicense.org)