2FA bypass local admin rights (affects DUO, not OpenOTP AFAIK)


Colin

Mar 16, 2018, 9:13:34 PM
to RCDevs Security Solutions - Technical
https://www.pentestpartners.com/security-blog/abusing-duo-2fa/

This is just an FYI, and figured the devs would want a heads-up with what pentesters are doing to bypass applications similar to OpenOTP.
I in no way know if OpenOTP is vulnerable to similar pentest techniques.

Administrators

Mar 17, 2018, 7:02:58 AM
to RCDevs Security Solutions - Technical
Thanks for the article!
You are right, this is very useful to know about these potential vulnerabilities.

Btw the weakness is around the fail-open policy in DUO plugins which falls back to usual login if DUO servers are not reachable or DNS gets poisoned.
OpenOTP servers run locally (it's not a SaaS service) so loss of connectivity to OTP servers is not relevant with RCDEVS.
And OpenOTP-CP plugin does not fail-open. Instead, it includes a secure fallback mechanism for offline use (using QR code scans and temporary asymmetric keys).
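The fail-open versus fail-closed distinction discussed in the thread, as an added illustration that is not code from the thread, from Duo or from RCDevs. The login flow, credential check, expected OTP value and the simulated outage are all constructed for this example; it shows how a fail-open policy turns an unreachable second-factor service into a first-factor-only login, while a fail-closed policy denies and records the outage for the SOC.

```python
# Constructed toy login flow (not Duo's or OpenOTP's code) demonstrating
# the risk of a fail-open second-factor policy during a service outage.
from dataclasses import dataclass, field
from enum import Enum


class SecondFactorUnavailable(Exception):
    """Second-factor service could not be reached (timeout, DNS failure, ...)."""


class FailPolicy(Enum):
    OPEN = "fail-open"      # outage => second factor skipped (the weakness above)
    CLOSED = "fail-closed"  # outage => access denied and event logged


@dataclass
class Login:
    policy: FailPolicy
    reachable: bool = True                # simulated reachability of the 2FA service
    audit_log: list = field(default_factory=list)

    def check_password(self, user: str, password: str) -> bool:
        # Constructed credential store; a real system verifies a password hash.
        return (user, password) == ("alice", "correct horse battery staple")

    def check_second_factor(self, user: str, code: str) -> bool:
        if not self.reachable:
            raise SecondFactorUnavailable("second-factor service unreachable")
        return code == "123456"           # constructed expected OTP for this demo

    def authenticate(self, user: str, password: str, code: str) -> bool:
        if not self.check_password(user, password):
            return False
        try:
            return self.check_second_factor(user, code)
        except SecondFactorUnavailable as exc:
            # Record the outage either way: a burst of these events is the
            # detection signal for a DNS-poisoning or blocking attempt.
            self.audit_log.append(
                f"2FA_OUTAGE user={user} policy={self.policy.value} reason={exc}"
            )
            # Fail-open grants access on the first factor alone; fail-closed denies.
            return self.policy is FailPolicy.OPEN
```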