In the past I had been testing out Duo Security and their 2FA solution for adding an extra layer of authentication to my remote desktop settings. I stopped having a need for remote access to my machine during the day, and it had been a number of years since I signed in. I attempted to sign in and, no big surprise, I had forgotten my password (well, +1 point for not reusing the same password, I guess) and decided to reach out to support.
That’s when the first troubles with Duo started. I asked about a password reset, figuring they would say no, and thank goodness they did, and I understand why. However, when I asked if they could please delete my account, they said it would not be an issue.
The next day I was told it was not possible for security reasons, despite the fact that the email address I was asking to be removed was the email address I was corresponding from.
I followed up to see if it was a ‘won’t’ or a ‘can’t’, and after about 4 days of emails the only solution they had was for me to use the Gmail alias extension to make a new account, so my email would be firstname.lastname@example.org, not email@example.com.
This was not an acceptable solution. I have personally experienced account lockout from other companies when I sign up with an email that uses the Gmail ‘+’ alias, and mid-week a content delivery service who will remain unnamed (Uplay) made a policy adjustment that does not allow me to sign in with any ‘+’s.
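The ‘+’ alias lockout above comes down to input validation on the sign-in side: the ‘+’ character is legal in the local part of an address, so a form that rejects it is turning away valid mailboxes. The following is an added example, not code from the original post or from Duo, showing an over-strict pattern of that kind beside a permissive one, plus a canonicalization step that lets a service detect duplicate sign-ups through plus-addressing without refusing the address the user typed. The sample addresses are constructed, and the Gmail rule (dots in the local part and any ‘+tag’ suffix map to the same mailbox) is stated as an assumption in the code.

```python
import re

# Constructed sample inputs for this added example (not from the original post).
SAMPLE_EMAILS = [
    "jane.doe+duo@gmail.com",
    "jane.doe@gmail.com",
    "JaneDoe@gmail.com",
    "ops+alerts@example.org",
    "not an email",
]

# Over-strict pattern of the kind that locks out plus-addressed mailboxes;
# included only to contrast with the permissive check below.
STRICT_LOCAL = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Permissive check: '+' is legal in the local part, so it is allowed here.
PERMISSIVE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Assumption: these two domains deliver to the same Gmail mailbox namespace.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def strict_accepts(addr: str) -> bool:
    """The rejecting behaviour: returns False for any '+' in the local part."""
    return STRICT_LOCAL.match(addr) is not None


def accepts(addr: str) -> bool:
    """The corrected behaviour: plus-addressed mailboxes are accepted."""
    return PERMISSIVE.match(addr) is not None


def canonical(addr: str) -> str:
    """Canonical form used only for duplicate-account detection.

    Store and mail the address exactly as typed; compare on this form.
    Assumption: for Gmail, dots in the local part and a '+tag' suffix
    address the same mailbox, so both are stripped before comparing.
    """
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]          # drop any '+tag' suffix
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")      # Gmail ignores dots
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_duplicates(addrs):
    """Group accepted addresses by canonical form; return groups with >1 member."""
    groups = {}
    for a in addrs:
        if not accepts(a):
            continue
        groups.setdefault(canonical(a), []).append(a)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for a in SAMPLE_EMAILS:
        print(f"{a!r:28} strict={strict_accepts(a)!s:5} permissive={accepts(a)}")
    print(find_duplicates(SAMPLE_EMAILS))
```

The point of splitting acceptance from canonicalization is that the two concerns pull in opposite directions: a service that only wants to stop one person registering many times can compare canonical forms and still let the user sign in with the plus-addressed mailbox they chose.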
I figured they could at least close the account, seeing that there were no authentications in the last 3 years, and I had provided the IP address I had last accessed it from, the client name it was running on at that time, and the phone number. I just can’t imagine using this in a corporate environment: with IT being a job that can have high turnover, if an admin had forgotten or neglected to pass the torch, the company would have no way of updating users/policies in Duo. Something else also tells me this conflicts with the EU’s (C-131/12) law on the right to be forgotten.
So I said to myself, fine, I’ll be OK without the 2FA. I also happened to be going to Black Hat and DEF CON this week and saw they had an event going on.
So, thinking I would have a chance to speak to one of their reps and find out if they really can’t delete accounts, I started to sign up and noticed something.
The form auto-populated my name when I put in my email. I assumed it was because I am a customer (well, a locked-out one) and signed up. Once I was done I figured, hey, let’s try another email address and see what happens, this time with someone who is not a Duo customer. So I asked a buddy to just fill out his email, and this was the result.
So yes, Duo is unwilling to remove your email; however, they feel completely fine having a web form run by Clearbit that will tell you what some may consider private info. Playing around some more, I got some interesting results.
It’s basically a giant email address and phone number resolver, similar to SellHack. Sure, most of this is probably public information, but still, it leaves another bad taste in my mouth with Duo. It’s not like your phone number, employer, or last name is PII, is it? Oh, but it is.
If you would like to be removed from the form software Duo is using, you can request that here: https://claim.clearbit.com/claim