Nonstop duo prompt

wonnage
wonnage
Community Member

I have a personal, non-Duo account, as well as a Duo-secured account from work. Every couple of days the work account wants me to reauthenticate. This renders 1Password completely unusable until it’s done. 1Password keeps showing incessant duo prompts even after I’ve dismissed them.

For the love of god, can 1password fix this? It’s extremely annoying to drop everything and look for my 2fa device when in the middle of something else. This happens across iOS and the Mac apps.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:Duo

«1

Comments

  • ag_ana
    ag_ana
    1Password Alumni

    Hi @wonnage!

    Every couple of days the work account wants me to reauthenticate.

    The prompt is coming from Duo, right? It sounds like your team configured it this way (your admins can control this setting. I suggest you reach out to them if you think they should configure it in a different way :+1:

    For the love of god, can 1password fix this?

    Can you please elaborate? I am not sure I see an issue to fix: Duo is prompting you to authenticate regularly, as configured by your administrators? What would require fixing in this case?

  • wonnage
    wonnage
    Community Member

    I get a native iOS pop-up that says "1Password wants to use 1password.com to log in". Tapping cancel just triggers another pop-up a second later. I don't think Duo is controlling this, they're being spawned by the 1password app as indicated by the pop-up.

    What I want is for 1password to stop prompting me temporarily after tapping cancel, e.g until the next time the app is opened.

  • ag_ana
    ag_ana
    1Password Alumni

    @wonnage:

    I get a native iOS pop-up that says "1Password wants to use 1password.com to log in".

    Would you be able to share a screenshot of this with us?

  • linux4life
    linux4life
    Community Member
    edited September 2020

    Same situation and issue here. Makes app unusable on iOS.

  • linux4life
    linux4life
    Community Member

    On 1password Desktop App. (macOS) Was greeted with same prompt. Accepted Duo Prompt and Desktop App continued to work normally. Followed up with attempting Duo Prompt on iOS again, app began working again as normal. Something with accepting a push on desktop app first caused Duo Push to work on iOS. Odd.

    Hope the team continues to bring stability to products. Especially desktop integrations and TouchID integration. Quite unfortunate to lose the functionality with 1password X. Also plenty of crashes on desktop app past 4-5 weeks. :-/

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for the screenshot @linux4life!

    On 1password Desktop App. (macOS) Was greeted with same prompt. Accepted Duo Prompt and Desktop App continued to work normally. Followed up with attempting Duo Prompt on iOS again, app began working again as normal. Something with accepting a push on desktop app first caused Duo Push to work on iOS. Odd.

    I am not sure if this was because you specifically accepted the prompt on Mac, I think it might be because you just accepted the prompt, regardless of the device. For example, the next time this happens, it would be good to know if accepting the prompt directly on iOS, instead of dismissing it, would also work.

    Also plenty of crashes on desktop app past 4-5 weeks. :-/

    We can take a look at this separately for sure. I would like to ask you to generate a diagnostics report from your Mac and email it to us to support+forum@agilebits.com, so we can take a closer look at why this is happening to you.

    After you have sent the email, please feel free to post the ticket number you received so we can locate your message and connect it with this forum discussion.

    Looking forward to your message!

  • linux4life
    linux4life
    Community Member

    I think it might be because you just accepted the prompt, regardless of the device. For example, the next time this happens, it would be good to know if accepting the prompt directly on iOS, instead of dismissing it, would also work.

    Numerous prior attempts to accept on iOS were performed as OP mentions. The iOS app was useless until a Duo Prompt was accepted on desktop. The next accept on iOS was then successful, returning operability to iOS app. Hope this helps the Dev Team.

  • ag_ana
    ag_ana
    1Password Alumni

    @linux4life:

    Numerous prior attempts to accept on iOS were performed as OP mentions.

    Op actually mentioned dismissing the prompt:

    1Password keeps showing incessant duo prompts even after I’ve dismissed them.

    And

    Tapping cancel just triggers another pop-up a second later.

    Which is why I thought this was why accepting it, even on another device, would explain the difference. But it sounds like you have been accepting them all along, so perhaps there is a difference in how you have been responding to these prompts.

  • linux4life
    linux4life
    Community Member

    Thanks for clarifying. In past, those prompts could be dismissed and app continue to be used on mobile, just wouldn’t update items and vaults with 1p servers. This was preferred because if in a hurry or poor data signal, could obtain most data needed without having to complete a Duo push.

    Yes, no matter how many times Duo Push accepted or cancelled on mobile, the app was not useable as pop-ups would re-appear within a second after accepting the push, or cancelling the dialog.

  • Thanks @linux4life. Are you able to reproduce this problem using the latest version of 1Password? There was a problem with the authentication looping as described but it was resolved in 1Password for iOS v7.6.2. Please let me know.

    Ben

    ref: dev/apple/issues#4894

  • linux4life
    linux4life
    Community Member

    @Ben Issue was occurring on iOS 14 Beta 6 with 7.6.2. Will have to see if the problem reoccurs once another push from Duo is required.

  • Thanks; please keep us in the loop. :+1: Also, if you're going to run beta OS versions, you may want to consider using beta versions of 1Password as well, as we generally don't push fixes for beta OSes in stable releases of 1Password.

    Use 1Password beta releases

    This of course comes with the usual caveat emptor about betas, but since you're already on the OS betas I assume you're familiar. ;)

    Ben

  • wonnage
    wonnage
    Community Member

    I can’t seem to upload the screen recording, but here’s an iCloud link: https://share.icloud.com/photos/0ovlZhM7VxeWvUwfS9sEaWc6w

    I’m on iOS 14, but this was happening prior to the upgrade as well (iOS 13.7).

  • Thanks @wonnage. Our business team is investigating further. We appreciate the video. Our current understanding is that it should be possible to hit cancel there and then use the app until taking an action that requires communication with the server which would then cause another prompt. But I can see from your video that no action is taken between prompts. We're going to try to reproduce this issue and then will follow up with our development team to see if our understanding is correct.

    Ben

    ref: /archives/CFRHP2K4Z/p1600689836008100

  • Another small update: our business team was able to reproduce the issue and I have filed a bug report with our development team. :+1:

    Ben

    ref: dev/apple/issues#5002

  • grumpygraeme69
    grumpygraeme69
    Community Member

    Hello Ben, am wondering if there is an update from
    Your post of 21 September. I too have the same issue as wonnage, no matter how many times I push an authentication and approve via Duo, 1Password for iOS duo auth keeps looping and will not allow me to use the app at all. I was able to get around this for some time by asking Duo to call my mobile and authorise instead of a push notification, but this has also since stopped working. App on Mac OS works fine. Really need a fix as iOS is my main source of access to my 1Password app and is becoming a major inconvenience now.

  • Hi @grumpygraeme69

    It is not currently on the to-do list, but I've asked our business team to push to get it back on there if this continues to be an issue for our business customers. You may also want to reach out to your account manager (or business@1password.com) to let them know you're affected by this.

    Ben

  • grumpygraeme69
    grumpygraeme69
    Community Member

    Hello Ben, thanks for the quick response. So basically in a nutshell you are telling me the only way I can use 1Password iOS app at the moment is to disable Duo 2fa integration and increase security risk on a highly sensitive app because the fault is not high up on the radar of the dev team? If that is the case, no problem, it will be goodbye to 1Password. I am dumbfounded that this is not a priority to address. This must be affecting many others too?

  • Hello Ben, thanks for the quick response.

    You're welcome!

    So basically in a nutshell you are telling me the only way I can use 1Password iOS app at the moment is to disable Duo 2fa integration

    If you are running into this, yes, that is my understanding.

    and increase security risk on a highly sensitive app because the fault is not high up on the radar of the dev team?

    The primary thing protecting your data with 1Password is end-to-end encryption. The only benefit 2FA offers 1Password accounts is some layer of protection for the device authorization process, the first time you sign into your 1Password account from a new device. Beyond that, it is not used. That's outside the scope of your question, but you made that comment so I thought it might be helpful to elaborate on the purpose of 2FA in terms of 1Password. Additionally, Duo is not the only (or even a very popular) choice for 2FA for 1Password. TOTP would be the more typical solution:

    Turn on two-factor authentication for your 1Password account

    I am dumbfounded that this is not a priority to address. This must be affecting many others too?

    We have 8 customers other than yourself who have reported this difficulty. I have added you to the affected customer list, however, as I say, our business team would be in the best position to advocate for a change in priority here. I would encourage you to reach out to them if this continues to negatively impact your 1Password experience.

    Ben

  • nrose
    nrose
    Community Member
    edited February 2021

    @Ben : Make that at least 9 business customers.

    I've spent the last couple weeks looking at 1Password as a replacement for our existing password repository, anticipating billing for an initial test deployment beginning this week with our Infrastructure team. Secrets have already been mass migrated. SCIM Bridge implemented w/ provisioning in place. Every configuration setting tweaked and ready to go in anticipation of beginning deployment. My hitting this Duo MFA bug in the 11th hour has the potential of becoming a big problem fairly quickly. The fact that it was initially raised ~5 months ago yet is still an active bug is enough to provide serious reservations about if this product is enterprise ready. Duo integration is a feature you advertise on both Business and Pricing pages regardless of its apparently popularity.

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for the additional feedback @nrose! This fix should make it to one of the next updates ;)

  • nrose
    nrose
    Community Member

    @ag_ana : Genuinely appreciate the (quick!) response Ana and do hope you understand why this bug is raising heavy concern on my part. After ~5 months there's a bit more ambiguity in "one of the next updates" than I'm comfortable with. (i.e. Does that mean next week? Next year?) I did reach out to our account manager this morning as well in hopes of someone being able to provide specifics regarding what kind of focus this is actually receiving internally. If it is still "not currently on the to-do list" then I think it's a fair argument that 1Password needs to update their marketing to specify Duo MFA support for desktop only (or removed all together). This has broken iOS usability, a feature we're going to need for our field users if we ultimately make the switch to 1Password.

  • ag_ana
    ag_ana
    1Password Alumni

    @nrose:

    When it comes to actual dates, I am afraid I cannot tell. In general, I know we never mention these because, as I was told in the past, "it's a great way to be wrong most of the time" :) From the changelog, however, I see that the fix was addressed in 7.7.1.BETA-1, so the next stable update should include it ;)

  • sf1
    sf1
    Community Member

    I toggled duo off then on in the admin console and that seems to have resolved it for now.

  • ag_ana
    ag_ana
    1Password Alumni

    Thank you for the update @sf1! I am glad to hear that this helped :)

  • davidliv
    davidliv
    Community Member

    I've been stuck in this 1Password 2FA Duo Push authentication loop a number of times. Today, I figured out a workaround.
    Opening 1Password on my iOS device
    1Password opens then prompts that it wants me to sign in via 1password.com (for the Duo authentication)
    Duo 2FA screen displays.
    Normally, you'd want to choose Push authentication, but that begins the loop. Instead choose enter code.
    Open Duo on the mobile device and copy the authentication code.
    Paste the code in the 1password.com Duo authentication screen.
    Success.

    The problem appears that 1Password is set to lock once it is no longer the app in focus. The duo push prompt switches you to the Duo app to approve authentication, but then when you return to 1Password, it has locked and needs authentication again.

  • @davidliv

    Indeed switching away from the 1Password app once the authorization process has started is the source of the difficulty. 1Password for iOS loses its place in the authorization process when switching apps. If you can get a code or approve the push notification (e.g. on another authorized device) without 1Password losing focus then it should work. As Ana mentioned we have what we hope will be the fix for this in the 1Password 7.7.1 beta, so if all goes well that would be included in the 7.7.1 release.

    Ben

  • nrose
    nrose
    Community Member
    edited March 2021

    @Ben / @ag_ana

    FYI, the Beta build I was using after Ana’s recommendation had Duo MFA working perfectly for a week and a half. Tonight my phone updated to the latest beta build (70701005) and now the Duo MFA problem is back. I rolled back to 70701003 and it fixed the problem.

    Was the fix intentionally left out of the latest beta build? (Was there an issue?)

  • Hi @nrose

    I think that may be a coincidence. We were hoping v7.7.1 would fix this, but it appears it has not. :frown: I suspect an earlier build working is a red herring. Could you please try:

    1. Update to the latest build
    2. Reproduce the issue (note the date, time, and timezone)
    3. Send us a diagnostic report along with the info from step 2 and a link to your post: https://1password.community/discussion/comment/590463/#Comment_590463

    (instructions for sending the report can be found here: https://support.1password.com/diagnostics/ )

    Thanks!

    Ben

    ref: dev/apple/issues#5002

  • nrose
    nrose
    Community Member

    @Ben I don't want to be too quick to discount any possibility, though the behavior is definitely confusing. I had our 1Password tenant requiring Duo MFA every 3 days. I switched over to beta builds on February 16th and do not recall having any issues until after an update on the 28th to 70701005. I was able to reproduce the issue on 70701005. When I roll back to 70701003, the problem went away (and I'd successfully MFA'd at least once since doing so). To contrast this, I just now updated back to 70701005, turned my tenant MFA timing down to 1 day (triggering an MFA request on my phone) and now it worked properly -- hence I'm not sure what's going on.

    We just signed our contract for deployment to our initial users so I can't go throttling down MFA permanently for testing anymore -- but I'll keep an eye for the next time I can reproduce the issue to upload the diagnostics.

This discussion has been closed.