Duo Security open source alternative for push-based multi-factor authentication

Submitted ⁨⁨1⁩ ⁨day⁩ ago⁩ by ⁨bot@lemmit.online [bot]⁩ to ⁨opensource@lemmit.online⁩

https://old.reddit.com/r/opensource/comments/1it5tot/duo_security_open_source_alternative_for/

This is an automated archive made by the Lemmit Bot.

The original was posted on /r/opensource by /u/FlxMgdnz on 2025-02-19 13:46:03+00:00.

Hello Open Source Community,

I am the founder of hanko.io, a German open source software company. A few years ago, we developed a push authenticator app solution similar to Duo Security, consisting of white-label authenticator apps for iOS and Android, a server that handles push notifications and public keys (FIDO UAF), and a KeyCloak plug-in.

The solution has been developed for a customer in the public / health space and it has been in a handful of live deployments for several years and is regularly updated. We are currently working on compatibility with KC26.

We feel that the white-label capability of the mobile apps is a unique feature that enables branded push authentication apps with device binding capabilities that can be published to the app stores under the customers’ name and brand, without the need to maintain the push authentication capability as part of a complete custom app. There have been requests to add other features to the apps, such as a more informal notification system (“inbox”), but so far we have been unsure whether this is the right direction.

The KeyCloak plugin allows the app to be configured for both first-factor (“passwordless”) and second-factor MFA use cases. The solution can also be used in other non-KeyCloak environments via a simple API. App enrollment is done by scanning a QR code that initiates the creation of a key pair on the device. Multiple credentials per app are supported.

Since we spent the last 3 years mostly on another project focused on user management and passkeys, we didn’t invest any more time in the push authenticator app as a standalone product.

While passkeys are great, they definitely lack the device binding capabilities (private keys always remain on a single device) that the app solution can provide. Therefore, we are considering releasing the solution as a set of open source projects together with a hosted/cloud offering to pay the bills.

We would love to hear your thoughts and feedback. Would you be interested in the solution, or do you know someone who might be?

Thank you.

source

Comments

Sort:hotnew top