"Your device is listed by DUO as a tampered / jailbroken Operating System."

dcc

I thought I'd report this experience here. I don't believe it rises to the level of filing an Issue on github, but it is interesting.

An employer of mine uses DUO to authenticate. I have used their Duo MFA on my Graphene devices for years. However, they instituted a new policy where tampered devices are now blocked by Duo. I received an email that Duo reported my device to my employer as "jailbroken or tampered."

It turns out Duo simply checks Play Store to see if your device is Play Protect Certified. You can check this yourself under Play Store (only if you're logged in) - Settings - About - Play Protect certification. It will say Device is not certified. If you click Fix device issue it will perform a lookup for a bit - likely just checking Google servers to see if your device is listed? - then fail.

Note, this is not the same as Play Protect, which is an agent which scans user-installed apps for malware. Play Protect Certified apparently just reports whether you are running a device which Google, Inc. has licensed. That's it, as far as I can tell.

Ironically, even an old, very insecure, out-of-date Android device will likely still pass this check. Read this GOS discussion for more info.

So Duo does not check your OS, or your bootloader, or whether the device is actually tampered or rooted. It simply pings Google Play Store app and asks if you're running a device which Google has a licensing agreement with. That seems like a very lazy check, but I guess it is effective.

Note, Duo used to work fine on Graphene (with Play Store, with Play Store not logged in, or even without Play Store installed, albiet push notifications don't work in that case). So this is probably due to a new workplace policy. Duo must have reported my device as tampered for years, but my workplace did not have a filter in place to block access.

Either that, or Duo recently updated to include this check. (I doubt Duo would document this, but someone can check.)

Even now, I can still install and operate Duo. I even get a rotating 2FA code! But when I enter that 2FA code on any device, Duo gives me an error message that my device is tampered and the entry is not accepted.

Also, Duo push notifications are still pushed to my "tampered" device! Which seems wild to me. But again, they are not accepted.

My cybersecurity team said that it may be possible to sideload the Play Protect certificate for Google Pixels. However, I have my doubts.

I did see that Google offers a way to register your device so it is Play Protect certified. However, I cannot run adb root - it says root access is blocked in production builds. Per this discussion forum post, it sounds like that won't help anyway.

Finally, I guess one option is to email Duo to request they change their check to allow GrapheneOS to pass, and there are suggestions on how to do that here. But Duo doesn't seem like the most user-friendly company. Corporations are their main customer, not end users.

Any thoughts are appreciated, but unfortunately I consider this an intractable issue due to Duo's (lazy?) check of Play Protect Certified status.

r134a

dcc Duo must have reported my device as tampered for years, but my workplace did not have a filter in place to block access.

Wether or not that would be the case, in your position i would have come to the conclusion to request a phone from said employer to use for work related things, duo included.

dcc

I can add some additional information.

Duo has a new help page called Why is my device listed as "tampered" in the Duo Admin Panel?

In May 2025, Play Integrity attestation checks became more strict. Because of this, more Android devices may be identified as tampered by Duo now than in the past.

In January 2025, Google replaced SafetyNet with Play Integrity attestation.

With the implementation of Play Integrity, Duo gained the ability to define further granularity of the insight we can provide into your users' devices. The definition of tampered devices in the Duo Admin Panel depends on where it is seen:

In the Device Insight page, 2FA Devices pages, and on individual device pages, tampered indicates Android devices that are either rooted or fail the Play Integrity check and iOS devices detected to be jailbroken.

In the Policies page, tampered is a combination of Android devices that fail the Play Integrity check and iOS devices detected to be jailbroken. If tampered policies are in place, Android users can trigger them by failing the Play Integrity or Duo's standalone rooted test.

So it does check for root, but it also checks for the Play Integrity test. There's probably no way to get Graphene to pass that test?

(Even though I get notifications on Graphene that other apps utilize the Play Integrity API?)

Lucario1829

dcc yeah some apps check play integrity but choose not to block the app from you if you fail it. graphene also passes the basic check but not the other two, so a developer might not block you because they only take the basic level into account

Starved1753

This isn’t a solution to the problem of duo not working with GOS but duo does support hardware tokens. It may be your easiest option to just have your employer get one for you. For example my employer gave me a duo branded token “Digipass GO 6” https://duo.com/product/multi-factor-authentication-mfa/authentication-methods/tokens-and-passcodes

dcc

r134a oh yeah I tried that. They claim even the executives have difficulty getting a phone approved.

Unfortunately in my industry we're a captive audience and they can make policies like "you must have a personal smartphone, and you must be willing to load Duo on your personal device, or you can leave"

chinook

r134a This is pretty much the case.

I'm using Duo without any problems whatsoever, but we also use yubikeys as another way of authentication. It must be set up by the organisation's Duo admin but works everywhere the normal duo challenge shows up.

The other thing, however? Sure, you can also not eat?

(My company will issue me a work phone if one day my personal will stop working for Duo or 1Password, but I know it's not universal.

dcc I suggest you spend some time doing your research and buy get the absolute oldest/cheapest/worst/most dangerously unpatched phone that passes this check swimmingly.

Install Duo, company email client, company chat client, whatever is normally expected (to increase attack vector)

Then send an email to your line manager and CC security advising them that due to the company request to PURCHASE separate complaint phone to run Duo in the way gated by the company (ie: enforcing Play Integrity), you got yourself this-and-that because it works and it's affordable, and you just wanted to let them know it has some 8 years of unpatched RCEs unlike your secure GoS, so you are just politely asking for permission to connect to the company wifi.

One way or another. I know it sucks to comply to the idiocy, but at least make it their decision. Bonus? You will be leaving "company phone" at home during weekends, no way to reach you in your free time.

Edit: dammit, I reread and it's you employer who is a contractor in the $company. I guess that this level of malicious compliance is not advised, but in that case (as you) I'd just purchase this sort of crappy phone, officially issue it to your employer, who then needs to raise the ticket to have Duo moved to the crappy phone. Make sure the make/model/android version of the phone are in the ticket, so adding awfully insecure device will technically be approved by the $company.

Or not. Sorry, I guess you could try to liaise with security in there and explain why it's a security theater (give examples of the shitty old phones passing, rooted phones with magisk passing, leaked Nexus 4 (?) certificate allowing any rooted phone to pass) -- the last one alone should be more than enough ("this is encouraging/approving a very dangerous modifications while barring the safest device in your network")

dcc

I emailed Duo to request that they use hardware attestation as a fallback, which should let Graphene pass the check.

They sent back a boilerplate email informing me that they did not locate an account for me, and unless I'm a system admin, they won't respond to anything or provide assistance with anything. I responded politely that this was a suggestion, not a request for personal service, but they emailed back a personal note saying they only speak with admins. Oh well.

Unfortunately they are a corporate contractor and their actual customer is corporations, not end users.

I suppose I could have my company's security team send the same request. Doubt it would get anywhere, but who knows?