This repository has been archived by the owner on Jul 18, 2022. It is now read-only.

Replace HMACSHA1 #10

Closed
halllo opened this issue May 14, 2020 · 2 comments

Comments

@halllo

halllo commented May 14, 2020

Please consider upgrading to HMACSHA512 for the crypto.

@AaronAtDuo
Contributor

Hi @halllo,
Unfortunately, that's a bigger task than it sounds. We do have some changes planned for this (and the other) Web SDK clients, and we will definitely be using more modern crypto as part of that project.

In the meantime, our security teams are keeping a close eye on our use of HMACSHA1 and are, for the moment, satisfied with its security for this use case. If anything changes on that front, we will definitely prioritize a crypto update.

@AaronAtDuo
Contributor

Duo has released an updated library for integrating Duo into .NET web applications. It is available on GitHub at https://github.com/duosecurity/duo_universal_csharp and on NuGet at https://www.nuget.org/packages/DuoUniversal.

Duo strongly recommends migrating web applications to the new prompt experience. The new prompt uses the latest cryptography and hopefully addresses your concern about HMACSHA1.

See https://duo.com/docs/universal-prompt-update-guide for more information on the move to the Universal Prompt. See duosecurity/duo_python#57 for a step-by-step example of migrating a simple web application to the new prompt flow.

If you have any problems or issues using the new .NET package, please contact Duo support via https://duo.com/support, or open an issue at https://github.com/duosecurity/duo_universal_csharp.
