The Duo Blog
Multi-factor authentication is one of the best ways to thwart bad actors using stolen credentials — but it’s not foolproof. Here’s how bad actors are circumventing MFA protection, and 11 ways Duo can help you strengthen your security posture beyond standard MFA.
Year after year, the Verizon Data Breach Report highlights the fact that compromised credentials contribute to the majority of breaches — and MFA remains the strongest mechanism to deter the use of stolen passwords. However, while implementing MFA decreases the risk of account compromise by 99.9%, there will always be bad actors looking to break through even the most robust defenses.
For example, recently there has been news regarding MFA phishing kits. These kits can take advantage of reverse proxies, acting as a “man in the middle” to snag an end user’s valid access token. The prevalence of such kits is unknown, but the risk is worth taking seriously.
First, let’s dissect the structure of using these kits. Keep in mind the strategy here is just an adaptation of existing attack vectors, which focus on end user manipulation. The attacker is sending a user through a proxy and retrieving credentials and/or session tokens by manipulating the end user into thinking they are authenticating into a legitimate resource or application. These attacks are not necessarily new, but hacking tools/scripts and scripts are constantly evolving and have made it easier for attackers to execute them.
At Duo, we think about addressing these attacks in a few ways, both in and outside of our own MFA platform.
Key Controls and Features You Should Consider
Implement Domain Security Features
- First and foremost, utilize Duo’s Allowed Hostnames feature to mitigate abuse of the Traditional Duo Prompt. This function disallows non-verified servers, like those popularized by tools such as Modlishka, EvilGinx2, and Muraenathe, from displaying the Duo prompt. Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: