TLDR: U2F prevents a MITM attack between the victim and the Duo server, but not between the victim and the application. Because Duo is a third-party service, we don't get the security properties that U2F would give us between the victim and the server itself.

This boils down to bypassing the Duo integration. If you can bypass the Duo prompt, then the phishing attempt will be successful, even if U2F is used.

To prevent phishing, it is paramount that you enable hostname whitelisting. Without hostname whitelisting, Duo is similar to an OTP generator during a phishing attack.

I've contacted Duo PSIRT about this and their full reply is quoted at the end of the blog post.

> Hostname whitelisting isn't enabled by default because it's difficult to know what hostname(s) are used by many Duo prompt integrations beforehand. This feature is encouraged in the documentation and is proactively recommended by Duo support to its customers that use U2F or WebAuthn. Fortunately, the Duo prompt and Web SDK are undergoing a major redesign that will eliminate the need for manual hostname whitelisting for all applications. This will be available soon.

Because U2F is done through an integration with Duo and not directly on the application, the MFA can be bypassed without attacking U2F directly. We just work around how Duo is integrated into the application.

Here is an illustration of the process that results when implementing the Duo Web SDK (which we discuss in the next sections). If we simplify this to two main connections:

- U2F protects the connection between the victim and Duo. Since the victim connects to the Duo API host directly, the necessary HTTPS connections are established with the right domain, making U2F possible. Any attempt to authenticate when there is a MITM between the victim and Duo will fail.
- Fortunately, with this setup, we only need to get a MITM between the victim and the application.
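As an added illustration of the two connections described above (this is not code from the original post and not Duo's code), here is a small Python model of a phishing reverse proxy against a Duo Web SDK style integration protected by U2F. The hostnames, keys, the HMAC-SHA256 token format (shaped like, but not identical to, a Web SDK v2 sig_request/sig_response), and the way hostname whitelisting is modelled (a check on the hostname of the page embedding the prompt) are all assumptions made for the model.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Set

# Constructed hostnames and keys for the model only; none of these are real.
DUO_API_HOST = "api-xxxxxxxx.duosecurity.com"  # assumed shape of a Duo API hostname
APP_HOST = "app.example"                        # the real application
PHISH_HOST = "app-example.evil"                 # attacker's reverse proxy of the application
IKEY = "DIXXXXXXXXXXXXXXXXXX"                   # integration key (constructed)
SKEY = b"constructed-duo-secret-key"            # shared between the application and Duo
AKEY = b"constructed-application-secret-key"    # known only to the application


def _sign(key: bytes, msg: str) -> str:
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def _verify(key: bytes, prefix: str, token: str) -> Optional[str]:
    """Check a 'PREFIX|payload|sig' token and return the payload on success."""
    parts = token.split("|")
    if len(parts) != 3 or parts[0] != prefix:
        return None
    if not hmac.compare_digest(parts[2], _sign(key, f"{prefix}|{parts[1]}")):
        return None
    return parts[1]


def sign_request(username: str, expire: int = 300) -> str:
    """Application side. Shaped like a Web SDK v2 sig_request: a TX part signed with
    the Duo secret key and an APP part signed with the application's own key."""
    exp = int(time.time()) + expire
    payload = base64.b64encode(f"{IKEY}|{username}|{exp}".encode()).decode()
    tx = f"TX|{payload}|{_sign(SKEY, 'TX|' + payload)}"
    app = f"APP|{payload}|{_sign(AKEY, 'APP|' + payload)}"
    return f"{tx}:{app}"


def verify_response(sig_response: str) -> Optional[str]:
    """Application side. Accept Duo's AUTH part and its own APP part; return the username."""
    if ":" not in sig_response:
        return None
    auth, app = sig_response.split(":", 1)
    auth_payload = _verify(SKEY, "AUTH", auth)
    app_payload = _verify(AKEY, "APP", app)
    if auth_payload is None or auth_payload != app_payload:
        return None
    ikey, username, exp = base64.b64decode(auth_payload).decode().split("|")
    if ikey != IKEY or int(exp) < time.time():
        return None
    return username


class DuoPrompt:
    """Model of the Duo-hosted prompt, i.e. the victim <-> Duo connection."""

    def __init__(self, hostname_whitelist: Optional[Set[str]] = None):
        # None models the default: hostname whitelisting not enabled.
        self.hostname_whitelist = hostname_whitelist

    def authenticate(self, sig_request: str, u2f_origin: str, parent_hostname: str) -> Optional[str]:
        tx, app = sig_request.split(":", 1)
        payload = _verify(SKEY, "TX", tx)
        if payload is None:
            return None
        # Hostname whitelisting, modelled as a check on the embedding page's hostname (assumption):
        # the prompt refuses to complete inside a page served from an unknown host.
        if self.hostname_whitelist is not None and parent_hostname not in self.hostname_whitelist:
            return None
        # U2F origin binding: the authenticator signs over the origin of the page that called
        # the U2F API, and Duo only accepts assertions made for its own host.
        if u2f_origin != DUO_API_HOST:
            return None
        return f"AUTH|{payload}|{_sign(SKEY, 'AUTH|' + payload)}:{app}"


def login_via(duo: DuoPrompt, page_host: str, iframe_host: str, username: str) -> Optional[str]:
    """The victim logs in on page_host, which embeds the Duo prompt served from iframe_host.
    The U2F origin is the iframe's origin; the parent hostname is page_host. Whatever site the
    victim is on (the real app or a phishing proxy) relays sig_request and sig_response
    unchanged, so the application's own verify_response decides whether the login succeeds."""
    sig_request = sign_request(username)
    sig_response = duo.authenticate(sig_request, u2f_origin=iframe_host, parent_hostname=page_host)
    return None if sig_response is None else verify_response(sig_response)


def phishing_attempt(whitelist: Optional[Set[str]], mitm_duo: bool) -> Optional[str]:
    """Attacker proxies the application at PHISH_HOST and, optionally, also proxies Duo."""
    iframe_host = "duo." + PHISH_HOST if mitm_duo else DUO_API_HOST
    return login_via(DuoPrompt(whitelist), PHISH_HOST, iframe_host, "alice")


if __name__ == "__main__":
    print("legitimate login:           ", login_via(DuoPrompt({APP_HOST}), APP_HOST, DUO_API_HOST, "alice"))
    print("MITM app, no whitelist:     ", phishing_attempt(None, False))        # alice: bypass works
    print("MITM app, whitelist enabled:", phishing_attempt({APP_HOST}, False))  # None
    print("MITM app and Duo:           ", phishing_attempt(None, True))         # None: U2F origin check
```

The point the model makes explicit is that U2F only ever checks the origin of the Duo iframe, which is Duo's own host even when the surrounding page is the attacker's proxy; the application never sees which page the response came from, so without hostname whitelisting the relayed sig_response is accepted exactly as an OTP would be. Proxying Duo itself changes the U2F origin and is rejected, which is why the attacker only needs the MITM between the victim and the application.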