Duo vs. Fraudulent Device Registration
It is a well-known and established point that a password alone is not enough to secure an account. That’s where multi-factor authentication (MFA) comes in. Typically, a user confirms their identity with an application on their phone by accepting a push notification. But what if an attacker can have that authentication request delivered to a phone they control? Then MFA can no longer stop the cybercriminal from gaining unlimited access.
This type of attack is known as Account Manipulation: Device Registration. A bad actor first gains access to a user’s account through compromised credentials, then gets past the MFA requirement by push bombing the user or phishing a one-time passcode. The attacker then enrolls a new device of their own, bypassing MFA from that point on and gaining unlimited access to an organization’s resources and data.
Mike Moran, Duo data scientist, threat researcher, and co-contributor of this MITRE ATT&CK® technique wants customers to understand how important it is to be aware of and protect against this type of attack.
“An adversary attempting to or successfully registering their own MFA device has become much more common over the last few years, yet it is still an aspect of zero trust systems that is often overlooked. This reality highlights the need for security enhancements to the enrollment process that provide real-time detection and remediation while maintaining scalable usability.”
Protecting against fraudulent device registration requires fully understanding the device enrollment process within your organization and increasing your defenses against this specific action. In addition, it is important to continuously audit and monitor your environment to detect potentially risky registrations. With Duo, there are a few different approaches to harden your defenses. You can also check out this Duo help article that provides policy recommendations and directions for how to secure your accounts.
Proactive Protection:
Self-Service Portal Authentication: New devices are enrolled through the self-service portal, so configure the portal’s policies to require more secure factors, like WebAuthn or Verified Duo Push, before a user can authenticate to it and add a device to their Duo account.
Trusted Endpoints: Duo’s Trusted Endpoints feature lets an organization block all unknown or unmanaged devices from accessing its resources, so the legitimate user never receives the fraudulent push or enrollment request in the first place.
Risk-Based Authentication: Risk-Based Authentication can detect patterns from attackers and step up the authentication requirements to more secure factors in unknown or risky situations.
Detection & Response:
New Device User Notifications: Set up notifications so users are informed if a new device has been added to their account. If the user does not recognize the device or action, they can report the activity to the Duo administrator.
Duo Trust Monitor: Duo Trust Monitor uses a combination of machine learning models and security heuristics to surface events that may be a risk or threat to your organization. For device registration events, we primarily use heuristics that are defined by threat researchers based on previously observed or theorized attacks against MFA systems. The product is currently being improved to surface registration events in real time, combine intelligence from multiple data sources when making an assessment, and more.
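As an added illustration (not Duo’s code and not Trust Monitor’s actual rules), the following Python heuristic shows the kind of registration-event check described above, run over constructed sample events in an assumed, simplified schema: it flags a device enrollment that follows a burst of denied pushes or comes from an IP address the user has never successfully authenticated from.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not Duo's
# actual log format). Alice's trail shows the pattern from the article: a burst
# of denied pushes, one accepted push, then a new device enrolled from an IP she
# never authenticated from before. Bob's trail is a benign enrollment.
EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "alice", "type": "auth", "result": "success", "factor": "push", "ip": "192.0.2.10"},
    {"ts": "2024-03-01T09:00:00", "user": "alice", "type": "auth", "result": "denied", "factor": "push", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:01:00", "user": "alice", "type": "auth", "result": "denied", "factor": "push", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:02:00", "user": "alice", "type": "auth", "result": "denied", "factor": "push", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:04:00", "user": "alice", "type": "auth", "result": "success", "factor": "push", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:05:30", "user": "alice", "type": "enroll", "device": "Android (new)", "ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:30:00", "user": "bob", "type": "auth", "result": "success", "factor": "webauthn", "ip": "198.51.100.5"},
    {"ts": "2024-03-01T10:02:00", "user": "bob", "type": "enroll", "device": "YubiKey 5", "ip": "198.51.100.5"},
]

def _t(e):
    return datetime.fromisoformat(e["ts"])

def flag_risky_enrollments(events, window=timedelta(minutes=15), min_denials=3):
    """Return [(user, device, [reasons])] for enrollments matching the
    fraudulent-registration pattern. Two illustrative heuristics (assumptions
    made for this example, not Duo Trust Monitor's rules):
      1. push-bombing precursor: >= min_denials denied push attempts for the
         same user within `window` before the enrollment;
      2. unfamiliar source: the enrollment IP never appeared in a successful
         authentication by that user before that window."""
    events = sorted(events, key=_t)
    flagged = []
    for e in events:
        if e["type"] != "enroll":
            continue
        start = _t(e) - window
        prior = [p for p in events if p["user"] == e["user"] and p["type"] == "auth" and _t(p) < _t(e)]
        reasons = []
        denials = sum(1 for p in prior if p["result"] == "denied" and p["factor"] == "push" and _t(p) >= start)
        if denials >= min_denials:
            reasons.append(f"{denials} denied pushes in the {window} before enrollment")
        known_ips = {p["ip"] for p in prior if p["result"] == "success" and _t(p) < start}
        if e["ip"] not in known_ips:
            reasons.append(f"enrollment from IP {e['ip']} never seen in a prior successful auth")
        if reasons:
            flagged.append((e["user"], e["device"], reasons))
    return flagged

if __name__ == "__main__":
    for user, device, reasons in flag_risky_enrollments(EVENTS):
        print(f"{user}: new device '{device}' flagged: {'; '.join(reasons)}")
```

A real deployment would read these fields from your authentication and administrator logs and route flagged enrollments to the same administrator the New Device User Notifications reach, so both signals can be reviewed together.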
For more information on security best practices to protect against identity-based attacks, check out Duo’s new eBook, Securing Organizations Against Identity-Based Threats.