Duo Admin API Secret
Service Name: Duo Security
Service Description: Duo Security is a cloud-based multi-factor authentication (MFA) service that provides two-factor authentication for users accessing applications and systems. It helps organizations secure access to their applications and data by verifying users' identities.
Service Address: https://duo.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the application level in the Duo Admin Panel.
Secret Access Scope: Grants programmatic access to the Duo Admin API, allowing management of users, phones, tokens, and administrative functions within a Duo account.
Secret Revokement URL: https://admin.duosecurity.com/
Secret Example: 5WfduSOkqPXAB123XYZ789abcdefghijklmnopqrstuvwxyz0123456789ABCDE
Suspicious Activity Investigation Instructions:
- Review the Duo Admin Panel authentication logs for unusual access patterns.
- Check for unauthorized changes to user accounts, authentication devices, or policy settings.
- Monitor for unexpected API calls, especially those modifying authentication policies or adding new devices.
- Review the Admin API logs for calls from unfamiliar IP addresses or during unusual hours.
- Check for any new admin users or changes to admin permissions.
Mitigation Instructions:
- Log in to the Duo Admin Panel at https://admin.duosecurity.com/
- Navigate to Applications > Admin API
- Locate the compromised integration and click "Delete Integration"
- Create a new Admin API application with fresh credentials
- Update all legitimate applications and services to use the new credentials
- Review and update IP restrictions for the Admin API application if applicable
- Enable detailed logging for the new Admin API application
- Review all recent administrative changes made through the API to identify and revert any unauthorized changes