Skip to content

Duo Admin API Secret

Service Name: Duo Security

Service Description: Duo Security is a cloud-based multi-factor authentication (MFA) service that provides two-factor authentication for users accessing applications and systems. It helps organizations secure access to their applications and data by verifying users' identities.

Service Address: https://duo.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the application level in the Duo Admin Panel.

Secret Access Scope: Grants programmatic access to the Duo Admin API, allowing management of users, phones, tokens, and administrative functions within a Duo account.

Secret Revokement URL: https://admin.duosecurity.com/

Secret Example: 5WfduSOkqPXAB123XYZ789abcdefghijklmnopqrstuvwxyz0123456789ABCDE

Suspicious Activity Investigation Instructions:

  • Review the Duo Admin Panel authentication logs for unusual access patterns.
  • Check for unauthorized changes to user accounts, authentication devices, or policy settings.
  • Monitor for unexpected API calls, especially those modifying authentication policies or adding new devices.
  • Review the Admin API logs for calls from unfamiliar IP addresses or during unusual hours.
  • Check for any new admin users or changes to admin permissions.

Mitigation Instructions:

  • Log in to the Duo Admin Panel at https://admin.duosecurity.com/
  • Navigate to Applications > Admin API
  • Locate the compromised integration and click "Delete Integration"
  • Create a new Admin API application with fresh credentials
  • Update all legitimate applications and services to use the new credentials
  • Review and update IP restrictions for the Admin API application if applicable
  • Enable detailed logging for the new Admin API application
  • Review all recent administrative changes made through the API to identify and revert any unauthorized changes