Skip to content

Duo Keys

Service Name: Duo Security

Service Description: Duo Security is a cloud-based multi-factor authentication (MFA) service that provides two-factor authentication and security solutions to protect organizations against account takeovers and data breaches.

Service Address: https://duo.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the application level through Duo's Admin Panel.

Secret Access Scope: Duo API keys grant access to Duo's Admin API, allowing programmatic management of users, phones, hardware tokens, and administrative functions.

Secret Revokement URL: https://admin.duosecurity.com/

Secret Example: - Integration Key: DIxxxxxxxxxxxxxxxxxx - Secret Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - API Hostname: api-xxxxxxxx.duosecurity.com

Suspicious Activity Investigation Instructions:

  • Review Duo Authentication Logs for unusual authentication attempts or administrative actions.
  • Check for unexpected API calls or administrative changes in the Duo Admin Panel.
  • Look for new applications or integrations that were recently added.
  • Monitor for changes to authentication policies or user enrollment settings.
  • Review IP addresses that accessed the Duo Admin API for unfamiliar locations.

Mitigation Instructions:

  • Log in to the Duo Admin Panel at https://admin.duosecurity.com/
  • Navigate to Applications > Protect an Application
  • Find the application with the compromised integration key
  • Click "Protect" to view the application settings
  • Click "Delete Application" to revoke the integration
  • Create a new application integration with fresh credentials
  • Update your application configuration with the new integration key, secret key, and API hostname
  • Consider enabling IP restrictions for the new application integration
  • Review and update your security policies to prevent future compromises