Duo Keys
Service Name: Duo Security
Service Description: Duo Security is a cloud-based multi-factor authentication (MFA) service that provides two-factor authentication and security solutions to protect organizations against account takeovers and data breaches.
Service Address: https://duo.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the application level through Duo's Admin Panel.
Secret Access Scope: Duo API keys grant access to Duo's Admin API, allowing programmatic management of users, phones, hardware tokens, and administrative functions.
Secret Revokement URL: https://admin.duosecurity.com/
Secret Example: - Integration Key: DIxxxxxxxxxxxxxxxxxx - Secret Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - API Hostname: api-xxxxxxxx.duosecurity.com
Suspicious Activity Investigation Instructions:
- Review Duo Authentication Logs for unusual authentication attempts or administrative actions.
- Check for unexpected API calls or administrative changes in the Duo Admin Panel.
- Look for new applications or integrations that were recently added.
- Monitor for changes to authentication policies or user enrollment settings.
- Review IP addresses that accessed the Duo Admin API for unfamiliar locations.
Mitigation Instructions:
- Log in to the Duo Admin Panel at https://admin.duosecurity.com/
- Navigate to Applications > Protect an Application
- Find the application with the compromised integration key
- Click "Protect" to view the application settings
- Click "Delete Application" to revoke the integration
- Create a new application integration with fresh credentials
- Update your application configuration with the new integration key, secret key, and API hostname
- Consider enabling IP restrictions for the new application integration
- Review and update your security policies to prevent future compromises