04-09-2018 12:39 AM
Hi there
Just wondering, how does Duo protect against SIM Swap attacks.
EG
Is there a way to disable text message as the second form of 2FA?
Thanks
04-09-2018 05:47 AM
Hi zzzp. You can restrict which Authentication Methods are allowed using the Duo Policy engine.
04-09-2018 03:14 PM
Thanks for the reply.
How about when a user Forgets their password, and they go through the Duo steps to recover their account.
Is there a way to disable a user from “Forgetting Password”, e.g. if a user loses their phone, or forgets their password to log into Duo, is there a way to stop the user using a Cell Phone as a method of 2FA for when recovering an account? I want to stop any chance of SIM Swap attacks happening and believe Duo allows a Cell Phone to be used when recovering an account/forgot password?
Thanks
04-10-2018 06:42 AM
If you are also concerned about Duo administrators using phones for 2FA (I think you are as only Duo administrators have the “Forgot Password” reset option), you can also restrict allowable factors for an administrator. See here: Managing Duo Administrators | Duo Security
04-10-2018 06:04 AM
Using the Authentication Methods Policy restrictions mentioned above, you could prevent users from logging in with any method beyond hardware tokens or U2F tokens. This would de facto stop them from using 2FA methods that are commonly associated with a smartphone.
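The answers above restrict the allowed factors in policy; the natural follow-up check for an administrator is to confirm, from the authentication log, that no successful login still used an SMS or phone-call factor. The script below is an added example and is not Duo's own code or API: it models an Authentication Methods policy as an allow-list, flags successful authentications whose factor falls outside that list, and separately flags any success that relied on a carrier-delivered factor (SMS passcode or phone call, the two a SIM swap can intercept). The log entries are constructed, and the factor and result names are assumed to resemble the vocabulary of Duo's authentication log rather than taken from it.

```python
"""Audit authentication log entries for SIM-swap-exposed factors.

Added example, not Duo's code. Factor names such as "sms_passcode" and
"hardware_token" are assumed to resemble Duo's log vocabulary; the log
entries in SAMPLE_LOG are constructed for this example.
"""
from collections import Counter

# Factors delivered over the carrier network: a SIM swap lets an attacker
# receive them, so a policy that allows these is not SIM-swap resistant.
SIM_SWAP_EXPOSED = frozenset({"sms_passcode", "phone_call"})

# The restriction suggested in the thread: hardware tokens and U2F only.
HARDWARE_ONLY = frozenset({"hardware_token", "u2f_token"})


def policy_is_sim_swap_resistant(allowed_factors):
    """True if the allow-list contains no carrier-delivered factor."""
    return not (set(allowed_factors) & SIM_SWAP_EXPOSED)


def audit_auth_log(entries, allowed_factors):
    """Check a list of log entries against an allow-list policy.

    Each entry is a dict with at least "username", "factor" and "result".
    Returns a dict with:
      policy_violations     - successful logins using a factor not in the policy
      sim_exposed_successes - successful logins via SMS or phone call
      per_factor            - count of every factor seen, success or not
    """
    policy_violations = []
    sim_exposed_successes = []
    per_factor = Counter()

    for entry in entries:
        factor = entry["factor"]
        per_factor[factor] += 1
        # Only successful authentications matter for the exposure check;
        # denied attempts using a blocked factor show the policy working.
        if entry["result"] != "success":
            continue
        if factor not in allowed_factors:
            policy_violations.append(entry)
        if factor in SIM_SWAP_EXPOSED:
            sim_exposed_successes.append(entry)

    return {
        "policy_violations": policy_violations,
        "sim_exposed_successes": sim_exposed_successes,
        "per_factor": per_factor,
    }


# Constructed sample log (hypothetical users and timestamps).
SAMPLE_LOG = [
    {"timestamp": 1523200000, "username": "alice", "factor": "sms_passcode",
     "result": "success"},
    {"timestamp": 1523200060, "username": "bob", "factor": "duo_push",
     "result": "success"},
    {"timestamp": 1523200120, "username": "carol", "factor": "hardware_token",
     "result": "success"},
    {"timestamp": 1523200180, "username": "dave", "factor": "phone_call",
     "result": "denied"},
    {"timestamp": 1523200240, "username": "erin", "factor": "u2f_token",
     "result": "success"},
]


if __name__ == "__main__":
    print("policy SIM-swap resistant:", policy_is_sim_swap_resistant(HARDWARE_ONLY))
    report = audit_auth_log(SAMPLE_LOG, HARDWARE_ONLY)
    for entry in report["policy_violations"]:
        print("outside policy:", entry["username"], entry["factor"])
    for entry in report["sim_exposed_successes"]:
        print("SIM-swap exposed success:", entry["username"], entry["factor"])
    print("factors seen:", dict(report["per_factor"]))
```

Run against a real export, a non-empty `sim_exposed_successes` list after the policy change means either the policy is not applied to every application or group, or the entries predate the change; the `per_factor` counts show whether phone-based attempts are still arriving and being denied, which is the expected picture once the restriction is in place.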