cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3222
Views
0
Helpful
4
Replies

SIM Swap Attack

zzzp
Level 1
Level 1

Hi there

Just wondering, how does Duo protect against SIM Swap attacks.

EG

  • A hacker does a SIM Swap on a users Cell Phone.
  • They find a users password by an email Phishing attack,
  • The user can then authenticate via Duo.

Is there a way to disable text message as the second form of 2FA?

Thanks

1 Accepted Solution

Accepted Solutions

mkorovesisduo
Level 4
Level 4

Hi zzzp. You can restrict which Authentication Methods are allowed using the Duo Policy engine.

View solution in original post

4 Replies 4

mkorovesisduo
Level 4
Level 4

Hi zzzp. You can restrict which Authentication Methods are allowed using the Duo Policy engine.

zzzp
Level 1
Level 1

Thanks for the reply.

How about when a user Forgets their password, and they go through the Duo steps to recover their account.

Is there a way to disable a user from “Forgetting Password” e.g. if a user looses their phone, or forgets their password to log into Duo, is there a way to stop the user using a Cell Phone as a method of 2FA for when recovering an account? I want to stop any chance of SIM Swap attacks happening and believe Duo allows a Cell Phone to be used when recovering an account/forgot password?

Thanks

If you are also concerned about Duo administrators using phones for 2FA (I think you are as only Duo administrators have the “Forgot Password” reset option), you can also restrict allowable factors for an administrator. See here: Managing Duo Administrators | Duo Security

Duo, not DUO.

mkorovesisduo
Level 4
Level 4

Using the Authentication Methods Policy restrictions mentioned above, you could prevent users from logging in with any method beyond hardware tokens or U2F tokens. This would de facto stop them from using 2FA methods that are commonly associated with a smartphone.

Quick Links