Hostname whitelisting isn't enabled by default because it's difficult to know beforehand which hostname(s) many Duo prompt integrations will use. I've contacted Duo PSIRT about this and their full reply is quoted at the end of the blog post.

Without hostname whitelisting, Duo is similar to an OTP generator during a phishing attack. To prevent phishing, it is paramount that you enable hostname whitelisting. If an attacker can bypass the Duo prompt, the phishing attempt will succeed even if U2F is used; this boils down to bypassing the Duo integration.

Because Duo is a 3rd-party service, we don't get the same security properties between the victim and the application that U2F provides between the victim and the relying party.

TLDR: U2F prevents a MITM attack between the victim and the Duo server, but not between the victim and the application.
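To make the gap concrete, here is an added model (not code from the blog post or from Duo) of the two checks involved. The U2F relying-party check verifies that the browser-supplied `origin` in the client data matches the prompt's origin, which is all U2F itself guarantees; the separate hostname whitelist check is what ties the prompt to the embedding application. The origin, challenge and hostnames are constructed placeholders, and the whitelist semantics are a simplified assumption about how such an integration setting behaves.

```python
import json
from typing import Optional, Set

# Constructed placeholder values for this example (not taken from the post).
DUO_PROMPT_ORIGIN = "https://duo-prompt.example.test"
EXPECTED_CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"


def make_client_data(origin: str, challenge: str) -> bytes:
    """Build U2F-style clientData as the browser would for an authentication request."""
    return json.dumps(
        {"typ": "navigator.id.getAssertion", "challenge": challenge, "origin": origin}
    ).encode()


def verify_u2f_client_data(client_data_json: bytes, expected_origin: str, expected_challenge: str) -> bool:
    """Model of the origin/challenge check a U2F relying party performs.

    The browser fills in ``origin`` with the page that invoked the authenticator.
    When the relying party is the Duo prompt, that origin is Duo's, so this check
    says nothing about which application embedded the prompt.
    """
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False
    return (
        data.get("typ") == "navigator.id.getAssertion"
        and data.get("origin") == expected_origin
        and data.get("challenge") == expected_challenge
    )


def evaluate_prompt_request(
    client_data_json: bytes,
    embedding_hostname: str,
    allowed_hostnames: Optional[Set[str]],
) -> str:
    """Decide whether a prompt completion is accepted.

    ``allowed_hostnames`` is None when hostname whitelisting is not configured
    (the default described in the post); otherwise only listed hostnames pass.
    """
    # Step 1: the U2F check. This binds the assertion to the Duo prompt origin only.
    if not verify_u2f_client_data(client_data_json, DUO_PROMPT_ORIGIN, EXPECTED_CHALLENGE):
        return "denied: U2F origin or challenge mismatch"
    # Step 2: the integration check. Without a whitelist any embedding host is accepted,
    # which is why the post compares Duo in this mode to an OTP generator.
    if allowed_hostnames is None:
        return "allowed: no hostname whitelist configured"
    if embedding_hostname not in allowed_hostnames:
        return "denied: embedding hostname not whitelisted"
    return "allowed: embedding hostname whitelisted"


if __name__ == "__main__":
    good = make_client_data(DUO_PROMPT_ORIGIN, EXPECTED_CHALLENGE)
    whitelist = {"app.example.test"}
    print(evaluate_prompt_request(good, "unknown-host.example.test", None))
    print(evaluate_prompt_request(good, "unknown-host.example.test", whitelist))
    print(evaluate_prompt_request(good, "app.example.test", whitelist))
```

Running the block shows the same valid U2F assertion being accepted from an unknown embedding host when no whitelist is configured and rejected once one is; only a wrong `origin` in the client data is caught by the U2F check itself.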