Researchers trick Duo 2FA into sending authentication request to attacker-controlled device

April 16, 2021

Using a clever yet non-threatening hack, penetration testers were able to get around Duo Security’s two-factor authentication (2FA) controls during a client engagement.

The trick only worked with two accounts on the same Duo deployment, but the researchers were able to redirect a victim’s 2FA push notifications to an attacker-controlled device, which allowed them to authorize access to the victim account.
