Duo + PCI 3.2 = I Believe not! :(


#1

Guys, I have a problem implementing the Duo. I’m going through a PCI 3.2 certification process, where the MFA process has changed.

According to PCI 3.2 the MFA should now respect some points such as:

  • The authentication mechanisms used for MFA should be independent of one another such that access to a factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.

  • PCI DSS requires that all factors in multi-factor authentication be verified prior to the authentication. (Which is not happening in my case, first it opens the logon screen, however, when the user misses the password, Windows returns the screen again asking for the correct password, thus allowing a try and error case)

Moreover, no prior knowledge of the success or failure of any
factor should be provided to the individual until all factors have been presented. (Again my problem repeats itself.)

Could anyone tell me if there is a way to configure the DUO for this type of operation?

From what I read, the tool is fully compliant with PCI DSS 3.2, but I have not seen this in practice.

I count on your cooperation.

Big Hugs,


#2

Hi Gustavo,
Have you watched this webinar Webinar: MFA Requirements for PCI Compliance | Duo Security?

It covers the following topics:

  • Details on the most common PCI-focused deployment scenarios, and considerations when planning yours
  • Expert advice and best practices on meeting the multi-factor authentication requirements of PCI 3.2
  • Tips on how to meet PCI requirements for admins, including log retention, account lockout options, and more

Please review and let us know if you still have additional questions.