Guys, I have a problem implementing Duo. I'm going through a PCI 3.2 certification process, where the MFA process has changed.
According to PCI 3.2 the MFA should now respect some points such as:
The authentication mechanisms used for MFA should be independent of one another such that access to a factor does not grant access to any other factor, and the compromise of any one factor does not affect the integrity or confidentiality of any other factor.
PCI DSS requires that all factors in multi-factor authentication be verified prior to the authentication. (This is not happening in my case: first it opens the logon screen, but when the user gets the password wrong, Windows returns the screen again asking for the correct password, thus allowing a trial-and-error case.)
Moreover, no prior knowledge of the success or failure of any factor should be provided to the individual until all factors have been presented. (Again, my problem repeats itself.)
Could anyone tell me if there is a way to configure Duo for this type of operation?
From what I read, the tool is fully compliant with PCI DSS 3.2, but I have not seen this in practice.
I count on your cooperation.
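To make the requirement in the post concrete, here is an added Python example (not Duo's code and not the poster's configuration) that contrasts the behaviour described above with one that meets the "no prior knowledge of the success or failure of any factor" rule. The usernames, password, salt and TOTP seed are constructed for the demo; the password hashing (PBKDF2) and the RFC 4226/6238 HOTP/TOTP routines are standard but are stand-ins for whatever the real directory and push/OTP service use. `login_leaky` checks the password first and tells the caller which factor failed, which is exactly what the Windows logon loop does; `login_strict` refuses to evaluate anything until every factor has been presented, evaluates all of them, and returns one generic verdict.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample credentials for the demo (not real secrets).
_SALT = b"constructed-demo-salt"
_TOTP_SECRET = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed demo seed


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 as a stand-in for whatever the real directory stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _hash_password("correct horse", _SALT),
        "totp": _TOTP_SECRET,
    },
}
# Decoy record so an unknown username costs the same work as a real one
# (no timing hint about whether the account exists).
_DECOY = {"salt": _SALT, "pw_hash": _hash_password("decoy", _SALT), "totp": b"\x00" * 10}


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the counter."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing `at`."""
    return hotp(key, int(at // step))


def _password_ok(user: dict, password: str) -> bool:
    return hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"]))


def _totp_ok(user: dict, code: str, at: int) -> bool:
    # Accept the current step and one step either side to tolerate clock drift.
    return any(hmac.compare_digest(totp(user["totp"], at + d), code) for d in (-30, 0, 30))


def login_leaky(username: str, password: str, code: str, at: int) -> str:
    """Sequential check: the caller learns which factor failed (the behaviour in the post)."""
    user = USERS.get(username)
    if user is None:
        return "unknown user"
    if not _password_ok(user, password):
        return "wrong password"  # password verdict disclosed before the second factor is even looked at
    if not _totp_ok(user, code, at):
        return "wrong code"
    return "ok"


def login_strict(username: str, password: str, code: str, at: int) -> str:
    """All factors collected up front, all evaluated, one generic verdict."""
    if not (username and password and code):
        return "authentication failed"  # do not evaluate anything until every factor is present
    user = USERS.get(username, _DECOY)
    # Bitwise & instead of `and`: every factor is evaluated, no short-circuit
    # and therefore no factor-specific error message or timing difference.
    ok = (username in USERS) & _password_ok(user, password) & _totp_ok(user, code, at)
    return "ok" if ok else "authentication failed"


if __name__ == "__main__":
    now = 1_700_000_000
    good = totp(_TOTP_SECRET, now)
    print("leaky :", login_leaky("alice", "wrong", good, now))
    print("strict:", login_strict("alice", "wrong", good, now))
    print("strict:", login_strict("alice", "correct horse", good, now))
```

The point of the `&` in `login_strict` is not style: with `and`, a wrong password would skip the TOTP check entirely, and the measurable time difference would itself be "prior knowledge" of the first factor's result. The same idea applies to the logon flow in the post: the prompt has to collect both the password and the Duo factor before the first verdict is returned.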