When I action a DUO PUSH from one of many similar VMs (all behind the same firewall) that reside together, how do I know from which server the push originated? I ask because my APP (Android) often seems to prompt multiple times, and I am concerned that I may be authorising logins to other VMs, i.e. being hacked. Is that possible, or is it just the APP, or is there a possible attack vector…
Hi @Simon_Henson, welcome to the Duo Community! I’d start with trying to address the issue of receiving multiple Duo Push authentication requests during login first. This is a common issue with many potential solutions, depending on which application you are protecting with Duo.
For example, we have the following help articles on this subject:
- Why do I receive multiple Duo Push notifications when logging in to Palo Alto PAN-OS?
- Why do I receive multiple Duo Push notifications when logging in to NetMotion Mobility XE?
- Why do some users receive multiple pushes when logging into OWA, AD FS, or RDWeb Duo-protected applications?
What application(s) are you currently protecting with Duo today?
When determining whether a Duo Push is fraudulent or not, you want to look at the name of the application you are logging into, the timestamp of the authentication attempt, and the location as well. If any of these seem off, you can report the push.
If these VMs appear as separate accounts in your account list in Duo Mobile, you could rename the accounts to help you better identify them. I hope that helps!