DUO Push Notifications Phishing Exercise

micah4 · ‎10-30-2018

Can anyone provide any guidance regarding the ability to perform 2FA Push notification Phishing Exercises to train users on approving random Push notification requests? Can this kind of exercise be achieved via an API or within the DUO admin console directly? Does anyone perform this or similar efforts to improve their security posture and what metrics can be pulled to show testing trends?

bullerjonathan · ‎10-31-2018

I know that you can send a Push to a user’s mobile device from the user page at the top right, by clicking “Send Duo Push”, although this will display on their device as a “Support request.” You will have to wait on that page to see if the individual user accepts or denies. There is a API endpoint for sending support pushes, I assume you could develop a script to do this en masse.

les.brewer · ‎08-10-2020

Is there at least any training material for this. We’ve had a user fall victim to getting their password compromised, then they approved the requests

Dooley · ‎08-11-2020

Hi Les, thanks for this feedback and sorry to hear about your user. What kind of training material are you looking for?

Just so you’re aware, our end-user guide includes the step “If you get a login request that you weren’t expecting, press Deny to reject the request. You’ll be given the ability to report it as fraudulent, or you can tap It was a mistake to deny the request without reporting it” at both https://guide.duo.com/iphone and https://guide.duo.com/android

We also have this very short video that demonstrates accepting and rejecting pushes in different scenarios: https://www.youtube.com/watch?v=rv12VryxlcE