MFA push phishing

I understand we can use Duo’s Allowed Hostnames feature to mitigate push phishing but is it possible to set a maximum number of push notification attempts in a certain time frame?


Hi @Lharris, this is such a great question! Push phishing is becoming more of an issue these days, so it’s good to be vigilant and take whatever steps you can to minimize the risk to your users.

In the global settings for Lockout and Fraud, you can enable Anomaly Detection to prevent Duo Mobile from receiving multiple push requests per user within a short period of time. Check the box next to Block anomalous Duo Push attempts to activate this option. Users will need to wait one minute before requesting another Duo Push. You can also adjust the number of consecutive failed authentication attempts allowed before the user’s account is locked out to prevent brute force attacks.

Finally, there’s a really helpful blog article about how Duo Trust Monitor can be used to detect push phishing. The TLDR version is that Duo Trust Monitor (which is our machine-learning enabled risk detection tool) highlights anomalous access attempts. It does so by ingesting Duo authentication information and using it to develop baselines of workforce activity - who typically accesses what from where.

I hope that helps! We also have a great guide to push phishing defense and best practices here that you should check out.

Thank you so much for this information. I have enabled Block anomalous Duo Push attempts and plan to look into the other options. I also lowered the number of consecutive failed authentication attempts.



1 Like