SIM Swap Attack


#1

Hi there

Just wondering, how does Duo protect against SIM swap attacks?

EG

  • A hacker does a SIM swap on a user's cell phone.
  • They find the user's password by an email phishing attack.
  • The user can then authenticate via Duo.

Is there a way to disable text message as the second form of 2FA?

Thanks


#2

Hi zzzp. You can restrict which Authentication Methods are allowed using the Duo Policy engine.


#3

Thanks for the reply.

How about when a user Forgets their password, and they go through the Duo steps to recover their account.

Is there a way to disable a user from “Forgetting Password”, e.g. if a user loses their phone, or forgets their password to log into Duo, is there a way to stop the user using a cell phone as a method of 2FA when recovering an account? I want to stop any chance of SIM swap attacks happening, and believe Duo allows a cell phone to be used when recovering an account/forgot password?

Thanks


#4

Using the Authentication Methods Policy restrictions mentioned above, you could prevent users from logging in with any method beyond hardware tokens or U2F tokens. This would de facto stop them from using 2FA methods that are commonly associated with a smartphone.


#5

If you are also concerned about Duo administrators using phones for 2FA (I think you are, as only Duo administrators have the “Forgot Password” reset option), you can also restrict allowable factors for an administrator. See here: Managing Duo Administrators | Duo Security
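The reasoning in the two replies above (restrict the allowed authentication methods, and apply a stricter set to administrators than to users) can be made concrete with a small model. The following is an added example, not Duo's policy engine and not code from Duo or from anyone in this thread: the factor names, the MethodPolicy class, the role table and the attacker scenarios are all assumptions chosen to illustrate why SMS and phone-call factors are the ones a SIM swap defeats, and why a hardware-only policy also covers the stolen-phone case.

```python
"""
Illustrative model of an authentication-method allowlist, added as an
example. It is NOT Duo's policy engine; factor names, policies, roles and
attacker scenarios below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet


class Factor(str, Enum):
    SMS_PASSCODE = "sms_passcode"          # one-time code sent by text message
    PHONE_CALLBACK = "phone_callback"      # voice call to the registered number
    PUSH = "push"                          # approval in an authenticator app
    MOBILE_PASSCODE = "mobile_passcode"    # OTP generated by the app
    HARDWARE_TOKEN = "hardware_token"      # OTP token, not tied to a phone
    SECURITY_KEY = "security_key"          # U2F/WebAuthn key, origin-bound


# Factors delivered over the mobile network follow the phone NUMBER, so a
# successful SIM swap (the number ported to the attacker's SIM) completes them.
TELEPHONY_FACTORS = frozenset({Factor.SMS_PASSCODE, Factor.PHONE_CALLBACK})
# App-based factors follow the DEVICE: unaffected by a SIM swap, but not by a
# stolen or compromised handset.
SMARTPHONE_FACTORS = frozenset({Factor.PUSH, Factor.MOBILE_PASSCODE})
HARDWARE_FACTORS = frozenset({Factor.HARDWARE_TOKEN, Factor.SECURITY_KEY})

# Second factors an attacker can complete after each compromise. Every
# scenario already assumes the phished password from the original question.
ATTACKER_CAPABILITIES = {
    "sim_swap": TELEPHONY_FACTORS,
    "stolen_unlocked_phone": TELEPHONY_FACTORS | SMARTPHONE_FACTORS,
    "password_only": frozenset(),
}


@dataclass(frozen=True)
class MethodPolicy:
    name: str
    allowed: FrozenSet[Factor]

    def permits(self, factor: Factor) -> bool:
        return factor in self.allowed

    def sim_swap_resistant(self) -> bool:
        """True if no allowed factor can be completed with the number alone."""
        return not (self.allowed & TELEPHONY_FACTORS)

    def phone_independent(self) -> bool:
        """True if the user never needs a phone at all (hardware/U2F only)."""
        return not (self.allowed & (TELEPHONY_FACTORS | SMARTPHONE_FACTORS))


def attacker_can_authenticate(policy: MethodPolicy, scenario: str) -> bool:
    """Does any factor the policy allows lie within the attacker's reach?"""
    return bool(policy.allowed & ATTACKER_CAPABILITIES[scenario])


def weakest_allowed_factors(policy: MethodPolicy) -> FrozenSet[Factor]:
    """Factors to remove first when the goal is stopping SIM-swap bypass."""
    return policy.allowed & TELEPHONY_FACTORS


# The three configurations the thread discusses (assumed names).
PERMISSIVE = MethodPolicy("all methods", frozenset(Factor))
NO_TELEPHONY = MethodPolicy("no SMS/call", frozenset(Factor) - TELEPHONY_FACTORS)
HARDWARE_ONLY = MethodPolicy("hardware/U2F only", HARDWARE_FACTORS)

# A stricter allowlist for administrators than for ordinary users is simply a
# second policy selected by role (assumed role names).
ROLE_POLICIES = {"user": NO_TELEPHONY, "admin": HARDWARE_ONLY}


def authorize(role: str, factor: Factor) -> bool:
    """Decision for one second-factor attempt. In this model the password-reset
    flow is subject to the same allowlist as an ordinary login."""
    return ROLE_POLICIES[role].permits(factor)


if __name__ == "__main__":
    for policy in (PERMISSIVE, NO_TELEPHONY, HARDWARE_ONLY):
        for scenario in ATTACKER_CAPABILITIES:
            result = "BYPASSED" if attacker_can_authenticate(policy, scenario) else "blocked"
            print(f"{policy.name:18} vs {scenario:22}: {result}")
```

Running the block prints the matrix: the permissive policy is bypassed by a SIM swap alone, the no-telephony policy blocks the SIM swap but still falls to a stolen unlocked phone, and only the hardware/U2F policy blocks both. That is the distinction between "SIM-swap resistant" and "phone independent" that the replies above rely on, and it is why the administrator role, which can trigger password resets, is the one to hold to the stricter set.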