Re: Is it smart to use duo push on the same phone lastpass is installed (Or any password manager?)

tlamming · ‎06-16-2020

I set up duo push with my lastpass account recently and when I went to log in to access it on the phone, after entering the password, I recieved the push to the same phone. Of course, this is secure when typing the password into lastpass on another machine, but it gave me pause because if someone had grabbed my phone and knew the password, the 2nd factor (duo push) effectively would be useless, right?

What is the recommendation for mobile phones in this regard? I have a yubikey also, but unless you use duo its basically no choice on which way you want your 2nd factor to authenticate. I would have to remove duo from my lastpass account, and only use yubikey. I like to have options

tlamming · ‎06-18-2020

Bump for any insight on best practices for phones.

Amy2 · ‎06-18-2020

Hi @tlamming, this is a great question. Thank you for sharing it in the Duo Community. I am checking on a few things with the Duo team, and hope to have an answer to you soon. Thanks for your patience.

colohost · ‎06-19-2020

This is a frustrating weakness in the platform. I put in a feature request related to this about a year ago; no progress yet. I asked that there be a way to set via policy that the authenticating device cannot be the same as where the app requesting authentication is. We have users who store passwords to apps in iCloud keychain, so they can log into such an app, and then Duo Push auth, from the same device. About the only thing you can do to try to counteract this issue is to set a policy for “Mobile Device Biometrics” where you require biometric verification. Then at least if someone has a phone’s PIN/pass, and it supports touch or face, Duo app will require that. Won’t help if the person who’s phone it is is passed out and has their finger pressed against it, but at least they have to be conscious for face recognition to work.

Obviously such a feature would have to be implemented in conjunction with a disabling of phone and sms-based auth, to ensure those don’t go to the same device, as Duo would not know whether or not it was the same.

Amy2 · ‎06-22-2020

Hi again, best practice and our recommendation is to use out-of-band (OOB) authentication, where authentication methods are conveyed through different channels. Ensure that any lost or stolen device is reported to your IT admin or helpdesk immediately, so they can invalidate it to prevent it from being used for authentication. Using strong, unique, secure passwords for your accounts also reduces the likelihood someone would be able to access your account. All of these steps help protect you from the case you describe, but that being said, there is greater security in separate devices. Also, certain compliance regulations require separate access devices and 2FA devices, if you are using Duo for work for example.

It’s especially important to practice good device security when performing in-band MFA. Safeguards such as screen locks and device biometrics can assist in mitigating someone gaining physical access to the MFA device. To @colohost’s point, requiring biometrics will significantly minimize risk as the device’s biometrics will be called upon during MFA, even if the screen is already unlocked

Read more on the Duo blog about how OOB authentication with Duo Push can protect against man-in-the-middle attacks.

tlamming · ‎06-22-2020

Thanks Amy,

My question is how to I use DUO which is out-of-band on workstations and other computers, but not out of band when it comes to the actual smartphone itself which also utilizes duo. I cant configure duo to recognize that its in-band and here we are. All of the other things are just mitigating the weakness of not being able to properly configure out of band, for instance, I would like duo to know that I’m requesting from my mobile device and prompt me to use my ubikey (out of band) instead of push notification (in band). Does that make sense?

BabbittJE · ‎06-22-2020

I understand your problem, tlamming. I have the same worry but my phone has facial recognizance and biometrics. Whenever I access LastPass on my phone, it always asks me for my biometrics, if yours doesn’t. But, yes, it doesn’t help if someone forces my finger on the phone.

Amy2 · ‎06-23-2020

That does make sense @tlamming. Thank you for explaining further. If you haven’t already, I encourage you to open an official feature request to have your name added to the list for this enhancement. You can do that with your Customer Success Manager (CSM) or Account Executive (AE) if you have one, or by contacting Duo Support.