====== 🔐 Duo Fraudulent Authentication Requests (Push Fatigue Protection) ======

**Purpose:** To explain what a fraudulent Duo authentication request is, how push fatigue attacks work, and the best-practice behaviour expected of every user of Duo MFA.

===== 📌 Platform =====

  * MFA Provider: [[https://duo.com|Duo Security]]
  * Authentication Method: Push Notification (Duo Mobile App)

----

===== 🚨 What Is a Fraudulent Duo Request? =====

A fraudulent authentication request is a Duo push notification that arrives when the user **is not actively attempting to log in**. Duo only sends a push after a correct username and password have been entered, so an unexpected push usually means:

  * The attacker already has the user's username and password (for example from phishing, password reuse or a credential leak).
  * They are now trying to get past the second factor.
  * They are counting on the user approving the push for them.

This technique is commonly known as a **Push Fatigue Attack** (also called MFA fatigue or MFA bombing). The attacker repeatedly triggers logins, sending push after push, hoping the user will eventually press **Approve** out of confusion, habit or frustration, or simply to make the notifications stop.

----

===== 🛑 Best Practice – Correct User Behaviour =====

==== ✅ 1. Open Duo BEFORE Logging In ====

Users should:

  - Open the **Duo Mobile** app on their device.
  - Then start the system login.
  - Approve the push immediately, while actively watching for it in the app.

Opening the Duo app before logging in ensures that:

  * The push is expected.
  * The approval is intentional.
  * No delayed or mistaken approvals occur.

Check the details shown on the push before approving: the application name, location and time should match the login you have just started.

----

==== ✅ 2. Only Approve When Actively Logging In ====

If you are not logging in to a system right now:

**DO NOT APPROVE THE REQUEST**

Unexpected push notification = 🚩 Security incident.

----

==== ❌ 3. Never “Wait for the Prompt” ====

Do NOT:

  * Click login and then wait passively for a push to turn up.
  * Approve a push that appears unexpectedly.
  * Approve repeated push notifications.
  * Assume “it's probably fine.”

Multiple pushes in a short time = high likelihood of attack. A legitimate login produces one push per attempt; a run of pushes you did not trigger means someone else is entering your password.
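----

===== For IT: Spotting the Pattern in Duo Logs =====

For IT and security staff rather than end users: the script below is an added example, not part of the original page and not Duo's own tooling. It turns the rule above ("multiple pushes in a short time = attack") into detection logic and runs it over a handful of constructed authentication-log records. The field names (timestamp, user.name, factor, result, reason) are modelled on Duo's Admin API authentication logs, the 300-second window and three-push threshold are assumed starting points to tune per environment, and it also picks up the fraud report a user produces when they deny a push as described in the next section.

```python
"""Flag push-fatigue patterns in Duo-style authentication log records.

Added example for this page; it is not Duo's code or part of the original
page. The record layout (timestamp, user.name, factor, result, reason) is
modelled on the fields Duo's Admin API exposes for authentication logs, but
every record below is constructed for illustration, and the window and
threshold values are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: alice receives four pushes she did not trigger and
# finally approves; bob denies one push and marks it as fraud; carol logs in
# normally; dave has three denials hours apart (not a burst).
SAMPLE_EVENTS = [
    {"timestamp": 1700000000, "user": {"name": "alice"}, "factor": "duo_push", "result": "denied", "reason": "no_response"},
    {"timestamp": 1700000060, "user": {"name": "alice"}, "factor": "duo_push", "result": "denied", "reason": "user_mistake"},
    {"timestamp": 1700000120, "user": {"name": "alice"}, "factor": "duo_push", "result": "denied", "reason": "no_response"},
    {"timestamp": 1700000180, "user": {"name": "alice"}, "factor": "duo_push", "result": "denied", "reason": "no_response"},
    {"timestamp": 1700000240, "user": {"name": "alice"}, "factor": "duo_push", "result": "success", "reason": "user_approved"},
    {"timestamp": 1700000400, "user": {"name": "bob"}, "factor": "duo_push", "result": "denied", "reason": "user_mistake"},
    {"timestamp": 1700000430, "user": {"name": "bob"}, "factor": "duo_push", "result": "fraud", "reason": "user_marked_fraud"},
    {"timestamp": 1700000500, "user": {"name": "carol"}, "factor": "duo_push", "result": "success", "reason": "user_approved"},
    {"timestamp": 1700000560, "user": {"name": "carol"}, "factor": "passcode", "result": "denied", "reason": "invalid_passcode"},
    {"timestamp": 1700003600, "user": {"name": "dave"}, "factor": "duo_push", "result": "denied", "reason": "no_response"},
    {"timestamp": 1700007200, "user": {"name": "dave"}, "factor": "duo_push", "result": "denied", "reason": "no_response"},
    {"timestamp": 1700010800, "user": {"name": "dave"}, "factor": "duo_push", "result": "denied", "reason": "no_response"},
]


def _iso(ts):
    """Render a Unix timestamp as an ISO 8601 UTC string for the alert."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def detect_push_fatigue(events, window_seconds=300, unanswered_threshold=3):
    """Return alert dicts (user, indicator, count, first_seen), sorted by user.

    Indicators:
      * fraud_reported: the user pressed Deny and marked the push as
        fraudulent (result "fraud"); an incident regardless of volume.
      * push_burst / approved_after_burst: at least `unanswered_threshold`
        pushes were not approved (denied, timed out or failed) within
        `window_seconds`; if a successful push lands after the last one of
        the run but still inside the window, the user was probably worn
        down into approving, which is the approved_after_burst case.
    Only duo_push events are considered; other factors are ignored.
    """
    by_user = defaultdict(list)
    for e in events:
        if e.get("factor") == "duo_push":
            by_user[e["user"]["name"]].append(e)

    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["timestamp"])
        fraud = [e for e in evs if e["result"] == "fraud"]
        if fraud:
            alerts.append({"user": user, "indicator": "fraud_reported",
                           "count": len(fraud), "first_seen": _iso(fraud[0]["timestamp"])})

        # Any result other than success is a push the user did not approve.
        unanswered = [e["timestamp"] for e in evs if e["result"] != "success"]
        successes = [e["timestamp"] for e in evs if e["result"] == "success"]
        j = 0
        for i, start in enumerate(unanswered):
            # Move j to the first unanswered push outside this window; it only
            # moves forward because each successive window starts later.
            while j < len(unanswered) and unanswered[j] <= start + window_seconds:
                j += 1
            if j - i >= unanswered_threshold:
                last_in_burst = unanswered[j - 1]
                approved = any(last_in_burst < s <= start + window_seconds for s in successes)
                alerts.append({"user": user,
                               "indicator": "approved_after_burst" if approved else "push_burst",
                               "count": j - i, "first_seen": _iso(start)})
                break  # one burst alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

On the sample data this raises two alerts: alice (four unanswered pushes followed by an approval inside the window, the case that needs an immediate password reset and session review) and bob (a fraud report). dave's three denials hours apart do not trigger anything at the default window, which is the intended behaviour: the signal is pushes clustered in time, not denials in general.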
----

===== 🚑 If a Fraudulent Request Is Received =====

Users must:

  - Press **Deny**. When Duo Mobile asks why, choose the option that marks the push as fraudulent rather than as a mistake, so the attempt is flagged to IT in the Duo logs.
  - Report it to IT immediately, even if you have already denied it.
  - Change your password when IT instructs you to. An unexpected push normally means the attacker already has the current one.

Treat every unexpected Duo push as a potential account compromise: the first factor has most likely already been defeated.

----

===== 🔎 Why This Is Critical =====

MFA only protects the organisation if:

  * Approvals are intentional.
  * Users remain alert.
  * Push notifications are treated as security events.

One accidental approval is enough: the attacker already holds the password, so a single **Approve** gives them a fully authenticated session. User vigilance is the last line of defence, not the only one. Duo's Verified Duo Push, which requires the user to type a code shown on the login screen into Duo Mobile, removes the option of blindly tapping Approve and should be enabled where the organisation's Duo policy allows it.

----

===== 📒 End-User Awareness Message (Short Version) =====

If you are not logging in and receive a Duo push:

  * Press **Deny**
  * Report it immediately
  * Do NOT approve it

Always open the Duo app before logging in.

----

===== 📊 Risk Level =====

^ Threat Type ^ Impact ^ Likelihood ^ Risk Level ^
| Push Fatigue / MFA Bypass | High | High (increasing globally) | 🔴 High |

----

===== 📅 Review Cycle =====

  * Review annually
  * Review after any reported MFA incident

===== Quick Links =====

  * Support Email: [[mailto:help@mmc24.com|help@mmc24.com]]
  * Self-Serve Tickets: [[https://help.mmc24.com|help.mmc24.com]]

Author: Mike

Last Updated: %%DATE%%