惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
Simon Willison's Weblog
Simon Willison's Weblog
H
Help Net Security
F
Fortinet All Blogs
H
Heimdal Security Blog
S
Schneier on Security
L
LangChain Blog
博客园 - Franky
酷 壳 – CoolShell
酷 壳 – CoolShell
NISL@THU
NISL@THU
P
Palo Alto Networks Blog
J
Java Code Geeks
博客园 - 【当耐特】
The Last Watchdog
The Last Watchdog
W
WeLiveSecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Vulnerabilities – Threatpost
I
InfoQ
Recorded Future
Recorded Future
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
C
CERT Recently Published Vulnerability Notes
T
Tenable Blog
腾讯CDC
C
Check Point Blog
量子位
M
MIT News - Artificial intelligence
GbyAI
GbyAI
罗磊的独立博客
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
B
Blog
小众软件
小众软件
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
CXSECURITY Database RSS Feed - CXSecurity.com
Stack Overflow Blog
Stack Overflow Blog
P
Proofpoint News Feed
P
Privacy & Cybersecurity Law Blog
V2EX - 技术
V2EX - 技术
T
Threatpost
Engineering at Meta
Engineering at Meta
Attack and Defense Labs
Attack and Defense Labs
T
Tailwind CSS Blog
S
Securelist
The Cloudflare Blog
博客园 - 叶小钗
L
LINUX DO - 最新话题
T
Troy Hunt's Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
爱范儿
爱范儿

The Duo Blog

Active Directory security: how to stop modern threats | Cisco Duo Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer Cisco Secures 125K user identities with Duo while advancing passwordless journey NIST AAL2/3 compliance with Duo Mobile Proximity Verification From protocol to practice: Secure the AI agent ecosystem with Duo How to secure the holidays & prep your 2026 IAM strategy Simplify MSP technician authentication with Duo Delegated Access Standing out in a crowded MSP market Securing for third-party risk with Duo for identity management OAuth 2.0's next chapter: Enabling the AI security revolution The dawn of a simpler, helpful policy experience
Thwarting adversary-in-the-middle attacks with Proximity Verification
brelau@cisco.com (Brendan Lau) · 2025-11-20 · via The Duo Blog

Product & Engineering

Headshot of Brendan Lau, Mobile Engineer

Brendan Lau

5 minute read

Approximately 4 years ago we introduced Verified Duo Push—an evolution of Duo Push. Verified Duo Push improves security by requiring users to input a numeric code displayed in the Duo Prompt when approving the Duo Push request.

Requiring a numeric code at authentication time prevents 2 types of push phishing:

  1. Push Harassment — An attacker sending multiple successive push notifications to bother a user into approving a push for a fraudulent login attempt

  2. Push Fatigue — Constant multi-factor authentication means users pay less attention to the details of each login, causing a user to mindlessly accept a push login

Verified Duo Push, while more secure than Duo Push alone, is still susceptible to certain attacks.

Let’s examine a real-world Verified Duo Push attack vector:

Case study: Verified Duo Push attack (email phishing + proxied phishing site)

This Verifier Impersonation attack involves a convincing phishing email and a reverse-proxied phishing site:

The Attacker sends the User a phishing email posing as IT support. The User clicks a malicious link and is taken to a proxied login page. The user, thinking the malicious login prompt is the real login prompt, enters their primary credentials. The attacker, in turn, receives those credentials and enters them into the legitimate login page, which proceeds to send a Verified Duo Push to the user’s phone. When the Duo Prompt requests the Verified Push code be entered into Duo Mobile, the Attacker's proxy relays the code back from the real site to the fake site, tricking the User into entering it and granting full access.

Step-by-step breakdown of the attack

  1. Attacker sends a phishing email posing as IT support

  2. User clicks the malicious link and visits a proxied login page

  3. User enters their first factor credentials into the proxy

  4. Attacker forwards the credentials to the legitimate login page and begins authentication

  5. Attacker (via their legitimate Duo Prompt) sends a push to the User's phone requesting VP code

  6. Attacker's legitimate Duo Prompt displays VP code, which is forwarded to and displayed on the attacker's proxy site

  7. User enters the Attacker's VP code into their Duo Mobile, granting the attacker full access to their account

At Duo, we constantly are innovating and adapting to the ever-changing threat landscape. Next let's take a look at the steps we've taken to make Push-based authentication even more secure.

Duo Proximity Verification

We recently released Duo Proximity Verification to Duo Essentials and above, at no additional cost! Proximity Verification helps prevent verifier impersonation attacks and active phishing campaigns.

This new authentication method requires Duo Mobile to perform a BLE communication handshake with the laptop or desktop that the end user is authenticating from in order to successfully approve the login request. The computer must be running a companion application, Duo Desktop, that communicates both with Duo Mobile and with the Duo Prompt.

Proximity Verification stops such attacks with a two-pronged approach:

  1. Origin (Verifier Name) Binding — Duo Desktop must be able to verify that the request for authentication came from a legitimate instance of the Duo Prompt

  2. BLE Proximity Verification — Duo Desktop (via Bluetooth Low Energy) must be able to verify that the Duo Mobile application associated with the user who initiated the authentication request is within physical proximity

These requirements stop verifier impersonation attacks and offer security comparable to FIDO2/WebAuthn without requiring expensive and difficult-to-provision hardware.

Let's take an in-depth look at how Duo Proximity Verification blocks the earlier attack.

Duo Proximity Verification thwarts verified push attack (email phishing + verified impersonation)

Let's first examine a common attack scenario where the Attacker attempts to leverage the user's Duo Desktop for proximity verification:

Since it’s the User’s Duo Desktop that needs to be within physical proximity of the User’s Duo Mobile, the Attacker allows their proxied site to communicate over localhost with the User’s Duo Desktop.

Step-by-step breakdown

  1. Attacker sends a phishing email

  2. User clicks the link and visits a proxied login page

  3. User enters credentials

  4. Attacker forwards the credentials to a legitimate login

  5. Attacker sends a push to the end user

  6. Fake Duo Prompt attempts to communicate with Duo Desktop over localhost

  7. Origin check fails

  8. Attack is thwarted

Here, Origin Binding is the mechanism that saves the day. Even with the Attacker’s approach of communicating with Duo Desktop (located on the User’s machine), the origin validation request will always fail, as the request originated from evil-acmecorp.com.

Now, let's consider a more sophisticated attack where the attacker attempts to bypass the origin check by installing Duo Desktop on their own machine:

When Duo Proximity Verification is required

  • No Verified Push code is shown in the login flow. Instead, an encrypted single-use payload not visible to the user is exchanged between Duo Mobile and Duo desktop using BLE.

  • Duo Desktop verifies the origin of the authentication request ensuring that it came from a legitimate Duo Prompt.

  • BLE communication is used to prove that the user approving the Duo Push request in Duo Mobile is in close proximity to the computer they are logging in from.

  • The attacker cannot satisfy these conditions, so the attack fails.

Step-by-step breakdown

  1. Attacker sends a phishing email

  2. User clicks the link and visits a proxied login page

  3. User enters their credentials

  4. Attacker forwards the credentials to a legitimate login

  5. Attacker sends a push to the end user

  6. Duo Prompt (on the Attacker's machine) pings Duo desktop (also on the Attacker's machine) over localhost to provide encrypted payload

  7. Duo Prompt validates the origin of the request from Duo Prompt. All is well!

  8. Duo Desktop attempts BLE communication with Duo Mobile, but since Duo Mobile isn't in proximity, this check fails

  9. Attack is thwarted!

Duo’s Proximity Verification provides a new layer of security beyond what Verified Push offers, neutralizing sophisticated verifier impersonation attacks without requiring additional hardware.

Where to learn more about Proximity Verification

If you’d like to explore Proximity Verification in more detail, check out the documentation, a demonstration, or start testing in your environment today!

If you aren’t a Duo customer but are interested in trying out this feature, you can start a trial of Duo.