Status: Scaffold — content in progress
Duo Security (acquired by Cisco in 2018) is a market-leading MFA and Zero Trust Network Access (ZTNA) platform. It is primarily an MFA overlay — it integrates with existing authentication systems (AD, VPN, SSH) rather than replacing them.
Integration Modes
| Mode | How It Works |
|---|---|
| Duo Authentication Proxy | On-prem agent that intercepts RADIUS/LDAP auth and adds 2FA step |
| Duo SSO | SAML IdP with Duo MFA built-in |
| Duo for Windows Logon | Windows login + 2FA via RDP or local logon |
| Duo Universal Prompt | Browser-based MFA flow embedded in app authentication |
Duo MFA Factors
| Factor | Phishing Resistance |
|---|---|
| Duo Push | No — push bombing target |
| Duo Push with number matching | Significantly harder |
| TOTP | No |
| SMS | No |
| Duo hardware token | No |
| Security key (FIDO2) | Yes |
| Biometric | Yes |
Attack Surface
| Attack | Description |
|---|---|
| Duo Push fatigue | Flood push notifications → user approves accidentally |
| Authentication Proxy compromise | On-prem proxy has credentials to Duo service + LDAP/AD |
| Admin panel takeover | Full Duo policy control |
| Bypass via legacy auth | If legacy auth protocols (basic auth, RADIUS without Duo) are still enabled |
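A detection sketch for the push fatigue row above, added here as an example (not Duo's own code or log schema): it flags an approved push that follows a burst of denied or unanswered pushes for the same user. The event tuple layout, the result values and the `window`/`threshold` defaults are assumptions; map them to the fields of whatever authentication log export you use.

```python
from collections import defaultdict, deque

# Constructed sample events (not real Duo log output): (epoch_seconds, user, result).
# Field layout and result values are assumptions for this example.
SAMPLE_EVENTS = [
    (1000, "alice", "approved"),   # normal single push
    (2000, "bob", "timeout"),
    (2020, "bob", "denied"),
    (2045, "bob", "timeout"),
    (2070, "bob", "denied"),
    (2090, "bob", "approved"),     # approval right after a burst of failures
    (3000, "carol", "denied"),
    (9000, "carol", "approved"),   # earlier denial is far outside the window
]


def find_push_fatigue(events, window=300, threshold=3):
    """Return (user, approved_at, prior_failures) for each approval preceded by
    at least `threshold` denied or unanswered pushes within `window` seconds."""
    recent = defaultdict(deque)    # user -> timestamps of recent failed pushes
    alerts = []
    for ts, user, result in sorted(events):
        failures = recent[user]
        # Drop failures that have aged out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if result in ("denied", "timeout"):
            failures.append(ts)
        elif result == "approved":
            if len(failures) >= threshold:
                alerts.append((user, ts, len(failures)))
            failures.clear()       # an approval ends the current burst
    return alerts


if __name__ == "__main__":
    for user, ts, n in find_push_fatigue(SAMPLE_EVENTS):
        print(f"ALERT user={user} approved_at={ts} prior_failed_pushes={n}")
```

An alert here is a lead for review, not proof of compromise: confirm with the user and check the source of the primary-credential logins that triggered the pushes.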
Cross-Links