OM-BP-0018: Protect MFA integration secrets (Best Practice)
ID
OM-BP-0018
Status
Active
Best Practice
Protect MFA integration secrets.
Rationale
Bad Practices
Implementation Details
Quotes
Volexity’s investigation into this incident determined the attacker had accessed the Duo integration secret key (akey) from the OWA server. This key then allowed the attacker to derive a pre-computed value to be set in the duo-sid cookie. After successful password authentication, the server evaluated the duo-sid cookie and determined it to be valid. This allowed the attacker with knowledge of a user account and password to then completely bypass the MFA set on the account. It should be noted this is not a vulnerability with the MFA provider and underscores the need to ensure that all secrets associated with key integrations, such as those with an MFA provider, should be changed following a breach. Further, it is important that not only are passwords changed after a breach, but that passwords are not set to something similar to the previous password (e.g., Summer2020! versus Spring2020! or SillyGoo$e3 versus SillyGoo$e2).
(https://open-measure.atlassian.net/wiki/pages/createpage.action?spaceKey=BIB&title=Cash%20et%20al.%2C%202020%20%28Duplicate%29)
Bibliography
https://open-measure.atlassian.net/wiki/pages/createpage.action?spaceKey=BIB&title=Cash%20et%20al.%2C%202020%20%28Duplicate%29
Related Best Practices
N/A
Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.
This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.
