Device Security Beyond Enrollment: Securing the Self-Service Portal
Duo’s Self-Service Portal (SSP), which lets users manage their own authentication devices, saves time for both Duo users and admins. However, it can also be a target for cyberattacks. Often the first step for an attacker with stolen credentials is to try to fraudulently register an MFA device, giving persistent access to the user’s account.
In a recent blog, we discussed best practices for user enrollment, including how to prevent malicious device registration when users self-enroll. In this blog we’ll share best practices for Duo admins to continue reap the benefits of self-service after enrollment while keeping their user accounts secure.
Why use the Self-Service Portal?
The SSP allows existing Duo users to add, edit and remove authentication devices. Users can access it from the Universal Prompt during login or from Duo Central when enabled. Self-service allows users to do tasks like activating Duo Mobile on a new phone without having to contact the helpdesk. This saves time for users and IT staff.
In addition to being convenient, using the SSP can help boost an organization’s security posture. Users can easily register more secure authentication methods, such as WebAuthn devices, that were not added during initial enrollment. Users can also resolve problems with authentication devices on their own, making it less likely that they’ll default to using less secure phone-based methods such as SMS to authenticate.
What’s the risk?
Self-service device management presents a similar risk to new user self-enrollment: a bad actor with stolen user credentials can attempt to access the SSP and register their own device. Once they do so, they gain persistent access to the account.
Unlike new user enrollment workflows, the SSP is protected by MFA. However, actors may try to circumvent MFA using techniques such as passcode phishing or MFA fatigue attacks. If one of these techniques succeeds against the SSP, the actor's newly registered device lets them circumvent MFA protections for future logins to other applications.
How to protect the SSP
Protecting the SSP follows the same principles as any other resource. However, secure posture exists on a spectrum and often has tradeoffs with end-user friction. A critical resource like the SSP should lean toward the secure end of that spectrum. Fortunately, users should need to access the SSP infrequently, so lockdown access controls won’t be too much of a burden.
Duo by default overrides configuration settings that allow users to bypass MFA, such as remembered device and authorized network policies and user bypass status, for SSP access. We further recommend setting custom policies for the SSP to ensure a strong posture. Specifically:
Restrict authentication methods to the most secure one accessible by your users, such as Verified Push or WebAuthn-based methods
Deny access from anonymous networks and from countries not typically frequented by users
Disallow the use of tampered devices
Consider adopting security-enhancing features such as Trusted Endpoints and Risk-Based Authentication
In addition to these application policy settings, admins can elect global settings to guard against device registration attacks.
Attackers may target inactive accounts for takeover; to prevent this, elect to delete inactive users after a period of time
Turn on user notifications so that users can report suspicious device registration activity
Monitor suspicious device registrations using Duo Trust Monitor
With some or all of these safeguards in place, the SSP can be an effective way for users to manage their devices.