Defeating MFA from its admin plane: Duo Admin API abuse
A stolen Duo Admin API key mints a bypass code, enrolls an attacker device, and weakens a policy. MFA is defeated administratively without ever touching the user. Revoking the key is only step one.
MFA is the control you trust to stop stolen passwords, and Duo’s Admin API can reach into MFA itself. A stolen Admin API key lets an attacker quietly undermine the second factor from its own admin plane, without ever touching the user.
How the attack works
The Admin API key authenticates from a host that has never used it and reads users and devices. It generates a bypass code for a privileged user’s account, allowing login without a real second factor, then enrolls an attacker-controlled phone as a new factor so future push prompts are the attacker’s to approve. Finally it edits an authentication policy so the account can skip MFA for a target application. In ATT&CK terms this is T1556, Modify Authentication Process, with T1098, Account Manipulation.
Why it works
The Admin API key had full scope with no source-IP restriction and no alerting on sensitive actions, so a single stolen key was effectively a master key to MFA.
How to fix it
Revoke the Admin API key to stop further tampering, but that is only step one. The move the scenario teaches is to undo what the key already changed: delete the bypass code, remove the attacker-enrolled device, and revert the weakened policy, or MFA stays subverted for that account. Disabling MFA org-wide is exactly the attacker’s goal, and a password reset alone leaves the bypass and rogue device intact. Scope every affected account from the Duo admin actions log, since a user profile shows only the after-state. As a class fix, scope Admin API keys to least privilege, restrict them by source IP, and alert on bypass-code creation, device enrollment, and policy changes.
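The scoping step above, as an added example that is not part of the original post or of Duo's own tooling: it runs over constructed admin-actions log entries in the shape of the Admin API administrator log and groups MFA-weakening actions by the account or policy they touched, so each finding maps to its reversal step. The action names, the `API (...)` username form for key-driven actions and the description fields are assumptions; match them against what your tenant actually emits.

```python
import json
from collections import defaultdict

# Admin-action names treated as MFA-weakening, mapped to the reversal step.
# Assumed to match Duo's administrator-log action vocabulary; adjust as needed.
SENSITIVE_ACTIONS = {
    "bypass_create": "delete the bypass code",
    "phone_create": "remove the enrolled device",
    "policy_update": "revert the policy change",
}

# Constructed sample entries (not real tenant data) in the shape of the
# /admin/v1/logs/administrator output: username is the admin or API key acting,
# object is the target, description is a JSON string with the details.
SAMPLE_LOG = [
    {"isotimestamp": "2024-05-01T09:00:00Z", "action": "user_update", "username": "helpdesk",
     "object": "bob", "description": "{\"email\": \"bob@example.test\"}"},
    {"isotimestamp": "2024-05-01T09:05:00Z", "action": "bypass_create", "username": "API (ops-sync-key)",
     "object": "alice", "description": "{\"count\": 1, \"valid_secs\": 3600}"},
    {"isotimestamp": "2024-05-01T09:06:00Z", "action": "phone_create", "username": "API (ops-sync-key)",
     "object": "alice", "description": "{\"number\": \"+15555550100\", \"platform\": \"Generic Smartphone\"}"},
    {"isotimestamp": "2024-05-01T09:07:00Z", "action": "policy_update", "username": "API (ops-sync-key)",
     "object": "Global Policy", "description": "{\"auth_method\": \"bypass\"}"},
]

def find_mfa_tampering(entries, actor=None, sensitive=SENSITIVE_ACTIONS):
    """Group sensitive admin actions by the object (user or policy) they changed.

    Returns {object: [(timestamp, action, actor, details, reversal_step)]}.
    With `actor` set, only entries performed by that admin or API key count,
    which is how you scope the blast radius of one stolen key.
    """
    affected = defaultdict(list)
    for e in entries:
        action = e.get("action")
        if action not in sensitive:
            continue
        if actor is not None and e.get("username") != actor:
            continue
        try:  # description is a JSON string; keep the raw text if it is not
            details = json.loads(e.get("description") or "{}")
        except json.JSONDecodeError:
            details = {"raw": e.get("description")}
        affected[e.get("object")].append(
            (e.get("isotimestamp"), action, e.get("username"), details, sensitive[action]))
    return dict(affected)

def reversal_checklist(affected):
    """Flatten grouped findings into sorted (object, step) items for the runbook."""
    return sorted((obj, hit[4]) for obj, hits in affected.items() for hit in hits)
```

Note that a policy change is logged against the policy, not the users it governs, so the accounts affected by it still have to be resolved from the policy's assignments.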
Practice it
We built this as a GraphLattice Range scenario so administrators can rehearse revoking the key, reversing the bypass, device, and policy changes, and scoping affected accounts from the admin actions log.