Hacking Duo in Real Time


This is Alice, she doesn’t know it yet, but she’s being phished. The link she clicked on looks just like her work login. So she proceeds as normal, entering her username and password.

However, she’s not the only one logged in to her account. She has unknowingly let in a bad actor with her. This is what the bad actor sees. In their software, we can see that even with Duo’s push 2FA, they were able to capture Alice’s login credentials with the phishing link.

But what if Alice had Beyond Identity? When she clicks on the bad link, it again takes her to a screen that looks just like her work login. Notice there is no password field, as Beyond Identity's frictionless MFA is completely passwordless. As Beyond Identity begins its authentication process, it checks for things like if antivirus software is installed, if the firewall is on, what operating system version the device is on, and other customizable risk policies that are configured in the admin console.

Noticing the bad link, Beyond Identity does not authenticate this device and prevents the login. From the bad actor’s point of view, you can see that they were unable to capture any of Alice’s credentials when she tried to login with Beyond Identity’s passwordless MFA.

All MFA’s are not created equal. Using Beyond Identity eliminates passwords and user friction providing the strongest, phishing-resistant MFA.