SecureWorld Webinar: Why Password Managers Fail to Secure and How You can Take Back Control
Register Now

MFA Cannot Stand Alone Series – The DUO Hacking

CTO & Co-Founder at Unixi

Unveiling the Limitations of MFA

As was demonstrated in the previous blog post, MFA cannot stand alone. MFA, on its own, still leaves enterprise systems vulnerable to various breaches. In the following post, we will continue exploring different vulnerabilities of the MFA mechanism.

The DUO Hacking Incident

One such vulnerability was exposed very recently  with the breach associated with one of the leading MFA providers – Cisco’s DUO. According to reports, DUO was acquired by the IT giant Cisco for around $2.35 billion. DUO is a cybersecurity platform that offers access management, phishing prevention, and risk-based authentication. It is a reputable platform trusted by clients worldwide. However, last week, it fell victim to hacking.

DUO itself was not directly breached, and that’s the point of discussion here. Instead, DUO’s third-party telephony provider (VoIP) was breached and compromised. Through a social engineering attack, an employee of the third-party VoIP disclosed their credentials to the hackers, granting them access to the company’s internal data. Subsequently, the hackers gained access to communication logs between DUO and the third party. The breach reportedly exposed information about DUO’s users, including emails, phone numbers, names, and other metadata associated with the messages.

This incident highlights a significant vulnerability in suppliers such as DUO. While claiming to eliminate password usage and ensure complete immunity from hacking, DUO’s clients were ultimately compromised due to the underlying issue plaguing companies and the cybersecurity industry – social engineering and its derivative, credential theft. The information obtained by hackers in this incident will likely be utilized in future spear-phishing attacks, as the hackers can now target specific individuals armed with their personal contact information.

Addressing MFA’s Shortcomings with Unixi

This serves as another reminder that MFA cannot stand alone. Companies serious about their cybersecurity must incorporate additional tools into their arsenal to complement MFA. MFA alone does not holistically address social engineering, and as evidenced, even MFA suppliers are susceptible to social engineering attacks. This incident is another example of a scenario where Unixi’s solution would have resolved the issue. Firstly, DUO’s third-party provider would have been protected under Unixi’s universal SSO, and credentials and phishing protection, thus mitigating the risk of credential theft. Additionally, DUO’s users, even if exposed by this or a similar attack, would have peace of mind knowing that there is no leak or breach that will allow hackers to breach other accounts in the future. While MFA is undoubtedly valuable, Unixi’s platform also offers it with its universal SSO (with 100% compatibility and seamless integration), but it becomes impervious with Unixi’s credential and phishing protections.

Reuvein Vinokurov

CTO & Co-Founder at Unixi

Reuvein Vinokurov is the co-founder and CTO of Unixi, where he directs the platform’s core architectural vision and technical innovation. He brings deep enterprise engineering and offensive security expertise, having previously served as VP of Efficiency & Innovation at HUB Security and Offensive Security Team Leader at Comsec. With years of hands-on experience developing advanced automation tools and leading red-team simulations, Reuvein designed Unixi’s proprietary decentralized architecture to achieve 100% single sign-on coverage at the interaction layer. His mission is to dismantle the underlying mechanics of identity theft and credential exposure, turning unmanaged SaaS blind spots into ironclad enterprise security barriers.

Explore more