
I know some of the Duo folks and they are serious security nerds and I don't think they would make this up. That said, I don't have any knowledge of the implementation. I did find this[1]:

> Duo Push technology employs asymmetric encryption to sign and verify communications between Duo's servers and a smartphone running the Duo Push app

I'm thinking this is saying something like they sign the contents of the push notification with a key that the app knows and that the man in the middle wouldn't have. So, they're not just relying on the provider of the push notification service.

[1]: https://searchsecurity.techtarget.com/answer/Do-two-factor-a...



Yeah, this doesn't help with a MITM because what happens is the victim is at Mallory's site thinking it's their real sign on site, Mallory is talking to their real sign on service. The victim types in real credentials, and says OK let's use Duo Push... Mallory now has their credentials and does Duo Push. The push is securely sent to the victim's phone, and they press OK because they really are trying to sign in. Mallory is allowed in.

FIDO tokens break this attack because the token is talking to the victim's web browser, and that's not visiting the real site so it doesn't work. If Mallory lets the victim's browser talk to the real site, sign in works but Mallory is cut out of the loop.

It's a Confused Deputy problem. Push 2FA assumes that if you confirm that you're trying to sign in at 9:14 and there's an attempted sign in at 9:14 then that's one event, but unlike U2F the only thing connecting the two is the timing, which Mallory can choose.
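Added example, not part of the comment above or of any Duo or FIDO code: a small model of the relying party's check in both schemes, showing that a push approval carries no origin while a token response is rejected when the signed origin is not the site's own. The `.example` origins, function names and login id are assumptions, and HMAC stands in for the ECDSA signature a real token produces.

```python
import hashlib, hmac, json, os

REAL_ORIGIN = "https://valery.example"   # constructed: the relying party's own origin
TOKEN_KEY = os.urandom(32)               # stand-in for the token's signing key

def browser_sign(origin_in_address_bar, challenge):
    """Browser + token: the browser, not the page, supplies the origin that is signed."""
    client_data = json.dumps(
        {"origin": origin_in_address_bar, "challenge": challenge.hex()}
    ).encode()
    sig = hmac.new(TOKEN_KEY, client_data, hashlib.sha256).digest()
    return client_data, sig

def rp_verify_token(challenge, client_data, sig):
    """Relying party: the signature must be valid AND cover our origin and challenge."""
    expected = hmac.new(TOKEN_KEY, client_data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    return data["origin"] == REAL_ORIGIN and data["challenge"] == challenge.hex()

def rp_verify_push(pending_login_id, approved_ids):
    """Push 2FA: the approval names a login attempt, not the site the user is viewing."""
    return pending_login_id in approved_ids

def relayed_login(second_factor):
    """The user's browser is on a look-alike origin that forwards to the real site."""
    challenge = os.urandom(16)           # issued by the real site to the relaying session
    if second_factor == "push":
        # The user approves because they really are trying to sign in at that moment.
        return rp_verify_push("login-1", {"login-1"})
    client_data, sig = browser_sign("https://mallory.example", challenge)
    return rp_verify_token(challenge, client_data, sig)

def direct_login():
    """The user's browser is on the real origin; the token response verifies."""
    challenge = os.urandom(16)
    client_data, sig = browser_sign(REAL_ORIGIN, challenge)
    return rp_verify_token(challenge, client_data, sig)

if __name__ == "__main__":
    print("relayed, push :", relayed_login("push"))    # accepted
    print("relayed, token:", relayed_login("token"))   # rejected on origin
    print("direct,  token:", direct_login())           # accepted
```

Rewriting the origin field after signing does not help a relay either, because the signature no longer matches the modified client data.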


Why would Duo Push allow Mallory's site to initiate a Duo Push for RealSite.com without either a shared secret or certificate validation?

You present an obvious problem that has been solved securely many times over many products and act as if a group of IAM and 2fa professionals ignored or just hadn't thought of it before...


Because mallory.com (who's impersonating valery.com by ripping off the site design, and has a valid certificate for mallory.com) is running a full-up copy of Chrome in a VM, and is clicking the signin link just like a user would do.

I assume what Duo is referring to, though, is that they send through the IP address that your push request is coming from.

So if a user is observant and knows their public IP, they should see the difference.


The real site doesn't know this is Mallory, after all Mallory has the victim's credentials. It stands to reason it will offer Duo Push. And the victim is expecting Duo Push so they'll hit OK.

You insist this "has been solved securely many times over" but it famously hasn't, which is why I asked if Duo had some secret sauce. They evidently don't.

People keep building things that are very clever but don't actually respond to the threats in the real world. MITM is a real world threat, and one Duo shouldn't be pretending they're defending against with this Push technology.


Yeah, I believe this is in comparison to SMS-based 2FA.



