My Duo Key leaked! What should I do?

What is a Duo Key and how it is used?

A Duo Key is a unique cryptographic key pair used in Duo Security's two-factor authentication system, consisting of a public key and a private key.

When it comes to secret management and detection practices, understanding the main use cases of the Duo Key is crucial for developers. Here are three key points to keep in mind:

• Two-Factor Authentication (2FA): The Duo Key is primarily used to enable two-factor authentication for applications and services. By requiring users to provide a second form of verification in addition to their password, the Duo Key helps enhance security and prevent unauthorized access.
• Secure Access Control: The Duo Key can also be used to enforce secure access control policies within an organization. By integrating the Duo Key into authentication processes, developers can ensure that only authorized individuals are able to access sensitive systems and data.
• Identity Verification: Another key use case for the Duo Key is identity verification. By leveraging the Duo Key for multi-factor authentication, developers can verify the identity of users and mitigate the risk of identity theft or unauthorized account access.

How to generate a Duo Key?

To generate a Duo Key, follow these steps:

1. Log in to your Duo account.
2. Go to the "Applications" section.
3. Click on the "Add Application" button.
4. Choose the type of application you want to generate a key for (e.g., Web SDK, Mobile SDK).
5. Follow the on-screen instructions to generate the Duo Key for your application.

Once you have generated the Duo Key, make sure to securely store it and use it in your application to enable Duo authentication.

My Duo Key leaked, what are the possible reasons?

There are several reasons why a Duo key might have been leaked:

• Weak security practices: If the key was stored in an insecure location or shared with unauthorized individuals, it could have been leaked.
• Accidental exposure: Developers may inadvertently include the key in code repositories, configuration files, or documentation that is accessible to others.
• Malicious insiders: An employee or contractor with access to the key may intentionally leak it for personal gain or to harm the organization.
• Phishing attacks: Attackers may use social engineering techniques to trick individuals into revealing the key through email or other communication channels.
• Compromised systems: If the systems where the key is stored are compromised, attackers may be able to access and leak the key.

What are the risks of leaking a Duo Key

When it comes to secret management, it is crucial for developers to understand the risks associated with leaking a Duo Key. A Duo Key is a sensitive piece of information that, if exposed, can lead to serious security breaches and compromise the integrity of the system. Here are some specific risks of leaking a Duo Key:

• Unauthorized access: A leaked Duo Key can be used by malicious actors to gain unauthorized access to sensitive data and resources.
• Data breaches: Once a Duo Key is compromised, it can be used to extract confidential information or manipulate the system, leading to potential data breaches.
• Identity theft: With access to a Duo Key, attackers can impersonate legitimate users and carry out fraudulent activities, such as financial transactions or account takeovers.
• Reputation damage: A security incident resulting from a leaked Duo Key can severely damage the reputation of the organization, leading to loss of trust from customers and partners.

It is essential for developers to implement robust security measures to protect Duo Keys and other sensitive information. This includes using secure storage mechanisms, restricting access to authorized personnel only, and regularly monitoring and auditing the usage of these keys. By following best practices in secret management, developers can mitigate the risks of leaking Duo Keys and ensure the overall security of their systems.

Duo Key security best practices

• Avoid embedding the secret directly in your code. Instead, use environment variables or secrets managers‍
• Secure storage: store the Duo Key in a secure location, such as a password manager or a secrets management service.
• Regular rotation: periodically rotate the API key to minimize the risk of long-term exposure.
• Restrict permissions: apply the principle of least privilege by only granting the key the minimum necessary permissions.
• Monitor usage: regularly check the usage logs for any unusual activity or unauthorized access attempts.
• Implement access controls: limit the number of users who have access to the secret and enforce strong authentication measures.
• Use a secrets manager: utilize secret management tools like CyberArk or AWS Secrets Manager for enhanced security.

By adhering to the best practices, you can significantly reduce the risk associated with Duo Key usage and improve the overall security of your Duo Key implementations.

Exposing secrets on GitHub: What to do after leaking Credential and API keys

Duo Key leak remediation: what to do

What to do if you expose a secret: How to stay calm and respond to an incident [cheat sheet included]

How to check if Duo Key was used by malicious actors

• Review Access Logs: Check the access logs of your Duo Key account for any unauthorized access or unusual activity. Pay particular attention to access from unfamiliar IP addresses (if you haven’t set up a specific allow list) or at odd hours.
• Monitor Usage Patterns: Look for anomalies in the usage patterns, such as unexpected spikes in data access or transfer.
• Check Active Connections and Operations: Review the list of active connections and recent operations on your database. Unusual or unauthorized operations might indicate malicious use.
• Audit API Usage: If possible, audit the usage of your API key through any logging or monitoring services you have integrated with Duo Key. This can give insights into any unauthorized use of your key.

Steps to revoke the Duo Key

Generate a new Duo Key:

• Log into your Duo Key account.
• Navigate to the API section and generate a new API key.

Update Services with the new key:

• Replace the compromised key with the new key in all your services that use this API key.
• Ensure all your applications and services are updated with the new key before deactivating the old one.

Deactivate the old Duo Key:

• Once the new key is in place and everything is functioning correctly, deactivate the old API key.
• This can typically be done from the same section where you generated the new key.

Monitor after key rotation:

• After deactivating the old key, monitor your systems closely to ensure that all services are running smoothly and that there are no unauthorized access attempts.

How to understand which services will stop working

• Inventory of services: keep an inventory of all services and applications that utilize your Duo Key.
• Communication and documentation: Ensure that your team is aware of which services are dependent on the key. Maintain documentation for quick reference.
• Testing: before deactivating the old key, test your services with the new key in a staging environment. This helps in identifying any services that might face issues post rotation.
• Fallback strategies: Have a fallback or emergency plan in case a critical service fails after the key rotation. This might include temporary measures or quick rollback procedures.

In summary, the remediation process involves identifying potential misuse, carefully rotating the key, and ensuring minimal disruption to services. Being proactive and having a well-documented process can greatly reduce the risks associated with a compromised API key.

What about other secrets?

GitGuardian helps developers keep 350+ types of secrets out of source code. GitGuardian’s automated secrets detection and remediation solution secure every step of the development lifecycle, from code to cloud:

• On developer workstations with git hooks (pre-commit and pre-push);
• On code sharing platforms like GitHub, GitLab, and Bitbucket;
• In CI environments (Circle CI, Travis CI, Jenkins CI, GitHub Actions, and many more);
• In Docker images.