
How can I scan websites integrated with the Cisco Duo mobile application for MFA?

This document is for:
Invicti Standard, Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

Cisco Duo MFA adds a second layer of security via the Duo app, using push notifications, passcodes, or biometrics.

Automation of Cisco Duo MFA in DAST Scanner

The integration of multi-factor authentication (MFA), particularly through the Cisco Duo mobile application, significantly strengthens authentication security. However, it also introduces substantial obstacles for the automated tools used in dynamic application security testing (DAST). These tools are designed to operate in a fully automated pipeline, where any requirement for user interaction, such as approving a push notification in the Duo app, breaks the automation model and prevents continuous integration or large-scale scanning workflows.

This document presents an overview of research conducted on automating the handling of Duo-based MFA in DAST scenarios. It evaluates current limitations and outlines potential bypass strategies. The goal is to enable fully unattended scanning without compromising the security posture or violating integration constraints imposed by MFA solutions.

Auth Flow with Cisco Duo MFA

  • User Login – The user enters their username and password in the application.
  • MFA Challenge – The application requests authentication from Duo's cloud service.
  • Push Notification – Duo sends a push notification to the user's mobile device via the Duo app.
  • User Approval – The user opens the Duo app and approves or denies the request.
  • Access Granted – If approved, the application grants access; if denied, authentication fails.

MFA Automation via Duo API

The Duo API does not allow the Duo app to be replaced entirely, because Cisco Duo deliberately provides no API for programmatically approving MFA push notifications. The Duo Auth API can initiate authentication requests and check their status, but push-based MFA always requires manual approval in the Duo app.

MFA Automation without Manual User Intervention

Authentication can proceed without user intervention by using Duo Bypass Codes, which can be generated via the Duo Admin API, or by configuring Conditional Access Policies to exempt specific users, devices, or trusted networks from MFA. These methods enable automated logins while maintaining security controls.

Reverse Engineering of Private APIs

No public or documented private API exists for programmatically approving Duo MFA push requests. Cisco Duo does not provide an API endpoint to auto-approve authentication challenges for security reasons.

Reverse engineering the Duo app to discover private endpoints may be technically possible, but there are significant challenges. The app likely encrypts MFA requests and responses, making interception or manipulation difficult. Any private API discovered would likely be rate-limited and protected against unauthorized automation. Using them in production is not recommended due to security, legal, and reliability concerns.

Bypassing MFA via Duo Bypass Codes

Administrators can temporarily bypass MFA using Duo Bypass Codes, which allow users to authenticate without an MFA challenge. These codes can be generated in the Duo Admin Panel or via the Duo Admin API and set to expire after a single use or a defined duration.

Who can obtain Duo Bypass Codes

An AppSec engineer typically does not have permission to generate Duo bypass codes unless explicitly granted administrative access. Bypass code generation is usually restricted to Duo Administrators, such as IT security teams or identity and access management (IAM) personnel, to prevent unauthorized MFA circumvention. However, an AppSec engineer may request a bypass code from an administrator if needed for security testing or automation purposes.

Bypassing MFA via Conditional Access Policies

Conditional Access Policies in Cisco Duo allow MFA exemptions based on criteria such as trusted networks, specific user groups, managed devices, or low-risk logins. While AppSec engineers typically do not control these policies, they can request exceptions for security testing, automated scanning, or application assessments. However, granting such exceptions is at the discretion of Duo Administrators or IT security teams, who must balance security risks with operational needs.
Conclusion

In Cisco Duo, MFA cannot be bypassed programmatically through API approvals, but it can be managed through security policies. Organizations can:

  • Use Conditional Access Policies to exempt specific users, devices, or trusted networks (IPs) from MFA.
  • Generate Duo Bypass Codes via the Duo Admin API for temporary authentication without requiring MFA approval.
  • Leverage Device Trust Policies to reduce MFA prompts for managed or recognized devices.

Given the complexities of handling MFA, the most practical solution for automated DAST scanning is to request an exception for our cloud scanner’s IP through Conditional Access Policies on the customer’s side, eliminating the need for MFA. The use of Duo Bypass Codes could also be a viable option if the individual operating our DAST product is able to obtain bypass codes from a Duo Administrator.

One option is therefore to bypass MFA using Conditional Access Policies or Duo Bypass Codes; another is to use OTP authentication, which Duo supports. Unlike push notifications, OTP authentication can be automated by integrating it into the login workflow, making it a viable alternative for scenarios where the MFA step must be handled programmatically. OTP authentication is supported by Invicti products.
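To show concretely why the OTP route can be automated while push cannot, the following is an added example (not Invicti's or Cisco Duo's code) of the two halves of an OTP-based login: the standard HOTP/TOTP computation (RFC 4226 / RFC 6238) that a scanner's login sequence can run itself from the test account's enrolled token secret, and the server-side check with a drift window and replay protection. The secret used is the RFC reference key, which is a constructed value for demonstration only; the form field names in `scanner_login_form` are assumptions, and which algorithm, step length and digit count the enrolled Duo token actually uses must be confirmed with the Duo Administrator rather than taken from this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional, Set

# Constructed demo secret: base32 of the RFC 4226 / RFC 6238 reference key
# "12345678901234567890". A real login sequence would load the enrolled
# token's secret from a secrets store, never hard-code it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current Unix time step."""
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, used: Set[int],
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept a code for the current step or one step
    either side (clock drift), but never accept the same step twice (replay).
    `used` is the per-user set of already-consumed step numbers."""
    current = at // step
    for delta in range(-window, window + 1):
        step_no = current + delta
        if step_no in used:
            continue
        if hmac.compare_digest(hotp(secret_b32, step_no, len(code)), code):
            used.add(step_no)
            return True
    return False


def scanner_login_form(username: str, password: str, secret_b32: str,
                       at: Optional[int] = None) -> Dict[str, str]:
    """What an automated login step submits when the test account is enrolled
    with a TOTP passcode: the scanner computes the code itself instead of
    waiting for a push approval. Field names are assumptions; the real ones
    come from the application under test."""
    return {
        "username": username,
        "password": password,
        "passcode": totp(secret_b32, at=at),
    }


if __name__ == "__main__":
    # Fixed timestamp so the run is reproducible against the RFC 6238 vectors.
    form = scanner_login_form("dast-svc", "example-password", DEMO_SECRET_B32, at=59)
    print(form)  # passcode is 287082 (RFC 6238 SHA-1 vector for T=59, 6 digits)
    consumed: Set[int] = set()
    print(verify_totp(DEMO_SECRET_B32, form["passcode"], 59, consumed))  # True
    print(verify_totp(DEMO_SECRET_B32, form["passcode"], 59, consumed))  # False: replay
```

The point for the scanner is that the second factor is a deterministic function of a shared secret and the clock, so the login sequence needs no human in the loop; the point for the defender is that the same code is only valid within the drift window and only once, which is why an OTP-enrolled service account remains a reasonable MFA posture for unattended scanning.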