Duo Two-factor Authentication Bypass
ID: 5f12be66-0092-53e7-91ca-d812a239e7bf
STIX ID: report--5f12be66-0092-53e7-91ca-d812a239e7bf
Feed Name: SensePost Blog
This report describes the discovery and exploitation of two Duo 2FA bypass techniques: one that copies and injects an attacker-controlled 'sid' into a victim's 2FA request, and a more reliable variant that reuses a 'txid' to make Duo believe the push was accepted by the victim. Both methods allowed an attacker who already had the victim's credentials and a separate Duo-enabled account under their control to receive the victim's push approval and complete authentication. The issue was reported to Duo, which implemented a fix promptly and coordinated disclosure.
