The Duo Blog
https://duo.com/
Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access.
Mon, 27 Sep 2021 08:30:00 -0400 | en-us | info@duosecurity.com (Amy Vazquez) | Copyright 2021

Want Passwordless to Succeed? Make It Easy
Ted Kietzman (tkietzman@duosecurity.com) | Industry News | Mon, 27 Sep 2021 08:30:00 -0400
https://duo.com/blog/want-passwordless-to-succeed-make-it-easy

The Promise of Passwordless

If you've been following the evolution of passwordless, you've likely read countless blog posts and whitepapers pondering the promise of this technology. The pitch is relatively simple: passwords are insecure and inconvenient, so let’s get rid of them. We shouldn’t trivialize this promise. Passwords are insecure: they provide a time-tested avenue for bad actors to compromise credentials and gain unauthorized access. As the Verizon Data Breach Investigations Report perennially points out, compromised credentials play a role in the majority of breaches. Passwords are also inconvenient. Password length, complexity, and rotation requirements have only gotten more stringent in the past ten years, leading to headaches for end users and help desks alike.

Before continuing, it should be noted that not all passwordless is the same. “Getting rid of the password” could be as simple as removing the password field and asking for the username only — which is obviously highly insecure. Secure passwordless technology also removes the password, but it does so by replacing it with stronger factors like device identity or biometrics. If you’re interested in learning more about the technical ins and outs of passwordless, Duo’s own Jeremy Erickson has written an extensive Administrator’s Guide to Passwordless — a great resource for those looking to dive into passwordless in all its glory.

IT Administrators and End Users Are Intrigued by Passwordless

However, let’s return to the problem at hand. Just because industry thought leaders and security vendors agree on a premise (like the value of passwordless), that doesn’t mean IT decision makers or workforce end users feel ready or willing to transition to a new technology. To get to the bottom of this, Duo conducted a global survey of both IT professionals and end users to gauge their attitudes when it comes to passwords and a potential transition to passwordless. The survey covered ten countries worldwide and had thousands of respondents. The findings were quite interesting. 

See the video at the blog post.

To start, end users are largely in agreement that passwords are inconvenient. Fifty-one percent of respondents noted that they forget and reset a password at least once a week. Furthermore, they may not always practice the most secure habits. Fifty-seven percent of respondents noted that they reuse passwords across multiple sites, and 78% of respondents create new passwords by adding a number or symbol to the end of an old password. 

Perhaps more interestingly, users seem more ready for a passwordless future than you might expect. Sixty-nine percent of respondents noted that they felt comfortable using their fingerprint in place of a password to log on. Additionally, 78% of end users already use at least one device in their daily lives with biometrics enabled.

See the video at the blog post.

When it comes to IT decision makers, they too are officially tired of passwords. The IT respondents spent an average of an hour and 15 minutes each week dealing with password resets and issues. Nearly half (46%) also noted that compromised credentials were a top security priority for them.

It also turns out that IT decision makers eagerly await a passwordless future. Fifty-six percent of respondents are actively considering implementing passwordless in their environments today.

Chief Concerns: Deployment and End User Training

These findings clearly indicate that end users and IT decision makers are intrigued by the potential of passwordless. However, that doesn’t mean making passwordless a reality is a slam dunk. The survey also illuminated some serious concerns about transitioning away from passwords. 

End users did express anxiety around their biometrics being stored and housed by private companies. It’s also true that, while 78% of end users have a device with a biometric enabled, it may not be one they can use for authentication at work — and there are still about a quarter of folks who wouldn't be able to use a biometric-based passwordless solution at all. 

IT decision makers worry about the deployment of passwordless. Yes, there are potential benefits — but many have already encountered issues with passwordless authenticators integrating into their environments. Passwordless solutions that work for certain applications or devices, but not their entire environment, also posed challenges.

Passwordless Priorities at Duo

At Duo, we understand the promise and potential of passwordless to improve security and offer end users a streamlined experience. However, we’re also taking to heart the concerns of end users and IT decision makers as we develop our passwordless solution. We’re not positing that every company can go fully passwordless tomorrow — that would be a huge oversimplification — but we have prioritized making it easy to take the first step. 

First, we’ve ensured that our passwordless authentication is easy to set up and deploy. If passwordless is difficult or frustrating to enable, people won’t do it. It’s more than easy enough to continue with the status quo. Unless the passwordless path is relatively simple to start down and walk along, people won’t take it. At Duo, we’ve made sure that testing, deploying and maintaining passwordless in any environment is as easy as possible.

Second, we want to make it accessible for end users to understand and use. While folks may hate the idea of passwords, they’re definitely used to them. To make sure there’s minimal friction for end users, Duo will support many device types as passwordless authenticators. In addition, the enrollment process will provide easy-to-follow instructions as well as relevant information about the security and privacy properties of our passwordless solution. For example, to address concerns about companies storing fingerprints, we inform users that Duo will never store or keep a copy of their biometric. This way, end users feel comfortable making the transition to passwordless.

With each passing month, the promise of passwordless is becoming a reality. However, it’s important to remember that even though security professionals, IT administrators, and end users feel ready for passwordless, it’s our responsibility to make it easy to fulfill its promise. To learn more about Duo’s approach, explore our Passwordless solution page or sign up to receive the latest updates about our Passwordless solution.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Windows Logon, Will You Remember Me?
Patrick Knight (pknight@duosecurity.com) | Product & Engineering | Thu, 23 Sep 2021 08:30:00 -0400
https://duo.com/blog/windows-logon-will-you-remember-me

Sarah McLachlan, a sage of our time, once opined, “I will remember you. Will you remember me?” and for the longest time Duo for Windows Logon replied, “No.” Today, weep not for the memories of what was, but rejoice because the answer will soon be, “Yes.”

We’re pleased to announce the general availability of Trusted Sessions for Windows laptops and desktops. Trusted Sessions brings the “Remember Me” feature from our browser prompt to Windows Logon, allowing you to trust your local logins with Duo and reduce the amount of times needed to MFA in the future, saving you lots of time, energy and defenestration of Windows endpoints.

Consider the use case that New Hampshire Ball Bearing, Inc. is looking to solve. The IT Security team of this specialized manufacturing producer uses Duo to comply with the DFARS regulation and enforce corporate security policies. They wanted to ensure that security policies do not create user friction and negatively impact productivity. With Duo’s Trusted Sessions feature, the team reduced multi-factor authentication (MFA) fatigue without compromising on security.

"We protect local device logon with Duo’s MFA to comply with DFARS, and our corporate security policy mandates inactivity screen lock of 5 minutes. This scenario increased user frustration, especially at a time when employees are unable to use FaceID to unlock their MFA device due to mask wearing. Duo’s trusted sessions feature for Windows Logon has greatly reduced our end user hesitancy during MFA deployment while increasing voluntary adoption rates. The majority of our users recognized and enabled the trusted sessions feature organically with no notification or instruction from IT. Now our user base finds Duo unobtrusive and we're able to comply with our MFA mandate without push back from users." —Clayton Girouard, Sr. Systems Engineer - Information Technology, New Hampshire Ball Bearing, Inc. (NHBB)

Enable Trusted Sessions in Just a Couple of Clicks

Reducing user friction has never been so easy for administrators. They can easily enable trusted sessions from the admin console under the “Remembered devices” policy section. 

“Remember Me” for Windows Logon

With the Remember Devices for Windows Logon policy enabled, the user will be offered a “Remember Me for X Time” checkbox during login. When users check this box, they will not be challenged for secondary authentication when they log in again from that device for a set period of time, unless something changes. The policy duration can be set from a minimum of one hour to a maximum of 90 days, allowing you to find the optimal time frame to meet the security considerations for you and your organization.

One of the core challenges in our research was that logging into an endpoint requires different security properties than logging into a web application. As a result, we had to develop a way to proactively revoke trust when we could no longer assert the user and the device were in a state where it was appropriate to continue trust.

To achieve this, we looked at three properties:

  1. The operating session state. When invoking Duo, we determine whether the authentication attempt is an unlock or a new session. If it’s a new session, Duo will require MFA, and a subsequent unlock will honor the time duration set for “Remember Me.”
  2. Network location. At each authentication attempt, Duo will snapshot and compare the network state of the user's device to determine whether it moved off of your network. If it has, we'll prompt for MFA.
  3. User’s choice. Trusted Sessions gives users the choice to end a remembered session early by clicking Cancel while logging into a trusted session.

See the video at the blog post.

Now, a reality check. Duo is going to default to secure, so if there’s uncertainty about network location we’re going to prompt again. The idea is to streamline MFA attempts, not completely eliminate them. Additionally, we’re not delivering this feature for RDP sessions today. Our research highlighted the need for a robust way to assert the same user on the same device with trust, returning back to the same RDP session. That opened the door to a new round of research that was beyond our scope and would have seriously delayed delivery. And finally, Offline MFA sessions will not be remembered, because Duo cannot assert certain things about the device. We must assume it’s outside of normal administrative control and can’t be assumed to be in a trustworthy state. 
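The three revocation properties and the defaults in the reality check above, modelled as an added Python example. This is not Duo's Windows Logon code: the record shapes, the opaque "network fingerprint" string, the decision strings and the constructed user walkthrough are all assumptions made here to show how a trust record is minted after MFA on a new local session and how every unlock is re-checked against session state, network location, expiry and the user's own cancel, defaulting to an MFA prompt whenever the network snapshot is missing or the session is RDP or offline.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Policy bounds stated in the post: "Remember Me" runs from one hour up to 90 days.
MIN_DURATION = timedelta(hours=1)
MAX_DURATION = timedelta(days=90)


@dataclass
class RememberedSession:
    """Trust record minted after a successful MFA on a new local session (assumed shape)."""
    user: str
    device: str
    network_fingerprint: str      # constructed opaque snapshot of the network state
    expires_at: datetime
    revoked: bool = False


@dataclass
class AuthAttempt:
    user: str
    device: str
    kind: str                     # "logon" = new session, "unlock" = resume existing session
    session_type: str             # "local", "rdp" or "offline"
    network_fingerprint: Optional[str]   # None when the snapshot could not be taken
    user_cancelled: bool = False  # user clicked Cancel to end the remembered session
    at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def validate_duration(duration: timedelta) -> timedelta:
    """Reject Remember Me durations outside the 1 hour .. 90 day policy range."""
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError("Remember Me duration must be between 1 hour and 90 days")
    return duration


def mint_session(attempt: AuthAttempt, duration: timedelta) -> Optional[RememberedSession]:
    """Create a trust record after MFA succeeded on a new session.

    RDP and offline sessions are never remembered, and a session without a
    usable network snapshot is not remembered either (default to secure).
    """
    if attempt.session_type != "local" or attempt.network_fingerprint is None:
        return None
    return RememberedSession(attempt.user, attempt.device, attempt.network_fingerprint,
                             attempt.at + validate_duration(duration))


def evaluate(attempt: AuthAttempt, session: Optional[RememberedSession]) -> Tuple[str, str]:
    """Decide whether to prompt for MFA. Returns ("mfa", reason) or ("trusted", reason)."""
    if attempt.session_type == "rdp":
        return "mfa", "RDP sessions are not remembered"
    if attempt.session_type == "offline":
        return "mfa", "offline MFA sessions are not remembered"
    if attempt.kind == "logon":
        return "mfa", "a new session always requires MFA"
    if session is None or session.revoked:
        return "mfa", "no active remembered session"
    if (session.user, session.device) != (attempt.user, attempt.device):
        return "mfa", "remembered session belongs to another user or device"
    if attempt.at >= session.expires_at:
        return "mfa", "remembered session expired"
    if attempt.network_fingerprint is None or attempt.network_fingerprint != session.network_fingerprint:
        return "mfa", "network changed or unknown; defaulting to secure"
    if attempt.user_cancelled:
        session.revoked = True        # the user's choice ends trust early
        return "mfa", "user ended the remembered session"
    return "trusted", "unlock within the remembered window on the same network"


def walkthrough() -> Dict[str, str]:
    """Run a constructed day for one user and return the decision for each step."""
    t0 = datetime(2021, 9, 23, 8, 0, tzinfo=timezone.utc)

    def attempt(kind, session_type, net, hours, cancelled=False):
        return AuthAttempt("alice", "LAPTOP-01", kind, session_type, net, cancelled,
                           t0 + timedelta(hours=hours))

    logon = attempt("logon", "local", "net:office", 0)
    results = {"logon": evaluate(logon, None)[0]}
    session = mint_session(logon, timedelta(hours=8))   # MFA succeeded, 8-hour Remember Me
    steps = [
        ("unlock_same_network", attempt("unlock", "local", "net:office", 1)),
        ("unlock_new_network", attempt("unlock", "local", "net:cafe", 2)),
        ("unlock_unknown_network", attempt("unlock", "local", None, 3)),
        ("rdp_unlock", attempt("unlock", "rdp", "net:office", 4)),
        ("offline_unlock", attempt("unlock", "offline", "net:office", 5)),
        ("unlock_after_expiry", attempt("unlock", "local", "net:office", 9)),
        ("user_cancels", attempt("unlock", "local", "net:office", 6, cancelled=True)),
        ("unlock_after_cancel", attempt("unlock", "local", "net:office", 7)),
    ]
    for name, step in steps:
        results[name] = evaluate(step, session)[0]
    return results


if __name__ == "__main__":
    for step, decision in walkthrough().items():
        print(f"{step:24s} -> {decision}")
```

Only the unlock on the same network inside the window comes back as trusted; every other step, including the unknown-network case, falls back to an MFA prompt, which is the "default to secure" behaviour the post describes.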

“Remember Me” Is Available Now to All Duo Customers

Trusted Sessions for Windows is available as part of all Duo product editions (Duo MFA, Duo Access and Duo Beyond) at no extra cost. Administrators decide which groups of users can use “Remember Me” and for how long.

For more information about Duo’s Windows login capability, read our documentation.


Resetting Passwords (and Saving Time and Money) at the IT Help Desk
Ginger Leishman (gleishman@duosecurity.com) | Product & Engineering | Tue, 21 Sep 2021 12:30:00 -0400
https://duo.com/blog/resetting-passwords-and-saving-time-and-money-at-the-it-help-desk

According to Gartner, 40% of all help desk calls are related to password resets — and those calls are expensive, with Forrester finding each password reset call costs an organization $70.

So it comes as no surprise that most businesses want to improve the productivity of their IT help desks and address the password reset cost problem. Many consider self-service solutions, possibly secured with Duo MFA, to help.

However, even the best self-service solution won’t eliminate all calls like these. And because help desk agents might feel pressure to reduce their ticket times (because time is money, after all) the focus on security can sometimes lapse.

For example, without a solution to enforce user identification at the help desk, organizations often rely on insecure methods like employee ID, which is vulnerable to a social engineering attack.

“Unfortunately, a lot of the methods currently used to verify users at the service desk today are insecure. Whether it’s employee ID or relying on recognizing someone’s voice, IT departments can do better.” —Darren Siegel, Product Specialist, Specops Software

Instead, IT teams can leverage solutions like Specops Secure Service Desk and Duo to address the need for improved efficiency and security.

How It Works

The help desk agent begins by looking up the user asking for assistance. Once they’re selected from the search results, we see a number of Quick Verification options, including Duo.

The options within Duo are dynamic, based on the user’s Duo enrollment. Duo Push is the easiest method, but if that’s unavailable the help desk can also request the one-time password (OTP) within the Duo app, or send an OTP via Duo SMS.

The user will receive a push notification on their device, with information about the help desk agent who requested it.

Once verified, the help desk agent can reset that user’s password right from Secure Service Desk and, if enabled, share the link to complete their self-service enrollment.

On the Reset Password screen, the agent is presented with the password policy rules for the end user (this works with native Active Directory password policies or Specops Password Policy as shown here). The user will need to change their password again at the next logon.

No Extra Enrollment Steps

When your users are already enrolled with Duo and have the Duo Mobile app installed, there are zero extra steps for them to take to verify their identities at the help desk with Specops Secure Service Desk.

Secure Service Desk is part of a larger authentication platform that enables self-service for password resets and encryption key recoveries. When used together, the solution can offer a consistent authentication process for users across all scenarios, utilizing Duo and more.

Do you need a secure process to verify users at the help desk? See how Secure Service Desk can help.

What's the Buzz on Passwordless?
Chrysta Cherrie (ccherrie@duosecurity.com) | Industry News | Thu, 16 Sep 2021 08:30:00 -0400
https://duo.com/blog/whats-the-buzz-on-passwordless

The passwordless future is sooner than you think. At Duo, we're building a passwordless authentication solution that’s as easy to set up as it is to use – with our world-class security baked in. Is passwordless a good choice for you, and how do you lay the foundation? Our experts have you covered.

What is Passwordless, Anyway?

See the video at the blog post.

In the Administrator’s Guide to Passwordless blog series, Tech Lead Jeremy Erickson covers everything you need to know to determine for yourself why passwordless authentication can be more secure and more usable than today’s leading authentication systems. But not every passwordless product or system meets the security high bar administrators need.

Your Journey Begins with Multi-Factor Authentication

See the video at the blog post.

Advisory CISO J. Wolfgang Goerlich details in our white paper, Passwordless: The Future of Authentication, how pairing passwordless technology with strong MFA to protect access across cloud and on-prem is a practical way to provide the broadest security coverage today. With MFA in place, you can reduce your reliance on passwords and modify password policies to require less frequent resets, alleviating help desk burden and reducing user frustration.

“We’ll remove the password down the road, but the first step really is reducing the security vulnerability and ensuring that we can rely on that strong factor, and we get there by beginning with multi-factor.”

MFA + Passwordless = Raising the Bar

See the video at the blog post.

In considering a passwordless solution, we want to raise the security bar, not lower it. Part of ensuring that passwordless is just as secure as multi-factor is ensuring that it is multi-factor.

Read about why MFA and passwordless are a powerful pair.

Passwords Are Safer Than Biometrics, PINs Are Just Passwords, and Other Tall Tales

See the video at the blog post.

On your path to passwordless, it’s key to separate fact from fiction around biometrics, PINs and passwords.

“Whatever form it takes, passwordless should be easy to deploy, increase security, and be frictionless for users.”

Learn more about common misconceptions related to passwordless authentication methods.

No Phishing, Please

See the video at the blog post.

To prevent phishing, your authentication solution should offer a few general properties.

“Passwordless should also raise the bar by substantially reducing or even eliminating the risk of phishing attacks. Any ‘passwordless’ solution that cannot meet this bar is simply inferior.”

Get a rundown of the properties you should look for in an authentication solution to prevent phishing, and the difference between platform and remote authenticators.

One Step at a Time

See the video at the blog post.

Passwordless is a leap forward on the path to a strong and usable authentication system, consisting of many individual steps that you must navigate.

“A phased approach to providing secure access for the workforce can take you closer to a fully passwordless future.”

Review the high-level phases of the passwordless journey.

Bonus: We Bid Passwords a Fond Farewell

Video Producer and Twitter sensation Ben Armes shares a poetic passage about the problem with passwords and welcoming a passwordless future.

See the video at the blog post.

Duo’s Passwordless Authentication Resources


The 2021 State of the Auth Report: 2FA Climbs, While Password Managers and Biometrics Trend
Chrysta Cherrie (ccherrie@duosecurity.com) | Duo Labs | Tue, 14 Sep 2021 08:30:00 -0400
https://duo.com/blog/the-2021-state-of-the-auth-report-2fa-climbs-password-managers-biometrics-trend

Duo Labs just released its third State of the Auth report, which takes stock of individuals’ experience and perception of 2FA in America and the U.K.

Adoption of two-factor authentication has substantially increased since we began conducting this research in 2017. However, considering only 32% of respondents report using 2FA on all applications where available, there’s still ample opportunity to improve 2FA adoption.

That Was Then, This is Now

2FA Usage Continues its Climb

Two-factor authentication has become notably more prevalent over the last two years, with 79% of respondents reporting having used it in 2021, compared to 53% in 2019 and 28% in 2017.

SMS Text Message Remains the Most Used Authentication Method

SMS (85%) continues to be the most common second factor that respondents with 2FA experience have used, up from 72% in 2019. Email is the second most common second factor (74%), with a notable increase compared to 2019 (57%).

While SMS is certainly more secure than no 2FA, there's room for improving security here. Other factors, such as push notifications and security keys, are more effective in preventing account takeovers.

2FA in the Workplace Drives Adoption

Among respondents who are currently employed, 2FA adoption is nearly 20% higher.

Of All Accounts, Users Perceive Banking as Most Important

Respondents continue to have money on their mind, with 93% considering financial accounts the most important to secure, up from 85% in 2019.

But in comparing user perception to reality, there's evidence that the impact of an email compromise is more harmful than a financial account compromise:

“Overall, email accounts are the most valuable online accounts as they are used to exchange sensitive information with banks, health services, and various online service providers. In addition, they are also often used as the recovery mechanism for other online accounts.”
—Elie Bursztein, Cybersecurity Research Lead, Google

Non-Traditional Authentication Methods Move the Needle

Two contemporary trends in primary authentication are password managers and biometrics. A password manager is a tool that securely stores a user’s existing passwords and can assist in the creation of new, more secure passwords. Instead of using something you know (username and password) as the primary factor, biometric authentication verifies identity with a user characteristic (such as a fingerprint).

In this survey, 32% of respondents report using a password manager, and 42% report using biometric authentication for at least some applications. A separate study conducted by Duo found the top two user privacy concerns about biometric authentication were attackers replicating a biometric (42%) and distrust of companies with personal biometric information (36%).

Explore our complete findings by downloading the 2021 State of the Auth report.

Expanding Duo’s International Footprint: New Data Centers Opening in Australia, Singapore and Japan
Ash Devata (ash.devata@duosecurity.com) | Product & Engineering | Wed, 01 Sep 2021 08:30:00 -0400
https://duo.com/blog/duo-new-data-centers-australia-singapore-japan

Organizations of all sizes and types are facing increasingly severe and complex security challenges. For the last ten plus years, we at Duo and Cisco have been on a mission to make it simple for businesses to easily secure access for their workforces and mitigate security risks. Today, I’m proud to announce a major milestone in this long journey.

We’ve expanded our data center presence to include Australia, Singapore and Japan, in addition to our existing presence in the United States, Canada, Ireland and Germany. The new cloud data centers allow Duo to better respond to the needs of our global customers, particularly in the government, financial and insurance industries, where data sovereignty continues to be one of the key requirements.

With compliance requirements putting pressure on customers to ensure that their data is secure, we've seen a large increase in demand for control over where cloud services are hosted. To that end, our data centers and services are ISO 27001 and SOC 2 compliant and have 99.99% service availability.

The new data centers will support our rapidly growing list of customers based in the region, as well as multinational customers whose workforce is based in various countries around the world.

International Expansion

The launch of the new data centers is part of Duo's international expansion strategy. All functionality from Duo’s zero trust platform, including multi-factor authentication (MFA), single sign-on (SSO), VPN-less remote access, device trust and adaptive risk-based policies, is available through these new data centers. Moving forward, passwordless authentication and other new features will be available in all of our data center locations simultaneously.

In 2022, we aim to launch additional data centers in the UK and India, giving multinational customers even more choice over service delivery location and helping them meet local regulatory requirements. As more companies move their workloads to the cloud and global SaaS regulations constantly evolve, these investments position Duo well for the long term and ensure parity for our customers regardless of their location.

Several teams from Duo and Cisco worked together to scope, prioritize and deploy these three data centers. The team executed well, despite the pandemic and everything else that’s happened over the last 18 months. Please join me in congratulating the teams and welcoming our new customers in Australia, Singapore and Japan.

Let’s continue to keep our workforces safe online!


User Group-Level Policy: The Sharpest Knife in the Drawer
Alyssa Boutelle (aboutelle@duo.com) | Product & Engineering | Tue, 31 Aug 2021 08:30:00 -0400
https://duo.com/blog/user-group-level-policy-the-sharpest-knife-in-the-drawer

Building a security strategy for a company is a balancing act. How do you protect your organization without imposing an unnecessary burden on your employees? If you put too many locks on the door, sooner or later, the window will start to look like a viable option.

Using Duo’s Policy Engine empowers security professionals and IT administrators to put the right locks on the right doors. Policy is the tool that allows you to specify who gets access to what, from where, and through what authentication method.

Like onions, ogres and parfaits, your company’s security policy comes in layers. First is Global Policy, which is required and applies everywhere, all the time. Then, you can create custom policy by layering Application Policy, which is specific to a single application and works in addition to Global Policy. Finally, there’s Group Policy, for which you define a policy to apply to a specific group of Duo end users in your company, and it works in addition to Global Policy and Application Policy.

When it comes to creating your layers, some companies use Global Policy to build their strictest level of protection and then carve out exceptions for areas which only require lighter touches of security using Application and Group Policies. This methodology is considered best practice. Other companies choose to take an additive approach. Their Global Policy covers the solid basics, and then they layer on more strict controls to protect those applications and users which need tighter security.

Group Policy is the most granular policy control. It’s at the top of the hierarchical policy stack, allowing Duo administrators to precisely define how certain users can access company resources. However, right now, only 11% of Duo customers are taking advantage of this precision tool. The sharpest knife in the drawer can be intimidating to use if you’re not sure how to wield it! 

Let’s take a look at three cases where Group-Level Policy is effectively being used to balance a company’s security posture with reasonable ease of access for their employees.

Use Group-Level Policy when some of your users have a significantly different risk profile than others

A hospital has, in the past, experienced cybersecurity threats that originated from outside of where they are based in the United States. These threats prompted them to implement a Global Policy which denied all access requests coming from abroad. However, they sometimes have doctors who do medical mission trips to other countries and need to access hospital systems while traveling. In this case, these doctors temporarily have a higher risk profile but should still be granted access. The hospital uses a Group-Level policy to temporarily, during the time period of travel, adjust the geography-based access controls and allow an exception to the Global Policy for specific users. The hospital’s base layer of security stays strict, but all users get the access they need.

Use Group-Level Policy when some of your users have a different normal context, such as frequency of access requests, than others

A construction company recognizes that an IT administrator and a contractor working on a construction site log into sensitive systems at different frequencies. That has a couple of implications: first, the more frequent the access requests, the more frustrating it is to have to repeatedly authenticate. Second, the less frequent the access requests, the less savvy a user is at spotting a phishing attempt. This company set up Group-Level policies to specify which authentication methods different Duo end users could use. This enabled them to mitigate push notification phishing risks from busy contractors in the field and to alter how long a system would remember a user’s login, to alleviate push fatigue for IT administrators.

Use Group-Level Policy when you want to designate a test group for new Duo features or settings

Many companies will designate a group of users, often made up of IT professionals, to be the first to have any new Duo Policy applied to them or be the first to test out exciting new Duo features or products. Having this smaller pool of users to give feedback can build your confidence in trying out Duo’s capabilities to their fullest.
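The three-layer model (Global, then Application, then Group) and the three cases above, the hospital's geography exception, the construction company's per-group authentication methods and Remember Me durations, and the pilot group for new settings, modelled as an added Python example. This is not Duo's Policy Engine code: the setting names, the group and application names, the sample country code, and the rule that a later-listed group policy wins when two apply to the same user are all assumptions made here; the post only states that Group Policy sits on top of Application Policy, which sits on top of Global Policy.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

# Layer precedence modelled from the post: Group overrides Application, which
# overrides Global. Assumption: when several group policies apply to one user,
# the one listed last wins (Duo's real ranking rules are not described here).
PRECEDENCE = {"global": 0, "application": 1, "group": 2}


@dataclass
class PolicyLayer:
    name: str
    scope: str                      # "global", "application" or "group"
    settings: Dict[str, Any]        # only the keys this layer sets or overrides
    app: Optional[str] = None       # set for application scope
    group: Optional[str] = None     # set for group scope


def applicable_layers(layers: List[PolicyLayer], app: str, groups: List[str]) -> List[PolicyLayer]:
    """Select the layers that apply to this user/app pair, lowest precedence first."""
    chosen = [layer for layer in layers
              if layer.scope == "global"
              or (layer.scope == "application" and layer.app == app)
              or (layer.scope == "group" and layer.group in groups)]
    # sorted() is stable, so layers of equal precedence keep their listed order
    return sorted(chosen, key=lambda layer: PRECEDENCE[layer.scope])


def effective_policy(layers: List[PolicyLayer], app: str,
                     groups: List[str]) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Merge the applicable layers and report which layer decided each setting."""
    merged: Dict[str, Any] = {}
    source: Dict[str, str] = {}
    for layer in applicable_layers(layers, app, groups):
        for key, value in layer.settings.items():
            merged[key] = value
            source[key] = layer.name
    return merged, source


def authorize(policy: Dict[str, Any], country: str, method: str) -> Tuple[bool, str]:
    """Apply the merged settings to one access request (country of origin, chosen factor)."""
    countries = policy.get("allowed_countries")
    if countries is not None and country not in countries:
        return False, f"access from {country} is not allowed"
    methods = policy.get("allowed_methods")
    if methods is not None and method not in methods:
        return False, f"authentication method {method} is not allowed"
    return True, "allowed"


# Constructed policy set: a strict Global layer with carve-outs per application and group.
LAYERS = [
    PolicyLayer("Global", "global", {
        "allowed_countries": {"US"},
        "allowed_methods": {"push", "passcode", "security_key"},
        "remember_me_hours": 8,
    }),
    PolicyLayer("EHR app", "application", {"remember_me_hours": 1}, app="ehr"),
    # Hospital: doctors on a mission trip get a temporary geography exception ("KE" is a sample country)
    PolicyLayer("Mission trip doctors", "group", {"allowed_countries": {"US", "KE"}}, group="mission-trip"),
    # Construction company: contractors cannot use push; admins keep a longer Remember Me
    PolicyLayer("Field contractors", "group", {"allowed_methods": {"passcode", "security_key"}},
                group="field-contractors"),
    PolicyLayer("IT admins", "group", {"remember_me_hours": 72}, group="it-admins"),
    # Pilot group sees a new setting before anyone else
    PolicyLayer("Pilot testers", "group", {"new_feature_enabled": True}, group="pilot"),
]


def scenarios() -> Dict[str, Any]:
    """Evaluate the post's three cases against the constructed layers."""
    out: Dict[str, Any] = {}
    doc_home, _ = effective_policy(LAYERS, "ehr", [])
    doc_trip, src = effective_policy(LAYERS, "ehr", ["mission-trip"])
    out["doctor_abroad_no_group"] = authorize(doc_home, "KE", "push")[0]
    out["doctor_abroad_with_group"] = authorize(doc_trip, "KE", "push")[0]
    out["doctor_countries_source"] = src["allowed_countries"]
    out["ehr_remember_hours"] = doc_home["remember_me_hours"]
    contractor, _ = effective_policy(LAYERS, "timesheets", ["field-contractors"])
    admin, _ = effective_policy(LAYERS, "timesheets", ["it-admins"])
    out["contractor_push"] = authorize(contractor, "US", "push")[0]
    out["contractor_passcode"] = authorize(contractor, "US", "passcode")[0]
    out["admin_remember_hours"] = admin["remember_me_hours"]
    out["pilot_flag"] = effective_policy(LAYERS, "timesheets", ["pilot"])[0].get("new_feature_enabled", False)
    out["everyone_else_flag"] = effective_policy(LAYERS, "timesheets", [])[0].get("new_feature_enabled", False)
    return out


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:28s} = {value}")
```

The provenance map returned alongside the merged settings is the useful part for an administrator: when a user's effective policy looks wrong, it says which layer set the value, which is exactly the question the "sharpest knife" tends to raise.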

In each of these cases, Group-Level policy served to balance the organization’s security needs and a low-friction user experience. Updating policy doesn’t always mean making sweeping changes to a company’s overall security settings. Policy is the tool you need to make precision strikes that address the unique risks your company faces while doing the job that you and your company are there to do.


Lessons from a Former K-12 Teacher: How Duo Brings Cybersecurity to the Head of the Class
Jennifer Golden (jgolden@duo.com) | Product & Engineering | Wed, 25 Aug 2021 08:30:00 -0400
https://duo.com/blog/lessons-from-a-former-k-12-teacher-how-duo-brings-cybersecurity-to-head-of-the-class

As a former high school history teacher, I used to love teaching lessons that used technology. It allowed the class not only to learn facts, but also to practice their critical thinking skills — evaluating the reliability of a source, analyzing a variety of primary and secondary documents, and corroborating information in order to develop independent views on what is important and true.

However, incorporating technology was not as simple as logging on to a computer. The process started with reserving the computer cart about a week in advance. On the day of the lesson, I would pick up the cart from the office and distribute the computers to my students. Inevitably, there were some computers that weren’t charged, so they had to go back in the cart and students had to shuffle around to get access to chargers.

If the computer required a password, I needed to go around the classroom and enter the password on each computer, because teachers weren’t allowed to share the credentials with students. There was also the looming, and realistic, possibility that the wifi would go out, meaning I was always prepared with back-up paper documents.

I share this with you to illustrate the challenging logistics that educators often face to get a classroom of 25 K-12 students online. Considering that you only have 45 minutes with those students, the situation takes on more urgency. And you might not realize that there were few, if any, security measures in place to ensure that students were not risking their own data and privacy.

Since joining Duo Security, I’ve realized that security should not be overlooked, regardless of how many people are impacted or their self-perceived level of importance. This is especially true with the rise in ransomware and data breaches in 2020, specifically among K-12 schools.

In our new world of virtual learning and cloud applications, it’s not enough to hand out logins and passwords, considering that 81% of breaches come from stolen credentials. However, as a teacher, if you had asked me to incorporate another step into logging onto the computer, I would have said it can’t be done. 

If schools want to successfully implement a security solution, it must be simple, fast and teacher-friendly. In my opinion, Duo checks those boxes with a clear focus on design and ease of use (just tap the big green button to log in). All schools want to ensure that they don’t get breached and that the data of their teachers, staff and students are protected online — and Duo provides the tools to make that happen without disrupting learning. 

When I think back to my time in the classroom, I remember the feeling that I couldn’t add more to my plate. It seemed like every new policy or requirement made our job more difficult, rather than providing the resources we desperately needed. Security shouldn’t feel like a burden, and Duo offers a solution that both teachers and schools can get behind. We owe it to our students to unlock the use of technology and make it easy to be safe online.


<![CDATA[Teamwork Makes the Dream Work: Why We Thrive on Collaboration]]> jbammel@duo.com (Jen Bammel) https://duo.com/blog/teamwork-makes-the-dream-work-why-we-thrive-on-collaboration https://duo.com/blog/teamwork-makes-the-dream-work-why-we-thrive-on-collaboration Industry News Wed, 18 Aug 2021 08:30:00 -0400

From knocking out high-velocity sprints to successfully delivering key features, everyone on the Endpoint Health team here at Duo really feels like they’ve hit their stride. Handling customer issues quickly and efficiently, and having in-depth, successful technical conversations have become normal, expected occurrences within the team, which provides us with a great sense of accomplishment. Looking at these things together, we asked ourselves why. What have we been doing well that produced successive sprints and left us feeling accomplished and proud of our team’s work?

The answer wasn’t just one thing, but rather a combination of factors among our team that have contributed to our success. Even better, these factors aren’t unique to our team; they’re as relevant for engineers as they are for a creative team, customer support, and everyone in between.

There's no single, easy answer, but we think we've found some of the reasons we love working together. Ensuring effective communication, fostering a sense of ownership over your product, and maintaining a general sense of positivity all work together to create a successful, cohesive team.

Communication is Key

Communication now, more than ever, is vital to our daily operations as a team. Word choices can make all the difference in fostering team unity. Using “we” and “us” instead of “I” and “me” can make successes feel bigger and failures feel smaller. For example, instead of saying “When I worked on the feature,” you could instead say, “When we worked on the feature.” This language switch helps to solidify a unified front as a team, where everyone feels recognized for their contributions to the product overall.

An easy way to make this kind of communication more natural is to nurture the personal connections between everyone on the team. The microinteractions throughout a normal day in the office have disappeared, and video calls have seemingly been forced into all-business mode. This change to remote work removes a lot of the “chit chat” that naturally happens in a workspace, so it's important to encourage any level of non-work-related conversations that happen during video chats. For example, we’ve added a weekly “icebreaker” to our first standup of the week — it helps us get to know each other better and find common interests.

When people feel a personal connection with their teammates, they’re more likely to communicate when they need help, or are more likely to support other members on the team both when they need help and when they need positive reinforcement. Something that Duo uses to further influence better communication between team members is assessing how each person likes to be communicated with, and giving a central location for you to double check that you’re communicating with someone as effectively as you can.

Some people react positively to long, detailed conversations, while others prefer getting straight to the point. Some people prefer discussing issues over whatever chat system you use, while others prefer face-to-face conversation. It's critical to keep those things in mind when interacting with one another to ensure effective, positive discourse among your team.

Everyone Should Feel Ownership of the Team’s Product

Every team has a product. Whether it’s a marketing campaign, a big sale, or a piece of software, every team owns something. In most cases, a single individual is not responsible for that entire product, as there have been designs discussed, opinions solicited, products reviewed, and many other steps taken before that product is released.

A great way to foster a team-centric success/failure mindset is to set goals to achieve as a team, and then break down the goals into pieces that each team member can own. An important thing to note here is that the goals are not “handed down” to the team — they’re set by the team and worked on as a team. Feeling ownership over the products you create makes it natural to jump at the chance to help when improvements are needed or a bug needs immediate attention.

Developing a sense of ownership comes from every member of the team. Encourage each other to own pieces of a project, set goals that everyone can work toward, and if you’re an expert in an area, try not to dominate the conversation — let others contribute!

If everyone on the team feels that same sense of ownership, issues no longer slip through the cracks. Instead of one or two people consistently supporting issues, everyone focuses together because everyone is driven by the same overarching goal. Everyone feels driven to ensure that a project or a task is completed, both in the code sense and in the sense of ensuring it’s delivered to the end user.

Succeeding and Failing as a Team

Along with any kind of product comes success and failure. It’s important to realize that both of those outcomes are built upon the contributions that preceded them. Our team celebrates successes by taking the time to recognize achievements as often as possible. This could be as simple as telling someone their code review is awesome, or by sending out a wider shout-out communication to highlight when someone on the team has done an excellent job. 

We also struggle through challenges together, like when bugs in production have caused us to drop what we’re doing and rally to find the solution as a group. In those situations, instead of being mired in a battle of blame and shame, we focus on finding the solution, and acknowledge the fact that we both succeed and fail as a team. Everyone makes mistakes, and it’s important to ensure that everyone on the team knows they’ll be supported when or if they make an error.

Additionally, it’s important to realize that when something goes wrong, it’s rarely a single team member’s fault. Between code reviews and other checks and balances to ensure the work and responsibility are evenly distributed across team members, it's rare to find instances where issues can truly boil down to one person. Supporting each other in those times of failure can lead to a better, more positive team dynamic.

A Positive Atmosphere

A large portion of our team’s success comes from a general sense of positivity, but this doesn’t always mean that our day-to-day operations always bring happy feelings. From unexpected outcomes of a research task to customer calls that leave you feeling defeated, everyone on the team has an opportunity to encourage each other and, in turn, strengthen the team.

Positivity is much easier to talk about than to actually feel. Even describing positivity within a team seems so simple to talk about, yet so difficult to build. We each see the world and interact with it differently. This means one team member may come out of a customer call feeling defeated after seeing an unhappy customer, but another sees so much exciting potential. Both of them play a key role in encouraging the team — the former to make a better product to please customers, and the latter to energize.

In addition to helping in times of strife, positivity also helps to ensure all team members feel valued. You can show it by recognizing a team member’s hard work, or by recognizing the strengths of the team in general. One way we work to create a positive atmosphere is by talking about our “happys and sads” in our sprint retrospectives, which cover both work-related and personal events. The “sads” are conversation topics we can address as a team and do our best to prevent in the future. The “happys” become things we can celebrate together.

Final Thoughts

If we had to summarize in one word what makes our team effective, it’d be trust. We acknowledge that trust is not something that comes quickly or easily. It has to be built and maintained over time. Open communication, a shared sense of ownership, working as a team, and a positive environment all drive trust forward and, in turn, reinforce each of those attributes. Fostering an environment where each piece is encouraged can drive any team forward.

That said, our team doesn’t have everything figured out. The team consists of individuals who have unique personalities, handle stress differently, and tackle problems in various ways. We’re growing and changing every day, so every time we sit at our desks in the morning, the team looks different. We’ve realized recently that we’ve been working well together, but we can always move forward and learn together as we continue to grow as a team.

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!


<![CDATA[Duo Makes Verifying Device Trust as Easy as 1-2-3]]> gumapathy@duosecurity.com (Ganesh Umapathy) https://duo.com/blog/duo-makes-verifying-device-trust-as-easy-as-123 https://duo.com/blog/duo-makes-verifying-device-trust-as-easy-as-123 Product & Engineering Mon, 16 Aug 2021 12:29:00 -0400

“There are primarily three ways you can authenticate someone: with their username and password, with two-factor authentication, and with a company-supplied device that you can trace. For most stuff, you should have two of those things. For critical things, you should have all three.”
—Alex Stamos, Former Chief Security Officer, Facebook, in WIRED magazine

Adopt a Defense-in-Depth Strategy With Device Trust

Identifying what devices are accessing corporate applications is critical to understanding the overall security posture of an organization and reducing the risk of unauthorized access.

  • Unknown devices offer the lowest level of trust because they’re beyond the control of the IT department.
  • Enforcing security requirements such as OS updates and disk encryption helps organizations set a baseline for healthy and compliant devices.
  • For critical applications and environments with sensitive data (e.g., HIPAA compliance in healthcare or PCI compliance in retail), organizations need to ensure that only managed devices are authorized to access.

Security practitioners are always looking to minimize risk of a data breach, and a common framework to achieve this goal is by leveraging a defense in-depth strategy. Implementing device-based access policies follows this framework by layering on authentication and authorization controls, raising the bar for cyber criminals looking to gain unauthorized access. Even if an attacker compromises an employee’s credentials and somehow manages to get around multi-factor authentication, they would still need to access the application using a compliant and/or managed device.

Establishing Device Trust, Simplified

Since 2017, Duo has enabled organizations to identify if a device is enrolled in the corporate management system and apply device-based access policies based on the management status. Duo administrators may be familiar with the Trusted Endpoints policy, which typically relies on device certificates to verify the management status.

At Duo, we constantly seek feedback from customers to understand their pain points. One recurring comment from customers was that the deployment and management overhead of device certificates impacted the policy implementation. 

Administrators want an easier way to verify the enrollment status of devices in corporate management systems without having to deal with digital certificates. And security practitioners want to ensure that critical applications are accessed only from managed devices.

Enter Duo’s Device Health Application. The lightweight client application that was released in 2019 helps organizations enforce device-based access policies around security requirements such as:

  • OS version (including minor versions)
  • presence of security agents (e.g., CrowdStrike, Cisco Secure Endpoint, Symantec)
  • host firewall status
  • password status
  • disk encryption status

We’re excited to share that administrators can now use the Device Health application to easily enforce the Trusted Endpoint policies for devices that are Active Directory domain-joined or enrolled in Jamf Pro. Other device management tools will be supported soon — stay tuned! 

Duo’s Device Health application now collects unique device identifiers (UUIDs) and, at the time of authentication, verifies whether that device has been enrolled in the enterprise management system. This novel approach eliminates the need for device certificates, helping organizations balance security with usability.
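To make the layering concrete, here is an added Python illustration, not Duo’s code, of how a device-based access decision can sit behind the credential and MFA checks: the device’s health signals (OS version, firewall, password, disk encryption, security agent) set a baseline, and a UUID lookup against the management inventory distinguishes a merely healthy device from a managed one. The device IDs, the OS version baseline, and the application classes are constructed assumptions; the point is that a stolen credential plus a bypassed second factor still fails on an unmanaged device.

```python
"""Device-trust policy evaluation (constructed illustration, not Duo code)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Set, Tuple


class Trust(IntEnum):
    """Trust tiers in increasing order, mirroring the post's bullets."""
    UNKNOWN = 0   # no health report, or the report fails the baseline
    HEALTHY = 1   # passes the security-health baseline
    MANAGED = 2   # healthy *and* its UUID is in the management inventory


@dataclass(frozen=True)
class DeviceReport:
    """What a health client reports at authentication time (constructed)."""
    uuid: str
    os_version: Tuple[int, ...]   # e.g. (12, 4, 0)
    firewall_on: bool
    disk_encrypted: bool
    password_set: bool
    security_agent: bool          # an endpoint security agent is present


# Assumed inventory: UUIDs of devices enrolled in the management system
# (domain-joined or MDM-enrolled). Values are constructed placeholders.
MANAGED_UUIDS: Set[str] = {
    "4f3b2a10-aaaa-4c1e-9d2f-000000000001",
    "4f3b2a10-aaaa-4c1e-9d2f-000000000002",
}

MIN_OS_VERSION = (12, 3)   # assumed baseline, minor version included

# Assumed policy: minimum trust tier each application class requires.
APP_POLICY = {
    "critical": Trust.MANAGED,   # e.g. systems holding regulated data
    "standard": Trust.HEALTHY,
    "public": Trust.UNKNOWN,
}


def meets_health_baseline(r: DeviceReport) -> bool:
    """All health checks must pass; tuple comparison handles minor versions."""
    return (
        r.os_version >= MIN_OS_VERSION
        and r.firewall_on
        and r.disk_encrypted
        and r.password_set
        and r.security_agent
    )


def classify_device(report: Optional[DeviceReport],
                    inventory: Set[str] = MANAGED_UUIDS) -> Trust:
    """A managed device that fails the health baseline is still untrusted."""
    if report is None or not meets_health_baseline(report):
        return Trust.UNKNOWN
    if report.uuid in inventory:
        return Trust.MANAGED
    return Trust.HEALTHY


def authorize(app_class: str, mfa_passed: bool,
              report: Optional[DeviceReport]) -> Tuple[bool, str]:
    """Layered decision: credentials and MFA first, then device trust."""
    if not mfa_passed:
        return False, "mfa required"
    required = APP_POLICY[app_class]
    tier = classify_device(report)
    if tier < required:
        return False, f"device trust {tier.name} below required {required.name}"
    return True, f"allowed with device trust {tier.name}"


if __name__ == "__main__":
    corporate = DeviceReport("4f3b2a10-aaaa-4c1e-9d2f-000000000001",
                             (12, 4, 0), True, True, True, True)
    byod = DeviceReport("ffffffff-0000-4c1e-9d2f-000000000099",
                        (12, 4, 0), True, True, True, True)
    # Attacker with stolen credentials and a bypassed second factor, but on
    # a device that is not in the inventory: denied for the critical app.
    print(authorize("critical", True, byod))
    print(authorize("critical", True, corporate))
```

The ordering matters: the device check never substitutes for MFA, it is evaluated only after MFA has passed, which is what makes it an additional layer rather than an alternative.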

Enable Trusted Endpoints In Three Easy Steps

Duo has made configuring and applying Trusted Endpoints policy as easy as protecting an application. Administrators can get started in just three simple steps: 

1. Create an integration in the Duo admin panel by navigating to the Trusted Endpoints Configuration and selecting your device management tool.

2. Configure your device management system, and input the information in the Duo admin panel to complete the integration.

3. Deploy Duo Device Health application on the managed devices, and apply the policy to Duo-protected services and applications.

Benefits of using Device Health Application to Verify Device Trust:

  • Enables trusted endpoints policy in five minutes or less!
  • Eliminates overhead due to certificate deployment, management or expiration
  • Performs real-time and reliable device identity and security health checks 
  • Reduces dependency on third party PKI infrastructure 
  • Provides broader support for browsers and compatible thick client applications 
  • Supports environments with shared workstations

In Conclusion: Balance Security With Usability

Enforcing Trusted Endpoints policy using Device Health application significantly reduces certificate deployment and management hassles for organizations, while providing similar security benefits and raising the bar for cyber criminals to compromise internal systems. 

We’re excited for our customers to try this new approach and share feedback. If you’re not a Duo customer, sign up for a free trial and reach out to a Duo representative to try this feature. 


Recommended Reading: Check out our ebook, Anatomy of A Modern Phishing Attack, to learn how trusted devices, zero trust, adaptive user policies and more can thwart phishing before it can result in a data breach.

<![CDATA[Policy Hardening, and Why Your Security Posture Should Evolve With Your Business Needs]]> jduggan@duosecurity.com (Joe Duggan) https://duo.com/blog/policy-hardening-and-why-your-security-posture-should-evolve-with-your-business-needs https://duo.com/blog/policy-hardening-and-why-your-security-posture-should-evolve-with-your-business-needs Product & Engineering Thu, 12 Aug 2021 12:30:00 -0400

When’s the last time you finished a project — say, implementing a new cloud integration — without any hiccups or surprises? If you’ve accomplished this recently, congratulations (and please teach me how you did it)! If you haven’t, you’re in good company.

According to Duo’s cloud data provider, our average mid-market customer manages 20 application integrations in their environment. Controlling this access throughout your environment and ensuring the right people get the right access at the right time is incredibly difficult. That’s a key factor in why Gartner’s CARTA model emphasizes how important it is to “continuously discover, monitor, assess, and prioritize risk — proactively and reactively.” So what are we to do in the face of this complexity? 

Let’s start with the basics. Your security posture must be designed to serve business access needs within your specific risk context. But business needs and risk environments are constantly changing. Given the changing landscape, you must constantly evaluate and readjust your access policies and posture. That’s where machine learning tools come in, like Trust Monitor, which can identify and flag anomalous events for you to review, providing the context necessary to understand an event’s impact for your unique scenario. From here, you can remediate the event and fine-tune your policy.

Duo Trust Monitor's Risk Profile flow enables administrators to select a prioritized set of Duo-protected applications, user groups, and locations/IPs.

Trust Monitor helps you gain visibility by leveraging Duo's enriched, historical authentication data, shedding light on what's normal, and what’s atypical, as users and devices access your corporate environment. Understanding anomalous access enables you to harden security posture as well as policy; detect and remediate access risk; and step access requirements up (or down) accordingly. Because it operates on carefully calibrated machine learning models, Trust Monitor can continuously react to changes without your manual input.  

What does this look like in practice? The general process is like this, while Trust Monitor runs in the background:

  1. Because of your business needs and risk environment, you set up a new application, protected by Duo.
  2. Something changes, either among your business needs or your risk environment. This could be as significant as the shift to remote work brought on by the COVID-19 pandemic, or as routine as onboarding a new contractor or introducing a new application.
  3. Trust Monitor continually trains itself on what “normal” looks like in your environment. When it finds that something has changed, it creates a new definition of what “anomalous” behavior looks like.
  4. This new anomaly is flagged for review, you’re able to fix the environment, and your company’s security posture is better off for it.
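As an added illustration of the baseline-then-flag loop in steps 3 and 4 (this is not Duo’s code or Trust Monitor’s model), here is a small Python detector: it learns a per-user baseline of countries, devices and applications from constructed login history, scores each new event by how many of those dimensions are unseen for that user, adds weight when the application is in an assumed priority list (standing in for the Risk Profile), and folds an event back into the baseline once an administrator has reviewed it and accepted it as the new normal.

```python
"""Baseline-and-flag anomaly detection over login events (constructed example)."""
from typing import Dict, List, NamedTuple, Set, Tuple


class AuthEvent(NamedTuple):
    user: str
    country: str
    device: str
    app: str


# Constructed login history: the "normal" the baseline is learned from.
HISTORY = [
    AuthEvent("alice", "US", "laptop-a1", "mail"),
    AuthEvent("alice", "US", "laptop-a1", "vpn"),
    AuthEvent("alice", "US", "phone-a2", "mail"),
    AuthEvent("bob", "US", "laptop-b1", "mail"),
    AuthEvent("bob", "CA", "laptop-b1", "hr-portal"),
]

# Assumed priority list: applications the administrator has flagged as sensitive.
PRIORITY_APPS = {"hr-portal", "patient-records"}

DIMENSIONS = ("country", "device", "app")
Baseline = Dict[str, Dict[str, Set[str]]]


def accept_as_normal(base: Baseline, e: AuthEvent) -> None:
    """Fold an event into the user's profile (also how review feedback lands)."""
    profile = base.setdefault(e.user, {d: set() for d in DIMENSIONS})
    for d in DIMENSIONS:
        profile[d].add(getattr(e, d))


def build_baseline(events: List[AuthEvent]) -> Baseline:
    """Per user, record every country, device and app seen in the history."""
    base: Baseline = {}
    for e in events:
        accept_as_normal(base, e)
    return base


def score_event(base: Baseline, e: AuthEvent) -> Tuple[int, List[str]]:
    """One point per dimension never seen for this user; +1 for a priority app.

    A user with no history at all scores on every dimension, so first-seen
    accounts surface for review rather than slipping through.
    """
    profile = base.get(e.user, {d: set() for d in DIMENSIONS})
    reasons = [f"new {d}: {getattr(e, d)}"
               for d in DIMENSIONS if getattr(e, d) not in profile[d]]
    score = len(reasons)
    if score and e.app in PRIORITY_APPS:
        score += 1
        reasons.append("prioritized application")
    return score, reasons


def flag_anomalies(base: Baseline, events: List[AuthEvent],
                   threshold: int = 2) -> List[Tuple[AuthEvent, int, List[str]]]:
    """Return events whose novelty score meets the threshold, for review."""
    flagged = []
    for e in events:
        score, reasons = score_event(base, e)
        if score >= threshold:
            flagged.append((e, score, reasons))
    return flagged


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    incoming = [
        AuthEvent("alice", "US", "laptop-a1", "mail"),        # routine
        AuthEvent("alice", "DE", "kiosk-9", "hr-portal"),     # new everything
        AuthEvent("carol", "US", "laptop-c1", "mail"),        # unknown user
    ]
    for event, score, reasons in flag_anomalies(baseline, incoming):
        print(score, event, reasons)
    # After review, an admin accepts the contractor's new location as normal.
    accept_as_normal(baseline, incoming[1])
    print(score_event(baseline, incoming[1]))   # scores 0 from now on
```

A single new country scores below the default threshold on its own, so a traveling employee is not flagged, while a new country combined with an unfamiliar device and a sensitive application is. The accept step is the part that keeps a detector like this from re-flagging a legitimate change every day.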

The Security Events dashboard allows administrators to review events surfaced by Duo Trust Monitor based on their anomaly score and other factors, like Risk Profile designation.

Since releasing Trust Monitor earlier this year, we’ve heard dozens of stories from our customers about how Trust Monitor has helped them improve policy. At Duo, we call this “policy hardening,” and we think it’s an important practice for good security hygiene. Let’s take a quick look at some of these policy hardening success stories:

Securing a National Retailer's Storefronts

A national retailer rolled out updated multi-factor authentication (MFA) policies. They implemented these new policies starting with the Security team, followed by the IT team, and finally to headquarters and in-store teams. However, due to a misconfiguration in their Identity and Access Management system, a retail store was included in this rollout and enabled with MFA before the team was properly trained. Trust Monitor spotted the anomalous access from the improperly enrolled store, and the retailer was able to fix the misconfiguration before it negatively impacted their Sales team.


Enforcing a Law Firm’s Client Data Protections

A mid-sized law firm has a strict set of company guidelines and information security protocols implemented in order to prevent customer data from leaving the country. Trust Monitor has been invaluable to them as they maintain visibility of what information is accessed where — and, more importantly, when access to data is attempted from out of compliance. This awareness empowers them to shore up their data governance and policy enforcement.


Allowing Access as Needed for a Healthcare Provider

A healthcare provider has critical patient information that needs to be shared with third-party providers, insurers and other interested parties. Because of the uncompromising requirements they have for patient health data, they set a strict global policy limiting access outside of the US. However, business requirements changed, and they contracted with an international supplier.

Trust Monitor flagged these access attempts for review, giving the healthcare provider an understanding of where their sensitive patient information was being used. The company updated their blanket policy to be more granular in allowing access from partner locations, but not too broadly across other regions. Because of Trust Monitor, the company was able to find the right balance of access and security for their business needs. 


Duo Trust Monitor provides detailed information and additional context around anomalous access attempts, as well as a timeline of the access events surrounding it.

Each of these Duo customers has a complex IT environment, security concerns and risks, and business needs that must be met — and each of these environments, concerns, risks and needs are changing. Trust Monitor has proven to be useful to these customers in understanding their environment as it evolves and continuing to serve their customers and employees with the convenience and security that they need to get their work done.


<![CDATA[Connectedness and Culture: My Summer as an Employee Programs Intern]]> ltsai@duo.com (Lucia Tsai) https://duo.com/blog/connectedness-culture-my-summer-as-an-employee-programs-intern https://duo.com/blog/connectedness-culture-my-summer-as-an-employee-programs-intern Industry News Fri, 30 Jul 2021 08:30:00 -0400

As I write, it’s been two months, one day, and nine hours since I began my internship at Duo. In celebration of Intern Week on the blog and my two-months-ish milestone, take a step back with me as I reflect on my journey through the virtual doors of Duo!

How did you get here?

A few weeks before my sophomore year in college, I made a last-minute addition to my fall course load: the class Organizational Management in Startups. Not only did I find myself surprisingly fascinated by the fast-paced spontaneous startup environment, I also learned about Duo as a successful Ann Arbor startup.

My interest in people organization began in my senior year of high school, where I had the opportunity to take on a similar, albeit simplified, role. I fell in love with advocating for people and developed the belief that a company’s employees are truly its greatest assets. Imagine my excitement when I found not only internship openings at Duo, but coincidentally an opening on the Belonging Team — a more perfect opportunity could not exist! I immediately started working on my application, harboring hopes of working at Duo, and the rest was history.

Okay, so what exactly do you do as an Employee Programs Intern?

Great question! On a broader scale, I help out the Belonging Team with a number of internal programs. More specifically, I work with my manager Emily Boring, Global Events Manager, on Global Events. I’ve had the amazing opportunity to observe the planning processes behind successful events such as a Fireside Chat with Daniel Dae Kim and the Duo Pride Celebration. A day in my life at Duo is never the same, which I appreciate so much! One day I may spend hours brainstorming projects and writing, stopping occasionally to chat with vendors or ask for peer reviews. Or I may bounce from meetings with my manager to conducting listening tours around Duo and pitching in to help with other Belonging Team projects. Typically, my days are a mix of the two, with ample personal focus time and collaboration time.   

Duo's Decades Party, hosted by DJ Graffiti

Tell me more about the projects you’ve been working on this summer!

My main project for summer was to create a virtual summer social for Duo that would bring renewed fun energy and offer opportunities for Duo team members to connect. This culminated in the Duo Decades Party, featuring DJ Graffiti spinning songs from the 1970s to today, plus a throwback outfit contest and other activities.

Other projects on my plate this summer include a guide for virtual team building (coming soon to the Duo wiki) and a virtual event proposal for future company celebrations. 

The Duo Decades Party was a blast! What did you enjoy most about the experience?

On the other hand, did you run into any challenges? If so, what did you learn from them?

Something people may not know about event planning is that there are a lot of moving pieces. Originally, my main project consisted of a series of three to four events. After continuous discussions with the team, however, the focus narrowed to one event. Even a few days before Decades Party, details were still evolving. It was sometimes tough to navigate changes and feedback, but from this experience I learned the value of getting a diverse set of perspectives.

Without the Internal Communications team (thank you, fellow intern Hannah!), I wouldn’t have considered the cadence and tone of communications. I also consider myself lucky to be able to draw on the expertise of both Emily Boring and Head of Employee Programs Emily Reid in designing inclusive and fun social programs.

The best part is that nothing ever goes to waste! For example, one virtual event proposal I built out will make an appearance in a future Belonging Team event. Being flexible and open to new ideas was definitely essential in navigating these roadblocks and helped the experience tremendously. 

What advice do you have for future interns?

The first thing I’d say is to stay organized in whatever way that looks for you. I personally found it super helpful to block out times on my Outlook calendar to focus on completing self-designated action items. I also keep a notebook of notes from meetings that I can refer to later on.

Secondly, be flexible and receptive to feedback. Others may point out things you overlooked or offer creative new ideas. Be appreciative of them, because it helps enhance your work overall, but also feel empowered to stand up for your ideas!

Lastly, time goes by fast — take advantage of the resources available and get to know the lovely and kinder than necessary folks around you!


<![CDATA[Administrator's Guide, Part 4: Phases of a Passwordless Rollout]]> jerickson@duo.com (Jeremy Erickson) https://duo.com/blog/administrators-guide-part-4-phases-of-a-passwordless-rollout https://duo.com/blog/administrators-guide-part-4-phases-of-a-passwordless-rollout Duo Labs Thu, 29 Jul 2021 08:30:00 -0400

Part of our Administrator's Guide to Passwordless blog series


If you’re considering passwordless authentication for your organization today, you’ve probably been thinking for a while about a holistic authentication strategy. Passwordless is a leap forward on the path to a strong and usable authentication system, consisting of many individual steps that you must navigate.

Let’s start by reviewing the high-level phases of the passwordless journey:

Phase 1: Establish Multi-Factor and Identify Passwordless Use Cases

Multi-factor authentication has been a critical component of strong authentication systems for more than a decade. Hopefully, you’ve already got this one — but if not, there are countless products that can help you mitigate the threats of password-based single-factor authentication.

Phase 2: Consolidate Authentication Workflows

A typical company runs hundreds of applications. Managing each application’s authentication methods and security policies quickly becomes untenable for administrators at this scale. Rather than attempt to augment the security of each application individually, Phase 2 focuses on consolidating authentication workflows into a place where the majority of the authentication events can be centrally managed.

This may take the form of single sign-on (SSO) or federated portals through standard protocols like Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). Even applications that aren’t web-based, such as SSH clients or remote desktop software, may be able to go passwordless by using a reverse proxy and client software that opens a passwordless web prompt. There are numerous products and services that will offer different experiences and features, and both the features you need and the protocols your applications support may dictate which products and services are suitable for your organization.

Phase 3: Increase Trust in Authentication

Next, focus on building a more comprehensive user authentication system and mitigating additional threats in your environment. Ensure user authentication is occurring from known and trusted devices with up-to-date software and operating systems. Detect anomalous user behavior and flag it for remediation. Identify safe conditions and risky behaviors and configure flexible policies that can reduce user friction without reducing security. Support for all of these things builds upon your work in Phase 2 and the selection of a vendor that supports the features you need.

Phase 4: Adopt Passwordless (We are here!)

Passwordless requires support from both your users’ access devices and your SSO portal or federation system. Microsoft, Apple, Google, and other system manufacturers have done an excellent job in rolling out access device support for passwordless, and security key manufacturers like Yubico, Feitian, and SoloKeys can help enable support for passwordless on devices that don’t support it natively. SSO and federation providers are beginning to bring passwordless solutions online. If you’ve done the hard work in Phase 2 to consolidate your authentication workflows into a centralized authentication experience, you may be able to enable passwordless across the majority of your organization by simply switching it on. Your existing authentication and authorization policies, device trust, and configured settings should ideally transfer over and take effect right away.

Phase 5: Optimize Passwordless

Unless you’ve managed to consolidate every one of your applications into using the same federation solution, it’s likely you won’t be able to completely eliminate the use of passwords overnight. This is where having a layered security model with MFA, configurable policy, device trust, and adaptive authentication pays dividends. Your organization is only as safe as your weakest authentication method, so ensuring every authentication method is strong reduces your risk as you transition towards Pure Passwordless. The goal here is to aggressively continue consolidating authentication workflows into centralized auth solutions where passwordless support exists and begin the process of disabling password-based authentication.

This will be a protracted phase, as disabling passwords will highlight all sorts of corner cases where passwords may be used in your organization, such as new user onboarding, account recovery, and that one server in the basement that you don’t want to touch in case something goes terribly, terribly wrong. Certain applications and protocols will most likely not be able to adopt passwordless initially, so some of your users may need to keep a password around to use with these systems for a while.

Passwordless is exciting and promises both security and usability benefits. We mostly get the usability benefits in Phase 4 and the security benefits in Phase 5, but like anything, there’s a spectrum. So long as passwords remain an option, adversaries can apply the same attacks they use today to password-based auth methods. Adding passwordless auth as an option starts by making authentication easier. Removing passwords as an option makes authentication safer.

For frequent use, adding additional factors behind a password may have been deemed too much friction, but it may be more acceptable as an infrequent fallback when passwordless is the primary authentication method. Security benefits can also come simply from user habit migration. For example, users who become conditioned to passwordless authentication will find an unexpected push or a password entry field conspicuous, even if they’re still allowed as options. This is one of the few exciting breakthroughs in authentication technology where a more usable option is more secure as well!

However, it would be remiss to say everything will be roses. Let’s dig into Phases 4 and 5 and discuss some of the challenges you are likely to face as part of passwordless adoption and how to manage them.

Your First Few Weeks of Passwordless

When you flip the switch and enable your first passwordless login, it’s probably going to feel unfamiliar. If you’ve read this guide and have a general understanding of how authenticator devices store and use credentials, you’ll probably be able to infer how things operate. Your users, on the other hand, may have no idea what they’re supposed to do. Passwordless login is supposed to be quicker and easier than using a password, but most people have years or even decades of experience using passwords. We know what to do when we see a password input form. 

Your users will be old hats at passwordless in no time, but the first time seeing an unfamiliar prompt to scan a fingerprint or face can be unsettling. If a user thinks they’re entering their system password into a web form, being prompted to enter a PIN or local system password can be confusing or even suspicious. You’ll most likely want to evaluate the passwordless login flow yourself and work out a strategy for assisting your users through their first passwordless logins.

But before we even get to passwordless login, your users will need to enroll a credential or add an authenticator device to their account or profile. This can be just as confusing as a first login, if not more so. However, depending on your MFA configuration, your second-factor authentication method may be suitable, or nearly-suitable, for passwordless auth already.

If your users have adopted a WebAuthn-capable 2FA method such as Windows Hello, Touch ID, Face ID, Fingerprint/Face Unlock, or a FIDO2-certified security key and regularly use it as a second factor, your authentication provider may be able to use the same credentials for passwordless authentication if they support user verification. If not, then the simplest way to enroll a new passwordless device is to piggyback on top of a normal password-based auth and ask your users to enroll a device as part of their normal login process. This will probably feel pretty similar to how your users first enrolled their MFA devices after entering a password the first time. On next login, they’ll be able to use passwordless!
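Whether a given WebAuthn assertion can stand in for a password comes down to the user-verification flag the authenticator sets in the signed authenticator data, which the relying party has to check rather than assume. The following Python is an added example, not code from this post or from Duo’s product: it parses the fixed prefix of a WebAuthn authenticatorData blob, checks the RP ID hash and the signature counter, and classifies an assertion as usable for passwordless (UV set) or only as a second factor (UP only). The RP ID `login.example.com` and the `make_auth_data` helper that fabricates sample authenticator data are constructed for illustration.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import Tuple

# Bit positions in the authenticatorData "flags" byte (WebAuthn Level 2, section 6.1).
FLAG_UP = 0x01  # user present: the user touched or otherwise interacted with the device
FLAG_UV = 0x04  # user verified: the authenticator checked a PIN or biometric
FLAG_AT = 0x40  # attested credential data follows (registration responses only)
FLAG_ED = 0x80  # extension data follows


@dataclass
class AuthData:
    rp_id_hash: bytes
    user_present: bool
    user_verified: bool
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(
        rp_id_hash=raw[:32],
        user_present=bool(flags & FLAG_UP),
        user_verified=bool(flags & FLAG_UV),
        sign_count=sign_count,
    )


def classify_assertion(raw: bytes, rp_id: str, stored_sign_count: int) -> Tuple[str, int]:
    """Decide what an assertion is good for and return (decision, new_stored_count).

    decision is "passwordless" (UV set, usable as the sole factor), "second-factor"
    (UP only, must still be paired with a password) or "reject".
    Signature verification over authenticatorData || sha256(clientDataJSON) is assumed
    to have succeeded before this function is called.
    """
    auth = parse_auth_data(raw)
    # The RP ID hash must match the site we serve; otherwise the assertion was made
    # for a different origin (or through a phishing proxy) and is useless here.
    if auth.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        return "reject", stored_sign_count
    if not auth.user_present:
        return "reject", stored_sign_count
    # Counter rule from the spec: once either side reports a nonzero count, the new
    # value must strictly increase, or a cloned authenticator may be in play.
    if (auth.sign_count or stored_sign_count) and auth.sign_count <= stored_sign_count:
        return "reject", stored_sign_count
    decision = "passwordless" if auth.user_verified else "second-factor"
    return decision, auth.sign_count


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct a sample authenticatorData prefix for the examples (not from a real device)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    RP = "login.example.com"  # hypothetical relying party ID
    uv = make_auth_data(RP, FLAG_UP | FLAG_UV, 12)
    up_only = make_auth_data(RP, FLAG_UP, 12)
    print(classify_assertion(uv, RP, 11))       # ('passwordless', 12)
    print(classify_assertion(up_only, RP, 11))  # ('second-factor', 12)
    print(classify_assertion(uv, RP, 12))       # ('reject', 12): counter did not advance
```

A counter that fails to advance is worth an alert rather than a silent update, since the only authenticators that produce it are ones that were cloned or have a broken counter. Authenticators that do not implement a counter report zero on both sides, which is why the check is skipped in that case.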

Now, imagine you’re a few weeks into your passwordless rollout and one of your users loses their first device. Even though the credential on the device should still be protected by a user-verifying PIN or biometric step, you want to invalidate that credential as soon as possible, because the “something you have” property is gone. Your authentication provider should offer a control panel or other administrative console where you can view your users and see what devices they have enrolled. You should have a quick and easy way to invalidate the lost device and its credentials through this interface. (In case you’re curious, each authenticator is supposed to hold only one credential per user account, so revoking that credential revokes the device’s access.) If you haven’t disabled passwords yet, your user should be able to use their password to enroll a replacement authenticator device the next time they try to log in.

Removing Passwords: Applications vs. Users

Throughout Phase 4, passwords remain a viable fallback option. Although these challenges in Phase 4 are likely to require lots of time, they’re more about helping your users acclimate to a new process than technical complications per se. You may wish to progressively roll out passwordless to smaller groups within your organization at first, to smooth the influx of help tickets and allow early adopters to share knowledge of passwordless with their peers.

Things get trickier as we move toward Phase 5 and start to remove passwords as an option. Any user who hasn’t acclimated to passwordless login will be stuck if they no longer have a password-based fallback. The goal of Phase 5 is to remove passwords from the environment to improve security, while minimizing new complications. Let’s explore a few complications that may come up as we remove passwords.

To start, not every application will be able to use passwordless. Take connecting to a wireless network, for example. WPA2-Personal expects a pre-shared key, and the EAP methods most commonly deployed with WPA2-Enterprise, such as PEAP with EAP-MSCHAPv2, expect a username and password; only if you’ve rolled out client certificates for EAP-TLS does the Wi-Fi login itself go passwordless. Not every protocol is web-based or can be proxied through a web-based gateway. Applications released years ago may never get updates that support SAML, OIDC, or other federation protocols. It’s likely that one or more additional applications or use cases in your environment may not be passwordless-capable, now or in the future. That’s okay. Each application from which you can remove passwords gains the security benefits.

Every user from which you can remove passwords is one fewer user who can be phished or introduce credential reuse into your organization. However, it’s much harder to completely remove passwords from users than to completely remove them from applications. If a user no longer has passwords, then they can’t fall back to a password if they lose their authenticator device. It becomes important that each user have two or more authenticator devices enrolled, so that they do not get locked out of their account. Once passwords are eliminated, your users will probably need to use passwordless authentication to enroll new devices.

Authenticator Management Considerations

Platform authenticators like Touch ID and Windows Hello are conveniently present on the access device but are also limited to being used on the specific platform they’re a part of. Let’s say you need to enroll a new device with a platform authenticator but no longer have a password. How do you bootstrap trust in your new device to get to where you can enroll its platform authenticator?

Roaming authenticators like security keys or mobile authenticators have the advantage that they can be used to authenticate across multiple machines. You can use a platform authenticator to enroll a roaming authenticator on one computer, then move the roaming authenticator to another computer and use it to enroll that computer’s platform authenticator.

It’s clear that the passwordless future involves lots of devices and a mix of both platform and roaming authenticators. However, increasing the number of authenticators introduces even further complications, as each authenticator must generate its own per-site credentials. Enrolling multiple devices with each of multiple websites will likely grow tiresome. You can partially alleviate this via federated login, centralizing login to a handful of sites or fewer. On the plus side, enrolling multiple devices gives your users the ability to self-remediate individual lost or stolen devices without losing access to their account.
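Three of the points above are relying-party bookkeeping: revoking a lost device’s credential promptly, keeping each authenticator at one credential per account by passing existing credential IDs as excludeCredentials at registration, and refusing to drop a user’s password until they have a second authenticator enrolled. The Python below is an added illustration of that bookkeeping, not Duo’s code or that of any product named in this post; the `CredentialRegistry` class, its in-memory store, the “at least two, one of them roaming” policy, and the sample user and credential IDs are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Credential:
    credential_id: bytes   # the credential ID the authenticator returned at registration
    label: str             # e.g. "Work laptop Touch ID"
    kind: str              # "platform" or "roaming"
    revoked: bool = False


@dataclass
class UserRecord:
    username: str
    password_enabled: bool = True
    credentials: List[Credential] = field(default_factory=list)

    def active(self) -> List[Credential]:
        return [c for c in self.credentials if not c.revoked]


class CredentialRegistry:
    """Relying-party bookkeeping for WebAuthn credentials (hypothetical in-memory store)."""

    def __init__(self) -> None:
        self.users: Dict[str, UserRecord] = {}

    def get(self, username: str) -> UserRecord:
        return self.users.setdefault(username, UserRecord(username))

    def exclude_credentials(self, username: str) -> List[dict]:
        """Build the excludeCredentials list passed to navigator.credentials.create().

        An authenticator that already holds one of these IDs refuses to create a
        second credential for the account, which keeps each device at one credential
        per user. Revoked IDs are left out so that a device which turns up again can
        be re-enrolled with a fresh credential.
        """
        return [{"type": "public-key", "id": c.credential_id}
                for c in self.get(username).active()]

    def register(self, username: str, credential_id: bytes, label: str, kind: str) -> Credential:
        if kind not in ("platform", "roaming"):
            raise ValueError("kind must be 'platform' or 'roaming'")
        user = self.get(username)
        if any(c.credential_id == credential_id for c in user.credentials):
            raise ValueError("credential ID already registered for this user")
        cred = Credential(credential_id, label, kind)
        user.credentials.append(cred)
        return cred

    def revoke(self, username: str, credential_id: bytes) -> int:
        """Lost device: invalidate its credential at once. The PIN or biometric on the
        device no longer matters once the 'something you have' is out of the user's
        hands. Returns how many active authenticators the user still has."""
        user = self.get(username)
        for c in user.credentials:
            if c.credential_id == credential_id and not c.revoked:
                c.revoked = True
                return len(user.active())
        raise KeyError("no active credential with that ID")

    def can_disable_password(self, username: str) -> bool:
        """Phase 5 gate: at least two active authenticators, one of them roaming,
        so a single lost device cannot lock the user out."""
        active = self.get(username).active()
        return len(active) >= 2 and any(c.kind == "roaming" for c in active)

    def disable_password(self, username: str) -> None:
        if not self.can_disable_password(username):
            raise PermissionError("enroll a second (roaming) authenticator before removing the password")
        self.get(username).password_enabled = False

    def needs_recovery(self, username: str) -> bool:
        """True when the user has neither a password nor an active authenticator left."""
        user = self.get(username)
        return not user.password_enabled and not user.active()
```

The `needs_recovery` check is the condition under which the recovery flow discussed below becomes the only way back in, which is a good moment to alert the help desk rather than wait for the ticket.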

Inevitably, some users will find themselves with one or more lost authenticator devices and no way into their account. You will need a recovery flow. There are many different recovery flows, including temporary passwords, recovery links, backup codes, and more. Your recovery flow may delegate the authentication decision to another provider, such as an email host, wherein if your user still has access to their email account, they may be able to self-remediate. If not, they may need to contact your help desk for an override. Recovery flows are also a potentially-viable option for bootstrapping trust across platform authenticators without a roaming authenticator to assist.

While it’s critical to have one or more recovery flows, know that the recovery flows you support, especially any self-remediation flows, are viable attack vectors. It doesn’t meaningfully improve your security posture to remove password-based authentication if your recovery flow isn’t ultimately stronger.
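A recovery flow you control is easier to keep stronger than a password when its codes are high-entropy, single-use, stored only as hashes, and throttled against online guessing. The following Python is an added example of backup codes built that way; it is not code from this post or from Duo. The `RecoveryCodes` store, the code format, and the lockout parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List

CODE_BYTES = 10            # 80 bits of randomness per code
MAX_FAILURES = 5           # failed redemptions before the account's codes lock
LOCK_SECONDS = 15 * 60     # lockout length (an assumed policy value)


def _hash_code(username: str, code: str) -> bytes:
    """Hash a code bound to the account, so a leaked table cannot be matched across users.
    Dashes, spaces and case are normalised so users can type the code as it was shown."""
    normalised = code.replace("-", "").replace(" ", "").lower()
    return hashlib.sha256(f"{username}:{normalised}".encode()).digest()


class RecoveryCodes:
    """Single-use backup codes, stored only as hashes, with attempt throttling.
    Hypothetical in-memory store; a real deployment keeps this in the user database."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._codes: Dict[str, List[bytes]] = {}       # username -> unused code hashes
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}
        self._clock = clock

    def issue(self, username: str, count: int = 8) -> List[str]:
        """Generate a fresh set, return the plaintext codes once, keep only hashes.
        Issuing replaces any earlier set, so an old printed sheet stops working."""
        codes = []
        for _ in range(count):
            raw = secrets.token_hex(CODE_BYTES)                   # 20 hex characters
            codes.append("-".join(raw[i:i + 5] for i in range(0, len(raw), 5)))
        self._codes[username] = [_hash_code(username, c) for c in codes]
        self._failures[username] = 0
        return codes

    def redeem(self, username: str, candidate: str) -> bool:
        """Return True and burn the code on success; lock the account's codes after
        MAX_FAILURES consecutive misses so the flow cannot be guessed online."""
        now = self._clock()
        if now < self._locked_until.get(username, 0.0):
            return False
        digest = _hash_code(username, candidate)
        unused = self._codes.get(username, [])
        for i, stored in enumerate(unused):
            if hmac.compare_digest(stored, digest):
                del unused[i]                                     # single use
                self._failures[username] = 0
                return True
        failures = self._failures.get(username, 0) + 1
        if failures >= MAX_FAILURES:
            self._locked_until[username] = now + LOCK_SECONDS
            failures = 0
        self._failures[username] = failures
        return False

    def remaining(self, username: str) -> int:
        return len(self._codes.get(username, []))
```

Because each code carries 80 random bits, the stored hash is not brute-forceable offline, which is what makes hashing rather than storing plaintext worthwhile; the per-account lock is what defends against online guessing. The same two controls, single use and throttling, apply to recovery links and to temporary passwords issued by the help desk.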

Your organization may likely reach Phase 4 quickly but spend years optimizing passwordless in Phase 5, which is to be expected. Over time, the passwordless space will expand to support additional applications and use cases, and someday, we hope, passwords will be a relic of the past. 

If you’d like to see how Duo can help bring passwordless to your organization, visit the product page for our passwordless authentication solution.


Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

<![CDATA[Let's Duo It Again: Why I Returned to Duo for a Second Internship]]> zvarner@duosecurity.com (Zane Varner) https://duo.com/blog/why-i-returned-to-duo-for-a-second-internship https://duo.com/blog/why-i-returned-to-duo-for-a-second-internship Industry News Wed, 28 Jul 2021 08:30:00 -0400

When I announced that I was returning to Duo for my second internship, I was met with a great deal of congratulations — and occasionally with surprise. In a few cases, I even experienced some soft criticism about this decision. “You should be trying to have a variety of experiences,” some said, “Your early career is a time to explore.”

However, I must take this advice with a grain of salt. By returning to Duo, I would say that I am having a variety of experiences, and I have lots of opportunities to explore! The work I’m doing this summer, both technically and organizationally, is markedly different from last summer. Beyond this, my work will continue to evolve as I communicate both my short- and long-term goals with my extensive support system.

Also, variety alone isn’t enough. To make informed decisions about the future, we need to consider which experiences will likely bring us the most value. That’s what led to my decision to return to Duo. The work I’m doing this summer is a strategic step in the right direction for what I aim to do in my future career.

Last summer, I worked with an excellent team on a rewarding project. I was involved in the frontend development of the new Universal Prompt, implementing features that are seen by users millions of times daily. Throughout the summer, I gained immense experience in both the hard skills of programming as well as the intangible skills of structuring my time and working within a team setting.

In addition, the summer taught me a lot about myself and helped me understand what kind of work excites me the most. The most interesting problems that I faced included how the new Universal Prompt would work in front of the users. At the end of the day, any decisions that we made in this area had to be reinforced by some kind of data. When we had more data to work with, the decisions would become easier, and we could develop the product much faster. This work specifically sparked my interest in the engineering behind data-driven solutions.

At Duo, when anything sparks your interest, you’re generally free to pursue it. When I expressed my interest in working with the Data Engineering side of the business, I was quickly set up to do so. Honestly, in terms of switching teams, I felt like I had pretty much carte blanche access to the entire organization. Everyone is open to discussing opportunities and more than willing to offer advice and help along the way.

While it was tough to say goodbye to my team, I was met only with support in my decision to move forward onto the Data Platform team, where I’m working this summer. As Duo team members, our job is to support the company, but Duo reciprocates this deal and supports us just as much. At Duo, everyone seems to sift into the positions where they want to be.

My story is not unique — many other people around Duo can speak to this experience. We frequently receive emails about job promotions at Duo, and typically there are too many to read! In fact, my former hiring manager who interviewed me for my new role this summer was only on the team for a period of weeks at the time of the interview (I had spent more time at Duo than he did!).

However, over just a few months’ time, he was deservingly promoted into another role. I think it’s a great fit, and I’m very happy for him, as well as my new hiring manager who was promoted to fill his place. You can also find other blog posts where Duo teammates share more experiences like these.

My decision to return to Duo was also complicated by the possibility of working for another company. I did work with other companies over the fall recruiting season, but none of them could really match the freedom that I was given at Duo. Honestly, it was a pretty black-and-white decision. With every other company’s software engineering internship, I had essentially no information about where I would be working, which product or sector I would be working on, or what kinds of technologies I would be working with. While this kind of uncertainty is inevitable and often leads to growth, I couldn’t turn down the work at Duo for this summer, especially because it’s such a certain, targeted leap forward in my career.

It’s also worth mentioning that working on the Duo product is motivating in and of itself. The company is growing rapidly, and Cisco continuously releases news to us about how our product is being used more widely and making a difference in the industry. I’m instantly motivated in an environment where I’m attempting to build technology that’s more innovative, clean, and efficient than all of our competitors. 

This summer, on the Data Platform team, I’m already in the midst of a project that involves making product data immediately available for analysis. The project involves linking together multiple technologies into a system, and I’m pushing the boundaries of how these technologies can be used with one another.

Finally, I can’t forget to mention that the culture at Duo is fantastic. There’s a specifically-designed, multi-pronged approach to keeping a fun, exciting, and lively team environment, and this does not come by accident. On that note, I’d also love to thank Emily Samar for inviting me to write this blog post about my experiences. It really feels special to be heard, especially as an intern. I’m very happy to be back at Duo, excited for everything to come this summer, and encourage you to consider the program if it’s the right time in your career!

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!


<![CDATA[This is Remote Life: Embracing the Suite Life of Interning from Home]]> kyang@duosecurity.com (Katherine Yang) https://duo.com/blog/this-is-remote-life-embracing-the-suite-life-of-interning-from-home https://duo.com/blog/this-is-remote-life-embracing-the-suite-life-of-interning-from-home Industry News Mon, 26 Jul 2021 08:30:00 -0400

With only a handful of years of wisdom under my belt, I’ve come to realize that the world works in ways you never expect. The big “P” was a challenge that no one could have prepared for, but one outcome of 2020 surprised me in the best way possible: interning from home is kind of nice, and I want to share a few reasons why.

The Home Office™: Working Here, There, and Everywhere

I hear that Duo’s offices are the pinnacle of an open-office tech start-up floorplan, complete with cool wall art and unlimited fancy coffee. However, I’d like to think that my humble remote setup can still spark joy. For starters, it exists wherever I want it to be.

Although I primarily sit at my crammed (but cable-optimized!) desk, seven feet from my bed, some other Home Office choices include: at the living room/kitchen table with my other fellow WFH roommates, outside in a hammock under some trees, and in an air-conditioned university building when the heat becomes too much. I have the freedom to choose where I work best and the flexibility to continue working, even if I choose to move back to my hometown or spend a few weeks in a different city.

This luxury of comfort and mobility is facilitated by the way teams here at Duo adopted remote working. While the initial shift to remote was challenging, Duo workshopped processes and programs (like summer internships) that adapt to needs and feedback. I frequently find myself hopping on quick calls, sharing my screen to get quick troubleshooting advice or creating a collaborative board to brainstorm with my team.

Tools like chat programs, Webex, and Mural, when complemented with supportive management and an openness to learning new methods of working together, contribute dramatically to establishing digital best practices that create a healthy and collaborative work culture. These are changes with longevity — a third of the Product Marketing team works in places without any Duo offices, so these practices will continue even as buildings begin to open.

A Broader Scope: Variety is the Spice of Life

Speaking of chat programs and Webex, one of the greatest advantages of a digital-first internship is the variety of conversations, projects, and unique learning opportunities I’ve been able to experience.

This internship I set a goal for myself: overcome my fear of “coffee chats” and talking to strangers. There were definitely a few factors at play here, like re-learning post-quarantine social skills, but for the most part I was successful — driven by both the ease of setting up 30-minute Webex meetings and the knowledge that the people I reach out to in a direct message are excited to talk to me. As a result, I’ve learned that CS stands for Customer Success (and not just computer science), compiled a list of more than 50 pieces of life advice (a go-to question particularly around my 20th birthday), and honestly met a bunch of really cool people.

Being able to reach out across the organization also allowed me to dive into functional areas that interest me. For example, I’ve been able to explore the international marketing scene in ways I probably wouldn’t have had the chance to if I were sitting in the Ann Arbor office. I’ve been in meetings with people from London and Sydney to Canada and Japan, giving updates, working on campaigns, and generally growing a deeper understanding of markets beyond North America through firsthand experience, rather than feeling confined by the small office area I would’ve been assigned. 

After a few months’ experience in the remote world, the number of digital experiences drastically expanded. At Duo, I was surprised to learn about the “Intern Learning and Development Budget” — and that’s on top of the pre-existing unlimited book fund. I’ve been able to attend specialized conferences, read recommended books, and even sign up for training and certifications without the significant costs of travel and time.

Imagine my surprise when I heard a fellow intern animatedly sharing her early-morning dance session that kicked off a virtual Customer Success Festival she was attending, all in week two of the Summer Internship. Duo hosted several virtual guest speakers, webinars, and learning sessions, and I somehow found myself interviewing Daniel Dae Kim for AAPI Heritage Month (first name basis, 100% bucket list accomplished). Suddenly, something I’d never even considered an option became a major part of making this internship memorable.

Breaking Barriers: Unlocking Opportunities and finding Connection

This summer cohort is the biggest at Duo yet — 26 undergraduate and graduate interns across both technical and non-technical roles. Remote internships have mitigated a lot of traditional barriers to work experience: cost of living in cities; logistics of leasing and housing; commuting; and even time zone challenges. In the cohort, people log in from New Jersey and New York to California, Texas, and… throughout the Midwest. For many, including myself, this is a first exposure to roles like technical writing, program management, and product marketing. It also opened the opportunity to co-op and get professional experience while taking classes in the winter and spring (shout-out to the three-person intern chat during hard winter months).

Feeling connected during the workday is a real challenge, and it takes more than beloved “meeting icebreakers” to fix. Rather, I’ve found that frequent, smaller interactions can help drastically humanize the WFH experience: quick messages, virtual working hours, drop-in lunch, and maybe even some happy hours putting our trackpad drawing skills to the test. As an intern cohort, we have our own chat channels, attend Design Thinking training together, and keep each other in the loop on our diverse projects. All of this, and more, felt more genuine than I had expected — even though only four of us are located near the Ann Arbor headquarters.

Reflections: The WFH Internship Experience and the Future of Work

In an ode to myself rediscovering and watching “The Suite Life of Zack and Cody,” I’d like to kick off this conclusion with a quote from the iconic 2005 theme song that aptly describes the remote work life:

“Here I am in your life, here you are in mine.”

As I enter week 24 of my second fully remote internship at Duo (they don’t call me a “senior intern” for nothing), I’ve come to appreciate many of the things working from home has brought to my attention. Overall, there’s a greater focus on work-life balance, building accessible experiences, and giving people more autonomy to decide for themselves how they work best. Maybe it’s because I grew up in a generation where technology has touched almost all aspects of my life, or maybe it’s because I’ve admittedly never worked a “real-life, in-person, 9-to-5 cubicle office job” before, but the shift online felt like a natural progression of where I would find myself.

In school I took a class on the future of work, reading articles about applying machine learning to customer service bots and discussing the implications of autonomous vehicles. We explored the different fields of application — healthcare, education, manufacturing, global economics, public policy — and zoomed out to see the greater (exponential) rate of growth of technology. It’s interesting to think that in January 2020 the future meant a looming workforce of robotics, AI, and automation, and only a few months later it shifted to mean finding a solution for the most human-centric needs for connection, collaboration, and balance.

While the Fourth Industrial Revolution is definitely still something to consider, I think in the closer future is a work world where in-person and online hybridize. Maybe in the coming months and years there will be a visible shift in office spaces. Maybe interactive calls and virtual experiences become the default, building for accessibility and opportunity. And maybe it’ll be led by the interns who know that it’s positive, healthy, and feasible because they’ve experienced it before. After all, sometimes the world works in ways you’d never expect.

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!


<![CDATA[Celebrating Duo’s 2021 Community Impact Award Winners]]> aboris@duosecurity.com (Anndrea Boris) https://duo.com/blog/celebrating-duos-2021-community-impact-award-winners https://duo.com/blog/celebrating-duos-2021-community-impact-award-winners Industry News Fri, 23 Jul 2021 08:30:00 -0400

Giving back to our local and global communities has always been a big part of Duo’s culture. This tradition inspired us to launch the Duo Community Impact Awards, now in its second year, which recognizes and celebrates how Duo team members made an impact in their communities over the past year.

Joining me on the awards committee were Megan Furman, Chief of Staff / Head of Operations; Emily Reid, Head of Employee Programs; Stephanie Frankel, Head of Brand Team; and Kristina Birk, Release and Documentation Manager / Duo Gives Planning Team.

We received a wide variety of nominations across Duo, and we loved hearing about all the amazing things our team is doing to make the world a better place — volunteering, coaching, mentoring, running community initiatives, and so much more both inside and out of the workplace. We also loved seeing how many people nominated someone else. Each nominator shared that they’re personally inspired by seeing their colleagues’ efforts, and we think they’ll inspire you, too. 

We’re really excited to highlight our five winners, who each earned a $5,000 grant for Bright Funds, Cisco’s charitable giving and matching platform. This allows our winners to award non-profits that they’re personally passionate about, further spreading their positive impact and kinder-than-necessary attitude.

Andy Peterson, Technical Solutions Architect, volunteers at nonprofit animal welfare organization Friends of Upland Animal Shelter in Upland, California. He spends most of his free time working to drive animal welfare education and activities to improve the situation for lost and abandoned animals. He typically volunteers around 100 hours per month doing various activities including fostering puppies, supporting as a volunteer board member, committee member, and everything in between.

Rose Putler, Data Scientist, volunteered with Our House, a southeast Michigan-based organization helping young people with foster experiences transition successfully into adulthood. She not only participated in one-on-one and group mentoring with the organization, but also reached the milestone of more than four years working with her mentee, Alexis! (You can learn more about Rose and Alexis in this interview.) Having moved from Michigan to Boston after working with Our House for so long, she’s thrilled to be able to support them from afar and hopes to find a similar organization to work with in her new hometown. Rose hopes folks get inspired to be more compassionate and to advocate for policies which respect the dignity of the disadvantaged and the value of their time.

Jim Salmonson, Federal Systems Engineer, has been giving back in a variety of ways over the past year. He volunteers for the development of future Cyber Warriors as well as promoting music and arts in high school programs. Jim has been able to connect his network of cyber professionals and resources to help Junior ROTC leadership mature their programs, where he consults and mentors the senior directors to engage Cisco Systems and expose this community to current security capabilities, while developing good cyber citizens. In addition, Jim has been an active volunteer on the weekends for the local philharmonic and high school band programs to keep music active in the community. Jim provides audio/video services to the programs to keep kids connected and active safely during the pandemic.

Ted Stockton-Smith, Account Development Representative (ADR) Manager, has spent countless hours volunteering within COVID-19 vaccination centers since the beginning of the year. He has selflessly given his spare time, along with his Time2Give hours (a Cisco benefit providing team members 40 hours per year to give back to our communities) to one of the most important causes of the past 18 months. Being able to regularly spend three hours in the morning or on weekends assisting a team that vaccinated thousands of people a day, and then start work at 9AM ready to mentor, coach, and manage the ADR team is really inspiring.

Kevin Wainczak, Software Engineer, was driven to get involved in his community after a year when many people felt a strong sense of disconnection. He is a volunteer coach in pole vault at a local high school, working with athletes of all skill levels. Developing trust within such a difficult sport really allows the kids to achieve their best, and Kevin has fun and takes pride in seeing the enthusiasm and hard work that they show up with every day. He hopes that the athletes come away more confident than when they started, and that they feel like part of a team.

With so many impressive submissions, we wanted to highlight five more honorable mentions! Each of these Duo team members was awarded a $100 Bright Funds grant to donate to the non-profits that matter most to them.

Daniel Bagwell, Software Engineer, assisted with the distribution of COVID-19 vaccines at the Dallas, TX Fair Park Vaccine Mega Center. Because the site was only open during business hours, Time2Give allowed him to volunteer when others could not.

Courtney Eastman, Account Executive, organized a group to convert a trailer into a home for a family who lost their father and were living in a hotel. Donating replacement flooring, cabinets, and appliances, along with painting, cleaning and landscaping, took about five days.

Madhavi Kongara, Data Warehouse Developer, has been involved with Wayne County Senior Services initiative, providing meals to homebound senior citizens through Meals on Wheels. For the past nine months, she’s delivered meals to 10-20 seniors each week.

Amelia Lombard, Learning & Development Lead, volunteered twice a week in a virtual Algebra 2 classroom from January through June. During the one-hour classes, she and the teacher divided the class and supported their respective groups as they worked through math activities.

Mike Spitz, Head of America SMB Sales, is part of the Ann Arbor Community Academy, a volunteer group of citizens who connect with the city to understand more about what goes into day-to-day operations in Ann Arbor, Michigan. Through AACA, Mike learned about and got involved with several other initiatives, including one to plant 10,000 trees!

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

<![CDATA[Now Available: Microsoft 365 Application for Duo Single Sign-On]]> cmedfisch@duo.com (Colin Medfisch) https://duo.com/blog/now-available-microsoft-365-application-for-duo-single-sign-on https://duo.com/blog/now-available-microsoft-365-application-for-duo-single-sign-on Product & Engineering Wed, 21 Jul 2021 08:30:00 -0400

When I open my laptop for the first time in the morning, one of the first things I check is my email. As a Duo team member, and as part of the greater Cisco organization, I am one of more than 258 million monthly active subscribers of Microsoft 365. Because this service is integral to the working lives of our customers and ourselves, we wanted to ensure that you can easily yet securely access your emails, documents, and presentations from any device and any location.

That’s why we’re happy to share that Duo now offers a Microsoft 365 application for Duo Single Sign-On (Duo SSO), allowing you to federate your Microsoft 365 domains with Duo SSO. 

Where We Started: Duo Access Gateway, 2015

In 2015 we introduced the Duo Access Gateway (DAG), which used SAML 2.0 to authenticate users into Office 365 (now Microsoft 365). Next, we added support for legacy authentication protocols (Basic Authentication).

Since its inception, nearly half of all customers using the DAG consistently leverage it for at least Microsoft 365 — both for Modern and Basic Authentication. Many customers even use the DAG exclusively to protect Microsoft 365!

For these customers, the many pain points of maintaining an on-premises SSO offering — configuring servers, managing certificates, configuring high-availability, making sure everything is kept up-to-date — increasingly consume more time and resources that could be used to solve and improve other IT issues. That’s a lot of overhead for a single, albeit business-critical, application.

Building a Better Solution

Because the metrics we observed with the DAG are not trivial by any means, and we’d begun work on our hosted Duo Single Sign-On (SSO) offering, we knew that we had to deliver the best experience possible for Microsoft 365, for administrators as well as users. 

Keeping that in mind, we worked hand-in-hand with Microsoft to design, build, and validate according to their best practices by using WS-Federation, WS-Trust and WS-MetadataExchange, instead of SAML 2.0.

This allows us to fully support a wider range of modern and legacy authentication workflows, improving the end user experience, and aligning with Microsoft’s current and future product plans. These include, but are not limited to:

  • Web browser logins
  • Microsoft Office application logins
  • Azure AD Management Tools
  • Legacy email client logins
  • Azure AD and Hybrid Domain Joins
  • Windows Autopilot

When using WS-Trust for legacy workflows, we also give the option to limit access based on IP address, user agents and/or groups. We want to help customers move toward more modern authentication workflows, but we also recognize this isn’t always an overnight shift. These controls allow organizations to incrementally scale back on legacy usage. 

We’ve also made it easier than ever to get Microsoft 365 working with Duo: after you enter some information about your tenant into the Duo Admin Panel, we provide a prebuilt configuration script. Long gone are the days of typos that have plagued our customers, and often technical support teams!

What’s Next with Microsoft and Duo?

Our partnership with Microsoft is stronger than ever, and we’re incredibly proud and excited to provide our joint customers with one more place to take advantage of Duo SSO. In addition to providing more options today, it also prepares our customers for the release of our upcoming Passwordless authentication solution!

Duo SSO is just getting started. Want to follow along? Subscribe to our release notes.

To learn more about Duo SSO and Duo Central as a whole, view our official documentation.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

<![CDATA[Adopting OIDC Standard For MFA]]> nikhare@cisco.com (Nikhil Khare) https://duo.com/blog/adopting-oidc-standard-for-mfa https://duo.com/blog/adopting-oidc-standard-for-mfa Product & Engineering Mon, 19 Jul 2021 08:30:00 -0400

This blog is part of an ongoing blog series for Duo’s Universal Prompt Project. The project is a major re-architecture and redesign of the Duo multi-factor authentication experience. In this post, we’d like to discuss a “behind the scenes” change we’ve made that helps achieve the overall project goals — improving security and delivering a better user experience. The change involves adopting the OpenID Connect (OIDC) standard to integrate with supported applications to deliver the prompt for MFA. But before jumping into the details, it might help to understand the open standards in discussion.

Understanding OAuth 2.0 Framework and OIDC Protocol

Problem to solve: Apps and services need a way to share data with each other

Years ago (back in the early 2010s!), applications shared sensitive information by asking users to enter their credentials from one application into another. Many applications offered services which would tie together functionality from other sites. For example, mobile applications such as Yelp requested your Gmail address book to encourage more signups by emailing your contact list on your behalf. Similarly, budgeting applications like Mint.com needed access to your banking credentials to help track your spending, and website developers wanted ways to post users’ tweets on their own websites.

These were all great services that provided benefits to everyday users, but users needed to share their username and passwords with these services to realize those benefits. Sharing credentials or passwords with multiple applications not only increases the risk of a compromise (yes, that same password you also use for online banking), but also gives third-party applications full access to your account.

This is a big no-no! Once credentials are compromised, hackers can take over user accounts; even change the passwords and lock users out. Even today, according to Verizon’s 2020 Data Breach Report, 37% of credential theft breaches use stolen or weak credentials. 

The main problem to solve here was authorization — in particular, how can we verify that an application or service is authorized to access information about the user? This problem was solved with the creation of the OAuth framework.

The OAuth 2.0 framework essentially allows a third-party application to access information on behalf of the user. Think about how you might provide a friend an extra set of keys when they’re visiting so they can come and go as they please. However, there’s a key difference: You already know your friend, so you don’t need to authenticate them. Instead you just need a way to authorize them to access your home.

Once applications were able to successfully share data with each other, developers realized that this framework could also be used to implement some form of authentication. The OAuth 2.0 framework gained popularity and significant adoption to become an industry standard. However, it was not explicitly designed to support/enable authentication. And that’s why the OIDC authentication protocol was developed as an identity layer on top of the OAuth 2.0 framework, to explicitly provide support for authentication. Specifically, OIDC protocol allows you to log into multiple websites using a single set of credentials. Depending on the use case, the protocol provides several workflows. 

This entire workflow is like checking into a hotel. To make this flow more understandable imagine that a traveler, let’s call him Bob, is checking into Hotel Duo. 

Authentication workflow: Bob arrives at Hotel Duo and walks up to reception. Here the receptionist checks that Bob is who he says he is, actually has a reservation, and provides him with a key card (access token) for access to his room. 

  • The hotel receptionist here is the OIDC provider, who is responsible for verifying Bob is who he says he is and that he meets the right criteria to get a key card. 

Authorization workflow: Next, Bob enters his room with his key card. Once Bob settles down in his room, he has time to get in a quick workout, maybe at the gym or at the swimming pool. Bob’s room key card also authorizes him to access other amenities like the gym or the swimming pool, but not facilities like the conference room unless Bob explicitly requests it. 

Benefits of Adopting OIDC for Duo MFA: Reliability and Security

One thing to note is that today, Duo does not support OIDC for identity federation. Rather, Duo leverages the protocol to integrate with applications for MFA. 

Now, let’s take a look at what the new Duo authentication experience looks like when using the OIDC-based integration:

  1. Bob authenticates to an application
  2. Bob completes his first factor
  3. Bob is redirected to the Duo prompt
  4. Bob completes his second factor with Duo
  5. Bob is redirected back to the application

The new Duo MFA experience for Bob is very similar to the current experience, but the prompt is now on a Duo-hosted web page. While only the savviest of users might notice the change, this approach enables Duo to deliver strong authentication that is more reliable and secure.  

Ultimately, by utilizing the OIDC Auth API or WebSDK 4 to integrate with an application, Duo provides developers a familiar and simple way to build MFA into their products and applications. Also, because this integration mechanism redirects to a Duo-hosted page for MFA, developers and customers need to build an integration only once and continue to get improvements for security and user experience.

We've received a lot of positive feedback from customers who have participated in the private preview. And we can't wait for all our customers to try Duo’s next-generation authentication experience. Until then, you can get started by learning more with:

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

<![CDATA[Administrator’s Guide, Part 3: What Makes Passwordless, Dare We Say It, Phish-Proof?]]> jerickson@duo.com (Jeremy Erickson) https://duo.com/blog/administrators-guide-part-3-passwordless-phishproof https://duo.com/blog/administrators-guide-part-3-passwordless-phishproof Duo Labs Thu, 15 Jul 2021 08:30:00 -0400

Part of our Administrator's Guide to Passwordless blog series

In some ways, the term “passwordless” is a misnomer. Yes, it’s a password-less authentication method, greatly streamlining the login experience, and while that’s a great incentive to use passwordless for logging in, it’s not an improvement in authentication security in and of itself. 

Passwordless uses multiple factors in one step. Unlocking authenticator devices locally removes the threats of credential reuse and shared secrets. But on top of all of that, passwordless should also raise the bar by substantially reducing or even eliminating the risk of phishing attacks. Any “passwordless” solution that cannot meet this bar is simply inferior. 

That isn’t to say that every password-less solution needs to be phish-proof. There may be other properties of an authentication solution you’re considering that make it a better fit for your environment, and you may be able to mitigate the risk of phishing using additional authentication factors. While not every solution will use the same mechanisms to prevent phishing, there are some properties that will be common to every solution that is truly phish-proof.

To prevent phishing, there are a few general properties that your authentication solution needs:

No Shared Secrets is the property that secrets are never shared and are always kept local to the authenticator device. The authenticator uses these secrets to sign messages, and the other party can verify those signatures as having come only from that authenticator device. Unlike passwords or other shared-secret-based approaches, the solution should guarantee that the secret used for one website is distinct and separate from any secrets used for other websites.

Origin Binding is the property that the site you (as a user) are attempting to log in to must match the domain, or origin, of the site you’re actually on. The history of active phishing has taught us that this is not something that the user can be relied upon to do, so any solution must avoid being dependent on the user checking the domain before authenticating.

Secrets, or credentials, should be linked to the domain upon which they were registered, and should not be unlockable without an automated check that the user is actually on that page. From our first No Shared Secrets property, we should be guaranteed to have different credentials for different sites, and so while a phishing site should be able to gain access to credentials for its own domain, it must never be able to access credentials for another site.

Channel Binding is the property that the communication channel from the authenticator to the website must be strongly tied to the browser session attempting to authenticate. Put another way, an attacker attempting to log in as the victim should be unable to reach the user’s authenticator to prompt the user to log in. Doing anything else would make push phishing attacks viable. There must be a guarantee that only the user’s browser (or other legitimate software) can activate the authenticator device. The channel between the browser and authenticator must be bound. This is the most nebulous of the three properties, and the one that authentication solutions most often fail.

Let’s dive into how WebAuthn and FIDO2 implement these properties and provide a very robust resistance to phishing. To start, compliant authenticator devices exhibit the No Shared Secrets property by design. The authenticator generates a new keypair, or credential, for every website, and then registers the public key with the website so its signed messages can be verified during later logins.

In a WebAuthn login, the browser itself (not the website) passes the origin of the page to the authenticator device to be included in the signed assertion response. Because of this, the signed assertion is only usable by the page matching the origin. No other site will accept it. This eliminates the ability for passive phishing, such as a site with UI elements that mirror a victim site. Because the origin also includes the https:// scheme (and WebAuthn requires TLS), this also prevents active phishing attacks, even those using a TLS-stripping attack.

The WebAuthn protocol supports only a few mechanisms for invoking authenticators. One such method is looking for a platform authenticator built into the access device, such as Windows Hello, Touch ID/Face ID, or Fingerprint/Face Unlock on Windows, Apple, and Android devices, respectively. Because this authenticator is built into the access device itself, the channel binding between the authenticator and browser session is straightforward. An attacker cannot, without already having substantial privileges on the victim’s device, invoke the victim’s platform authenticator to push phish the victim.

The other category of WebAuthn-compliant authenticators are roaming authenticators. These authenticators are not attached to the access device itself, and can be used across many different devices. They may plug in via a USB port, like a Yubikey, or connect via Bluetooth or Near-field communication (NFC). In each case, it is critical that an attacker cannot invoke the authenticator.

For USB-attached authenticators, the act of plugging the authenticator into the access device typically gives the access device exclusive access and control over the authenticator, very similar to platform authenticators. Bluetooth authenticators require an explicit pairing step by which the user links the access device and the Bluetooth authenticator. An attacker should not be able to invoke the Bluetooth authenticator remotely, unless they can somehow trick the victim into pairing the Bluetooth authenticator to the attacker’s device.

NFC is only usable over short distances of a few inches. This should give similar properties to those of a USB-attached authenticator, under the assumption that an attacker would have to bring a physical device in very close proximity to the victim’s authenticator. Proximity-based controls, such as those for NFC, are vulnerable to relay attacks that can break the important channel binding property. In practice, however, relay attacks are typically targeted and affect individual victims. They are more similar to biometric spoofing attacks in complexity and specificity than the more widespread phishing techniques used against passwords and 2FA today.

Because WebAuthn and FIDO2 achieve these security properties, products based on them tend to be some of the most secure, phishing-resistant authentication methods. However, let’s also talk about some common anti-patterns among password-less solutions, where they violate these properties, and what vulnerabilities they introduce.

Push 2FA

Push notification-based methods are great for mitigating the risks of password-based authentication, but they’re often phishable. Whether the notification comes from an SMS message or an app, or whether the push requires biometric verification (making it multi-factor), push-based solutions typically have weak or nonexistent channel binding properties. An attacker who is able to enter a victim’s username into a login prompt configured to initiate a push becomes capable of initiating pushes to the victim’s phone on demand. This is because normal operation lacks a channel binding the user’s browser session to the user’s phone, so it’s difficult to differentiate (and block) an attacker’s browser sending a push to the victim’s phone. 

When push is used as a second factor in conjunction with a primary factor, such as a password, this risk is reduced because an attacker must additionally know the victim’s password. However, if push-based authentication is used as a primary factor, push phishing becomes a much greater threat.

Tip: In evaluating any Push-based passwordless solution, look for documentation on how the solution binds the access device’s browser session to the push device in such a way that anonymous actors cannot push phish your users.

QR Code Scanning

Some authentication solutions rely on QR codes to bootstrap or transfer trust from one device (often a mobile phone) to another (often a PC). Take the following example: A user attempts to log in to a website on their PC. The website displays a QR code for the user to scan with their phone. The user scans the QR code and their phone initiates an authentication, such as a Face ID scan. When they complete the Face ID scan, the phone informs the website of the user’s identity and the website allows the PC to log in as that user.

Unfortunately, this authentication model breaks the channel binding property we need as well. To illustrate, a victim can be phished and end up on a page that looks identical to the site where they’re attempting to log in. However, the QR code displayed to them could come from an attacker, and when scanned it ultimately allows the attacker’s browser session to log in as the victim. This general category of attacks is known as QRLJacking.

The victim doesn’t even need to land on a phishing site for QRLJacking attacks to be effective. QR codes are indecipherable to humans, but can contain virtually any text, including various URI schemes. App Links or Universal Links are links designed to automatically open and invoke some mobile application. Imagine someone scanning a QR code on a digital billboard, only for their authenticator app to be invoked, use Face Unlock and WebAuthn to authenticate them, and position them only one confirmation click away from returning a response that will log an attacker into their account. Authentication methods that use QR codes to proxy authentication between devices are scary.

It’s also important to note that the risk of QR code scanning is reduced depending on the context in which it is performed. There are many solutions that use QR codes to initially set up an account or an authenticator for the first time, such as during the creation of an initial OTP seed. Since these QR codes are typically scanned just one time to set up the account and the user is typically already engaged with the specific enrollment session, the risk of an attacker breaking the channel binding by man-in-the-middling the QR code is greatly reduced compared to solutions that use QR codes for every login.

Tip: There is no guarantee that just because an authentication product uses FIDO2 or WebAuthn for part of its solution that it will achieve the same phishing resistance properties as the base protocol. Each solution must be evaluated as a whole.

Fallback Authentication Methods

Wait, hang on. Non-passwordless authentication methods are a passwordless anti-pattern?

Well, no. But also yes.

When rolling out passwordless authentication to your organization (more on this in Part 4 of this series), your users are only as secure as their weakest authentication method. Passwordless authentication may be quicker and easier to use, but if an attacker can phish your users’ passwords and push-phish their second factors, your organization is still susceptible to those attacks.

Recovery flows are also important. Even if you have entirely removed passwords from your environment, if a user gets locked out of their account but can recover access using an automated email recovery flow, the email recovery flow is part of the attack surface. An emailed link the user clicks on to initiate a recovery flow is less susceptible to phishing than a temporary access code they must copy and paste into the correct field. Emailed recovery links are not typically subject to the same sorts of push-phishing attacks as described above because the recovery link will create a new browser session on the user’s device, rather than authenticate an existing browser session that may have been initiated on an attacker’s device.

Despite early work on new recovery flows for passwordless authentication, it is likely that fallback authentication methods and current recovery methods will be used to some extent for the foreseeable future. When evaluating your passwordless rollout, make sure to consider not just the highest bar you can reach, but the lowest bar you’ll support as well.


Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

<![CDATA[Black Hat 2021: Better Than Ever (As Always)]]> noelle@duo.com (Noelle Skrzynski Hardie) https://duo.com/blog/black-hat-2021-preview https://duo.com/blog/black-hat-2021-preview Industry Events Tue, 13 Jul 2021 12:30:00 -0400

You can always expect certain things at the height of a Las Vegas summer: sunshine, sweltering heat, and Hacker Summer Camp. While last year was different because most of the events were either virtual or cancelled, this year is looking up — Black Hat is dipping its toes back into in-person events with a hybrid approach! 

So some of you will be breaking out your hacker t-shirts, dusting off your sneakers, and heading out to steamy Las Vegas for the conference. Meanwhile, if you aren’t traveling you can still attend from home, enjoying a different kind of glow from the light of your computer screen.

What does this mean for Duo? You bet your USB sticks we’ll be joining the fun, but we’re taking it a little slower by participating virtually this year. (Remember: we’re all learning to navigate this new approach, which means we’re all testing the waters at different rates.)

In either case, whether live or online, this promises to be another exciting conference! Starting with a few days of training on Saturday, July 31 and ending with briefings on Thursday, August 5, Black Hat is back, chock full of informative keynote talks, engaging sponsored sessions, friendly Business Hall exhibits, and more!

Featured Duo Talks

Evaluating Passwordless: Cutting Through the Noise with Three Metrics

In this talk, Duo Product Marketing Manager Ted Kietzman will share three technical metrics you can use to assess a passwordless solution, highlighting some potential pitfalls of “passwordless” along the way. Join Ted on Wednesday, August 4 at 1:10 p.m. PT to learn what’s what when it comes to passwordless, and come prepared to think about the implications of quick response logins (QRLs) and the type of binding necessary for secure passwordless solutions. For more information about how Duo is paving the way for passwordless authentication, visit our Passwordless Authentication preview page, where you can also sign up for updates about our upcoming passwordless solution.

Bridge the Gap with Cisco: Best Practices for Balancing Productivity and Security

Stolen credentials and unpatched software are common attack vectors used by cybercriminals in many types of attacks, including ransomware. Organizations have invested in security tools such as MFA, EDRs, MDMs, VPNs and more to mitigate these attacks. However, for maximum security efficacy, these tools need to be supported with simple processes and great usability. In this session led by Cisco Secure CISO Josh Yavor, you’ll learn about best practices that Cisco implemented to enable secure access for a global remote workforce, providing the best experience for productivity without compromising on security. Join him on Thursday, August 5 at 1:10 p.m. PT to learn more.

All in the Family: Other Interesting Talks

Make sure to keep a spot in your schedule for these other sessions featuring Cisco speakers:

Rock ‘Em, SOC ‘Em: Intel Director vs. CISO Battling for Better Incident Response

In this talk, Wendy Nather, Duo’s Head of Advisory CISOs, and Matt Olney, Director of Talos Threat Intelligence and Interdiction, join forces to present on security operations and incident response. Matt will provide an Intelligence Director’s take on the lessons learned from facing some of the most notorious cyber attacks to help answer the question: what makes a world-class incident response program? Wendy will give the CISO perspective on how to build a sustainable, ongoing program using evidence-based practices. 

Making Zero Trust Work in Your Organization

In this live-streamed Dark Reading virtual panel, join Dark Reading editors and top security experts for a discussion that not only explains the zero trust approach, but also offers practical advice on how to implement it in a real-life, operating IT environment. You’ll get an overview of the tools required, the processes you need to put in place, and the impact you can achieve by making zero trust a core piece of your cybersecurity strategy.

Moderating this panel is Timothy Wilson, Editor in Chief and co-founder of Dark Reading. Recognized by his peers as one of the top cybersecurity journalists in the US, as well as named one of the 50 Most Powerful Voices in Security by SYS-CON Media, Tim will be sure to keep the conversation candid and engaging. 

During this panel, you’ll also hear from:

  • TK Keanini, Distinguished Engineer, Security Platform & Response, Cisco Systems
  • Gal Shpantzer, Security Consultant, Virtual CISO, Faculty at IANS
  • Elena Kvochko, Chief Trust Officer, SAP

Getting Rid of the Password: The Next Wave of Enterprise Authentication

For this live-streamed Dark Reading virtual panel, top experts will discuss real-life strategies you can use to shore up endpoint security and decrease your reliance on passwords. You'll learn about some of the latest multi-factor authentication tools, and hear how other security teams have implemented more effective processes for managing end user access. Tune in Wednesday, August 4, 2:50pm-3:20pm PT.

Joan Goodchild, Senior Editor at Dark Reading, will moderate this panel. Joan has spent more than a decade covering security for a variety of publications, and served as editor-in-chief for CSO online, so she’s no stranger to these subjects and won’t hesitate to press for forthright answers from the panelists:

  • Ash Devata, General Manager of Cisco Zero Trust
  • Andy Ellis, founder and CEO of Duha, Operating Partner at YL Ventures, and former CSO of Akamai
  • Jim Routh, Cybersecurity Advisor, Former CISO, MassMutual

Even More Passwordless

If you’re interested in a demo of Duo’s passwordless authentication, look no further than the Cisco virtual booth. Find out how Duo can help you transition to passwordless seamlessly and securely. On your journey to passwordless, build a holistic strategy that reduces authentication friction while simultaneously increasing trust in every authentication.

BSides Is Back, Too!

We were all saddened last year when BSides announced there would be no BSides Las Vegas, but luckily, this year BSides is back with a virtual twist. Happening on July 31 and August 1, this event will include eight tracks covering a variety of security topics, with talks hosted on Twitch and interactive discussions hosted through Discord. Cisco Secure is sponsoring the event — look for our goodbye to passwords video, or if you’re interested in careers at Cisco/Duo, stop into the #job-postings Discord channel to see what roles are open.

With so much to look forward to, we can’t wait for Black Hat to begin. Until then, stay hydrated, wear that sunscreen (or if you're joining from home, be sure to step away from the screen occasionally!) and get ready for another Hacker Summer Camp adventure.

Try Duo For Free

See how easy it is to get started with Duo and secure your workforce, from anywhere and on any device with our free 30-day trial.