Announcing Duo’s University Site License Program

Universities are wonderful breeding grounds for hackers.

My co-founder Jono and I should know.

Twelve years ago, in the Year of Napster, I took a sabbatical between startups to work with old friends at CITI, a classic university security research lab renowned for cutting-edge work in smartcards, secure distributed filesystems, etc. But my interests quickly wandered to other things...

Under the aegis of my advisor, I undertook a one-month, no-holds-barred penetration test of the University of Michigan with the end goal of recovering the Regents’ passwords. All in the name of science, of course. He said he wanted to include them in a presentation he was scheduled to give on university security.

Unsure of his motives, but with official marching orders and a Get-Out-Of-Jail-Free card in hand, I was able to recover the passwords not only for every Regent of the University of Michigan, but also for a few hundred of their staff and several thousand faculty and students, and I found administrative access to much of the University infrastructure through the use of some novel tools, techniques, and exploits I developed at the time. I was, as friends at the l0pht liked to say, making the theoretical practical.

A few years after starting Arbor Networks, I met Jono when he was still a student, intently hacking our wireless network from the Starbucks below our office (he didn’t get anywhere, though — it was a honeypot!). He did, however, go on to successfully compromise the University of Michigan’s online records and registration system, student ID cards, and single sign-on infrastructure for some 40,000 students.

The beauty of a university research environment is that it admits and encourages disruptive innovation — and protocols like BGP, RADIUS, LDAP, MIME, PPP, etc. could not have been invented anywhere but Ann Arbor because of it (see Merit’s role in NSFNET and the Internet, and more recently, Internet2). But such environments need to be carefully fostered and protected. While Jono and I are mostly harmless (we just suffer a security mindset), this doesn’t hold true for many of the others attacking higher ed and federal research institutions today.

We are deeply indebted to the university and research community we’ve long been part of (participating even long after we transitioned to industry). Today, we are proud to announce our new university site license program, which affords universities and their research partners, for the first time, an easy, commercially supported two-factor solution to deploy at scale for faculty, staff, and students. Finally: two-factor authentication where cost is not a factor!

Join us in supporting InCommon and Internet2’s mission to provide a secure and privacy-preserving trust fabric for research and higher education institutions, and their partners, in the United States — sign up for Duo today!