Building social engineering resilience with Duo Identity Verification
Organizations have put in a ton of work to ensure their data and resources are comprehensively protected with strong user authentication. In doing so, the goalpost has shifted, and attackers are now looking for another way in. According to Splunk, 98% of cyberattacks now rely on social engineering, the vast majority of which are directed towards compromising user identities.
Attacks commonly take place during vulnerable moments in workforce users’ lifecycles. These include:
Calling the helpdesk — Organizations that rely on authenticator possession and/or knowledge-based verification questions to aid end-users can be tricked into offering support to an attacker.
Initial enrollment/onboarding — Organizations often send an enrollment link or temporary credentials to a user when they are onboarding. With these processes, organizations can fall victim to intercepted credentials and/or entirely fraudulent hires. With the large shift to remote work, this is particularly impactful.
Self-service — Many organizations offer self-service to provide a 24-hour way for end-users to self-remediate access issues. However, if phishing-resistant authenticators aren’t required for access, attackers could gain access and add their own authenticators for further access. Additionally, self-service is only effective at reducing load on the helpdesk if users have an authenticator to gain access to self-service in the first place.
These moments highlight the trade-off between ease of use and security. If organizations choose to be highly secure, they may also experience significantly increased IT costs and end-user friction. Choices made in an effort to operate in a highly secure manner could also have unintended consequences, such as missing out on hiring top talent by requiring them to reside near an office.
Other consequences could be higher employee turnover due to the friction with the organization’s rigid security process for users to regain access. On the opposite end, many organizations are operating at the status quo and are therefore at risk of social engineering attacks. They may be aware of these risks but don’t have the proper tools to implement secure processes that can scale gracefully.
Duo Identity Verification, powered by Persona
But what if your organization didn’t have to make that tradeoff? With the introduction of Duo Identity Verification, organizations can make these once-vulnerable moments resilient to social engineering attacks by ensuring the user who is attempting to gain access is who they say they are. We are giving customers the option to integrate with Persona to offer differentiated experiences that help provide this assurance at the helpdesk, during enrollment, and for self-service account recovery.

Helpdesk Verification
This solution allows end-users to quickly and easily verify their identity when contacting the helpdesk for assistance, whether the request is identity and access management (IAM) related or a call to HR or payroll to update their direct deposit. This is a market-leading offering that integrates identity verification directly into Duo’s security-first IAM platform and is available via the Duo admin panel or Admin API. This functionality will be available to all customers in Beta starting in late July 2025.


Remote Onboarding Identity Verification (IDV)
This solution provides high identity assurance during user enrollment, making enrollment codes or email links useless should they happen to fall into the wrong hands. This offers the best of both worlds: the ability to use any of Duo’s flexible end-user self-enrollment methods, coupled with high assurance that the intended user is the one completing enrollment. This functionality is expected to be in Alpha soon, with a wider Beta release expected in late summer 2025.
Self-Service Account Recovery
As mentioned before, self-service is only valuable if it is secure. You also need a credential to access self-service in the first place. Duo plans to add the ability for users to use their identity to regain access to the self-service portal so that they can add or reactivate an authenticator and then independently get back to work. This further reduces an organization’s helpdesk costs while providing the user with autonomy to self-solve. This functionality is expected to be in Alpha by fall 2025, with a wider Beta release expected by the end of 2025.
How it works

So how does Duo Identity Verification work? The solution does require a separate Persona account and licensing, but Duo and Persona provide an integration that makes configuration of this solution as simple as possible!
Once everything is set up in Duo and Persona, this is how IDV works.
When the verifying user is redirected to Persona, they will be asked to provide a snapshot of their government-issued ID and take selfie photos. Persona will perform a variety of verification checks depending on how the organization has configured things. Among them are:
Various checks on the government ID, such as legitimacy, expiration date, and tampering
Various checks on the selfie, including liveness detection, deepfake detection, and matching of the selfie to the photo in the government ID
Checks to see that the user in Duo matches the user who has undergone identity verification
Once the user successfully completes verification, the Duo admin will be informed of the result, or the user will be taken to the next step of the flow they originally entered. If your organization retains selfies within Persona, they can be used to enable an even faster selfie-only re-verification should the user verify themselves again later.
Conclusion
With these workflows now more resilient to social engineering, organizations can even more confidently support their users, near and far, and achieve deployable end-to-end phishing resistance.
Are you new to Duo? Sign up for a free trial today and learn more about Duo IAM!
About Persona
Persona is a leading secure identity verification (IDV) platform trusted by organizations across industries. It empowers companies to confirm user identities quickly and securely, so legitimate users can continue to do their important work with minimal interruption while stopping attackers in their tracks. Persona offers global support and has flexible options that can be tailored to your organization’s unique needs.
*Note: The features described above remain in varying stages of development and will be offered on a when-and-if-available basis. The delivery timeline is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.