Increase Trust in Smartphone Authenticators with Platform Restrictions
Two-factor authentication methods come in many flavors: One-time passcodes (OTP) are sent via text message (SMS), read aloud on the phone, generated on hardware tokens, and displayed on mobile devices. The mobile device that generates OTPs, sometimes called a soft token (or software-based token) has dramatically increased in popularity in the last few years. Take a look at the number of websites and apps supporting the Software Implementation category (175, today!) on twofactorauth.org.
Adoption of the soft token method has been accelerated by two factors (#sorrynotsorry): cost and passwords. The cost of using a mobile app as a two-factor authentication method is effectively free, and practically everyone that needs two-factor authentication has a device that can run a soft token app in their pocket. Combined with the fact that passwords have been proven to be increasingly ineffective in keeping accounts secure, it's no surprise that these phone-as-token methods are more popular than ever before.
Growth of affordable two-factor authentication is a big win for the Internet. While many of us (likely reading this blog) are willing to use a different password on every website, it is not practical to expect that most people will use a password manager (and use it properly). Enforce a minimum password length, require 2FA, and call it a day.
Evolving Phone-as-Token Authentication Methods
Five years ago, one-time password mobile apps were the most widely used, and free, two-factor authentication methods. In 2011, Duo Security introduced push-based authentication. This out-of-band, public-key-based authentication method isn't vulnerable to all of the attacks that have targeted some one-time passcode implementations. It's a lot more friendly to end-users, too. Given these security and usability improvements, it shouldn't be a surprise that industry analysts such as Gartner and Forrester, vendors, and customers are noting the popularity of push-based authentication methods.
Authentication security is no stranger to evolution. As two-factor authentication becomes more widely adopted, attackers will adjust their account takeover techniques. Whether it's SMS intercepting malware on Android or a mobile Remote Access Trojan (RAT) on jailbroken iOS, it's clear that attackers aren't getting any less clever.
So, how do companies evolve their two-factor authentication implementations and policies to adapt to these threats?
Restrict Authentication Methods with Duo Security
Earlier this year, we introduce the ability for Duo Security customers to restrict which authentication methods are permitted, by organization or user group. An organization that has 100% mobile phone coverage could eliminate the phone callback method, for example. Or, administrators, which almost always have higher privileges, could be restricted to only use Duo Push, our most secure authentication method.
Introducing Platform Restrictions for Duo Mobile
We've taken this concept a step further with Platform Restrictions. Now, Duo Security customers can restrict which platforms and operating system versions are permitted to be used as mobile authenticators running Duo Mobile. For example: Is Windows Phone not permitted by your organization's BYOD policy? Disable it. Want to make sure your iOS users are running a recent version of the OS? Set a minimum.
Permitted platforms are enforced for both self-enrollment and authentication, and permitted OS versions are enforced during authentication. The example below shows a Duo Mobile passcode attempting to be used with a policy that requires a minimum of iOS 7.
Try it today
This capability is being introduced as the first feature in our opt-in program for Duo Enterprise customers, Labs Features. Read the Labs Features FAQ to learn more. After giving it a try, please send us an email with your feedback: How you're using it, what you think it does well, and what you wish it did. firstname.lastname@example.org will get it to the right place.