New Duo Device Health Application Enhancements: More Security, Increased Confidence
Confidence in data can be a lot like having a good friend. When we trust the source, our confidence in the truth of the information we receive grows. And like any relationship, there’s room to develop that trust.
Originally built to support contractors using personal devices, the Duo Device Health application (DHA) took on an expanded role to help establish device trust by checking both the health and management status of endpoints before granting application access. Increasingly, it’s being used to differentiate managed devices from unmanaged BYOD (Bring Your Own Device). Now, we’re moving forward with enhancements that will further increase confidence in the truth of the data the DHA reports.
Stop the spoof
The enhancements to the Device Health application address two security challenges. The first is to make it even more difficult for a bad actor to “spoof” the DHA and its data. This improves confidence that the data reported by the Device Health app is valid, comes from a legitimate source and has not been tampered with during transmission.
The second is to make it more difficult for that bad actor to cause a device that should not be trusted (in the context of Duo Trusted Endpoints) to appear as though it should be trusted. Let’s take a look at the enhancements and how they overcome these challenges.
Device Health application enhancements
Automatic Device Health Application Registration, Payload Signing and Device ID Pinning are a set of capabilities that, when combined with Duo Trusted Endpoints, make it even more difficult for a bad actor to use a fake version of the DHA in place of the legitimate application or to tamper with the data reported by the app. With all three enabled, IT teams can more confidently depend on the source, authenticity and legitimacy of the Device Health app’s reports, which are used to determine the trustworthiness of the access device and enforce a Duo access policy.
If the Device Health app is not already registered, Automatic Registration will occur when a user accesses a Duo-protected application and successfully completes multi-factor authentication (MFA). The DHA will generate a cryptographic keypair, store the private key on the access device and send the public key to Duo, where it is stored and associated with the user, account and access device.
If any of those three attributes changes (say, someone else uses the same access device to log into an application owned by the same Duo account), the registration process will repeat. This allows for many-to-many scenarios: multiple users can share the same device, a single user can use multiple devices, and any or all of them can register with multiple Duo accounts.
The private key that was generated during registration is used to cryptographically sign the data payloads sent by the Device Health app. The signature is verified by Duo’s back end using the public key that was sent at the time of registration. If the payload’s signature is invalid, either because it did not come from a legitimate DHA or it has been tampered with, the access attempt will be blocked.
Device ID Pinning
This feature works best when coupled with the Device Health app-based Trusted Endpoints feature. Device ID Pinning makes it more difficult for a bad actor to capture the device-identifying information used to decide whether an endpoint should be trusted and then make their own access device look like a trusted endpoint. For example, it is theoretically possible for a determined bad actor to identify device IDs, such as the UUID (Universally Unique Identifier) or CPUID (CPU Identification), that Duo considers trusted, and to have their own access device present itself with the same device IDs. A device that should be untrusted would then appear trustworthy.
Device ID Pinning prevents devices that have already registered with a set of unique device IDs from registering again. Once enabled, the feature blocks any attempt to register a Device Health app where the access device has already been registered for that user and account. That way, a bad actor attempting to spoof a trusted endpoint will be blocked. If a legitimately registered device needs to register again because the private key was removed (re-image, OS reinstall, etc.), an administrator has the means to de-register the device so that it can be registered again.
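The registration, payload-signing and pinning flow described above can be modelled end to end. The following Go program is an added example written for this article; it is not Duo’s code, and the health-report fields, the `regKey` triple, the `Backend`/`Scenario` names and the Ed25519 choice are all assumptions made to illustrate the mechanism rather than anything the page specifies. It shows the back-end side accepting a correctly signed report, rejecting one altered after signing, refusing an impostor that reuses a pinned device ID with its own keypair, and allowing a fresh registration only after an administrator de-registers the device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// regKey is the (user, account, access device) triple a registration is tied to;
// DeviceID stands in for identifiers such as a UUID or CPUID.
type regKey struct{ User, Account, DeviceID string }

// HealthReport is a constructed stand-in for the app's report; the fields are an
// assumption for this example, not Duo's schema.
type HealthReport struct {
	DeviceID      string `json:"device_id"`
	DiskEncrypted bool   `json:"disk_encrypted"`
}

var (
	ErrPinned       = errors.New("device ID pinning: already registered for this user and account")
	ErrBadSignature = errors.New("payload rejected: unregistered device or invalid signature")
)

// Backend models the verifying side: one pinned public key per regKey.
type Backend struct {
	keys    map[regKey]ed25519.PublicKey
	pinning bool
}

func NewBackend(pinning bool) *Backend {
	return &Backend{keys: map[regKey]ed25519.PublicKey{}, pinning: pinning}
}

// Register stores the app's public key. With pinning on, a second registration for
// the same triple is refused until an administrator de-registers it.
func (b *Backend) Register(k regKey, pub ed25519.PublicKey) error {
	if _, exists := b.keys[k]; exists && b.pinning {
		return ErrPinned
	}
	b.keys[k] = pub
	return nil
}

// Deregister is the administrator action that lets a re-imaged device register again.
func (b *Backend) Deregister(k regKey) { delete(b.keys, k) }

// Verify checks a report's signature against the key stored at registration.
func (b *Backend) Verify(k regKey, payload, sig []byte) error {
	if pub, ok := b.keys[k]; !ok || !ed25519.Verify(pub, payload, sig) {
		return ErrBadSignature
	}
	return nil
}

// newAppKeypair models the app generating its keypair on the device; the private
// key never leaves it. A failing randomness source is unrecoverable, so panic.
func newAppKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignReport serialises the report and signs exactly the bytes that are sent.
func SignReport(priv ed25519.PrivateKey, r HealthReport) (payload, sig []byte) {
	payload, _ = json.Marshal(r) // cannot fail for this plain struct
	return payload, ed25519.Sign(priv, payload)
}

// Outcome records the four checks Scenario runs.
type Outcome struct{ LegitAccepted, TamperRejected, ImpostorBlocked, ReregisteredAfterDeregister bool }

// Scenario: register, accept a signed report, reject a tampered one, block an impostor
// reusing the device ID under pinning, then de-register and allow a fresh registration.
func Scenario() Outcome {
	var out Outcome
	backend := NewBackend(true)
	key := regKey{User: "alice", Account: "example-org", DeviceID: "constructed-uuid-0001"}

	pub, priv := newAppKeypair()
	if err := backend.Register(key, pub); err != nil {
		panic(err) // nothing is pinned for this triple yet
	}
	report := HealthReport{DeviceID: key.DeviceID, DiskEncrypted: true}
	payload, sig := SignReport(priv, report)
	out.LegitAccepted = backend.Verify(key, payload, sig) == nil

	// Tampering in transit: the encryption claim is altered after signing, so the
	// original signature no longer matches the bytes the backend receives.
	report.DiskEncrypted = false
	tampered, _ := json.Marshal(report)
	out.TamperRejected = backend.Verify(key, tampered, sig) != nil

	// Impostor with its own keypair but the same device ID: pinning refuses the
	// re-registration, and its signature fails against the key pinned earlier.
	ipub, ipriv := newAppKeypair()
	ipayload, isig := SignReport(ipriv, report)
	out.ImpostorBlocked = errors.Is(backend.Register(key, ipub), ErrPinned) &&
		backend.Verify(key, ipayload, isig) != nil

	// Re-image: the private key is gone, the admin de-registers, and the rebuilt
	// device registers again with a new key.
	backend.Deregister(key)
	npub, _ := newAppKeypair()
	out.ReregisteredAfterDeregister = backend.Register(key, npub) == nil
	return out
}
```

The design point worth noticing is that the signature binds the report to the key stored under the (user, account, device) triple, so a forged app cannot produce an acceptable payload without the private key, and with pinning on it cannot simply overwrite the stored key by registering again; the only recovery path for a genuinely rebuilt device is the administrator’s de-registration.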
Having trust in the source of the data we receive gives us confidence that it’s accurate and reliable. With the security enhancements we’ve made to the Duo Device Health application, you can be confident that the source, authenticity and legitimacy of the data reported by the Device Health app are trustworthy and not being spoofed by bad actors.
If you’d like to try the Device Health application and experience the new security enhancements for yourself, sign up for a free 30-day trial.