Openness + Transparency = Better 2FA Security for All
At Duo, we strive to be open and transparent about all aspects of our business. We believe it's key to building trust with our customers, and vital to delivering authentic, pragmatic security in an industry full of hype.
That openness can manifest itself in very simple ways. For example, our documentation is publicly available on our company website and our pricing is transparent and simple to understand. Maybe it doesn't seem like a big deal, but it's quite uncommon in the stodgy enterprise security space, where vendors seem to be allergic to addressing how customers actually want to buy services in the modern day.
It's a similar story for our integration software (e.g. the software that you install to protect your services and applications with Duo's two-factor authentication), which is publicly available to anyone on the Internet. For example, you can freely download our duo_unix integration or just browse the source code on GitHub, instead of the software being hidden behind a paywall or made accessible only through a customer portal.
So, what does any of this have to do with security?
Since our integration software is available to anyone on the Internet, it allows enterprising researchers to download and audit our software. Other vendors might argue that hiding the software might make it harder for an adversary to find vulnerabilities (i.e. security by obscurity), but that's not a philosophy we subscribe to. Vulnerabilities are vulnerabilities, and they're present whether you hide your software or not.
Recently, Duo's openness paid dividends, not only for our customers but for the security of the entire two-factor authentication industry.
Several months ago, researchers from FireID Security reported an issue to us in our Outlook Web Access (OWA) integration. In particular, they discovered an extra component of OWA called Exchange Control Panel (ECP) was not protected by two-factor authentication. Thanks to their research, we were able to resolve the issue in our OWA integration, and notify and protect our customers.
Perhaps unsurprisingly, this issue with the ECP functionality of OWA was not unique to Duo. In fact, the OWA integrations of other two-factor vendors were (and still are) also affected, according to preliminary analysis by FireID. We're hoping that FireID Security's disclosure will prompt affected two-factor vendors to audit their software and release any necessary patches.
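The ECP issue is a coverage gap: a second-factor gate mounted on one virtual directory (/owa) never sees requests for a sibling directory (/ecp) that accepts the same mailbox credentials. The Python model below is an added illustration, not Duo's integration code; it shows the "before" configuration beside the corrected one, plus an audit that lists the directories a given configuration leaves uncovered. The per-segment, case-insensitive path matching is an assumption modelled on how IIS treats paths, and the list of directories is constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed for this example: Exchange client-access virtual directories
# that accept the same mailbox credentials. The page names only OWA and ECP;
# any real deployment should audit every directory it actually exposes.
EXCHANGE_VDIRS = ["/owa", "/ecp"]


def path_covered(path, protected_prefixes):
    """True if `path` lies under one of the protected virtual directories.

    Matching is per path segment and case-insensitive (assumed to mirror IIS),
    so /OWA/auth/logon.aspx is covered by "/owa" but /owa-help is not: a naive
    string-prefix test would get the second case wrong.
    """
    segments = [s.lower() for s in urlsplit(path).path.split("/") if s]
    for prefix in protected_prefixes:
        want = [s.lower() for s in prefix.split("/") if s]
        if want and segments[: len(want)] == want:
            return True
    return False


def unprotected_vdirs(protected_prefixes, vdirs=EXCHANGE_VDIRS):
    """Audit helper: the directories a gate configuration leaves uncovered."""
    return sorted(v for v in vdirs if not path_covered(v, protected_prefixes))


def second_factor_gate(protected_prefixes):
    """Model of a path-scoped second-factor gate.

    The gate is consulted only for requests under a protected prefix; every
    other request passes straight through, which is exactly the gap when a
    sibling directory shares the first-factor credentials.
    """
    def handle(path, session):
        if not path_covered(path, protected_prefixes):
            return "pass-through (gate not consulted)"
        if session.get("second_factor_ok"):
            return "allowed"
        return "second-factor challenge"
    return handle


# "Before": the gate is mounted on the OWA directory only.
BEFORE = ["/owa"]
# "After": every directory that accepts the same credentials is covered.
AFTER = ["/owa", "/ecp"]
```

Running `unprotected_vdirs(BEFORE)` reports `['/ecp']`, while `unprotected_vdirs(AFTER)` reports nothing left uncovered.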
In this case, the simple step of making our software publicly available resulted in Duo customers being protected in advance against a multi-vendor vulnerability. The FireID Security researchers were able to sign up for a free trial, download and audit our OWA integration software, and report the issue to us without jumping through any hoops. And, assuming the other affected vendors release patches, we will have jointly improved the security of two-factor authentication for everyone.
I think Kobus Botha from FireID Security put it best: “I'd say this whole experience is a solid customer story in why it's a good idea to make your software easily obtainable.” :-)
We'd like to thank Konrad Blum, Kobus Botha and the rest of the FireID Security team for collaborating on the discovery, report, and disclosure of this issue. It's always a pleasure to work with like-minded researchers to help strengthen the security of security products themselves. You can read more about the disclosure in FireID Security's blog post here.
If you're a customer of another two-factor vendor, we recommend reaching out to your vendor to request clarification of whether a patch is necessary or available for OWA ECP.
Or, come give Duo a try instead! I think you'll find our open and transparent philosophy a breath of fresh air in a stale industry, and our product ain't too bad either. ;-)