Surviving the Oregon Trail of NIST and FIPS 140-2 Federal Requirements
Building any product is a journey, but building a cloud-based product that aligns with federal compliance objectives and NIST guidance is like setting out on the Oregon Trail: all you have is your trail equipment to get you across the country (and the will to not die of dysentery):
- Your wooden wagon is your MFA, your primary vehicle to move you across the country.
- Your rifle to ward off predators is your access controls, your source of food and protection.
- Your raft to float your wagon across the river is your authentication logs, which are there when you need them.
But what if your tools don’t solve your problems effectively and you’re left stranded with a broken wagon wheel? Taking it a step further, what if your MFA solution locked your end users out of productivity for four to eight hours at a time, with no flexibility to get them back online until they can reach the IT support desk in person?
Why We Built Duo’s Federal Editions the Way We Did
At Duo, we talk a lot about simplifying product design and reducing user friction. If this isn’t done thoughtfully, feisty end users will naturally work toward circumventing security controls, or will burn out in frustration trying to get their critical jobs done. “If nobody is going to help me get my wagon wheel fixed, PUSH THE DANG WAGON!”
I could have fun with that analogy for days, but at Duo we’ve raised the bar with our federal product by making cloud-based authentication and access control easy while remaining federally compliant and aligned with NIST’s Digital Identity Guidelines (NIST SP 800-63-3) and OMB ICAM policy guidance as the de facto standard.
Highlighting a few key federal product takeaways from Duo’s federal editions:
- We removed telephony-based (SMS/voice) authenticators from Duo’s federal editions altogether, following NIST SP 800-63B, which classifies out-of-band authenticators that use the public switched telephone network as “RESTRICTED” and requires the associated risk to be accepted when they are used.
- In March 2019, we made Duo Mobile authenticators (Push and Passcode) FIPS 140-2 compliant by default and mapped them directly to the NIST SP 800-63B Authenticator Assurance Level 2 (AAL2) requirements.
- We’re delivering FIPS 140-2 compliant implementations end to end when you use Duo’s federal editions. Not only have we made Duo authenticators FIPS compliant by default, but we’ve implemented FIPS on the backend of our cloud service for FedRAMP, and we provide a FIPS mode for Duo’s Authentication Proxy, so that your authentication traffic to and from Duo is FIPS 140-2 compliant. If you’re a visual learner like me, the diagram below shows how FIPS is implemented across Duo’s federal editions:
Don’t shame me if I influence a Duo developer to make me a Duo Federal Oregon Trail video game, of which I would take great delight in playing…
Try Duo’s Federal Editions
To learn more, read our Federal Guide tech specs.
Check out this CyberScoop article reporting that both the Republican National Committee (RNC) and the Democratic National Committee (DNC) are using Duo’s 2FA solution ahead of the elections to thwart potential threats.