Three Best Practices Every Security Leader Should Consider When Using Duo
As cybersecurity leaders have been stepping up efforts to secure all users and applications with multi-factor authentication (MFA), Duo Security is highlighting security best practices that can help deter against malicious attacks. With vulnerabilities such as PrintNightmare (CVE-2021-34527), which have been reported by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), it’s important to consider and reference a defense-in-depth security strategy to protect against ongoing security threats.
1. User Auditing
Have your team create a user audit of unenrolled users in Duo and create a plan for enrollment. Why do this? Making sure all users have a valid MFA device is crucial to secure Duo deployment. It deters malicious actors from attempting to enroll an MFA device if a user’s password is compromised.
2. Out-of-Band MFA Enrollment
Create an enrollment flow for MFA where the user’s password is not used to complete enrollment into MFA. With any MFA workflow, it is important to have confidence and trust in whoever is enrolling. Some organizations do not have confidence in user passwords and may not consider them fully trusted.
By securing and safeguarding your initial user enrollment workflow through an out-of-band enrollment process which does not use passwords, you will improve your overall security posture and can deter malicious actors from attempting to enroll into an MFA as a user.
3. Duo Policy Hardening
Utilize Duo Policy to deny access to unenrolled users. It’s important where possible to block any MFA enrollment through an externally accessible application, as these applications are accessible through the internet and can be an attack vector. Instead, rely on your out-of-band MFA enrollment process.
We provide additional, actionable steps for following these best practices in our guide for securing a Duo enrollment.
Duo Care helps ensure your MFA rollout goes smoothly
The three best practices discussed above can help ensure your organization properly builds extra layers of security. They also deters malicious actors from accessing your resources. Duo will continue to educate customers and safeguard organizations against potential attacks.
For interested customers who would like to continue the conversation with a trusted advisor, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.
You can also read our guide on preventing cyber actors from bypassing two-factor authentication.