Weak Cipher, TLS 1.0, and TLS 1.1 Deprecation with Duo MFA
TLS 1.0 and 1.1 were deprecated in March 2021 with IETF RFC 8996. Today, the baseline TLS version used by most enterprises and businesses is 1.2. Many organizations, particularly those in highly regulated verticals and government agencies, also have to meet their respective compliance requirements. These requirements – like HIPAA, PCI-DSS, etc. – mandate the use of TLS 1.2 as a minimum version to meet the latest security standards. The consequences of not meeting compliance requirements can be severe, ranging from hefty fines to significant legal consequences.
There are also real security risks of using TLS 1.0 or 1.1 in any IT infrastructure or solutions. Well-known attacks like BEAST (Browser Exploit Against SSL/TLS), POODLE (Padding Oracle On Downgraded Legacy Encryption), etc. target insecure TLS versions, increasing organizational risks in exposing both their own and their users’ valuable data, potentially incurring major financial penalties and legal liabilities. The ever-evolving hacker landscape also means new cyberattacks will continue to emerge for any businesses that are not moving forward with secure technologies like TLS 1.2 or 1.3.
Even with TLS 1.2, it has been shown that the use of weaker ciphers exposes unnecessary vulnerabilities to attackers (see FREAK).
To protect Duo Security customers and users from violating compliance and to properly protect their data, we are deprecating these insecure technologies from our solution offerings in 2023.
Duo is here to help you
For customers starting their zero-trust network access (ZTNA) journey with Duo multi-factor authentication (MFA), TLS 1.0 and 1.1 and some generally weak ciphers will no longer be supported by the end of January 2023.
For existing customers, Duo will remove support for TLS 1.0 and 1.1 and weak ciphers for those using our MFA solution starting June 30, 2023*. Any MFA client code – whether it is 3rd party applications, custom installers, Windows Login/MacLogin integrations, etc. – that has embedded Duo code will be updated to leverage TLS 1.2 or 1.3.
Weak ciphers (e.g. those using Cipher Block Chaining or CBC) that previously were available to encrypt the TLS 1.2 traffic will also be deprecated, ensuring that only industry-recognized strong ciphers can be used.
What action do you need to take?
At this time, there is no immediate action required by customers due to this TLS 1.0 and 1.1 deprecation. Duo will send out direct customer communication to describe the exact transition path in the first half of 2023. Please follow our instructions in these communications and plan for the migration as soon as possible, as you may otherwise experience service disruption after June 30, 2023.
We also understand that there will be situations where legacy systems may not be able to upgrade to higher TLS versions in the near future. We are providing a feedback form and will continue to work with you to ensure that there will be a viable solution moving forward.
*NOTE: Many Duo solutions (e.g. SSO) already only support TLS 1.2 and above today. The deprecation of TLS 1.0/1.1 from the MFA path will mean that all Duo solutions will support TLS 1.2 or 1.3 only.