<![CDATA[The Duo Blog]]> https://duo.com/ Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. Fri, 07 Aug 2020 08:30:00 -0400 en-us info@duosecurity.com (Amy Vazquez) Copyright 2020 3600 <![CDATA["Duo &" - The Power of Great Combinations]]> duokp@cisco.com (Ken Perkins) https://duo.com/blog/duo-and-the-power-of-great-combinations https://duo.com/blog/duo-and-the-power-of-great-combinations Industry News Fri, 07 Aug 2020 08:30:00 -0400

My History

When I started my career at Duo back in 2015, I was amazed how the product disrupted the strong authentication marketplace. My main job was to help prospects test out a modern, future-proof cloud authentication technology. Cloud security was a scary term back then, and the quickest way to allay those fears was to engage in a proof-of-concept (POC). 

My team’s POC high water mark was nine applications integrated in six hours! This feat occurred at a Kansas City healthcare organization. The team presented our hard work the next day during a 45-minute executive overview. The end users were and still are medical professionals (not an easy audience to satisfy).  After rollout, the Duo team was pleased when we heard back from the chief medical officer.  His direct quote was, “Duo was not as frustrating as I thought it would be.” The quote was about the highest praise a technology could receive from a practitioner. From then on, I was a Duonaut for life.

Back to Basics

Today things have changed and they haven’t. Security professionals get bombarded with the promise of passwordless, OAuth, machine-learning/AI, zero trust, the proliferation of data and its location and on and on. During the past few months, I have seen many green-lit projects (see above) get put on the back burner.  Companies had to get thousands of employees the ability to work from home securely, in some cases within a week. It made me stop and think about one of the original values of Duo. I will address one of the primary value drivers of the Duo.

Duos & Duo

The ampersand holds a special place in popular culture.  

  • Peanut Butter & Jelly
  • Bert & Ernie
  • Salt & Pepa
  • Batman & Robin
  • Romeo & Juliet

And hundreds more! If you would like to weigh in on the topic, here is a cool website: https://www.ranker.com/list/best-duos-of-all-time/ariel-kana

Duo has many ampersands as well!

Duo Offers the Broadest Range of Coverage 

Founded on the idea that applications can live in many places within your organization, Duo can protect 99% of applications. Yes, I did not say 100% - Duo can not natively do mainframe (HAL 9000 could live behind a “jump host”).  

Even though Duo was born in the cloud, our founders Dug & Jon (see what I did there?) realized that on-premises applications and servers were just as critical as cloud and hybrid applications. The Duo documentation page offers step-by-step instructions to deploy the investment of a secure workflow purchase.  

How Do We Do It?  

Duo takes advantage of standards and a vibrant partner community.  Legacy standards include RADIUS, LDAP, REST API, and even a WebSDK.  If you don’t feel comfortable starting from scratch?  Developers can take advantage of Duo’s Github page:  https://github.com/duosecurity  Modern standards include FIDO/FIDO2, WebAuthn and SAML

Partners can easily integrate Duo into the authentication workflow by using Duo’s AuthAPI or the WebSDK.  Baking Duo into third-party applications gives companies the quickest way to include a secure authentication workflow.

Want to try it out?  Duo makes it easy to test.  Companies can sign up for a free trial and jump right into protecting applications. Duo wants organizations to be completely protected, so a Duo license entitles companies to protect as many applications as they can.  There are no hidden costs.  

  • Users can authenticate as many times as they need 
  • Users can have as many authenticators as they need
  • Users can securely access as many applications they are allowed to 

Plus, how does no maintenance cost, professional services fees, support costs and continuous upgrades sound?

Duo & makes it easy to roll out to your organization quickly. This approach allows you to reduce user friction while protecting your most critical applications.

That’s All?

Do you remember reading all those “next” technologies mentioned above?  I would not be much of a salesperson if I did not answer the question, “What else you got?”  Of course, Duo offers multi-factor authentication (MFA), device trust and access controls; you will have an easy way to secure application access and enable the flexibility users need.  In summary, Duo offers all the building blocks to help you on your zero trust journey. 

Until next time and happy authenticating!

<![CDATA[5 Tips For Optimizing Duo Cloud Operations]]> jefyeo@cisco.com (Jeff Yeo) https://duo.com/blog/5-tips-for-optimizing-duo-cloud-operations https://duo.com/blog/5-tips-for-optimizing-duo-cloud-operations Industry News Thu, 06 Aug 2020 08:30:00 -0400

Cloud operations is a critical component to "keep the lights on" for any deployment, this also applies to software-as-a-service (SaaS) solutions. As a service owner, you might apply IT Service Management (ITSM) frameworks such as Information Technology Infrastructure Library (ITIL) to ensure compliance with regulations and controls. This would encompass change management, continuity management, availability management and configuration management for solutions deployed in the enterprise.

In this post, we will explore five tips for optimizing Duo Cloud Operations and apply the correct application to the context of service management

1. Inactive User Expiration

Capacity management for your licenses is important to manage costs for the company. If you are using directory sync to provision and deprovision users from Duo that would be the ideal source of truth as users are added and removed automatically on each sync. In cases where CSV imports are used, inactive users who are not deleted from the trash are still consuming licenses. Consider pre-setting a fixed number of days of inactivity after which users will be deleted.

2. Monitor the Duo Cloud Service

As part of availability management, you should understand if the communications with the Duo cloud service is active and if the Duo cloud service is up and running. You can do this manually or automatically.

Automated - Using Auth API

A monitoring script can be created and configured to run using your in-house monitoring system. The best practice would be to limit these calls to once per hour:

Manually Using the Status Page

There is a link under “Deployment ID” on the left panel in the Duo Cloud admin panel that will redirect you to the status page. There you can browse the state of the deployment with the associated issues. If you have a Duo Authentication Proxy, that is another monitoring option you can set up.

3. Configuration Management - Help From Device Insight and Endpoints

Configuration management in ITIL tracks and maintains detailed information of any IT components including installed software, versions and patch levels. Device Insight complements this ongoing and iterative process. This information is important as it integrates with other processes such as change management when IT decides to upgrade and change base OS versions and release management when IT decides to implement new apps and need secure authentication. To export this information go to Endpoints select the devices and click on Export.

4. Change Management - Policy Impact Report in the Duo Admin Panel

When IT introduces a new app into the environment, how would that impact be assessed? How would the project owner provide confidence to the change management approval board that it would not affect users? How can we monitor the environment for these impacts on an ongoing basis?

Thankfully, in the Duo Admin panel, there is a feature which helps address those questions and you can refer to the guide on how to read the report.

5. Telephony Credits Monitoring

If you use SMS or phone calls as one of the authentication factors, it is important to monitor the credit usage. Set a transhold to alert the IT administrator's email distribution list so you know when credits are low.

The other thing to consider is to restrict users from overuse. This can easily be configured under Settings-> Telephony credits. I recommend using Duo Push instead because it is free and it is more secure, as it is out of band.


I hope these tips will better help align your cloud operations with an ITSM framework like ITIL. It is important for the cloud operations team to keep abreast of changes in the cloud environment to adequately address issues in a timely manner. I recommend downloading Duo’s free whitepaper “How to Successfully Deploy Duo at Enterprise Scale'' to learn more about considerations when rolling out Duo.

Try Duo For Free

With our free 30-day trial you can see  how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[How Phishing Impacts Healthcare]]> sbila@duo.com (Slavka Bila) https://duo.com/blog/how-phishing-impacts-healthcare https://duo.com/blog/how-phishing-impacts-healthcare Industry News Fri, 31 Jul 2020 08:30:00 -0400

It was a murky morning in mid-March 2020 at around 5 a.m. local time when the public announcement system at Brno University Hospital in the Czech Republic started to repeat an unusual message. All personnel were asked to immediately shut down their computers as a cybersecurity measure. If that wasn’t an unpleasant start to the morning, the message was repeated every 30 minutes.

At around 8 a.m., there was another public announcement saying that all surgeries were cancelled due to a cyberattack. Soon after, teams from the Czech National Cybersecurity Center (NCSC), Czech Police and the hospital's IT staff joined forces to help recover the hospital's IT network.

Though dramatic, the incident forms a part of a common trend. Hackers are a resourceful bunch and a period of crisis is a vital soil for their endeavours. Whether a geopolitical crisis or a pandemic, hackers take advantage of the moment when IT security staff may be putting out fires elsewhere.

Recent European Healthcare Security Breaches

The first half of 2020 saw the European healthcare sector falling victim to a number of similar cyber attacks:

Hackers Have Healthcare on Their Radar

Why do sophisticated hackers target healthcare? Motivators include medical records or health insurance information (such as insurance policy IDs) that could be used to commit healthcare insurance fraud. 

The continued digitalization of the sector seems to be a double-edged sword: technology continues to play a more important part in how healthcare organizations deliver patient care, conduct research or deliver education; however, the pace of digitalization has, in some cases, outstripped the speed of cybersecurity.

Healthcare’s cybersecurity systems are in a need of an improvement. But how can the sector which doesn’t have cybersecurity as a core business area effectively address this challenge? And where is the best place to start? Access controls? Endpoint protection? Training? 

Some would recommend starting with what’s considered the weakest security link in an organization: end users. After all, phishing is a social engineering method and as such, it leverages end users to get access to devices, and eventually networks.

Phishing Attacks: Hook, Line and Sinker

Many end users think they know how to recognize a phishing attack, from lookalike websites to advance fee requests (often from faraway countries boasting a number of spelling mistakes).. Yet, according to the recently published Data Breach Report by Verizon, every fifth data breach involves phishing. The report points out “a substantial increase in the number of breaches and incidents reported.”

“The number of confirmed data breaches increased from 304 in 2019 to 521 this year and phishing has played a significant role in this surge.” –Data Breach Report, Verizon, 2020

The success rate of phishing campaigns stems from their nature — the sense of urgency and/or familiarity the combination of which offers a strong incentive for people to open malicious emails. All forms of phishing such as a business email compromise or BEC (hacker sends an email impersonating a senior company executive), email account compromise (a BEC attack launched from an impersonated sender’s email account) clone phishing (an attack leveraging a genuine, previously sent email) or spear phishing (a very targeted attack) rely on familiarity or urgency or both.

Phishing: Users Are the Weakest Link

Phishing is big business and easy money, especially phishing-as-a-service (PaaS) which is the hackers version of software-as-a-service (SaaS). A timely payment of a monthly fee is all it takes for an aspiring hacker to get access to a service that does all the dirty work. There’s no need to learn how to code, host fake websites or worry about selling the harvested data. Phishing-as-a-service removes technical and logistical issues, and opens phishing as an income stream for a wide group of people.

Credentials compromised via phishing could lead to data breaches. In fact, the Verizon 2019 Data Breach Investigations Report found that 80% of hacking-related breaches leveraged weak and compromised passwords. It isn’t just susceptibility to phishing that makes end users the weakest security link. Though unintentionally, end users are often responsible for compromised credentials. Many do not keep with the company policy or simply reuse passwords, which they use across a large pool of platforms with a varying degree of security out of convenience. 

99.9% of Account Hacks Can Be Prevented With MFA

The good news is multi-factor authentication (MFA) is an easy way for healthcare organizations to prevent stolen credentials due to phishing and anything else. Znet.com reports that 99.9% of account hacks can be prevented with MFA. By adding another form of authentication, MFA can prevent a hacker from gaining full access to a network even if user credentials have become compromised. 

Duo protects clients applications by using an additional form of validation, like a phone or token, to verify user identity before granting access. Duo is engineered to provide a simple, streamlined login experience for every user and application, and as a cloud-based solution, it integrates easily with existing technology.

“Duo offers a very clean self-enrollment process and has a lot of pre-existing integrations with a variety of products we already use. We were able to quickly deploy the solution to our users and since haven’t seen any phishing attempts,” said Richard Bailey, vice president of IT Operations at Pruitt Health.

Similar to Pruitt Health, Marin General Hospital (MGH) also deployed Duo’s MFA solution to protect against an increase in phishing. The hospital needed secure remote access for thousands of physicians, physician staff, partners and contractors, and tos protect access to their email, VPN, EHR and more. They chose Duo because it was so simple to deploy to so many quickly.

Device Trust for Contract Workers 

But what about device trust? Devices pose risk, too. Particularly personal, contractor and partner devices, which are often outside the control of the IT department. Many of these are not enrolled in any device management solutions such as EMM (enterprise mobility management) or MDM (mobile device management), but require access to cloud applications such as Office 365, Workday or Salesforce. 

Enforcing consistent security policies across managed devices, BYOD (bring your own devices) and third-party (contractor or partner) devices poses a significant challenge for healthcare security teams.

Use Case

Sentara Healthcare addressed this challenge with Duo Access which comes with the Device Insight application. It enabled Sentara to gather deep insights into the security posture of mobile devices, such as out-of-date operating systems, passcode/lock screens, encryption and biometrics. By doing so, Sentara dramatically reduced the security risk of a data breach caused by phishing and other malicious attacks 

Securing Remote Healthcare Worker Access 

In the new world where remote working is a norm, many healthcare organizations need to secure remote access for their staff; from physicians and partners to contractors. This also means organizations must secure a wide pool of devices with varying degrees of cybersecurity measures in place, meaning some devices reflect safe online habits while others may be affected by unsafe web browsing, emailing or texting.

Gain Clear Visibility Into All Devices Accessing Your Network

Having control over which devices can access corporate applications is therefore extremely important. Duo’s Device Health application helps organizations achieve this by blocking access attempts from devices which do not meet device health checks previously stipulated by IT admins. With a few clicks, IT admins can identify end users who are using risky devices, for example those running out-of-date operating systems (OS), browsers, Flash and Java versions, etc.

As many industry professionals have pointed out, phishing is not going away. As phishing and spear-phishing campaigns become more sophisticated, it pays to be proactive and protect your organization against phishing attacks.


Recent cyber attacks have prompted the healthcare sector to review its ability to predict, prevent and respond to cyber threats. Bearing in mind that the weakest security link in an organization is its end users, many healthcare organizations have been investesting in cybersecurity education as well as evaluating suitable technology to combat increasingly sophisticated social engineering techniques such as phishing. Many, including Pruitt Health and Marin General Hospital (MGH), have deployed an MFA solution to help defend against and ultimately reduce attacks that bypass traditional security measures (such as firewalls) and protect both the perimeter of their network as well as the inside.

Learn More

Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust. 

Then check out our Device Trust webinar.

<![CDATA[Providing a Passwordless User Experience]]> wgoerlich@duosecurity.com (J. Wolfgang Goerlich) https://duo.com/blog/providing-a-passwordless-user-experience https://duo.com/blog/providing-a-passwordless-user-experience Industry News Tue, 28 Jul 2020 08:30:00 -0400

Take a moment and remember your first time online, or perhaps your first time on a terminal. All that promise at your fingertips. You’re prompted for a password. Your first password. What did you type? 

I admit a little nostalgia for my first few passwords. They meant something to me. A little bit of text, a shared secret between me and my machine. They meant something to others, too. Late last year, vintage passwords from BSD pioneers were found and cracked. We’re talking the early 1980s. Two struck me. Ken Thompson used a chess move (p/q2-q4!). Clever. Eric Schmidt’s password was his wife’s name (wendy!!!). Adorable.

I used to make jokes in my passwords. Sometimes, I’d make promises (saveMoney!, sleep@More). I’m willing to bet you did the same. What changed?

Well, a password is meaningful to create when it’s your first one. A password is fun when you have a couple. By the time you’re reaching hundreds of accounts? The joy is replaced with the tedium of entering another unique phrase. (Or worse, reusing a well-known password. If you’re doing that, don’t tell me.) Even the idea of sticky notes with passwords is now a quaint memory. Who has monitor space for hundreds of stickies?

I don’t churn butter. I don’t pluck chickens. And I no longer make up passwords. Today, most of mine are randomly generated. Frankly, I’m looking forward to even those random passwords going the way of homemade butter, acoustic coupler modems, and CRT screens.

Let’s look at planning for a passwordless tomorrow.

Passwordless Use Cases 

The journey to passwordless begins with less passwords. Locally, that might be workarounds like password managers. Centrally, that might be single sign-on (SSO) dashboards. The task is to identify the authentication workflows people are using and then begin to reduce the complexity. 

There are a couple challenges here. First, it’s no mean feat. A person in the workforce averages 191 passwords. It’ll take time to inventory, assess, and consolidate these passwords. Second, it still leaves passwords vulnerable to compromise. As we move towards fewer passwords, we’re still relying upon a long-lived shared secret as the primary authentication factor.    

The security benefits come from removing passwords as the primary authentication factor for the use cases. For example, on mobile and desktop platforms, people may authenticate with biometric data in a Secure Enclave or Trusted Platform Module (TPM) on Touch ID or Windows Hello. For web application use cases, this likely means authenticating with FIDO2; the specification which uses Web Authentication (WebAuthn) and the Client-to-Authenticator Protocol (CTAP). Long term, passwordless will be extended to provide secure access for every enterprise use case (hybrid, cloud, on-premises, and legacy apps).

The passwordless experience for users means fast authentication with little friction. Criminals and adversaries experience IT with no shared secrets to copy, replay, or brute-force. And for administrators, the passwordless experience is one of identifying and migrating use cases, incrementally and iteratively, to delight the end user.

Passwordless Quick Wins and Long Hauls

Strategy is motivating people and marshalling resources towards a goal. As I wrote in Thinking Strategically About Passwordless, passwordless is a tactic for gaining support for security initiatives through providing a better user experience. The business case can be prioritized by influence, by impact, or by effort. Consider providing a passwordless experience to key stakeholders and security champions, thus building support. Evaluate deploying passwordless for teams with a high number of authentications or a high number of password resets, thus saving time and support costs. Of course, low effort areas to deploy such as web apps that already support FIDO2 are also good choices to build momentum.

There are some areas where passwordless is tougher to deploy. The first example is where people are unable or disinclined to use biometrics. As we’ve seen recently, this could be because of personal protective equipment interfering with facial or fingerprint recognition. Additionally, some people have significant trouble enrolling in fingerprints. We see this most often with older workforce. The next area is where shared equipment is the norm, such as call centers. Many passwordless solutions tie a person to their device for strong authentication. When multiple people share one device, this security model breaks down. For these types of use cases, it is better to tackle others first while the technology continues to improve.

There’s one other consideration when selecting use cases to migrate into a passwordless experience: regulatory compliance. Many standards require a password plus one or more additional authentication factors. While it can certainly be argued that passwordless provides the same level of security; auditors and standards will take time to catch up to new approaches. It is best to begin the conversations now with internal audit, while proving out the passwordless technology in other areas.

Final Thoughts

To help organizations prepare for passwordless, we published a new white paper “Passwordless: The Future of Authentication.” 

In the paper, you’ll find a five-step phased approach to realizing passwordless authentication.

Providing a passwordless experience means incrementally shifting use cases from password-enabled authentication to other factors. The end goal is improving the user experience for our workforce, while removing many tactics criminals and adversaries use today to gain access. 

Not all use cases will go quietly into the night. We’re still in the early days and it will take time for infrastructure and adoption to catch up. Good thing too, as this gives us time to plan and use this shift strategically.

And I don’t know about you, but I’m looking forward to someone cracking my password 40 years from now. “What did he mean by Wdx8yJGzXXOuobE3,” they’ll wonder, marveling at a time when people still had to manually type in credentials. 

Read more about the path to passwordless in our passwordless blog series.

Try Duo For Free

With our free 30-day trial you can see  how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[Virtual, But Still Vital: Attend Black Hat 2020 From Home]]> noelle@duo.com (Noelle Skrzynski Hardie) https://duo.com/blog/black-hat-2020 https://duo.com/blog/black-hat-2020 Industry Events Wed, 22 Jul 2020 08:30:00 -0400

It’s hard to believe we’re already halfway through 2020 and Black Hat is right around the corner. This year’s Summer Camp looks a little different -- Black Hat (August 1-6), DEF CON (August 6-9), and the Diana Initiative (August 21-22) are all happening virtually, and Queercon and BSides have sadly been cancelled. That doesn’t mean there won’t be plenty of learning, networking, and skill-building opportunities available at these sites. 

In fact, attending remotely means you don’t have to navigate through huge crowds to make your next session. It also means you can sneak some snacks and drinks in during keynotes. And of course, what you choose to wear under the desk is up to you. (Rainbow pajamas? Leopard-print jeggings? No pants at all? Do it up.)

Cisco Virtual Black Hat Booth: Registration Required

“Protecting What’s Now and What’s Next. That’s Cisco Secure.”

Connect with us at the Cisco virtual booth anytime between 8:30 a.m. and 6:00 p.m. PDT on August 5 and 6. At the booth you’ll get insights into Cisco Security’s newest features and latest research from Duo, Umbrella, Talos and Cloud Mailbox Defense. 

Learn how Duo Trust Monitor identifies risky and abnormal user and device behavior in your corporate environment, view Umbrella’s ThreatWise Episode on new Umbrella features in Viptela/vManage, and chat with our technical experts about SecureX.  Additionally, there will be plenty of sessions to attend at the virtual booth. 

Tune in for any of the following:

In addition to our sessions, Cisco Global Lead of Inclusion and Collaboration Strategy, Trey Boynton, is offering insight into the importance of diversity and inclusion through a written spotlight interview. A former diversity and inclusion executive at Duo, Trey now leads these efforts for the greater Cisco organization, and we couldn’t be more proud and excited that she’s shaping and strengthening Duo and Cisco’s values. 

"You'll need a Business Hall Pass to access speaking sessions and all sponsored content - register for one for free here. For access to Research Content (like Eldridge’s talk), you can purchase a Briefings Pass here.

DEF CON Safe Mode

It might be remote this year, but DEF CON Safe Mode still boasts some of the same exciting opportunities for participation as our beloved in-person conference. As always, there will be villages galore, the Capture The Flag competition, and there will be a DEF CON badge, created by LostboY (@1o57), so be sure to check on the DEF CON page for more information. 

The Diana Initiative

Focusing on Women, Diversity, and Inclusion in Information Security, the The 2020 Diana Initiative Virtual Conference will provide two days of speaking tracks, a Capture The Flag event, and three villages: Career Village for job-seekers, Maker Village for DIYers, and Lockpicking Village for picklocks. This year’s two keynotes are “Empathy as a Service to Create a Culture of Security” by Tracy Z. Maleeff, Information Security Analyst for The New York Times Company, and “What Does it Mean to Be a Barrier Breaker?” by Yolonda Smith, Head of Cybersecurity for sweetgreen.

With only a few weeks to go, make sure you’re registered for these upcoming events! Let’s kick off August in style (rainbow pajamas, leopard-prints, and all!) Until then, stay safe, enjoy the sun, and we’ll see you at the conference!

Try Duo For Free

With our free 30-day trial you can see  how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[WHITE PAPER: How to Successfully Deploy Duo at Enterprise Scale]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/guide-how-to-successfully-deploy-duo-at-enterprise-scale https://duo.com/blog/guide-how-to-successfully-deploy-duo-at-enterprise-scale Industry News Tue, 21 Jul 2020 08:30:00 -0400

At Duo, we have helped thousands of companies to enable secure access to applications and services from anywhere on any device. Enterprise multi-factor authentication (MFA) rollouts can be complex and nuanced. We have found that the most successful rollouts include some upfront analysis and planning. It doesn’t have to be time-consuming and usually pays off in faster speed to security and lower support costs.

Security that is easy is security that is used. We have found that putting users at the center of your rollout strategy is a great way to shift their mindsets from reluctant compliance to enthusiastic engagement.

According to ZDNet.com 99.9% of account hacks can be prevented with MFA. Duo’s MFA (or two-factor authentication) is recommended by the Department of Homeland Security, is FedRAMP approved, helps the enterprise stay compliant and more. Our approach to security includes strong user identity protections, Device Trust, Trust Monitor, and adaptive policies to assist enterprise organizations on their journey to a zero-trust solution (trust no authentication attempt without verifying identity with a variety of factors). 

When you are ready for Duo’s enterprise-level MFA solution, we created this step-by-step guide on our best practices for implementation.

In this white paper, you will learn about:

6 Steps to Successful Enterprise MFA Deployment 

1. User-Centric Planning

Enterprise organizations are most successful at MFA deployment when they place user experience at the forefront of their plan. In this guide, we share our must-use checklist for successful user adoption to help you fasttrack your mission.

2. Application Scoping

Whether you want to test run a pilot program for securing applications or need to do a full-scale deployment, this guide walks you through with our top planning tips for application scoping.

3. Rollout Strategy

A successful MFA execution for enterprise customers often starts with a thoughtful rollout strategy. Similar to launching a successful marketing campaign, introducing a new security process works best with notable touchpoints and milestones. This guide addresses useful strategies for enterprise rollouts. 

4. Communication to Users

There are many great ways to communicate with users when adopting an MFA security solution. In this guide, we share with you the best communication practices for enterprise customers that are tried and true based on our experience. 

5. Training and Support

Preparing the front lines and having the help desk team trained and ready is a recipe for success. This guide offers helpful hints on how to get the word out to users, while ramping up expertise internally.

6. How to Measure Success

We recommend starting with success metrics prior to adoption to create a clear path to measure successful outcomes. In this guide, we share common enterprise success metrics for you to keep in mind while preparing for your launch. 

“We consistently see that organizations who take the time to be thoughtful about their implementation increase their speed to security, reduce support costs and increase user satisfaction. That’s often a welcome surprise,” said Darcie Gainer, product marketing manager at Duo.

Learn more

Download our free white paper, “How to Successfully Deploy Duo at Enterprise Scale'' and learn how to jumpstart your organization’s security modernization to cloud-based multi-factor authentication in six easy steps.

Try Duo For Free

With our free 30-day trial you can see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[Can Passwordless Authentication Be Trusted?]]> wgoerlich@duosecurity.com (J. Wolfgang Goerlich) https://duo.com/blog/can-passwordless-be-trusted https://duo.com/blog/can-passwordless-be-trusted Industry News Tue, 14 Jul 2020 08:30:00 -0400

Every new feature we introduce to our users is potentially a new tactic we provide our adversaries. When I was learning to drive, this happened with car steering wheel locks. Do you remember these? Big bars people would put on their steering wheels, painted bright colors like neon pink. Sure, the owners felt more secure. But there was a problem. Car thieves developed a technique of cutting the steering wheel and using the bar to break the built-in wheel lock. 

A security feature turned into a tactic the criminals used. Fortunately, we’ve learned a lot since I took to the road. Take passwordless, for example.

Is Passwordless Authentication Even Safe?

“If someone steals my password, I can change my password. If someone steals my fingerprint, what do I do then?” 

Good question. We immediately think about password rotation because that’s about the only tool in the password toolbox. But moving to other authentication factors opens up new ways to stop credential reuse.

Tools to Help Passwordless Thwart Credential Theft

Device Trust 

Device Trust is one of the clearest indicators of whether an authentication is trustworthy and comes from a device the person has used before. In other words, the device identity, is it trustworthy?  It may seem easy to steal credentials, it’s significantly harder to steal them and their device used most often with them. Device visibility and device inventory reduces risk of credential theft. But like car security, the device itself might be used for circumventing controls. To address that, check the device health to see if the device is out-of-date, has been tampered with or jailbroken, or is potentially infected with malware. 

Smarter Platforms 

We can’t make a smarter keyboard that prevents adversaries from entering passwords. But equipment manufacturers are making smarter fingerprint readers and anti-fraud cameras for facial recognition. In addition, storing biometric data in a Secure Enclave or Trusted Platform Module (TPM) greatly limits what adversaries can steal, as well as providing brute-force and anti-hammering protections.

Monitor Trusted Access with Behavioral Analytics

Assume the adversary has somehow gotten the person’s biometrics, and stolen their device and circumvented the device’s platform security. (I know, that’s a lot of assumptions). It is doubtful the adversary will connect up and do the person’s work. Setup behavior analytics with Trust Monitor to model activity and telemetry and baseline the person’s activity. When suspect and potentially malicious activity is detected, the adversary can be investigated, caught, and stopped.  

Set Adaptive Policies

While the above increases trust in authentication in general, keeping abreast of a large workforce is a significant undertaking with passwordless authentication in particular. Automated and quick responses are key. We can enable adaptive access policies based on the above. Set the trust authentication based on the context of the user, device, location, behavior, and more, to prevent credential re-use.

In Conclusion

Looking back, advances in ubiquitous connectivity and near-field communications shifted how we prevent car theft. Looking forward, advances in device health and behavior analytics will shift how we prevent credential theft. In both cases, the trick is to view the problem from a wider lens and consider how adversaries will act before and during an incident. The broader view makes it possible for us to take actions that have stopping power, without introducing new risks.

We can increase trust in new approaches such as passwordless by reducing overall risks associated with authentication. With Duo, this approach includes strong user identity, Device Trust, Trust Monitor, and adaptive policies

Try Duo For Free

With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[VIDEO: Instantly Restore Accounts on Your New Phone!]]> lmejiari@cisco.com (Louis Mejia) https://duo.com/blog/instantly-restore-accounts-on-your-new-phone https://duo.com/blog/instantly-restore-accounts-on-your-new-phone Industry News Mon, 06 Jul 2020 08:30:00 -0400

See the video at the blog post.

We’re excited to announce that we are bringing Instant Restore to Android! This is a feature we launched earlier this year on iOS that makes changing phones easier than ever with Duo Mobile. You can now effortlessly and securely move your Duo-protected accounts to your new phone, making the transfer possible in just a few seconds.

Ditching your old phone? Don't forget to transfer your two-factor authentication (2FA) accounts to your new phone. Knowing how important it is to access your accounts when you need to, Duo has developed an easier way to get your Duo-protected accounts set up on your new phone or tablet so you can continue to verify your identity when logging in, preventing a potential account lockout. It’s really easy.

Note: Duo-protected accounts can only be active on one phone at a time. After transferring them to your new phone, your old phone can no longer be used to authenticate.

Which accounts get restored?

Instant Restore will transfer your Duo-protected and Duo Admin accounts. If you enabled automatic reconnection for third-party accounts, those can be restored, too. Find out more about restoring your third-party accounts.

Note: Windows Offline accounts are not restored and need to be manually reconnected on your Windows machine.

How does Instant Restore work on Duo Mobile for Android?

When Duo Restore is enabled, we back up your accounts' non-sensitive data to a hidden folder in your Google Drive that’s only accessible by the Duo Mobile app on your devices. The backup includes a token that, when combined with a QR code displayed by Duo Mobile on your old phone, helps establish trust in the new phone to ensure that it's really you.

Once said trust is established, we automagically reach out to Duo's service on your behalf to reactivate your Duo-protected accounts on your new phone.

Note: Your Duo-protected accounts’ sensitive information is not included in these backups. Your security is at the heart of Duo and we want to ensure your information is always safe and private.

3 Simple Steps to Instantly Restore Duo Accounts on Android

(Have an iPhone? We got you! Learn how to restore your iphone.)

Now we are going to show you how to save both time and effort by quickly transfering your Duo-protected accounts to your new phone in 3 simple steps!

Before we begin, make sure that your Duo Mobile app is up-to-date. This feature is available on Duo Mobile versions 3.32.1 and above for Android. You can check your app version from the settings menu within Duo Mobile.

Step One:

Open Duo Mobile on your old phone and enable “Backup accounts with Google Drive” under Settings > Duo Restore.

*Also transferring third-party accounts?

If you use Duo Mobile to protect your third-party TOTP-enabled accounts like Instagram or Dropbox, consider enabling automatic reconnection for third-party accounts while you're here. Keep in mind, enabling this option will prompt you to create a password used to encrypt your accounts backup. This is to keep your accounts safe and secure.

Step Two:

While still on your old phone, navigate to Settings > View QR Code.

If you can’t see this option, please contact your organization’s administrator or help desk for assistance reactivating your accounts on your new phone.

Step Three:

Pick up your new phone, install Duo Mobile, open it and tap “Get my account back.” You will then be prompted to scan the QR code shown on your old phone.

If automatic reconnection for third-party accounts was enabled on your old device, as recommended, a prompt to enter your backup password will follow.

That’s it! Your Duo-protected accounts should now be up and running on your new phone.

We want to hear from you!

We're always looking for ways to improve your experience with Duo, so don't hesitate to reach out to us with your comments on Twitter (@duosec) or leave a review on the Play Store or the App Store.

Try Duo For Free

With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[#WeAreDuo Employee Spotlight with Glenn Stempeck]]> wtellache@duo.com (Whitney Tellache) https://duo.com/blog/weareduo-employee-spotlight-with-glenn-stempeck https://duo.com/blog/weareduo-employee-spotlight-with-glenn-stempeck Industry News Wed, 01 Jul 2020 08:30:00 -0400

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer, Account Executive etc. at Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo? 

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with R&D Manager Glenn Stempeck to learn about what he does and his experience at Duo.

Glenn Stempeck

Employee Name: Glenn Stempeck

Title / Department / Office Location

Engineering Manager / R&D / Ann Arbor

How long have you been at Duo, and what do you do here?

I have been with Duo for just over one year now and manage engineers on the Windows Engineering Team split between Ann Arbor and Austin.

What's your day-to-day like at Duo?

The day-to-day typically involves a combination of identifying what our future stories are for simplifying security for customers using Windows operating systems and working with engineers to solve the key problems on our road to providing visionary technology solutions; all while supporting our current customers day-to-day enterprise Windows challenges. Our goals is always to be kinder than necessary.

What tools do you use to help you do your job? 

We use a variety of tools to help us do our jobs. We use Workboard to define high-level prioritized objectives to work through each quarter; Phabricator for more granular tracking of daily work; Visual Studio to drive our code changes; Gitlab to drive our release and testing automation; and even Microsoft Azure to build entire environments in which we test our products to ensure security, quality, and trust for our customers. Probably the most powerful tool we use though is a variety of learning platforms — from books and wiki's to developer networks — to online options and of course learning from each other, learning every day is the requirement to play for us engineers.

How do you and your team collaborate with other teams within Duo?

We collaborate in a variety of ways. For example, we have cross-team endpoint team demos where our engineers are encouraged to demo something for peer engineers on other teams. We have product managers, designers, and QA engineers embedded on teams joining daily stand-up's and team meetings. We even have a collaboration time, where we invite folks inside and outside the team to bring a topic where collaboration is required to help each other out.

How did you get your job at Duo?

Having been in a variety of spaces in technology as a jack-of-all-trades, master of some (the C# language, in case you were wondering), I applied to this role at Duo after hearing from others that had joined the company how amazing the culture, people, collective intelligence, mission and products are. It all seemed "too good to be true" so I had to check it out for myself. I was fortunate enough after interviewing with over half-a-dozen folks to be offered the position. I can now attest, all the amazing talk isn't just talk - it's true! 

What is the first thing you do when you come into the office?

Coffee, repeatedly.

Any big projects or goals you're currently working on?

Expanding Windows features to Win the Enterprise 

What’s an important lesson you’ve learned while working at Duo?

When your actions (beyond simply words) demonstrate that you care about people, you will be loved.  We care, which is why we're the most loved company in security. 

How is Duo different than other places you've worked?

Many other places I have worked prioritized urgent short-term gains and quick delivery of technology. Duo cares so much about security, quality, and trust, that it leads us to prioritizing building for the future instead of rushing to release. We prioritize investing in our people and our products for the long-term success of both. It results in great products and company environment.

How is your role at Duo different from roles you've had with other companies?

Leadership is a highly valued, high-leverage activity at Duo. We don't view leaders as individual contributors with side-reports, they're a key component of our success. Good leaders build good teams, which build good products and organizations. I'm proud to lead here!

What would you tell someone considering a role at Duo?

Do your research.  Believe in the good that you hear about Duo, because it's the reality here.  Come and be your best self here, and know that the company, leaders, and peers will be the best you've ever worked with regardless of how much time you spend here. Join for the learning experiences, and because you enjoy making a real difference in lives and organizations throughout the world. It happens here every day.

We’re hiring! If your mission is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want you! Learn more at duo.com/careers

<![CDATA[Strong MFA: The First Stop on the Path to Passwordless]]> ahickey@duo.com (Andrew Hickey) https://duo.com/blog/strong-mfa-the-first-stop-on-the-path-to-passwordless https://duo.com/blog/strong-mfa-the-first-stop-on-the-path-to-passwordless Industry News Tue, 30 Jun 2020 08:30:00 -0400

Passwords, the antiquated security mechanism in place since the 1960’s, have since their inception caused user and administrative frustration due to their complexity and frequent resets. As technology has evolved, there is a strong desire to move away from the use of passwords, but it’s not as if we’re going to wake up tomorrow morning and – POOF! – we never need passwords again. 

We have too many apps; too many accounts; too much complexity. 

Yes, there will eventually come a day when passwords are just a pesky thing of the past. And businesses are currently evaluating a good place to start their journey in preparation for a passwordless reality. 

Gartner predicts that by 2022 60% of large and global enterprises and 90% of midsize enterprises will implement passwordless methods in more than 50% of use cases. Right now many are evaluating what adopting passwordless, sometimes referred to as “modern authentication,” means and where to start.

As with any major technology shift and architectural change, the journey toward a passwordless environment should be a phased approach, with a handful of stops along the way; and based on your environment there may be some twist and turns too.

To help organizations prepare for passwordless, today we published a new white paper “Passwordless: The Future of Authentication.” The paper, written by Duo Advisory CISO J. Wolfgang Goerlich, examines how digital transformation is prompting a shift toward passwordless authentication and its business benefits, while laying out a five-step phased approach to realizing passwordless authentication.

“Sixty years after adopting the password as the primary authentication factor, we’re at a unique moment in history, where we can both improve the user experience and increase the security posture,” Wolfgang says. “Passwordless provides a strategic opportunity to get users excited, and this latest white paper shows how to move security programs forward.”

Passwordless vs. Less Passwords

Since passwordless doesn’t happen with the snap of a finger – think about it, the average business user must keep track of 191 passwords, we’re not going to eliminate them in one fell swoop – it’s important to start by using less passwords, as in reducing your reliance on passwords.

One way to start moving toward passwordless practices and to lower the risk of credential theft is by identifying and selecting specific use cases for passwordless in your organization. Next, rank these use cases based on user experience, IT time and costs and security and compliance risks. From there, group them by applicable passwordless solutions – or you may end up with a series of point products. Once ready, you can create an implementation plan for areas that will have the biggest impact and have the shortest time to value.

This sets the stage for more pervasive passwordless authentication within your organization. 

Strong Authentication

The point at which users are accessing applications is a practical starting place for an organization’s passwordless journey. If we are getting rid of the password, we need to make sure that we have mechanisms in place to verify trust in the user, passwordless doesn’t mean no authentication but strong, secure authentication with less friction.

This is where multi-factor authentication (MFA) truly shines. 

Implementing strong MFA for secure access to all applications – cloud, on-premises, hybrid – offers broad security coverage and allows you to reduce your reliance on passwords while letting you modify password policies to require less frequent resets. This combines to alleviate help desk burden and costs, and ultimately quell user frustration.

With MFA, you can eliminate the risk of using passwords as the single form of user authentication and reduce the risk of credential theft by requiring a second method of identity verification that cannot be easily stolen remotely by an attacker –  and let’s face it, passwords have proven themselves pretty easy to steal. According to Verizon’s 2020 Data Breach Investigations Report (DBIR), more than 80% of hacking breaches involve brute force or the use of lost or stolen passwords. 

MFA opens the door for additional authentication methods – whether it’s through biometrics, security keys, mobile devices and more. MFA, in many cases, can take the day-to-day use of passwords out of the equation.

Simply put, MFA provides more factors. More factors provide more choices for verifying identity. In the future, these alternatives enable security leaders to carefully calibrate authentication to balance ease of use and strength of security. 

MFA From Duo

Duo provides an agnostic platform that can be integrated across your environment to protect your cloud and legacy applications, the desktop, remote access and more with strong MFA. Duo provides diverse authentication options to support your diverse user base, and with MFA protecting every application, your users’ credentials will be protected by a strong layer of security that thwarts account takeover.

MFA from Duo gets you started on the path to passwordless and reduces your reliance on passwords.

Read more about the path to passwordless in our passwordless blog series.

Try Duo For Free

With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[7 Observations (I Didn’t Expect) From a WFH World]]> rdeyer@cisco.com (Ryan Deyer) https://duo.com/blog/7-observations-i-did-not-expect-from-a-wfh-world https://duo.com/blog/7-observations-i-did-not-expect-from-a-wfh-world Industry News Thu, 25 Jun 2020 08:30:00 -0400

At the time of this post, my team has spent more of 2020 in mandatory WFH (work from home) than in-office. Right away, there were a few predictable challenges that came as little surprise to anyone; balancing kids at home while working; onboarding new employees remotely and missing the interaction with my co-workers. Keeping everyone on the team closely aligned and engaged takes extra effort. These types of things I might have predicted would be issues, and for the most part still bare true. What I didn’t expect are some of the benefits that have come along as well. 

Here are my Top 7 observations 

1. Not being constrained by conference rooms

At most companies (including ours) availability of conferences rooms (especially desirable ones) during peak times is a challenge. With an entirely WFH environment, teams suddenly aren’t hunting for conference rooms or adjusting schedules based on when they become free. When we want to meet, we all hop onto a video conference call with little to no friction and we’re off and running. Those precious minutes and sense of freedom actually make a big difference.

2. We learned more about our co-workers personal lives

We used to ask our coworkers questions around the coffee machine such as “how’s your day going” or “how’s your family doing?” Now we’re seeing how they are doing. We see their houses, kids and pets moving around in the background. My team isn’t worried about making everything look buttoned up behind them. They understand this is a new normal and it’s okay for everyone to see a little chaos behind them now and again. I’ve gotten to know my co-workers better than I did before. I remember the names of their spouses and kids because I'm actually seeing them each week, not just once a year at a holiday party.

3. Co-workers without kids had challenges I didn’t anticipate  

It was a fairly obvious prediction that parents would have challenges balancing the needs of work when their kids are suddenly home all day and craving attention. What I didn’t understand and appreciate early on is that co-workers without spouses or kids would have their own set of unique challenges. Being distraction free sounds great in theory, but the distractions of a spouse or kids often can help reset your brain when you need a break. Kids often wake up around the same time each day and eat meals around the same time each day, meaning parents have a built-in defined routine. 

The co-workers on their own often kept working late into the evening or coming back to work throughout the evening, if nothing else because they were bored. Without a clear boundary ending their day, they were slowly burning themselves out. 

One method our team started to counteract this blending of time without boundaries, was setting an end time for the day by physically packing up your laptop. It may seem silly to pack up when you’re not going anywhere, but there is a sense of peace knowing that part of your day is done and reinforcing it with that simple action.

4. Social interactions and equality evolved

Think about the dynamics of a team out at a restaurant together for a social lunch or happy hour. Some people are at the ends of the tables and others are in the middle spots. Some people create sub-conversations with the person next to them. Many conversations can develop at once, leaving some people out.

Now, think of a virtual happy hour during quarantine. Each person’s video is allotted the same amount of size on the screen. Only one conversation can happen at a time. Suddenly we’re all on the same level. We see and hear the same things. There’s a sense of togetherness when we share such a common experience.

5. Productivity didn’t drop

Our teams operate in two week sprints. I wasn’t sure if measurable outcomes from our sprints would go up or down in a mandatory WFH world. I was surprised by how consistent they performed compared to when we were all in the office. Analyzing data only, you would have no idea such a large change had happened with our teams. Will that continue? Only more time and experience will tell us that. 

We saw some teams start to have their first minor drop in measurable outcomes in sprints after 2 months. It was easy to see temporary burnout had started to set in for many of the team members from being home so much. We’re fortunate that Cisco started to see this and has since given our employees two extra holiday days off to help team members recharge in the middle of this new normal and encouraged us to take time off as needed. Their family first approach is comforting.

6. We’ve become less self conscious about schedules

There probably isn’t an employee out there that hasn’t needed to leave work early for a day and wondered if anyone was judging them while they packed up and others continued to work. A change I noticed happening during mandatory WFH is that team members started embracing their unique schedules. People seemed less self conscious of taking off time in the middle of the day or ending their day early. Why is that? 

I would argue, it’s because we don’t have a choice and everyone knows it. We need to take care of our kids, take mental breaks, and our spouses are trying to work in the same house as well, etc. I find it refreshing that we’ve embraced flexible schedules and more fully trust that we’re all getting the job done — even if we can’t see each other physically next to us.

7. No one got left out of the conversation

Hallway conversations and water cooler chats are one of the hardest things for a remote employee to overcome when the rest of their team is co-located. With everyone WFH that problem is not prevalent. When our team members want to talk they send chat messages in a public channel or launch a video chat that anyone can join. In many ways communication amongst the team is easier, not harder as I would have expected before all of this.

Where to go from here

Our next step in this giant unexpected social experiment is what happens when some of us go back to the office and some of us stay remote. That setup is what many of us used to consider normal. 

Will we find it easier or more challenging? Will we revert to our old ways? Will we remember the positives and find ways to replicate them in a hybrid environment? 

Maybe we can all borrow a piece of the Agile methodology and hold retrospectives with our teams to ensure this period of time results in meaningful change for the better. We can work as a team to create a list of what went well during this WFH stretch, what didn’t go so well, and define ideas the team can experiment implementing. 

Overall, what I have learned from this new way of working is that this is an opportunity to treat this moment in time not as an inconvenience but a chance to grow as a team.

Try Duo For Free

With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[What I’ve Learned From My SMB Customers]]> itsfrank@cisco.com (Frank Chevannes) https://duo.com/blog/what-ive-learned-from-my-smb-customers https://duo.com/blog/what-ive-learned-from-my-smb-customers Industry News Wed, 24 Jun 2020 08:30:00 -0400

I’ve been at Duo Security, now part of Cisco, for close to 3 1/2 years. Coming in I had very little knowledge of cybersecurity and what drove the industry, so I treated my first year at Duo like a student would his freshman year at University. But with such open and honest prospects and customers alike, my first 12 months didn’t feel like a trial by fire. Thankfully, lol.

In that first year, I learned a wealth of knowledge, which in many cases came straight from our customers. I quickly began to understand what Duo’s mission of democratizing security truly meant. Each time I was introduced to a new company, I noticed a common trend: generally, within the SMB space, we were speaking with small teams with low resources and limited time. And yet, in front of those same teams were a plethora of objectives with challenging timelines. 

When it came to providing secure access and multi-factor authentication (MFA) solutions to their respective organizations, each SMB team mentioned four common needs: speed, simplicity, coverage, and value, typically driven by compliance, industry standards, requests from consumers, and sometimes, unfortunately, preventing another breach. 

Let’s look at these needs one by one:


We always want to know from our customers what timelines they’re working towards so we can provide them with useful resources on time. What stood out to me is the reality that within a business, if a project isn’t moving at a respectable pace stakeholders can lose interest or suggest other options they believe will achieve the same outcome quicker. Fortunately, Duo offers a solution that can be set up in hours, not days or weeks. Anyone with a laptop or desktop can create an account, grab a guide from our documentation library and integrate Duo with numerous applications – all before breaking for lunch.


It was apparent that traditional security solutions were complicated, cumbersome, and required a tremendous amount of user training to get them off the ground. This also impacts speed. Duo customers find that verifying your identity as an end user is no more challenging than answering a text or liking a picture on Instagram. We all know how to give someone a thumbs up or thumbs down. Duo’s authentication flow works in a similar way: a green check to verify that it’s you and a red X to alert your IT team that your credentials may have been compromised.


By far the biggest misconception our customers make upfront is thinking there is no way one solution is going to cover all of their use cases. I’ve spoken to businesses whose applications are completely on-premises or are transitioning to the cloud, and even some who are a hybrid mixture of both who have really obscure and niche applications. Something which always sets Duo apart from the crowd is its ability to cover almost any use case an organization can throw at it. Duo is broad in its coverage and flexible in its deployment. You can’t really find an industry for which Duo doesn’t offer out-of-the-box solutions to solve key challenges.


Last but definitely not least. I’m sure we can all agree that no one is interested in talking to any provider who tries to sneak in hidden fees or is overpriced. At Duo, we’re all about transparency. You don’t even need to pick up the phone; our pricing is clearly listed on our website for the whole world to see.

For resource-strapped SMBs with small teams and limited time, Duo’s MFA delivers the speed, simplicity, coverage, and value they need to secure access to all of their applications.

Try Duo For Free

With our free 30-day trial you can see for yourself how easy it is to get started with Duo's trusted access.

<![CDATA[Duo Log Sync: Sending Your Duo Logs to Your SIEM]]> djaenicke@duosecurity.com (Daniel Jaenicke) https://duo.com/blog/duo-log-sync-sending-your-duo-logs-to-your-siem https://duo.com/blog/duo-log-sync-sending-your-duo-logs-to-your-siem Product & Engineering Tue, 23 Jun 2020 08:30:00 -0400

The Problem

Data is key for an organization to make any decision. But for data to be effective, it needs to be in a central location, which has presented a challenge.

Duo Log Sync helps customers overcome the challenge of data centralization by allowing them to easily send their logs from Duo to the SIEM of their choosing.  

Before we began development on this tool, we wanted to make sure we understood the customers’ pain points rather than just their problem. As such, we reached out to as many customers as we could from our community and from our Customer Success teams. We conducted 44 interviews with companies ranging from SMBs to large enterprises.

In our conversations with customers we found that there was no simple way for customers to send logs from Duo to a SIEM. In fact, we discovered that some level of technical experience was required to achieve even a rudimentary ability to do this.  

When digging in further and listening to what the customers’ ideal solution would look like, four key themes emerged: 

  • Simplicity: A solution had to be easy to install, setup, and then forget about
  • Granularity: Customers need the ability to configure Duo Log Sync to accomplish their aims
  • Compatibility: A solution had to be easy to use with the ever-expanding field of SIEMs
  • Flexibility: A solution must allow customers to make customizations if they need to tinker

To solve our customers’ pain points and also address these four key themes we designed the Duo Log Sync tool from the ground up.

The Technical Implementation

The lead engineer for this project, Rohan Bendre, made sure the application was as simple as possible so end users could make changes locally if needed and use it for their specific use cases.

In order to achieve simplicity, the architecture of our tool was a pub-sub model. This means:

  • Producers are responsible for fetching logs from different endpoints and each endpoint has its own producer
  • Producers write data to different queues
  • Every log will have its own queue from which to consume data. This will allow Duo Log Sync to manipulate different logs in a different manner. e.g. sending different logs to different SIEMs over different transport protocols
  • Sending in different formats like JSON and syslog (CEF)

There were many technical considerations taken into account from our customer calls, and every call about Duo Log Sync touched on four key feature requirements:

  • It should be easy to install, setup and configure
  • Customers should have the ability to enable specific endpoints
  • The solution must be able to recover from application or network failures
  • And it must support multiple protocols (TCP, TCP over SSL, UDP)

To achieve the required features, we made sure to write our code as simply as possible so modifications would be easy to make. We also wanted to allow Duo Log Sync to be installed through PIP so customers could easily download and run it. Our configuration file has easy to follow parameters and we used asyncio to make asynchronous calls to endpoints.

Lastly, we wanted to make sure that our Duo Community could customize, improve, and tinker with Duo Log Sync, which is why we have made it open source. We cannot wait to see what the Duo Community does with the Duo Log Sync.

We know Duo Log Sync will continue to evolve with Duo’s offerings and we will make sure we continue to develop Duo Log Sync to address any pain points our customers experience.

Try Duo For Free

With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[What’s the Deal With the CCPA?]]> info@duosecurity.com (Mike Serra) https://duo.com/blog/whats-the-deal-with-the-ccpa https://duo.com/blog/whats-the-deal-with-the-ccpa Industry News Mon, 22 Jun 2020 08:30:00 -0400

Imagine Jerry Seinfeld performing his 1990s standup comedy routine in front of a brick wall saying to the audience: “what’s the deal with airline food?” Now, picture Jerry Seinfeld as a lawyer in 2020. The brick wall is his home office. His audience is now a cat (or maybe folks on a Webex call). Sporting horn-rimmed glasses and a shock of gray hair, “Lawyer Jerry” stares at a client’s email on his computer screen, squints, and says to himself: “what’s the deal with the CCPA?”

What is the CCPA?

The California Consumer Protection Act (CCPA) is a comprehensive consumer privacy law designed to give California residents the right to know what information about them is processed and with whom their information is shared. The CCPA gives California residents similar rights as Europeans receive under the General Data Protection Regulation (commonly referred to as GDPR) including rights of access, portability, as well as the right to opt-out of the sale of their personal information. Because the CCPA applies to all California residents, understanding the CCPA’s requirements is important for companies around the world who serve or may serve Californians. 

So, What is the Deal With the CCPA?

Lawyer Jerry along with scads of compliance officers, data scientists, information security professionals, and others in similar roles are pulling out their hair trying to understand the CCPA. Sure, you can read the law. But it’s more complicated than that. And the stakes are high. One estimate reported that corporate compliance costs could be around $55 billion

Here is where things stand as of publishing this article in June 2020: the CCPA took effect on Jan. 1, 2020, however, the California Attorney General must wait until July 1, 2020 to begin enforcement. In the meantime, the Attorney General’s Office was tasked with issuing regulations to facilitate, clarify, and provide guidance to consumers and businesses about the law. It issued proposed regulations, updated those regulations in February, updated them again in March, and submitted final proposed regulations in June. Those final proposed regulations will be reviewed by California’s Office of Administrative Law and filed with the Secretary of State before they become enforceable. Some questions remain about the enforcement timeline, especially regarding the regulations. Further impacting that timeline, 30 trade associations and companies have asked to delay enforcement generally because of the ongoing coronavirus pandemic. 

Adding to the confusion is a new data privacy initiative in California that recently passed its first threshold to qualify for the November ballot called the California Privacy Rights Act (the CPRA or colloquially known as “CCPA 2.0”). The CPRA intends to strengthen Californians’ privacy rights beyond the CCPA by regulating “sensitive” personal information (covering race, ethnicity, sexual orientation, etc.) and creating a new state agency overseeing privacy. 

How Can Lawyer Jerry Support His Clients With CCPA Compliance Needs? 

Although the details are murky, we do know that Californians will have the broadest data privacy rights in the United States. One option for Lawyer Jerry is to follow the approach of others. Duo Security and its parent, Cisco, could serve as an example for how to offer these kinds of data privacy rights to all individuals, whether they are in California, Europe, or elsewhere.

Duo and Cisco are committed to respecting and protecting the privacy rights of their workers, customers, partners, users, and others – no matter where they are located. Our long-standing security, data protection, and privacy program is anchored on the principles of transparency, fairness, and accountability and has been certified to align to privacy frameworks and legal requirements around the world (i.e., EU Binding Corporate Rules, EU/Swiss-US Privacy Shield, APEC Cross Border Privacy Rules system, and APEC Privacy Recognition for Processors). 

While Cisco cloud-enabled offerings (including Duo products) do collect, process, and share limited categories of personal information; they do so in order to conduct their business and provide their products and services. When we share personal information with business partners (like vendors and service providers who process data on our behalf), we do so pursuant to a written contract that prohibits such partners from processing the data for any reason other than performing the services as specified in that contract. 

Transparency is key for compliance with all data privacy laws. This is why Cisco publicly posts detailed information about its privacy policies in its Trust Portal. Cisco’s Privacy Data Sheets are key components of that Trust Portal. Each cloud-enabled offering has a Privacy Data Sheet spelling out the categories of data collected, the purposes of processing, and international data transfers, while also identifying subprocessors and retention periods, among other pertinent information. Duo’s Privacy Data Sheet can be found here

As the CCPA, CPRA, and other laws around the globe evolve, Duo and Cisco will update their disclosures and practices as needed to ensure privacy is appropriately respected and protected. We do so not only because the law requires it, but because it is right and fair. This practice benefits our customers and can guide people like Lawyer Jerry towards respecting and protecting privacy rights of all people. 

Try Duo For Free

With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[CyberSecure From Home in Canada]]> gattaca@duo.com (Dave Lewis) https://duo.com/blog/cybersecure-from-home-in-canada https://duo.com/blog/cybersecure-from-home-in-canada Industry News Thu, 18 Jun 2020 08:30:00 -0400

The universally accepted, “Home is where the heart is,” has recently proven itself to be mildly untrue. Any IT security professional currently navigating the ever-changing waters of these times will tell you that the new “work from home” norm is the opposite of where their heart lies, as they juggle supporting work from home while keeping their organizations secure. Their heroic efforts deserve a Timmies gift card to cover the unlimited double-doubles they are, no doubt, using as fuel to minimize any interruption to business. 

The Shifting Perimeter

Increasingly, organizations are facing a reality that the perimeter is shifting. Things are not neatly contained within a brick and mortar structure, or contained by national borders— and IT teams need to have measures in place to balance the need for security without impacting productivity. The new paradigm that IT teams face in supporting a diverse remote workforce has exposed a security quandary for many. Balancing a lack of resources, technological shifts, and conflicting priorities while still trying to meet requirements like the CyberSecure Canada certification mark is no small feat. Amidst all this kerfuffle, what is often overlooked is that the controls being put in place and security practices being adopted are all a part of a zero trust security approach

Canadian Center for Cybersecurity Tools

What we do know is that the perimeter-based security approach of the last century is no longer adequate for securing the modern enterprise.Today, organizations must secure a mobile workforce that uses a mix of corporate-owned and personal devices (BYOD bring your own device) to access cloud-based applications and services, often from what was previously thought of as outside corporate network boundaries. Luckily, the Canadian Center for Cybersecurity provides guidance and certification programs for organizations to become cybersecure. 

But what does being cyber secure even mean? And how can companies safely and effectively fast-track this move? With a list of baseline security controls, choosing the right moves to make can feel overwhelming; however, these controls provide a foundation for implementing a zero-trust approach to security. 

Key Cybersecurity Questions 

Right now, we need to be asking ourselves: How do I deal with identity and access management for a geographically dispersed workforce using a myriad of different devices? And how can I scale remote access in a timely and cost-effective manner? What solutions do I need to implement to do this securely? 

If you are not already asking these questions, I defer you to the insightful words that Margret Atwood shared during an interview with me on the Plaintext podcast, ”Do you have any idea what the consequences will be if you do not (fill in the blank)?... And you didn’t fix it, and now there has been a massive leak.”

Get ready to strap on your skates and put your stick on the ice. In the words of famed hockey player Wayne Gretzky, “This is a time when we need to skate to where the puck is going to be, not to where it has been.”

Canadians are innovators and inventors, producing notable things like ski-doos, jet-skis, velcro, zippers, insulin, penicillin, Zambonis, the telephone, short wave radios, Robertson screws (square hole) — but they don’t need to reinvent the wheel when it comes to implementing strong security that doesn’t impact productivity. Based on our answers to the questions above, we can navigate the implementation of the changes we decide to make. Searching for cybersecurity solutions from companies that make such implementation easy is critical. 

These times require a careful examination of the word, “opportunity.” The most readily available heuristics of the word tell us that opportunity presents itself in a positive way, with little to be undesired. However, while the remote workforce is difficult to navigate, it also provides an opportune time to take the leap into zero trust and secure your company’s network once and for all. 

The Right Time for Change Is Now

It does not have to be daunting, and there are things that you can start with today, like introducing MFA everywhere to protect all users (and move to a passwordless user experience), establish trust in devices, protect applications with access controls, and securing remote access. The tools to start today are readily available for lasting change.

To co-opt the words from the Tragically Hip — this is no dress rehearsal, this is our life — we are ahead by a century. By implementing the right controls, Canadian businesses can embrace the adoption of the cloud and remote work in a secure way, accelerating into the future of work. Implementing security practices is like having the right ratio of cheese to gravy on your poutine,, anything is good, but when you have to have the right combination it is perfection.

Duo is able to scale with customer needs as more organizations transition to working from home, with a complete 5-step program to implement zero trust for the workforce. Duo provides solutions that help organizations not only adopt a zero trust security approach, but helps organizations going through a digital transformation by protecting their Microsoft workforce applications including those like O365 and Remote Desktop.  

Try Duo For Free

With our free 30-day trial you can see for yourself how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[Standing in Solidarity: Celebrating Pride This June]]> kmitchell@duo.com (Kendra Mitchell) https://duo.com/blog/this-june-marks-lgbtq-pride-month-50th-year https://duo.com/blog/this-june-marks-lgbtq-pride-month-50th-year Industry News Wed, 17 Jun 2020 08:30:00 -0400

For over 50 years, we’ve celebrated June as LGBTQ+ Pride Month. Pride has its roots in the 1969 Stonewall riots, where it has been said that Marsha P. Johnson, a black transgender sex worker, threw a single brick that sparked the modern LGBTQ+ liberation movement. There are varying views on who, if anyone, actually threw the brick that first night. But it is undisputed that trans women of color like Marsha P. Johnson, Sylvia Rivera, Major Griffin-Gracie, and black lesbians and drag kings such as Stormé DeLarverie, played a key role in the events surrounding the Stonewall riots - and in the following decades of organizing and activism. Today, people all over the world, from Los Angeles to London and Lisbon, join together to celebrate Pride as part of one of the world’s largest human rights demonstrations.

This June feels different, though. 

The pandemic has altered the ways we live and come together as a community. Our streets are not filled with Pride floats and revelers, but rather protesters demanding justice as part of a long-overdue racial reckoning. Added to that, just last week we saw the killings of two black trans women, Dominique “Rem’mie” Fells of Philadelphia and Riah Milton of Liberty Township, Ohio. The Human Rights Campaign has called the specter of violence facing the black trans community its own national epidemic. And last Friday, on the same day we observed the 4th anniversary of the attacks at Pulse nightclub in Orlando, whose 49 victims were overwhelmingly LGBTQ+ and Latinx people, the trans community saw critical healthcare discrimination protections reversed. 

We’ve come so far, and yet have so far to go.

At Duo, we reaffirm our stance that LGBTQ+ rights are human rights. We know that we've come far (including this week’s landmark Supreme Court workplace discrimination ruling), but have yet to reach the finish line in the journey to fully secure the right to equality and freedom from discrimination for the LGBTQ+ community. Over the last several years, for many within the LGBTQ+ community, it has felt like a “whiplash of LQBTQ protections and rights.” If we factor in race and take an honest look at where we stand today, we see that we have much further to go in ensuring a just and equitable future for all. For example, systemic issues between black people, police and the jailing system extend to the trans community as well, with the trans community being 7x more likely to experience physical violence with police than non-trans people and nearly 50% of the trans community having experienced incarceration. 

As an ally, in addition to exercising your right to vote, contacting your elected officials to help hold them accountable for securing and protecting the rights of people in the LGBTQ+ community are critical acts of solidarity. 

Celebration is an act of both solidarity and survival.

For allies and members of the LGBTQ+ community, while this June feels different and a bit less celebratory, please know that it is possible to celebrate - and to do so while standing in solidarity with the black community and acknowledging intersectionality with communities of color. Don’t forget that pursuing joy and hope during these times can often be a critical act of survival, especially for members of marginalized communities. For those who have fought and for the gains that were made, we celebrate. We also celebrate in the hopes of an ever-brighter future. 

This Pride, I hope you celebrate, and that you don’t forget to remember why we do or that the marathon for equality continues.

Below are ways you can help support the fight for LGBTQ+ equality 

How to Support & Learn More

Organizations to Support: 

Resources for more information: 

Learn more about Duo's Culture here.

<![CDATA[New Guide: The Essential Guide to Device Trust in the Enterprise]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/new-guide-the-essential-guide-to-device-trust-in-the-enterprise https://duo.com/blog/new-guide-the-essential-guide-to-device-trust-in-the-enterprise Industry News Tue, 16 Jun 2020 08:30:00 -0400

Imagine you are a small business owner. Maybe you own a restaurant or accounting practice. You have seasonal employees who need to access your network. They might have to use their own personal devices to access your network and applications. You have limited bandwidth and IT support to manage the creation, deletion and tracking of devices accessing your network — or if they are using secure credentials. 

Now, image you are a giant global corporation and you have hundreds of workers all over the world, some full-time, some on contract, some with internships and they all need to access your network, each with a different degree of access. Companies of all sizes struggle with this basic endpoint security issue because it is difficult to get a clear picture of who and what devices are accessing your network. 

How do you secure BYOD (bring your own device) with a device trust management tool that is platform agnostic? We took all of these challenges and created a super simple device trust guide to walk you through how you can easily obtain device trust security and prevent stolen credentials at the same time. 

In this guide, you’ll learn about the problematic nature of establishing trust in the devices that are accessing corporate data and applications; considerations that need to be made to ensure only devices deemed trustworthy have access; and how Duo helps you improve device visibility, assess device security posture and enable continuous risk assessment.

Real-World Use Cases

You’ll also hear from five Duo customers about how they use device trust in their organizations to gain visibility, ensure secure access, enforce security policy, meet compliance and more. Duo's device trust works on all major platforms—Windows, MacOS, iOS, and Android and gives organizations a variety contextual controls to mix and match use across different platforms and device endpoints from mobile to desktop.

Get The Guide

Download The Essential Guide to Device Trust in the Enterprise now and learn how you grant access only to trusted devices.

Try Duo For Free

Now you know how to make the most of it, try our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device. 

<![CDATA[SSO and the Road to Passwordless]]> gattaca@duo.com (Dave Lewis) https://duo.com/blog/sso-and-the-road-to-passwordless https://duo.com/blog/sso-and-the-road-to-passwordless Industry News Mon, 15 Jun 2020 08:30:00 -0400

We’ve all heard the phrase “every journey starts with a single step.” While this might seem obvious on the face of it, we can often feel pressure to immediately arrive at our destination.

Discussions around passwordless often are too simplistic or too complex by trying to come up with an immediate solution instead of addressing the journey and its all-important first steps. I could not think of a more salient topic related to authentication these days.

Static passwords have long been a hobgoblin haunting our existence in the technological realm. When an attacker breaches a website they will, more often than not, re-use all of the purloined credentials against other websites to gain access. Why?

The reasons are rather simple:

People have an unfortunate predisposition to use the same password on multiple websites. For the average person it can be a challenge trying to remember the credentials for multiple websites. This is a problem I know well. In my own password management software I have no less than 929 passwords. There is no conceivable way I would be able to maintain all of those in my memory.

We, as humans, also tend to create passwords that are too short and too simple; translation: not complex enough. Remember, I have nearly 1,000 passwords in my password manager, it would be much easier to remember more of them if they were basic short words and phrases. Hence the frequent reminders from the tech press and your security team that “password” should not be your password. But therein lies the rub - hundreds of complex passwords are impossible to remember.

There must be a better way. How do we get to that wonderful state of nerdvana where access is simple but secure? It begins with a single step. The joy of this single step is that you can take it from the comfort of your fuzzy slippers ensconced in your own home. That journey to a passwordless future begins with single sign-on or SSO, which allows us to dramatically reduce our reliance on passwords. This is the state of authentication where disparate mechanisms coalesce to provide unified access control.

Rather than being expected to create, remember and secure many complex passwords, an individual would need to remember only one for their day job. One solitary password to rule them all! A welcome change! But if we channel Ron Popeil, “wait, there’s more!” we could further simplify access with the added layer of push based multi-factor authentication (MFA).

Imagine getting ready for your workday, be it either remote or in an office (someday) and only having to remember a single password, your mobile device and pants. It seems like something that is highly achievable.

OK, do we have your attention? This is a fantastic way to reduce the security exposure for an organization, and also for you as a user of these platforms. If we implement MFA in conjunction with SSO to marshal access to your email, document repositories and all manner of web based applications, there is far less chance that a phishing attack would be successful.

Additionally, an SSO portal can be set up to present as a landing page for employees when they first login. Each link in the page will provide access to the predefined applications they need to get work done. This would work in any vertical really: control systems, financial orgs, government, healthcare or retail as just some of the many examples.

This sort of deployment will make it easier for the people who need to get their jobs done. There will be a far lower number of help desk tickets opened up to reset passwords, especially if you allow your staff the ability to self manage their access.

Once SSO and MFA are in place, you are in a position to be able to transition your organization to using technologies like W3C’s WebAuthn standard for using public key-based credentials, for example, to secure access to web applications.

With every journey the foot has to first land somewhere on the road. Having those first couple of steps land on MFA and SSO are a brilliant move on the path to a passwordless adventure.

Read more about the path to passwordless in our passwordless blog series.

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[Upending Old Assumptions in Security]]> wnather@duo.com (Wendy Nather) https://duo.com/blog/upending-old-assumptions-in-security https://duo.com/blog/upending-old-assumptions-in-security Industry News Mon, 01 Jun 2020 08:30:00 -0400

Every time you think you’ve figured out this risk management thing, something else happens to torpedo your hidden assumptions. Remember when we assumed that an IP address was a pretty good indicator of someone’s physical location and origin, so a network-layer firewall was enough? Twenty years ago, the Jericho Forum started questioning that assumption, and today we have the zero trust movement.

This year we’re having to face the impracticality of other assumptions having to do with physical proximity and touch. We’ve known for a long time that for many people, especially for the disabled, showing up someplace in person with an ID in hand to perform an authentication was difficult, if not impossible. For help desk staff scattered outside the corporate buildings, it’s become harder to authenticate a caller who isn’t dialing in from an office phone, or who can’t show up and sign a form. I’m trying right now to figure out how to get a new passport photo taken and printed, when I used to be able to walk into a store without a mask. The physical presence factor isn’t a given, so how do we replace it?

Even biometrics are having a moment of concern, particularly with shared readers that everyone needs to touch with an ungloved finger or hand. It makes more sense for everyone to keep and use an individual biometric reader, and that drives users more towards personally assigned or provided devices. And contactless payment is great, as long as the bearer of the device doesn’t have to get too physically close to anyone else about to use it. We won’t even mention the problem with FaceID while wearing a mask.

This is where we come back to the tenet of adaptive authentication. We have to adapt to circumstances of technology use that we might not have foreseen, whether it’s a mobile phone shared within a family, a facility without cellular service, a point-of-sale terminal that is used by so many staff members in one day that individual logins take too long, or by providing a second authentication factor in a sterile operating room. And we have to plan for outages of anything we used to rely on, whether it’s within a long supply chain or key people in a workflow process. 

Security For Today

The good news is that we have enough options and enough creativity to adapt. We can make risk decisions such as, “If everyone has to use an X, then everyone has to have their own X.” CISOs are used to granting exceptions to policy for specific periods of time: “You can skip that step as long as you re-verify it within 24 hours.” Let’s face it: we’re dealing with a very dynamic environment calling for numerous exceptions that may become permanent policy, so here’s what we can do:

  • Document your risk decisions: who made them, who approved them, what the reasoning was behind them, and how long they’re expected to be in effect.
  • Examine your controls for single points of failure (what will you do if you don’t have any connectivity of any kind?), and build in alternatives, even if you don’t feel comfortable with them. Yes, we know SMS is hackable, but sometimes it’s all we have, and it’s better than nothing.
  • Security is all about tradeoffs and mitigations, so make sure you have a robust process in place where anyone can make a suggestion or a request. “Yes, you can use your own device as long as you update its software within the same time period as our managed devices.” 
  • And finally: build for the future, even if you don’t know what the future will bring. Flexibility is not the same as temporary fixes, and we all know that it’s the latter that tend to lead to security vulnerabilities. A cloud instance that was only supposed to be a proof-of-concept for a short time, so it isn’t secured; a website set up for a sale that has been over for weeks; a firewall port that was opened “just until we get this into production” -- even though things are changing rapidly right now, we can’t afford to build up technical debt even faster than before. 

We can live in the now, but it might turn out to be a long “now.” Let’s get comfortable and stay alert.

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[Trials and Transformations: Test Driving Multi-Factor Authentication and Zero Trust Solutions]]> wgoerlich@duosecurity.com (J. Wolfgang Goerlich) https://duo.com/blog/trials-and-transformations-test-driving-multi-factor-authentication-and-zero-trust-solutions https://duo.com/blog/trials-and-transformations-test-driving-multi-factor-authentication-and-zero-trust-solutions Industry News Thu, 28 May 2020 08:30:00 -0400

Does this sound familiar? “It’s just a trial. I have plenty of time. I’ll get to it when I get to it.” I’ve heard these things from my team in the past, and I hear them more now, given today’s culture of try before you buy. But then the trial’s over. The time’s gone. Then the team didn’t get to it, and it doesn’t happen.

How to Get The Most Out of Your Trial

If you are ready to learn how multi-factor authentication can prevent stolen stolen credentials and passwords from accessing the network 99.9% of the time, then you are ready to start your journey to zero trust.  

This article tackles that head-on by sharing what I’ve seen work for trials and proof-of-concepts. It sounds intuitive, but the point of a trial or a POC is to prove the feasibility of a solution or the feasibility of a critical aspect of a solution. Typically when we are engaged in a trail you are trying to answer questions similar to the ones below:

  • Will this technology meet our specific use cases and unique needs?
  • Does the product perform as advertised?
  • How does the solution compare?
  • Will it provide intangible benefits, like improving productivity or a new way of doing things?
  • What will it take to get the solution in, up, and operational?

Answering these questions takes work before the trial, during, and afterwards. Running a POC is a project in and of itself. Let’s look at some winning practices. 

Before the Trial

Involve people. We’ll want our champion and business stakeholders, of course. We’ll also need to loop in the IT team for support, and purchasing to understand their process. It is counterintuitive, but, we also need to include naysayers. Knowing and addressing concerns early on in the pilot strengthens the resulting business case.  

Be specific. Pilot projects which understand the mindset of our stakeholders and  document specific use cases succeed. Include quantitative measures such as time to setup, time to authenticate. Also, consider quantitative measures like ease of use and ease of administration. Finally, even though this is a technology pilot, be sure to include how this change supports the broader organization’s strategy and goals. Create an evaluation sheet with these considerations.

Schedule it. Every pilot I’ve seen run into trouble had one thing in common: not dedicating time to run the pilot like a project. If possible, get a project manager assigned. Plan the proof of concept, the technical environment, and the testing. Run the use cases, the evaluation sheet, and the plan by the people involved. Getting buy-in on the approach early on increases the support we’ll have on the final decision. 

During the Trial

Take it for a test run. Stay focused on the defined use cases and success criteria. Set it up, integrate it, kick the tires, and take it for a test drive. Work through a complete use case and get any specific questions answered. There are a couple things to look out for here. First, keep the scope tight and be careful not to let the excitement carry us away from the plan. It’s not easy to do especially when we get into the details. Second, keep an eye on the clock. A month pilot, for example, should wrap up the initial testing in the first week or two.  

Check in with the team. After spending a week or two running it through its paces, present back to the core team. Show a test case to our stakeholders and make sure the approach is resonating. In a separate meeting, bring in our secret weapon: the naysayers. Find out what concerns and questions they have early. Gather the feedback to evolve the approach and the story. It’s hard, but keep the evaluation criteria front of mind during these conversations to make a decision supported by the data.

Finish strong. With the final couple weeks of a month-long pilot, retest any use cases and answer any questions raised during the check-in. This is a good time to engage the vendor to get additional information and clarify any points. Begin preparing the final report out. We need to tell the story about how the pilot fits in the organization’s broader context, answers the technical need, and satisfies the use cases. Run it by a small set of the people involved to get early feedback.

After the Trial

Present the pilot. If not dedicating time to run the pilot like a project is the number one factor in pilots going sideways, the number two factor I’ve seen is not presenting the results. Seems odd, right? We’ve spent several weeks planning and executing on the pilot, only to fumble. But it makes sense in the broader context. Doing the work is fun. Presenting, for many of us, is less so. Moreover, operational concerns and the growing to-do list often gets in the way. Don’t let this happen. Find our best speaker, give them our best slide template (or borrow one from someone who successfully presents business cases), and schedule it. Establish the business reason, explain the evaluation and success criteria, and tell the story. Having run this by others during the pilot, we’ll be prepared to answer most questions that come up.

Decide on the direction. Gaining buy-in on the approach at the beginning simplifies gaining support for the decision at the end. Combining the data-driven approach of objective and subjective considerations with the storytelling makes for a more compelling presentation. If we clearly understood the problem we’re trying to solve, and have found the right tool for the job, the decision should be easy, right? Well. Not so fast. We think of pilots as Option A versus Option B. But in reality, it may be A versus B versus doing nothing. Be prepared to spend time running the decision to ground, getting IT and purchasing involved, and turning the decision into action. 

Implement and execute. SaaS means Software-as-a-Service not Shelfware-as-a-Service. So there’s one final step in the pilot process. That step is actually applying the SaaS to the use case. To do this, we need three things. First, we need a clear hand-off between the person owning the pilot and the person owning the implementation. This means sharing what we’ve learned from the pilot, including not only about the tool, but also about the stakeholders and all the people involved. Second, we need a tighter partnership with the customer success team. And finally, we need a good plan.

Final Thoughts

The transition from trial to implementation to transformation should be seamless and smooth. This is even more critical when we are deploying security solutions across an organization. Regardless of whether we are going through a regular buying motion, or purchasing to address an emergency situation the vendor we work with needs to be there to provide support and have the tools and processes in place to help us be successful. 

In this article, I’ve shared what I’ve done to succeed when planning, executing, and finishing a proof of concept. Make it about the business. Include people, not only champions but also naysayers. Be specific in our use cases and our success criteria. Do the work and tell the story. Finally, work to make the decision the right decision, by working to ensure the product delivers on our promise. In today’s culture of try before you buy, remember, it’s our team’s approach that produces results. 

Try Duo For Free

Now you know how to make the most of it, try our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.