The Duo Blog (https://duo.com/): Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and the security health of their devices before they connect to the apps you want them to access. Feed dated Wed, 17 Oct 2018 00:00:00 -0400; en-us; info@duosecurity.com (Amy Vazquez); Copyright 2018.

Unpacking Motifs in Federal Government Security
By Thu Pham (thu@duosecurity.com) | Industry News | Wed, 17 Oct 2018 00:00:00 -0400
https://duo.com/blog/unpacking-motifs-in-federal-government-security

Recently, a few interesting federal government security stories have popped up in the news:

  • The payment card and travel information of 30,000 Department of Defense (DoD) military and civil personnel was stolen from a third-party contractor (Reuters)
  • New DoD computerized weapon systems can be easily hacked, according to a report from the U.S. Government Accountability Office (GAO) (ZDNet)
  • Voter records from 19 U.S. states were found up for sale on a hacking forum - with the seller stating the records are being updated on a weekly basis (SCMagazine)
  • A North Carolina water utility's computer systems were subjected to a ransomware attack, prompting the FBI and Department of Homeland Security to investigate (TheState)

This slew of rather grim news always comes with just a few lessons learned and many recurring motifs. Let me break it down:

Third-party vendors - Not much information was made available because of the pending investigation, but the DoD breach was traced to a single, unnamed commercial vendor serving the executive branch department. It's well known that attackers often target the lower-hanging fruit of small contractors, which may have weak or nonexistent security in place, giving attackers an easy proxy into larger organizations like the DoD.

In 2017, many security standards for federal contractors became mandatory as part of the final-rule clarification of the Defense Federal Acquisition Regulation Supplement (DFARS), which points contractors at the controls in NIST SP 800-171. Those controls include multi-factor authentication for local and network access, the principle of least privilege, retention of audit records and more - see an overview of those rules here.

Related resources on third-party vendors security:
Security Best Practices for Third-Parties: Protecting the Enterprise

Privileged access - In the GAO tests against DoD weapon systems, test teams were able to move through a system with ease and escalate their privileges until they had taken it over. In one test, the team guessed an administrator password in nine seconds. Other results included copying, changing and deleting data and scanning entire systems, as well as disrupting and manipulating system operations.

Implementing the principle of least privilege - giving users access only to what they need to do their jobs - can be done in several ways. Controlling which users and groups can reach which applications, and granting access only after checking both a verified identity and a trusted device, gives administrators the flexibility of an adaptive authentication solution.

Related resource:
Managing Risk With Adaptive Authentication

Data profiling for identity fraud - While state voter registration lists aren't strictly confidential, their use is restricted. When this list of personally identifiable information (PII) is combined with other breached data sets holding more sensitive information (such as Social Security numbers), malicious actors can build a target profile of the U.S. electorate, as Anomali stated in a blog post on its findings.

The repercussions could include identity fraud or fraudulent changes to online voter registrations - potentially rendering legitimate voters ineligible to cast ballots, or allowing attackers to delete registrations, request absentee ballots and so on.

All of this highlights the need to restrict access to sensitive data with adaptive access policies that limit it to the users and devices that meet your organization's risk tolerance. With these, you can restrict access based on geolocation, user role, network type and more.

Related resource:
Adaptive Authentication & Policy Enforcement

Credential-stealing malware (among other destructive behaviors) - In a media release from the targeted water utility, Onslow Water and Sewer Authority (ONWASA), its CEO stated that its servers and personal computers had been under persistent attack from Emotet, a worm-like malware family that the U.S. Computer Emergency Readiness Team (US-CERT) describes as a modular banking Trojan.

Emotet has a spambot module that lets it spread quickly, using email templates, attachments and email credentials downloaded from its command-and-control server. Another module steals credentials from web browsers and email clients and sends the passwords back to that server, letting attackers log in to the victims' accounts and send more spam, according to a Blueliv report.

While early detection and backups can partly mitigate a ransomware infection, backing up primary authentication with multi-factor authentication - a second factor in addition to the password to verify a user's identity - further blocks attackers from using stolen credentials to log in to email accounts and spread malware.

Related resources:
Multi-Factor Authentication (MFA)
Two-Factor Authentication Evaluation Guide

Critical vulnerabilities - Nearly all of the DoD computerized weapon systems tested were also found to be rife with vulnerabilities, according to the GAO report, aptly titled DOD Just Beginning to Grapple with Scale of Vulnerabilities (PDF).

Many of the vulnerabilities exploited by the test teams had already been identified in previous assessments. In one case, only one of 20 previously reported vulnerabilities had been corrected, and another test report noted that the team exploited 10 previously identified vulnerabilities in total.

What does that mean? It means the programs behind these weapon systems weren't applying fixes or deploying solutions to close known security gaps, making it trivial to exploit them to gain access to or control of the systems. Many vulnerabilities live in older versions of software - operating systems, plugins and browsers - and attackers use out-of-date devices to compromise them, install malware, steal data or gain entry to an organization's systems.

Getting visibility into all of the endpoints accessing your environment - managed and unmanaged, mobile and desktop - is essential to knowing which devices are out of date and need remediation. Coupled with device access policies, admins can block out-of-date devices and notify their users to update before access is granted, protecting your apps and data from exposure.
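To make the ordering of those checks concrete, here is an added Python example of a small adaptive access policy evaluator. It is not Duo's policy engine or any code from the original post; the request fields, the policy structure, the sample policy and the five sample requests are all constructed for illustration. It shows the evaluation order a least-privilege policy implies: authorization by group first, then geolocation, then the second factor, then device health (an out-of-date OS is sent to remediation with a reason rather than silently allowed), and finally the managed-device requirement for connections from outside trusted networks.

```python
"""Added example: an adaptive access policy evaluator. All names, fields and
sample data are constructed for illustration; this is not Duo's policy engine."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    """One authentication attempt as an access gateway sees it."""
    user: str
    groups: frozenset        # directory groups the user belongs to
    app: str
    mfa_verified: bool       # second factor already completed for this attempt
    device_managed: bool     # device enrolled with / known to the organization
    os_name: str
    os_version: tuple        # e.g. (10, 15, 7); compared as a tuple
    source_ip: str
    country: str             # ISO country code from geolocation


@dataclass(frozen=True)
class AppPolicy:
    """Per-application policy: who may connect, from where, on what device."""
    allowed_groups: frozenset
    allowed_countries: frozenset
    min_os_version: dict         # os_name -> minimum version tuple
    trusted_networks: tuple      # CIDRs; unmanaged devices are tolerated only here
    require_managed_offnet: bool


def in_trusted_network(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def os_out_of_date(req, policy):
    """True when the policy sets a minimum for this OS and the device is below it."""
    minimum = policy.min_os_version.get(req.os_name)
    return minimum is not None and req.os_version < minimum


def evaluate(req, policy):
    """Return (decision, reason). The most restrictive checks run first so a
    user who should never reach the app is refused before device state matters."""
    if not (req.groups & policy.allowed_groups):
        return "deny", f"{req.user} is not in an authorized group for {req.app}"
    if req.country not in policy.allowed_countries:
        return "deny", f"access from {req.country} is not permitted"
    if not req.mfa_verified:
        return "deny", "second factor required"
    if os_out_of_date(req, policy):
        version = ".".join(map(str, req.os_version))
        # Block, but tell the user what to fix rather than failing silently.
        return "remediate", f"{req.os_name} {version} is below the minimum; update and retry"
    if (policy.require_managed_offnet and not req.device_managed
            and not in_trusted_network(req.source_ip, policy.trusted_networks)):
        return "deny", "unmanaged device outside a trusted network"
    return "allow", "identity, device and context satisfy policy"


# Constructed sample policy for an administrative console.
ADMIN_CONSOLE_POLICY = AppPolicy(
    allowed_groups=frozenset({"sysadmins"}),
    allowed_countries=frozenset({"US"}),
    min_os_version={"macOS": (10, 14), "Windows": (10,)},
    trusted_networks=("10.0.0.0/8", "192.168.1.0/24"),
    require_managed_offnet=True,
)

# Constructed sample requests, one per branch of evaluate().
SAMPLE_REQUESTS = [
    AccessRequest("analyst", frozenset({"analysts"}), "admin-console", True, True,
                  "macOS", (10, 15, 7), "10.1.2.3", "US"),
    AccessRequest("alice", frozenset({"sysadmins"}), "admin-console", False, True,
                  "macOS", (10, 15, 7), "10.1.2.3", "US"),
    AccessRequest("bob", frozenset({"sysadmins"}), "admin-console", True, True,
                  "macOS", (10, 13, 6), "10.1.2.3", "US"),
    AccessRequest("carol", frozenset({"sysadmins"}), "admin-console", True, False,
                  "Windows", (10, 0, 17763), "203.0.113.5", "US"),
    AccessRequest("dave", frozenset({"sysadmins"}), "admin-console", True, False,
                  "Windows", (10, 0, 17763), "192.168.1.20", "US"),
]


def evaluate_all(requests=SAMPLE_REQUESTS, policy=ADMIN_CONSOLE_POLICY):
    """Map each user to the decision the policy reaches for their request."""
    return {req.user: evaluate(req, policy)[0] for req in requests}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        decision, reason = evaluate(req, ADMIN_CONSOLE_POLICY)
        print(f"{req.user:8} {decision:9} {reason}")
```

Run it and the five sample users land on deny (wrong group), deny (no second factor), remediate (old macOS), deny (unmanaged device off-network) and allow (unmanaged but on a trusted network). The point of the "remediate" outcome is the one the post makes: blocking an out-of-date device is only useful if the user is told why and what to update.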

Related resource:
Mobile Device Security Made Easy with Duo’s Security Checkup

Duo Partners With Exabeam to Expand Zero-Trust Ecosystem
By Vishal Gupta (vgupta@duo.com) and Rahul Hirani (rhirani@duo.com) | Product Updates | Tue, 16 Oct 2018 08:20:00 -0400
https://duo.com/blog/duo-partners-with-exabeam-to-expand-zero-trust-ecosystem


  • Compromised credentials are a top cause of business data theft and security breaches. Security teams struggle to keep up with the volume of security alerts, while identity-based threats slip through the cracks.
  • Duo and Exabeam bring together the power of rich authentication data and advanced analytics to automatically detect and remediate identity-based threats.
  • This solution extends zero-trust policies beyond the point of access to the user session.

Credential theft continues to be the top cause of security breaches, as it has been for the past several years, according to the Verizon Data Breach Investigations Report. Compromised identities and credentials are even more damaging when they belong to privileged users who hold access to an organization's "crown jewels."

Security teams are finding it difficult to keep up with the avalanche of security events they need to investigate, let alone take swift action to prevent and remediate incidents. According to Cisco's 2018 Annual Cybersecurity Report, the number of security events organizations see has increased four-fold in the last two years. Further complicating matters, the lack of integration and automation between siloed security tools adds to the woes of SecOps teams, such that it takes about 66 days to contain a breach.

The result, according to the same Cisco report: about half of legitimate security events are never remediated, and the number of breaches has doubled in recent years.

Accelerate Security Analytics and Response for Identity-Based Threats

Duo and Exabeam have partnered to deliver a robust identity analytics, detection and response solution.

Speed Up Detection and Response

This integration lets SecOps respond to security alerts in real time, preventing or containing breaches.

Duo provides detailed authentication and endpoint data that helps identify potential threats quickly and reliably, with fewer false positives. Duo's adaptive authentication and endpoint data, coupled with Exabeam's advanced analytics and machine learning, provides accurate and timely security alerts. The integration also removes manual remediation by automating the actions Duo takes.

“This partnership will be of great benefit to our customers by increasing the speed, certainty and breadth in which they can detect and respond to potential threats in their IT environments,” said Ray Tam, Vice President of Security of Trace3. “We’ve been working closely with both Duo and Exabeam already and we look forward to engaging with both teams to ensure their solution is readily available to the organizations in our diverse customer portfolio.”

Extending Zero-Trust to User Sessions

Being squarely in the access path for every user, every device and every application allows Duo to enforce zero-trust policies at the time of access. This integration extends the zero-trust policies beyond the point of access by continuously monitoring, detecting anomalies and enforcing zero-trust policies throughout the user’s session.

While organizations need to build a strong front door to prevent breaches, they also need to build the capability to detect, resolve and respond to threats in order to limit damage as effectively as possible.

Beyond securing the front door with Duo, Exabeam is able to find the unfindable with advanced analytics and machine learning during the user session.

How It Works

  • The Exabeam Security Intelligence Platform takes in rich authentication and device data provided by Duo.
  • Exabeam’s advanced analytics and machine learning uses session data to find risky behaviors and suspicious devices.
  • Exabeam initiates a response by prompting Duo’s adaptive multi-factor authentication to verify the user.
  • If the user approves, the incident is closed. If the user doesn’t approve or doesn’t respond, Exabeam takes containment actions against the user through Duo to disable that user account, revoke permissions and/or send an email to the Security Operation Center (SOC) or SecOps team.
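The loop those four bullets describe, as an added Python sketch that is not code from Duo, Exabeam or their integration. Request signing follows the HMAC-SHA1 scheme Duo documents for its APIs as I know it (a Date header, a canonical string of date, method, host, path and sorted parameters, and HTTP Basic auth of integration key and hex signature); the push endpoint (`POST /auth/v2/auth` with `factor=push`) and the user-disable call (`POST /admin/v1/users/{user_id}` with `status=disabled`) are taken from Duo's public Auth and Admin API docs, but check them against the current documentation before relying on them. The API host, keys and user ID are placeholders, and the HTTP client is replaced by an offline stub that records what would be sent, so the block runs without network access.

```python
"""Added example: the push-then-contain response loop. Not code from Duo,
Exabeam or their integration; network I/O is stubbed so it runs offline."""
import base64
import hashlib
import hmac
import urllib.parse

API_HOST = "api-xxxxxxxx.duosecurity.com"   # placeholder, not a real host


def canonical_string(date, method, host, path, params):
    """Duo's canonical request: Date, METHOD, lowercased host, path, and the
    parameters sorted by name and percent-encoded (space -> %20, '~' kept)."""
    encoded = "&".join(
        urllib.parse.quote(k, "~") + "=" + urllib.parse.quote(v, "~")
        for k, v in sorted(params.items())
    )
    return "\n".join([date, method.upper(), host.lower(), path, encoded])


def sign_request(ikey, skey, date, method, host, path, params):
    """Headers for a signed Duo API call: the Date that was signed and HTTP
    Basic auth of integration_key:hex(HMAC-SHA1(secret_key, canonical))."""
    canon = canonical_string(date, method, host, path, params)
    sig = hmac.new(skey.encode(), canon.encode(), hashlib.sha1).hexdigest()
    cred = base64.b64encode(f"{ikey}:{sig}".encode()).decode()
    return {"Date": date, "Authorization": "Basic " + cred}


def containment_action(push_response):
    """Map the 'response' object of POST /auth/v2/auth to the workflow's action.
    Only an explicit approval closes the incident; a denial, a timeout (the
    user never answered) or anything unexpected is treated as unverified."""
    if push_response.get("result") == "allow" and push_response.get("status") == "allow":
        return "close_incident"
    return "disable_user,notify_soc"


class StubDuoClient:
    """Offline stand-in for an HTTP client. Records each call and returns a
    canned answer; real code would add sign_request() headers and POST to API_HOST."""

    def __init__(self, push_response):
        self.push_response = push_response
        self.calls = []

    def call(self, method, path, params):
        self.calls.append((method, path, dict(params)))
        if path == "/auth/v2/auth":
            return self.push_response
        if path.startswith("/admin/v1/users/"):
            return {"status": params.get("status")}
        raise ValueError("unexpected endpoint: " + path)


def respond_to_alert(client, username, user_id):
    """Steps 3 and 4 of the workflow: push a verification to the flagged user,
    then either close the incident or disable the account through Duo."""
    push = client.call("POST", "/auth/v2/auth",
                       {"username": username, "factor": "push", "device": "auto"})
    action = containment_action(push)
    if action != "close_incident":
        client.call("POST", f"/admin/v1/users/{user_id}", {"status": "disabled"})
    return action


if __name__ == "__main__":
    # Constructed push responses in the shape Duo's Auth API returns.
    approved = StubDuoClient({"result": "allow", "status": "allow", "status_msg": "Success."})
    timed_out = StubDuoClient({"result": "deny", "status": "timeout", "status_msg": "Login timed out."})
    user_id = "DUXXXXXXXXXXXXXXXXXX"   # placeholder Duo user ID
    print(respond_to_alert(approved, "alice", user_id), approved.calls)
    print(respond_to_alert(timed_out, "alice", user_id), timed_out.calls)
```

Two design points worth keeping when wiring this up for real: treat a push timeout exactly like a denial (an attacker holding the credentials simply waits the prompt out), and disable through the Admin API rather than only emailing the SOC, so containment does not depend on someone reading the queue.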

[Screenshot: Configuring Duo services in Exabeam]

For more details about the integration, see the configuration document.

Learn More

Duo and Exabeam partner page
Duo and Exabeam solution brief
Duo and Exabeam press release

Every Cloud Should Have A Security Lining: A Recap of The 2018 Cloud-Native Security Summit
By Noelle Skrzynski (noelle@duo.com) | Press and Events | Fri, 12 Oct 2018 09:35:00 -0400
https://duo.com/blog/every-cloud-should-have-a-security-lining

Last month on Tuesday, September 18, Duo Security co-hosted the 2018 Cloud-Native Security Summit with Capsule8 and Signal Sciences in New York City. This full-day summit was jam-packed with panels, discussions and presentations focusing on security challenges and advancements in the cloud-native world.

Kicking off the event was Chenxi Wang, founder and managing partner for Rain Capital, as she went over the results of The State of Cloud-Native Security, our recent research survey of 486 IT and security professionals on adoption of and concerns about Cloud Native Applications.

The survey notes increasing reliance on cloud-native applications for three primary reasons: new software development, operational cost savings and business modernization. However, increased security risk presents a barrier to cloud adoption. Many companies struggle with threat visibility and detection: 73 percent say they lack real-time insight into threats and ongoing attacks, while nearly half report that false positives account for more than half of the security alerts in their production environment. Companies also struggle to deploy effective security in production, with 40 percent saying they have no DevOps function in place.

To address these difficulties, the survey suggests that companies increase visibility into production infrastructure, demand more immediate and precise detection tools, establish defined DevOps processes, and enable security teams to work hand-in-hand with the teams deploying at scale.

Following Chenxi’s presentation, Art Coviello, former chairman and CEO of RSA, and Ed Amoroso, CEO at TAG Cyber, took the stage for a fireside chat. During the discussion, they noted the importance of taking cybersecurity seriously by focusing on people and processes instead of point products, as well as the importance of understanding and acknowledging the dangers of not taking security seriously.

They also discussed being realistic about what can and can’t be done, especially when it comes to things like Artificial Intelligence. Ed pointed out that there’s lots of crazy hype about AI solving all our problems — unfortunately, this isn’t the case, but AI is finding its place when it comes to detecting behavioral patterns.

The summit continued with a panel discussion between:
• Doug DePerry, Director of Product Security, Datadog
• Patrick Ancillotti, VP of Systems Engineering, Vimeo
• JJ Agha, Head of Information Security, WeWork

A key theme in this discussion was instilling a companywide security culture by bridging the gap between security groups and non-security groups. All three panelists emphasized transparency and clear communication, stressing that we need to approach people at their level. JJ mentioned the effectiveness of providing metrics, showing how things actually work, and explaining what you’re doing. Patrick mentioned moving accountability upwards and conducting audits. Doug suggested raising awareness through visibility, though he warned, “Don’t be Chicken Little!”

[Photo: Signal Sciences CEO & Cofounder Zane Lackey, with Doug DePerry, JJ Agha and Patrick Ancillotti]

Continuing the theme of bridging gaps and working with others, Stephen Fridakis, CISO of HBO, shared his experiences in navigating security for the television network’s original productions in a fireside chat moderated by Andrew Peterson, Founder & CEO of Signal Sciences.

Stephen talked about the difficulty of controlling security for these productions, sharing that there are 20 to 70 entities involved in post-production, and the software they use does not always work in the cloud. Additionally, once the content is ready for distribution, there’s the problem of platforms and developers — HBO is available on 37 different platforms, all using a wide range of tools. Because of all this, they must strike a balance between security and the needs of the producers and developers.

In the summit’s second panel, the discussion shifted slightly to how people and processes figure into detecting attacks at scale. The panel was moderated by John Viega, co-founder and CEO of Capsule8, and included:
• Melody Hildebrandt, CISO, 21st Century Fox
• Heather Adkins, Director of Info Security & Privacy, Google
• Brad Maiorino, former CISO, Target, GE, GM
• Jess Frazelle, Microsoft

The panel explored the role of humans vs machines, with Heather noting that machine learning can provide insights into what’s happening, but not why it’s happening — the new role of humans, she suggested, is to teach the system this.

The panel also stressed that we need to change how we think about detection. Heather noted that we should be offering services instead of demanding requirements. Brad stressed the need for relentless practice and red team simulation, so that we can train people to fill in any technology gaps when it comes to missed threat profiles.

Geoff Belknap, CISO at Slack, also noted the importance of people during his fireside chat, stating that the most important thing is to help set the stage for culture. One of his biggest wins was using Security Bot (an automated program/persona within Slack) to discourage risky engineering behaviors. He noted that it’s possible to subtly modify behaviors by making the safe option the easiest option and providing incentives for doing the secure thing.

When asked how people are thinking about the problem of cybersecurity, Geoff suggested what was once a network and infrastructure problem is now an issue of the generation gap. Some people are used to thinking about things in a physical way, but we can’t do that now. We do need to understand how people are thinking about it, but then correct misconceptions and adapt our narrative so that it makes sense to them.

Following Geoff, Duo’s Director of Advisory CISOs Wendy Nather led a panel discussion on learning to trust zero trust. Participating in the panel were:
• Ross McKerchar, CISO, Sophos
• Nick Selby, Director, Cyber Investigations & Intelligence, NYPD
• Harry Sverdlove, CTO of Edgewise Networks

Just what is zero trust? Nick explained that it involves continuously checking if users are who they claim, with Harry adding that it’s starting with no trust and then building trust with every interaction. Ross stated that it means setting user identity as the perimeter instead of the server, while minimizing privilege to that user.

How do we implement a zero-trust structure? Ross advised that you shouldn’t change everything at once, but focus on one group at a time. Harry suggested starting with the biggest risk first, and Nick added that if you do, be sure that each part is finished completely before moving on to the next step. Wendy noted that users of critical systems are the crankiest, so an alternative approach would be to start off with users that you know will follow through.

All four panelists agreed that different organizations will take different paths on their journey to zero trust. Wendy suggested, though, that perhaps in the future zero trust won't be called zero trust anymore... it will just be security.

The final presentation came from Rich Smith, Director of Duo Labs, who stressed that zero trust is not a product, but an approach. To continue protecting both users and devices (which are equally important), we must build security with an attack-driven defense in mind, by predicting how new technology will be abused and working to resolve those instances.

While the summit provided and reinforced many great points on the importance of security culture, human-machine responsibilities and interactions, and vigilance and collaboration in the face of threats and breaches, there’s still so much to learn about security in the cloud-native world. As we continue to grow our understanding and technologies, we appreciate all the contributions everyone has provided, and we look forward to seeing you at the next summit!

Beneath, Between & Behind - A Smart Card Reality
By Sean Frazier (srazier@duo.com) | Industry News | Tue, 09 Oct 2018 08:20:00 -0400
https://duo.com/blog/beneath-between-and-behind-a-smartcard-reality

Beneath the noble birth
Between the proudest words
Behind the beauty, cracks appear


Please don’t throw the baby out with the bathwater.

I’ve always hated this saying, but there is a point to it, and this point resonates with me when it comes to upping the game of human identity-based authentication. We in the public sector have spent millions of dollars and dozens of years putting a pretty good system in place to deal with this.

Pretty good...but not great and not without its holes - some small, some gaping. We’ve also been lurching back and forth between “smart cards are dead!” & “smart cards are with us forever!”. The truth, as it always is, is somewhere in between.

We spend a good amount of time talking about quick wins to get started (or maybe restarted?). Or, at least, recommitted to closing the gaps that exist and doing it in a way that has an eye toward a longer, more complete journey and doesn’t break the proverbial piggy bank.

But from an enterprise perspective, we have to keep going back to the investments we’ve made and find a way to leverage them.


We've tried to do this with derived credentials, with mixed results. While it looks good on paper, something is lost in translation - you lose one of your factors. It would be a stretch to call PIV-D (Derived Personal Identity Verification) multi-factor authentication on its own.

So you would still need something else. And while it's great in a mobile context, and will be even better once every endpoint platform has an on-board TPM (Trusted Platform Module) or another hardware secure element in which to store the credential, it's still not strong enough. It doesn't match the strength of... the card.

Which is why we want to build in support for card-based proofing for enrollment. This leverages the years-long investment in public key infrastructure (PKI) and “the card” to prove identity and device ownership in order to provision a simpler, more widely-accepted authenticator.

These authenticators can be one or many, and can be provisioned and used according to risk as outlined in NIST SP 800-63-3. For example, you could authenticate with a PIV or CAC (Common Access Card) and provision a YubiKey for AAL3 (Authenticator Assurance Level 3) access, AND provision a Duo Push token for AAL2 access.

It's important to note that because NIST separated enrollment and identity proofing from authenticator usage, this "derived authenticator" should, depending on workflow, satisfy IAL3 (Identity Assurance Level 3) under NIST SP 800-63-3: the proofing already done to issue the card carries over to the authenticator provisioned with it. We really are moving toward a risk-based model, which will only help us and is the right security approach.

The technology world is moving fast. This pace is creating heartburn and fire drills in private enterprise, and public sector enterprise is really no different here. By leveraging existing infrastructure and existing investment, we can find a way to save $$$ and deliver a superior user experience while still meeting the “laws of the land.”

These are exciting times and we ain’t even done yet.

Celebrate Security with Duo at the 2018 Internet2 Tech Exchange
By Noelle Skrzynski (noelle@duo.com) | Press and Events | Fri, 05 Oct 2018 09:35:00 -0400
https://duo.com/blog/celebrate-security-with-duo-at-the-2018-internet2-tech-exchange

October is here, and you know what that means*? The 2018 Internet2 Technology Exchange is right around the corner! Join Duo Security from October 15 to October 19 in sunny Orlando, Florida for this week-long event.

(*I bet you were thinking Halloween, which is also exciting. Bonus points if you were thinking National Cyber Security Awareness Month, which is even more exciting — more on that later.)

Duo is proud to help sponsor this event, which brings together chief technologists, scientists, engineers, architects, operators and students from around the U.S. and beyond to learn about implementation challenges, best common practices, and the future of the technology and security industries within the realm of research and education.

The conference will be held at the Loews Royal Pacific Resort and begins with a pre-event day on Monday, October 15, where you can select a full-day or half-day tutorial on subjects like network automation, TIER access governance, routing security and more. Then from Tuesday, October 16 to Thursday, October 18, join some track sessions focused on advanced networking, information security, and trust & identity; attend working meetings; and network with your peers during breakfast, lunch, breaks, evening receptions, and sponsor socials. (Make sure to register before heading to the sessions — a shameless plug, because we’re sponsoring the registration desk, but also necessary to get in!) The event winds down on Friday, October 19 with Trust & Identity “ACAMP” sessions.

If you’d like to catch some time with your favorite tech and security vendors (like Duo!), stop by the expo hall of the conference center Tuesday through Thursday during the following times:

  • 7:00 a.m. - 8:30 a.m.
  • 9:50 a.m. - 10:20 a.m.
  • 12:10 p.m. - 1:40 p.m.
  • 3:30 p.m. - 4:00 p.m.

Visit our table to snag some swag, check out a demo, and learn how you can use our Duo Beyond edition to provide access to all of your applications anytime, anywhere.

We’d also love to see you at our special interest group on Tuesday, October 16 from 12:30 p.m. to 1:30 p.m. You’ll meet with other campuses using Duo to learn about shared use cases and updates on the NET+ Duo program, and to provide input on the future of the program.

Want even more Duo goodness? Make sure to attend “The Rise and Fall and Rise of the Edge: The End of Passwords, Beginning of Zero Trust, and the Technologies on the Edge Driving It” on Wednesday, October 17 at 2:40 p.m. Hosted by Keith Brautigam, Director of Identity and Access Management at Pennsylvania State University, and Duo’s Senior Security Researcher, Mark Loveless, this presentation will cover the rise and fall of the network perimeter, why it’s falling, what will rise up to take its place or cover the gaps (e.g. zero trust), and how the Internet of Things (IoT) is unintentionally driving this perimeter-less movement. (Please RSVP to save your seat!)

But wait, there’s more Duo at Internet2. Come party with us on Wednesday night at our cocktail reception from 5:30 p.m. to 7:30 p.m. Grab a drink and some food, and catch up with some of your dearest industry experts and enthusiasts to relax after a long day of learning. (Again, please make sure to RSVP to attend.)

We’re so excited for this year’s Internet2 Technology Exchange, and we hope to see you there in mid-October. However, the learning doesn’t have to stop (or start) with Internet2.

As mentioned earlier, October is National Cyber Security Awareness Month (NCSAM), which is one of Duo's favorite things! All month long, we're working to improve awareness and promote secure online behavior. Together with Internet2 and EDUCAUSE, we're encouraging campuses to adopt multi-factor authentication, also known as two-factor authentication. So far, we've reached 154 campuses, with almost two million students and about a million staff members set up with MFA. You can find more information about this initiative on the Stay Safe Online blog.

There’s so much excitement on the way — we look forward to seeing you at the conference!

Higher Education in the Mile High City: Duo at EDUCAUSE 2018
By Noelle Skrzynski (noelle@duo.com) | Press and Events | Fri, 05 Oct 2018 08:30:00 -0400
https://duo.com/blog/higher-education-in-the-mile-high-city-duo-at-educause-2018

Duo Security is off to the Mile High City - Denver, CO - at the end of the month for the 2018 EDUCAUSE Annual Conference - will we see you there?

This year’s activities will be held at the Colorado Convention Center and start with a pre-conference day on Tuesday, October 30; followed by a full three days of breakout sessions, panel discussions and interactive presentations.

While at the conference, you can choose from over 300 sessions on subjects like managing and reducing IT risk, transforming the student experience, and creating a culture of data-informed decision-making. You’ll hear from over 700 speakers and network with over 8,000 IT professionals and technology providers in higher education. You’ll also have the opportunity to learn about the latest technology and security solutions by visiting with over 275 solution providers in the Exhibit Hall on Wednesday, October 31 from 9:00 a.m. to 5:45 p.m., and Thursday, November 1 from 9:00 a.m. to 4:15 p.m.

Duo will be one of these vendors -- stop by booth #158 to ask us questions, get a demo, and learn how our Unified Access Security solution can ensure only trusted users and trusted devices are accessing your institution’s applications and intranet.

If you’re looking for more time with us, please swing by our cocktail reception the evening of Wednesday, October 31 from 6:30 p.m. to 8:00 p.m. We’ll be hosting the reception with Fischer Identity -- meet us at Henry’s Tavern for drinks and apps as we kick back and relax with other professionals from the conference.

Lastly, Duo will present on Friday, November 2 at 8:00 a.m. Join Duo’s Senior Security Researcher Mark Loveless in meeting room 303 for his interactive presentation, “When IoT Becomes IIoT.” Mark will explore the topic of the industrial Internet of Things (IIoT) and how networks are evolving; potential pitfalls involving security/privacy and IIoT; and what we can expect in both the short- and long-term from evolving and perimeterless networks.

We can’t wait for the conference (and to see you!), but you don’t have to wait until then to get your security fix. All October long, we’ll be celebrating National Cyber Security Awareness month. You can get involved, too, by participating in the Universities Lock-Up -- Duo, along with Internet2 and EDUCAUSE, are encouraging campuses to adopt multi-factor authentication, also known as two-factor authentication. Our collaboration with Internet2 to promote multi-factor authentication has reached 154 campuses, with almost two million students and about a million staff members set up with MFA. You can find more information about this initiative in this article.

Here’s to National Cyber Security Month and the upcoming 2018 EDUCAUSE Annual Conference! See you in a few weeks!

Bowling Green State University: A Duo Case Study

Bowling Green State University (BGSU) is one of the top public universities in Ohio. Duo helped BGSU significantly improve their cyber security posture while being cost-effective at the same time.

BGSU’s phenomenal success with Duo gave the university the confidence to expand its deployment to all users and all critical applications and data. See how Duo helps BGSU protect more than 30,000 users effectively in our full case study.

National Cybersecurity Awareness Month 2018: Make Your Home a Haven for Online Safety
By Chrysta Cherrie (ccherrie@duosecurity.com) | Press and Events | Thu, 04 Oct 2018 16:18:00 -0400
https://duo.com/blog/national-cybersecurity-awareness-month-2018-make-your-home-a-haven-for-online-safety

Ah, October. It's a time for pumpkin spice everything, Halloween tricks and treats... and our personal fave: National Cybersecurity Awareness Month! In this annual initiative, government and industry combine their powers to "ensure every American has the resources they need to stay safer and more secure online."

To that end, we're sharing quick tips to coincide with each week's theme. First up: Make Your Home a Haven for Online Safety. Whether checking your social media feeds, adjusting your IoT gadgets or taking care of business, you'll find virtually everyone in the family online. Along with that shared connectivity comes a shared responsibility to use the internet safely and smartly:


• Usernames and passwords alone aren’t enough to protect your email accounts, banking information and social media profiles. Put a layer of security between you and potential attackers, like two-factor authentication, which uses something you know and something you have to confirm that you’re really who you say you are.

Keep a Clean Machine

• Your best defense against threats like viruses and malware? Staying current. Get the latest security patches and updates for your web browsers and operating system.

• Don't leave your mobile devices out of the loop. While you're updating your laptop or desktop, show your cell phone and tablet some love.

• The same goes for smart appliances and connected devices, like thermostats, toys and home assistants. They're smart, sure, but to reduce risk of attackers accessing your network and information, you still need to keep them updated with the latest security software.

Share with Care

• Think before posting about yourself and others online. What kind of personal information are you revealing? Who might see it? Could it be used against you in a social engineering attack?

• Boo! Old tweets, posts and photos may come back to haunt you. Before you post, consider how it might be perceived now or in the future.

Back it Up

• Protect your valuable work, music, photos and other digital information by making an electronic copy and storing it safely.

• Having a recent copy of your files means you can retrieve them if you fall victim to ransomware.

Personal Information is Like Money. Value it. Protect it.

• Info about you, such as what you've purchased online or where you're located, has value – just like money. Be thoughtful about where you're sharing that info and how it’s collected through devices, apps and websites.

• The smart devices and connected appliances you use at home are powered by data about you. Be mindful of how this info is being collected and stored.

Secure Your Wi-Fi Router

• Have you changed the default name and password of your Wi-Fi router? Set a strong, easy-to-remember passphrase (at least 12 characters long), like Ilovecookies! – and name your network in a way that doesn’t let people know it’s in your house, like Cookie Factory.

<![CDATA[Infosec Has an Image Problem]]> (Hafsah Mijinyawa) https://duo.com/blog/infosec-has-an-image-problem https://duo.com/blog/infosec-has-an-image-problem Design Wed, 03 Oct 2018 08:30:00 -0400

When most people think of “security,” the concepts of good security hygiene or zero trust are not likely to be the first things that come to mind. It’s more likely the average individual will cycle through a mind mapping session that starts at the door to a bank vault and might end up somewhere near an episode of Person of Interest. In large part due to mainstream media, the idea of security often becomes entangled with fictional concepts of who the people in the world of security are and what the data battlefield looks like.

Scary Security: This is not the security industry you’re looking for.

In taking a closer look at the portrait of security through the eyes of modern media, some themes emerge. The dominance of red and black is no coincidence, nor is the distinctly futuristic tone of most security-oriented visuals. Keeping in mind that film and narrative depictions of hacking, cryptography and the digital network overall were often grossly exaggerated by imaginative minds moved by the potential of “cyber” and the brave new technological world, it is interesting to note that a good chunk of aesthetic choices within the infosec industry appear to have drawn inspiration from those same glamorized concepts found within genre fiction.

The breadcrumbs begin in the mid 70s during the height of network development. As the future of human connection and technological innovation dawned, authors like William Gibson, Neal Stephenson and Philip K. Dick penned genre-defining works that would become synonymous in the mainstream with what the swiftly impending future could look like.

In tandem, special effects technology was evolving, making film a robust medium for giving further shape to the mysterious worlds of those intimately versed with the language of the internet. Data itself could become a character, with code and network activity brought to life through frenetic animation and fast-paced editing.

With the personal computing market booming, the 80s and 90s would produce cinematic cult classics like Wargames (1983), Hackers (1995) and The Matrix (1999) which depicted exclusive, ultra-edgy worlds loaded with social commentary, and wildly imagined tech. While these works of fiction were rarely wholly true (and often painfully inaccurate) to the realities of how IT professionals or cryptography enthusiasts lived and worked, the aesthetics certainly did not go unappreciated by them.

Hack Viz: Hacking/data visualizations from left to right: Hackers (1995), Johnny Mnemonic (1995), The Matrix (1999)

Fiction is not alone in influencing the security culture’s distinctive looks. Subscribers to video game, comic and punk subculture were often makers, tinkerers, programmers and cryptographers of various ethical alignments. Through their shared ideologies and curiosity for understanding how things worked, many technology enthusiasts found community and purpose.

This often culminated in the assembly of collectives of like-minded individuals who could learn, play, and tinker together. It is the proverbial love of the game, the thrill of knowledge-seeking, the nostalgia and romanticism of technological obsession, and the old-school pastiche of the 70s-90s that still heavily influences the infosec industry’s image.

But how well does it serve audiences to flavor the fairly mundane activity of protecting digital data with the cyberpunk mystique? Let’s face it—as an activity, security doesn’t look terribly sexy. However, watching Rami Malek decrypt keylogger files to subvert bad guys in under three minutes is pretty compelling. These kinds of depictions of the security world have helped to provide simplified context to modern audiences. It is that cinematic “sexiness” which infosec advertising often utilizes in order to access the attention of wider audiences. This strategy can be helpful because it is difficult not to notice advertising that evokes mystery, secrecy, or danger and alarm.

Because security marketing often errs towards being provocative, it can invite the feeling that everyone and everything is after your data and that an overreactive response is the best response. This strategy can be problematic because while emotion can mean that you are paying attention, it can also mean that you will simply react out of mistrust, doubt or fear. This is where the security industry at large encounters an image problem.

Our Brand’s Approach

At Duo, we don’t believe that using the visual glitz of FUD (fear, uncertainty and doubt) is the most helpful or effective way of evangelizing security. Duo is fundamentally born of a hacker ethos, but with the challenge of democratizing security before us, we set out to approach marketing security differently, without using the vague mystique of “cyber” or hacker culture as a crutch or invoking any socio-politically inspired feelings of dread.

Our intention is to make security concepts clear and actionable for individuals within diverse tech trades, to emphasize security overall as a holistic utility, and to help educate a growing public audience with mobile, digital lives that are rapidly transitioning to the cloud. Our advertising methodology is a response to Duo’s mission of reimagining security into an accessible and sophisticated commodity and philosophy. We are creating sophisticated, top-shelf products that help to revolutionize how companies secure their data, and we are creating and marketing them with trust, simplicity and integrity in mind.

Taking a pass over Duo products and graphics, you might notice a few things. We champion the concepts of ease, simplicity and cultivating trust, from the Duo Mobile authentication application to the admin panel. This sensibility continues into the DNA of our brand.

What radically sets the Duo brand apart is the design influence which comes from within Duo doors. Our in-house brand team subscribes to the International Typographic Style—better known as the Swiss Style. The Swiss style is an influential design methodology famously adopted by contemporary designers such as designer/filmmaker Saul Bass and graphic designer Paul Rand.

It not only encapsulates a specific way of designing, but adheres to a core philosophy of visual cleanliness, clear hierarchy and structure. The Swiss design methodology allows complex concepts to be visually stripped down to their core essence, thus discarding unnecessary ornament which communicates nothing, and embracing the stark beauty of brevity. With that reasoning, we find our inspiration for approaching our “reimagining” of security advertising.

Duo eBook Covers: A sample selection of Duo’s ebooks, all produced in-house from concept to production.

Duo Posters: A collection of Duo posters, adapted from the cover artwork for a number of our ebooks.

Next, you might notice an abundance of green. An unusual color perhaps, set against a landscape of security branding that often comes in attention-grabbing shades of red, yellow and black. Duo’s dominant combo of green and navy intentionally seeks to avoid the red—evocative of fear, danger or denial—that is ubiquitous within the security industry. As the majority of the Duo user experience is the process of authenticating, or using the green “approve” button in our mobile app, the company’s overall appearance is aligned with the same “green means go” sense of trust and approval.

Additionally, by using a cool color palette vs. warm, the visual and psychological correlations become closer to a sense of calm, growth, health, positivity and balance. This intention becomes clearer when looking at other company branding produced in-house, such as Duo Labs, our in-house security research group. Somewhat conversely, Duo Labs boasts sleek monochrome branding which elevates the presentation of content oriented toward a more technical audience, and creates a vibe that is just a bit edgier (without becoming cliche) than the overall Duo brand.

Finally, you may notice that we take a different tone than might be expected when we speak about security. The language adopted by a brand is as important—if not more—to the appeal, perception and inherent identity of the organization as any other visual asset.

Duo Literature: A Duo literature sampling, left to right: Moving Beyond The Perimeter, The 2018 Trusted Access Report, Phishing: A Modern Guide to an Age-Old Problem

Brand language is a core component of winning the hearts and minds of audiences, and as with our design, it is something that we treat very consciously and carefully at Duo. Our messaging and content come first; they are then paired with visuals for a variety of mediums, creating an array of assets that aim to inform and educate.

Duo’s Creative team, composed of graphic designers, web developers, content strategists and filmmakers, works together closely to ensure that all of our materials are in sync and consistently following the methodologies that help to make our brand of security unique. We maintain an approachable, straightforward tone that avoids buzzwords, cliché and FUD in order to evangelize our work and provide context to current events in the infosec business.

Problem Solving for a Security Image Revolution

As designers within the infosecurity space, we have accepted a unique problem-solving challenge: How do you reinvent the way a concept has been visualized and communicated over so many decades?

Security has historically been designed and advertised for the eyes of infosec professionals, CISOs, CIOs, hackers and tinkerers. Increasingly, the need has arisen to design for security’s greatest untapped ally, the end user, who we hope will be receptive to understanding security beyond the concept of two-factor authentication (2FA) and using unique passwords.

Our challenge as a Creative team for a security company is to address an audience that has always been aware of infosec, but has been consuming a less-than-effective image of what the industry is for a long time. Times and audiences are changing rapidly, and our brand is committed to being responsive.

From inception, Duo has been driven by the problem-solving sensibilities both of programmers, and that of visual designers. We are a company of skilled craftspeople—both creative and technical—who use many instruments to create a bold new imagining of infosec. We hope that more of our peers in design and technology will join us in that effort.

Further Reading & Watching

The International Typographic Style: A Brief History
How Color Helps A Movie Tell Its Story
The Anthropology of Hackers
The Best Hacking Film You Haven’t Seen (Yet)
DEFCON - The Full Documentary

<![CDATA[Developments to WebAuthn and the FIDO2 Framework]]> nsteele@duo.com(Nick Steele) https://duo.com/blog/developments-to-webauthn-and-the-fido2-framework https://duo.com/blog/developments-to-webauthn-and-the-fido2-framework Industry News Tue, 02 Oct 2018 08:20:00 -0400

Since my last blog post on WebAuthn eight months ago, there has been a massive amount of progress made by both vendors and the authors of the specification to bring this spec into usage in browsers and websites. As of September 2018, there is support for Web Authentication (WebAuthn) in the stable builds of Chrome, Firefox and Edge. While the implementations may vary slightly between the three browser builds, we are well on our way toward the passwordless future set out by WebAuthn and the FIDO Alliance.

Additionally, the FIDO Alliance has begun to hold plenary meetings to discuss things like how account recovery should work and best practices for implementation, and interoperability events aimed at getting vendors on the same page with their development versions of the WebAuthn specification.

One of the big contenders that showed up on the FIDO Alliance and WebAuthn scene is Mastercard, and some FIDO messaging has begun to position WebAuthn as a tool for handling identity in regards to payments over the web. This is a great step, because organizations like Mastercard have a massive user base, and their backing of the spec could help drive mass adoption.

The impetus for payment providers and other companies to adopt this spec, and even use it as their default authentication mechanism, is a bit of a no-brainer. Aside from eliminating passwords, which are notoriously insecure, implementing WebAuthn gets rid of a substantial attack surface for organizations.

With WebAuthn, if an organization’s user credential database is compromised by an attacker, nothing has really been gained by the attacker. There’s also no easy way to phish for users’ credentials for the same reason; the user credentials are unique and scoped to a single organization. Implementing WebAuthn gets rid of the costs and need to handle fraud and attacks related to managing passwords.

The FIDO2 Framework

So, back to developments in the spec. One of the biggest changes to WebAuthn came earlier this year in April right before the RSA Conference, when WebAuthn received a bit of a “rebranding” with the announcement of its inclusion in the “FIDO2 Framework.” This led to WebAuthn often being referred to, in part, as FIDO2 authentication, which can be a bit confusing for folks. While the two terms are sometimes used interchangeably, the FIDO2 Framework actually includes a second specification called CTAP, or Client to Authenticator Protocol. To make things more confusing, while CTAP can be supported in Web Authentication flows, we are actually going to be using CTAP2 in WebAuthn’s final form.

So what is FIDO2? CTAP2 and WebAuthn, together. The FIDO Alliance has begun to concatenate the two separate specifications into the single namespace of FIDO2. CTAP2, an updated version of the Client to Authenticator Protocol previously used for FIDO’s U2F framework, includes updates to how data is transported and has parameters specific to WebAuthn that are provided to authenticators. Both CTAP1 and CTAP2 have a great amount of interoperability, and most authenticators you could use for WebAuthn right now, like YubiKeys, can indirectly support CTAP2 requests by mapping them via the client API to CTAP1 transports.

Before you go and pull up the CTAP specifications, it is important to note that having a working knowledge of what CTAP does is important, but not necessary for adding WebAuthn to your website. The Client to Authenticator Protocol, as the name implies, is specific to the client and authenticator, and unless you’re creating a new browser, or hardware or software-based authenticator, you probably don’t need to worry much about the finer points of this specification. Most user clients implementing WebAuthn already support CTAP2 with the only exceptions currently being Firefox and Safari.

Yubico has already started shipping FIDO2-specific keys, meaning keys that are made to support CTAP2, and as FIDO2 gains traction, we can expect the same from other groups like Feitian and Google.

New Technical Developments

The implementation of WebAuthn has been rapid in most major browsers this year as changes to the technical details of the spec have slowed. Now that WebAuthn has entered Candidate Review with the W3C, browser development groups can proceed without uncertainty of major elements of their implementation changing with updates to the spec documents.

Before talking about the technical developments in browsers, one of the big changes on the technical side of the WebAuthn spec has been how attestation statements are handed from the authenticator back to the browser. The attestation statement, which is provided by the authenticator to prove it created the credential for a given site, could potentially be used to track a user across multiple sites.

The attestation statement could include attributes unique to the user’s authenticator, so in order to mitigate this issue, recent versions of browsers implementing WebAuthn, specifically Chrome and Firefox, will present users with a modal asking if they want to include the attestation data when they authenticate with a site.

CTAP WebAuthn Graphic: concept source: Adam Powers, Former Technical Director and current Technical Advisor @FIDOAlliance. Founder WebAuthn Consulting.

There are still elements of the specification that aren’t currently working in browsers even though they are described in the W3C documentation, specifically the authenticator types that would allow Android devices to be supported natively as authenticators by the API.

There have, however, been applications like Krypton, that allow us to override the API in Chrome and use the phone as an authentication device. Krypton achieves this by using a Chrome extension that pairs with a user’s phone, which then intercepts requests to the credential API, using the phone in part to create the WebAuthn credential.

The Microsoft Edge team has caught up with Firefox and Chrome in the last few months, and added support for WebAuthn to Edge browsers running on Windows 10. Additionally, their implementation supports Windows Hello, which is a great advancement at this stage in the spec’s development, since most users like myself are only testing operability with external hardware tokens. Users with a Windows device that supports Hello, like the Windows Surface Pro, can use their face as their biometric login for websites with WebAuthn support. Visit webauthn.io with a Windows Hello device for the demo.

Google and the Chrome Web Identity team have been killing it in new developments for WebAuthn within Chrome. As of writing this, there are two new feature flags in Chrome Canary version 69, the first one for adding native support of the MacBook Pro’s TouchID to Chrome, and it currently works!

The second flag is there to develop handling of cloud-assisted Bluetooth, or caBLE, for WebAuthn. The caBLE extension would most likely allow Google-specific devices to pair using Bluetooth, with little to no need to go through the standard pairing protocols that are currently used. While public information on caBLE is limited, it would be a great way to handle WebAuthn in a closed or offline environment as well.

Next Steps

If you haven’t checked out any code for it, there are now many examples of WebAuthn applications on GitHub. James Barclay, a fellow researcher at Duo Labs, and I still have two example applications written in Go and Python that show how WebAuthn works, and the Go version is hosted here if you prefer a quicker demo.

This is a good time to develop your own WebAuthn application, too, since the credential API is not expected to change much. If you’re already working on your own code, the FIDO Alliance has been developing conformance tools for testing FIDO2 operability, so folks that have made their own production-ready implementations of WebAuthn/FIDO2 architecture should put their code to the (unit) test!

So, even though the code hasn’t been changing much, there are other things that the FIDO Alliance has been focusing on that you can follow along with or get involved in. One working group within the FIDO Alliance that I have been involved with concerns how account recovery will work with sites using the FIDO2 framework. Account recovery when a user loses their authenticator is an interesting issue with regards to passwordless authentication, because some of the most obvious solutions could introduce additional problems.

For example, a solution such as “adding additional authenticators to an account” could be troublesome because it would require a user to have an additional, and often expensive, secondary authenticator to fall back on. There are myriad other solutions being thought about, but it is an interesting thought experiment to weigh the pros and cons of account recovery methods for passwordless authentication.

WebAuthn and FIDO2 as a whole are well on their way to being introduced to the world as an actual replacement for passwords, and the Duo Labs team and I will continue to excitedly follow their progress. Feel free to contact me on Twitter if you have any questions and continue to be excited for WebAuthn!

<![CDATA[The Business of Building Trust (On Cisco's Acquisition of Duo)]]> dugsong@duosecurity.com(Dug Song) https://duo.com/blog/the-business-of-building-trust-on-ciscos-acquisition-of-duo https://duo.com/blog/the-business-of-building-trust-on-ciscos-acquisition-of-duo Industry News Mon, 01 Oct 2018 00:00:00 -0400

Dear Duo,

It was 8 years ago during the Great Recession, as my wife and I were expecting our second child, and Jono was finishing his PhD, that we quietly started on a mission to democratize security by making it easy and effective for all.

Over 700 of you also took a leap of faith to join us on this mission, and I want to take a moment to express to each and every one of you my overwhelming pride and gratitude for all that we accomplished, and how far we’ve come together.

From the outside, many have recognized Duo’s success at delivering security for people in a way that is easy to understand, try, buy, manage, and use. But it’s actually how we do this that will have the largest and lasting impact on our industry, as we consider the massive opportunity ahead with Cisco.

Companies in established industries typically prioritize three things, in order: Results, Process, and People. They define the results they want, follow historical processes by which to achieve them, and hire/train people that fit into their program. For decades, the security industry grew by chasing badness, adding complexity and selling on fear, and hiring from a limited pool of industry insiders.

Our approach at Duo has been decidedly different. We didn’t just want to solve specific problems in security, but the larger problem of security. “Security sucks, who has time for this?” was a marketing slogan we never used, but saw customers quietly screaming to themselves every day. To eliminate the cost, complexity, and frustration of security, we needed to go back to first principles, and build the right kind of company.

By putting people first, innovating to the needs of our team and our customers, and never compromising our long-term goals or core values in exchange for short-term results, we achieved a very special kind of success in this industry – a company we can all be proud of.

A Culture of Learning & Growth

Culture is how we work and play together. And as early as 20 employees at Duo, we started building a platform for our people, with the goal of developing our culture to drive the business. Because while change in our industry is constant, growth is a choice – and we wanted Duo to be a place where people could do their best and highest work, while serving our best and highest purpose in simplifying security.

With every interview and onboarding session, we’ve learned about your backgrounds and experiences, and what makes you unique. By hiring for shared values and cultural contribution, versus “cultural fit”, we’ve been able to integrate new mental models, skills, and perspectives that have allowed us to solve problems from many different angles.

Because Duo isn’t bigger, we aren’t smarter, and we don’t work any harder than our competitors. Instead, we engineer the business by taking calculated risks, and learn together how to win on our own terms. We go out of our way to help customers and colleagues be successful by being kinder than necessary, seeking to understand their needs and point of view.

Ann Arbor may have set our foundation for learning and winning as a team, but with every new location, we’ve drawn upon what’s unique around us. Silicon Valley is the epicenter of disruption and London is the crossroads of the world; Austin is keeping it weird and Detroit is hustling harder.

And as we join Cisco, we have the opportunity to apply our thoughtful, gritty, weird, and innovative ways at an unprecedented global scale.

Moving at the Speed of Trust

Learning from difference in a team, even one that shares these values, requires more than just our honest intentions. We needed the scaffolding of management practices, infrastructure, and processes that help us innovate quickly, and to win or learn.

From the start, and over many years, we optimized our processes for velocity in our business.

We partner with customers through design and development, and organize around the heartbeat of a two-week engineering release cycle. Our customers get our products up and running in under a day, and without requiring an army to deploy them.

We focus on treating our customers and each other well, as guiding principles for countless decisions made across the company. We’ve been thoughtful and deliberate in where we’ve said ‘no’ as much as where we’ve leaned in, even turning down multimillion dollar opportunities because they didn’t make sense for the customer, or the kind of company we wanted to be.

We’ve built a highly differentiated go-to-market engine, driven by a high-volume demand generation program fed by approachable, well-crafted content. We chased greenfield opportunity and expanded the security market by making our product and customer experience approachable.

We took the same approach to developing our brand as we did to developing our product – by focusing on the customer, not ourselves. We waited to get big before we got too loud. We wore our quirks on our sleeves. We remained true to our ideals, and most importantly, we’ve been honest and forthright with ourselves, our customers, and the industry.

And we did it while retaining much of our early team, ensuring the principles we formed the company with continued on as the team leveled up and expanded, because the things you do when you’re small get amplified in hypergrowth.

Our Best-in-Class Results

“The score takes care of itself” – Bill Walsh, former coach of the 49ers

By focusing on people, process, and then results, we cultivated a high-performing team, built an exceptional business, and enjoyed a success few companies ever see. Our results speak for themselves, and have been truly best-in-class for any SaaS company, much less a security company.

Duo has been one of the fastest-growing, and most capital-efficient SaaS businesses ever. For much of our history, we doubled our team, tripled annual recurring revenue, and binary-exponentiated our customer base every year. We did this while spending only $16M since we began to reach $100M in annual recurring revenue last year.

We built our reputation as the Most-Loved Company in Security with customers, partners, and employees as we delivered the fastest time-to-value of any security vendor, led the industry with a 70+ quarterly Net Promoter Score and renewal rates in the high 90s, and enjoyed Glassdoor ratings of 4.5+ with the majority of our workforce coming from outside the industry.

We’ve also grown the market for security, making it approachable for customers who have not been traditional security buyers. We still have a goal of erasing the “security poverty line” of financial and human resources required by organizations to effectively protect themselves, as companies big and small need their security or IT teams to have an outsized impact.

And as far as we’ve come, I’m excited by how much further we’ll go, accelerating the reach of our mission as part of the world’s largest network and security company. We get to be a big part of the change at Cisco as it moves rapidly to reinvent itself in a cloud and mobile era.

But internally and externally, we will continue to build trust so people can do what they’re supposed to do, building bridges between each other and to the future.

Mackinac Bridge to Michigan’s Upper Peninsula – Golden Gate bridge to the SF Peninsula #WeAreDuo #WeAreCisco

And we’ll do it our way.

With love and gratitude,


<![CDATA[Weak Apple DEP Authentication Leaves Enterprises Vulnerable to Social Engineering Attacks and Rogue Devices]]> jbarclay@duosecurity.com(James Barclay) https://duo.com/blog/weak-apple-dep-authentication-leaves-enterprises-vulnerable-to-social-engineering-attacks-and-rogue-devices https://duo.com/blog/weak-apple-dep-authentication-leaves-enterprises-vulnerable-to-social-engineering-attacks-and-rogue-devices Duo Labs Thu, 27 Sep 2018 05:45:00 -0400

Over the last few months, Duo Labs has been researching the security of Apple's Device Enrollment Program (DEP). In this research, we discovered an authentication weakness in DEP, used by many organizations to automatically enroll devices in their Mobile Device Management (MDM) server. Simply put, enterprises use DEP to bootstrap the provisioning of Apple devices.

This has a few real-world implications:

  • Leveraging this authentication weakness, an attacker can potentially enroll any device into an organization's MDM server - which could allow them to obtain privileged access used to further pivot within the network. Whether the attacker will be able to automatically enroll their device into the MDM server depends on how the server is configured, and whether the device was previously enrolled. Since the MDM protocol doesn't require user authentication, not every organization has implemented this protection, even though Apple publicly documents these best practices in their Apple Business Manager Help documentation.
  • Or, an attacker could use serial numbers obtained through open-source intelligence (OSINT), social engineering or generating them via brute force to query the DEP API for device profiles. The DEP profiles contain information about the organization, such as phone numbers and email addresses, which could be used to launch a social engineering attack against the organization's help desk or IT team.

See the full report for an in-depth, technical overview of our findings.

Device Enrollment Program

DEP is a free service offered by Apple for organizations using MDM to manage and configure their users' devices, including devices purchased directly from Apple or authorized resellers. DEP gives users a zero-touch setup experience of their new company-provided devices.

Authentication Weaknesses in DEP

Our research focused on the details of how some of the undocumented DEP APIs work, specifically those that are used by Apple devices to communicate and enroll with the DEP service. Through this research, we found that because of the way DEP is implemented, it only uses a device's serial number to authenticate to the service prior to enrollment. Also, while Apple’s MDM protocol supports user authentication prior to MDM enrollment, it does not require it - meaning some organizations could be protecting device enrollment with the serial number alone.

The key issue is that serial numbers are used to authenticate devices to the DEP service, but are not data that should be considered secret. Additionally, because not everyone expends the effort to protect serial numbers, it's not uncommon to find them online.

Furthermore, serial numbers are predictable and are constructed using a well-known schema. This means that an attacker does not have to find serial numbers that have been inadvertently leaked; they can instead generate valid serial numbers and use the DEP API to test if they are registered with DEP.

With this in mind, an attacker armed with only a valid DEP-registered serial number can use it to query the DEP API to glean organizational information. Or, in configurations where an associated MDM server does not enforce additional authentication, a malicious actor can potentially enroll an arbitrary device into an organization’s MDM server. The ability to enroll a chosen device to an organization’s MDM server can have a significant consequence, subsequently allowing access to the private resources of an organization, or even full VPN access to internal systems.

Who Does This Affect?

It's impossible for us to know the full size or scope of devices that this DEP issue impacts, but every customer using Apple's DEP service is affected. However, it's worth remembering that not every Apple enterprise customer that deploys Apple devices in their corporate IT environment uses Apple’s DEP service.

Disclosure Timeline

Below is a summary of the timeline starting with when we discovered the authentication weakness in DEP and leading up to this research being published:

  • 2018-05-16: Initial report to Apple.
  • 2018-05-17: Acknowledgement from Apple.
  • 2018-08-16: 90 days since first report.
  • 2018-09-27: Research published.
  • 2018-09-28: Public Disclosure at ekoparty Security Conference.


So what can be done to protect both the organizations using DEP and their users? The full security research provides several remediation options, covering steps that both Apple and organizations using DEP can take.

Our recommendations to Apple center on ensuring strong authentication of devices and not relying on serial numbers as a sole authentication factor to retrieve the DEP profile. Until the core issue is resolved, Apple can help make their DEP APIs more resilient to misuse by implementing rate limits on requests and limiting the information returned by the API endpoints. Additionally, Apple could strongly authenticate users as part of the DEP enrollment process, using modern authentication protocols such as SAML or OIDC. This would prevent DEP profiles from being retrieved if the device’s associated user is not authenticated.

If your organization uses DEP, one of the best steps you can take is to ensure you enforce authentication on any MDM server used with DEP, so that knowledge of a serial number alone does not allow device enrollment. Additionally, embracing a zero-trust approach can help to ensure that the privileges afforded to devices that have been enrolled in MDM are not excessive. Put another way, just because a device is managed by your MDM server should not automatically afford it a higher degree of trust.
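The recommendation above, that a serial number alone must never be enough to enroll, can be expressed as a small policy gate on the MDM side. The following is an added example, hypothetical code rather than Apple's or any MDM product's: it requires an authenticated user session in addition to a DEP-registered serial, and it also reports sources that present many distinct serials in a short window, the trace that guessing against an enrollment endpoint would leave in the logs. The inventory, session store, serial values, IP addresses and log line format are all constructed for the example.

```python
"""Enrollment gate and enumeration flag for an MDM server fed by DEP.

Added example (hypothetical; not Apple's or any MDM product's code). A
DEP-registered serial number is treated as inventory, not as a credential:
enrollment also needs an authenticated user session. A second function scans
the enrollment log for sources that tried many distinct serials quickly.
Inventory, sessions, serial values and log lines are all constructed, and the
log line format is this example's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: serials the DEP portal has assigned to this MDM server.
DEP_INVENTORY = {"SERIAL-0001", "SERIAL-0002", "SERIAL-0003"}
# Constructed: session token -> user proven by the MDM's own login step.
AUTHENTICATED_SESSIONS = {"sess-7f3a": "alice@example.com"}


def enrollment_decision(serial, session_token, inventory=DEP_INVENTORY,
                        sessions=AUTHENTICATED_SESSIONS, require_user_auth=True):
    """Return ("allow" | "deny", reason). With require_user_auth=False the
    gate degrades to the serial-only check the post warns about."""
    if serial not in inventory:
        return "deny", "serial not assigned to this MDM server"
    if not require_user_auth:
        return "allow", f"{serial}: serial-only policy (weak)"
    user = sessions.get(session_token)
    if user is None:
        return "deny", f"{serial}: no authenticated user; a serial number is not a secret"
    return "allow", f"{serial}: enroll for {user}"


# Constructed enrollment log, one request per line (TEST-NET addresses).
SAMPLE_LOG = """\
2018-09-27T10:00:01 src=203.0.113.5 serial=SERIAL-0101 result=deny
2018-09-27T10:00:02 src=203.0.113.5 serial=SERIAL-0102 result=deny
2018-09-27T10:00:02 src=203.0.113.5 serial=SERIAL-0103 result=deny
2018-09-27T10:00:03 src=203.0.113.5 serial=SERIAL-0104 result=deny
2018-09-27T10:00:04 src=203.0.113.5 serial=SERIAL-0002 result=deny
2018-09-27T10:00:05 src=203.0.113.5 serial=SERIAL-0105 result=deny
2018-09-27T10:00:09 src=198.51.100.7 serial=SERIAL-0001 result=deny
2018-09-27T10:00:40 src=198.51.100.7 serial=SERIAL-0001 result=allow
"""


def parse_log(text):
    """Parse 'timestamp src=... serial=... result=...' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["src"], kv["serial"]))
    return events


def flag_enumeration(events, window=timedelta(minutes=5), threshold=5):
    """Sources that presented >= threshold distinct serials inside any window
    starting at one of their own requests. Returns src -> distinct count."""
    by_src = defaultdict(list)
    for ts, src, serial in events:
        by_src[src].append((ts, serial))
    flagged = {}
    for src, reqs in by_src.items():
        reqs.sort()
        for start, _ in reqs:
            seen = {s for t, s in reqs if start <= t < start + window}
            if len(seen) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(seen))
    return flagged


if __name__ == "__main__":
    print(enrollment_decision("SERIAL-0002", None))         # deny: no user
    print(enrollment_decision("SERIAL-0002", "sess-7f3a"))  # allow
    print(flag_enumeration(parse_log(SAMPLE_LOG)))          # {'203.0.113.5': 6}
```

The gate deliberately checks the inventory first and the user second, so a valid serial with no user session is a deny rather than a partial enrollment; the enumeration scan is quadratic per source, which is fine for an enrollment endpoint that legitimately sees a handful of requests per device.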


Regardless of the authentication weaknesses in the current implementation of Apple's Device Enrollment Program, there's no question that it still provides value for organizations with large fleets of Apple devices. The benefits of ensuring that devices are securely configured and managed via MDM and bootstrapping that process via DEP outweigh the risks associated with this authentication weakness.

There are a number of steps that can be taken by Apple to establish strong authentication and trust while still ensuring a relatively frictionless, streamlined user experience and device deployment process. However, some of these mitigations (such as device attestation) only recently became feasible due to new hardware capabilities. It will take time for these changes to be fully realized, and for Apple's customers that are leveraging DEP to benefit from them, but the future looks bright.

In the meantime, Apple customers using DEP can protect themselves by requiring user authentication prior to MDM enrollment, or by not trusting devices simply because they're enrolled in MDM.

<![CDATA[Building the Zero Trust Plane While Flying It]]> (Dean Scontras) https://duo.com/blog/building-the-zero-trust-plane-while-flying-it https://duo.com/blog/building-the-zero-trust-plane-while-flying-it Industry News Mon, 24 Sep 2018 08:20:00 -0400

Forrester Analyst Chase Cunningham, the author of the article Get Your Federal Team In Sync With Zero Trust, is correct. The government has led the way on previous cybersecurity trends. In contrast, industry is leading the way on zero trust, and the government has to figure out how to fly the plane while building it. Typically, not an easy proposition.

The image associated with this article depicts just how the once forward-leaning government has become a bit of a laggard in its race toward modernization and the cloud. The pictured technology is all but gone in the commercial world, but remains predominant in some federal agencies. It's acting as an anchor in the move towards IT modernization.

Employees and contractors can still be seen toting lanyards and keychains full of old authenticators. Meanwhile, it's known that these "approved" legacy solutions are costly, don't support the cloud and never will. Yet, with IT modernization and other government megatrends, the government is supposed to be moving quickly to the cloud with solutions that enable it while improving security and the user experience?

Duo does just that. In fact, after hearing about the requirements of what constitutes IT modernization - we read like a case study. We check all the boxes. Improve security, reduce costs, improve user experience, etc. In fact, we have developed a fed-specific "IT modernization calculator" that will calculate the cost reductions associated with replacing legacy solutions with Duo. But I digress, as sales people are prone to do. :)

Meanwhile, in other agencies, there are "gaps" where PIV is not viable, for whatever reason. Consequently, modern MFA solutions like Duo can replace legacy solutions and fill gaps while building the bridge to zero trust. Fly and build.

While there are admittedly several factors in the transition to zero trust, one of the first should be starting with a form of MFA that can bridge agencies from the current operating environment (PIV) to one that is equally strong (FIPS 140-2 Level 3), while also providing a framework for the future state of identity and access. Too many interpret this as a rip-and-replace proposition. That's not the case, at all.

Anyway, the author is also correct that the marketing hype around zero trust is peaking and it's hard to distinguish who does what and how to get there. Where do you start? At the beginning, of course, with a form of modern MFA that gets you to the cloud and IT modernization. Hence, we are looking to further distinguish our message from much of the white noise. In the coming weeks, we will be starting a "Zero Trust for Government" LinkedIn group with some industry and former government thinkers who can hopefully help government customers on this journey.

<![CDATA[Mapping Social Networks With Gephi]]> oanise@duo.com(Olabode Anise)jwright@duo.com(Jordan Wright) https://duo.com/blog/mapping-social-networks-with-gephi https://duo.com/blog/mapping-social-networks-with-gephi Duo Labs Thu, 13 Sep 2018 08:30:00 -0400

Social networks like Twitter, Facebook and Instagram allow people to share content and build communities. Each user has their own social network of other users they're connected to. This means that we can think of social networks like a large graph, with accounts as nodes in the graph and the connections between accounts as edges.

Earlier this month, we presented a technical research paper at Black Hat USA 2018 called Don’t @ Me: Hunting Twitter Bots at Scale that details the process of gathering a large public Twitter dataset and finding automated accounts (bots) within that dataset. In this research, we examined a large botnet consisting of over 15,000 bots that actively spread a cryptocurrency giveaway scam. Moreover, we showed how mapping out the connections between accounts allowed us to discover the structure and organization of the botnet.

Botnet Map

Visually mapping social network connections reveals patterns that may otherwise be hidden in the data. If that weren’t enough, these graphs also serve as compelling pieces of generated artwork.

This post shows the step-by-step process to create a graph of your own social network using Gephi.

Introduction to Gephi

Gephi is open-source software that makes it easy to generate beautiful layouts of graphs and networks. The graphs generated by Gephi can be explored, analyzed, filtered and modified.

There are many options offered by Gephi that allow graphs to be formatted so that they most effectively tell the story you're trying to tell. Everyone's workflow is different, but my standard process when building a graph with Gephi is:

  • Import the GEXF file
  • Apply a layout
  • Color/resize the nodes and edges by attribute or through automatic community detection
  • Export the resulting SVG

While our previous work focused on using this process to map relationships between bots, the same process can be applied to any graph of social networks.

To show how this process works, let's take a look at how to create a map of your own social network.

Graphing Your Social Network

Gathering the Data

In order to make a graph of a social network, we first need to gather the data. As part of our research, we open-sourced a script, crawl_network.py, that crawls the social network for a user and exports the results in GEXF format.

To fetch my own social network, I can run the script like this:

python crawl_network.py --degree=1 --max-connections=5000 --root-connections jw_sec

The first thing to consider when running the script is that gathering connections is a slow process. To gather the data, we use the followers/ids and friends/ids API endpoints. At the time of this writing, these endpoints are rate limited at 15 requests per 15 minutes. This means that crawling thousands of accounts may take multiple days. We can first limit the number of degrees we want to crawl using the --degree flag. We can further limit the number of connections we fetch per account using the --max-connections flag.

The next thing to consider is how much data Gephi can handle. When crawling social networks, it's easy to generate graphs with hundreds of thousands of nodes and edges. Large graphs reduce Gephi’s ability to quickly apply layouts. To help manage the size of our graph, we can use the --root-connections flag to only map connections between nodes that are immediately in our social network.

Running the script outputs two files: the raw JSON results in ndjson format, and a GEXF file for use in Gephi.
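To make the two size controls and the rate-limit arithmetic concrete, here is an added example that is not Duo's crawl_network.py: it takes crawl results in an ndjson layout of this example's own choosing ({"screen_name", "followers", "friends"}), applies a per-account connection cap like --max-connections and a root-network filter like --root-connections, writes a GEXF file Gephi can open, and estimates crawl time from the 15-requests-per-15-minutes limit. The account names are constructed; the estimate assumes each endpoint returns up to 5,000 ids per request and that the limit applies to followers/ids and friends/ids separately.

```python
"""Turn crawl results into a GEXF file for Gephi.

Added example, not Duo's crawl_network.py. It reproduces the two size controls
the post describes (a per-account connection cap and keeping only edges inside
the root user's immediate network) and estimates crawl time under the
15-requests-per-15-minutes limit. The ndjson layout and account names are
this example's own constructed data.
"""
import json
import math
import xml.etree.ElementTree as ET

# Constructed crawl output, one JSON object per line (ndjson).
SAMPLE_NDJSON = """\
{"screen_name": "root_user", "followers": ["alice", "bob", "carol"], "friends": ["alice", "bob", "dave"]}
{"screen_name": "alice", "followers": ["root_user", "bob"], "friends": ["root_user", "carol"]}
{"screen_name": "bob", "followers": ["root_user", "alice", "mallory"], "friends": ["root_user", "alice", "eve"]}
{"screen_name": "carol", "followers": ["alice"], "friends": ["root_user"]}
{"screen_name": "dave", "followers": ["root_user", "zed"], "friends": []}
"""


def parse_ndjson(text):
    """Map screen_name -> {"followers": [...], "friends": [...]}."""
    accounts = {}
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            accounts[rec["screen_name"]] = rec
    return accounts


def build_edges(accounts, root, max_connections=None, root_connections=True):
    """Directed edges (follower -> followed), deduplicated across both lists.

    max_connections truncates each account's follower and friend lists, as a
    crawler that stops paging would; root_connections drops any edge whose
    endpoints are not both in the root user's immediate network.
    """
    root_net = {root} | set(accounts[root]["followers"]) | set(accounts[root]["friends"])
    edges = set()
    for name, rec in accounts.items():
        followers = rec["followers"][:max_connections] if max_connections else rec["followers"]
        friends = rec["friends"][:max_connections] if max_connections else rec["friends"]
        edges.update((f, name) for f in followers)   # f follows name
        edges.update((name, f) for f in friends)     # name follows f
    if root_connections:
        edges = {(s, t) for s, t in edges if s in root_net and t in root_net}
    nodes = {n for edge in edges for n in edge}
    return nodes, edges


def to_gexf(nodes, edges):
    """Serialise as GEXF 1.2, the format Gephi's importer reads."""
    ns = "http://www.gexf.net/1.2draft"
    gexf = ET.Element("gexf", xmlns=ns, version="1.2")
    graph = ET.SubElement(gexf, "graph", mode="static", defaultedgetype="directed")
    nodes_el = ET.SubElement(graph, "nodes")
    for n in sorted(nodes):
        ET.SubElement(nodes_el, "node", id=n, label=n)
    edges_el = ET.SubElement(graph, "edges")
    for i, (s, t) in enumerate(sorted(edges)):
        ET.SubElement(edges_el, "edge", id=str(i), source=s, target=t)
    return ET.tostring(gexf, encoding="unicode")


def estimate_crawl_minutes(num_accounts, max_connections=5000,
                           requests_per_window=15, window_minutes=15):
    """Wall-clock lower bound for crawling num_accounts.

    Assumption: each endpoint returns at most 5,000 ids per request, and the
    15-per-15-minute limit applies per endpoint, so followers and friends
    can be fetched in the same windows.
    """
    pages_per_account = math.ceil(max_connections / 5000)
    requests_per_endpoint = num_accounts * pages_per_account
    windows = math.ceil(requests_per_endpoint / requests_per_window)
    return windows * window_minutes


if __name__ == "__main__":
    accounts = parse_ndjson(SAMPLE_NDJSON)
    nodes, edges = build_edges(accounts, "root_user", max_connections=5000)
    with open("root_user.gexf", "w") as fh:
        fh.write(to_gexf(nodes, edges))
    print(f"{len(nodes)} nodes, {len(edges)} edges; 2,700 accounts would take "
          f"about {estimate_crawl_minutes(2700) / 60:.0f} hours")
```

On the constructed sample the root-network filter keeps 5 nodes and 9 edges out of 8 nodes and 12 edges, which is the same pruning that keeps a real crawl small enough for Gephi to lay out quickly; the 2,700-account graph from the post works out to about 45 hours of waiting on the rate limit, consistent with the "multiple days" the post mentions.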

Visualizing the Graph

When opening up the GEXF file in Gephi, we're presented with a large group of nodes clustered together.

Graph Layout

We first want to clean up the layout of the graph, which will make it easier to see how the nodes and edges are structured.

Graphs are visualized using a layout. These are algorithms that organize nodes and edges in unique ways. Our graph has 2,700 nodes, making it a good candidate for using Force Atlas 2 as the layout. You can adjust settings as needed in the “Layout” window, but I'll typically apply a "Scaling" factor greater than 1,000 to help spread out the nodes. Then, I'll enable the "Stronger Gravity" option to help keep the overall graph contained.

These are the options I used to graph my social network:

Layout Options

After setting our options, we can click "Run" to apply the layout. I let this run for a few moments to stabilize before hitting "Stop," resulting in the following graph:

Circular Node

You’ll notice that the nodes in my social network are tightly connected to one another, creating a circular graph. Most of the accounts in my network are related to infosec, so it’s expected that many of them follow each other.

If you want a black and white graph, you can skip to the "Exporting a Work of Art" section below. Otherwise, let's add some color to our graph.

Adding Some Color

Gephi allows you to assign colors to nodes using attributes. Some attributes can be provided in the GEXF file (such as whether an account is a bot or not), while others can be calculated in Gephi itself.

A common practice is to color groups of nodes by communities. Gephi can run an algorithm that determines which nodes are likely in the same community based on their connections, and then color each community differently. This is useful when we want to find groups of users within a population.

To identify the communities in a graph, run the "Modularity" option located under the "Statistics" sidebar, accepting the default options. After this is completed, you'll be presented with a screen showing how many communities were found and the number of nodes in those communities.

HTML Report

Running this process also adds an attribute that can be used to assign colors. To color the graph based on these communities, select the "Nodes" tab under the "Appearance" panel in the left sidebar. Then, select the nested "Partition" tab. Finally, select "Modularity Class" as the attribute you want to use for assigning color.

Appearance Class

Gephi will automatically assign colors for you, but these can be changed. For now, we'll use the default - clicking "Apply" to color the graph.

Color Graph

It’s interesting to explore the communities that Gephi uncovers. In my case, most of the communities were still related to infosec, but the green community in the bottom left of the graph consisted largely of accounts of software developers or designers.
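What the "Modularity" statistic actually scores, and why a Modularity Class groups nodes the way it does, is easier to see on a graph small enough to check by hand. The block below is an added example and not Gephi's own implementation (Gephi runs the Louvain method); it computes Newman-Girvan modularity Q for a given partition of an undirected graph and runs the node-moving step that Louvain repeats. The graph is constructed: two triangles joined by a single edge.

```python
"""What Gephi's "Modularity" statistic measures.

Added example, not Gephi's code. Q compares the number of edges inside each
community with what a random graph with the same node degrees would have,
so Q = 0 means the grouping is no better than chance. local_moving() is the
first phase of the Louvain method: every node starts alone and nodes are
moved, one at a time, into the neighbouring community that raises Q most.
The graph below is constructed: triangle a-b-c, triangle d-e-f, bridge c-d.
"""
from collections import defaultdict

SAMPLE_EDGES = [("a", "b"), ("b", "c"), ("a", "c"),
                ("d", "e"), ("e", "f"), ("d", "f"),
                ("c", "d")]


def adjacency(edges):
    nbrs = defaultdict(set)
    for u, v in edges:
        nbrs[u].add(v)
        nbrs[v].add(u)
    return nbrs


def modularity(edges, partition):
    """Q = sum over communities c of  L_c/m - (D_c / 2m)^2, where L_c is the
    number of edges inside c, D_c the total degree of c's nodes and m the
    number of edges in the graph."""
    m = len(edges)
    nbrs = adjacency(edges)
    links_in = defaultdict(int)
    degree_sum = defaultdict(int)
    for u, v in edges:
        if partition[u] == partition[v]:
            links_in[partition[u]] += 1
    for node, ns in nbrs.items():
        degree_sum[partition[node]] += len(ns)
    return sum(links_in[c] / m - (degree_sum[c] / (2 * m)) ** 2
               for c in degree_sum)


def local_moving(edges):
    """Louvain phase one: keep moving single nodes to the neighbouring
    community with the largest Q gain until no move helps.
    Returns node -> community label (the label is one member's name)."""
    nbrs = adjacency(edges)
    partition = {n: n for n in nbrs}
    improved = True
    while improved:
        improved = False
        for node in sorted(nbrs):
            best_c, best_q = partition[node], modularity(edges, partition)
            for c in sorted({partition[v] for v in nbrs[node]}):
                trial = dict(partition)
                trial[node] = c
                q = modularity(edges, trial)
                if q > best_q + 1e-12:
                    best_c, best_q = c, q
            if best_c != partition[node]:
                partition[node] = best_c
                improved = True
    return partition


def communities(partition):
    """Group nodes by label, like Gephi's per-community node counts."""
    groups = defaultdict(set)
    for node, c in partition.items():
        groups[c].add(node)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    part = local_moving(SAMPLE_EDGES)
    print(communities(part), round(modularity(SAMPLE_EDGES, part), 3))
```

On the two-triangle graph the moving step settles on the two triangles, with Q = 5/14; putting all six nodes in one community gives Q = 0, and leaving every node alone gives a negative Q. Recomputing Q from scratch for every trial move is fine at this size; the real Louvain implementation in Gephi uses an incremental gain formula so it scales to the thousands of nodes in a crawl.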

With the colors applied, all that's left is to export our graph!

Exporting a Work of Art

Now we have a graph that is organized and colored by communities. All that’s left is to generate a clean, high-resolution work of art!

Opening the “Preview” pane gives a list of options that determine what the final graph looks like. Gephi offers a few presets to make this easier. A common preset you’ll see used is “Black Background,” which creates a graph with curved edges on a black background.

For our case, I used the “Default Curved” preset, and reduced the opacity of the edges. I also removed the labels since, for this graph, there are so many nodes that it would be difficult to read.

Here are the final options that I used to generate my graph:


After setting the options, pressing the “Refresh” button will generate a preview of your graph:


With the layout the way we want it, we can use the “Export” button to export our final image:

Exported Image


This was just a brief introduction into how Gephi is used to create compelling graphs of networks. There are quite a few ways to customize the graph to fit your preferences, so I encourage you to explore the various options and tutorials offered by Gephi.

If you’re interested in how we used this network mapping to map out relationships between bots in a botnet, we encourage you to check out our research Don't @ Me: Hunting Twitter Bots at Scale.

After releasing the initial research, we got feedback asking us to release the graphs as wallpapers. As part of this post, we are excited to announce that we’re releasing high-resolution wallpapers of each graph that you are free to use.


<![CDATA[UK CISO Survey Reveals Concerns About Shadow Devices]]> thu@duosecurity.com(Thu Pham) https://duo.com/blog/uk-ciso-survey-reveals-concerns-about-shadow-devices https://duo.com/blog/uk-ciso-survey-reveals-concerns-about-shadow-devices Industry News Wed, 12 Sep 2018 04:45:00 -0400

Shadow devices - aka, bring your own device (BYOD); those employee-owned personal phones, laptops, tablets, etc. - are connecting to your corporate network.

But you don't know how many there actually are, or what's on them, or if they even meet your minimum security standards, which might look a little bit like this:

  • Not jailbroken or rooted
  • Running the latest operating system, browsers and plugins
  • Passcode-protected
  • Encrypted

Your employees browse social media sites, download apps and games, and click on clickbait. And all of those behaviors can potentially introduce malware and phishing to their personal devices - and, by proxy, your corporate network.

Shadow Devices & Risks on the Rise

A Duo survey of 100 UK-based chief information security officers (CISOs) and senior information security leaders revealed their concerns about shadow devices. Nearly 60 percent of CISOs ranked access to their corporate network by shadow devices as the biggest security risk, with access from public Wi-Fi as another high concern.

A man-in-the-middle (MITM) attack over public Wi-Fi is possible because open internet connections are often unencrypted and unsecured. Attackers can sniff, or access, any information passed between your browser and the websites you visit.

And if your user is connecting remotely to your corporate network, an attacker on that network may be able to snatch the user's password, gaining entry to your company data.

Our survey found that users are connecting remotely to work applications, at least a quarter of the time, according to 3 in 4 CISOs. And 48 percent of companies have more than half of their employees working outside of the corporate network.

Some of those users may include third parties - another 48 percent of CISOs ranked external suppliers as their most risky users, understandably. Many contractors and vendors have been linked to breaches of larger enterprise companies, due to lax security practices or lack of security budget/practices.

What's the concern about all this remote work and access? The attacks that cause security incidents - like phished credentials, which accounted for 48 percent of incidents, according to UK CISOs. That's twice as many as malware accounted for (22 percent), although one is often a precursor to the other in an attack.

Phishing also accounted for the biggest security incidents in the last 12 months for half of all CISOs.

Shine a Light on Shadow Devices

What can you do about all this?

Shadow Devices (BYOD): Security starts with transparency. Get insight into every single device on your network, not just ones managed by your company. Duo's Unified Endpoint Visibility shows every device logging into your network, while Trusted Endpoints lets you distinguish between personal and corporate-owned devices.

Remote Work: This is our now-reality, so get secure about it. Implement a second layer of user verification with two-factor authentication to prove they're legit, and combine that with device checks at login to verify they meet your security standards. Then, layer in policies and controls to block access from certain countries or IP addresses to further limit who can log into your company applications.

Third Parties: 2FA their logins, then apply some additional controls - like limiting what they can access on a per-application basis, and limiting the time period during which they have access to your applications. With user and device reports, you can monitor their login activity and flag any anomalous events. Plus, you can enforce device checks to ensure their personal devices are secure enough to gain entry to your applications and data.

Phishing & Social Engineering: User training and awareness is one aspect, but strong 2FA can also help limit password attacks. Duo Push or Universal 2nd Factor (U2F) provides a stronger way to authenticate, protecting against social engineering attacks. There's more than just 2FA - getting insight and control over risky devices can also protect against the risk of malware introduced via phishing.

<![CDATA[Bringing Feature Requests to Life: Duo Push Verification]]> (Chris Demundo)(Marcus Stojcevich) https://duo.com/blog/bringing-feature-requests-to-life-duo-push-verification https://duo.com/blog/bringing-feature-requests-to-life-duo-push-verification Product Updates Tue, 11 Sep 2018 08:20:00 -0400

When I started as a Master of Business Administration (MBA) Product Intern at Duo this summer, I had two goals: learn about product management and make an impact on Duo’s customers and business. For my project, my software engineering counterpart Marcus and I were looking at a feature request from customers to allow admins to send a Duo Push from our Admin Panel. For this blog post, I want to give you a look into the process of bringing that feature request to life.

Starting With the Customer

At Duo, it always begins with the customer. By my second week, Marcus and I were conducting phone interviews with customers, having in-depth conversations about their help desk processes and existing solutions they had in place.

In total, we spoke to over twenty customers of many sizes and industries, and we developed a deeper understanding of the challenges they faced every day: imagine you’re a help desk agent and an end user calls in, verbally identifies themselves, and then asks for a password reset. How do you verify that you are not speaking to a malicious actor?

I also conducted internal research and found that this was a problem that even our own help desk team, Duo Support, faced. We had struggled with a lengthy callback process and, to solve this, we pulled together a solution using our Auth API that allowed us to send a Duo Push to verify a user before continuing the call.

This new feature, called Help Desk Push, is coming soon to the Duo Admin Panel and will be available for all customers on September 28, 2018.

But What’s the Solution?

Once I had a good understanding of the problem, the next step was handing it over to Marcus and one of our product designers, Amy Afonso, to work on a solution. Despite the extensive customer research, there were outstanding questions, like: where should this feature live within the Duo Admin Panel? How do we best log that these events are taking place? We went to the whiteboard to start conducting design sessions in which we grappled with these problems.

In our research, we learned that during high-value events like password resets or sending bypass codes, help desk admins have already received a username or email as an identifier and are thinking in context of the user. Due to this fact, we decided to place the feature on the user page in the Duo Admin Panel.

A new Send Duo Push link opens a pop-up that allows you to choose the two-factor authentication device, send a push and receive a response. There are three possible responses - Approved, Denied, and Timed Out. If Duo Support receives anything other than Approved, our policy is to not proceed with the call for security reasons. Finally, for visibility, the result of every push verification is logged as an Administrator Action.

We knew this was the right solution because it solves both problems our customers were facing:

  • It’s quicker than lengthy callback procedures and more secure than checking identity via security questions
  • Push verification allows help desk admins to efficiently help users with low user friction

Building and Testing the Feature

Once we determined a direction, Marcus was able to start the real work of actually building the feature! We tested initial prototypes with real help desk agents to validate our decisions and made changes where necessary. After this iterative process, I’m happy to report that the feature will soon enter beta testing with some of the original customers we interviewed.


Over the course of this project, I got to work with great people and learn a ton about software product management. For my part, I learned that there are many solutions to a given problem, and my goal was to allow engineering and design to creatively iterate while being the voice of the customer when necessary. Closing off a vector for social engineering with this feature will make a real impact for our customers. It solves a problem they deal with every day, which, I learned, is what product management is all about at Duo!

Learn more about how this feature works below:

<![CDATA[Announcing Offline Multi-Factor Authentication for Windows]]> bbentley@duosecurity.com(Bob Bentley) https://duo.com/blog/announcing-offline-multi-factor-authentication-for-windows https://duo.com/blog/announcing-offline-multi-factor-authentication-for-windows Product Updates Mon, 10 Sep 2018 09:05:00 -0400

Duo’s data centers process the authentication requests from thousands of organizations every day, providing us a great view into usage trends and statistics. (We publish an analysis every year in our Duo Trusted Access Report.)

Based on the huge numbers of Windows laptops, desktops and servers in use, it’s no surprise that Duo’s integration with Windows environments (called Duo WinLogon) is one of our most highly used integrations, with nearly 10 million authentications per month.

Customers use Duo WinLogon to enforce multi-factor authentication at initial login and return from screen lock. It can be used for remote Windows server access via Remote Desktop Protocol (RDP) or for local logins to Windows laptops and desktops.

MFA for Local Login

Organizations use multi-factor authentication for local Windows login to verify the identity of users on Windows machines — either to use the applications installed on that machine, or as an onramp to the rest of the network. Duo confirms the user’s identity to protect against breaches that could originate from the Windows machine due to phishing and other password-based attacks.

Many of our customers deploy Duo WinLogon specifically to fulfill compliance requirements. For example, government-adjacent organizations such as military contractors are regulated by the Defense Federal Acquisition Regulation Supplement (DFARS). DFARS requires these organizations to follow the strict data protection standards outlined in NIST SP 800-171, which mandates “multi-factor authentication for local and network access to privileged accounts.”

Why Offline MFA?

The most commonly seen need for offline MFA is to support users who are required to complete multi-factor authentication but are occasionally offline by the nature of their job function — for example, a frequent traveler on a plane who needs to authenticate to their laptop, or an employee working remotely at a contract customer location, where network access is not allowed.

Introducing Duo WinLogon Offline

In July we began a public beta program for our new WinLogon Offline capability, with general availability planned for October. At that time, it will be available as a feature of Duo MFA, Duo Access and Duo Beyond.

Duo’s modern approach does not require an agent, and it is launched only at the time of login or return from screen lock. With no third-party agent constantly running in the background, Duo avoids issues typically associated with agents, such as high resource consumption and user privacy concerns.

Also, Duo’s approach does not piggyback on top of the Windows RDP protocol. This means that Duo extends offline MFA capability to laptops and desktops, not just to servers.

As you’d expect, deployment and user self-enrollment for WinLogon Offline also follow Duo’s high standards for simplicity and ease of use. Administrators can choose which groups of users are allowed to use offline MFA.

Stay Tuned for More

In the next few weeks we will follow up with another blog post about how Duo with WinLogon Offline works. We’ll dive into the technology and unique design behind it, plus we’ll cover how to deploy and take best advantage of this great new feature.

<![CDATA[What is WebAuthn?]]> stevew@duosecurity.com(Steve Won) https://duo.com/blog/what-is-webauthn https://duo.com/blog/what-is-webauthn Industry News Wed, 29 Aug 2018 08:20:00 -0400

Authentication is evolving - and WebAuthn (Web Authentication) is what’s next. See the first blog post in this series, The History of Biometric Authentication to get an overview of how biometric authentication has evolved through innovations by major platform vendors Apple and Microsoft.

The Ecosystem

If we take a step back and think about biometric authentication as an ecosystem, we might frame it in the following way:

Biometric Authentication Ecosystem

Hardware is addressed two-fold:

  • Biometric sensors like fingerprint sensors or facial recognition systems
  • Secret storage processor like Secure Enclave Processors (SEP) or Trusted Platform Modules (TPM)

Platforms mean at the system level:

  • TouchID/FaceID and Fingerprint API on iOS and Android respectively
  • Windows Hello and TouchID on Windows and MacOS respectively

Open standards have been the missing piece. The web is built upon open frameworks that can be leveraged by third parties, and there hasn’t been a solution that can meet the heterogeneous uses for biometric authentication. And that’s where WebAuthn fits in.

Enter WebAuthn

WebAuthn is a browser-based API that allows for web applications to create strong, public key-based credentials for the purpose of user authentication. It was officially ratified by the W3C (World Wide Web Consortium) in April of this year, and we’ve seen tremendous movement and support by major browsers ever since. Mozilla Firefox was first with support for WebAuthn and Google added Chrome support just last month. Microsoft’s Edge browser is also expected to add support later this year.

Immediately, WebAuthn can be used to support Universal Second Factor (U2F) security keys. However, as laptops with biometric authenticators become increasingly ubiquitous in enterprise environments, it will be used primarily for biometric authentication.

WebAuthn will allow for web applications to trust a strong biometric authentication as a credential that is specific only to that service. No more shared passwords. And due to the aforementioned benefits of modern biometric authentication methods, this means that we now have a secure means to generate, store and utilize a credential whose attributes are unknown to the user and thus can’t be stolen and exploited. What we’re talking about is true passwordless authentication.
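The "credential that is specific only to that service" property comes from checks the web application (the relying party) performs on what the browser hands back, not from the browser alone. The block below is an added example, not Duo's code and not a complete WebAuthn verifier (signature verification with the stored public key and attestation are left out): it shows the two structures returned by navigator.credentials.get() and what the server must check in them, namely the clientDataJSON (type, challenge and origin must match what the server issued) and the authenticator data (RP ID hash, the user-present and user-verified flags that say whether a biometric or PIN was used, and the signature counter). The sample response is constructed by make_sample(); example.com is a placeholder relying party.

```python
"""Relying-party checks on a WebAuthn assertion.

Added example, not Duo's implementation and not a full verifier: the
signature over authenticatorData || SHA-256(clientDataJSON) is not checked
here, and attestation is out of scope. What is shown is the per-ceremony
challenge, origin and RP ID binding that stops a credential from being
used by another site, plus the UP/UV flags and counter.
All inputs are constructed; example.com is a placeholder RP.
"""
import base64
import hashlib
import json
import struct

FLAG_UP = 0x01   # user present (touched the key / confirmed the prompt)
FLAG_UV = 0x04   # user verified (biometric, PIN, ...)


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def parse_authenticator_data(auth_data):
    """rpIdHash (32 bytes) || flags (1) || signCount (4, big-endian) || ..."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def verify_client_data(client_data_json, expected_type, expected_challenge, expected_origin):
    """The browser fills clientDataJSON; the server checks it against what it issued."""
    data = json.loads(client_data_json)
    if data.get("type") != expected_type:
        raise ValueError(f"unexpected type {data.get('type')!r}")
    if b64url_decode(data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch: not the one issued for this ceremony")
    if data.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {data.get('origin')!r}")
    return data


def verify_assertion(client_data_json, auth_data, *, expected_challenge,
                     expected_origin, rp_id, require_user_verification, last_sign_count):
    verify_client_data(client_data_json, "webauthn.get", expected_challenge, expected_origin)
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not parsed["user_present"]:
        raise ValueError("user presence not asserted")
    if require_user_verification and not parsed["user_verified"]:
        raise ValueError("user verification required but UV flag not set")
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= last_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return parsed


def assertion_ok(*args, **kwargs):
    """(True, parsed) on success, (False, reason) on any failed check."""
    try:
        return True, verify_assertion(*args, **kwargs)
    except ValueError as exc:
        return False, str(exc)


def make_sample(challenge, rp_id, flags, sign_count, origin="https://example.com"):
    """Constructed clientDataJSON and authenticatorData standing in for a browser response."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data, auth_data


if __name__ == "__main__":
    challenge = bytes(range(32))   # server-generated, fresh for every ceremony
    cd, ad = make_sample(challenge, "example.com", FLAG_UP | FLAG_UV, 10)
    print(assertion_ok(cd, ad, expected_challenge=challenge,
                       expected_origin="https://example.com", rp_id="example.com",
                       require_user_verification=True, last_sign_count=9))
```

For the passwordless use the post describes, require_user_verification must be True on the server side: the UV flag is the only evidence the relying party has that a biometric or PIN was actually presented, and a response with only UP set means the authenticator merely confirmed presence.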

Leveraging WebAuthn for MFA

We are currently in the process of building support for WebAuthn as an authentication method. We have been privately beta testing U2F support in browsers beyond Chrome for the past month. What we’re truly excited about is leveraging WebAuthn as a bridge to passwordless authentication in the enterprise. We believe that user interactions for secure authentication will eventually collapse to built-in biometric solutions.

Customers will look to use WebAuthn because it will enable the most convenient and secure authentication method for end users - the device that they are already using - to validate that the user is who they say they are via a biometric.

Stay tuned for our next blog post in this series to find out How Duo Will Support WebAuthn.

<![CDATA[The History of Biometric Authentication]]> stevew@duosecurity.com(Steve Won) https://duo.com/blog/the-history-of-biometric-authentication https://duo.com/blog/the-history-of-biometric-authentication Product Updates Tue, 28 Aug 2018 08:20:00 -0400

At Duo, we’ve made multi-factor authentication (MFA) easy to deploy and use. We were the first to implement push-based MFA, and we’re also proud to say that we were first to support Universal Second Factor (U2F) security keys.

While we firmly believe that U2F is the best and most secure authentication method available for customers, we also know that adoption has been relatively slow. Even among our customer base, U2F is used by a small minority of customers. Internally, we jest that we ourselves are one of the top five users of U2F tokens among our 10,000+ customers.

Why is that the case? Well, in reality, it starts with the tokens. Our customers don’t want to manage hardware tokens. It’s the fundamental reason why they chose to go with Duo - because they want to get away from the security team becoming a de facto hardware fulfillment vendor. But we’re extremely bullish about the fundamental security properties of U2F, and we think that the biggest change in strong authentication is soon coming.

Five Years of Biometrics

Think back to five years ago when the iPhone 5S was announced and launched. It’s hard to remember now, but back then, biometrics just did not work. Although fingerprint sensors have been available since the late 90s and are somewhat commonly deployed on enterprise workstations, users rejected them.

They were riddled with inaccuracy, poor security properties and, most importantly, unreliability. They just didn’t work. Even on mobile devices, the Motorola Atrix was the first widely available consumer phone with a fingerprint sensor, but it used the same slow and unreliable swipe-style mechanism.

When the iPhone 5S launched, it came with TouchID - a simple fingerprint sensor built into the home button. Within six months, competitors in the Android ecosystem also delivered built-in biometrics, and a year later, Google made a native framework for biometric authentication available in the operating system.

Just five years later, it’s almost impossible to find a consumer smartphone without a built-in, strong and reliable biometric authenticator.

“It Just Works”

So how did Apple make this possible after over a decade of failures from other vendors bringing biometrics to endpoints?

First, there’s the user experience. Apple created a strong authentication experience...that was 10x better. There are apocryphal stories about how even Steve Jobs refused to use a passcode on his iPhone because he hated the UX. In fact, Apple Product Managers have spoken about how, according to their data, a minority of iPhone users chose to use PINs to protect their devices.

Once TouchID became available, Apple proudly touted that 89 percent of users chose to use biometrics on their device, which means better security for everybody. And why wouldn’t they? Users were already tapping the home button to unlock their device; Apple made sure to build its authenticator into the most natural place a user would put their thumb. On Android devices without a front-mounted home button, Google and Samsung settled on the back of the device, where the index finger naturally rests, as the ideal spot for the sensor.

Second is the technology to securely store keys. For years, fingerprint readers relied on software and drivers to enforce the biometric check, and that software could be tampered with. You could probably fill an entire day with Black Hat talks from the early 2000s about bypassing biometric authenticators via software.

What was missing was a tamper-resistant place to store and protect keys, and we’ve seen tremendous innovation in this area in the last half decade. Apple has built a Secure Enclave Processor (SEP) into the A-series processors that power its iPhones and iPads. Intel has shipped a firmware TPM (Platform Trust Technology) integrated into its Core-series platforms since around 2015, so a TPM no longer has to be a separate chip on the board. A TPM is, in Intel’s words, a “microcontroller that stores keys, passwords and digital certificates.”

What About Laptops?

Despite all the innovation on the mobile side, biometrics on laptops have not taken off as quickly. Windows Hello launched with Windows 10. It is a built-in framework that lets the operating system delegate authentication to biometric authenticators, companion devices or a device PIN. Windows Hello had a rocky launch, as laptop manufacturers balked at the cost of the infrared (IR) cameras Microsoft required for its face recognition, but in the last two years we’ve seen reliable fingerprint readers, similar to those used in mobile devices, deployed on enterprise laptops.

In early iterations there were some gaps in the security properties of the hardware, but since 2015 most new laptops have shipped with platforms that include a TPM, firmware-based or discrete, for secure secret storage.

Apple shipped TouchID on its MacBook Pro line starting in 2016, made possible by a separate security co-processor (the T1 chip, which contains a Secure Enclave) on those models, and we’ve seen a similar investment in the desktop line with the iMac Pro, although that device has no built-in biometric authenticator. Industry observers are particularly excited about bringing FaceID, which launched with the iPhone X, to future iterations of these devices as a biometric authenticator, enabling the “contextual computing” that science fiction has theorized for decades.

While biometrics are slowly becoming widely available in hardware and built into operating systems, adoption by enterprise applications and web services has been relatively slow. Mobile applications broadly support biometrics for authentication, but there’s a huge gap with web services. It’s clear why this hasn’t been an issue on mobile platforms: native applications have proven to be far better experiences on smaller screens. On laptops and desktops, though, web applications reign supreme; in fact, many newer enterprise “native” applications are effectively containerized web applications.

Stay tuned for our next blog post in this series to find out what the next step is for biometric authentication - What is WebAuthn?

<![CDATA[Available Now: Achieving Zero-Trust Security in Federal Agencies]]> ahickey@duo.com(Andrew Hickey) https://duo.com/blog/available-now-achieving-zero-trust-security-in-federal-agencies https://duo.com/blog/available-now-achieving-zero-trust-security-in-federal-agencies Industry News Thu, 23 Aug 2018 08:30:00 -0400

Federal IT modernization initiatives fueled by cloud and mobility have made it prime time for agencies to consider the shift to a zero-trust security model.

While the concept itself isn’t new – it’s actually more than a decade old – it’s risen in popularity recently due to Google’s BeyondCorp architecture, which is based on zero-trust principles.

In a zero-trust model, the access conversation shifts from traditional perimeter-based security and instead focuses on secure access to applications based on user identity, the trustworthiness of their device and the policies you set. The perimeter is now anywhere you make an access control decision.

For federal agencies to achieve zero trust, there are four underlying methods that can be coordinated: continuous authentication, device assessments, user controls and application access. In our new ebook, Achieving Zero-Trust Security in Federal Agencies we examine each of them.

Achieving Zero-Trust Security in Federal Agencies

In this ebook you’ll learn:

  • Why verifying user trust through continuous authentication is step one on the path to zero trust
  • How agencies can overcome the challenge of bring your own device (BYOD) with device assessments and visibility
  • The benefits of setting access policies based on user roles
  • How to ensure secure access to all applications – cloud and on-premises – with a zero-trust model

For federal agencies, transitioning away from perimeter-based security and adopting a zero-trust model can accelerate IT modernization efforts. Download Achieving Zero-Trust Security in Federal Agencies now and learn how.

<![CDATA[Spoofed Domains Target U.S. Senate and Political Organizations]]> thu@duosecurity.com(Thu Pham) https://duo.com/blog/spoofed-domains-target-us-senate-and-political-organizations https://duo.com/blog/spoofed-domains-target-us-senate-and-political-organizations Industry News Wed, 22 Aug 2018 08:20:00 -0400

In a blog post by Microsoft's president, the company identified six spoofed domain names created by the hacking group Fancy Bear (also referred to as Strontium or APT28).

Who Are They Targeting?

The domains mimic the websites of political think tanks and nonprofits, such as the Hudson Institute and the International Republican Institute.

Three others appear to imitate the U.S. Senate's email and Active Directory Federation Services (AD FS), the federated identity service that handles user sign-in and authentication. Another could be mistaken for Microsoft's own OneDrive, the cloud-based file storage service in Office 365.

Microsoft has executed a court order to take control of the domains. While it hasn't identified an actual attack using them yet, it has expressed concern about the recent activity targeting political groups and elected officials.

What Are the Threats?

Spoofed sites can present a number of threats to politicians or any user visiting the fake domains.

  • Drive-by download. Simply by visiting a malicious site, a user could unintentionally download malware onto their computer. With the help of an exploit kit hosted on the site, attackers can run code that checks your operating system, web browser, plugins, etc. for vulnerabilities before launching malware.
  • Credential or other data theft. For example, with sites pretending to be email, single sign-on or cloud-based file systems associated with the U.S. Senate, attackers could create a convincing login form that steals Senators' credentials - and gives attackers access to accounts protected only by a password.

Protecting Accounts

Installing the latest security updates can help political officials and organizations make their systems more secure and protected against vulnerabilities and potential malware infection.

Half the battle is getting visibility into which devices are out of date - as well as which devices are actually connecting to your network, applications and data.

Duo's Device Insight and Trusted Endpoints give you visibility into mobile devices, laptops and desktops, and let you define and manage access to applications with device access policies. That way, you don't allow risky or potentially compromised devices to access your resources.

Using multi-factor authentication on every account login, from email to single sign-on (SSO) to AD FS, also blunts credential theft and brute-force password attacks, since a stolen password alone is no longer enough to get in.

Learn more about Duo + Microsoft, including how to protect access to both on-premises and cloud-based Microsoft applications, securely migrate to the Microsoft cloud with native integrations, protect your Exchange and Office 365 accounts and more.