"Cisco pushes the Zero Trust envelope the right way" — The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers Q3, 2020

Back in 2010, Duo Security’s co-founders Dug Song and Jonathan Oberheide set out to make cybersecurity stronger, easier, faster and accessible to all. Essentially, Duo’s mission was to democratize security

From the start, the principles of zero trust were baked into Duo’s core product, multi-factor authentication (MFA) and our ethos. Our goal was to secure how users and devices access applications — which is the foundational cornerstone of what became zero-trust security.

Fast forward eight years, and Cisco acquired Duo to add a key component to its growing zero-trust security strategy. Cisco’s idea was to build out a holistic zero-trust framework to help customers easily and cost-effectively achieve zero-trust security in their organizations.

The resulting Cisco Zero Trust platform has earned Cisco the designation of a zero-trust leader in The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q3 2020.

Forrester gave Cisco the highest scores possible in the report in the criteria of ZTX vision and strategy, market approach, ZTX advocacy and the future state of zero-trust infrastructure.

Achieving Zero Trust With Cisco

Cisco Zero Trust gives our customers a comprehensive approach to securing all access across any applications and environment, from any user, device and location. Security is not a one-size-fits-all proposition, even within the same enterprise environment.

When approaching security using the zero-trust model, it is easier to break adoption down into three pillars: the workforce, workload, and workplace.

Cisco Zero Trust for the Workforce

Your workforce comprises the users and devices accessing applications and services. The easiest entry point for a zero-trust security model is to secure your workforce and their credentials. Homeland security recommends MFA to protect the most sensitive systems because MFA has been proven to prevent stolen credentials 99.9% of the time, according to ZDNet.com.

Cisco Zero Trust delivers solutions that establish trust in users and their devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application and are tailored to your unique organizational structure.

Protecting the Workforce With Duo

The Duo solution is pivotal to securing this workforce in the Cisco Zero Trust story. As a part of Cisco, Duo has continued its mission to democratize security and provide the balance between security and usability. New features like Duo Mobile instant restore, expanded WebAuthn support, and improvements to user sync make it easier to verify trust in users accessing systems.

We’ve also improved the way that users can access applications through enhancements in our policy engine, providing modern remote access, and a cloud-native SSO (single sign-on) solution. Another addition, Duo Trust Monitor, tracks and reports on anomalous user behaviour, helping organizations continuously verify that repeated access attempts can still be trusted.

Duo further demonstrates our commitment to verifying trust in devices with our release of the Duo Device Health App and expanding our Trusted Endpoint ecosystem with more integrations like Microsoft Intune. Cisco achieved the highest score possible in the device security criterion, we feel this validates the investments that have been made in this area.

Duo + Cisco: Better Together

Duo has been working diligently within Cisco to deepen our integrations across the portfolio. Through our integration with Cisco Secure Endpoints (AMP) we can leverage the solution's ever-evolving knowledge of threats and compromises to enable Duo to automatically block access to any Duo protected application from an endpoint that has an active compromise. To simplify and streamline deployments our integrations with Meraki Systems Manager (SM) provide secure, cloud-based endpoint control and provisioning to ensure that Duo Security is delivered and configured easily with security established before the first use. Integrations across solutions like Duo and Secure Network Access and Secure VPN allow us to bridge the connection between the workforce and the workplace and provide deeper and more streamlined layers of security. We believe Forrester recognized these efforts as well.

"The Duo Security offering has been fully integrated into the Zero Trust focused Cisco Zero Trust portfolio approach for the Workforce, Workplace, and Workload (WWW)." — The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers Q3, 2020

Paving the Way for the Future of Zero Trust

At Cisco and at Duo, we aim to shape the future of cybersecurity. Members of our team are involved in workgroups such as the FIDO Alliance, developing standards for WebAuthn, and the committee that worked to define NIST’s SP 800-207: Zero Trust Architecture (ZTA) guidance.

We aren't done yet! We have big plans. The mission to democratize security is ongoing. We think there is a reason Forrester gave us the top score possible in the future state of zero trust infrastructure criterion. Stay tuned.

Check out the full The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers Q3, 2020 report now and learn more.

Try Duo For Free

With our free 30-day trial you can see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer, Account Executive etc. at Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo? 

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Field Marketing Manager, Laura O’Melia to learn about what she does and her experience at Duo. 

Laura O'Melia

Employee Name: Laura O'Melia

Title / Department / Office Location

Field Marketing Manager / Austin, TX

How long have you been at Duo, and what do you do here?

I joined Duo in April 2017. I have an assigned territory and am responsible for lead generation from events. I decide what events are a good match for us.

What's your day-to-day like at Duo?

No day is ever the same, and I love that about my role. I spend time meeting with vendors to learn about different events and sponsorship opportunities. Depending on where I am in the planning phase for a particular event, I might work on deciding what the best content is to take to an event and what our overall messaging will be, which handouts will resonate best with the audience or what videos to display in our booth. I attend team meetings with sales to present on marketing campaigns, share results, and understand what their priorities are so we can align marketing programs to help achieve our goals. I travel about 30% to attend events so those days start early with setting up our space, working the event and end late after tear-down happens and networking with new friends.

What tools do you use to help you do your job? 

I use a handful of tools in my day-to-day to perform in my role. BrandFolder is our content repository of Duo Brand Assets, customer facing documents, images, and other resources I use when planning events. I live in Google Drive, that is where my planning folders, checklists, and notes for everything lives. When collaborating with my Cisco teammates, we use SmartSheets and Office 365. Salesforce of course for tracking my campaigns, leads, and pipeline results along with some dashboards and reports to give me insights and metrics into my campaigns. Slack and WebEx Teams for collaborating with team members. Another tool that the Marketing team relies on for project management and tracking requests for special projects is Wrike. Having the right tools that work together makes the work we do more seamless and efficient. I am so thankful to have access to great tools that help me get my job done.

How do you and your team collaborate with other teams within Duo?

To be effective, it is imperative that we work with other teams across the business. Customer facing events require a team effort. We have a regular cadence in place to request speakers as we often need them to keynote or take part in a panel at an event. The Field Marketing team along with the Demand Gen and Marketing Operations team meet regularly to sync on processes, share any changes or updates, and brainstorm on ways we can improve. I have found that at Duo everyone is more than willing to help out and learn together, so something as simple as sitting in the break room to chat about something or going to get coffee is a fun and easy way to work together to overcome any challenge.

How did you get your job at Duo?

I had worked in technology for large and small companies, but never a medium-sized start up, like Duo. A friend mentioned Duo to me and a quick LinkedIn search revealed that someone I used to work with was a Solutions Engineer at Duo. I reached out to him to see how he liked it, to learn more about the company, and if there were any open roles they were hiring for that I would be a fit for. The more I spoke with my recruiter and met the team, I knew this was the place for me. Everything I learned made me more excited for the opportunity and I’m so happy to be here, doing work I love with amazingly smart people.

What is the first thing you do when you come into the office? 

Prior to the pandemic, I would say hi to our friendly lobby ambassador who is always there when I step off the elevator.  I put my bag down and head to the kitchen where the cold brew is on tap. At my desk I review my to-do list, identify if there are any frogs I need to eat first then get to work. 

Any big projects or goals you're currently working on?

Duo is expanding internationally, and I am working on moving to Sydney, Australia for a two-year long term assignment. I’ve been building new relationships with vendors, partners, customers, and sellers in ANZ (Australia and New Zealand) and producing virtual events for our customers and prospects down under. I’ve been reading more Australian news and keeping up with the state of cybersecurity over there. Looking forward to actually being in region, when it is safe to travel again and doing live events for customers. 

What’s an important lesson you’ve learned while working at Duo?

Try new things, think outside of the box, and don’t be afraid of failing. I am a big believer in failing fast and failing often, but fail forward. Sometimes it will be the wrong decision, but you won’t know unless you try. Trying something new could just be the missing piece to helping you grow exponentially. To truly live up to our value of "Engineer the Business"  — risks and failures are inevitable. Knowing that failure is a stepping stone to success helps me to keep going and looking for new ways to be better.

How is Duo different than other places you've worked?

Everyone at Duo is happy to show up to work and brings their full "real" selves with them. We are one big (and growing) family that celebrate together, respect each other, and wants the best for everyone. It is not common to hear complaining or negative attitudes, which makes for a great work environment.

How is your role at Duo different from roles you've had with other companies?

I feel that our team dynamic is strong and continuing to get stronger every day. Rather than working in silos and trying to do everything on our own, we have a well-rounded team of people with different strengths. We leverage everyone on the team to do our roles successfully. I have support from other facets of the marketing team that are all critical in helping me achieve what I need to do. I have never had this much support in working in tandem with others as I have now.

What would you tell someone considering a role at Duo?

This is a special place filled with passionate people. A good book to read that describes the culture here well is “The Ideal Team Player” by Patrick Lencioni. If you are ready to be part of a team that works hard, has fun, and learns together, Duo is a great place.

####

We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

In Customer Success, we help customers get the most from Duo, which means getting to security fast, integrating Duo with all sorts of applications, and enabling a smooth end user and admin experience. I have been a Senior Customer Success Manager at Duo in the UK for two years and have had most customers ask me for advice on how to best deploy Duo. There is a method to the madness and in the blog I will lay out the three top best practices for deploying Duo. 

Duo Care is hands-on help throughout the Duo deployment and once established, your Duo Care team will highlight any new features that are coming out with the opportunity to join a private preview or an active development program. On an ongoing basis, your Duo Care team will run through security health checks and account reviews with you. You can regard us as an extension of your team, there for you with continued guidance through the changing security landscape. 

Answers to the Top 3 Customer Questions on Deploying Duo

Let’s look at the three questions that we hear from customers and break them down below: 

1. Is My Timeline for Deploying Duo Realistic?

After a customer purchases Duo and Duo Care, they usually have an idea how long it might take to deploy Duo based on previous solutions they have rolled out or based on change control processes they have in place. 

I’ve worked with a government customer who recently asked if rolling Duo out to a few hundred users in six months was realistic. 

Previously, our teams have enabled customers to roll out Duo over a weekend to thousands of users in a breach situation.

More recently, we have rolled out Duo with shortened timelines due to the recent pandemic for customers and loads of new remote workers who need secure access. 

My standard answer to this question is that we can run or walk as fast as the customer needs. We have experience with all situations and can share recommendations based  on previous experience in that sector. 

2. What Factors Should You Take Into Consideration When Choosing Which Applications to Start With During Deployment?

Usually, I recommend starting with a risk assessment to the business and user groups and the most commonly used and applications with sensitive data like Microsoft O365.  

During a kick-off meeting with the customer, we will run through the customer’s specific situation and define the goals of phase 1 of the roll-out: which applications (sequential or at the same time), go-live dates, user numbers, etc. together as well as metrics to hit. Depending on the technical resources available and the specific customer context (breach, compliance requirement) the top priorities may change. 

The CSE (customer success engineer) is the technical expert who will work on the various technical integrations that can all be found in our documentation laid out here. 

3. Why Is End-User Communication Such an Important Element to the Duo Deployment?

As creatures of habit, changing any bit of the daily end user workflow may be met with resistance initially. Asking for any modification to the way someone starts their work day with their login process and coffee or tea requires succinct communication. We suggest that the user guide and the end user communication templates are used as they help explain to the end user why the change is coming, what is required of him/her and when.

As a Customer Success Manager, I work closely with the customer’s communications department to advise how to best reach the various end users. (Hint: it may not always be email and we may have to get creative with posters in warehouses).

In addition, Customer Success can point you to the most relevant bits in a wealth of marketing resources we have available, such as the customer deployment kit or security education, or other customer’s intranet pages with FAQs and enrollment tips.

Our Duo Care team is on hand to help tailor the messaging and work on a communication strategy as this is key for a successful deployment. When a deployment is done well, the impact on the Help Desk will be low. At Duo, we pride ourselves that our technology is drop-dead simple to use and Duo Care enables you to work through complex IT environments, challenges of advanced deployments, and limited resources while ensuring speed to security.

If you’re interested in Duo Care and would like to learn more, click here Duo Care. If you’d like to learn more, please speak to your Duo or Cisco Account Executive. 

Try Duo For Free

Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust. 

Years ago I remember sitting in a cramped musty basement office surrounded by a curious array of computers, servers and old monitors. I was sipping tepid coffee and staring at a flickering CRT monitor that was slowly draining my joie de vivre. While to the external viewer this would have seemed depressing as an Eastern European art film, this was a challenging project. I was in the process of building a reverse proxy. Why? Because my boss thought it would be a neat project. There was no business case at the time. But that planted a seed in my mind that stuck with me ever since. 

If we think of Zero Trust as a journey, protecting cloud apps is a relatively easy first step. The real headaches come when dealing with those tricky applications that are on-premises or homegrown. How about remote access to servers? What type of access is given to contractors? The move to remote work has brought those challenges front and center for a lot of us. 

Flash forward to today and I find myself talking to customers around the world and drawing on that experience in the basement..Historically there has been a bent towards a fortified perimeter with guards on the castle walls but, if we’re being honest with ourselves, that is a depreciated and risky notion. 

The Remote Workforce is Everywhere

How do we secure internally-hosted applications and servers accessed by remote workers and contractors as well as we do our SaaS applications? Remote access is often painful and slows productivity or runs the risk of giving too much access to the wrong users. The modern perimeter is now anywhere an access decision is being made. 

Would it not make more sense to get a firm grasp on where and how those access decisions are being made? Case in point is that you would not want me sitting at a coffee shop in Toronto with the ability to log directly into your customer database or email solution simply because I knew the password. There is nothing to validate that I am in fact supposed to be there in the first place. A reverse proxy will sit inline to validate my credentials leveraging MFA to ensure I didn’t just have a lucky guess.

The Duo Network Gateway Secures Applications Remotely

Enter the Duo Network Gateway, or more succinctly, the DNG. It provides organizations with the ability to secure access to applications that you need in order to ensure that the lights stay on and your business can continue to operate. It allows you as an IT or security professional to control the users and devices that access these applications. 

To be able to better control access to your internal resources such as Jira or Splunk, as well as cloud delivered applications such as Outlook 365, Salesforce.  It even secures SSH connections allowing you to sleep at night knowing that the risk to your enterprise is being addressed. 

How the Duo Network Gateway Works

To better connect the dots we can use this example: users would first authenticate to the Duo Network Gateway and then they would need to approve a two-factor authentication request prior to accessing your enterprise protected services. Session awareness helps to minimize the need for repeated MFA prompts as users access additional services and hosts via your gateway.

When DNG is coupled with Duo’s Policies and Trusted Endpoints it helps to obviate the need to rely on passwords alone. Passwords, in their own right, have long outlived their usefulness. The analogy of leaving a key under the doormat springs to mind. If a passerby happened to discover your key beneath the mat they would be able to access the house. This does not mean that they are supposed to be there. Now when you apply this to the enterprise in the guise of an attacker with access to a legitimate password it helps to drive home the need to reduce the attack surface. 

Streamlining the access control to enterprise assets will help reduce risk to the company and reduce costs. For every password reset that needs to be dealt with there is a cost involved. With multi-factor authentication and a DNG at your disposal this cost will come down. 

That cost savings comes from reducing password resets will be replaced by the ability of users to self manage. The reduced number of authentications will streamline work for users who will need to authenticate once to the DNG to access the applications that they need in order to get their jobs done.

Reduction in risk. Reduction in costs. Improvement in sleep. What’s not to love? 

Try Duo For Free

Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust. 

More and more people have been working from home since the onset of the pandemic. While there are tons of resources on getting started working remotely, how to succeed in an office job without an office, and how to set up your new space at home, what about starting a new job altogether? How can you succeed with a brand new job without the resources of being in an office? 

Starting a new job is always hard, but imagine starting in a pandemic?

At Duo, we’ve been lucky to add amazing humans to our team since March when we began working from home. We knew we needed to bring our Kinder Than Necessary value to the center to help our newest team members succeed in this environment. And those folks have been succeeding!

And, our team keeps growing. Our team has grown by 21% since March. So we have some insight to share from the dozens of people who have only ever had their job at Duo remotely. 

Remote Work Goal Setting

Starting a new job is always going to be awkward because you don’t know what to do. One of your very first priorities, remote or not, should be to set a role-based goal. A role-based goal takes something you’ll be expected to do in your daily role and adds a due date for when you’ll be able to do it alone. It’s especially important when remote, as it will give you focus, direction, and priority as you learn about your new company. 

There is absolutely always a lot to learn. But don’t assume that your company will give you something specific to work toward. Nearly 60% of companies fail to set milestones or goals for their new employees. On top of that, 22% of employers don’t have a formalized onboarding plan. Folks can take control of those stats by setting a specific goal themselves.

While I work diligently to support new Duonauts with role-based goals from the start, I actually didn’t have one when I started. If you end up in this spot, I have some advice for you. Here is what I did — I spent the first 3 weeks really learning what I was supposed to do. Fundamentally, I’m a teach for Duo, so I had to learn all the things about Duo, then teach a full cycle on it. That was a lot. So I estimated what the most basic version of that was. For me, that was teaching a specific session within the full teaching cycle. I decided to do it by my 90 day mark. Then, I found someone who was already teaching to help guide me. Then, I told my manager. I told my team. And then I wrote it down.

Write down your goal. We know that folks who write down their goals are 33% more successful. Even if you are part of the few who get both a formalized onboarding plan and role-based goals (like new Duonauts), we still encourage you to write your own goal down. Vet your goal with an in-company mentor or new coworker, and then get working on it! Success in your role will help give you purpose and fulfillment while working remotely.

Making Friends While Working Remote 

We know that people with friends at work are happier, but how do you make friends when you won’t be really “meeting” anyone? Once you figure out how your company communicates, show up. It might feel weird, but just show up - yes, virtually. Comment in threads. Video-on in meetings. Attend optional events. Use your newness to your advantage and ask for a get to know you chat. And let’s level set - it’s not weird.

First, studies show - people like you more than you think they do. You are probably underestimating how much people want to talk to you. But what’s really important is the mere exposure effect. For the most part, folks like people more the more that they’re around. Since your face won’t be at the water cooler or coffee pot, show up online.

At Duo, we use chat and WebEx. Ways to show up there include engaging in online chat conversations, joining optional channels, emoji-respond to comments. Many companies (including ours!) have used apps like Donut to encourage cross-team conversations. Take advantage of what your new company has to offer. And, keep your videos on during calls as often as possible. Creating friendships in this way will help you feel more connected to your company and new role.

Creating Long Term Success While Working Remote 

But you can’t show up all the time. New employees tend to want to do their absolute best. In an office-based world, the boundaries for “doing your best” were a little clearer. At some point, you had to go home. But now? It’s not quite as clear when the day starts and when the day ends. And for new hires looking to really stand out and shine, the lure to just do one more thing can quickly become working longer and longer days than you should.

And that lure can be even stronger for folks who have found jobs and careers that they love. But the risk is higher too. The thing is, people in purpose-driven work are more likely to experience burnout. A Canadian study found that employees driven by purpose are significantly more stressed and score lower in well-being. And, to top it all off, remote workers tend to experience higher rates of burnout too. It’s not all bad news though - since we’re at the very beginning of our time with an organization, we’ll be able to start this new role off with some healthy boundaries.

If you’re starting a whole new job remote, it’s okay to you should have a candid conversation with your manager about what working remote means for the organization and for your role in particular. Be prepared to acknowledge what you might need to change, or to ask for more time to think about how you can succeed. Ask your manager explicitly what you can do to stand out, make an impact, or achieve your goals more quickly - chances are they won’t say “work 14 hour days.” 

Our team members have had the most success by having general boundaries for their first 3 weeks while they learn about the company (e.g. start time, break times, email response times), and then reaffirming and solidifying their long-term boundaries at around the 1 month mark. At this point, they know more about the company and the role, and can make an informed decision about how they can engage longer term.

Adapting to Remote Work & Growing Your Career

You can still think long-term, make friends, and be successful in your new role - even though you’ll be starting remotely. Chances are that either your company has had a long-term plan for remote work (awesome!) or, they’re learning about this remote-only world right alongside you. 

The struggle of starting from scratch, learning new systems, and imposter syndrome are likely to creep in. Just remember that those growing pains would happen in-person too. And most importantly for starting a new gig - remote or in-person - remember that they chose you! Remember that your team, manager, and company are invested in you succeeding! 

Looking for a team that’s invested in you? Duo is hiring! 

See the video at the blog post.

Earlier this year, Duo announced a public preview of our new feature Duo Trust Monitor. As an access security company, we have a unique perspective into the ways users and devices connect to corporate applications. By leveraging these data and Duo's unique insight into devices, users and context when accessing applications, Trust Monitor can quickly surface actionable anomalies which make your business more secure without having to invest in your own machine learning program.

Traditionally, a customer would have to review or export raw authentication logs in search of strange behavior, a time-consuming and sometimes pointless exercise. We developed  Trust Monitor to shorten the time customers spend sorting through logs, while simultaneously highlighting suspicious logins automatically. The goal being to help customers find and remediate access threats early.

Getting Customer Feedback

Before officially launching any new feature at Duo, we preview it with current customers. So far, the feedback from customers in our public preview has been positive. In fact, we’ve had a variety of customers cite the risky logins highlighted by Duo Trust Monitor as directly illuminating a compromised credential threat. Once discovered, security teams quickly and effectively rectified the situations.

However, the point of a public preview is also to garner constructive criticism. 

Customers Want Programmatic Access to Risky Login Data

One piece of feedback we heard time and again was that the risky login events would be more useful if leveraged within a more central security tool. For example, a large hospital system in the Southeast told us that they wanted to see these events within the context of our whole environment and that context was in their SIEM tool. 

Furthermore, a consulting firm noted that while the risky login events were valuable, they felt that they didn’t want their threat intelligence team swiveling between Duo and their other tools.

To get more concrete, an export tool would be okay, but not enough. To really simplify the set-up and use of our new Trust Monitor, many companies wanted programmatic access to the anomalous events via API. A financial services firm noted that setting up an automated connection to get the Duo context to their Security Operations Center (SOC) would both save time and provide valuable context to their security team in the short and long term.

You Asked, We Listened: Introducing New Trust Monitor API Endpoint

Customer feedback is important to us at Duo. We’re constantly striving to improve our tools to meet the needs of our customers. In this case, the feedback provided in the public preview directly influenced our roadmap. Today, we’re happy to announce that the Trust Monitor feature will have an API endpoint that will enable companies to programmatically ingest suspicious access logs from Duo into other security applications. The functionality has been added within our Admin API, which many customers are already familiar with. 

When Can I Use Duo Trust Monitor and Its API Endpoint?

When Duo Trust Monitor becomes officially available later this fall, customers using the feature will not only see anomalous login activity highlighted in their Duo Admin Panel, but they’ll be able to GET relevant event information programmatically for additional analysis. 

In the first version of the API, events and supporting information like timestamps and risk explanations(i.e. new access device or unusual access IP) will be available. This way the new Trust Monitor events can be consumed in the way that suits each customer best - either directly in Duo or in another application.

We’re excited to be able to include this capability in our new feature - especially as it originated directly from customer feedback. While Duo Trust Monitor is still in Public Preview, the new API functionality is now available for customers in the preview. 

If you’d like to gain early access, please reach out to your Duo representative or contact support. As a final note, Duo Trust Monitor will be released more broadly later this fall  and official documentation will be available both for the feature and the new API functionality at that time.

Try Duo For Free

With our free 30-day trial you can see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Dear iFrame,

It’s hard to say this, but we need to break up.

It’s not you. It’s us. (Well, it is sort of you.)

We've been through a lot together. When Duo first launched our industry-transforming authentication prompt, you delivered secure end-user authentication to applications at companies big and small. You helped keep our customers safe! You weren't obtrusive. Most of the time, you just worked.

But things have changed.

Recently, we announced our Universal Prompt Project, a major technical and UX redesign of core Duo functionality, focusing on our authentication prompt.

This project isn't just a superficial change — though our new Universal Prompt is beautiful. The underlying technology required to deliver the new authentication experience needs to be reworked. And reworked without you.

All that being said, we can’t quit you outright. The current prompt will remain available and fully supported as we build out the new authentication experience, but we are heading for the door.

We see a future where iFrames lose browser support because you’re commonly affiliated with advertising. And to be frank, we also see that modern authentication standards like U2F and WebAuthn look at you skeptically — if they’ll allow you to call them at all.

Finally, your inconsistency when it comes to third-party cookie support across browsers makes it difficult to build reliable functionality with you.

So now that we’re breaking up, where are we headed next?

To start, we’re launching new Developer Tooling to enable an authentication flow without the iFrame. It may seem harsh, but it’s for the best. There are benefits for our customers and technology partners that come with this breakup.

For example, we’ve decided to adopt a new URL redirect flow that’s built on OIDC. By moving to a redirect model where Duo hosts the interim URL, the new tooling strengthens hostname security. As a note, OIDC is often associated with primary authentication, it’s also a suitable and effective way to deliver MFA. We’ll be expanding on why we chose OIDC in an upcoming post.

The new authentication flow provides out-of-the box benefits

For one, leveraging the new authentication flow allows partners to glean more contextual authentication information from Duo during the MFA process. While traditionally, applications were only provided whether the MFA check was successful or not, with the new tooling, we are providing additional contextual authentication data at time of access including attributes about the access and MFA device.

Additionally, the new tooling includes a dedicated Duo service check so that any partner can check the availability of the Duo service before delivering second-factor authentication to an end user. While the Duo service is incredibly reliable, in cases where the service is unavailable, app developers can now choose how to react — perhaps failing open or failing closed depending on the circumstance.

Finally, to come full circle, the new tooling enables our new Universal Prompt experience, which will be available only to integrations using these new tools. Enabling the Universal Prompt will provide a smoother, simpler, more secure authentication experience for all users — a prospect worth considering.

Introducing OIDC and WebSDK

Thus, today we are announcing two new pieces of functionality for developers that will enable customers and partners to add strong two-factor authentication to applications.

• OIDC standards-based Auth API
• WebSDK 4 Client Libraries

The OIDC standards-based Authentication API will allow customers and partners to build MFA support into their applications. Customers and partners with applications that support OIDC can directly utilize the API to implement two-factor authentication.

The WebSDK 4 Client Libraries make development as easy and simple as possible. Duo has developed open-source clients to make handling the OAuth authentication for you. This is the Duo-preferred way to implement two-factor authentication support for your application. Duo currently has Python and Java Clients available. 

The WebSDK 4.0 and OIDC standards-based Auth API are still in private preview, but if you’re interested in using the new tools, fill out this form.

If you would like to request support for other programming languages, please contact support to submit a feature request at support@duosecurity.com. We are adding support for additional languages based on customer requests.

And remember oh sweet, sweet iFrame, we’ll always care about you.

Try Duo For Free

With our free 30-day trial you can see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

I have two wonderful, intelligent, strong-willed and outspoken children. I wouldn't trade them for the world. Some days when I think I have finally figured them out and can speak their language they promptly inform me that I am already outdated and ‘that was so last week.’ The struggle is real my friends. 

Sometimes I feel like trying to keep up with the latest memes, trends and viral videos so that I can relate to them is like keeping up with the latest and greatest in InfoSec.  As soon as I have a grasp on the latest threats, security strategies and tactics, the industry has pivoted onto the next new shiny thing, often before we have even really fully realized the last thing.

The Next Best Thing

The one thing that is constant, is that our world is constantly evolving and changing. Innovation in technology is both exciting and exhausting. It seems like the tools, equipment and practices that we have integrated into our daily operations are outdated almost the moment they are put in place.

Consumer technology like mobile devices and gaming systems are great examples of this. Every year there is a new model offering bigger and better things. I recently had this discussion with my teen who wanted a new phone (there is nothing wrong with the old phone), the new phone was cooler and had a better selfie camera for Snapchat and Instagram. The pace of new shiny thing output is honestly dizzying and poses unique challenges for whether you are a parent or a security practitioner. 

Security teams have such a myriad of responsibilities, tools, and processes to keep track of, how in the world can they keep up and adopt new strategies and solutions at the rate and pace they are announced?

Unless there has been a major security event, why are they expected to pivot and change as rapidly as the most viral video or meme? Security is not a trend, it is a practice. The goal, keep the organization safe from threats and make sure the business can run.

Zero Trust is No Longer Hype

I had a discussion the other day and the comment was made that 'Zero Trust is last year's buzz word, the industry is onto something new now.. 

Let me be clear, this is a dear friend who is an outside purveyor of InfoSec not a practitioner. But it struck me.Zero Trust, though it has many names since the early 2000s, is a philosophy and strategic approach that at its core is centered around verifying trust in the connections being made to systems and resources. How in the world can the notion of establishing trust be a fad or a trend? 

Zero Trust is Important for Remote Worker Security

The buzz word might be dying. But the use cases enabled by Zero Trust have never been more relevant. Take for example the trend towards an increase in remote work. Now more than ever we need to make sure that we can trust the users and devices connecting to our applications and networks. 

We need to make sure protections are in place for the workforce, workplace and workloads. Using tools like multifactor authentication, endpoint security, micro-segmentation, and network security.

Let's face it, our infrastructures are a hodge-podge of technologies, legacy investments, critical hardware components and tools that are built into the fabric of our operations. It is no small feat to lift and shift. This to me the real beauty behind a zero-trust strategy. It provides the ability to adopt the latest and greatest while still protecting those investments.

The best zero trust providers will have solutions that support what you have while building in security to ease the adoption of the new tools and technologies enabling a digital transformation.

What's New and What's Next

But I get it. If I've learned anything from my children, and being in InfoSec for as long as I have,  we are always on the lookout for what's new and what's next. We have to evolve our approach. I argue that Zero Trust isn't tired even if it isn't getting the same market buzz as it has in the past.

The amazing thing is that it is a security practice that can constantly evolve both with your organization and the industry. If you look at the most recent buzz words circulating — Secure Access Service Edge (SASE), Zero Trust Network Access (ZTNA), Passwordless — all of these play a part in establishing trust at different levels, in various areas of your organization. What excites me about the latest and greatest is that they focus on the same things. The greatest approaches remove the barriers of security, without removing the security.

Now excuse me while I go argue that we can't buy the new PlayStation because our hardware can't support it, and it doesn't support our existing investment in games and accessories with my teenager. Wish me luck!

Learn More

If you want to learn more about how Duo can support the realization of zero trust in your environment check out our white paper and learn more. 

Try Duo For Free

Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust. 

It has returned again, but this year the idea of ‘back to school’ has taken on an entirely different approach. I used to remember the long walk to school on the first day of the year. There was often a chill in the air (or maybe it was just my dread). Either way that walk always seemed like the longest 10 minutes of my life. It would not be until years later when I would return to work on my masters degree from the comfort of my sofa that I would fully appreciate the technology-driven changes that occurred in education. 

To be fair, I started my grad program in the ‘before times’ when things were not flipped on their heads. So while I had a bit of a head start, this school year is entirely different for many returning students. Many will be taking their classes remotely. Security will be of paramount importance, even if students themselves don’t realize it. The venerable password offers cold comfort when being brandished as a security control. The key left under the doormat or in a plastic rock in the garden doesn’t dissuade an attacker, nor would a password if an attacker managed to access it. 

Watching my son, who is going into grade one, point out that he can guess his friend’s password is a perfect example of why this isn’t a security control. Improving access control to ensure the integrity of a student’s work and the safety of their personal information is key.

Multi-factor authentication (MFA) helps to greatly reduce the risk. There are multiple ways that this can be achieved. Using Push technology, biometric authentication, U2F, wearable technology and so on will push the security controls forward. One day leveraging such things as the W3C’s WebAuthn open standard will guide us towards a passwordless future. 

For the meantime, we need to do better than passwords. We need to ensure that data is encrypted in flight and at rest. We need to be ready. This school year marks a huge shift in the way education is delivered to students around the world. As security practitioners, it is incumbent upon us to be able to provide a safe and secure environment for children and adults alike to take their classes. 

When we look at the new schools that have joined Duo as a customer to help in their zero-trust journey we notice a 20% increase in customers in the last five months alone.

This gives me a moment of pause as I realize just how seriously higher education is taking the remote student experience. The democratization of security is all about making it easier for the students to attend their classes without having to worry about how to puzzle out an overly complicated set of tools. A good first step is security and a zero-trust philosophy. 

This school year is a strange new animal. When I joined my first graduate class this time last year I was pleasantly surprised to be greeted by the Duo login. I was happy to see that my school was taking security of my program seriously, and seeing the numbers of educational institutions signing up just in the last few months gives me great confidence that the students will be secure in their programs. However, I won’t be able to help students navigate just how to leave an apple on the teacher’s desk.

Try Duo For Free

Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust. 

I’m sorry, do I know you? A typical query that people may ask when confronted by an unknown person who walks up abruptly and starts asking them questions. Oddly though, this sort of response does not happen in many network environments.

When someone plugs in their laptop from home and attaches it to the network, more often than not they can get an IP address from the DHCP server. A troublesome prospect. 

There was a time where a security practitioner might wander through the office seeking out rogue access points or mobile drives attached to computers. Some security practitioners would even go so far as to pour epoxy into USB ports on laptops and desktops in a bid to avoid data exfiltration. 

While some would hunt for rogue access points, oddly enough there was rarely a story shared where someone found a personal laptop attached to the network via visual inspection. Even if there were many of these stories it would not be something that would scale by any measure. 

Rogue wifi access points were very simple to identify. They would stand out like a sore thumb.

As a result this was a story that we would hear shared a lot. 

But if someone brought in a personal device such as a Thinkpad or MacBook it would rarely be given a second glance. This sort of visual inspection would offer little comfort for securing the environment. Device trust is paramount in a corporate environment. More so now with so many knowledge workers being distributed at their homes around the world. There is a real necessity to be able to verify the devices that are attaching to your networks and accessing your intellectual property.

Being able to manage devices in a non-intrusive fashion is of critical importance when working to ensure your fiduciary responsibilities to protect your company. Not all organizations were able to get access to all of the hardware that they needed to be able to provide their staff with the ability to work from home.

Having the ability to have clear visibility of patch levels and activity of laptops, desktops and mobile devices is a great step towards understanding the threat surface and ensuring compliance with corporate policies.

When we were small children we were all too aware of the sign at the amusement park that said “you must be this tall to ride.” We would stand on our tip toes in an attempt to make the grade. This analogy does not hold up when attempting to secure a company. Device trust is not something that we need to cross our fingers and hope that we’ll make the line when we have solutions that can give us clear guidance. 

Even in times where the “new normal” is simply a day that ends in “y” we still have staff, contractors and temporary staff that need access. By deploying solutions that provide for device trust we can have granular access controls which provide the right level of security for your organization which go a long way to establishing a zero trust framework for your workforce.

Duo's Device Trust Security for Remote Workers

That's right. Duo’s device trust can help you secure your remote workforce. 

Try Duo For Free

Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust. 

“Digital transformation has been forced upon every company that has any sort of digital workforce. We’ve seen a tremendous rush for companies to figure out how they get every worker now to be a remote worker. There was always going to be a longer journey toward more free-range employees and not having all of your people, applications, data, and devices in the four walls of your building.” - Dug Song, Duo Co-founder and Cisco GM - Zero Trust.

Not too long ago, the ability to work remotely was an attractive benefit provided by some organizations. And, not all employees were eligible for remote work in those organizations. Well, things have changed! Any employee that isn’t required to be in an office has been working remotely for a while now — and, will most likely continue to do so in the near future. Many organizations, especially in the technology sector, have publicly declared remote work will continue for a significant portion of 2021. 

Organizations have been forced to adapt to keep the business running and employees productive. This transition may have been bumpy for organizations firmly entrenched in the old way of doing things, particularly if they have the additional baggage of an outdated technology environment. Even agile organizations that modernized their remote access infrastructure quickly are now evaluating their risk profile to identify and close new security gaps. 

According to Duo’s data science team, Duo saw a massive spike in out-of-date device authentication failures among customers during the first few weeks of the rush to work from home

Challenges To Securing A Remote Workforce

Many customers have approached Duo in recent times to understand how we can help solve the security challenges that come with remote work. These challenges include:

• Enabling remote work for contractors and employees that use personal devices, without compromising on security
• Eliminating VPN scaling issues to ensure easy, effective remote access 
• Gaining visibility into the health of all devices that access corporate applications 
• Restricting VPN access to corporate managed devices
• Enforcing adaptive access policies based on location and device posture
• Lowering the risk of IT audit failures due to non-compliance with HIPAA, PCI-DSS, NIST and other data security and privacy standards
• Reducing IT overhead in managing multiple solutions for remote access, access control and device management 

5 Reasons To Upgrade Your Duo Edition

Customers that have implemented Duo Multi-Factor Authentication (MFA) have completed the foundational step towards a zero trust security model — enabling strong authentication for the modern workforce wherever they are. 

As CISOs and IT directors get comfortable with remote work, and start planning for the future — below are the 5 reasons to consider upgrading your Duo edition:

1. Achieve your security objectives and keep your workforce productive

Security is at the forefront of empowering employees to be productive.  Whether it is  continuing the zero trust journey; implementing the BeyondCorp model for remote access; enforcing least privilege access for users and devices; meeting security controls for compliance requirements; or lowering operational costs through vendor consolidation  — Duo can help you achieve your organization’s security objectives while keeping your employees productive.   

2. Reduce security risks due to remote working

Leveraging known vulnerabilities in browsers and operating systems (OS) are common attack techniques. The organization’s risk profile increases when the IT teams have no visibility into or control of the devices (personal and corporate managed) used by employees and contractors to access applications. Duo can help IT teams ensure that all devices used - not just the ones managed by IT - meet the organization’s security requirements.  

3. Increase user productivity with better remote access experience

Forcing employees to use VPN to be productive creates a bad user experience and impacts productivity. As the footprint of cloud applications increases, the preferred method of access is directly over the internet, which bypasses perimeter based security controls. Duo has an unique vantage point to enforce inline security while delivering the direct internet access experience. This helps organizations to deliver the best remote access experience, and eliminate user friction with single sign-on for cloud and on-premises applications.  

4. Reduce help desk burden with self-service workflow for users

Enabling employee self-service workflows for common IT tasks saves time for both end users and IT helpdesk teams. Duo’s focus on ease of use and self-service empowers users to be in control of their work, without requiring them to raise tickets and waiting for a resolution.

5. Easily demonstrate regulatory compliance to IT auditors

Many customers chose Duo MFA to satisfy a compliance requirement. But those compliance requirements go beyond MFA and include controls to ensure only secure devices can access sensitive data environments. Administrators can align access policies in Duo to meet those controls and can confidently prove compliance using Duo’s detailed logs and reports. 

Hear It From Your Peers

Still on the fence? Check out how our customers use Duo to secure their remote workforce:

1. Bird, FinancialForce, Ballance Agri-Nutrients, LevelOne Bank and Zenefits improved security using Duo’s Device Trust to gain insights and enforce endpoint access control.
2. Globe Life, Tanium, Optimax and University of Louisville Hospital aligned Duo’s adaptive access policies to meet their regulatory compliance requirements.
3. Lyft, Sophos and Sentara Healthcare improved protection while reducing operating costs by consolidating access security with Duo.

If you are curious to learn how Duo can help your organization, check out Duo offerings and get in touch with us!

Recommended Watching:

Verifying Device Trust with Microsoft + Duo Security = Zero Trust, Explained (34:18)

See the video at the blog post.

Recommended Reading:

Zero-Trust: Going Beyond The Perimeter

The Essential Guide to Device Trust

How to Successfully Deploy Duo at Enterprise scale

Duo for Compliance

Try Duo For Free

With our free 30-day trial you can see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Ouch!! 

This is definitely not what you want to hear from your customers after developing a great product. If you want to batten down for this situation,  hire rockstar Site Reliability Engineers (SRE) – the team I’m an intern on here at Duo Security.  

Before you lookup what SRE is and what they do, let me make an attempt to explain quite abstract SRE basics in a seemingly easier quite non abstract way:

Site Reliability Engineer (SRE) in Layman’s terms: 

A Site Reliability Engineering team, which originated at Google, is responsible for making sure that the product is unfailingly available to customers for use at any given time. 

You might now wonder how a product built by smart engineers could ever fail to be available? 

A bunch of reasons. Sometimes nature has a hand; for example, the data centers that house your application code via servers might fall victim to natural calamities. OR sometimes an event could create a traffic spike, limiting the availability. 

Imagine Beyoncé going live on Facebook with her latest song and millions of fans are accessing their Facebook accounts all around the world at the same time hoping to not miss it. The web servers at Facebook that serve you your personalized Facebook content when you log in to ‘facebook.com’ might crash due to the sheer volume of users utilizing it. Thankfully, in reality, Facebook SREs hold these types of problems at bay. 

During such unprecedented times, Site Reliability Engineers bring out their lasersharp troubleshooting skills from their ultra awesome bag of technical tricks to effectively rebound these services and keep them running.  

A Quick Look Into the Work of a Site Reliability Engineer: 

Previously, system administrators were the only superheroes tasked with keeping the IT infrastructure – hardware, software and network components –  robustly functional. Times have changed and the capabilities of computers quadrupled and the organizations are embracing cloud computing services more than ever before at an increasingly whopping pace! 

Manually performed IT operational tasks can now often be replaced by novel software technologies. Site Reliability Engineers, (aka the software engineers who marry software and computer systems knowledge), now handle these operational tasks. 

What Do Site Reliability Engineers Do? 

To achieve highly reliable working systems, Site Reliability Engineers:

• Focus on automating (e.g: automating provisioning new    servers) 
• Scale the systems
• Demand forecast for capacity planning 
• Monitor the systems (Logs are to SRE as medical reports to doctors – but in this case, it’s a computer system’s history) 
• Remain on call: Come any problem, I am alert, 24 hours, armed with energy, ready to tackle any outage problems  
• Don’t let their coding skills depart: Yes! They work on innovative software projects too

These are just the highlights of the higher-level work a Site Reliability Engineer carries out. One more thing worth mentioning about SREs is that they are revered for their expertise in a large scale production systems. Isn’t that doubly awesome?

My Internship Experience at Duo

My decision to join the Site Reliability Engineering team mainly stemmed from my innate desire to learn how large scale production systems work, how the infrastructure of a Software-as-a-service (SaaS) product is designed and the hidden underlying complex mechanics that let Duo customers access the product seamlessly. I believe knowledge about a product, product’s infrastructure and a product’s reliability is instrumental for building a great product– divine knowledge not easily amassed at universities. 

Why was acquiring basic knowledge about a product’s infrastructure a great investment for me?

Every piece of code requires computing resources for its execution, and large software products made up of thousands of lines of code require even more computing resources, which means complex infrastructure — more servers, etc. 

Duo is a SaaS multi-factor authentication (MFA) provider, protects more than 20,000 of the world’s most top titans like Bird, Facebook, Lyft, University of Michigan, Zillow and more, receives 700+ million authentications every month and integrates with customers’ growing IT infrastructure, which makes establishing scalable and robust infrastructure its No. 1 priority. 

Hence, learning about Duo’s infrastructure exposed me to the beautiful landscape of large scale production systems. I now know how code works in a production environment consisting of many systems, which is very different from the code running locally in one computer system! 

What’s more? The architectural skills you learn are transferable! 

For instance, later down the road, if you make a switch to machine learning and the organization positions you to build machine learning infrastructure, you could then easily chant “Cotton candy, my infrastructural skills are super handy!” 

What do I think now that I did not think before?

In the world where adding more features and building new products are reckoned as the only “business driving factors”, with the majority of  efforts expended in that direction, one must always always wear a reliability-oriented mindset cap because reliability of a product matters. Customers will only be able to trust your services if they work, not momentarily, but consistently, not slowly, but rapidly!  

While programming, it is critical to keep virtues like reliability, scalability and efficiency in the back of the mind. A great software engineer must indeed not only focus on writing efficient code but also on harnessing hardware resources efficiently such as CPU, memory, storage – especially, when it comes to a large scale product. 

We're hiring and looking for interns! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

NIST has released the final version of SP-800-207, Zero Trust Architecture.

Even with nearly everyone working from home, government guidance and policy folks have been hard at work to modernize our ability to deliver a holistic, risk-based security framework.

I’ve written a lot about how zero trust is the inevitable security framework for agencies looking to modernize their infrastructure. As a matter of fact, way back in 2018 I put these thoughts down just as some of these groups were starting on their zero-trust “journey of discovery.” It seems like so long ago, and many things have changed in the meantime. We’ve all been hunkered down and dealing with an extreme telework situation, which has slowed things down a bit, but has also put in stark relief just why we need to take this journey. We need to provide for security flexibility whatever may come.

Alongside the zero-trust journey, CISA has released some of the final pieces of their Trusted Internet Connection (TIC) 3.0 guidance. This guidance brings us into the 21st century with regard to how we architect and secure our access to cloud services and works with the zero-trust guidance to help agencies focus on what matters, protecting data and a user’s access to it.

These things didn’t happen in a vacuum. This is a concerted effort towards alignment of important core tenants of security that every agency should be paying attention to while also figuring out the roadmap for their own zero-trust journey.

Those of us who have been working with the ACT-IAC Zero Trust working group over the past two years have been thinking about what zero trust means to agencies and now, in phase two, we’ve been thinking about what that journey may look like for agencies.

 Now, keep in mind, as John Kindervag, who is credited with coining the term “zero trust,”  has always said, a zero-trust journey is a “bespoke” journey. That means every organization’s journey will be a little different, and this is so true. But it’s also worth pointing out that every organization is starting with basically the same raw materials. 

It’s just like playing guitar. Every guitar player is using the same instrument – the same frets, the same strings, access to the same amplification. Very few folks build their own gear from scratch. The difference is how you play and how you practice. The more you practice and plan the better you are. Your “solo” might not be the same as other agencies’ “solos,” but they can both be good if you focus, and practice the basics.

At Duo, we’re good at the basics. The basic security components that make up a strong, fundamental, capability that agencies can deliver to help them on their Zero Trust journey, AND, just as important, allow agencies to deliver a security capability that users will love.

Try Duo For Free

With our free 30-day trial you can see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Universities are prime targets for malware and phishing attacks. With large groups of people gaining access to a network from all over the world through personal devices and computer labs, often for short periods of time — maintaining cybersecurity can be tricky. Universities have to verify trust in the devices connecting while adopting a frictionless "trust no authentication to the network that cannot be verified through a variety of factors" stance. Otherwise known as a "zero-trust" policy.  

The Problem

The Texas A&M University System needed to ensure that 183,500 users across 11 campuses and nine state government agencies could connect to the internet without becoming vulnerable to malware and phishing attacks, accessing prohibited websites, or opening the door to information theft. 

The Solution

Using Cisco Umbrella and Duo Security, now part of Cisco, to support its security strategy, the Texas A&M University System has been able to reduce malware and phishing attacks, protect employee paychecks, secure application access, and enable faster incident investigation and response – ultimately freeing up 100 hours per week previously spent on investigation and remediation. 

“At times, people would get a password and log in to our HR system hours before payday, change the routing number and have that paycheck routed into another location. Cisco Duo stops a significant number of those activities.” 

According to Texas A&M University System CISO Danny Miller, “Attackers were setting up new sites for just a day or two and luring our users to them to distribute malware.

With Cisco Umbrella’s ability to block malicious and newly seen domains, we could say, ‘If that site’s less than X days old, we’re not going to allow connections to it,” said Miller

The Texas A&M University System now sees millions of security blocks every day, and billions of DNS requests. They are able to stop malware before it even gets to the download phase.

“Duo and Umbrella are key components that allow us to stay on top of our changing work environment and the changing network of bad actors that are constantly coming at us,” adds Basile.

They can also demonstrate the value they realized from Cisco Umbrella through its reporting. 

“We can show our Board of Regents as well as our CEOs at each of the universities how much malware we’ve blocked and how many sites we’ve blocked to prove how effective we are,” says Miller. “Plus, we can now focus on much deeper threats versus the mass of different malware that’s filtered out. That’s a big deal.”

Miller continues, “And Duo really helped us defend our folks at the individual level. Prior to us having Duo, we were having cases where the bad guys knew exactly when people were getting paid, they knew exactly who to go after, they were spearfishing them. Once we put in Duo, it went from a variety of different phishing attacks that were successful down to practically zero now.”

In addition to using the Investigate console for threat intelligence, the Texas A&M University System security team discovered another use case: they use Investigate as a training platform for students studying to be security analysts. 

“By teaching our security interns, we’re giving them two years of experience so they can immediately pivot out into the industry as thought leaders,” Basile says. “I’m very privileged to be able to use tool sets such as this not only to train our students, but to protect our users no matter where they are, as we see the security landscape really changing.”

“Duo and Umbrella bring a different portion of the security stack towards the customer. While they may not see Umbrella working in the background, and they definitely see Duo every time it protects them; both are working to protect that user no matter where they are... and that is a huge win for us in cybersecurity. They give us a greater level of visibility into authentication and internet activity, while showing how we’re protecting users out there in the field,” reflects Basile. 

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer, Account Executive etc. at Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo? 

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Technical Training Manager, Kim Driscoll to learn about what she does and her experience at Duo. 

Kim Driscoll

Employee Name: Kim Driscoll

Title / Department / Office Location: 

Technical Training Manager / Customer Success & Support / Ann Arbor and Detroit

 How long have you been at Duo, and what do you do here?

I've been at Duo for about one year. I work with the new hires in the CS&S department to help them learn all of the things they need to be successful in their roles here at Duo. Essentially, I'm a Duo teacher.

 What's your day-to-day like at Duo?

My role sits on the Customer Success Operations team, which means there is no "normal" day-to-day for me. Being on Ops is an adventure because we're always partnering with new teams or working on new interesting projects to help our teams scale, grow or learn. A typical day includes working on content that folks will learn from, chatting on Slack with hiring managers throughout our organization to coordinate for new teammates, probably a cross-team WebEx meeting or two, and catching up with our newest team members. About once a month, I lead a training cycle dedicated to learning about Duo's products. We're also regularly working on future-planning, creating efficiencies across our teams, and so much learning from data. Operations is so fun!

What tools do you use to help you do your job? 

Now that we're working from home (and onboarding new folks at home too), the most important tool I have is my WebEx video chat. As an extrovert, videos-on has been a life-line to me, but also makes collaborating with teammates and teaching new Duonauts much, much easier! After that—Slack is my go-to.

How do you and your team collaborate with other teams within Duo?

Operations = collaboration. I almost feel like the question should be how “aren't” we collaborating with others? As a trainer, I work with Product and Sales to ensure a consistent and accurate understanding of our Duo product suite. We work with the awesome folks throughout CS&S to make sure the have all the materials they need to succeed—which includes so much listening, learning, innovating, and iterating. We work with our Data team for actionable, reliable data so we can take action with customers, our amazing People and internal Support teams to coordinate new hire onboarding, and with our Creative friends for fun Duo swag. At Duo, there's pretty much always an opportunity to work with someone new!

How did you get your job at Duo?

I wanted to land at a company whose values matched my own. Living in Southeast Michigan, it's hard to miss the impact of Duo in our area, so I turned here pretty quickly. I saw the Trainer role and reached out to a friend who already worked at Duo to see if she thought I'd be a fit (hey Taylor!). She was so supportive, I applied, and I've been learning along with these awesome people ever since!

What is the first thing you do when you come into the office? 

Well, now that my office is a whopping 20 feet from my bedroom, it's a lot different than it used to be in Ann Arbor. I grab my coffee, open up my computer, and check Slack to say good morning to my team. The new restrictions got us all a little mixed up, so I start every day with a gif or emoji to remind us what day of the week it is. Good news is that in the last 4 months of WFH, I've only got the day of the week wrong twice.

Any big projects or goals you're currently working on?

The big goal I'm working on right now is continuously iterating on how to get our newest hires to feel the Duo Love and Awesome Duo Vibes from their very first day. Even though we can't get together in the Duo offices, it's so important to me that our newest teammates feel the joys of Duo when working entirely remotely.

What’s an important lesson you’ve learned while working at Duo?

Just ask. Everyone at Duo is so much kinder than necessary, and if you're curious about something, you can always ask! Folks here are so excited to share and help other people learn, I've never been met with frustration, condescension, or dismissal when asking a question, no matter how silly that question seemed to me at the time.

How is Duo different than other places you've worked?

I cannot understate how committed everyone is to Doing The Right Thing. Folks consistently, and at every level of the organization, step up, put their ego aside, and search for the best possible solutions. I love problem-solving here.

How is your role at Duo different from roles you've had with other companies?

Frankly, I think it's the scale. The role I do today sort of fits into "teacher" roles I've played in the past, and my "class" size at Duo is so much smaller than before. It's awesome to be able to help folks more individually and get to know them better. Oh! And it's still getting to see them after they "graduate" and are actually using the skills we worked on together!

What would you tell someone considering a role at Duo?

You belong here! You have a skill or perspective that is unique and needed. We can learn the security stuff together - take the leap and apply!

####

We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

With the release of NIST SP 800-207, many cyber security professionals are reviewing their environments, and examining how Zero Trust principles and practices can enhance and aid their architectures. Among the many tenets of Zero Trust, ensuring dynamic policies are incorporated into the authentication and authorization of accounts requesting access to resources is critical. This ensures the authentication of an organization's workforce can adapt to changing and emerging threats and needs. In short, the key for cybersecurity professionals is to make sure they avoid the Red Queen.

The Red Queen Effect

The Red Queen effect is a concept borrowed from the Biological Sciences. The concept revolves around the need for prey to keep pace with predators through adaptive responses to camouflage, speed, agility, ect. For predators, they need to adapt twice as quickly if they look to gain an edge in this timeless struggle.  

The name comes from Lewis Carroll’s "Through the Looking Glass" where the Red Queen is chasing Alice. 

What cybersecurity professionals can learn from the Red Queen effect is the need to be dynamic and to avoid static solutions. This has been a key takeaway from the last decade, where traditional IT practices of strong perimeter defenses, and static IT security practices have led to compromises and breaches. 

The other takeaway is the pressure dynamic security practices and solutions place on attackers; forcing adversaries to put forth significantly more effort to compromise systems protected with a  Zero Trust architecture.

Dynamic Cybersecurity Solutions

So what does it mean to have dynamic solutions in a Zero Trust landscape, and how does this relate to Identity Assurance; one of the most targeted and vulnerable pieces within the enterprise?  

Over the past decade, identity practices have been built and positioned around leveraging strong multi-factor authenticators (MFA). For the US Federal Government, this has led to development and deployment of one of the strongest enterprise capable authenticators with the x.509 smart card. Often referred to as a PIV or CAC card, these smart cards are powerful multi-factor authenticators providing strong identity binding to authorized individuals. But while a smart card is an excellent example of a smart authenticator, the authentication these cards provide is still rooted in static authentication workflows.

When a user leverages their smart card to authenticate, what they assert is proof of possession of the private key embedded within their PIV or CAC. Once this proof is established, a typical smart card authentication workflow allows the user to proceed. While much stronger than a simple username and password, this is still an example of a static authentication, as it does not contain any dynamic security controls embedded within the authentication workflow.

Smart Policies for PIV and CAC Cards

What is needed is to enhance smart card authentication through a dynamic authentication workflow which allows for smarter policies to be implemented before the user is granted access to a resource. Here, not only would the user need to perform a traditional certificate authentication, but the broader security posture of their workstation, account type, and even their browser would be examined to determine the overall health of the authentication request.  

Once the overall health of the user’s broader identity is validated then, and only then, the user would be allowed to proceed to the protected resource. By enhancing certificate authentication with this smarter authentication workflow, PIV and CAC authenticators can be modernized into a Zero Trust architecture.

Get Stronger Authentication with Zero Trust Policies

This need for dynamic authentication workflows extends beyond smart cards, and applies to authentication in general. Through the looking glass of Zero Trust, we can see the benefits of smarter authentication workflows and inline policy controls to address a number of organizational needs and requirements.

Dynamic authentication can help organizations to:

• Ensure only approved browsers are used to access resources, and quickly enforce browser updates should critical vulnerabilities be discovered
• Prevent older or outdated Operating Systems from being used
• Limit or control mobile device access to resources
• Enforce or prevent specific versions of Java and Flash
• Limit Privileged Account access to domain controllers or critical servers only
• Set special permissions around local administrative accounts
• etc.

What makes these controls valuable is the ability for an organization to quickly react to security incidents, and adapt their authentication workflows to minimize risk on a global, application, or individual account basis. This keeps the authentication workflow from relying solely upon static security practices, and helps an organization to keep pace with the Red Queen.

Examples of the Red Queen in Action

Endpoint device management is something that has been in place in many organizations for a number of years. It is easy to look at dynamic authentication and Zero Trust recommendations and question whether these solutions are necessary in an environment where workstations and mobile devices are fully managed. 

While endpoint management, whether through a mobile device management (MDM), enterprise mobility management (EMM), or some other management platform, can be a valuable component of an enterprise architecture, these solutions do not necessarily provide the same level of agility and flexibility as a Zero Trust-based authentication workflow.

Mobile Device Management Policies

The perimeter is shifting. MDM policies only apply to those devices protected by the MDM profile set by the organization. Partners and other third parties, who may still require access to protected resources, typically cannot be forced to install an MDM on their mobile device, forcing an organization to issue a managed mobile device to these individuals, driving up hardware costs.  

There also remains the challenge to ensure only MDM configured mobile devices can gain access to protected resources. These challenges often lead to a number of unknown or unmanaged devices gaining access to protected resources with no insight into the device health and hygiene of those mobile devices, exposing an organization to greater risk.

Verifying Device Trust

With Zero Trust dynamic authentication, device health and device trust or the security posture of a mobile device can be evaluated, and those devices that are out of compliance can be prevented from successfully authenticating. 

Oftentimes, the security posture of a mobile device, including operating system, browser version, etc., can be determined without requiring any intrusive software to be installed on the mobile device, making these controls better suited for partners and unmanaged devices. By enforcing these security posture policies inline as a part of the authentication, device health can be enforced without having to directly manage every endpoint attempting to authenticate.

For workstations, the need for inline dynamic authentication workflows can be even more valuable. Most organizations have practices in place to manage the software and patches installed on workstations within their network. 

While these are good security practices to have, this management can take time to ensure every device is updated.  This often results in workstations that are out of compliance and insecure for a number of hours, days, weeks, or even months accessing critical resources, before all of the workstations in an organization are updated accordingly.

Think of a large enterprise organization 120,000 accounts, factoring in privileged, partner, and contractor accounts, which utilizes several applications that are accessed through close to 400,000 endpoints, with the average worker having access to several mobile and workstations devices. 

Should a critical vulnerability be discovered in a browser, such that every endpoint needs to be updated, how long would it take traditional IT security practices to ensure that every device is updated? Clearly, this could take days (if your organization is very efficient) and likely months.

With dynamic authentication, a global policy can be set to ensure the vulnerable version of the browser cannot be used to successfully authenticate across the entirety of the organization in a matter of minutes. That is the speed and agility of smarter Zero Trust authentication and a way to outpace the Red Queen.

Learn More About Zero Trust

• Download and read the Zero Trust Evaluation Guide
• Check out Duo’s Federal solutions

Try Duo For Free

Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust. 

The first-ever Duo Community Impact Award celebrates our team members who are impacting their communities and making the world a better place. Get to know our five winners, each of whom received a $5,000 grant for Bright Funds, our workplace charitable giving platform, to donate to non-profits they're passionate about.

Patrick Fraser
Patrick and his wife serve on the council for Tomorrow's Leaders Central Texas chapter. Tomorrow's Leaders is the Cystic Fibrosis Foundation's (CFF) young professional program, designed to offer like-minded professionals leadership skills and networking opportunities while they make a difference in the lives of those with cystic fibrosis. The mission of CFF is to cure cystic fibrosis, and to provide people living with the disease access to care, allowing them to lead fulfilling lives. Patrick has done it all: event participation, organization, fundraising, marketing, advocacy, and more.

Jaclyn Freeman
As a child, Jacyln and her sister joined their mom on Meals on Wheels deliveries, teaching them early on the impact of a hot meal and a little human touch, especially for their underserved community members. Currently, Jaclyn drives delivery routes monthly for Meals on Wheels PALS (Pets Assisting the Lives of Seniors), along with ad hoc deliveries throughout the month. She also organized two volunteer days for her Duo team in Austin this past holiday season to pack up holiday gifts for all of the pets!

Julie Kramer
Julie has been instrumental in making Cisco check-ins, Duo all-hands meetings, and other events more accessible for other deaf and hard of hearing employees. From connecting the dots within Cisco to include a real-time ASL interpreter and closed captioning, to leading ASL learning sessions for the Duo community, she has gone above and beyond to foster a culture of belonging. Outside of work, Julie is very active in the deaf community and helps educate and provide assistance to families with deaf children. She's also eager to get involved in Deaf Arts Festival (DAF), a platform for arts workshops, exhibitions, and performances.

Valerie Kosiadi
Valerie works with I’RAISE International Girls & Boys in New York, NY, where she does survey design and administration that measures the psychological and mental health impact of COVID-19 and racial injustice incidents on NYC adolescents. She also does international pro bono work with Freedom Business Alliance, a global network that invests in the personal and professional development of human trafficking survivors, by coordinating and helping to sell face masks created by survivors from Thailand, Bolivia, India, and Israel. Locally, Valerie volunteers with City Impact, organizing food pantry volunteering events with friends and creating care packages for people experiencing homelessness in San Francisco's Tenderloin neighborhood.

Bryan Rosensteel
Bryan volunteers with Project Healing Waters Fly Fishing (PHWFF), an organization dedicated to the physical and emotional rehabilitation of disabled active military service personnel and disabled veterans through fly fishing and associated activities including education and outings. When all in-person meetings and events were canceled, he led the effort to make meetings virtual and move from a biweekly to weekly meeting schedule. Bryan has supported these sessions for more than four months on his YouTube channel, VA Fly Tying, and the positive reactions have cemented his belief that helping in our communities can come in a variety of ways.

With so many amazing submissions, we couldn’t help highlighting three more honorable mentions! Each of these Duo team members, along with all of the nominees for the Community Impact Contest, earned a $150 Bright Funds grant to donate to non-profits they're passionate about.

Kyle Lady
Kyle has been involved in the Membership & Chapters Committee of Eta Kappa Nu (HKN), the honor society for electrical and computer engineers, and is the chief advisor for the UM chapter of Tau Beta Pi, the engineering honor society. He supports the chapter officers by mentoring the leadership team, providing one-on-one advice to officers, and coordinating long-term initiatives and relationships with university staff. Kyle also supported the Detroit Water Project's partnership with the Michigan Independent Citizens Redistricting Commission by notarizing commission applications (for free!) as they worked to increase the diversity of the applicant pool.

Zoe Lindsey
Last August, Zoe spearheaded communication and promotion to Duo team members around donation and donation matching information for a US Immigration Support Fund campaign. Her efforts inspired the Duo community to give $17,000, which General Manager Dug Song subsequently matched. Additionally, on her own social media page, Zoe offered to personally match any donations for LGBTQIA+ or Black Lives Matter organizations made by her friends. In the community, Zoe hosts and DJs a weekly drag show in Ann Arbor that has grown into a welcoming, celebratory space for LGBTQIA+ youth.

Maddie Webb
Maddie has raised more than $25,000 for organizations during the Black Lives Matter fundraising movement, collecting donations from her friends and family via social media outreach. By leveraging Bright Funds' matching gifts, she’s multiplied her impact to support multiple causes that she's passionate about. And through it all, Maddy spreads positivity that inspires her teammates and broader community to take action.

We're hiring! If your mission is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want you! Visit our Careers page to learn more.

See the video at the blog post.

Duo's CISO Advisory team members are legends in their fields. They have seen it all, and they are ready to share their insights with you!

If two crows make an attempted murder, then a group of Advisory CISOs surely make up a Murder Board. A Murder Board is a group of people pulled together to provide critical review. The idea is to prepare someone for a difficult situation such as a presentation, or for our meaning, your career in security.

See the video at the blog post.

This month, the CISO Murder Board, comprising our Duo Advisory CISOs Dave Lewis, Richard Archdeacon, Sean Frazier and Wolf Goerlich) takes on the topic of remote work and look to the future. You’ll hear:

• A lively around-the-horn of hot topics and current events
• A conversation on the state of remote work
• How remote work requires a culture change
• The future of work and where we go from here
• How zero trust can lead to remote work cost savings

Tune in now.

Check out previous episodes of the Murder Board podcast. You may also enjoy Duo's Plain Text podcast, in which Dave Lewis speaks to other CISOs about their personal career journey and experience.

Try Duo For Free

With our free 30-day trial you can see  how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

There is a tradition at Duo that every new employee, down to the newest intern, must give a three- to five-minute presentation introducing themselves to their team. There is even a slide deck of past examples. When it became my turn to present my biography to the Product Design team as their new intern, I copied those examples almost to the T: a slide on my hometown, a few slides for hobbies and interests, and of course, a slide on how I came to Duo in the first place. 

Non-Traditional Backgrounds Welcome

My path to Duo is one of detours and backroads, but on the surface-level (what I would call the “resume-level”) my background is clear: I studied creative writing; I taught English composition as an adjunct professor; and I am getting my MSI (Master of Science in Information) specializing in user experience research and design. Mine is a background that has confounded classmates and recruiters alike, nontraditional in its leaps across fields and of logic.

When I applied to Duo's internship program, a few months into switching careers and starting graduate school, I had already come to anticipate one of two responses from recruiters: polite confusion, or outright silence. Imagine my surprise when I received a response not only immediately, but enthusiastically, especially regarding those very experiences that didn't fit into a neat box. 

I'm no longer surprised. Having spent a summer at Duo, absorbing its learner's mindset, and its culture of privileging how one acts over what one knows. More to the point, when I presented my slide on my swervy road to Duo, I quickly found that I was not the only one with a nontraditional background. I met former teachers, journalists, and radio DJs. I talked to a program manager who’d spent years studying trees, a psychology major turned software engineer, and a designer who’d once worked in an immunology lab (with a white coat and everything). 

My typical day at Duo

Most importantly I discovered that, like me, these Duonauts have found not only ready acceptance for their special skill sets, but also ways of paying this acceptance forward, seeding opportunities for future employees and building from within a company that is as creative and nontraditional as the people they hire.

Diverse Duonauts

Higher Ed: Alicia Fleming, Product Manager

Alicia Fremling is a product manager who has been with Duo since July 2019. Her background is in higher education, with a post-college stint at Teach For America, but it was during what she jokingly referred to as a “sabbatical” working for a pet resort that she made the ultimate career switch. 

“I noticed that the leaders of these animal welfare organizations all had corporate backgrounds,” Alicia said. Her passion for animals and a desire to be their advocate led her to a product management internship at Comcast, where she stayed for two years, and where she found that her past teaching experiences made her uniquely well-suited to the responsibilities of a PM. 

“Product management requires you to understand the importance of relationship building,” Alicia said. “Teaching taught me how to create trust and rapport, to make people care about what I was teaching, just as now I have to make people care about the products I’m managing.”

Ultimately, Alicia is primed to draw from her past experiences to tackle new challenges at Duo. Even her time at the pet resort gave her product management practice, as she reflects that she went through PM motions when trying out different dog training packages and talking to customers to deduce the best training classes to offer. 

Now Alicia, who hired her first intern this summer, sees an opportunity to spotlight the value of candidates who come from nontraditional backgrounds.

“Someone took a chance on me, a person who had never worked in tech before,” she said. “At the end of the day, we’re here to solve the customer’s problems. The more diverse the mix of backgrounds, the more well-rounded our problem solving is.” 

Teacher: Hannah Mullman, Product Management Intern

Her intern, Hannah Mullman, was getting her PhD in Education before pivoting into tech mid-stream, and Alicia recognized that Hannah’s research in teacher-training curricula had her acting like a PM (product manager)without the actual label. Perhaps more valuably, however, Hannah brings both a perspective and an attitude that makes her an asset to the team:

“She has a novice’s point-of-view, but a learner’s mindset. It allows her to dig in, be comfortable with not knowing all the answers, and to ask questions that us ‘insiders’ would never think to ask,” Alicia said

This learner’s mindset is a value frequently espoused at Duo – from onboarding onward – and it speaks to a comfort with transitions, ambiguity and not knowing. A comfort, in other words, with not being the expert in the room. More of an attitude than a skill, this mindset is not as easy to deduce from a resume or a technical test.

Journalist: Andrew Dooley, Manager of Customer Enablement

“There are a lot of former journalists on my teams.” Andrew Dooley told me. Andrew joined Duo five years ago and now manages two teams within Customer Success. “We don’t specifically look to hire former journalists, but they tend to be a good fit for roles creating content for customers. Journalists are good at making sure they actually understand what they’re writing about, even if you think you know something, you still ask the ‘dumb question.’” 

A former journalist himself, Andrew started in Customer Success as a technical writer. He asked “a million questions” and was willing to leverage his lack of knowledge to challenge development teams to implement even easier and more customer-friendly features. 

When hiring for roles creating technical content for customers, Dooley said having a non-traditional tech background can be an advantage. “Thanks to our amazing enablement team in CS, we can teach you technical skills,” he said. “So we look for the traits we can’t teach as easily. Can you put yourself in a customer’s shoes when looking at a problem? Do you like getting and giving feedback? Are you willing to learn on the spot?”

Designer: Ben Barrie, Program Manager

Ben Barrie, a program manager who also helps run the internship program, has a similar criteria when evaluating the many resumes that come into his inbox. He looks for people who are good at wearing a lot of hats, who are able to think about the skills needed for a job and how they have demonstrated these skills even in less-than-obvious ways. 

As someone with a nontraditional background himself (with stints adjuncting, designing educational signs for the Detroit Zoo, and mapping plants in nature reserves), Ben believes his own hiring manager saw beyond his background when he came to Duo two years before, and this seeded a desire to put less emphasis on the traditional markers of “success.” His own time working for nonprofits allowed him to learn how to interact with and influence people despite only holding “soft power”-- for this reason, he also sees the benefit of Duo candidates with food-service experience. 

“I’m developing resources for hiring managers. How do we write inclusive job postings, what are the minimum qualifications we actually need?” He wants to remove signifiers of privilege that are often mistaken as accomplishments. “I want people to ask, ‘Do we really need someone with a four-year degree?’”

Psychology: Brittney Braxton, Software Engineer

Brittney Braxton, who joined Duo back in January, is all too familiar with restrictive job qualifications. A psychology major who worked in customer service for three years before entering a coding bootcamp, Brittney found that companies she applied to were wary of her training. 

“They would say, ‘We don’t hire people like you,’ or ‘Talk to us in two years,’” she remembers. Other companies that her fellow bootcamp classmates found work in would make them jump through hoops that revealed a fundamental distrust in their abilities. “They would have to take a certification in Java when no other engineers had to do that.” 

Duo, on the other hand, never made Brittney feel doubted for her nontraditional background. “From the interview to joining the team, I felt very validated that I was vital to what we were building.” 

Diverse Teams Make Better Products

At the same time, Brittney does want Duo to keep finding more ways to hire outside-the-box and she has begun to work with Duo’s Employee Programs to recruit from often overlooked sources such as bootcamps, which tend to have people with experiences that vary from food service to academia. “I want to celebrate people who have been underestimated,” she told me.

Scientist: Fraser Marshall, Designer

The ethical considerations of building teams with a wide range of backgrounds and skill sets is clear, but perhaps less obvious is how diverse teams help the bottom line. Again and again I heard that diverse teams make better products, but it took a former scientist-turned-designer, Fraser Marshall, to bring his unique worldview to get at the source of this truism. 

“In both science and design, we try not to assume,” he told me. “A variety of designers, with different backgrounds and expertises, are able to creatively see all angles of what shouldn't be assumed, see beyond their own internal biases, and collectively test and experiment to find the truth. When you're designing for a variety of users (especially if you're democratizing security), that diversity and variety is essential.”

I’ve only scratched the surface of the Duonauts who have traveled a long and winding road to get to where they are today. After all, a nontraditional background can be more than just a job history; a learner’s mindset is not just for those who go back to school. If anything, it is Duo’s openness to all backgrounds – straight paths and swervy – rather than a preference for one over the other, that allows an openness in its own employees. An openness towards those with backgrounds both similar and utterly different, but perhaps more importantly, an openness towards one's own path and a trust in one’s inherent value.

We’re hiring! If your mission is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want you! Learn more at duo.com/careers

It’s often said that technology deployments for federal agencies are a different animal. In fact, usually, that is not the case. Government agencies have the same needs, the same use cases and the same security concerns as any other entity with users and data to protect. But… the exception always proves the rule. While the rest of the world has been living with the consequences of living a password life, we folk in the public sector solved that problem way back in 2004…. Sorta.

Credential threats came early to the federal government. Long before the current state of affairs with regards to phishing were “mainstream”, the federal government recognized the risks associated with relying solely on a password for data protection. In 2004, HSPD12 was born and the whole of government moved (or attempted to move) to a password-less authentication scheme by leveraging the best technology available at the time, Public Key Infrastructure (PKI). PKI, coupled with a smartcard as the user’s tool (and the certificate’s delivery method) became the standard. It was a noble pursuit and PKI was the best thing, at the time, to deliver this capability and make this actually come to pass.

Fast forward 16 years and the government is still using smartcards and still struggling to use them. PKI, it turned out, was really, really expensive to deploy and even more expensive to maintain but yet the government continues to shovel money into this insatiable hole. The smartcard form factor, and its “plumbing” also hasn’t aged well. 

It has been super hard to get these things to work with mobile devices (nearly every access device is now mobile) and cloud-based applications (cloud adoption has grown and continues to accelerate). As we look to offload some of the IT weight to the identity owners (federation), we’ve discovered that federating PKI is brittle and monumentally expensive.

Thankfully technology never stands still. While the government has struggled with their passwordless journey over the last 16 years, the commercial world, struggling under the constant barrage of credential breach after credential breach and after relying for years on the password as the only thing standing between an attacker and their data, finally cried uncle. From this pain, WebAuthn was born.

What is WebAuthn?

For those who don’t know, WebAuthn is an open standard that takes human focused authentication to the next level. Still leveraging the PKI we know and love but it does it in a “behind the scenes”, transparent way. It works more like TLS/SSL than the standard PKI we’ve been using in public sector for the past 15 years. This means it has all the strengths of the strong authentication we’ve been working towards without the residual side effect of poor user experience. This includes not only usage but also the painful current experience of on-boarding and off-boarding users from an authentication system.

For those of us who pay attention to what NIST is doing/thinking, it’s encouraging that they have started putting out the feelers on SP-800-63-4. If you remember, 800-63-3 was a bridge to modern authentication with references and guidance on technologies such as FIDO and U2F. WebAuthn (part of FIDO2) is the next step in that journey and I for one will be looking for NIST to help move us closer to realizing this dream within a dream.

Duo Security is “all in” on WebAuthn and is also helping agencies map out a path to get to this next plateau of enlightenment of authentication. We’ve published quite a few resources to help on this journey, including some well written thoughts from my Advisory CISO co-conspirators Dave Lewis and Wolfgang Goerlich.

Recommended Reading

What is WebAuthn?

What does WebAuthn look like?

So you like what you see? How do I do the WebAuthn dance?

Now, what are all of the questions you didn’t know you needed to ask?

As you can see we’re all super passionate about finally, finally killing the password. Won’t you join us? Follow along on our Passwordless blog series. 

Try Duo For Free

With our free 30-day trial you can see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.