The Duo Blog https://duo.com/ Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. Thu, 29 Oct 2020 08:30:00 -0400 en-us info@duosecurity.com (Amy Vazquez) Copyright 2020 3600

The View Up Here Is Great – Introducing Our New Cloud-Based SSO canderson@duosecurity.com (Chris Anderson) https://duo.com/blog/the-view-up-here-is-great-introducing-our-new-cloud-based-sso Product & Engineering Thu, 29 Oct 2020 08:30:00 -0400

Announcing the General Availability of Duo’s new SSO and Duo Central!

Over the last few years we’ve seen our customers move more and more on-premises applications to the cloud. Single Sign-On (SSO) services are no different, and we have repeatedly heard from current customers and prospects that Duo needs to develop a cloud-hosted SSO service.

A few years ago, we embarked on the journey to develop a cloud-based SSO service that our customers will love. At Duo, we take research and design very seriously because we know that products that are hard to use end up being products people don’t use.

The SSO journey included:

  • Thousands of customer and community conversations
  • Numerous prototypes 
  • Usability testing
  • A year-long preview producing valuable feedback that included:
    • Over 670 customers
    • More than 58,000 users
    • 3.4 million authentications into 1,500 applications

After a lot of hard work by very smart people that took all that feedback to heart, I am happy to announce the general availability of our new cloud-based Duo SSO.

Cloud-based and hosted by Duo, it frees our customers from the burden of maintaining on-premises SSO components and instead allows them to focus on more pressing projects. Gone are the hours lost to setting up machines, ensuring high availability, managing certificates, and keeping everything up-to-date. One of our preview customers said it best:

"Migrating to the Duo-hosted SSO service helped us by simplifying our local environment and added extra redundancy to our deployment. The nice thing was that our users didn’t even know that it happened." — Marco DiCicco, Senior Infrastructure Engineer, Ascent Aerospace

Let’s take a deeper look at how our new cloud-based Duo SSO provides simple, secure access to every application, whether it’s on-premises or cloud-based.

Organizations often are asked to make a terrible trade-off between increasing user productivity or providing better security. We at Duo challenge the idea that a user’s productivity must be hindered in order to have strong security. SSO and MFA should be easily configured for each application while allowing a seamless authentication flow for the user. This pairing of SSO and MFA is at the heart of our new cloud-based Duo SSO.

Cloud-Based Duo SSO Authentication Flow From Primary Credentials Through the Multi-Factor Prompt

Duo’s cloud-based SSO service is designed from a security-first perspective and allows you to configure access policies that can differ by application, depending on the sensitivity of its data, the privileges of the user and the device being used. This approach allows you to reduce user friction while protecting your most important assets.

Since our new SSO is cloud-based and Duo-hosted, you don’t have to worry about deploying and maintaining servers, saving your team time and resources. It also means that the new SSO service is extremely easy to set up and configure.

You can be up and running in minutes, protecting your most important applications with not only SSO but also Duo’s industry-leading multi-factor authentication (MFA), device trust and access controls!

All you need to get started is a Duo account and a user directory such as Active Directory or one that is SAML-based like Azure, Okta or OneLogin.

"We don’t have an army of people - technology needs to be simple and straightforward to use. Duo SSO is a great product that is designed well and really easy to use. Our users are happy and Duo is one of those rare IT projects that doesn’t drag on endlessly or ends up half-implemented." —Iasen Ognianov, Global Director of Cybersecurity, Diebold Nixdorf

For your users, Duo SSO now means they need to remember just one username, one password and one website - Duo Central - to access all their applications.

Duo Central Is a Single Place to Access All Your Organization’s Applications

Duo Central makes life even easier by giving users a single place to access applications. Part of our new SSO, Duo Central is a cloud-based site where users log in once to see and launch their cloud applications.

No more looking through bookmarks, searching your memory or asking a co-worker. One password and website means switching costs are drastically reduced and users can stay focused and productive. But don’t take our word for it; see what our customers are saying.

"I highly recommend Duo’s new SSO. It’s simple to set up and anyone should be able to breeze through it. The straightforward design makes it easy to use and it is great to have applications in one place with Duo Central." — Carlos Mosley, Senior Security Systems & Network Engineer, Beacon

While it has taken a lot of work to get here, this is just the beginning. Our team is excited to celebrate, but we are even more excited about what’s to come. Be on the lookout as we continue to add valuable features and updates to Duo SSO and Duo Central. You can follow along by subscribing to our release notes.

If you are interested in participating in future previews or research, let us know here.

You can learn more about the new Duo SSO and Duo Central by visiting our documentation.

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

When the EMEA Duo Partner Kick-Off Goes Virtual abristow@duosecurity.com (Abigail Bristow) https://duo.com/blog/when-the-emea-duo-partner-kick-off-goes-virtual Industry Events Tue, 27 Oct 2020 08:30:00 -0400

It's 2019, we have just finished the last group karaoke sing-a-long to Toto's “Africa” and said farewell to all of our amazing partners that attended our last partner kick-off at Sopwell House. We spent the past couple of days discussing what the next year is going to bring us, and we naively said “can't wait for PKO 2020!”

None of us could've predicted the year that we have had, but what stood out to us against all the odds is that we can still come together, virtually, and give the best that we have got to make sure we deliver first-class solutions to our customers. After all, “It's gonna take a lot to drag me away from you.”

At the event, we delved into the Zero Trust Market Opportunity with Forrester’s Dr. Chase Cunningham. We showed you where Duo is heading with a look at our Product Roadmap, and we delved into how Duo’s Zero Trust offering can benefit your customers during a product walk-through.

We recognized the achievements of our partners, and we explored Umbrella’s solutions. We also sat down with Dug Song and Wendy Nather to learn about how Duo is handling this time of uncertainty with our speed of change and integrations. Lastly, we got a look at how attackers work with our guest speakers, Cygenta’s Dr. Jessica Barker and her husband, FC.

Watch the Session On Demand

All the on-demand presentations can be found below; you will just need a Cisco.com account to access them:

Introduction with Ryan Franks & Lothar Renner 

Market Opportunity with Forrester 

What’s New with Duo, Jim Simpson 

Live Demo with Josh Green 

How Duo Works with Umbrella 

Panel Discussion with Duo GM Dug Song, Duo Head of Advisory CISOs Wendy Nather 

Live Hacking with Dr Jessica Barker 

On behalf of Fiona Doak and Ryan Franks - “It was a pleasure to host the MSP and Strategic partner breakout sessions, and share knowledge and direction with so many of our partners. "It’s amazing what we can achieve when we do it together." We are excited to support and grow with our partners this year. As we did at the kick-off, we want to encourage Duo partners to try Duo yourself via the NFR, tell our story to your customers and lead the success of our customers who need Duo right now.

This year, we reviewed the many partnerships we have and looked at which stood out in the following categories: Best MSP Newcomer, Best Partner Newcomer, MSP of the Year, and Strategic Partner of the Year. We want to thank all four of these companies, and highlight why we’ve chosen them.  

The Award Winners of 2020 


Strategic Partner of The Year - CDW

Throughout 2020, our relationship with CDW grew significantly, and because of their demonstrated thought leadership and teamwork with Duo, CDW is a worthy winner in this category. Together we have educated teams, shared best practices and explored new routes to market, which resulted in some key customer wins, including the University of Liverpool.  We look forward to building on these foundations and repeating this success with them in FY21.

MSP of The Year - Telenor 

Telenor joined the Duo MSP program in mid-2018 after years of being a Duo customer for their internal deployment. They worked closely with our channel and MSP teams to ensure they understood the Duo product inside out, both from a technical perspective as well as the various ways of packaging it up for their customers, and they launched their MSP practise in early 2020. Since then, they have successfully managed Duo for an ever-expanding list of their MSP customers, and we look forward to continued growth together!

Best Partner Newcomer - Motiv

Since the adoption of the Cisco security suite of products, Motiv has proven to be a focused partner in these solutions. They value the Duo relationship, and great progress has been made in FY20. We look forward to a fruitful and successful FY21, and we embrace the trusted partnership between Motiv and Duo Security! 

Best MSP Newcomer - Paradyn 

Paradyn has been a valued Duo MSP Partner since the end of 2018, using Duo for their own internal deployment. Since March 2020 they have grown more and more in the Irish public sector and have worked very closely with our MSP Team to ensure that the customers they onboarded were protected with Duo. We thank Paradyn for a wonderful partnership so far and we look forward to growing even further with them in the future!

Congratulations to all four of our award winners. At Duo, we’ve made it our mission to democratize security, and with your help, we continue to widen our reach and ensure companies big and small are protected. Thank you again for your support and teamwork. We’re proud to have you in our partner community, and we’re excited to continue that partnership in the years ahead. 

More information on our partners can be found at https://duo.com/partners. Find out what Duo can do for you too. Take advantage of the free 30-day trial and experience Duo for yourself at https://signup.duo.com/.

We look forward to welcoming you to our next EMEA partner event in 2021, and hope we get to see you all in person soon!


Plaintext Podcast Ep. 4 Featuring Akamai CSO Andy Ellis gattaca@duo.com (Dave Lewis) https://duo.com/blog/plaintext-podcast-ep-4 Industry News Mon, 26 Oct 2020 08:30:00 -0400

Welcome back to the Plaintext Podcast with your host Dave Lewis, Global Advisory CISO for Duo Security, now part of Cisco.

In this installment, I have the honour of interviewing friend and former colleague Andy Ellis, CSO of my previous employer, Akamai.

See the video at the blog post.

In this episode, Ellis and I chat about his career path, how to adjust to a remote (or distributed) work life and advice for security pros, or those who are considering a career in information security.

If you, the listeners, have suggestions as to who you'd like to see join me on the show, email me at hacker @ duo dot com.

Like what you hear? Be sure to check out previous episodes of Plaintext Podcast.

A Truly Universal Prompt: Accessibility for All kwainczak@duosecurity.com (Kevin Wainczak) https://duo.com/blog/a-truly-universal-prompt-accessibility-for-all Product & Engineering Thu, 22 Oct 2020 08:30:00 -0400

At Duo we like to make the right thing to do, the easy thing to do. Duo recently announced that we’re simplifying our multi-factor authentication experience by building our new Universal Prompt.

The goal of the project is to both make the authentication prompt more secure and reduce user experience friction. When it comes to reducing friction, one of the fundamental pillars of this project is to provide a better authentication experience for everyone, including the many Duo users with disabilities.

We know that not everyone uses technology in the same way, but it’s important that our users with disabilities are able to access their accounts easily without compromising security. That’s why we’re committed to providing a high quality authentication experience regardless of how you use a computer.

Whether you need text magnified, use software to read websites to you, or only use a keyboard, we have strived to make authentication easier for all people. No workarounds should ever be needed to quickly authenticate.

Duo’s Core Value of Democratizing Security

Duo values access for all. One of our core values is to democratize security.

In the words of our founder, Dug Song, we can democratize security “by making it easy and effective -- something the industry has never really cared about.”

We care. So we have made some exciting changes to make it easy for administrators to set up Duo in all scenarios and deploy in hours. We made it easy for all users with different access needs to self-enroll, saving countless hours

Web Content Accessibility Guidelines (WCAG)

To make sure that we’re meeting the goals we have set, Duo is committing to meeting the Web Content Accessibility Guidelines (WCAG) 2.1 standards at the AA level. WCAG is a collaboratively created set of guidelines from contributors across the globe.

Duo chose the WCAG 2.1 AA standard to ensure that we are complying with the latest recommendations and to help our customers meet their compliance requirements. We are also watching these standards as they get updated so that we’re ready to support our customers' requirements as they evolve.

We’ve Set the Bar, Now Let’s Surpass It

The WCAG standard provides recommendations to help ensure applications are accessible, but with the Universal Prompt we want to be more than just accessible for users with disabilities. We want to give them a great, easy, secure experience. To accomplish this, Duo works with our customers to hear their individual needs and we test new features and products with users with disabilities.

From the first design concepts, we thought about how things would work for our users with disabilities. Some of the aspects that we focused on include providing easy to see text and interactable elements, making clean and intuitive layouts and honoring users’ accessibility preferences.

Early design documentation enumerating possible designs that differentiate between default, hover, and focus states.

The focus state design as it exists in the Universal Prompt today.

The hover state design as it exists in the Universal Prompt today.

Color Contrast

The current Duo Prompt includes buttons and elements with insufficient color contrast, which could make discerning text from the background difficult. The new Universal Prompt is an opportunity for us to introduce a color scheme where all text is comfortable to read for people with low vision and color blindness. In addition, we ensured that clickable elements like buttons and links have dark borders or underlines so they are clearly separated from plain text.

Reducing Primary Actions Per Page

The Universal Prompt employs a design principle of keeping primary actions reduced to one per page.

In the current version of the Duo Prompt, a user can see options for sending a Push notification, making a phone call, or entering a passcode all on one page. After selecting a method, a message pops up at the bottom of the screen to tell you what the prompt is doing.

An image of the default screen for the current Duo Prompt. Note that it includes four links, a device selection dropdown, three buttons to initiate two-factor authentication, and one checkbox for remembering this authentication.

In the Universal Prompt, we show one authentication method per screen, with full screen messages relating directly to that authentication, instead of small popups. This will improve the ability of screen readers to announce messages correctly and make it easier for any user to see the text most relevant to what they are doing.

An image of the default screen for the Universal Prompt. Note that the push request has already been sent and it includes two links -- one to view other login options and another if you need help.

Honoring Accessibility Settings

The redesigned prompt includes animations to visually communicate status changes and progress, but we know that some users can find animations distracting. We’re detecting user settings such as preferences to reduce motion and turning off those animations when requested. In addition, the prompt was built in such a way that users can greatly increase their text sizes without any compromise to the user experience.

Rethinking Previous Design Decisions

By redesigning the elements of the current Duo Prompt that are difficult for our users with disabilities to use, we are surpassing the standards set by WCAG. Rather than making existing problematic elements merely usable, we are providing a new simplified design altogether.

An image of the current Duo Prompt with a “toast message” at the bottom of the screen. These toast messages have been removed from the Universal Prompt completely.


Duo recognizes the various needs that businesses and users have when it comes to accessibility. With the Universal Prompt we are helping businesses meet those needs while also designing user interfaces that work great for people with and without a wide range of disabilities. The Universal Prompt project embodies our mission of democratizing security and we are confident that users with disabilities will find the new authentication prompt both easy and pleasant to use.

While we continue working on this project, we’re performing accessibility audits, testing with screen readers, and getting feedback from folks with all types of abilities. When we make an accessible product, we are able to accommodate everyone.

What’s Next?

We’ve got a lot more to tell you about the Universal Prompt Project, so look for regular blog updates as we delve into more detail on each component of this project.

As we get closer to making these changes generally available, we will provide guidance on planning your migration to the Universal Prompt, including:

  • Communications templates for your organization and end-users
  • Updated documentation and Duo Knowledge Base articles
  • Tools in the Duo Admin Panel to track your progress

Today, we invite customers interested in participating in a private preview of the new Duo Universal Prompt to fill out this brief interest form.

We will begin reaching out to you for your help in testing and deploying the future of Duo!


The Student’s Guide to Two-Factor Authentication (2FA) cnovas@duosecurity.com (Caroline Novas) https://duo.com/blog/the-students-guide-to-two-factor-authentication-2fa Industry News Tue, 20 Oct 2020 08:30:00 -0400

Students all over the world are required to use Duo two-factor authentication (2FA)… and they hate it. You might be one of them.

They hate it because their phone is currently sitting on the other side of campus after a fun night out. They hate it because their phone is dead. They hate it because it’s one extra step to get their financial aid money.

But if you understood how Duo protects you, you might even secretly love it.

Why Do I Need Duo?

You see an email from your school telling you to enroll in Duo. Your first thought is: why do I have to do this?

Does Duo even do anything? Yes! Duo performs an extremely valuable function that benefits not just your school, but also you personally. Let’s take a look at how Duo and 2FA protect you (and more importantly your private data)!

In January 2019, a popular online game-streaming site reported a flood of hijacked accounts when the popular game “Town of Salem” had 7.8 million passwords stolen, because many users had the exact same password for “Town of Salem” and for logging in to the game-streaming site. Hackers successfully used a bot to test the “Town of Salem” credentials on the gaming site and stole stored payment information. The gaming site already allows users to set up free 2FA on their accounts. However, most end users did not opt in, leaving them vulnerable. Breach researchers found the gaming site is no longer accepting email addresses to log in and is incentivizing users to set up two-factor authentication — because it would eliminate the problem.

How Duo Verifies Your Identity

2FA can be like a Bumble date. You agree to meet at a specific date and location (something you know) but pictures can be deceiving. You tell each other what you are wearing (something you have) to ensure you recognize each other.

Just like you needed the clothing description to verify your date, you need Duo to validate your identity! Like your password (something you know), the date and location are relatively easy to hack. To protect against this, Duo requires a second factor device that is unique to you, like your phone (something you have). Now if your primary credentials are stolen, attackers will have a much harder time gaining access to your accounts without having access to your phone. If the online gaming users had enabled 2FA on their accounts, it would have been more difficult for hackers to gain access to them.

Duo deployed at universities may result in up to a 96% decrease in stolen credentials

What Is Two-Factor Authentication?

Passwords are extremely vulnerable to hackers as a single factor by themselves. With multi-factor authentication (MFA, also known as 2FA or two-factor authentication), a user’s identity can be authenticated and user trust (authorization) established by combining two or three of the following factors:

  1. Something you know (e.g., passwords)
  2. Something you have (e.g., your smartphone)
  3. Something you are (e.g., biometrics, like fingerprints)

How Breaches Happen

You may still be thinking along the lines of, 'I’ve got nothing they want.'

Think again! Your personally identifiable information is extremely valuable and its theft can have widespread implications. While a hacked and locked Instagram account is devastating, your school is trying to prevent phishing attacks, which often target your largest assets: financial aid, your on-campus job paycheck, and other stipends.

Don’t Get Phished!

Many students have been victimized by phishing attacks to gain access to Federal Aid Refunds. Federal Aid Refunds are what’s left over after you use aid to cover room, board and tuition. Universities transfer the remaining balance to students, often by electronic deposits. These electronic deposits are very vulnerable to attack. 

The attack begins with a phishing email sent to the student's EDU address. The students are taken to a website that replicates the school systems. After the student enters their username and password, the hacker has their credentials and can divert the student’s direct deposit destination to a bank account controlled by the hacker. 

As a result, Federal Student Aid intended for the student is sent directly to the attacker. The US Education Department recommends schools mitigate this risk through the use of 2FA. The attacker would need to have access to the second factor to divert the deposit. 

Improve Your Duo Experience and Save Time with Duo Push!

With Duo Push, you tap a notification and can access your applications in seconds instead of waiting for a text and entering a password.

In addition to being a faster way to authenticate, Duo Push is also more secure than SMS and phone calls, uses almost no data and contains passcodes you can use while offline (like when you are on a plane). Nothing can stop you from authenticating quickly!  

If you want to save even more time, your school may allow you to purchase a U2F token like a YubiKey to authenticate even faster. You simply tap a physical USB key plugged into your laptop. Check with your school to see if this is an option. You may be able to purchase one at the bookstore.

Tick Tock! Which Factor is Faster? 2FA push! 

A user that uses SMS as their second factor could save time by switching to other, more secure, authentication methods like Duo's two-factor authentication aka Duo Push.

In Summary

While hackers will continue to try to access your accounts and steal your credentials, Duo decreases the risk of compromised credentials at universities by up to 96%.

Next time you have to approve a Duo Push to access your financial aid, you won’t be thinking about the inconvenience of one more tap, but instead of the security Duo provides.

Download Duo's free 2-Step Authenticator App available at Google Play and the Apple App store and start protecting all of your online accounts today. 

See the video at the blog post.

#WeAreDuo Employee Spotlight with Jordan Wray wtellache@duo.com (Whitney Tellache) https://duo.com/blog/weareduo-employee-spotlight-with-jordan-wray Industry News Mon, 19 Oct 2020 08:30:00 -0400

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer or Account Executive at Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo?

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Head of Americas for Technical Support, Jordan Wray, to learn about what she does and her experience at Duo.

Jordan Wray

Title / Department / Office Location

Head of Americas - Technical Support / Customer Success / Ann Arbor, MI

How long have you been at Duo, and what do you do here?

I started in March of 2019. I am the Head of our Americas Region, leading Technical Support Managers and Engineers in Ann Arbor, MI, and San Francisco, CA. Our teams assist Duo Administrators through phone, email, and chat.

What's your day-to-day like at Duo?

Most days you’ll find me alternating between meetings with my management team or their engineers, measuring team performance, and ensuring our Support team is meeting Service Level Agreements. I also contribute to cross-functional projects that vary quarter-to-quarter. These include reviewing and implementing technology solutions that help streamline operations and initiatives that cultivate ongoing, long-term customer loyalty. Occasionally, I also step in as an escalation point for customer issues should the need arise. Our Support Engineers and Managers are incredible at what they do, and it’s my job to ensure the support team is enabled and ready to take on any customer challenges.

What tools do you use to help you do your job? 

I rely heavily on Slack and Webex to communicate with my team daily. One of our team’s most important tools is Outlook Calendar, which we use for scheduling meetings, customer calls, and tracking staffing levels across mediums. I also use Monday.com quite a bit as a resource for tracking quarterly goals and project milestones.

How do you and your team collaborate with other teams within Duo?

Our teams receive feedback from customers every day, and it’s important for us to raise it to stakeholders in the organization. One way we do this is by meeting monthly with Product Management to help remediate issues driving top ticket volumes. Support is usually the first team aware of any new bugs and service outages, too. When this happens, we trigger a Red Alert process that engages Engineering and enables them to investigate immediately.   We also collaborate frequently with the Enablement and Operations teams within our Customer Success organization. Our Enablement team helps us design targeted training content to level up our Managers and Support Engineers in essential skill areas. Our Operations team helps us build and coordinate staff schedules so that adequate coverage is maintained at all times. We couldn’t do our jobs without the support of our teammates in these organizations! 

How did you get your job at Duo?

At a previous company in Chicago, IL, I used Duo Mobile to authenticate into our work applications. I loved the simplicity of accepting a push notification and how easy it was to use their service to protect our sensitive information. I was relocating to Southeast Michigan to be closer to family, and I was so excited to discover Duo was headquartered there. I applied to a post on their website for a Technical Support Manager, and within a few days a recruiter contacted me about the position. As soon as I met the team, I knew I had found something special in Duo. I’ve loved working here ever since!

 What is the first thing you do when you come into the office? 

Normally, the first thing I did after arriving at the office was make a cup of coffee. These days, with a short commute from my bedroom to the bonus room above my garage, I’m at least a half-pot of coffee deep when I start working. Once I’ve logged on, I say hello and good morning to the team on Slack. Then I review my calendar for the day to prepare for any upcoming meetings and begin responding to emails.

Any big projects or goals you're currently working on?

To match pace with the speed at which Duo is expanding globally, we’re working towards increasing our support hours for customers by hiring weekend engineers in preparation for going 24x7. We’re also hiring more bilingual employees to expand our language offerings. Something near and dear to my heart is career development, so I’m really excited about ongoing investments we’re making in our team members by partnering with leadership across other teams at Duo to establish career paths for our Support Engineers.

What’s an important lesson you’ve learned while working at Duo?

Don’t be afraid to ask questions when you don’t understand something. At times in my career I shied away from asking questions out of fear it would undermine others’ confidence in me, when in reality, I was doing myself and others a disservice for not speaking up. At Duo we encourage Learning Together, and I have yet to find someone who wasn’t extremely kind and helpful in response to the many, many questions I have asked.  Another lesson I’ve learned (I can include two, right?!) is the importance of diversifying your teams through targeted hiring. Pretend you’re assembling a fantasy football team. You wouldn’t draft all quarterbacks, would you? Building well-rounded teams by hiring for skills and backgrounds your existing team lacks will benefit you tremendously! I promise you will see higher performance, more engaged teams, and individuals learning from one another. Unique perspectives will result in your team having stronger problem solving abilities, too. You can thank my husband for the football analogy used here.

How is Duo different than other places you've worked?

Duo is different in the BEST way in that they encourage their employees to prioritize family first. I’ve never worked for a company where when someone has an emergency with a partner, child, or parent, they’re told to leave work and do what’s necessary to take care of their family — no questions asked. Family members and children are also always welcome at company and team events, which makes it easier for employees to attend and also gives their teammates an opportunity to get to know them better. I feel confident I will be able to build a long-term career at Duo because of this value we both share.

How is your role at Duo different from roles you've had with other companies?

How highly valued our Support team is. Our Support Engineers are on the front lines every day working with customers, and their job is NOT easy, but what they do is fundamental to the success of our business. We have really close partnerships with Product and Engineering, and they incorporate the customer feedback we share with them into their product design and development. Duo recognizes customers are our BEST resource for building user friendly and simple-to-use security solutions. Our Support team is essential to this, and on the daily they’re creating exceptional experiences for our customers that help make us the most loved company in security.

What would you tell someone considering a role at Duo?

APPLY! You won’t regret it! I feel so grateful to have found a company and teammates that are always kind, doing what’s right for our employees and customers, and challenging me to learn new things. There are so many opportunities to grow your skill set and build your career here.


We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

<![CDATA[The Multi-Factor Factor (or How to Manage Authentication Risk)]]> wnather@duo.com (Wendy Nather) https://duo.com/blog/the-multi-factor-factor-or-how-to-manage-authentication-risk https://duo.com/blog/the-multi-factor-factor-or-how-to-manage-authentication-risk Industry News Thu, 15 Oct 2020 08:30:00 -0400

As we debate the necessity of various authentication factors, particularly for passwordless projects, it’s good to take a step back and remember how we got here. There are three key types of authentication:

The 3 Key Types of Authentication

1. “Something you know,” otherwise known as a “shared secret.” This used to be something you memorized, but it turns out that fallible organic storage is not that great for storing complex character strings that now number in the hundreds (you ARE using unique passwords for every account, right? … Right?).

2. “Something you have,” meaning something that can’t be possessed by more than one entity at a time. This could be something that is too difficult to copy or generate independently, that is tied to storage and can’t be removed, or that exists as a unique physical item (such as a hard token or a key).

3. “Something you are,” referring to an attribute that is physically unique to an individual, such as a fingerprint, a palmprint, a retinal pattern, a gait, a typing pattern, or even a heartbeat. 

Each of these factors comes with a downside:

“Something you know” = “Something you forgot,” or “Something that someone beat out of you.” 

A shared secret that is guessed or derived … is not a secret any more. Worse yet, it can be silently stolen without anyone noticing. But it’s also the cheapest factor, in the sense that it can be created, changed, expanded, distributed and used without having to buy any extra technology.

If you need to identify someone more definitively, you ask them for information they’re not likely to forget, such as the name of the street they grew up on. But any of that historical information is increasingly available on the Internet, or can be tricked out of the user through phishing or social media “quizzes.” 

Another downside to “something you know” is that it may appear to be cheap in terms of technology, but in terms of support cost — help desk time when someone forgets a username or password, or can’t log in for another reason — it can be more expensive than a better-designed factor that is harder to get wrong. 

This is why we’re working on the journey to a passwordless future.

“Something you have” = “Something you lost,” or “Something you broke.” 

One of the biggest threats today is SIM theft, in which an attacker manages to steal an assigned mobile phone number so that they can receive SMS authentication codes. This is nefarious because once again, it can be stolen silently; the victim still has the physical phone but may not realize that the number has been assigned to someone else until it’s too late. 

Hard tokens that generate codes can run out their batteries in a few years; they’re also unwieldy to carry around if you have several of them for different accounts. Generally speaking, if a user loses the “something you have,” the fallback is “something you know,” which we’ve just discussed above.

“Something you are” = “Something that aged” 

At least in my case; gait analysis for me would lose its baseline every time I had an arthritis flare-up. The other problem with biometrics is that you can’t change your retinal patterns or fingerprints if the records of them are stolen. 

Covid has revealed some problems with biometrics. For example: If you’re wearing a mask, FaceID doesn’t work; shared fingerprint readers aren’t sanitary these days. But biometrics are extremely convenient as a factor because you can’t forget them, you can’t leave them behind in the taxi, and chances are good that nobody can steal the originals without you noticing (water glasses in spy movies aside).

But what risks are these authentication factors actually trying to address? Let’s list some out.

Risks of Authentication

  1. Someone is trying to log in at the user’s machine with the real user’s username and password.
  2. The real user walked away from their unlocked machine and now an attacker is trying to use it.
  3. Someone is remotely connected to the user’s machine and is trying to pretend to be the user sitting at that machine.
  4. Someone is trying to log in with the real user’s username and password from a different system (such as a compromised machine in a botnet).
  5. The real user is trying to log in, but the machine is compromised and could be used to steal the username and password, or plant malware.
  6. The real user is trying to log in from one location, but someone else is also trying to log in as that user from a different location.
  7. Someone has gained access to the real user’s username, password, and second factor (such as a hard token or phone number for receiving SMS texts), and is trying to log in from a different device.
  8. Someone is listening in on the network stream and trying to hijack the user’s session in progress.

When we do threat modeling, we come up with these sorts of attacks and more. CISOs often run through a whole laundry list of possible attacks in their head whenever they’re looking at a new proposal. Then they have to pick the controls that address as many of the risks as possible. For example:

Controls to Authentication Risks

A 2FA factor that is physically separate from a user’s laptop would protect against 1), 2), 3), 4), and 6) (as listed in the previous section) — assuming that the user has that factor with them and doesn’t leave it near the laptop.

A session timeout, requiring reauthentication, is often used to protect against 2), 3), and to some extent 8).

Marking a laptop as trusted, bound specifically to the user, is used to prevent 4), 6), and 7).

Ensuring that the network connection is encrypted all the way between the user and the application protects against 8).

Using a biometric for authentication is intended to protect against 1), 2), 3), 4), 6), and 7), but that’s assuming that the user isn’t under duress (being forced by an attacker to supply it).

Checking the user’s device for security state and any evidence of compromise is meant to protect against 2), 3), and 5).

Using a second factor such as a U2F key, that requires a physical response from the user to activate, also protects against 3) and 5) -- it proves that the user is actually present and intends to authenticate.
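The mapping above can be written out as a coverage matrix, so that a chosen portfolio of controls can be checked for risks it leaves open. This is an added example, not part of the original post; the risk numbers follow the article's list, and the control names are labels chosen here.

```python
# Added example: the article's risk list and control mapping as a coverage matrix.
# Risk numbers follow the article; control names are labels chosen for this example.

RISKS = {
    1: "login at the user's machine with the real username and password",
    2: "real user walked away from an unlocked machine",
    3: "remote connection posing as the user at that machine",
    4: "real credentials used from a different system",
    5: "real user logging in from a compromised machine",
    6: "second login as the same user from a different location",
    7: "username, password and second factor used from a different device",
    8: "network eavesdropper trying to hijack the session",
}

FULL, PARTIAL = "full", "partial"  # PARTIAL encodes the article's "to some extent"


def _full(*risks):
    """Shorthand: every listed risk is addressed without qualification."""
    return {r: FULL for r in risks}


CONTROLS = {
    "separate_2fa": _full(1, 2, 3, 4, 6),
    "session_timeout": {2: FULL, 3: FULL, 8: PARTIAL},
    "trusted_device": _full(4, 6, 7),
    "e2e_encryption": _full(8),
    "biometric": _full(1, 2, 3, 4, 6, 7),
    "device_health": _full(2, 3, 5),
    "u2f_presence": _full(3, 5),
}


def coverage(portfolio):
    """Return {risk: [(control, strength), ...]} for the chosen controls."""
    unknown = set(portfolio) - set(CONTROLS)
    if unknown:
        raise ValueError(f"unknown controls: {sorted(unknown)}")
    table = {risk: [] for risk in RISKS}
    for name in portfolio:
        for risk, strength in CONTROLS[name].items():
            table[risk].append((name, strength))
    return table


def gaps(portfolio):
    """Classify the risks a portfolio leaves open or thinly covered."""
    table = coverage(portfolio)
    full_count = {r: sum(s == FULL for _, s in c) for r, c in table.items()}
    return {
        # no control in the portfolio addresses the risk at all
        "uncovered": sorted(r for r, c in table.items() if not c),
        # addressed only "to some extent"
        "partial_only": sorted(r for r, c in table.items()
                               if c and full_count[r] == 0),
        # exactly one full control: no second layer if that control fails
        "single_control": sorted(r for r, n in full_count.items() if n == 1),
    }


def closers(portfolio):
    """For each open risk, list the unused controls that fully address it."""
    found = gaps(portfolio)
    open_risks = sorted(found["uncovered"] + found["partial_only"])
    unused = sorted(set(CONTROLS) - set(portfolio))
    return {r: [c for c in unused if CONTROLS[c].get(r) == FULL]
            for r in open_risks}


if __name__ == "__main__":
    chosen = ["separate_2fa", "session_timeout"]  # constructed sample portfolio
    print(gaps(chosen))
    for risk, options in closers(chosen).items():
        print(f"risk {risk} ({RISKS[risk]}): add one of {options}")
```
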

Set Policy Controls As Guardrails

For added protection, set policy controls that use other factors as guardrails. Factors such as location (either by GPS or IP address) can help to narrow down the vectors of attack if, for example, you never expect a user to try to authenticate from anyplace other than a certain network or geographic region. But we know that IP addresses aren’t foolproof — all you have to do is gain access to a system on the “right” network. So these can’t be the sole authentication factors to rely on. Think of these more as a narrowing function: you are blocking more attacks right from the outset, leaving fewer to sift through and validate.


As you can see, there are layers upon layers of defense that you can build to try to address the most common risk scenarios. But you also have to take into account the downsides of each factor when designing the solution. 

If you have an endlessly changing roster of 30 people using the same point of sale system, you can’t register a biometric or phone app for each of them, make each of them log in and out of accounts if they are rushing to serve a line of customers, or make them all share a hard token. The modern enterprise ends up with a portfolio of factors, deployed where they work the best and where they address the right risks.

We’ve learned a lot this year about assumptions we made when choosing the original authentication factors for an organization — factors that stopped working so well when we became physically separated from other people. As we make plans for the future state of authentication, it helps to go back to first principles and update the above lists for a flexible outcome.

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[My Journey from Engineer to AppSec]]> ccornutt@duo.com (Chris Cornutt) https://duo.com/blog/my-journey-from-engineer-to-appsec https://duo.com/blog/my-journey-from-engineer-to-appsec Industry News Wed, 14 Oct 2020 00:00:00 -0400

How Did You Make a Career Change?

I can remember the first time I got into programming. My family got an Apple IIe and I taught myself BASIC so I could make it “do cool stuff”. This kicked off years of tinkering with computers, writing code and even building a few of my own. I loved building things and solving problems so I could get my program working just right.

Fast-forward (many) years later to my college years. While I started out in Computer Science, I quickly decided it wasn’t for me and switched over to an art/marketing degree plan. I kept my passion for programming, though. The internet was just starting to really catch on and it was another puzzle I felt drawn to try and solve. I spent plenty of time sitting in the computer labs at school learning everything I could about HTML, CSS, JavaScript and, eventually, PHP. When I graduated, my first job was using exactly that same technology.

My Early Career as an Engineer

The next twelve years were spent working at a variety of companies building web applications. All the while I was growing my knowledge of how applications should be architected and where new technologies could be integrated. As I grew in my knowledge and experience, I moved up the line, first to Senior Engineer, then Lead Engineer but then I reached a certain point and I felt like my knowledge was plateauing. It seemed like a lot of the same functionality was being requested and the same problems kept coming up. That same spark in the work I was doing had faded, so I decided to make a change. 

I took a step back and looked at what I enjoyed and where I felt I could grow. I had learned a bit about securing applications during my engineering career, but something about it struck a chord with me. I saw new challenges and new problems to solve. I saw how important security had become and wanted to be on the front lines, bridging the gap between development and security. 

Pivoting Into Application Security

Application security was a natural fit so I started digging in. I read as much as I could from multiple sources - books, online articles, tutorials - all refreshing some concepts and learning entirely new ones. 

My day-to-day was still programming, but I had a different perspective on it. I started to see places where the security of the application I was working on could be improved. I also learned more about security testing and, after trying my hand at it, found some endpoints that weren’t protected. Fortunately, we caught it before it was released and it felt good knowing I’d done at least a bit to secure the application. I knew that this was the direction I wanted to go.

Once I realized that I wanted to focus on application security, the next step was to find a role where I could not only explore this passion but also grow and improve my skills. I was definitely stepping outside of my comfort zone.

I interviewed at a few different companies but they weren’t quite a match. Finally, I interviewed with Salesforce for an AppSec role with a product with a large PHP codebase. It turned out to be a good fit and I got my first official application security job! 

I spent the next three years drinking from the security firehose, learning as much as I could. I worked directly with the development teams, collaborating with them on security reviews and implementations. My background in development came in handy too, helping me to see things from their perspective and make sure that I was putting things into a context where they could apply it easily in their day-to-day work. 

Ready to tackle my next security challenge, fearful of another plateau, I chose a security company. I came here to Duo, excited about moving into a more security-focused team. I’ve been here about two and a half years and am still learning new things every day and loving it.

My Advice to My Past Engineer Self Would Be...

The main piece of advice I would have given to myself back in my days of just writing code would be to take the time to learn some of the best security practices and, most importantly, integrate them into your daily work. Some of the resources linked down below are a great place to start.

I can remember thinking, especially when I was first starting out in the industry, that security was something to consider later. There was a time when the only concern in my mind was to make sure the code that I was writing was functional.

We’d take the feature request in, break it down into its parts and split out those tasks among the team. Unfortunately, security considerations weren’t included in that list and there wasn’t a push for it from those higher up the chain.

It sounds terrible to say now, but back then I didn’t care as much about whether what I was developing was secure. Most early-career developers focus on proof-of-concept vs. security. I knew some of the basics about securing web applications, like “there should be authentication” and “SQL injection is bad,” but I had no idea about more complex attacks. It wasn’t until later, after I really started digging into application security, that I realized how vulnerable some of the code I had written was.

I think every application security engineer that has come over from the development world has a story similar to mine. You don’t know what you don’t know, but once you learn something new you can work hard to better secure your code.

How Do You Think AppSec Engineers Can Work Best With Software Engineers?

Software engineers and security engineers have a lot in common. True, when I first started working in application security, I was surprised that some Application Security Engineers hadn’t done much programming at all. Others were like me and had come from a development background. While they have different areas of focus, the drive to learn and grow in their knowledge and experience was the same. We work best when collaborating. 

That’s the main thing I’d recommend to anyone in a security role. Don’t work in isolation, just passing a report back or just filing bugs. You need to build a relationship and trust with the engineers. Sit down and really understand what they’re working on and what they’re asking for. Sometimes that is just a report at the end of an assessment. Other times engineers need someone to work through a concept or feature to make sure they’re making the most secure product they can.

The engineer is not the only one who benefits; this collaboration is positive for the security engineer too. In working with the software engineer who spends the majority of their time in the code, they gain more perspective on the inner workings of the system and what really makes it tick. That way the security engineer doesn’t have to be an expert in the codebase; they just need to know who to ask for what kinds of details.

Each side brings their own specialized knowledge to the table, making for a good balance of knowledge and not requiring either to be a “jack of all trades.” Having engineering connections like this can be an invaluable resource and security engineers shouldn’t be afraid to ask questions to gain more context. In my experience, software engineers are more than happy to share if they know they’re being listened to.

My Favorite AppSec Resources

One of the recommendations I’d make to those either wanting to get into application security or those new to the field is to check out some of the resources the OWASP group has released. More specifically, I’d recommend their OWASP Top 10 list (most common vulnerability types, refreshed every few years), their “OWASP cheatsheets”, and some of the tools like the ZAP Proxy. Some of their information can be a bit out of date, as it’s a community-driven project so just be mindful of the date the resource was published on.

Outside of that I found that learning organically works well, starting with a source (like the Top 10 list) and working out from there, researching any terms or concepts I’m not familiar with. There are some topics that are a bit more elusive than others, though. Cryptography is a good example. I’ve always had difficulty wrapping my head around its concepts and with it being such an important part of cybersecurity, it was frustrating.

The basic concepts were easier to grasp but when I started to dive into the specifics of ciphers, block modes, and algorithms things started to get a little fuzzy. So, instead of trying to bite off a big chunk of knowledge, I took it slow. I learned more “hands on” during my day to day work, reading up on concepts and technology as they came up. This “bite size” approach still grew my knowledge without it being overwhelming and frustrating.

One last thing I would recommend to those security engineers that don’t have much experience in development is that they set aside some time to read about programming-related topics or, even better, write something in the language of their choice. It gives some amazing perspective on what software engineers do day-to-day and can help improve communication through common understanding.

We’re hiring! If your mission is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want you! Learn more at duo.com/careers


<![CDATA[Clear & Simple: Monitoring Access with Duo Trust Monitor]]> gattaca@duo.com (Dave Lewis) https://duo.com/blog/clear-and-simple-monitoring-access-with-duo-trust-monitor https://duo.com/blog/clear-and-simple-monitoring-access-with-duo-trust-monitor Industry News Tue, 13 Oct 2020 08:30:00 -0400

Trust is a fickle thing. Some people in life assume that trust should be implicit - that you can trust others based on little more than intuition, a smile or a handshake. Trust is a natural human condition and, as Malcolm Gladwell pointed out in his book “Talking to Strangers,” we have a tendency to default to trust.

Problems With Defaulting to Trust

However, defaulting to trust comes with its share of problems; the proverbial “wolf in sheep’s clothing” comes to mind. Good thing there are ways to verify trust and make sure we aren’t getting duped. In the real world, to establish trust we might rely on an initial verification like an introduction from a trusted friend.

The tricky part comes in maintaining trust after an initial verification. In the real world, there’s no need to be actively suspicious of an acquaintance. But, if things start going missing from your home when this, and only this, acquaintance stops by - well, then your level of trust may alter. Without jumping to the worst conclusions - it may be worth monitoring their behavior. 

In the digital world, multi-factor authentication can be an initial verification of trust - but there are strange contextual variables that should throw off red flags when it comes to assessing trust. 

Ockham’s Razor - The Simplest Explanation is Typically Right

But before we move into that discussion, I can’t help but turn attention to Ockham’s Razor. It is attributed to William of Ockham, a monk born in the year 1285. He has been credited with the problem-solving idea that "entities should not be multiplied without necessity." To put that in simpler terms, the simplest explanation is most likely the right one. So when we’re dealing with computer security we want to be sure that we have clarity in our information.

"Entities should not be multiplied without necessity" — William Ockham

Simplicity and Clarity in Security

Simplicity and clarity are two key tenets when thinking about monitoring trust. It is important to remember that the simplest answer when something goes missing is: you lost it. That being said, if you have a security camera above your garage and it shows your acquaintance entering and leaving with the lost item, the camera provides clarity into the situation.

From the perspective of trusting access to our networks and systems, simplicity and clarity take on different forms. For simplicity, it’s important to remember that humans act in strange ways - they go on business trips, they log in from coffee shops, they use their mother-in-law’s computer to access work email. The simplest answer is that strange access is probably just that: strange.

However, clarity means setting up the proper controls to provide context around access. When something goes wrong we need to be able to ascertain what has transpired in a clear and coherent manner and rather than defaulting to trust we need to be able to discover the likely answer with clear data. 

Get to Know Duo Trust Monitor

Enter Duo Trust Monitor. Duo is known for providing easy-to-use MFA to verify users are who they say they are. 

To expand on that offering by monitoring the trust of users, we are releasing new access analytics functionality. This Duo feature analyzes and models user authentication telemetry in order to create a baseline of normal user behavior. Once typical access patterns are observed, Duo Trust Monitor highlights high risk logins. 

Find anomalous behavior with Duo Trust Monitor

Reducing False Positives

A key difference between Duo Trust Monitor and many other access analytics tools on the market is our commitment to simplicity and clarity. It is easy to sound an alarm for every new device or login location — but this is a little like kicking your acquaintance out of the house for wearing a new outfit (false positive much?). The simplest answer is that if most of the variables are consistent — the user can still be trusted. 

However, Duo Trust Monitor does give customers clarity as to the historical context around user access behavior. The feature monitors many access variables, looking for anomalies along a variety of dimensions and between commonly associated variables (ex: it’s typical for a user to use X device while accessing from Y). This way, if an “acquaintance” shows up at your house at 3AM with a crowbar — you have the clarity to turn on the lights and sound the alarm.

Reduce false positives with contextual clarity

In a nutshell, Duo Trust Monitor helps the CISO sleep at night knowing that the information needed to ensure access trust is being actively monitored. The feature will seek out anomalies, but also reduce the number of false positives to ensure that we get to clear and concise answers.

We are born into this world hardwired to trust each other. We are set up with an ability to build connections with others. But, that doesn’t mean we shouldn’t monitor that trust, hopefully remembering that though the simple answer is probably the right one, it doesn’t hurt to have clarity and context. 

Try Duo For Free

Sign up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust.

<![CDATA[How 2FA Can Help Tesla Cars Stay Secure]]> fgonzalez@duosecurity.com (Felipe Gonzalez) https://duo.com/blog/how-2fa-can-help-tesla-cars-stay-secure https://duo.com/blog/how-2fa-can-help-tesla-cars-stay-secure Industry News Fri, 09 Oct 2020 08:30:00 -0400

There is no denying that the era of electric vehicles is upon us. These vehicles become ever more capable, with new features and improvements being delivered via over-the-air software updates. As software-centric vehicles become more ubiquitous, one question has been left unanswered. How do we protect them as individual owners and at scale for organizations?

Perform a quick Google search of Tesla MFA and you will find that many Tesla vehicle owners have requested the ability to protect their Tesla accounts, which control various car features, with some form of MFA (multi-factor authentication). It may sound like a dystopian future in which your car can be digitally compromised or remotely controlled — but the truth is that this is a reality in today’s world.

In 2019 alone, Tesla delivered close to 368,000 vehicles to customers, officially making it the leading electric vehicle manufacturer. Other electric vehicle manufacturers provide similar remote control capabilities of the vehicles through mobile applications as well. This remote control feature works very similarly from a network communication standpoint by leveraging APIs built for each vehicle type.

Reverse Engineering Tesla’s API is Possible

As with other technologies, if you understand the software architecture of the target and have the appropriate credentials to execute commands, then you are in control of that target. Tesla, for example, does not grant users access to their API, so consumers might think that security through obscurity is enough. However, there are many people with the skills necessary to reverse engineer APIs in today’s technology driven culture.

While obscure to many Tesla owners, teslaapi.io is a website dedicated to doing just that. Through their research they have deconstructed the commands necessary to achieve things like unlocking doors, setting a speed limit and stopping charging. This, combined with phished credentials, poses a threat to software-centric vehicles.

Customers Are Asking for MFA for Tesla Accounts

YouTuber Alex Venz even goes as far as demonstrating how to unlock and drive away in a Tesla in this video:


Tesla CEO Elon Musk acknowledged customers’ request for greater security in May 2019 with this tweet:

Elon followed up on this comment in November of 2019 with this tweet:

On his most recent tweet on the subject, he explains that a solution is on the horizon:

With time, we are certain that Tesla will deliver MFA Security as it has for other customer requested features, but until then the security gap still exists.

How Duo’s MFA Helps Software-Centric Cars

There are many security and user experience complexities that can come into play when deploying MFA at scale to an established user base. Duo is a leader in the industry not only for its world-class product — but also for the ability to make the user experience as easy and intuitive as possible.

Ease of use will be the leading factor in adoption and reception when Tesla deploys MFA to its consumers. As noted by user Pueo in this Tesla Motors Club forum thread, “Hopefully 2FA happens in a timely fashion”

On the other end of the spectrum, Porsche’s recently released Taycan shares similar remote control features with an added-cost service they call Porsche Connect. The security layer requires an owner to register via a website and obtain an activation code before being able to register their mobile device for remote control. While the website itself implements MFA via SMS for first-time logins, the process is cumbersome and does not directly protect the vehicle, but rather the service which makes remote control possible.

Individual owners might not find this security gap concerning, but organizations that use these vehicles as part of their business will seek to protect their assets. We hope to see the reach of these vehicles expand to ride sharing and rental services in the near future. With that comes a new perspective on the ability to manage these vehicles. Organizations go to great lengths to protect their digital infrastructure, and we believe that electric vehicles will soon fall into that category.

As Jim Simpson, Director of Product Management at Duo put it, “What are the security implications of having a fleet and how do you manage that?”

We believe support for MFA is a good starting point in protecting these assets, but that will only be the beginning of the security journey for software-centric vehicles and the organizations which leverage their incredible technology.

UPDATE: At the time of this writing it appears Tesla has just added 2FA. 


<![CDATA[WEBINAR: 4 Election Security Educators Walk Into a Panel]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/webinar-4-election-security-educators-walk-into-a-panel https://duo.com/blog/webinar-4-election-security-educators-walk-into-a-panel Industry Events Thu, 08 Oct 2020 08:30:00 -0400

What happens when four election security specialists gather together to talk shop? They dispel myths, share deep knowledge, and bring clarity to the state of our elections. As confusing contradictory messages abound on both sides of the aisle, we’ve assembled a crack team of election security educators in different fields to help explain to voters what exactly is going on.

(Pro tip: Don’t panic! Disinformation campaigns on the regular are normal and happen every election.)

If you have questions about the security around the logistics of holding national elections during a pandemic, the increase and safety of mail-in ballots, the growing adoption of electronic voting machines and online registrations and how hackers might try to use malware to disrupt them — then this is one webinar you will not want to miss, as we round the homestretch toward the November 3rd election.

Meet Our Panelists

  • Maggie MacAlpine, a co-organizer of DEF CON’s Voting Village and recently featured in HBO’s “Kill Chain,” will outline what we’ve learned from security testing electronic voting machines as well as her experience as an election volunteer.
  • Michael Daniel, an election security policy expert and former cybersecurity coordinator for the Obama administration, will share historical context we can apply to the current election and why our election systems are more resilient than one may think based on the news.
  • Matt Olney from Cisco Talos will review recent research by his team on foreign disinformation tactics for election disruption, and why election results are not their true target.
  • Rachel Tobac, CEO of SocialProof Security and a frequent commentator on social engineering stories for outlets like CNN and the New York Times, will explain why those managing elections often pose a more attractive target for attackers than hardware.

“I’m looking forward to this panel because we’re getting to dig past the ubiquitous surface-level discussion of election security, and really break down the puzzle pieces that make up the whole picture. Our goal is that everyone who attends will walk away with a deeper understanding of the election safeguards we have in place and why this election isn’t as unique or unprecedented as one might think!” — Zoe Lindsey, Security Strategist at Duo

Recommended Election Security Info

To prepare for the big day, we’ve also assembled some great election security information for your consideration: 

  • LISTEN: Cisco’s “Security Stories” podcast brings CISOs center stage to discuss important topics. The podcast recently explored election security with Curtis Simpson, Chief Information Security Officer at Armis.
  • WATCH: This Government Matters webinar brings together thought leaders from the public and private sectors at all levels of that effort – to outline the challenges, share the best practices, and address the impact COVID-19 could have on election security in 2020.

The webinar will be recorded and we look forward to seeing you soon!


<![CDATA[How to Secure Your Amazon Account With Duo 2FA]]> joshking@duosecurity.com (Josh King) https://duo.com/blog/how-to-secure-your-amazon-account-with-duo-2fa https://duo.com/blog/how-to-secure-your-amazon-account-with-duo-2fa Industry News Mon, 05 Oct 2020 08:30:00 -0400

Secure Your Amazon Account

You have upped your Amazon game and find that you are ordering more and more things online from groceries to gifts, when suddenly you notice it. Uh oh. You’re looking through your purchases on Amazon and see a few things that you definitely didn’t buy. Looks like someone gained access to your Amazon account and is spending all your hard-earned cash on an Amazon shopping spree!

Keeping hackers out of your Amazon and other shopping accounts is simple with Duo's two-factor authentication (2FA), which is available for free at the Google Play and Apple App store.

You can use Duo to secure your other online accounts like Instagram and Twitter too!

With the shopping season right around the corner, I wanted to show you how easy it is to secure your online purchases using Duo Mobile!

How To Set-Up Duo 2FA With Your Amazon Account

Let’s take a look at how to protect your Amazon account using Duo Mobile. 

Step 1

Log in to your Amazon account, and go to “Your Account” settings.

Step 2

Click on the “Login & Security” settings.

Step 3

At the bottom of the list, click “Edit” in the “Two-Step Verification Settings” section.

Step 4

Click “Get Started.”

Step 5

Select “Authenticator App” for your Two Step Verification.

Step 6

Open Duo Mobile on your smartphone. Tap the “+” button in the top right corner, and scan the barcode that appears on screen.

Step 7

Once you scan the QR code, an Amazon account will appear in Duo Mobile. Type the passcode that appears in Duo Mobile into the text box under the QR code in your browser.

Step 8

Amazon requires a phone number as a backup form of Two-Factor. Put in your phone number, and click “Call me now” to verify your phone.

Success! Your Amazon Account is Secure!

You’re all set! Whenever you log in, you’ll use a 6-digit passcode from Duo Mobile after your username and password. You’re now secured with two-factor authentication (2FA) and you can be confident in your online shopping, knowing Duo has your back.

Duo Restore for Third-Party Accounts

Ditching your old phone? Don't forget to transfer your two-factor authentication (2FA) accounts to your new phone. Knowing how important it is to access your accounts when you need to, Duo has developed an easier way to get your Duo-protected accounts set up on your new phone or tablet so you can continue to verify your identity when logging in, preventing a potential account lockout. It’s really easy. Learn more. 

Download Duo's free 2-Step Authenticator App available at Google Play and the Apple App store. 

See the video at the blog post.

<![CDATA[How Duo + Microsoft Zero Trust Integrations Work: SANS, Azure & BYOD]]> noelle@duo.com (Noelle Skrzynski Hardie) https://duo.com/blog/how-duo-microsoft-integrations-work-sans-azure-and-byod https://duo.com/blog/how-duo-microsoft-integrations-work-sans-azure-and-byod Industry News Fri, 02 Oct 2020 08:30:00 -0400

The Current Security Landscape

The shift to remote work has had IT security ramifications: not only are people using both their personal and corporate-managed devices to access business applications, they’re also logging onto systems from various locations, sharing devices with family members, and installing various software for personal use. While these changes are in some ways necessary to adapting to all that’s happened in the last year, they also provide opportunities for attackers.

This year has seen a rise of attacks targeting cloud services, with Microsoft Office 365 being the most commonly targeted service. So how can organizations better track what’s happening in their environments and protect their employees’ identities while securing access to their Microsoft applications from any device? 

A Better Approach to Security: Zero Trust 

Zero trust is an approach where trust is established for every access request, regardless of where the request is coming from, by requiring multiple factors to confirm before granting access. This method secures access across applications and networks, ensuring only the right users and devices have access. Taking a zero trust approach to security can extend trust by providing visibility and adding layers of protection which are easy for end users and support modern enterprises with BYOD (bring your own device), cloud apps, hybrid environments, and more.

Duo delivers zero trust for the workforce by verifying the identity of users and the health of their devices before connecting to the applications they need. 

The Three Pillars of Duo’s Zero-Trust Approach:

1: Establish User Trust 

Duo provides a set of tools for verifying a user’s identity through our strong multi-factor authentication (MFA, or two-factor authentication), which asks for validation via something you know, something you have and something you are. According to Microsoft, using MFA prevents 99.9% of account hacks. By gathering information in the context of the user’s access request, such as location of access, time of access, network of access and the device used to request the access, Duo can greenlight or block a user’s access.

Our MFA solution is one of the most easy-to-use and secure solutions out there, both for end users and administrators. Administrators can deploy our solution quickly and efficiently (rollouts can take merely a few days), and end users have the option of self-enrollment, which empowers them to enroll themselves without impacting productivity, therefore saving time.

Our MFA solution is also incredibly secure, supporting out-of-band methods such as Duo Push, and providing flexible authentication options such as SMS, OTPs, and soft tokens through our mobile application, as well as more advanced methods such as universal two-factor authentication using security keys such as Yubikey.

Duo can work with any application, whether it’s a cloud-based SaaS application like O365, an on-prem environment, or a hybrid environment.

2: Establishing Device Trust

Because Duo is in the application access path, we can provide complete visibility into all devices accessing Duo-protected applications. Many organizations underestimate the number of devices accessing their networks, but Duo can help inventory previously undetected devices. For example, we had a customer’s IT team discover that there were twice as many devices connecting to their network as they had accounted for.

Duo can also perform posture (security risk) assessments on these devices by checking if the device is corporate-managed, if the operating system and browsers are up-to-date, whether Java plugins are installed, or if password encryption is turned on. And because we follow the zero-trust framework of “never trust, always verify,” these checks are performed every time access is requested, creating a tight ring of security around your organization’s network.

3: Enforcing Adaptive Policies

Duo enables rich user and device context, as well as adaptive granular policy controls. For example, a typical policy of Duo customers might limit access to users in the US who are using a particular set of networks with a particular set of IP addresses from a managed device. In this way, Duo allows the organization to adhere to whatever compliance frameworks are required.

Duo’s policy engine is quite robust, enabling organizations to set policies at a global level for the entire organization, at each application level based on the sensitivity of the application, or at a user group level based on that group’s set of privileges. There are many levels of controls and policies for access that can be set at a granular level. This is truly one of the most important security features Duo offers. 

Providing Duo’s Zero-Trust Security Framework to Microsoft Environments

Duo has a great partnership with Microsoft. Currently, we have over 10,000 joint customers, including Qualcomm, Expedia, 3M, and MIT, and over 5,000 of these customers use Duo to protect Azure Active Directory. And these customers are not just using Duo for our expertise in MFA, but for our expertise in security, including our device hygiene and policy engine. 

Wherever you are in your journey to the cloud, whether your directory is in AD or Azure AD, or you’re in the process of migrating from Outlook to Office 365, Duo can protect your applications securely and with the same ease of use. 

How Duo Protects Microsoft Azure

Duo natively integrates with Azure AD’s conditional access policies, as well as secures access to remote desktop, Exchange, and O365 deployments. In fact, with the move to remote work, Duo has seen RDP authentications go up by over a million authentications a day. Duo also has the ability to protect offline access into Windows machines using OTP and U2F tokens.

How Duo Secures Managed Devices

In a basic use case, organizations want to set policies that allow only managed devices to access certain applications. There are different ways to do this, but in today’s remote world, where the VPN load is being tested for many organizations, IT administrators are asking users to connect to the VPN only when logging into network devices, and to access SaaS applications over the internet, in order to manage bandwidth.

In this situation, there’s no easy way to check whether the device is managed or not. However, Duo’s authentication workflow can intercept the access request, and thanks to our recent integration with Microsoft's Intune, allows you to check if the device is enrolled in your Intune management system. Alternatively, we can check to see if the device is a Windows AD domain-joined device. 

How Duo Protects Unmanaged Devices

A second use case we’ve seen embraces bring your own device (BYOD). Typically these devices are outside of IT’s control, and it can be hard if not impossible for them to check if the device has a high enough level of hygiene to grant application access.

Luckily, Duo has several options, including an agentless option, which assesses device hygiene through browsers. We also have a lightweight client, the Duo Device Health application, which checks the device hygiene at the time of access, and only performs certain checks.

Duo's Device Health Checks Include: 

  • Is the Windows OS updated? 
  • Is the device encrypted?
  • Is it password protected?
  • Is Windows Defender running?
  • Is the firewall enabled?

In Summary

Duo protects Microsoft applications by verifying the trust of the user and the health of the device before granting access to the application, and we do this each time access is requested. 

We do this with our consistent access policies, whether the applications are in the cloud or on-prem, online or offline. We deliver speed to security through our native integrations with Office 365, Azure Active Directory, and Intune, and through self-service workflows, which can be deployed in minutes. (Yes, minutes! In previous speed tests, one of our security engineers was able to set up a native integration in Azure AD in less than five minutes.)

We balance security with user experience by reducing friction, boosting productivity, and allowing for customizable policy controls and self-remediation options to decrease helpdesk tickets. All of these things allow you to mitigate your risk due to BYOD, and Duo helps you do this by improving device visibility and risk assessment options without agents and without performing actions without the user’s permission.

For a more in-depth discussion on simplifying remote work and reducing risk with Microsoft and Duo, please take a look at this recent webinar (below), hosted by SANS Analyst Dave Shackleford, and Duo’s Leya Leydiker and Ganesh Umapathy. 

See the video at the blog post.


<![CDATA[Making Duo Even Easier: Improving UX With the Universal Prompt Project]]> swolfkostin@duosecurity.com (Sierre Wolfkostin) https://duo.com/blog/making-duo-even-easier-improving-ux-with-the-universal-prompt-project https://duo.com/blog/making-duo-even-easier-improving-ux-with-the-universal-prompt-project Industry News Thu, 01 Oct 2020 08:30:00 -0400

As verifying our identity becomes a more fundamental and frequent part of our regular online experience, ease of use becomes paramount. First, it can change how we see the role of security in our lives.

Beyond our personal experience, making two-factor authentication easier can also impact the overall productivity of our company or organization.

"If we make “the right thing to do the easy thing to do,” then staying safe online can be a positive part of our regular routine." — Sally Carson, Duo Design Leader.

Fundamentally Redesigning Duo

We recently announced the Universal Prompt Project, an extensive redesign to Duo’s core authentication product. It is part of our mission to combine the most secure with the most user friendly experiences, making online safety feel as easy as possible.

Today we’ll be taking a deeper look at one of the project's core pillars — ease of use — and examining how we’re making the Universal Prompt and Duo Mobile app a more seamless experience for our users.

An Easier Prompt Experience

Over the last two years, we’ve been extensively researching how our users (internally, we use a persona named Lee) normally log in and experience the Duo Prompt. Our interviews and usability tests revealed a few key areas that, together, could have a huge impact on improving its ease of use.

Last Used Method

Our research shows that most Duo users only use a single authentication method — a Duo Push, text message, and so on — when logging in. However, the current Duo Prompt displays a bunch of options every time, even if you only ever choose one.

To speed up the experience, our new Universal Prompt will display your last used authentication method whenever you log in, saving you a click and making the experience even faster.

Pick your favorite option, and it automatically displays the next time.

Auto-Push Notifications

Duo Push is by far the most popular method for 2FA, representing over 45% of Duo’s identity verifications worldwide. It’s already one of the easiest methods, allowing you to tap a single button that sends a push notification straight to your phone, to approve or deny. During the redesign process, though, we challenged ourselves to ask — how might we make receiving a Duo Push even easier?

One feature that we’re actively testing for the Universal Prompt is having auto-push set as the default behavior, so at the moment you need to verify your identity, a push notification is already available on your phone.

Simply check your phone and tap to approve

Remember Me

The Duo Prompt has an awesome feature called “Remember Me” that allows you to trust your browser and thus bypass 2FA in the future, saving lots of time and energy. In our user research, however, we discovered that the “Remember Me” checkbox was relatively easy to miss, and buried underneath a few other options that made it hard to distinguish on the screen.

With the new Universal Prompt, there’s a more visible call to “Remember Me” that makes it easier to discover, select, and save. Now you can more easily remember your browser and save time logging in when visiting the prompt in the future.

We’re actively A/B testing a few variants to determine what can save the most time, for both you and your organization.

Easily remember a session and bypass 2FA in the future

An Easier Mobile Experience

Guiding Users Along the Way

As mentioned earlier, Duo Push is by far the most popular option with end-users to verify their identity. The onboarding experience is pivotal because it is the very first impression a user has with a product. This is the critical moment to educate and build trust with a user. In user research, we observed users onboarding to use Duo Push for the first time, and took note of where and when the process might be simplified and improved.

The new onboarding experience will provide security education along the way and allows users to practice when to deny or approve a Duo Push. In testing, we've found a dramatic increase in Duo Mobile's ease of use score. This means that users feel more confident about their Duo Push onboarding experience, and they are enabled to set up Duo without needing IT admin support.

Educating end-users during onboarding

Designing For All Types of Users

The Mobile experience is also updating to a modern card-based approach for organizing accounts. We know from usage data that Mobile end-users range from having one account to having 4 or more. And from power user feedback, we heard how cumbersome it is to scroll through many accounts and recognize the difference between them. To address this, the new card design enables similar types of accounts to be grouped together without complicating things for users with only one or two accounts.

In addition to a new card-based layout, we updated how to manage each account. In user research, we found it was difficult to locate how to do this in today's app. Now, this functionality has moved to the top right-hand corner of each account, which drastically improved discoverability in usability testing.

New card-based design to support multiple accounts


Ease of use is important, especially as verifying our identity becomes a more fundamental and frequent part of our regular online experience. It can change how we see the role of security in our lives, and help large groups save thousands of hours for their people.

As Duo continues to scale with the Universal Prompt Project, one of the biggest — and most rewarding — challenges has been to keep radical simplicity at the heart of everything we do.

“The true enemy of security is complexity. The most important thing we can do to stay safe is simplify and get the basics right.” — Dug Song, general manager of Cisco Zero Trust and Duo Security

What’s Next?

We’ve got a lot more to tell you about the Universal Prompt Project, so look for regular blog updates as we delve into more detail on each component of this project.

As we get closer to making these changes generally available, we will provide guidance on planning your migration to the Universal Prompt, including:

  • Communications templates for your organization and end-users
  • Updated documentation and Duo Knowledge Base articles
  • Tools in the Duo Admin Panel to track your progress

Today, we invite customers interested in participating in a private preview of the new Duo Universal Prompt to fill out this brief interest form. We will begin reaching out to you for your help in testing and deploying the future of Duo!


<![CDATA[Duo Central: Securely Access All of Your Cloud Applications]]> dgainer@duosecurity.com (Darcie Gainer) https://duo.com/blog/duo-central-securely-access-all-of-your-cloud-applications https://duo.com/blog/duo-central-securely-access-all-of-your-cloud-applications Industry News Mon, 28 Sep 2020 08:30:00 -0400

Less Effort = A Single Dashboard For Apps

I am guessing most people have experienced that feeling of excitement when you finally decide to press buy for something you have been thinking about for a long time. Perhaps it is a site that you purchase from a few times a year and you already have an account. But the first three passwords you try fail and then you have to reset it. That reset email goes to an account you aren’t signed into and ugh - that 2 minutes of happiness turns into a 15+ minute affair to finally buy the darn thing.

When applied to our work worlds, that sort of delayed access experience can have a profound impact. It’s what is called “switching costs” — when we have to complete a new task with new information. Not only does it take us out of our current flow, but it can continue to impact our focus and productivity after the fact. (By the way, we stink at multitasking and this only exacerbates that issue.) Add that to our daily deluge of emails, chats, meetings, social media and news and it starts to become clear why we are all stressed and tired. Our brains seldom get the time to truly focus on one thing and do that thing well.

It may seem silly, but every little thing we can do (especially in these times) to lessen that cognitive load matters. It matters to you and your users’ health, it matters to the security of your organization and it matters to the quality of the work we do.

Duo’s new SSO (single sign-on) helps by enabling your users to access applications with the same username and password. That takes care of one part of the equation. The other is locating applications.

Introducing Duo Central

Duo Central makes life even easier by giving users a single place to access applications. Part of our new SSO, Duo Central is a cloud-based site where users log in once to see and launch their cloud applications. No more looking through bookmarks, searching your memory or asking a co-worker. One password and website means switching costs are drastically reduced and users can stay focused and productive.

We are excited to announce that Duo Central is available starting this week in public preview. It is a part of our new cloud-based SSO that is included in our MFA, Access and Beyond editions.

It will be available in your admin panel - you will first need to set up the new SSO. We host it and best of all, it's a simple process to enable and configure. It typically takes less than a half hour.

“Everything in our new SSO has been designed with both security and ease of use in mind. Duo Central is the culmination of that effort. The overwhelmingly positive reaction from our test customers has us excited for the impact it will have.” — Chris Anderson, Duo Product Manager

Duo Central is unique to your organization and users will only see the applications to which they have access. You can create universal policies and security requirements or customize by group membership or applications. Duo Central is our cloud-based single dashboard for all of your apps in one place. Duo’s Access Gateway, or DAG, is our on-premise SSO single dashboard for applications.

Early adopters love that their apps are in one central location — especially the ones they may access less often. Using SSO to reduce passwords and locate applications in one place improves security, reduces frustration, and lowers support costs. This is just the beginning for Duo Central - we will continue to add more features and as always - we love to hear your feedback.

You can learn more about Duo Central by visiting our documentation.  


<![CDATA[Cisco Rides the Wave of Zero Trust and Is Named a Leader]]> arogerson@duosecurity.com (Amanda Rogerson) https://duo.com/blog/cisco-rides-the-wave-of-zero-trust-and-is-named-a-leader https://duo.com/blog/cisco-rides-the-wave-of-zero-trust-and-is-named-a-leader Industry News Thu, 24 Sep 2020 08:30:00 -0400

"Cisco pushes the Zero Trust envelope the right way" — The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers Q3, 2020

Back in 2010, Duo Security’s co-founders Dug Song and Jonathan Oberheide set out to make cybersecurity stronger, easier, faster and accessible to all. Essentially, Duo’s mission was to democratize security.

From the start, the principles of zero trust were baked into Duo’s core product, multi-factor authentication (MFA) and our ethos. Our goal was to secure how users and devices access applications — which is the foundational cornerstone of what became zero-trust security.

Fast forward eight years, and Cisco acquired Duo to add a key component to its growing zero-trust security strategy. Cisco’s idea was to build out a holistic zero-trust framework to help customers easily and cost-effectively achieve zero-trust security in their organizations.

The resulting Cisco Zero Trust platform has earned Cisco the designation of a zero-trust leader in The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers, Q3 2020.

Forrester gave Cisco the highest scores possible in the report in the criteria of ZTX vision and strategy, market approach, ZTX advocacy and the future state of zero-trust infrastructure.

Achieving Zero Trust With Cisco

Cisco Zero Trust gives our customers a comprehensive approach to securing all access across any applications and environment, from any user, device and location. Security is not a one-size-fits-all proposition, even within the same enterprise environment.

When approaching security using the zero-trust model, it is easier to break adoption down into three pillars: the workforce, workload, and workplace.

Cisco Zero Trust for the Workforce

Your workforce comprises the users and devices accessing applications and services. The easiest entry point for a zero-trust security model is to secure your workforce and their credentials. Homeland security recommends MFA to protect the most sensitive systems because MFA has been proven to prevent stolen credentials 99.9% of the time, according to ZDNet.com.

Cisco Zero Trust delivers solutions that establish trust in users and their devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application and are tailored to your unique organizational structure.

Protecting the Workforce With Duo

The Duo solution is pivotal to securing this workforce in the Cisco Zero Trust story. As a part of Cisco, Duo has continued its mission to democratize security and provide the balance between security and usability. New features like Duo Mobile instant restore, expanded WebAuthn support, and improvements to user sync make it easier to verify trust in users accessing systems.

We’ve also improved the way that users can access applications through enhancements in our policy engine, providing modern remote access, and a cloud-native SSO (single sign-on) solution. Another addition, Duo Trust Monitor, tracks and reports on anomalous user behaviour, helping organizations continuously verify that repeated access attempts can still be trusted.

Duo further demonstrates our commitment to verifying trust in devices with our release of the Duo Device Health App and expanding our Trusted Endpoint ecosystem with more integrations like Microsoft Intune. Cisco achieved the highest score possible in the device security criterion; we feel this validates the investments that have been made in this area.

Duo + Cisco: Better Together

Duo has been working diligently within Cisco to deepen our integrations across the portfolio. Through our integration with Cisco Secure Endpoints (AMP) we can leverage the solution's ever-evolving knowledge of threats and compromises to enable Duo to automatically block access to any Duo protected application from an endpoint that has an active compromise. To simplify and streamline deployments our integrations with Meraki Systems Manager (SM) provide secure, cloud-based endpoint control and provisioning to ensure that Duo Security is delivered and configured easily with security established before the first use. Integrations across solutions like Duo and Secure Network Access and Secure VPN allow us to bridge the connection between the workforce and the workplace and provide deeper and more streamlined layers of security. We believe Forrester recognized these efforts as well.

"The Duo Security offering has been fully integrated into the Zero Trust focused Cisco Zero Trust portfolio approach for the Workforce, Workplace, and Workload (WWW)." — The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers Q3, 2020

Paving the Way for the Future of Zero Trust

At Cisco and at Duo, we aim to shape the future of cybersecurity. Members of our team are involved in workgroups such as the FIDO Alliance, developing standards for WebAuthn, and the committee that worked to define NIST’s SP 800-207: Zero Trust Architecture (ZTA) guidance.

We aren't done yet! We have big plans. The mission to democratize security is ongoing. We think there is a reason Forrester gave us the top score possible in the future state of zero trust infrastructure criterion. Stay tuned.

Check out the full The Forrester Wave™: Zero Trust eXtended Ecosystem Platform Providers Q3, 2020 report now and learn more.


<![CDATA[#WeAreDuo Employee Spotlight with Laura O'Melia]]> wtellache@duo.com (Whitney Tellache) https://duo.com/blog/weareduo-employee-spotlight-with-laura-omelia https://duo.com/blog/weareduo-employee-spotlight-with-laura-omelia Industry News Wed, 16 Sep 2020 08:30:00 -0400

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer, Account Executive etc. at Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo? 

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Field Marketing Manager, Laura O’Melia to learn about what she does and her experience at Duo. 

Laura O'Melia

Employee Name: Laura O'Melia

Title / Department / Office Location

Field Marketing Manager / Austin, TX

How long have you been at Duo, and what do you do here?

I joined Duo in April 2017. I have an assigned territory and am responsible for lead generation from events. I decide what events are a good match for us.

What's your day-to-day like at Duo?

No day is ever the same, and I love that about my role. I spend time meeting with vendors to learn about different events and sponsorship opportunities. Depending on where I am in the planning phase for a particular event, I might work on deciding what the best content is to take to an event and what our overall messaging will be, which handouts will resonate best with the audience or what videos to display in our booth. I attend team meetings with sales to present on marketing campaigns, share results, and understand what their priorities are so we can align marketing programs to help achieve our goals. I travel about 30% to attend events so those days start early with setting up our space, working the event and end late after tear-down happens and networking with new friends.

What tools do you use to help you do your job? 

I use a handful of tools in my day-to-day to perform in my role. BrandFolder is our content repository of Duo Brand Assets, customer facing documents, images, and other resources I use when planning events. I live in Google Drive; that is where my planning folders, checklists, and notes for everything live. When collaborating with my Cisco teammates, we use SmartSheets and Office 365. Salesforce of course for tracking my campaigns, leads, and pipeline results along with some dashboards and reports to give me insights and metrics into my campaigns. Slack and WebEx Teams for collaborating with team members. Another tool that the Marketing team relies on for project management and tracking requests for special projects is Wrike. Having the right tools that work together makes the work we do more seamless and efficient. I am so thankful to have access to great tools that help me get my job done.

How do you and your team collaborate with other teams within Duo?

To be effective, it is imperative that we work with other teams across the business. Customer facing events require a team effort. We have a regular cadence in place to request speakers as we often need them to keynote or take part in a panel at an event. The Field Marketing team along with the Demand Gen and Marketing Operations team meet regularly to sync on processes, share any changes or updates, and brainstorm on ways we can improve. I have found that at Duo everyone is more than willing to help out and learn together, so something as simple as sitting in the break room to chat about something or going to get coffee is a fun and easy way to work together to overcome any challenge.

How did you get your job at Duo?

I had worked in technology for large and small companies, but never a medium-sized startup, like Duo. A friend mentioned Duo to me and a quick LinkedIn search revealed that someone I used to work with was a Solutions Engineer at Duo. I reached out to him to see how he liked it, to learn more about the company, and if there were any open roles they were hiring for that I would be a fit for. The more I spoke with my recruiter and met the team, I knew this was the place for me. Everything I learned made me more excited for the opportunity and I’m so happy to be here, doing work I love with amazingly smart people.

What is the first thing you do when you come into the office? 

Prior to the pandemic, I would say hi to our friendly lobby ambassador who is always there when I step off the elevator.  I put my bag down and head to the kitchen where the cold brew is on tap. At my desk I review my to-do list, identify if there are any frogs I need to eat first then get to work. 

Any big projects or goals you're currently working on?

Duo is expanding internationally, and I am working on moving to Sydney, Australia for a two-year long-term assignment. I’ve been building new relationships with vendors, partners, customers, and sellers in ANZ (Australia and New Zealand) and producing virtual events for our customers and prospects down under. I’ve been reading more Australian news and keeping up with the state of cybersecurity over there. Looking forward to actually being in region, when it is safe to travel again and doing live events for customers.

What’s an important lesson you’ve learned while working at Duo?

Try new things, think outside of the box, and don’t be afraid of failing. I am a big believer in failing fast and failing often, but fail forward. Sometimes it will be the wrong decision, but you won’t know unless you try. Trying something new could just be the missing piece to helping you grow exponentially. To truly live up to our value of "Engineer the Business," risks and failures are inevitable. Knowing that failure is a stepping stone to success helps me to keep going and looking for new ways to be better.

How is Duo different than other places you've worked?

Everyone at Duo is happy to show up to work and brings their full "real" selves with them. We are one big (and growing) family that celebrates together, respects each other, and wants the best for everyone. It is not common to hear complaining or negative attitudes, which makes for a great work environment.

How is your role at Duo different from roles you've had with other companies?

I feel that our team dynamic is strong and continuing to get stronger every day. Rather than working in silos and trying to do everything on our own, we have a well-rounded team of people with different strengths. We leverage everyone on the team to do our roles successfully. I have support from other facets of the marketing team that are all critical in helping me achieve what I need to do. I have never had this much support in working in tandem with others as I have now.

What would you tell someone considering a role at Duo?

This is a special place filled with passionate people. A good book to read that describes the culture here well is “The Ideal Team Player” by Patrick Lencioni. If you are ready to be part of a team that works hard, has fun, and learns together, Duo is a great place.


We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

<![CDATA[Rolling Out Duo in EMEAR – Answers to the Top 3 Customer Questions]]> yerbil@duosecurity.com (Yasemin Erbil) https://duo.com/blog/rolling-out-duo-in-emear-answers-to-the-top-3-customer-questions https://duo.com/blog/rolling-out-duo-in-emear-answers-to-the-top-3-customer-questions Industry News Mon, 14 Sep 2020 08:30:00 -0400

In Customer Success, we help customers get the most from Duo, which means getting to security fast, integrating Duo with all sorts of applications, and enabling a smooth end user and admin experience. I have been a Senior Customer Success Manager at Duo in the UK for two years and have had most customers ask me for advice on how to best deploy Duo. There is a method to the madness, and in this blog I will lay out the top three best practices for deploying Duo.

Duo Care is hands-on help throughout the Duo deployment and once established, your Duo Care team will highlight any new features that are coming out with the opportunity to join a private preview or an active development program. On an ongoing basis, your Duo Care team will run through security health checks and account reviews with you. You can regard us as an extension of your team, there for you with continued guidance through the changing security landscape. 

Answers to the Top 3 Customer Questions on Deploying Duo

Let’s look at the three questions that we hear from customers and break them down below: 

1. Is My Timeline for Deploying Duo Realistic?

After a customer purchases Duo and Duo Care, they usually have an idea how long it might take to deploy Duo based on previous solutions they have rolled out or based on change control processes they have in place. 

I’ve worked with a government customer who recently asked if rolling Duo out to a few hundred users in six months was realistic. 

Previously, our teams have enabled customers to roll out Duo over a weekend to thousands of users in a breach situation.

More recently, due to the pandemic, we have rolled out Duo on shortened timelines for customers and loads of new remote workers who need secure access.

My standard answer to this question is that we can run or walk as fast as the customer needs. We have experience with all situations and can share recommendations based on previous experience in that sector.

2. What Factors Should You Take Into Consideration When Choosing Which Applications to Start With During Deployment?

Usually, I recommend starting with a risk assessment of the business and user groups, and with the most commonly used applications and applications with sensitive data, like Microsoft O365.

During a kick-off meeting with the customer, we will run through the customer’s specific situation and define the goals of phase 1 of the roll-out: which applications (sequential or at the same time), go-live dates, user numbers, etc. together as well as metrics to hit. Depending on the technical resources available and the specific customer context (breach, compliance requirement) the top priorities may change. 

The CSE (customer success engineer) is the technical expert who will work on the various technical integrations that can all be found in our documentation laid out here

3. Why Is End-User Communication Such an Important Element to the Duo Deployment?

We are creatures of habit, so changing any bit of the daily end user workflow may be met with resistance initially. Asking for any modification to the way someone starts their work day with their login process and coffee or tea requires succinct communication. We suggest that the user guide and the end user communication templates are used as they help explain to the end user why the change is coming, what is required of him/her and when.

As a Customer Success Manager, I work closely with the customer’s communications department to advise how to best reach the various end users. (Hint: it may not always be email and we may have to get creative with posters in warehouses).

In addition, Customer Success can point you to the most relevant bits in a wealth of marketing resources we have available, such as the customer deployment kit or security education, or other customers’ intranet pages with FAQs and enrollment tips.

Our Duo Care team is on hand to help tailor the messaging and work on a communication strategy as this is key for a successful deployment. When a deployment is done well, the impact on the Help Desk will be low. At Duo, we pride ourselves that our technology is drop-dead simple to use and Duo Care enables you to work through complex IT environments, challenges of advanced deployments, and limited resources while ensuring speed to security.

If you’re interested in Duo Care and would like to learn more, see Duo Care or speak to your Duo or Cisco Account Executive.

Try Duo For Free

Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust. 

<![CDATA[How to Secure Internally-hosted Applications and Servers Accessed Remotely]]> gattaca@duo.com (Dave Lewis) https://duo.com/blog/how-to-secure-internally-hosted-applications-and-servers-accessed-remotely https://duo.com/blog/how-to-secure-internally-hosted-applications-and-servers-accessed-remotely Industry News Wed, 09 Sep 2020 08:30:00 -0400

Years ago I remember sitting in a cramped musty basement office surrounded by a curious array of computers, servers and old monitors. I was sipping tepid coffee and staring at a flickering CRT monitor that was slowly draining my joie de vivre. While to the external viewer this would have seemed as depressing as an Eastern European art film, this was a challenging project. I was in the process of building a reverse proxy. Why? Because my boss thought it would be a neat project. There was no business case at the time. But that planted a seed in my mind that has stuck with me ever since.

If we think of Zero Trust as a journey, protecting cloud apps is a relatively easy first step. The real headaches come when dealing with those tricky applications that are on-premises or homegrown. How about remote access to servers? What type of access is given to contractors? The move to remote work has brought those challenges front and center for a lot of us. 

Flash forward to today and I find myself talking to customers around the world and drawing on that experience in the basement. Historically there has been a bent towards a fortified perimeter with guards on the castle walls but, if we’re being honest with ourselves, that is a depreciated and risky notion.

The Remote Workforce is Everywhere

How do we secure internally-hosted applications and servers accessed by remote workers and contractors as well as we do our SaaS applications? Remote access is often painful and slows productivity or runs the risk of giving too much access to the wrong users. The modern perimeter is now anywhere an access decision is being made. 

Would it not make more sense to get a firm grasp on where and how those access decisions are being made? Case in point is that you would not want me sitting at a coffee shop in Toronto with the ability to log directly into your customer database or email solution simply because I knew the password. There is nothing to validate that I am in fact supposed to be there in the first place. A reverse proxy will sit inline to validate my credentials leveraging MFA to ensure I didn’t just have a lucky guess.

The Duo Network Gateway Secures Applications Remotely

Enter the Duo Network Gateway, or more succinctly, the DNG. It provides organizations with the ability to secure access to applications that you need in order to ensure that the lights stay on and your business can continue to operate. It allows you as an IT or security professional to control the users and devices that access these applications. 

It lets you better control access to your internal resources such as Jira or Splunk, as well as cloud-delivered applications such as Outlook 365 and Salesforce. It even secures SSH connections, allowing you to sleep at night knowing that the risk to your enterprise is being addressed.

How the Duo Network Gateway Works

To better connect the dots we can use this example: users would first authenticate to the Duo Network Gateway and then they would need to approve a two-factor authentication request prior to accessing your enterprise protected services. Session awareness helps to minimize the need for repeated MFA prompts as users access additional services and hosts via your gateway.

When DNG is coupled with Duo’s Policies and Trusted Endpoints it helps to obviate the need to rely on passwords alone. Passwords, in their own right, have long outlived their usefulness. The analogy of leaving a key under the doormat springs to mind. If a passerby happened to discover your key beneath the mat they would be able to access the house. This does not mean that they are supposed to be there. Now when you apply this to the enterprise in the guise of an attacker with access to a legitimate password it helps to drive home the need to reduce the attack surface. 

Streamlining the access control to enterprise assets will help reduce risk to the company and reduce costs. For every password reset that needs to be dealt with there is a cost involved. With multi-factor authentication and a DNG at your disposal this cost will come down. 

That cost savings comes from reducing password resets, which will be replaced by the ability of users to self-manage. The reduced number of authentications will streamline work for users, who will need to authenticate once to the DNG to access the applications that they need in order to get their jobs done.

Reduction in risk. Reduction in costs. Improvement in sleep. What’s not to love? 


<![CDATA[Starting a Job Remotely Shouldn’t Slow Down Your Onboarding or Success]]> kdriscoll@duosecurity.com (Kim Driscoll) https://duo.com/blog/starting-a-job-remotely-shouldnt-slow-down-your-onboarding-or-success https://duo.com/blog/starting-a-job-remotely-shouldnt-slow-down-your-onboarding-or-success Industry News Mon, 07 Sep 2020 08:30:00 -0400

More and more people have been working from home since the onset of the pandemic. While there are tons of resources on getting started working remotely, how to succeed in an office job without an office, and how to set up your new space at home, what about starting a new job altogether? How can you succeed with a brand new job without the resources of being in an office? 

Starting a new job is always hard, but imagine starting in a pandemic?

At Duo, we’ve been lucky to add amazing humans to our team since March when we began working from home. We knew we needed to bring our Kinder Than Necessary value to the center to help our newest team members succeed in this environment. And those folks have been succeeding!

And, our team keeps growing. Our team has grown by 21% since March. So we have some insight to share from the dozens of people who have only ever had their job at Duo remotely. 

Remote Work Goal Setting

Starting a new job is always going to be awkward because you don’t know what to do. One of your very first priorities, remote or not, should be to set a role-based goal. A role-based goal takes something you’ll be expected to do in your daily role and adds a due date for when you’ll be able to do it alone. It’s especially important when remote, as it will give you focus, direction, and priority as you learn about your new company. 

There is absolutely always a lot to learn. But don’t assume that your company will give you something specific to work toward. Nearly 60% of companies fail to set milestones or goals for their new employees. On top of that, 22% of employers don’t have a formalized onboarding plan. Folks can take control of those stats by setting a specific goal themselves.

While I work diligently to support new Duonauts with role-based goals from the start, I actually didn’t have one when I started. If you end up in this spot, I have some advice for you. Here is what I did — I spent the first 3 weeks really learning what I was supposed to do. Fundamentally, I’m a teacher for Duo, so I had to learn all the things about Duo, then teach a full cycle on it. That was a lot. So I estimated what the most basic version of that was. For me, that was teaching a specific session within the full teaching cycle. I decided to do it by my 90 day mark. Then, I found someone who was already teaching to help guide me. Then, I told my manager. I told my team. And then I wrote it down.

Write down your goal. We know that folks who write down their goals are 33% more successful. Even if you are part of the few who get both a formalized onboarding plan and role-based goals (like new Duonauts), we still encourage you to write your own goal down. Vet your goal with an in-company mentor or new coworker, and then get working on it! Success in your role will help give you purpose and fulfillment while working remotely.

Making Friends While Working Remote 

We know that people with friends at work are happier, but how do you make friends when you won’t be really “meeting” anyone? Once you figure out how your company communicates, show up. It might feel weird, but just show up - yes, virtually. Comment in threads. Video-on in meetings. Attend optional events. Use your newness to your advantage and ask for a get to know you chat. And let’s level set - it’s not weird.

First, studies show - people like you more than you think they do. You are probably underestimating how much people want to talk to you. But what’s really important is the mere exposure effect. For the most part, folks like people more the more that they’re around. Since your face won’t be at the water cooler or coffee pot, show up online.

At Duo, we use chat and WebEx. Ways to show up there include engaging in online chat conversations, joining optional channels, and emoji-responding to comments. Many companies (including ours!) have used apps like Donut to encourage cross-team conversations. Take advantage of what your new company has to offer. And, keep your videos on during calls as often as possible. Creating friendships in this way will help you feel more connected to your company and new role.

Creating Long Term Success While Working Remote 

But you can’t show up all the time. New employees tend to want to do their absolute best. In an office-based world, the boundaries for “doing your best” were a little clearer. At some point, you had to go home. But now? It’s not quite as clear when the day starts and when the day ends. And for new hires looking to really stand out and shine, the lure to just do one more thing can quickly become working longer and longer days than you should.

And that lure can be even stronger for folks who have found jobs and careers that they love. But the risk is higher too. The thing is, people in purpose-driven work are more likely to experience burnout. A Canadian study found that employees driven by purpose are significantly more stressed and score lower in well-being. And, to top it all off, remote workers tend to experience higher rates of burnout too. It’s not all bad news though - since we’re at the very beginning of our time with an organization, we’ll be able to start this new role off with some healthy boundaries.

If you’re starting a whole new job remote, you should have a candid conversation with your manager about what working remote means for the organization and for your role in particular. Be prepared to acknowledge what you might need to change, or to ask for more time to think about how you can succeed. Ask your manager explicitly what you can do to stand out, make an impact, or achieve your goals more quickly - chances are they won’t say “work 14 hour days.”

Our team members have had the most success by having general boundaries for their first 3 weeks while they learn about the company (e.g. start time, break times, email response times), and then reaffirming and solidifying their long-term boundaries at around the 1 month mark. At this point, they know more about the company and the role, and can make an informed decision about how they can engage longer term.

Adapting to Remote Work & Growing Your Career

You can still think long-term, make friends, and be successful in your new role - even though you’ll be starting remotely. Chances are that either your company has had a long-term plan for remote work (awesome!) or, they’re learning about this remote-only world right alongside you. 

The struggle of starting from scratch, learning new systems, and imposter syndrome are likely to creep in. Just remember that those growing pains would happen in-person too. And most importantly for starting a new gig - remote or in-person - remember that they chose you! Remember that your team, manager, and company are invested in you succeeding! 

Looking for a team that’s invested in you? Duo is hiring
