<![CDATA[The Duo Blog]]> https://duo.com Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. Mon, 23 Jun 2025 21:59:15 +0000 en-us info@duosecurity.com (Amy Vazquez) Copyright 2025 3600 <![CDATA[What’s new for you: Duo is now identity and access management]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/whats-new-for-you-duo-is-now-identity-access-management https://duo.com/blog/whats-new-for-you-duo-is-now-identity-access-management Product & Engineering Fri, 27 Jun 2025 00:00:00 +0000

Blog writing provides a great opportunity to drop some pop culture references that help illustrate your points. For example, “Your identity is your most valuable possession. Protect it.” is a great line from the film, The Incredibles. It’s also very relevant to Duo customers. Duo’s long been a leader in defending against identity-based threats and securely managing access to critical assets. However, we’ve evolved into something more. Duo is now a security-first Identity and Access Management (IAM) solution. You may have seen our recent announcement.

This is exciting news for Duo customers. We know traditional IAM solutions are failing to protect against attacks that target users’ identities. They’ve become insecure, costly, and overly complex to implement. And attackers have gotten really good at stealing user credentials to the point where they can simply log in, not hack in. They’re also using AI to automate and accelerate their attacks. Clearly something had to change.

This became the driving force behind Duo IAM. As a Duo customer, you may be thinking, "This sounds really cool.” And like Kevin Costner’s character in the film Field of Dreams, you may be wondering, “What’s in it for me?” Let’s take a look.

As a security-first IAM solution, Duo integrates all the components needed to serve as the sole IAM platform, while operating as a unified defense layer across your existing identity infrastructure. With the announcement of Duo IAM, we’re launching impactful new capabilities to help organizations achieve security by default, and usability that people love. Within those capabilities are new features Duo customers can take advantage of in their identity stack. So, here’s what’s in it for you.

At Duo, we take a security-first approach to IAM. This means we believe security should be a foundational component of an IAM solution, not an add-on. While Duo started out with MFA, over the years we’ve evolved by adding features like passwordless, SSO, and Device Trust. With the addition of our directory, we now have all the pieces to be a security-first IAM provider.

So what’s “new” new with this launch? That would be our Duo Directory functionality that enables Duo to be a full, or complementary, IAM solution. Here are some cool things Duo Directory can do:

  • User management — Duo can serve as your source of truth for managing identity directories, primary authentication, and user attributes.

  • Routing rules — Use Duo as a hub for authentication to route authentication requests between directories when you’ve got more than one.

  • Customer attributes — Go beyond the built-in attributes by creating and storing your own set of custom attributes to further define user identities.

  • Automated provisioning — Simplify user provisioning, changes, and deprovisioning to applications using direct API and SCIM (System for Cross-domain Identity Management) integrations.

  • AI Assistant — Duo’s out-of-the-box AI Assistant helps with all sorts of tasks like managing access, streamlining configuration, even speeding up user investigation when someone is stuck.

End-to-end phishing resistance means we protect your users from phishing attacks at every step of the identity lifecycle, starting with enrollment, to OS and application login, all the way to the help desk.

  • Proximity Verification — Prevent MFA bypass by verifying the authentication device (your mobile phone) and access device (your laptop) are in close physical proximity.

  • Session theft prevention — Guard against session hijacking by proactively removing session cookies and replacing them with a trusted signature Duo controls. That way there’s nothing for the attacker to steal.

  • Complete passwordless — A user never needs to have a password in Duo Directory. However, for uses cases still tied to passwords, we enable you to ditch passwords from attack points like the enrollment process and authentication fallback.

  • Identity Verification integration — Block social engineering attempts at the help desk from hackers pretending to be an employee in need of assistance by re-establishing trust via the use of a government ID.

Duo leverages identity intelligence to deliver deep visibility across your ecosystem, gathering identity insight and using AI to analyze that information. This ensures continuous monitoring, accelerates detection, and enables proactive responses to identity threats before, during, and after login.

  • User trust level — Dynamically assess user risk level by analyzing user behavior, context, and historical data across multiple identity sources—then seamlessly share this level to enrich relevant security tools and workflows.

Delivering an exceptional experience for users and admins has always been a Duo tenet. It underpins everything we do, including the features we build like the ones I just mentioned. Our goal in delivering a delightful experience for everyone is to frustrate attackers, not users.

These are exciting times for Duo customers. With Duo IAM, you get a full identity and access management solution that puts security first. You know what else is exciting? We’ve added almost all of the new features into our base edition, Duo Essentials, so they’re available to every Duo customer.

Not only that, we also haven’t changed our prices. That’s right. More features and more security for the same price. To quote Matt Damon’s character from the film The Martian: “Wow, this is amazing!” We hope you think so too.

]]>
<![CDATA[Duo Proximity Verification: Deployable phishing-resistant MFA]]> jaho2@cisco.com (Janet Ho) https://duo.com/blog/duo-proximity-verification-deployable-phishing-resistant-mfa https://duo.com/blog/duo-proximity-verification-deployable-phishing-resistant-mfa Product & Engineering Thu, 26 Jun 2025 00:00:00 +0000

Rolling out phishing resistant authentication is critical, but many organizations struggle with the complexity and cost of deploying hardware-based solutions like security keys at scale, all while trying to stay ahead of modern phishing attacks. That’s why we've introduced our new Proximity Verification feature. It removes friction, gives you a smoother and more secure experience, and it’s cost-effective for your organization.

Our proximity verification feature uses Bluetooth Low Energy to confirm that a user’s device is near their computer during login. Imagine logging in without entering codes or accidentally forgetting your hardware key. Proximity Verification makes this a reality.  By design, it prevents bad actors from tricking users into approving authentication requests when they are accessing a computer in a different location from end users.

Proximity verification also prevents users from clicking and entering information into malicious links by checking the origin of the website the request came from. If the request does not come from a valid domain, we will deny the authorization request. This is similar to how modern security standards like FIDO2 verify the legitimacy of login requests to block phishing attacks.

Proximity verification is a great fit for organizations that want strong security without added complexity. It’s especially well-suited for teams that:

  • Are focused on securing against modern phishing attacks

  • Have limited budget or operational capacity to purchase and distribute hardware like security keys

  • Have already made significant investment in mobile authenticators for 2FA or push based login

  • Phishing resistance that’s simpler: Stronger security that is just as secure as FIDO2 but is already included on your device via Duo Mobile. This security feature is built in, making it secure by default.

  • Cost-effective even as your company grows: allows you to securely authenticate from your laptop, no need to juggle extra devices like security keys or worry about biometric upgrades. It cuts down the operational hassles of purchasing, distributing, and managing additional hardware.

  • No more typing in codes: Bluetooth auto-fills verification codes, so users don’t have to. If you’re already using Duo, nothing changes in how you use it day to day, just a smoother experience with even stronger security behind the scenes

With Proximity Verification built into Duo’s security-first IAM solution, your organization gets strong, phishing-resistant authentication without the usual complexity and costs. It’s simple to deploy and scale, helps you meet security requirements, and keeps users protected from day one. There's no need to enter codes or carry extra hardware. Authentication just works when your device is nearby, making the log experience fast and seamless.

Want to learn more? Head to our phishing prevention page or check out our editions data sheet.

Ready to give it a try? Sign up today.

]]>
<![CDATA[End-to-end phishing resistance that's actually deployable]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/end-to-end-phishing-resistance-thats-actually-deployable https://duo.com/blog/end-to-end-phishing-resistance-thats-actually-deployable Product & Engineering Thu, 19 Jun 2025 00:00:00 +0000

In the modern cybersecurity landscape, attackers are no longer just one step ahead—they’re miles ahead. They know your organization likely uses multi-factor authentication (MFA). In fact, they’ve come to expect it. But here’s the problem: not all MFA is created equal, and attackers have learned to exploit its weaker forms.

Phishing-resistant MFA is the answer, but—it’s been notoriously difficult to implement at scale for all workers and all use cases. Traditional solutions often require complex setups, cumbersome hardware tokens, or clunky configurations that frustrate users and IT teams alike. And, if a security control isn’t deployable; it’s not usable. And if it’s not usable, it’s not protecting anyone.

We need a new way forward.

At Duo, we’re working to make phishing-resistant authentication not only the strongest defense against identity-based attacks, but also easy to deploy and manage.

The numbers don’t lie: Cisco Talos found that 60% of breaches today involve compromised identities. Yet, Talos isn’t the only threat research organizations uncovering the identity problem. Basically, all reports that include data on breaches conclude that: identity is involved in the majority of said breaches.

Attackers aren’t just targeting login credentials anymore—they’re expanding their scope and upgrading their techniques. From enrollment processes to fallback mechanisms and even help desk interactions, every step of the identity lifecycle is under fire.

At Duo, we’re expanding our functionality from providing MFA at application login—to defending the entire identity attack surface. We’ve built an end-to-end solution that secures every vulnerable point, from initial user enrollment through authentication and fallback to mid-session – all the way through to help desk interactions. And we’ve done it in a way that’s deployable—no special hardware, no endless configurations, no headaches.

Here’s how we’re doing it:

  1. Proximity Verification: The only phishing-resistant MFA that’s easy to deploy
    Proximity Verification is Duo’s breakthrough in phishing-resistant MFA. By using your mobile phone to verify that the legitimate user is physically near the device requesting access, we eliminate the need for hardware tokens or complex configurations. It’s simple, seamless, and highly secure—just the way it should be.

  2. Complete passwordless authentication
    Passwords are the weakest link in the authentication chain, and attackers know it. That’s why Duo is committed to eliminating passwords entirely, even at the most challenging stages like enrollment and fallback. Our passwordless solution removes stolen credentials from the equation, making it much more difficult for attackers to gain access

  3. Session theft protection
    Attackers are increasingly leveraging session hijacking—stealing an authenticated session cookie to bypass MFA entirely. Duo’s session theft protection technology defends against this advanced technique by removing the session cookie itself. Duo replaces the session cookie with a cryptographically signed proof of authentication that we control. This effectively removes the jewel from the safe and leaves an attacker with nothing to steal!

  4. Help desk identity verification
    Social engineering attacks on help desks are on the rise, and they’re shockingly effective. To counter this, Duo has partnered with identity verification provider Persona to protect help desk interactions. By adding a layer of secure identity verification, we shut down social engineering attempts before they can gain any traction.

What sets Duo apart from other providers isn’t just our technology—it’s the fact that we’ve made it deployable and user-friendly without compromising security. Traditional phishing-resistant solutions have been plagued by high deployment complexity, requiring organizations to choose between security and usability. We say: why not have both?

With Duo, you get:

  • No Hardware Hassle: Say goodbye to clunky tokens and complex configurations. Duo’s solutions leverage mobile devices to simplify deployment.

  • An End-to-End Solution: From enrollment through to the help desk, we have the broadest coverage over the identity attack surface.

  • A Seamless User Experience: Security that doesn’t frustrate users or administrators.

The identity threat landscape is evolving, but with Duo’s end-to-end phishing resistance, so can your defenses. Let us help you make the shift to stronger, simpler, deployable security that actually works.

Because at the end of the day, attackers are relentless. Shouldn’t your defenses be, too?

To learn more about Duo’s phishing-resistant MFA and how it can protect your organization, check out the new Duo site or reach out to an identity expert.

]]>
<![CDATA[New device? No problem: Enhanced Duo Instant Restore for Android]]> johbruce@cisco.com (John Bruce) https://duo.com/blog/enhanced-duo-instant-restore-for-android https://duo.com/blog/enhanced-duo-instant-restore-for-android Product & Engineering Tue, 17 Jun 2025 00:00:00 +0000

We’re excited to announce a major update to Instant Restore for Duo Mobile on Android. This update brings multiple improvements which make it easier to move to a new device without losing access to your MFA accounts.

Before we dive into the new feature, let’s quickly review how Instant Restore worked on Android prior to this update. When backing up both Duo and third-party accounts, the steps to start backing up are:

  1. Enable Instant Restore in Duo Mobile’s settings

  2. Select a Google Drive account for storing backups

  3. Enable the toggle to automatically reconnect third-party accounts

  4. Create and confirm a password for encrypting your third-party secrets

When restoring from a Google Drive backup, the steps are:

  1. Select the Google Drive account your backup is stored in

  2. Open Duo Mobile on your old device and generate a QR code

  3. Scan the QR code from your new device

  4. Re-enter the password created in step 4 above to reconnect third-party accounts

The new version is simplified to eliminate several points of friction from the old version, namely:

  • Your old device is no longer required to reactivate Duo accounts

  • No QR code to scan on your old phone when reactivating Duo accounts

  • No password to remember when reconnecting third-party accounts

Since there are less requirements to restore your Duo accounts, this will help Duo Mobile users resume authenticating more seamlessly without requiring support from their Duo administrator.

The new update integrates with Google’s system backup functionality built into Android. The new version of Instant Restore will be used when Duo Mobile detects Google backup is enabled and a passcode is set on the device. Once these conditions are met, Duo Mobile will create end-to-end encrypted backups of all Duo accounts which are eligible for Instant Restore as a part of your Google backup. This backup will also include third-party accounts when the third-party reconnect toggle is enabled in Duo Mobile’s settings.

Since the backup is end-to-end encrypted, no one else can read the backup without your device passcode, and there’s no need to remember a special password when restoring third-party accounts! Android schedules system backups based on several factors like battery level, usage, and network conditions–but in practice this happens every few days. A backup can always be manually triggered in Android settings. See Google’s docs for more info.

Your old device is no longer needed to reactivate Duo Accounts, since the reactivation secrets are stored in the encrypted backup. When setting up a new Android device, log in to the same Google account, select the cloud backup created by your old device, and enter your old device’s passcode. Android will automatically restore Duo Mobile’s backup. Your accounts will automatically be reactivated on first launch of Duo Mobile, and the corresponding Duo accounts will be deactivated on your old device. As a precaution, we’ll also send a push notification to your old device to make sure this reactivation was performed by you. If you confirm this reactivation was not done by you, then both devices will be deactivated and an email will be sent to your administrator.

The prior version of Instant Restore based on Google Drive is still available and can be used when system backup or a passcode aren't set up on your device. You can also still restore from your Google Drive backup and manually reconnect accounts with the QR code from your old device (for Duo accounts) and a password (for third-party accounts) in case your new device wasn’t set up from your old device’s cloud backup. Making the older version of Instant Restore available as a fallback helps ensure that you won’t be any worse off in case a step was missed using new restore.

Are you ready to upgrade? Here’s how to do it:

  1. Make sure you have Duo Mobile version 4.83 or higher installed.

  2. Enable Google Backup in Android System Settings. Make sure a backup has run since Duo Mobile was installed.

  3. Enable a pin/pattern/passcode for the lock screen on your device.

  4. Enable "Third-party account reconnect" in Duo Mobile's instant restore settings.

A couple of things to note:

  • Duo Mobile installs within a Work Profile are not supported, unfortunately.

  • The location of the Google Backup in Android System Settings varies by phone manufacturer. On Pixel devices, navigate to Settings > System > Backup. On Samsung devices, navigate to Settings > Google > Backup.

That’s it! Your next system backup will include encrypted account information from Duo Mobile. As aways, you can see the state of your Duo backup on the Instant Restore screen in Duo Mobile settings.

]]>
<![CDATA[Introducing Cisco AI Assistant for Duo]]> brpenney@cisco.com (Brianna Penney) https://duo.com/blog/introducing-cisco-ai-assistant-for-duo https://duo.com/blog/introducing-cisco-ai-assistant-for-duo Product & Engineering Thu, 12 Jun 2025 00:00:00 +0000

We know administrators are busy.

To make securing identity easier than ever, we’re excited to announce the Cisco AI Assistant for Duo, our newest addition in Cisco’s suite of AI Assistants enhancing the security and IT team experience.

Identity administrators today are strapped for time. They manage their directory, application implementations, system migrations, and more. When a user calls the help desk (sometimes a single administrator wearing many hats), their goal is to unblock that user as quickly as possible.

Duo’s AI Assistant is designed to help with this exact task in mind, bringing logs and user information together in one place to make quick access decisions securely. Administrators can now ask the AI Assistant in natural language about access problems instead of sorting through various pages in the Duo Admin Panel or searching for the most relevant documentation page.

For example, in the video below, the administrator asks why a user was denied access. Within a few seconds, the Assistant returns recent events impacting the user including authentications, directory syncs, and policy changes.

For one preview customer, an investigation that might normally take 10 minutes was cut down to 45 seconds with the Assistant.

Another customer specified benefits to help desk processes:

"The AI Assistant is providing helpful information to our help desk users, enabling them to resolve access denial issues faster." — Private Preview Customer

Our approach focuses first and foremost on using AI responsibly to augment admin tasks. We strive for accurate, trustworthy answers that always link to Duo data so you can double check the Assistant’s work.

Administrator permissions are respected like our role-based access control and administrative units, so you don’t have to worry about the Assistant leaking any data. In addition, no Duo customer data is used to train our Assistants.

Today, the Assistant can’t take any action on behalf of the administrator, and in the future actions will require some form of administrative approval.

"It works, it's simple, it's fast and then it will help gain trust in it quickly. People are picking it up and running with it." — Private Preview Customer

We’ve used our internal expertise to ensure answers are accurate and are constantly reviewing and augmenting the LLM to provide better support.

To make this AI Assistant one that will deliver real value to the important use cases, your feedback is essential. Our team looks at every note a user adds to improve the experience.

eedback form for 'Introducing Cisco AI Assistant for Duo' blog post, showing checkboxes and a text box for response improvement suggestions.

The Assistant today is focused on your primary use case of helping users fast. With continued user feedback, the Duo Product team plans to expand coverage of the Assistant to include intelligent capabilities to search through policies, endpoint data, and more.

Try using the AI Assistant next time you’re in the admin panel to help you with your tasks. Here are a few prompts to try:

  • Why is [username] having access issues?

  • Have any devices been registered recently?

  • Which authentication methods are most secure?

The Assistant is available today in public preview to Essentials, Advantage and Premier customers in the U.S. (excluding Federal customers).

AI Assistant is one part of how Duo is bringing strong, security-first IAM without sacrificing user experience. See the full announcement of how Cisco Duo Reimagines Identity Security.

Read the full Duo AI Assistant documentation.

]]>
<![CDATA[Why a security-first approach to IAM matters more than ever]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/why-a-security-first-approach-to-iam-matters-more-than-ever https://duo.com/blog/why-a-security-first-approach-to-iam-matters-more-than-ever Product & Engineering Wed, 11 Jun 2025 00:00:00 +0000

When it comes to securing your organization, one thing is clear: identity and access management (IAM) is no longer just an IT task. It’s a critical component of your security strategy. Yet, for many organizations, IAM solutions have fallen short of delivering security as a foundational feature.

In a recent Cisco survey of 650 IT and security leaders, 73% revealed that security is often an afterthought in identity infrastructure decisions, while 75% identified complexity in identity infrastructure as a key security challenge. In other words, security is taking a backseat in current solutions at the very same time that IAM is getting more difficult to secure. No wonder Cisco Talos found identity at the center of 60% of breaches.

It’s time for a new approach, one that prioritizes security as fundamental. At Duo, we believe in security-first IAM, built from the ground up to simplify identity management, secure workflows, and prevent identity-based attacks.

Traditional IAM tools were designed in a different era, a time when IAM was treated as an IT function with security bolted on later—if at all. This approach often leads to:

  • Increased complexity: Configuring and deploying security controls in many IAM solutions is clunky and frustrating—a hurdle that many administrators don’t want to deal with - creating gaps in security.

  • Added cost: Security features are frequently treated as premium add-ons, making them inaccessible for many organizations.

  • Outdated protection: Even when security features are available, they typically haven't been updated to defend against modern threats, leaving organizations exposed to new attacker techniques.

As highlighted in a recent open letter from the CISO of JPMorgan Chase, fierce competition among software providers has prioritized rapid feature development over robust security. The result? A focus on revenue driving functionality—with insufficient security baked in.

At Duo, we take a different approach. Security isn’t an afterthought—it’s foundational. We make security attainable, not a luxury or an upcharge. This philosophy informs everything we do, from design to deployment. Here’s what we mean by security-first IAM:

Security functionality should not be a way to nickel & dime customers. Organizations that choose Duo will get everything they need to secure their workforce in our base package. This includes:

  • MFA everywhere, by default: Multi-factor authentication (MFA) is a cornerstone of security. Duo enables MFA for all use cases—devices, applications, servers—without additional costs or complicated configurations. It’s not a separate SKU, and it’s not harder to turn on for some users than others.

  • Device trust out-of-the-box: Device trust means you can easily enforce policies that restrict access to corporate resources based on device security posture. Whether you want to allow only managed devices or block unpatched systems, Duo makes it simple.

  • Totally passwordless options: Passwords are a major security vulnerability. With Duo, you can eliminate them entirely. From enrollment to authentication, users can go completely passwordless, reducing phishing risks and improving user experience.

Duo’s approach to IAM isn’t just secure—it’s also flexible and simple.

  • Flexibility: Whether you’re starting fresh or integrating with an existing directory, Duo can adapt to your needs. Use Duo Directory as your primary directory or leverage its capabilities to enhance your existing identity infrastructure. Features like Routing Rules and Custom Attributes make it easier to use Duo in conjunction with existing identity infrastructure.

  • Simplicity: From AI-driven assistance to admin-friendly migration guides, we make deployment easy. Duo’s tools are designed to save you time and reduce frustration, so you can focus on what matters most: protecting your organization.

As organizations face an ever-growing landscape of identity-based attacks, a security-first approach to IAM is no longer optional—it’s essential. Duo redefines IAM by embedding security at the core, not as an afterthought.

Whether you’re looking to modernize your IAM strategy or adopt a solution built for today’s challenges, Duo delivers everything you need to secure identities without compromising on budget, ease of use, or flexibility.

Ready to put security first? Learn more about Duo’s security-first IAM solutions on the Duo Directory product page.

]]>
<![CDATA[Come see Duo at Identiverse 2025]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/come-see-duo-at-identiverse-2025 https://duo.com/blog/come-see-duo-at-identiverse-2025 Industry Events Mon, 02 Jun 2025 00:00:00 +0000

Identiverse 2025 is this week in Las Vegas, and the Duo team couldn’t be more excited to engage with the brightest minds in identity and access management (IAM). From June 3–6, 2025, the identity community will gather in Las Vegas to share groundbreaking innovations, critical insights, and strategies for addressing today’s identity challenges. And this year, Duo is showing up in a brand-new way.

That’s right, Duo has launched a directory, completing the set of functionalities required to be the only security-first IAM solution. As a part of this launch, we’re also delivering our deployable approach to end-to-end phishing resistance—the most robust way to defend against today’s identity-based attacks.

We’re thrilled to showcase how our new security-first IAM solutions are transforming identity management. Identiverse 2025 is your chance to learn about our cutting-edge capabilities, connect with our experts, and see how Duo is reshaping the future of IAM.

Here’s a preview of what we have planned this week at Identiverse 2025:

How Identity Resilience Will Improve Your Worst Day on the Job

When: Thursday, June 5th at 8:30 AM
Where: Oceanside
Speaker: Matt Caulfield, VP of Product, Duo & Identity, Cisco Systems

What happens when everything goes wrong? In his keynote, Matt Caulfield delves into the challenges IAM professionals face on their “worst day” and offers actionable strategies to build resilience into identity systems. With resilience becoming a critical aspect of identity, this session will reveal how to go beyond the buzzword and make resilience a reality.

Masterclass: Defining (and Using) Maslow's Hierarchy of Identity Risk

When: Wednesday, June 4th from 11:40-12:30 PM
Where: Breakers H
Speakers: Didi Dotan, Director of Engineering, Cisco Identity Intelligence (CII); Alex Zaslavsky, Data Scientist, Cisco Identity Intelligence

Learn how to categorize and address identity risk using a framework inspired by Maslow’s Hierarchy of Needs. Didi and Alex will share practical recommendations for grouping, addressing, and remediating identity risks.

IAM Built for the Imposter Era

When: Wednesday, June 4th from 2:00-2:25 PM
Where: Mandalay Bay D
Speaker: Chris Anderson, Duo Product CTO

Discover how Duo’s security-first approach to IAM tackles the challenges of today’s "imposter era." Chris Anderson will share strategies for reducing complexity and costs while enabling frictionless access and identifying imposters.

Achieve the Impossible: End-to-End Phishing Resistance That's Actually Deployable

When: Thursday, June 5th from 2:00-2:25 PM
Where: Mandalay Bay D
Speakers: Karianne Butler, Director of Duo Product Management; Ted Kietzman, Duo Product Strategist

End-to-end phishing resistance might sound like a pipe dream, but Duo is making it achievable. Karianne and Ted will unpack the hurdles organizations face in adopting phishing-resistant MFA and share deployable solutions that protect every step of the identity workflow.

"How do I...?" Answering Common Passkey Questions from Relying Party Devs

When: Friday, June 6th from 9:40-10:05 AM
Where: Mandalay Bay I
Speaker: Matthew Miller, Passwordless Technical Lead, Cisco Duo

A must for developers navigating FIDO2-based authentication, this session features Matthew Miller will addressing common passkey implementation questions and explores exciting new features in WebAuthn L3.

Be sure to stop by Duo Booth #501 in the exhibit hall to meet our team, see live demos of our new IAM capabilities, and learn how Duo delivers a security-first solutions that frustrate attackers—not your users.

If you're a current Duo customer, reach out to your account team to schedule one-on-one meetings with our product and engineering executives on-site. We’d love to hear your feedback and discuss how Duo can support your identity security needs.

Identiverse 2025 isn’t just an opportunity to hear about the latest trends in identity—it’s a chance to connect with the global IAM community and explore the future of identity security. Duo’s presence at this year’s conference reflects our commitment to driving innovation and empowering organizations to defend against today’s most sophisticated identity-based threats.

Whether you’re interested in attending our keynote, diving into one of our sessions, or connecting with us at the booth, we’d love to see you there. Let’s work together to build a more secure and resilient identity future!

]]>
<![CDATA[Meet the new Duo IAM]]> mcaulfie@cisco.com (Matt Caulfield) https://duo.com/blog/meet-the-new-duo-iam https://duo.com/blog/meet-the-new-duo-iam Product & Engineering Wed, 28 May 2025 00:00:00 +0000

Identity is under siege. Sixty percent of all Cisco Talos IR cases in 2024 saw identity as a key component of reported attacks. Organizations are facing relentless challenges in keeping their systems secure. As attackers grow more sophisticated, traditional Identity and Access Management (IAM) providers have fallen short, leaving critical gaps in their defenses.

At Duo, we’ve been watching this unfold, and honestly, we’ve had enough. That’s why we’re proud to announce that Duo is officially expanding into the IAM market, bringing our trusted security expertise to an area long overdue for disruption.

Traditional IAM providers have historically prioritized business enablement over robust security, resulting in clunky, costly, and inefficient solutions that are difficult to deploy and vulnerable to identity-based attacks. Duo’s new IAM solution changes the game by being security-first, easy to use, and built to frustrate attackers—not your users.

For too long, defenders have focused solely on login protection with multi-factor authentication (MFA). While that’s a critical step, attackers have learned to adapt, finding new ways to bypass traditional defenses. AI significantly exacerbates the situation by amplifying the scale, speed and sophistication of account takeover attacks, enabling automated and highly adaptive social engineering techniques. This creates a real identity crisis.

Duo’s IAM solution rises to this challenge by now offering end-to-end phishing resistance as a core feature, delivered right out of the box.

This experience includes innovative features like:

  • Proximity Verification: A new, easy-to-deploy form of phishing-resistant MFA that is designed to protect against adversary-in-the-middle attacks.

  • Complete Passwordless: Eliminating passwords from enrollment and fallback, so users never have to rely on outdated, insecure credentials.

  • Seamless Help Desk Verification: A new tech partnership enabling identity verification for help desks, safeguarding against social engineering attacks.

With Duo, organizations unlock a deployable, seamless experience for end users, ensuring the highest level of security while maintaining simplicity and ease of use.

At Duo, we believe protecting identity workflows isn’t enough. Organizations also need tools to continuously monitor and respond to changes in identity risk. That’s why we’ve introduced Identity Intelligence, which provides:

  • Comprehensive Visibility: Gain insights across your identity ecosystem, including on-premises, legacy, and non-human systems.

  • Proactive Security Insights: Stay ahead of risks with actionable recommendations.

  • Dynamic Risk Assessment: A distilled User Trust Level dynamically informs access decisions and accelerates threat detection across the Cisco Security stack.

And the best part? This functionality works with any identity stack, giving organizations the flexibility to enhance their existing systems—whether or not Duo IAM is the primary component.

We understand that identity isn’t exactly a new space. Every organization has some sort of existing identity infrastructure. That’s why we’ve built our solution to be flexible. For example, some of our preview customers run Duo IAM as a secondary directory for their contractors and third parties. We’ve also had customers place Duo “in-front” of their existing IAM stack as an “identity broker” enabling consistent, phishing-resistant, passwordless policy for their workforce, even with multiple backend identity providers from other vendors. Our robust user directory and identity routing engine make this possible.

For organizations ready to make the leap to a fully secure identity infrastructure, Duo now offers everything you need in one place. With Duo Directory, you can easily sync users and attributes with external sources and then leverage our popular SSO and MFA capabilities to provide seamless access management.

We’ve also made migration simple with tools like Routing Rules and an AI Assistant to help organizations transition without disruption. Whether you’re integrating Duo into your current stack or building from scratch, our solution is designed to make security effortless.

Duo’s expansion into the IAM market isn’t just about addressing the failures of traditional providers—it’s about doubling down on our commitment to an “identity-first” approach to zero trust. By integrating seamlessly with the broader Cisco Security ecosystem, Duo ensures organizations can protect their users, data, and systems with the most advanced tools available.

The days of weak identity defenses and clunky IAM systems are over. With Cisco Duo, organizations finally have a partner that prioritizes security without compromising usability. Together, we can defend against identity-based threats and make the digital world safer for everyone.

Are you new to Duo? Sign up for a free trial today!

Are you an existing Duo customer? Sign up for the public preview to explore Duo's IAM.

]]>
<![CDATA[No Agent Required: Duo & Microsoft Edge for Business improve device trust]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/duo-microsoft-edge-for-business-improve-device-trust https://duo.com/blog/duo-microsoft-edge-for-business-improve-device-trust Product & Engineering Wed, 30 Apr 2025 00:00:00 +0000

One of the key tenets of a zero trust security strategy is verifying a user’s identity before they’re granted access to network resources. Another important tenet is device trust. Does the device have a healthy security posture? Is the endpoint one that we “know” whether it’s company-issued or someone’s personal device?

It’s with this latter question in mind that Cisco Duo is excited to announce an extension of our partnership with Microsoft. Together, we’re introducing the Microsoft Edge Device for Business Trust Connector (DTC), a native integration between the Edge for Business browser and Duo Trusted Endpoints. The integration identifies trusted endpoints through the managed Edge for Business browser so you can control application access and enforce browser-based protections without installing an agent on the endpoint.

"We are thrilled to announce the integration of Cisco Duo Trusted Endpoints with Microsoft Edge for Business. This collaboration empowers our mutual customers to extend the reach of their security investments, offering robust and seamless browser protection without the need for additional agents. As the browser has become a vital tool for work, we look forward to building even greater capabilities together."
Arunesh Chandra, Principal Product Manager, Microsoft

Increasingly, organizations are moving to hybrid environments. This means you may need to support flexible work patterns (remote and in-office), different device types (company-issued and personal), or a varied workforce (employees, contractors, etc.). You also face aggressive cybersecurity threats, rising expectations to protect sensitive information, and the need to stop unauthorized AI use. Central to these concerns is the web browser which often serves as the primary gateway to your corporate resources and AI.

The new Duo Trusted Endpoints integration with Microsoft Edge for Business enhances security in hybrid work environments. It addresses cybersecurity threats caused by stolen credentials and protects sensitive information by verifying trusted devices within Microsoft Edge for Business. When the browser is managed by the Edge management service, the integration allows Microsoft to assert a device's trust and share its status with Duo, which then incorporates device trust into the authentication process, verifying user and device security. By identifying trusted endpoints, you’re able to restrict application and resource access to only those devices you know through a Trusted Endpoints policy.

Diagram showing how Microsoft Edge for Business and Duo Trusted Endpoints work together for secure authentication.

In addition to greater security, your users also get a better experience. Organizations often require employees to install an agent on their endpoint to identify if the device is managed. This doesn’t always go over well with employees, especially if it’s a personal device. By establishing trust through the Edge for Business browser, the Device Trust Connector removes the need for users to install an endpoint agent. It’s a win-win.

The Device Trust Connector integration provides some great benefits. Let’s take a look:

  • Simplified security: Easily verify users are interacting with a trusted Microsoft Edge for Business browser

  • Agentless data collection: Remove the need for an endpoint agent by collecting and sharing device trust signals through the Edge for Business browser

  • Support for hybrid environments: Create a Trusted Endpoints policy that supports company-issued, shared, and personal Bring Your Own (BYO) devices

  • Conditional access control: Allow application access only from known, trusted devices, while blocking access from unknown, untrusted endpoints

  • Simple setup and management: The Device Trust Connecter is an out-of-the-box integration, making administration fast and easy via the Duo Admin Panel

Duo makes it easy to extend and enhance security by verifying trust in every device, whether corporate or personal, without an installing agent through the Microsoft Edge for Business Device Trust Connector. Trusted Endpoints is available to Duo Essentials, Advantage, and Premier edition customers at no additional charge.

To get started setting up the integration, read our Microsoft Edge for Business Device Trust Connector documentation. You can also watch our Duo + Microsoft Edge for Business Device Trust Connector demo.

Finally, visit our Cisco Duo + Microsoft partner page to learn more about Duo’s partnership with Microsoft and how it benefits customers.

]]>
<![CDATA[Introducing Duo Wear: Seamless MFA from your wrist!]]> dykite@cisco.com (Dylan Kite) https://duo.com/blog/duo-wear-seamless-mfa-from-your-wrist https://duo.com/blog/duo-wear-seamless-mfa-from-your-wrist Industry News Thu, 24 Apr 2025 00:00:00 +0000

We’re thrilled to announce Duo Wear, a companion app for Duo Mobile that brings fast and easy multi-factor authentication (MFA) to your Wear OS smartwatch!

Duo Wear is an app designed specifically for Wear OS smartwatches. It works together with the Duo Mobile app on your Android phone. With Duo Wear, you can:

  • Generate One-Time Passcodes (OTPs) — Type passcodes in your login prompt without ever opening your phone.

  • Answer Duo Push Notifications — View information about your login attempt and approve or deny login requests.

  • Answer Verified Duo Push Notifications — Effortlessly enter Verified Duo Push codes using a wearable-first user interface.

It’s quick, simple, and offers a frictionless authentication experience.

Wearables are a growing component of our technological lives. In 2023 alone, the Wear OS userbase grew by 40% thanks in part to the beautiful hardware and powerful technology of devices like Pixel and Samsung Galaxy watches. As our reliance on smartwatches grows, so do our expectations of what they can do. We make payments, navigate our towns, and message our friends right from our wrists—why not protect our log ins too?

Our customers made it clear: you want a world-class wearable authentication experience and at Duo, we couldn’t agree more.

When it comes to logging in, we want a frictionless experience and when secured with a pin or passcode, Duo Wear delivers—no more stalking through rooms or rifling through your bag to unlock your phone for login. A quick tap on your smart watch and you can verify your identity.

With Duo Wear, enabling Google Smart Lock is no longer necessary—meaning there’s no added vulnerability when using your smart watch to login.

Setting up Duo Wear is simple:

  1. Ensure your Wear OS smartwatch is connected to your Android phone

  2. Make sure you have Duo Mobile version 4.83.0 or higher on your Android phone

  3. Download Duo Wear on your Wear OS smartwatch

  4. Open Duo Wear to enable watch notifications and set a device pin if needed

Welcome to the future of authentication, right on your wrist!

]]>
<![CDATA[5 key criteria for choosing the perfect MFA solution for your business]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/key-criteria-for-choosing-the-perfect-mfa-solution-for-your-business https://duo.com/blog/key-criteria-for-choosing-the-perfect-mfa-solution-for-your-business Industry News Wed, 23 Apr 2025 00:00:00 +0000

"Ninety-nine percent of attacks can be blocked with multi-factor authentication (MFA)” is an oft-discussed quote from 2019. Since then, MFA has since become a necessary defense for any cybersecurity strategy to defend against attacks.

But times change, and what solved our challenges in the past doesn’t necessarily work today, at least not in the same form. Attacks have evolved. New threat types such as push-bombing, social engineering, and spear phishing are forcing organizations to do more than rely on MFA alone. To stay protected, you need to increase the effectiveness of your MFA with powerful next-generation capabilities such as passwordless, risk-based authentication, adaptive access policies, and identity visibility tools. But with so many MFA solutions available, how do you identify the one that best suits your organization?

In our MFA Buyer’s Evaluation Guide, we go in depth on the five key criteria you should look for in any security solution.

  • Security Impact — The most critical security aspects of an authentication solution are how effective it is against threats related to credential theft and account takeover as well as its underlying security and reliability. If the primary goal is to reduce the risk of a breach and a solution is easily bypassed or doesn’t provide comprehensive protection that keeps up with and responds to new and changing threats, it’s not worth implementing.

  • Strategic Business Initiatives — Consider how MFA integrates with your business initiatives, both now and in the future. This includes legacy systems, bring your own device (BYOD), remote work, and the adoption of cloud applications. Another business driver to consider is compliance regulation requirements, which can vary by industry and location.

  • Total Cost of Ownership (TCO) — TCO is everyone’s favorite topic. It’s another way of saying, “What’s this really going to cost me?” Total cost of ownership includes all direct and indirect costs of owning a product. For an MFA solution, that can include hidden costs such as upfront capital, licensing, support, maintenance, and other unforeseen expenses over time, like professional services and ongoing operation and administration costs.

  • Time to Value — Another favorite topic is time to value, something we like to call time to security. Time to value refers to the time spent implementing, deploying, and adapting to the solution. Determine how long it takes before your company can start realizing the security benefits of an MFA solution. This is particularly important if you ever experience a breach or security incident.

  • Required Resources — You’ll want to consider the time, the personnel, and any other resources required to integrate your applications, manage users and devices, and maintain your solution. Your MFA provider should be able to tell you what they cover and where you need to fill in the gaps.

With the increase in attacks targeting your users’ identities, you also want to look for a solution that delivers identity security. According to a report from Cisco Talos, Cisco’s threat intelligence and research organization, in the last year, 80% of breaches leverage identity as a key component. So, when you’re evaluating MFA solutions, make sure you look into their identity security capabilities so you can protect against threats designed to steal your users’ identities and then use those credentials to launch attacks that can lead to a breach.

Now that we’ve identified the criteria to evaluate in an MFA solution, let’s take a look at how Duo can help you achieve modern protection without getting in the way of your users:

  1. Security Impact

    Duo protects access to all your apps including enterprise cloud apps, on-premises and web apps, and custom apps that use SAML or OIDC. Pretty much any app you can think of. Duo passwordless reduces your reliance on passwords, improves user experience, reduces IT overhead, and strengthens security posture.

    Duo Risk-Based Authentication takes baseline authentication behavior and evaluates contextual signals to dynamically adjust authentication requirements in real time. With Duo and Cisco Identity Intelligence, you can detect identity-based risks from all your identity sources—identity providers, HR and ticketing systems, and more—to take the right remediation action. You can also identify gaps in MFA coverage, dormant accounts, and privilege creep to reduce the risk of a breach.

  2. Strategic Business Initiatives

    Achieving the initiatives that drive your organization forward is critical to its success. Moving to the cloud? Duo is built on a scalable, cloud-based platform that requires minimal setup and removes costly maintenance. Need to lock down application access to only managed devices or allow access from personal devices with a bring your own device (BYOD) policy? Duo Trusted Endpoints lets you do both.

    With Duo Passport, you can provide a secure and seamless sign-in experience that increases workforce productivity and lowers the administrative burden for IT. Duo can also help meet compliance requirements and regulatory framework guidelines such as PCI, HIPAA, GDPR, NIST, and others.

  3. Total Cost of Ownership (TCO)

    Duo makes it easy to understand the full cost of acquiring an MFA solution. We offer a simple subscription model priced on a per user basis, billed annually, with no extra fees for new devices or applications. With Duo MFA, you get the most value with no hidden costs such as upfront capital, licensing, support, maintenance, operating or other unforeseen expenses over time.

  4. Time to Value

    Duo lets you try before you buy, helping you set up pilot programs before deploying Duo to your entire organization and realizing the value of your investment.

    Quickly add new users through bulk enrollment, self-enrollment, or a directory sync. The Duo Mobile app allows users to easily download the app onto their devices, while a self-service portal also lets them manage their own accounts and devices, reducing help desk tickets and support time.

  5. Required Resources

    Duo integrates with all of your apps with no need for extra hardware, software, or agents. Extensive documentation, APIs, and SDKs make implementation seamless. Because Duo is a cloud-hosted solution, updates are rolled out frequently and automatically to patch for the latest vulnerabilities, so you don’t need to hire a dedicated team to manage the solution.

Regardless of where you are today with your MFA, it’s important to evaluate any solution in the context of these criteria. If you’d like to dig deeper into each criteria, we’ve got more information in the MFA Buyer’s Evaluation Guide.

You can also watch our on-demand webinar, Get Defensive With Your MFA, as well. Remember, times change, and threats evolve, so your MFA solution should as well.

]]>
<![CDATA[Duo Desktop: Packed with features to ease MFA and boost security]]> alexro2@cisco.com (Alex Rodriguez) https://duo.com/blog/duo-desktop-packed-with-features-to-ease-mfa-boost-security https://duo.com/blog/duo-desktop-packed-with-features-to-ease-mfa-boost-security Product & Engineering Fri, 18 Apr 2025 00:00:00 +0000

Throughout my career, I've had the privilege of working across several diverse industries. One aspect that consistently captivates me is the unique jargon associated with each role—terminology that often seems bewildering at first. For instance, in the semiconductor industry, "doping" isn't related to any athletic scandal; rather, it refers to altering the electrical properties of silicon. In the pipeline corrosion prevention field—which, believe it or not, is quite real—a "holiday" isn't about taking time off but rather indicates a spot where the pipeline's coating has chipped away, exposing the metal to potential damage. Working with IT administrators, I've learned that "agent fatigue" doesn't relate to a weary CIA operative. Instead, it describes the challenge they face when managing multiple vendors' applications on their organization's devices.

Given the saturated landscape of applications, IT administrators must be discerning about which ones to deploy across their fleet of devices and users. The process doesn't stop at deployment. Administrators also face the ongoing challenge of maintaining these applications and ensuring they operate smoothly within the organization's infrastructure. Additionally, gaining approval from leadership adds another layer of complexity, as they must demonstrate the application's benefits and align it with strategic goals. It's no surprise then that selectivity is crucial, as each application must deliver significant value to justify its integration into their systems.

Understanding these challenges has driven our strategy for building out Duo Desktop, our lightweight client application. To be a contender for prized space on a user's machine, we need to deliver substantial value to our users. For this reason, we have evolved the application from merely providing health checks to incorporating a myriad of features that ease the burden of MFA, enhance security, and offer an additional method of authentication.

Imagine logging into your work device and being able to navigate through all approved web and local applications without the constant interruption of authentication prompts. Duo Desktop with Passport makes this a reality by providing a streamlined login solution that minimizes MFA fatigue. Users enjoy a single, secure login experience, allowing them to move effortlessly across applications, browsers and thin/thick clients while maintaining productivity. Duo keeps your users secure without getting in their way with relentless authentication prompts.

Duo Mobile and Duo Desktop's Proximity Verification offers a powerful defense in the fight against phishing. Utilizing Bluetooth Low Energy (BLE), this feature ensures your devices are nearby when logging in and automatically responds to the push verification without requiring user input. The magic lies in the secure communication between Duo Desktop and Duo Mobile, providing seamless, phishing-resistant authentication.

There are times when a smartphone or hardware token might not be available, and Duo Desktop Authentication is ready to fill that gap. It allows for secure authentication directly from your laptop or desktop, ensuring you're always equipped for secure access, regardless of the situation. It’s a straightforward solution that simplifies authentication, making security accessible and reliable.

Security needs can vary greatly depending on context, and Duo's Risk-Based Authentication adapts to this reality. By assessing risk levels in real time, it tailors authentication requirements based on user context, location, and device proximity. This means you get a higher level of security without compromising user experience. It's dynamic security at its finest, ensuring protection while keeping the process smooth and user-friendly.

Maintaining the security of your devices is a continuous process, and Duo Desktop's Health Checks are here to help. This feature acts like a vigilant guardian, continuously assessing your device's security posture. It checks critical elements such as your OS version and patch level, password protection, disk encryption, firewall status, and security agents. By ensuring your devices meet security standards, Health Checks play a pivotal role in protecting access and maintaining compliance, giving you peace of mind.

Duo's Trusted Endpoints feature identifies and verifies devices that are owned or managed by the organization, effectively blocking access from untrusted endpoints, like unmanaged devices with poor security or devices used by an attacker. This proactive approach ensures that your resources are safeguarded against unauthorized access, providing a robust layer of security. This can be really helpful in scenarios where users have limited access to advanced second factors or are at greater risk to MFA phishing attacks.

Duo Desktop has been thoughtfully designed to provide substantial value that earns its place on users' devices. With advanced features like easy MFA and strong security, it simplifies management and fits right into your strategic goals. As you consider the applications that will best serve your organization, count on Duo Desktop to be the reliable partner that not only meets your needs but goes above and beyond. We're dedicated to constantly improving Duo Desktop, ensuring it remains the top choice for IT admins by making deployment and maintenance as simple as possible.

]]>
<![CDATA[Not just for unlocking content: How attackers are leveraging personal VPNs]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/how-attackers-are-leveraging-personal-vpns https://duo.com/blog/how-attackers-are-leveraging-personal-vpns Industry News Thu, 17 Apr 2025 00:00:00 +0000

As many a podcast host will tell you, it’s about time you used a consumer or personal Virtual Private Network (VPN). VPNs have become commonplace, serving various purposes from the noble, like protecting an individual’s digital footprint, to the dubious, like accessing geo-restricted content.

However, personal VPNs present a hidden threat when misused by attackers to obfuscate their location, posing significant security risks to organizations. Understanding and addressing personal VPN use is crucial for IT and Security teams to protect their networks effectively.

VPNs are often touted as tools for privacy and security, but they can also be exploited by threat actors. The Cybersecurity and Infrastructure Security Administration (CISA) has highlighted their effective use in attacks. To subvert detection logic that relies heavily on IP address, threat actors are adopting personal VPNs to blend in with typical users. This tactic can make malicious connections harder to distinguish, enabling attackers to sneak through the cracks more easily.

To safeguard your organization's security, it is vital to have a clear policy on personal VPN use. Depending on your organization's security requirements, you might consider banning them altogether or regulating their usage. Policies should be designed to prevent unauthorized access while allowing legitimate use cases under strict guidelines.

Effective detection and response to personal VPN usage begins with understanding personal VPN use within your workforce. One way to gain this visibility is to use Cisco Identity Intelligence. This tool aggregates identity and access data across multiple sources and then provides a powerful analytical layer on top. One of its popular checks is designed to identify users logging in from personal VPNs, potentially evading IP-based controls and detections.

With compatibility across platforms like Microsoft Entra ID, Okta, Google Workspace, Salesforce, and Duo, Identity Intelligence provides a comprehensive view of VPN-related activities, helping teams verify usage against corporate policies and clarify access policies with users.

Incorporating a robust detection mechanism for personal VPNs is a proactive step towards enhancing your organization's security posture. Evaluate Duo and Cisco Identity Intelligence to gain deeper insights and control over VPN activities within your network. By taking these steps, you can ensure that your defenses remain effective against evolving threats.

If you’d like to learn more or see a demonstration, contact your Duo representative or reach out to a Duo expert.

]]>
<![CDATA[Six ways modern MSPs accelerate response times with Duo]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/ways-modern-msps-accelerate-response-times-with-duo https://duo.com/blog/ways-modern-msps-accelerate-response-times-with-duo Industry News Tue, 08 Apr 2025 00:00:00 +0000

Customers expect their managed service providers to be knowledgeable, reliable—and fast.

When a business faces an IT issue and needs assistance, every minute lost means a hit to productivity and mounting frustration on the part of the customer. As time ticks on, the MSP responsible for fixing the problem bears the brunt of this frustration, especially when it takes too long to even acknowledge there’s a problem.

Angry clients are more likely to find a new MSP, which makes fast response times crucial to maintaining a healthy, long-lasting relationship. IT issues happen, but helping employees get back to work quickly reassures clients that they’re in safe hands for future issues. It avoids a “snowball effect” where one small mishap creates bigger problems elsewhere as delayed tasks cause work to grind to a halt.

Unlike other emergency services, MSPs can’t respond faster with a blue light and a siren. Instead, MSPs can do two things to improve their response time: first, take steps to make sure they can act quickly and second, prevent future issues—and tickets—from happening in the first place.

As security’s new first line of defense, the right identity solutions offer a lifecycle advantage that delivers on both fronts.

Speed to security is critical for clients facing an active attack or meeting an audit deadline. Duo helps MSP deliver on MFA, SSO, and device trust quickly—starting with the initial rollout.

Duo’s user-friendly and guided interface makes onboarding easy and makes sure a client’s first contact with the MSP’s support team is a good one. Complete deployment in minutes and have users choose between different authentication options, selecting the one that works best for their needs.

Watch: Duo MSP Tech Talks Customer Deployment in 60 Minutes

With many clients to manage, centralizing day-to-day operations delivers a valuable speed advantage. The Duo multi-tenant Admin Panel dashboard allows MSPs to monitor and manage all client accounts from one place, simplifying oversight and speeding up incident response. Managing access from a single platform reduces the time support teams spend switching between different screens and systems so they can find and resolve real issues faster.

Sometimes the most critical security step is verifying the caller on the other end is who they say they are, which is not always an easy feat. With Duo’s built-in helpdesk verification tool, send a push notification to the person requesting assistance directly from the Admin Panel.

Duo Push Verification window showing user info, confirmation code, and status 'Waiting for response…' for a support request.
Verify Users with a Duo Push. Get the documentation for Help Desk Push

The MSPs with the fastest response times aren’t necessarily going to be those with the largest support staff — although that doesn’t hurt. Rather, ensuring that support teams that aren’t buried in unnecessary requests can definitely contribute to a speedier reply and greater focus on improving security.

Making authentication as simple as possible for trusted users means they are far less likely to need help. Duo lets MSPs reduce the need for repeated logins and manual intervention by setting security policies that automatically adjust based on the context of end-users’ access requests. A risk-based approach changes the level of authentication required based on factors such as location, device, and network connection.

Avoid having a user submit tickets in the first place with built-in self-remediation. When users do need help updating OS, Duo guides them through a remediation process can avoid the need for a support ticket altogether. Many people prefer to reset their passwords or update devices on their own, and self-service reduces the workload for the MSP at the same time.

Demo: Guided User Self-Remediation

Automated alerts and comprehensive reporting let the MSP team identify and address potential threats — before clients get in touch. Parsing through authentication logs can help reveal issues that can be fixed before the customer is even aware, especially for MSPs managing larger organizations.

With Cisco Identity Intelligence, get a level of visibility across a client’s Duo deployment and other identity storages. Set up email alerts for the security issues your clients care about, like dormant accounts, shared authenticators, and over-permissioned users. Or, MSPs can directly integrate findings with ticketing services to open new tickets and display existing tickets related to discovered users.

Cisco Identity Intelligence dashboard showing a critical alert for 160 users with no MFA configured.
Use Cisco Identity Intelligence to drill down into and report security concerns, like which client accounts aren’t protected by MFA.

Stay on top of security and compliance concerns and show clients the value of identity threat detection and identity posture management.

Learn: Duo + Cisco Identity Intelligence

"MFA is often the first step in a cybersecurity journey. Duo ignites those 'what else are we doing?' thoughts with our customers, and that’s been very positive for us as well." — Michael Piekarski, Director of Cybersecurity at Arraya

The MSP business model relies on recurring revenues, and this depends on delivering fast, reliable service. Profitability also depends on resolving queries without having to make a site visit whenever possible.

Clients judge MSPs on how well they handle day-to-day support requests as much as they do IT infrastructure overhauls and new software rollouts. The more responsive and resilient the service an MSP provides, the happier customers will be—and the more profitable their own business will be – in the long run. Secure, simple identity workflows reduce response times in the right way to keep users and clients happy, reduce support teams’ workloads, and scale to drive future growth.

Duo’s “no-barriers-to-entry” MSP model allows products to be deployed with no downtime or lengthy sign-up and certification processes. Strong documentation and a simple, straightforward app and intuitive admin panel make it easy to roll out new services quickly.

Learn how to join the partner program today by visiting the Duo MSP page.

]]>
<![CDATA[Making seamless authentication a reality for MSP customers]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/making-seamless-authentication-a-reality-for-msp-customers https://duo.com/blog/making-seamless-authentication-a-reality-for-msp-customers Product & Engineering Thu, 03 Apr 2025 00:00:00 +0000

Users don’t like passwords and logging in, period. MSPs should like passwords even less since, according to Gartner, 40% of all help desk calls are related to password resets. That’s valuable time the staff could spend resolving bigger problems faster.

While the enforcement of multi-factor authentication (MFA) makes logging in more secure, it inevitably runs the risk of adding steps to a process users already find annoying. When people get frustrated by juggling too many credentials, PINs and devices, they tend to find workarounds.

These shortcuts creatively circumvent security practices in favor of convenience — like saving passwords to a browser, or extensions that automatically enter MFA codes. While this may avoid authentication fatigue, it certainly risks and may even violate some security standards.

MSPs have the opportunity to deliver better, faster, more secure authentication that clients will actually adopt. Turn on Duo Passport in two clicks and offer a true single sign-on experience with all of Duo’s award-winner, user-friendly interfaces.

Most users don’t mind logging in once at the beginning of the day, but logging into multiple services several times a day would test anyone’s patience. Each attempt is a point of friction for the end-user, having to pull out their phone or punch in yet another 6-digit code just to check their email.

MSPs can solve this with a single sign-on experience that begins with the first operating system login and carries clients’ employees through their entire workday. Duo Passport enables seamless access even as the user switches to new applications, including browsers, traditional SSOs, and thick client apps like Outlook or VPN, reducing logon fatigue.

With Duo Passport, the user logs in once, and their authentication status is maintained across all applications, both in the browser and on the desktop. Once authenticated, Duo continually verifies trust for every access request based on adaptive and risk-based policies behind the scenes — without re-prompting users for authentication. This seamless experience means that end-users can focus on their work without constant interruptions, and administrators still get a comprehensive log of login attempts.

"Duo Passport reduced end-user authentication by more than 65% in one customer, who tested it over several months."

For MSPs looking after multiple customers and many users, the number of authentications necessary each day drops dramatically—as do the number of issues that the MSP needs to resolve.

Securing Windows Logon continues to drive demand for managed security services and is one of Duo’s most popular MSP use-cases. Cisco Duo is thrilled to announce that Passwordless Authentication for Windows Logon is now generally available in all Duo Editions.

An improved user experience makes adopting new security a welcome change instead of an imposition. Duo Passwordless was built to make the experience of logging in faster and easier than ever, without compromising on strong authentication.

Duo Passport and Passwordless build upon Duo’s popular Windows Logon protection to enable authentication at the OS level, making it the first thing people do and the last time they need to authenticate, unless there is a risk-based reason for more security. Together, the two capabilities deliver a true and secure single sign-on experience for the workforce right when they start their day by logging into a Windows device.

Read the full GA announcement: Announcing Passwordless Authentication for Windows Logon

For MSPs, rolling out new security functionalities can be a more involved process. Even so, the benefits of reduced costs and stronger security are hard to ignore.

Administrators have been pleasantly surprised by the ease of setting up Duo Passport, with only two clicks required. Designed to be a layer of security that works with any customer environment, Passport is compatible with most identity providers and supports managed and unmanaged devices. This simplicity translates into reduced administrative burden and faster implementation. Once Duo Passport is up and rolling, the ongoing care and feeding of the feature is minimal.

"Duo Passport is an essential step on our road to making secure access the default for our customers. We selected Duo as our partner because of their attention to ease of use and their expertise across platforms. We are accelerating our deployment of Duo Passport to maximize the strength of our customers’ defenses while we keep interruptions of their workflows to the minimum." — Justworks, a pure play MSP founded in 1996

Add Duo Passport, Passwordless, and advanced identity security to your managed offerings through the Duo MSP Program. Duo allows MSPs to manage all customers in one console, offering pay-as-you-go pricing to scale with the business, lower TCO, faster ROI, and the support needed to start your customers on the path to stronger security.

The best way for MSPs to get started is by trying out Duo Passport and passwordless functionalities themselves with program NFR licenses. Learn more about setting up Duo Passport on our documentation pages.

To offer your customers world-class identity security with fast ROI and a beloved user experience, visit the Duo MSP page.

]]>
<![CDATA[Four security updates to get ahead of proposed 2025 HIPAA amendments]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/security-updates-to-get-ahead-of-proposed-2025-hipaa-amendments https://duo.com/blog/security-updates-to-get-ahead-of-proposed-2025-hipaa-amendments Industry News Mon, 31 Mar 2025 00:00:00 +0000

A new set of 2025 HIPAA security updates are on the horizon, bringing significant changes that aim to bolster the protection of electronic protected health information (ePHI). As cyber threats intensify, these updates are more than just regulatory formalities; they are critical measures to safeguard sensitive data.

Published in early January, the 2025 HIPAA Security Amendments are set to significantly enhance the protection of ePHI. The proposed changes are based off the US Department of Health and Human Services’ (HHS) goals of both addressing changes in the health care environment and clarifying what compliance obligations look like for regulated entities.

Organizations have 180 days to reach compliance according to stricter standards of identity cybersecurity if the proposed updates pass.

In order to be prepared, here are four things your organization or managed security service provider should focus on:

  1. Deployment of mandatory security controls

  2. Securing against known vulnerabilities

  3. Documentation for annual audits

  4. Clear goals for visibility, prevention, and remediation

But first, a quick recap of how the standard has evolved.

The last major revision of the HIPAA Security Rule dates back to 2013 and the “Omnibus HIPAA Final Rule,” introduced to strengthen patient privacy and security protections. Amongst other requirements, the HIPAA Omnibus Rule of 2013 made business associates of covered entities directly liable for HIPAA compliance and adopted a four-tiered civil monetary penalty structure for violations that bumped the maximum fine from $25,000 per year to up to $1.5 million. That is to say, healthcare organizations and business partners may face greater liability in case of a security breach.

Between 2022 and 2023, the HIPAA Journal reported a jump from 51.9 million to 168 million records impermissibly disclosed. In 2024, the average data breach size jumped from 225,000 to nearly 400,000, though reports are still being counted. These alarming statistics underscore an urgent need for an amendment that encourages more stringent security measures to protect patient information.

Line graph showing individuals affected by healthcare security breaches from 2009 to 2024, peaking sharply in 2024.
Imaged sourced from HIPAA Journal, January 20, 2025

"[The Department] provides that MFA as a source of identity and access security control is an important means to control access to infrastructure and conduct proper change management control." — HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 2025, p. 87

The implementation of multi-factor authentication (MFA) is no longer optional. While the current Secure Rule allows distinction between “required” and “addressable” implementation specifications, the 2025 update makes all implementation specifications required with only specific, limited exceptions. That makes deploying security controls like MFA to all users essential for reducing unauthorized access risks.

In the proposal, regulated entities would be required to apply the proposed rule’s specific requirements for authenticating users’ identities through verification of at least two of three categories of factors of information about the user:

  • Information known by the user, including but not limited to a password or personal identification number (PIN).

  • Item possessed by the user, including but not limited to a token or a smart identification card.

  • Personal characteristic of the user, including but not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.

Cisco Duo’s award-winning MFA strengthens access control, providing an additional layer of security that is crucial for protecting PHI without adding unnecessary friction for busy end-users and health practitioners. Importantly, it protects against advancing identity-based attacks by offering wide coverage of authenticators—and the option to intelligently “step-up” login security according to detected risk patterns and access behaviors.

With the widest range of supported authenticators, Duo helps organizations transition away from weaker SMS and phone-call 2FA and towards push-based smartphone apps with verified number matching and phishing-resistant or passwordless authenticators.

Learn more about the types of Duo authenticators available.

With the proposed amendment, organizations must now identify potential threats and vulnerabilities with greater accuracy, and with increased frequency at least once every six months (p.385). This includes insights across the supply chain, including external contractors and any partners who may have access to ePHI.

The Department also specifically updated the Security Role to define vulnerability, identifying that: “...exploitable vulnerabilities exist across many components of IT infrastructures including, but not limited to, servers, desktops, mobile device operating systems, web software, and firewalls” (p. 99).

In addition, HHS recommended that regulated entities “install vendor patches, make software updates, and monitor sources of cybersecurity alerts describing new vulnerabilities,” (p. 99) citing the NIST National Vulnerability Database and CISA’s Known Exploited Vulnerabilities Catalog.

Outdated software and operating systems pose common challenges for organizations looking to improve security—especially in a field like healthcare with several types of devices and legacy applications. One option is to install device managers like Cisco Meraki, Jamf, or Intune onto endpoints to enforce updates. However, for healthcare practices with contractors, unmanaged and BYOD devices, or simply desiring a less-invasive option, the management and maintenance of vulnerability patching can quickly become an IT strain.

Duo’s agent-free approach enforces device trust is at every point of authentication, checking for OS patches, firewall, encryption, and other security policies before granting access into sensitive ePHI. Without heavy, permission-demanding clients to install, Duo Desktop verifies the health and security of endpoint devices. The Duo Authenticator app also picks up on mobile device telemetry like if a device is running the latest OS patch, has full disk encryption enabled, and whether the device is jailbroken or rooted.

Duo device health check showing macOS status: up to date, password set, FileVault enabled, but firewall not enabled.

A lightweight client application for macOS, Windows, and Linux, Duo Desktop checks for device vulnerabilities before granting access. Available in Duo Advantage and Premier editions.

Duo analyzes what’s running on all users’ devices—managed or unmanaged, without the use of an agent. With data in an actionable device health report, administrators can easily see:

  • An analysis of users’ devices, including current device OS, browsers, Flash and Java versions.

  • Security health trends of all devices accessing business applications, including which devices are outdated or need to be updated by end users.

  • The latest security events that may result in outdated devices, including a new browser or plugin update released by a software vendor.

Rather than pushing an update to the device, Duo encourages end-users to self-remediate out-of-date endpoints by only allowing access to protected applications if the device passes an organization’s configurable policies. This also cuts down on costly and unnecessary helpdesk and IT costs.

Annual audits will now be a requirement for ensuring ongoing compliance according to proposed updates.

While the Security Rule does not currently require regulated entities to conduct internal or third-party compliance audits, such activities are important components of a robust cybersecurity program. Cybersecurity audits for insurance and regulatory bodies typically request paper trails documenting users, the applications they access, and the devices they’re accessing resources from. This can be challenging to deliver on—especially for supply chain partners or contractors with unmanaged devices.

Duo’s identity security solution provides complete device visibility into both managed and unmanaged devices. With Duo, you can maintain an inventory of all trusted devices accessing corporate resources, identify at-risk devices, and gain a deeper understanding of your security environment. This not only helps in preparing for audits, but more importantly continuously reduces risk by verifying trust of users, patching device vulnerabilities, and minimizing instances of shadow IT.

Duo’s dashboard provides security administrators with a snapshot of the overall access activity across their organization. The Duo Admin Panel simplifies ongoing compliance processes with comprehensive audit logs and reports for all users, applications, devices, and associated authentication behaviors, facilitating easier audit preparation and certification. Admins get timely lists of access attempts and the MFA protections in place for a specific user. They can also identify how many accessing devices have out-of-date operating systems and enable self-remediation.

Authentication log dashboard showing denied and granted login attempts, including location, risk status, and Duo Push verification details.

"The dashboard gives us a high-level view of our organization. Useful information such as login failures, who logged into which application and when, number of deployed licenses and inactive users are all available right there. I can then easily drill down to the details of a specific login event with just a few clicks. We did not have this level of information before Duo." — Security Architect, on how Duo helps to meet compliance and protect private patient information for a major healthcare provider in the Pacific Northwest. Read the full case study

It’s clear that identity security will be a growing priority in 2025, especially with 80% of breaches leveraging identity as a key component according to Cisco Talos incident response reporting. Having complete visibility across an organization’s entire user environment is essential to reducing the risk of compromised credentials or other vulnerabilities—and a helpful tool for generating security reports.

With a complete view of your entire user inventory—including employees, contractors, and vendors—you can significantly reduce the risk of a breach and protect sensitive PHI data. Duo and Cisco Identity Intelligence pool insights across identity providers and storages, which make it easy to clean up dormant accounts, expand multi-factor authentication usage, and reduce administrator privilege creep. It also enables continuous status checks on the compliance requirements that are important to the industry.

Cisco Identity Intelligence adds a comprehensive layer of visibility, detection, and remediation that defends against security vulnerabilities outlined by HHS:

  • Filter for users and identities that do not have MFA configured across all storage locations and MFA providers

  • Get detailed insights on the devices accessing organization resources on a per-user basis, and set alerts for critical resources

  • Run security checks that search for known vulnerabilities and align to security frameworks including MITRE ATT&CK, NIST, and CIS

  • Generate reports on common audit requirements like MFA enrollment, license utilization, device operating system information, and shared accounts

Cisco Identity Intelligence dashboard displaying compliance checks with severity levels, number of failing checks, and report status.
A view of the checks performed by Cisco Identity Intelligence across all identity storages. Set up automated alerts for your organization’s security priorities, including checks aligned to industry and compliance frameworks. CII is available with the Duo Advantage and Premier editions.

The financial implications of these changes are significant, with estimated costs of $9 billion in the first year according to the Department of Health and Human Services (p. 302). However, the cost of inaction—potential data breaches, compromised patient safety, and legal repercussions—could be far greater. The Security Rule updates are not just about compliance; they are about safeguarding critical infrastructure and patient data, so visibility is key.

"The HHS 405(d) Program’s ‘Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients’ recommends a <strong>layered approach to cyber defense</strong> (i.e., if a first layer is breached, a second exists to prevent a complete breach)." — HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 2025, p. 86

The 2025 HIPAA Security Updates mark a significant shift in healthcare security practices. While MFA is a powerful tool that offers significant benefits in protecting PHI, it is no longer sufficient for the fight against unauthorized access. Identity security features like Duo’s device trust and adaptive authentication establish additional layers of security that both protect ePHI and defend organizational liability. For example, the ability to enforce security posture on the devices accessing sensitive patient health information with system reporting can help provide evidence of device encryption if equipment is lost or stolen.

Organizations that achieve compliance avoid audit penalties and enhance their overall security posture for future requirements. Duo’s easy-to-use interface and clear pricing reduces the TCO associated with traditional security tools like hardware tokens as well as deployment costs and undue burdens on IT teams.

Duo helps protect confidential patient information by integrating with Epic’s EHR to provide secure remote access that’s tailored to the needs of the healthcare industry. Duo supports Epic's newest Hyperdrive e-prescription workflow and continues to support the original Hyperspace workflow.

When it comes to the go-live of this specific Security Rule update, stakeholders have a 60-day window to submit comments on the proposal. In the meantime, healthcare organizations should begin reviewing their security programs internally or with their security providers and prepare for upcoming changes.

  • For a fact sheet on the new HIPAA Updates, visit the HHS website.

  • For more details on why Duo for Healthcare, visit the Healthcare solutions page.

  • If you’re a managed service provider looking to become a Duo partner, visit the Duo MSP page.

]]>
<![CDATA[MFA adoption: The most important security metric you can measure]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/mfa-adoption-most-important-security-metric https://duo.com/blog/mfa-adoption-most-important-security-metric Industry Events Thu, 27 Mar 2025 00:00:00 +0000

Most people understand that multi-factor authentication (MFA) is important. Among the myriad of security measures, MFA stands out as a crucial control to safeguard sensitive information and prevent breaches. Despite its effectiveness, many organizations still face challenges in achieving comprehensive MFA adoption across their entire user base and applications.

MFA significantly reduces the risk of unauthorized access by requiring users to provide multiple forms of verification. According to Microsoft, enabling MFA can block over 99.9% of account compromise attacks. This statistic underscores the vital role MFA plays in an organization's security posture, making it an essential component in the fight against cyber threats.

Partial MFA deployment is akin to locking every door to your house—except one. If there’s a door open, attackers will find it—it's just much easier to waltz in an unlocked door! Organizations that roll out MFA only to select users or applications inadvertently create vulnerable points. To secure the organization more fully, it is imperative to extend MFA coverage universally, ensuring no aspect of the system remains exposed.

Not all MFA methods provide the same level of security. Basic forms like SMS-based MFA are susceptible to SIM swap attacks and push-based MFA can fall victim to push bombing. Hence, organizations are advised to adopt phishing-resistant MFA options, such as Passwordless or FIDO2-based options. Don’t just take our word for it, phishing-resistant MFA is consistently and repeatedly recommended by the Cybersecurity & Infrastructure Security Agency (CISA). Research also indicates that as attackers become more sophisticated, they are increasingly able to bypass traditional MFA mechanisms, highlighting the need for stronger, more resilient authentication methods.

To help organizations maximize their MFA effectiveness, Duo’s Identity Intelligence functionality is introducing a pivotal tool: the MFA Adoption Dashboard. It synthesizes complex data into actionable insights, addressing the common challenges of MFA deployment:

MFA hygiene stats showing counts of accounts with no MFA, weak MFA, and strong MFA configurations.

1. MFA Hygiene and Threats: Prioritize key areas for improvement by identifying critical gaps and behaviors that may compromise security.

Donut chart of factor usage over 30 days: 24 low, 29 medium, and 2 unknown assurance level usages.

2. Factor Usage and Enrollment: Analyze enrollment versus actual usage to ensure MFA factors are not just installed but actively protect against breaches.

Bar chart of passwordless login adoption from Oct 2024 to Mar 2025, showing nearly 100% usage.

3. Passwordless Adoption: Highlight progress and areas needing attention in the transition to passwordless authentication.

These insights empower organizations to refine their MFA strategies, fortify their defenses, and maintain transparency with stakeholders through easy-to-understand reports and visualizations.

In conclusion, widespread and strong MFA adoption is a critical element in securing an organization's digital assets. By leveraging tools like the MFA Adoption Dashboard, organizations can gain a comprehensive understanding of their MFA posture and take actionable steps to enhance both coverage and strength. As cyber threats continue to evolve, it is essential for organizations to remain vigilant and proactive in their MFA implementation strategies, ensuring robust protection against potential breaches.

If you’re interested in learning more, reach out to your account representative or contact a Duo expert today.

]]>
<![CDATA[Introducing User Trust Levels: Calculating identity risk to improve security outcomes]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/introducing-user-trust-levels-calculating-identity-risk-to-improve-security-outcomes https://duo.com/blog/introducing-user-trust-levels-calculating-identity-risk-to-improve-security-outcomes Industry News Tue, 25 Mar 2025 00:00:00 +0000

Users are weird. That’s not a value judgement—it's just true that end users in an organization do all sorts of things. The job of IT and Security professionals is often to label this weirdness with value. Are these actions “good weird” (ex: taking a trip to a new location to close business)? Are they “bad weird” (ex: a user’s account has been dormant but now tries to sign in without MFA)?

The faster teams can make these judgements the better. Duo’s Identity Intelligence feature offers a powerful tool in this domain: the User Trust Level. This innovative approach helps organizations manage user-related risks more efficiently by assigning trust levels based on a comprehensive evaluation of user behavior and context.

The User Trust Level is a dynamic assessment of risk associated with each user in your organization. Cisco Identity Intelligence calculates this level by analyzing various factors such as user behavior, context, and historical data from multiple identity sources.

Trust level marked 'Questionable' due to new IP, ISP, unmanaged device, and impossible travel activity.

The algorithm first sets out a framework of risk types. For example, there is “inherent risk” or the elevated risk of a powerful user like an administrator or executive. There is also “posture risk” or the risk of account takeover given the current security controls assigned to and used by the user. The algorithm maps risk to each of the various components using the data available (the more data available, the better) and then distills those components into an overarching User Trust Level. User Trust Levels range from "Trusted" to "Untrusted" and serve as indicators of how safe or risky a user is at any given time.

Bar chart showing user distribution across trust levels from Trusted to Untrusted.

In an ideal scenario, User Trust Levels would be shared in real-time across all systems, seamlessly enhancing security workflows and policy decisions. Imagine a world where the slightest change in user risk is effectively accounted for and shared instantly with relevant access points like Secure Service Edge (SSE) or Firewall tools. These tools could always make the most informed decision possible about access. And, to be clear, Cisco is building this vision by integrating the User Trust Level into its broader portfolio. The philosophy of this effort is critical – because sharing enriched user context across the broader networking and security ecosystem is fundamental to an “identity-first” approach to Zero Trust.

While the theoretical benefits of User Trust Levels are significant, practical implementation requires some consideration. One key aspect to understand is that today’s User Trust Levels, though informed by a multitude of data points, should often incorporated into decisions as a directional variable, but not the only variable. They provide a holistic view of a user's risk profile over time and therefore should be used like IP reputation to inform actions and decisions.

User Trust Levels are best utilized in workflows where they can be assessed as part of a broader context. For example, in threat detection and response workflows, the trust level can help prioritize which users require immediate attention and remediation. An "Untrusted" user signals high priority and should prompt further investigation, especially when correlated with alerts from other security tools.

Another practical use case involves access policy decisions. As a concrete example, Cisco Secure Access can ingest the User Trust Level—and in the future, will be able to designate which resources a user can access or authentication requirements for users with a specific trust level. However, while it seems fine to use User Trust Levels for dynamic access control, the implications of doing so are important to consider.

“What happens when a user is blocked?” is a key question to answer. If access is denied based on a low trust level, there must be a clear process for users to regain access, preventing unnecessary disruptions. There are other ways to approach the problem as well. Perhaps risky users are not blocked outright—but they must perform a form of phishing-resistant MFA to gain access after being labeled “untrusted.”

On the flip side, when trust levels are "Trusted," there must also be stop gaps in case that User Trust Level calculation was missing a critical piece of information. Therefore, policy should never be so lenient such that the User Trust Level assessment is the only thing standing between an attacker and a valuable resource.

However, all this being said, User Trust Levels are still a great way to enrich all of these workflows and decisions! A User Trust Level is not a silver bullet, but it is a fantastic way to improve defenses.

The User Trust Level is a transformative tool in the realm of identity security, offering a nuanced approach to managing user risk. By understanding its theoretical value and practical implications, organizations can better integrate it into their security strategies, leveraging it to enhance detection, response, and access decisions. As Cisco continues to innovate in identity intelligence, User Trust Levels will undoubtedly play a pivotal role in shaping the future of cybersecurity.

To understand more about how to use User Trust Levels to secure your organization—contact a Duo expert.

]]>
<![CDATA[Announcing Passwordless Authentication for Windows Logon (now Generally Available)]]> kehankin@cisco.com (Kevin Hankins) https://duo.com/blog/announcing-passwordless-authentication-for-windows-logon https://duo.com/blog/announcing-passwordless-authentication-for-windows-logon Product & Engineering Tue, 25 Feb 2025 00:00:00 +0000

“The best way to break in is through the front door.”

We’ve heard some version of this phrase many times over, whether it pertains to a bad actor physically breaking into a secured building or socially engineering an unsuspecting victim to provide access to protected information. The cybersecurity landscape is littered with front doors, while modern society’s reliance on digital technologies is only increasing. Inevitably, several times during the workday, employees need to enter their credentials to when they turn on or unlock their device with Windows Logon—the front door. The ability to safely access our computer plays a key role in developing trust in adopting these technologies which do more good than harm.

In the world of access management, we have seen wide deployment of multi-factor authentication (MFA) at the point of the Operating System (OS) to invoke the layer of something you know (i.e., a password) and something you have (i.e., a registered device). This move made it harder for bad actors to gain unauthorized access to the endpoint device and the data on it. Consequently, these adversaries have since adapted and continue to find creative ways to pass through the metaphorical front door of our machines. The latest trends notoriously involve a cocktail of push phishing, password spraying, stolen credentials and many other nasty ingredients.

To address the burden that these attacks place on ‘all those who want to protect their local logins’, Cisco Duo is thrilled to announce that Passwordless Authentication for Windows Logon (PWL OS Logon) is now generally available (aka GA) in all editions!

Passwordless for Windows Logon is compatible with Duo Passport, a new capability that we announced at RSAC 2024. Together, the two capabilities deliver a true and secure single sign-on experience for the workforce right when they start their day by logging into a Windows device.

Cisco Duo’s approach to a passwordless experience at the OS enables a stronger, usable defense in variety of ways (in addition to not having to enter your password):

Duo Mobile Proximity Push

Driven by Bluetooth Low Energy (BLE), users would automatically receive a biometric push once they are enrolled to PWL OS Logon, which cannot be approved unless they are within proximity of the endpoint machine requesting their approval to logon

Cryptographic Nonce

Proof of proximity to mitigate MFA phishing attacks / spoofed network responses / replay attacks in that nonces can only be used once.

Works with most Identity providers and supports managed and unmanaged devices

Active Directory, Entra ID, domain-joined, non-domain joined, etc. – we understand that deployments vary! We intend to meet our customers where they are today, with what they have today. If you have an existing password in your local environment today, PWL OS Logon will work with it.

Simple Upgrade Path

If you use Duo Authentication for Windows Logon, upgrading to this solution is as simple as getting on the latest supported version.

Scalability

PWL OS Logon also supports User Groups, so administrators are now able to choose which groups of users are given the option to enroll into the feature.

Compatible with Duo Passport

Given the step-up in security with the proximity push + biometric challenge, Duo Passport can pick up the OS session created by PWL OS Logon.

This version of Passwordless for Windows logon will not work in RDP (remote desktop) sessions. Given the crossing of the trust boundary, our research shows that a different approach will be needed in the future to assert the trust of the same user on the same device.

This version of Passwordless for Windows Logon also will not work with the Remembered Devices policy (aka ‘Remember Me’) yet. This is because the removal of passwords at the entry point will require end users to prove they are who they claim to be via proximity + biometric while logging into the workstation to resume a session. We plan to investigate this as a feature offered in future versions, however!

Passwordless Offline Mode is coming soon—it is in our roadmap, but not here yet! The current experience will default to the existing Windows Logon Offline mode.

If you’re interested in trying out the release, you can find the release note. For installation specifically, look for the GA build, Version 5.0.0.0 on the checksums page. All are welcome!

]]>
<![CDATA[Defending against identity-based threats using the Shared Signals Framework]]> hmullman@duo.com (Hannah Mullman) https://duo.com/blog/defending-against-identity-based-threats-using-the-shared-signals-framework https://duo.com/blog/defending-against-identity-based-threats-using-the-shared-signals-framework Industry News Thu, 13 Feb 2025 00:00:00 +0000

For the past few years, we’ve observed an increase in identity-based attacks across all sectors. To illustrate the point, last quarter our own Cisco Talos team saw “a surge in password-spraying attacks.” In one of their documented cases, an organization reported that 13 million authentication attempts were made in 24 hours against known accounts. In the case of password spray, looking for startling increase in authentication traffic can be vital.

However, other identity-based techniques are difficult to detect because uncovering one stolen credential in a sea of valid sessions is like finding a needle in a haystack. IT environments are increasingly complex, and applications, security products, and identity providers don’t speak the same language, leading to more silos, even when everything was designed in the name of simplicity.

The Shared Signals Framework is a standard from the Open ID Foundation that seeks to solve this problem. The framework provides a secure way for entities involved in identity management to exchange signals that help ensure the integrity, trustworthiness, and security of user activity, even post-login. Service providers can broadcast any anomalies that could indicate session hijacking, account takeover, or fraud, so that other providers can quickly take action to verify that the user account is safe.

Cisco has played a key role in the development of the Shared Signals Framework, and we plan to continue our investment in the evolution of the standard. In 2021, we launched SharedSignals.guide to help developers learn about the framework and how to adopt it. One of our principal engineers serves as a co-chair of the Open ID Foundation’s Shared Signals Working Group, where he helps with the development of the standard. Most recently, in December of 2024, we attended the Gartner IAM conference interoperability event, where we demonstrated the power of Shared Signals in detecting and preventing session theft, a top security concern for our customers.

AppOmni detects threat, Duo revokes sessions, and SGNL revokes access to other SaaS apps in a threat response chain.

We partnered with AppOmni and SGNL to showcase a powerful story in which AppOmni identified a risky and compromised session and transmitted that event to Duo. Duo then revoked the Duo session and required the user to authenticate with a more secure factor via step-up authentication. In the final part of the demo, Duo transmitted the event to SGNL, who revoked the user’s SaaS application sessions. This helps security teams reduce the potential for lateral movement once a user’s credentials have been compromised, and importantly, significantly reduces the time to resolution. Attackers have easy access to toolkits that allow them to exfiltrate large amounts of data faster than a human can reasonably respond to. The Shared Signals Framework allows customers to respond to threats in real-time and ensure that the user is who they say they are.

Session theft is just one threat that the Shared Signals Framework can help protect against. Many different kinds of security vendors participated in the interop event in December, highlighting the capabilities of this new framework. We saw demos from MDM products, IGA vendors, and other identity providers that showed how Shared Signals can be used to dynamically change user permissions based on risk. If risk is detected on a device, for example, Shared Signals can help an organization minimize possible damage by locking down the identity and application sessions. Today, this would take a lot of correlation and time, all the while allowing the attacker to try and gain access to more sensitive resources, but Shared Signals makes this enforcement happen in real-time.

We are also exploring how Shared Signals helps deliver a better experience across Cisco products. Customers who use multiple Cisco security products together can look forward to Duo sharing identity data to a variety of products all in real-time for better security outcomes. Imagine, for example, that Duo detects a pattern of logins that are highly suspicious from a particular user. With Shared Signals, Duo could send that data to Cisco XDR to help enrich the detections happening there. With Cisco Secure Access, Shared Signals can help Duo communicate risk to cut off access to the network. We are very excited to see how Shared Signals with Duo can help on your identity security journey.

If you’d like to learn more about how Duo and Cisco are using Shared Signals—please feel free to reach out to your account team or contact us.

]]>