The Duo Blog
Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and the security health of their devices before they connect to the apps you want them to access. Copyright 2022.

IT Cyber Hygiene: Why It’s Important, and Duo’s Role in Securing Everyday Access
Joe Hopler | https://duo.com/blog/it-cyber-hygiene-why-its-important-duo-role-securing-access | Industry News

In today’s environment, you cannot go long without hearing about the latest company breach, social media hack, or exploited vulnerability. What typically follows is a mass compromise of user credentials, negative brand impact and significant financial consequences. These events have become almost commonplace, like talking about the weather. But it doesn’t have to be that way, or the damage can at least be minimized. Cyber hygiene, or cybersecurity hygiene, can help organizations secure their most critical data and mitigate security compromise.

What is cyber hygiene?

Cybersecurity hygiene is a set of habitual practices for ensuring the safe handling of critical data and for securing networks. Organizations and individuals must perform these practices regularly to keep high-level safeguards against bad actors in place and to keep users, devices, networks, and data healthy and secure.

Cybersecurity best practices include:

  • Awareness of what is on your network; identify critical and sensitive data

  • Access control: limit who can access which types of information, and control privileged access separately

  • Implement and enforce secure configuration settings

  • Patch/update applications, software, devices, and operating systems (OS) on a routine, scheduled basis

  • Train users to recognize phishing and spear-phishing campaigns

How can Duo Care help?

Duo Care takes a holistic approach, incorporating foundational security best practices into your zero-trust security journey with Duo.

A dedicated Duo Care team helps to:

  1. Validate user identities – Ensure users are who they say they are at every access attempt, then regularly reaffirm their trustworthiness

  2. Establish device trust – See every device used to access your applications and continuously verify both device health and security posture

  3. Set adaptive policies – Assign granular and contextual access policies, limiting exposure of your information to as few users and devices as possible

  4. Secure access for every user – Provide appropriate permissions for every user accessing any application, any time, and from anywhere

  5. Secure access for every application – Reduce the risk of credential theft by enabling users to securely access their applications with a single username and password

Incorporating security best practices with a focus on cybersecurity hygiene and the support of a dedicated Duo Care Team provides the following advantages:

Implementation of cybersecurity best practices

This promotes an improved cybersecurity posture for the workforce and workplace while mitigating data breaches and other security incidents, and it protects sensitive data from theft and attack.

Faster deployment

A team of trusted advisors equipped with knowledge of best practices and resources help you deploy cybersecurity solutions across your enterprise faster.

Higher ROI

With the built-in expertise of a Duo Care team in navigating diverse and complex IT environments, organizations can maximize feature adoption and overcome challenges with speed and precision. Combined with the extended support hours, you’ll maximize your investment in Duo.

Instant access to experts

Change happens. IT infrastructures evolve. Duo Care addresses your needs as they change: you can engage your Duo Care team at any time for guidance on changes that impact your existing Duo deployment.

VIP service

With Duo Care, you will be partnered with a team of experts, receive enhanced support hours, dedicated support lines, improved SLAs, early access to new features, and priority access to Duo events.

It’s time to start practicing cyber hygiene

While cyber threats are always evolving, deploying comprehensive security practices based upon sound cybersecurity hygiene – coupled with Duo Care support – helps mitigate risk, increases trust and drives improved security posture for your organization.

Want to learn more about what Duo can do for your enterprise? Sign up for a free trial today!

To Cover or Not to Cover: The Cyber Liability Insurance Quandary Facing Small- and Medium-Sized Businesses
Rosie Samuels | https://duo.com/blog/cyber-liability-insurance-quandary-facing-small-medium-businesses | Industry News

Much has been published about how the demand — and subsequent cost — for cyber liability insurance has skyrocketed in line with increasing incidents of cyberattacks. Some recent research has suggested that some businesses, particularly small to medium-sized ones, are terminating their policies altogether due to budget constraints. But what are the risks with this approach?

Here, we provide guidance for firms that have already, or are currently considering, taking the ‘no cover’ path.

The state of cyber liability insurance

The topic of cyber liability insurance is full of datapoints, statistics and graphs, all showing upward trajectories. Whether that’s the number of global incidents and overall cyberattacks, the amount of insurance claims, the pricing of cyber insurance products, or the general rise in firms applying for policies, the only way is up.

However, one statistic that has come to light recently is around a proportion of the companies who are discontinuing their current level of cover. In fact, according to Spiceworks, ‘due to budget constraints, about 30% of small and medium-sized businesses (SMBs) discontinued their cyber insurance contracts in 2021’.

This is doubtless a symptom of the soaring costs of cyber liability insurance cover twinned with an increasingly precarious economic landscape that is hitting hard for SMBs in particular. Tech Wire Asia cites that premiums could be expected to reach anywhere between US$500 million and US$1 billion by 2025. And while budgets are being stretched every which way, the short- and long-term knock-on costs of defending and recovering from potential cyberattacks can far outweigh preventative up-front costs.

Of course, insurance cover is not the only measure that can be taken. Ideally those firms that have discontinued their policies are barricaded well enough to weather potential cyber storms through their own procedures, policies, and people in place. However, research suggests otherwise. Security Magazine reports less than 10% of companies with fewer than 50 employees have dedicated financial resources for cybersecurity.

There are, of course, some measures that SMBs in particular can and really should employ to protect themselves:

1. MFA is a necessity, not a luxury

There is a good reason that nearly every cyber liability insurance carrier requires multi-factor authentication (MFA) and why, according to wholesale specialty insurance distributors CRC Group, clients without MFA risk non-renewal or a retention hike of 100% or more. MFA has proven to be a strong preventative strategy against stolen credentials and brute-force attacks.

But MFA should not only be viewed as a prerequisite for obtaining cyber liability insurance. By verifying your users’ identities before they access your network, two-factor authentication protects your applications and data against unauthorized access, something that makes sense whether you take or leave cyber liability insurance cover. In this day and age, MFA should be looked at as a cost of doing business, not an optional extra.

Questions to ask when selecting an MFA solution should be:

  • Can the solution protect against unauthorized access and provide visibility of users and devices in your environment?

  • Is the solution compatible with remote work and cloud applications?

  • Does your solution work with modern and legacy systems?

For more on how to evaluate MFA solutions, check out our evaluation guide.

2. Think like an insurer

If the decision has been made not to apply for a policy or renew an existing one, but cyber security is still a concern for the business, it's worth going over the same questions that an insurer may ask and having a robust answer ready and a plan in place to mitigate potential risks.

Earlier this year, we held a webinar with CyberCube, a provider of data-driven cyber risk analytics for the insurance industry, in which its former head of cyber intelligence Darren Thomson shared insight into the topics insurers are prioritizing. One of the key areas he zoomed in on was why organizations should be doubling down on protecting themselves from ransomware attacks.

He states that five or six years ago, ransomware attacks demanded an average of $500 and targeted consumers, as opposed to enterprises, whereas ransom demands can now sometimes reach tens of millions of dollars. “That has driven insurers to harden the market and to be in a situation where they really want to understand what the risk of ransomware is to their potential client before they underwrite a policy.”

Thomson outlined how the best practices of five years ago still tend to be the best practices now, advising firms to: “go through traditional means to mitigate the ransomware risk. What are you doing about backups? How are you protecting your endpoints? Are all of your network ports closed?”

As outlined in our ebook, Protecting Against Ransomware: Zero Trust Security for a Modern Workforce, zero trust is a security model built on the principle of “never trust, always verify.” It can help organizations proactively implement best practices known to protect against cyberattacks, including ransomware, whether or not a cyber liability insurance policy is in place.

3. Ensuring minimal rough patches

Another key area insurers investigate when deciding how much to charge for coverage is how exposed a firm is to software exploits when patches are not rolled out promptly. Unpatched vulnerabilities are among the most consistent initial access vectors for ransomware. So making sure patching is managed effectively, even if a company does not apply for or renew cover, also makes business sense.

But ensuring all systems, computers, applications, and software within your firm are as current as possible is difficult to manage, especially considering the amount of technical debt held at many firms. Findings from McKinsey estimate that technical debt amounts to 20 to 40 percent of the value of firms’ entire technology estate before depreciation, and 60 percent of the CIOs McKinsey surveyed felt their organization’s tech debt had risen perceptibly over the past three years.

The best way to defend your organization in these cases is to install a system that warns you when your software is out of date, requires software updates before allowing access, and even blocks access from devices that don't meet your organization's requirements.

Next steps for small- and medium-sized businesses

If firms employ the three areas mentioned above, they will be well armed to protect themselves from a good amount of threats facing SMBs today. This proactive defense is especially crucial if a firm has decided to opt out of cyber liability insurance cover. In the long run, a solid cyber security practice could also bring premiums down, ensuring a ‘belt and braces’ approach for the company.

For more on this take a look at our guide: How Cyber Insurance Can Be a Lifeline in Today’s Evolving Threat Landscape.

WebAuthn, Passwordless and FIDO2 Explained: Fundamental Components of a Passwordless Architecture
Jeff Yeo | https://duo.com/blog/webauthn-passwordless-fido2-explained-componens-passwordless-architecture | Industry News

When someone is told that passwords are going away in favor of a new, “password-less” authentication method, a healthy dose of skepticism is not unwarranted. After all, years of memorizing increasingly complex combinations of lower- and upper-case letters, numbers, and special characters have conditioned users to believe the fancier their password, the less likely they are to get breached.

While this isn’t entirely wrong, passwords are difficult to remember and rarely secure. Experts in the fields of data protection and information security now look towards new technologies to make system access much more secure.

Passwordless authentication refers to a system that does not require the use of passwords at all. In this current IT security trend, the password is replaced by much stronger factors, allowing for smoother usability without giving up the benefits of having multiple factors.

In this article, we will go in-depth on the basic building blocks of passwordless technology: WebAuthn, FIDO, CTAP, FIDO2, and how it all comes together for the user.

What is WebAuthn?

The Web Authentication API (WebAuthn) is a specification developed by the World Wide Web Consortium (W3C) and the FIDO Alliance, with participation from an international array of major technology companies – including Cisco Secure through Duo Security – actively contributing to WebAuthn development.

The WebAuthn API allows servers to register and authenticate users using public key cryptography instead of a password. When built into browsers and platforms, it creates a private-public keypair (known as a credential), enabling passwordless authentication by connecting applications with strong biometric authenticators like Windows Hello or Apple’s Touch ID.

In summary, WebAuthn is a:

  1. Browser API for Passwordless Authentication

  2. Strong Authentication using Public Key Cryptography (which makes a credential)

  3. A specification developed by W3C and FIDO Alliance

What is the FIDO Alliance?

The FIDO Alliance, an open industry association consisting of members from across the global tech world, works to develop technical specifications for non-password-based authentication. Its specifications are based on public key cryptography, aligned with the technology used in WebAuthn. The Alliance additionally certifies that solution providers are interoperable and meet the specifications established, denoted as FIDO® Certified.

In the case of passwordless, we focus on CTAP1 and CTAP2 specifications.

What is the difference between CTAP1 and CTAP2?

Established by the FIDO Alliance, Client to Authenticator Protocol (CTAP) is a specification that describes how an application (such as a browser) and operating system communicate with a compliant authentication device via USB, NFC, or Bluetooth Low Energy (BLE).

  • CTAP1 (the renamed FIDO U2F protocol) covers universal second-factor authentication with an external authenticator

  • CTAP2 focuses on communication between applications (browsers, operating systems, etc.) and external authenticators. It is a key standard for FIDO2-certified passwordless authentication.

CTAP1 and CTAP2 are fairly interoperable, with most WebAuthn authenticators able to support both.

What is FIDO2?

FIDO2 is a standard that uses modern authentication technology to enable strong passwordless authentication. A joint project of the FIDO Alliance and the W3C, FIDO2 combines the Client to Authenticator Protocol (CTAP) with the Web Authentication API (WebAuthn).

What are some examples of FIDO2 authentication methods?

  1. Biometric-capable devices and platform authenticators: These are built-in authenticators that require a biometric, PIN, or passcode. Examples include Apple’s Touch ID and Face ID, Windows Hello, or Android fingerprint and face recognition.

  2. Roaming authenticators or security keys: FIDO2-capable hardware tokens use USB, NFC, or BLE to communicate user verification via biometric or PIN.

In short: FIDO2 Framework = WebAuthn + CTAP2, and there are a few options for FIDO2-specific authentication methods. Passwordless authenticators can also come in the form of mobile applications, like Duo Mobile.

So how do all the pieces — hardware and software — come together to make passwordless secure?

How does passwordless authentication work?

The most significant difference between password-based authentication and key-based passwordless authentication is that no shared secret is ever sent to or stored on the system to verify the user’s identity. Multiple factors are still at play without having users remember a complex string of characters, namely the inherence factor (something you are: biometrics) and the possession factor (something you have: a registered device). Stronger factors improve the user experience and, because each credential is bound to the site it was registered with, mitigate the risk of phishing, stolen credentials, and man-in-the-middle (MiTM) attacks.

A keypair (the aforementioned “credential”) is generated during registration. It is always made up of a private key and a public key. In essence, the public key serves as a (public) lock that only the matching private key can operate. The pairing is unique per relying party (the site or application, identified by its relying party ID), which greatly increases data security: a credential only works for the site it was created for, and the browser will not offer it to a look-alike domain, so it cannot be phished through fraudulent sites.

To generate the key pair, users use either an “external authenticator” (e.g., a security key) or an “internal authenticator” (e.g., a fingerprint reader). The private key never leaves the authenticator; only the public key is sent to the system the user is registering with, which stores it against the user’s account.

At login, nothing is encrypted or decrypted. The system sends a fresh random challenge, the authenticator signs it (together with the origin the browser is actually connected to) using the private key, and the system verifies that signature with the stored public key. If the signature verifies, the user is in possession of the private key and is granted access.

Registering a Security Key or Biometric

For users to use security keys or biometrics, they first register their device with the Duo Cloud Service or another remote server. Registration runs in five steps: (1) the user starts registration in the browser; (2) the server returns a random challenge together with its relying party ID; (3) the browser checks that the relying party ID is valid for the origin it is connected to over TLS, and the authenticator generates a new public and private key pair; (4) the authenticator returns the new credential ID and public key, plus a signed response over the challenge, to Duo or the remote server; (5) the server verifies the response and saves the credential ID and public key for the user.

Authentication Flow

The authentication flow when users log in to a web application is simple, and it is what makes passwordless a worthwhile investment. Using a web browser, the user accesses the application server (step 1). The server sends a fresh challenge to the user’s device (step 2), and in step 3 the authenticator returns that challenge signed with the private key. The server verifies the signature with the public key stored on the remote server or at Duo (step 4), and access is granted or denied based on the outcome of that cryptographic exchange (step 5).
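The registration and authentication flows above, carried through end to end with real key generation and signature verification. This is an added example written for this page, not code from the original post and not Duo’s implementation. It models a single P-256 credential, a relying party ID of example.com and a legitimate origin of https://example.com (all assumed values), builds the same authenticatorData and clientDataJSON structures the browser and authenticator exchange, and shows why a look-alike origin and a replayed assertion are both rejected by the relying party.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Authenticator is a toy FIDO2 authenticator: one P-256 private key scoped to a relying party ID.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string
}

// clientData mirrors the browser's collectedClientData JSON.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is the authenticator's answer to a login challenge.
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Register mints a keypair for rpID. Only the public key reaches the relying
// party; the private key stays on the authenticator.
func Register(rpID string) (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv, rpID: rpID}, &priv.PublicKey
}

// signedMessage is what WebAuthn signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign: the browser records the origin it is really on; the authenticator builds
// authenticatorData = SHA-256(rpID) || flags || counter and signs with the private key.
func (a *Authenticator) Sign(challenge []byte, origin string) Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: origin})
	rpHash := sha256.Sum256([]byte(a.rpID))
	ad := make([]byte, 37)
	copy(ad, rpHash[:])
	ad[32] = 0x05 // flags: user present (0x01) | user verified (0x04); bytes 33..36 hold the counter
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(ad, cd))
	if err != nil {
		panic(err)
	}
	return Assertion{cd, ad, sig}
}

// Verify is the relying party's side: the challenge it issued, the origin it
// expects, the rpID hash and the signature must all check out.
func Verify(pub *ecdsa.PublicKey, challenge []byte, origin, rpID string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != b64(challenge) {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin %q is not the relying party: look-alike site", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]) {
		return fmt.Errorf("rpIdHash mismatch: credential belongs to another relying party")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not verify with the stored public key")
	}
	return nil
}

func main() {
	auth, pub := Register("example.com")
	ch := randomBytes(32)
	fmt.Println("legitimate login:", Verify(pub, ch, "https://example.com", "example.com", auth.Sign(ch, "https://example.com")))
	ch = randomBytes(32) // every login gets a fresh challenge
	fmt.Println("look-alike origin:", Verify(pub, ch, "https://example.com", "example.com", auth.Sign(ch, "https://examp1e.com")))
}
```

Run it with go run: the first Verify returns nil and the second returns an origin error, even though the same private key produced a perfectly valid signature, because the browser wrote the real origin into clientData and the relying party compares it against its own. A production relying party would additionally keep the issued challenge server-side with a short lifetime, track the signature counter in bytes 33..36, and validate attestation at registration; those pieces are left out here.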

Start your passwordless journey today

While there are several ways to start your journey to a passwordless future, I hope that this article has helped to understand the fundamental building blocks for a passwordless architecture.

For more technical explainers, read our Administrator's Guide to Passwordless series or learn more about Duo's passwordless solution today.

Insert Tokens to Play! OpenID Connect (OIDC) Support in Duo SSO Is Now in Early Access
Seema Kathuria, Colin Medfisch | https://duo.com/blog/openid-connect-oidc-support-in-duo-sso-now-early-access | Product & Engineering

We are in an ever-changing world where tens, hundreds, sometimes even tens of thousands of applications are being used to keep your business moving forward. We see this here at Duo and Cisco every single day! As organizations work tirelessly to adopt these new business-critical applications, the identity and security industries are doing the same to ensure that end users have secure, frictionless access to all of them.

Today, we are excited to announce the Early Access release of Duo’s Single Sign-On (SSO) support for OIDC.

To date, Duo SSO has only supported SAML 2.0 web applications. Supporting OIDC allows us to protect more of the applications that our customers are adopting as we all move towards a mobile-first world and integrate stronger and modern authentication methods (e.g. biometrics).

What is OIDC?

OpenID Connect is a modern authentication protocol that lets application and website developers authenticate users without storing and managing other people’s passwords, which is both difficult and risky. Another benefit of OIDC is that end users find it easy to sign up and register on websites, thereby reducing website abandonment. Organizations that adopt third-party OIDC apps, and developers that build them, want to give users (B2C and B2B) single sign-on access to them.

OIDC is an identity layer that works on top of the open OAuth 2.0 protocol, adding authentication to what has historically been used for authorization. OAuth 2.0 offers a variety of grant types, each supporting its own set of use cases, on its own or in combination with another. The most common grant types and flows include:

  • Authorization code

  • Authorization code with Proof Key for Code Exchange (PKCE)

  • Client credentials

  • Device authorization (device code)

  • Hybrid (an OpenID Connect flow that returns an authorization code together with tokens from the authorization endpoint)

  • Refresh token
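The authorization code grant with PKCE from the list above, played out between a client and an authorization server in a single process. This is an added example written for this page, not code from the original post and not Duo SSO’s implementation; the client ID duo-sso-demo, the redirect URI https://app.example/callback and the in-memory code store are assumed values. It shows what the front channel carries (only the code_challenge), what the back channel carries (the code_verifier), how the nonce ties the resulting ID token to the browser session, and why a code lifted from the redirect cannot be redeemed without the verifier.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

func randomURLSafe(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// S256 is the RFC 7636 code_challenge: BASE64URL(SHA-256(code_verifier)) without padding.
func S256(verifier string) string {
	h := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// NewPKCEPair: the client keeps the verifier and sends only the challenge on the front channel.
func NewPKCEPair() (verifier, challenge string) {
	verifier = randomURLSafe(32) // 43 URL-safe chars, inside the 43..128 range RFC 7636 requires
	return verifier, S256(verifier)
}

// pendingCode is what the authorization server remembers for an issued code.
type pendingCode struct {
	clientID, redirectURI, codeChallenge, nonce string
	used                                        bool
}

// AuthServer is an in-memory stand-in for the OpenID provider's code store (assumed, not Duo's).
type AuthServer struct{ codes map[string]*pendingCode }

func NewAuthServer() *AuthServer { return &AuthServer{codes: map[string]*pendingCode{}} }

// Authorize models the front-channel /authorize request, after the user has
// authenticated, and returns a single-use authorization code.
func (s *AuthServer) Authorize(clientID, redirectURI, codeChallenge, method, nonce string) (string, error) {
	if method != "S256" || len(codeChallenge) != 43 {
		return "", errors.New("only S256 code challenges are accepted")
	}
	code := randomURLSafe(24)
	s.codes[code] = &pendingCode{clientID: clientID, redirectURI: redirectURI, codeChallenge: codeChallenge, nonce: nonce}
	return code, nil
}

// Token models the back-channel /token request. On success it returns the nonce
// that the provider would place in the ID token.
func (s *AuthServer) Token(code, clientID, redirectURI, verifier string) (string, error) {
	p, ok := s.codes[code]
	if !ok || p.used {
		return "", errors.New("unknown or already redeemed code")
	}
	p.used = true // burn the code on any attempt, successful or not
	if p.clientID != clientID || p.redirectURI != redirectURI {
		return "", errors.New("client_id or redirect_uri differs from the authorization request")
	}
	if subtle.ConstantTimeCompare([]byte(S256(verifier)), []byte(p.codeChallenge)) != 1 {
		return "", errors.New("code_verifier does not hash to the stored code_challenge")
	}
	return p.nonce, nil
}

// Login runs the whole exchange from the relying party's point of view and reports
// whether the returned nonce binds the ID token to this browser session.
func Login(s *AuthServer) (bool, error) {
	const clientID, redirectURI = "duo-sso-demo", "https://app.example/callback" // assumed values
	nonce := randomURLSafe(16)
	verifier, challenge := NewPKCEPair()
	code, err := s.Authorize(clientID, redirectURI, challenge, "S256", nonce)
	if err != nil {
		return false, err
	}
	got, err := s.Token(code, clientID, redirectURI, verifier)
	if err != nil {
		return false, err
	}
	return got == nonce, nil
}

// StolenCodeReplay: an attacker who read the code off the redirect but never saw the verifier.
func StolenCodeReplay(s *AuthServer) error {
	_, challenge := NewPKCEPair()
	code, _ := s.Authorize("duo-sso-demo", "https://app.example/callback", challenge, "S256", "n")
	_, err := s.Token(code, "duo-sso-demo", "https://app.example/callback", "attacker-guess")
	return err
}

func main() {
	s := NewAuthServer()
	ok, err := Login(s)
	fmt.Println("legitimate login, nonce bound to session:", ok, err)
	fmt.Println("stolen code without verifier:", StolenCodeReplay(s))
}
```

The server accepts only the S256 method: the plain method sends the verifier itself as the challenge, which gives an eavesdropper on the front channel everything needed to redeem the code. Burning the code on a failed exchange means a race between the attacker and the real client ends with at most one of them succeeding and the other receiving an error the relying party can alert on.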

What can you protect today?

We have been on a journey to help various organizations in different industries (healthcare, IT, manufacturing) protect several OIDC based applications. We could not have done this without the amazing partnership with these Active Development Program customers. Here is one of our customers sharing their experience.

“OIDC has been phenomenal. It’s made everyone’s lives easier. Every time I click the button I am filled with joy.” – Iain McMullen, Director of Technology, Birmingham Consulting

In the Early Access release of Duo SSO support for OIDC, we will support two grant types: OIDC Authorization Code and OAuth 2.0 Client Credentials – with more coming before our Generally Available release. Organizations that use either or both grant types can participate in the Early Access release starting later this week!

Applications tested so far include Epic’s Haiku, Canto, and Rover mobile applications, Salesforce, IBM Spectrum Virtualize, IFS Cloud, Datto, and AWS Verified Access.

“We are very pleased that Duo SSO now supports OpenID Connect which allows us to secure more applications that our employees access on a regular basis. We use Duo SSO for securing access to Microsoft 365, Cisco AnyConnect VPN, and IFS Aurena, our ERP system. We will continue to integrate Duo in more applications and plan to expand usage to 50x more users over the next few months. We are glad we chose Duo for securing access to modern apps that our hybrid workforce depends on.” – Carlos Cortes, Business Systems Administrator, ASO Worldwide

How do I sign up?

OIDC and OAuth 2.0 support will start rolling out over the next week and be available to all customers using Duo Single Sign-On. To enable it, select Generic OIDC Relying Party or OAuth 2.0 Client Credentials from the Protect an Application list in the Duo Admin Panel.

We look forward to seeing what you protect with this new capability and invite you to share learnings and feedback with us. And if you want to learn more, check out our Duo + AWS Solution Brief.

Amazon + Duo Continue to Provide Zero-Trust Access in the Cloud
Ginger Leishman | https://duo.com/blog/amazon-duo-continue-to-provide-zero-trust-access-in-the-cloud | Product & Engineering

It is a truth universally acknowledged, that a single organization in possession of a good many applications, end users, and devices, must be in want of secure zero-trust access.

Adding to that complexity, many organizations still use the old method of a VPN to check a user’s identity once and then provide access to all applications, regardless of who the user is, what device they are using and what permissions they SHOULD have based on their role. VPNs weren’t designed to serve the increasingly remote workforce of today. They weren’t built with application-specific security controls, nor for the enormous scale (users and sessions) required today. This is especially true in sectors where employees are increasingly dependent on highly available, secure connectivity from anywhere, such as IT, education, and healthcare.

VPNs traditionally lack the modern security features needed to protect the workforce and data in our hybrid reality. Let us not forget that, on top of falling short on trusted access, VPNs also slow down productivity. It can take minutes for a user to connect to the network. Sometimes you even have to restart your laptop, and the fear of losing all your open tabs is real.

How do we then get around these challenges to provide secure access AND a great user experience?

Duo SSO + AWS Verified Access

About Duo SSO = Log in once, work everywhere

Single sign-on (SSO) from Duo provides users with an easy and consistent login experience for any and every application, whether in the cloud or on-premises. Cloud-based SSO is hosted by Duo, which makes it easy to set up and manage. It also features:

  • A user-friendly dashboard to manage all access policies and applications

  • Granular, per-application access policies that enforce security rules based on criteria like user, device health, location, and more

  • Vendor agnostic: works across cloud platforms and all applications, whether cloud-based or on-prem

  • Built on modern federation standards: SAML and OIDC

About AWS Verified Access

AWS Verified Access delivers secure access to private, corporate applications in AWS, without a VPN. Through continuous evaluation for each access request in real-time, AWS Verified Access evaluates contextual security signals like identity, device security status, and location and then grants access based on the configured security policy for each application. Built on zero-trust principles, AWS Verified Access enables the networking team to create, configure, and manage a fine-grained set of policies for private application access in AWS.

Together, admins can use Duo SSO + AWS Verified Access to protect applications, users and data while removing password fatigue. Employees will have one place to log in that supports multiple multi-factor options, including biometrics, security keys, and passwordless. Duo integrates with AWS Verified Access to check the user’s identity, location, device security posture and more before sending the user through AWS Verified Access to the organization’s private applications on AWS. The integration builds on zero-trust principles, ensuring only the right user at the right time has the right amount of access.

Both Duo SSO and AWS Verified Access are cloud-delivered services, making it very easy to set up and begin testing immediately.

Top use cases for Duo Single Sign-On (SSO) + AWS Verified Access

"Organizations are calling for security simplification and integration. With Cisco providing the data and signals needed for trust assessment with every authentication, AWS Verified Access can provide the consolidated, lightweight, secure access without needing an additional VPN. It’s ‘zero trust’ applied to the cloud environment from two strong security partners." - Wendy Nather, Head of Advisory CISOs, Cisco

Secure distributed users

No matter where a user is located, their access to private applications in AWS is based on zero-trust principles. Using AWS Verified Access, IT administrators can define policies and onboard new applications within minutes. AWS Verified Access integrates with Duo SSO to provide a single access dashboard with security contextual data like identity, location, and device security status that gives it the ability to set appropriate controls for granting application access. Go VPN-less!

Seamless user experience

Provide a simple and friendly access experience for users. Prevent password fatigue, since AWS Verified Access and the private applications behind it sit behind Duo SSO. Log in once for all applications, making the experience easy and consistent no matter which application users need to access.

Accelerate time to troubleshoot

AWS Verified Access evaluates each access request and logs all the requested data, including security signal input, using the information to authorize or deny requests. This provides visibility to the networking team into private application access requests, thereby enabling the team to quickly gather data and intelligence to direct a faster response.

Excited to learn more or get started with Duo SSO and AWS Verified Access? Here are a few resources:

6 Networking Tips for Building Connections at the Start of Your Career
Emily Samar | https://duo.com/blog/networking-tips-building-connections-start-of-career | Industry News

Whether you are someone who has access to a wide variety of professional resources or you are a first-generation college student, networking plays a large role in career success. This article addresses the importance of networking and shares tips for how early-in-career talent can build a professional network as you seek out your first, second, or third internship.

The importance of networking

Building a strong network can give you insight into industry trends, employment opportunities, and professional development resources. Networking can also elevate your career by helping you make lasting connections.

“It's 100% about who you know,” said Brandan Montgomery, program manager on the Cisco Secure Employee Experience Learning & Development team. One of the advantages of networking is building relationships that help you stand out and land a role that aligns with your career goals and interests. The relationships you build through networking can influence your career, creating opportunities for you to learn and assess your current competencies, providing a benchmark for where you can grow professionally.

Leveraging your professional network can also open many doors to help you get ahead in the application process.

6 tips for networking

While networking can help get your foot in the door, networking is a privilege and privilege comes in different shapes and sizes. For some, your network starts at birth. For others, your network may come to fruition in high school, college, or later in your career. For those who don’t have access to a wide network, getting creative and thinking outside the box can help you discover ways to build professional connections.

For those who are currently enrolled in a university or bootcamp, explore the professional services these institutions have to offer.

Actions you can take when exploring academic and professional services include:

  1. Visit your university’s academic resource center and talk with your academic advisor.

  2. Utilize your university’s career development office and meet with a career counselor.

  3. Ask your professors to connect you with folks who graduated from your current program.

  4. Become friends with your classmates! If you have a network, offer to make professional connections. If you are interested in building your network, connect with your peers and don’t be afraid to ask for help.

  5. Attend career fairs and hiring events that your school facilitates.

  6. Join an academic fraternity, sorority, club, or group.

Networking in your community

Another area to explore networking is through your community! Getting involved in your community is a great way to build connections personally and professionally.

  • Visit your community resource center or chamber of commerce to see what opportunities are available locally

  • Create a Meetup account; Meetup uses your personal and professional interests to help you explore opportunities to connect with like-minded individuals and discover company-sponsored events in your area

  • Research non-profit organizations that support early-in-career talent development. Below are a few examples of nonprofits Cisco Secure has partnered with and/or recommends:

    • Toastmasters, a nonprofit organization that coaches people on public speaking and leadership skills, is a great example of community offerings to explore in your region

    • Students Rising Above breaks down barriers for low-income and first-generation students; their work supports and invests in students from junior year in high school through college graduation, as well as into the workforce

    • Code2College does important work to increase the number of high school students from diverse backgrounds entering STEM education and careers

    • Technovation supports young women as they work in teams to code mobile apps that address real-world problems. Along the way, they develop collaboration, problem-solving and leadership skills

Making the connection

“Don’t be shy, shoot your shot,” said Veronica Toscano, Chief of Staff to the Chief Privacy Officer and Privacy Specialist at Cisco.

Following Toscano’s point, take bold steps to make connections. One quick and easy way to grow your network is by using LinkedIn. LinkedIn can help you discover industry leaders in your desired field and connect you to people who inspire you.

Before reaching out, create a short introductory script. This script can include a bit about yourself, how you found the person you’re contacting and why you’re contacting them. The why can include requesting an informational interview for you to learn about their role, company or their journey. The why can also ask for recommendations on reading materials and information to help you grow in your career. Whatever your why is, make sure to include it.

If you decide to connect in person or virtually, make sure to come with questions and talking points so you can make the best use of both parties' time. It says a lot about a person when they come prepared to a meeting. By putting your best foot forward, the person you’re connecting with can see you shine.

Bonus networking tip: Once your meeting is over, send a note thanking your new connection for their time and reflecting on a piece of information they shared with you that you plan on implementing. This demonstrates professionalism and good manners.

Maintaining your network

Maintaining your network doesn’t mean you have to reach out daily. An easy way to maintain your network is by checking in, asking follow-up questions and sharing updates on any major events that occurred since last you spoke. Another way is to share articles, learnings, and growth opportunities you’ve experienced that you think would excite your contacts.

Finally, if you and your new connection are working together to get a job within a certain company, share your hiring results! Your wins are their wins, and I can assure you that they will want to hear about your accomplishments.

Closing thoughts

At the end of the day, you are the only one who can take the steps to achieve your networking goals. The tips in this article will help you get started on building your professional network and provide resources to help you take action. By getting started and expanding your network, your future options multiply. Internships are another great way to build a professional network.

If you value growth and a hands-on learning experience, check out Duo's internship program!

<![CDATA[Announcing the General Availability of Verified Duo Push]]> hmullman@duo.com (Hannah Mullman) https://duo.com/blog/announcing-general-availability-duo-verified-push https://duo.com/blog/announcing-general-availability-duo-verified-push Product & Engineering

As attackers have figured out ways to get around traditional multi-factor authentication (MFA), Duo has continued to evolve to prevent fraudulent access and protect the workforce. Every day, users are inundated with notifications on their phones, and it can be difficult to appropriately respond to each buzz or alert. Some attack patterns, like push harassment, rely on the assumption that if you bother an end user enough times, they will eventually relent and accept the request.

In response to MFA fatigue and push-phishing attacks, we announced the Public Preview of Verified Duo Push in August of this year. Now, we are thrilled to announce the general availability of Verified Duo Push to all MFA, Access, and Beyond edition customers.

Making MFA More Secure

Verified Duo Push strengthens MFA security by adding friction to the authentication process. With a normal push request, an end user might absentmindedly tap ‘Approve,’ but a Verified Duo Push requires the user to enter a numeric code, shown on the login screen, before the authentication succeeds. If the request comes from a bad actor, the extra step gives the user more time to realize they should deny the request and mark it as fraud. The user also will not have the code, because it appears only on the screen that initiated the login, which creates another barrier to access if the request is not valid.

Lessons from Public Preview

During public preview, we learned a lot from the hundreds of customers who participated, and we have used that feedback to continue to evolve the user experience. Our initial implementation of Verified Duo Push required users to input a 6-digit code to make it difficult for attackers to guess the code correctly. However, customers wanted the option to customize the code length. With our GA release, the code length can be configured between 3 and 6 digits, depending on the preferred balance of security and end user experience; a shorter code is easier to read and type, but it raises the odds that a randomly entered code matches.
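The flow described above, reduced to a runnable toy: the code is generated server-side and shown only on the login screen, the phone can approve only by submitting that code, and guesses are capped. This is an added example for this post, not Duo’s implementation; the attempt limit, the lockout rule and every name in it are assumptions, and the probability helper is plain arithmetic on the code length.

```python
"""Toy model of a verified (number-matching) push flow.

Added as an illustration for this post; this is not Duo's implementation.
The attempt limit, the lockout rule and all names below are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PendingPush:
    user: str
    code: str               # displayed only on the login screen that triggered the push
    attempts_left: int
    state: str = "pending"  # pending | approved | denied | locked


class VerifiedPushService:
    """Server side of the flow: issues pushes and checks the code typed on the phone."""

    def __init__(self, code_length: int = 6, max_attempts: int = 3):
        if not 3 <= code_length <= 6:
            raise ValueError("code length must be between 3 and 6 digits")
        self.code_length = code_length
        self.max_attempts = max_attempts
        self._pending: dict[str, PendingPush] = {}

    def start_push(self, user: str) -> tuple[str, str]:
        """Called after the first factor succeeds. The returned code is rendered on
        the login screen; the phone only receives the push id, never the code."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.code_length))
        push_id = secrets.token_hex(8)
        self._pending[push_id] = PendingPush(user, code, self.max_attempts)
        return push_id, code

    def submit_code(self, push_id: str, entered: str) -> str:
        """Called from the phone. There is no approve-without-code path: a user who
        received a push they did not start has nothing valid to type here."""
        push = self._pending[push_id]
        if push.state != "pending":
            return push.state
        if hmac.compare_digest(push.code, entered):
            push.state = "approved"
        else:
            push.attempts_left -= 1
            if push.attempts_left == 0:
                push.state = "locked"  # stop the guessing; the login has to start over
        return push.state

    def deny(self, push_id: str) -> str:
        """Called from the phone when the user did not initiate the login."""
        push = self._pending[push_id]
        if push.state == "pending":
            push.state = "denied"
        return push.state


def guess_success_probability(code_length: int, attempts: int) -> float:
    """Chance that codes entered at random match within the allowed attempts."""
    return attempts / 10 ** code_length


def wrong_code(code: str) -> str:
    """Deterministically produce a code that differs from the real one (for the demo)."""
    return code[:-1] + str((int(code[-1]) + 1) % 10)


if __name__ == "__main__":
    svc = VerifiedPushService(code_length=6)
    # Legitimate login: the user reads the code from the screen and types it on the phone.
    pid, code = svc.start_push("alice")
    print("legit:", svc.submit_code(pid, code))
    # Attacker-initiated push (push harassment): the victim never saw a code, so the
    # only outcomes are a denial or a lockout after repeated wrong entries.
    pid, code = svc.start_push("alice")
    print("denied:", svc.deny(pid))
    pid, code = svc.start_push("alice")
    state = "pending"
    for _ in range(3):
        state = svc.submit_code(pid, wrong_code(code))
    print("after 3 bad guesses:", state)
    for n in (3, 4, 6):
        print(n, "digits, 3 attempts:", guess_success_probability(n, 3))
```

The point the model makes is structural: because approval is only ever the result of a correct code, a push the user did not trigger cannot be waved through by a reflexive tap. The check a practitioner would still add is social-engineering awareness, since the one way around number matching is convincing the user to read the code from the attacker’s screen and type it in.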

Verified Duo Push helps strengthen the initial promise of MFA, even in light of new and emerging push attacks. Duo already supports FIDO2 authenticators, which offer the strongest protection against MFA-based attacks. But we know that rolling this out across an organization is a journey, and Verified Duo Push can help along the way. This is highlighted by a recent CISA fact sheet that recommends number matching, the technique behind Verified Duo Push, for organizations that cannot yet deploy phishing-resistant MFA.

However, some organizations might struggle to get organizational buy-in to add friction for every login. As an alternative approach, Duo’s new Risk-Based Authentication solution only steps up to the more secure method when risk signals in the environment indicate there are potential threats. Whether security teams enable Verified Duo Push for all users or through a risk-based approach, organizations can make the decision based on their risk appetite and needs.

As we continue to add to our Risk-Based Authentication policy stack, we know that Verified Duo Push will continue to play a big role in keeping users and organizations safe. Verified Duo Push is one step in customers’ security journey and Duo will continue to work towards the balance of protecting customers and providing a good user experience.

<![CDATA[3 Lessons From Gartner Peer Insight’s Hybrid Work Survey]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/lessons-from-gartner-peer-insight-hybrid-work-survey https://duo.com/blog/lessons-from-gartner-peer-insight-hybrid-work-survey Industry News

Gartner Peer Insights and Cisco surveyed 100 network, IT, and security experts who evaluate or purchase cybersecurity and identity management tools to understand what they value and prioritize in today’s evolving threat landscape. One trend from this survey is clear: Hybrid work is here to stay. That means security leaders must continue to find better ways to secure access to corporate resources, without stopping employees from doing their jobs.

So, what can we learn from these survey results? Here are the 3 key challenges that security experts must navigate:

1. Managing a larger attack surface

Hybrid work means that employees are still logging in from the corporate network, but they are also logging in at home, on various devices, and from changing locations. When companies had to manage one corporate device in one location, it was easier to differentiate between risky and normal user behavior. As the attack surface has grown, and with it the number of potential risk signals, it has become difficult for security teams to manage these new risks.

One approach companies can take to improve their security posture is to put controls in place to prevent bad actors from gaining access. This includes using multi-factor authentication to protect user accounts, using device trust policies to assess device health and control access across managed and unmanaged devices, and setting up remote access policies to protect applications, regardless of user location.

2. Balancing risk signals and privacy

Organizations can evaluate risk in the environment by tracking contextual signals to determine if there is any anomalous activity. However, analyzing risky behavior can lead to violating individuals’ privacy if those signals are too intrusive.

In Duo’s new Risk-Based Authentication solution, we have developed a new risk signal, called Wi-Fi Fingerprint, to evaluate changes in location without invading the user’s privacy. Wi-Fi Fingerprint turns the Wi-Fi network information visible to the device into a new data point that does not reveal where the user is. Duo then compares current and past Wi-Fi Fingerprint data points to determine the risk level, without ever learning the user’s actual location.
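One way a fingerprint with these properties can be built, as an added example for this post: each nearby access point identifier is replaced by a keyed hash computed with a key that stays on the device, so the server can measure how much two fingerprints overlap without being able to map the tokens back to access points or a place. This is not Duo’s Wi-Fi Fingerprint implementation; the keyed-hash construction, the device-held key, the overlap threshold and the sample BSSIDs are all assumptions.

```python
"""Privacy-preserving Wi-Fi fingerprint comparison.

Added as an illustration of the idea in the post; it is not Duo's Wi-Fi
Fingerprint implementation. The keyed-hash construction, the device-held key,
the Jaccard threshold and the sample BSSIDs are all assumptions.
"""
import hashlib
import hmac


def fingerprint(bssids, device_key: bytes) -> frozenset:
    """Replace each nearby access-point BSSID with a truncated HMAC-SHA256 token.
    The key never leaves the device, so the server can compare fingerprints but
    cannot turn the tokens back into access points, and so cannot resolve a location."""
    return frozenset(
        hmac.new(device_key, b.lower().encode(), hashlib.sha256).hexdigest()[:16]
        for b in bssids
    )


def similarity(a: frozenset, b: frozenset) -> float:
    """Jaccard overlap: 1.0 means identical surroundings, 0.0 means nothing in common."""
    if not a and not b:
        return 0.0  # no Wi-Fi visible on either side tells us nothing; treat as no match
    return len(a & b) / len(a | b)


def location_risk(current: frozenset, history, threshold: float = 0.5) -> str:
    """Compare the current fingerprint to the user's past ones. A close match means
    the user is somewhere they have been before; none means an unfamiliar place."""
    best = max((similarity(current, h) for h in history), default=0.0)
    return "low" if best >= threshold else "elevated"


# Constructed sample data: locally administered MAC addresses that exist nowhere real.
DEVICE_KEY = b"per-device-secret-kept-in-the-app"  # assumption: generated on enrolment
OFFICE = ["02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"]
HOME = ["02:00:00:00:00:10", "02:00:00:00:00:11"]
UNKNOWN = ["02:00:00:00:00:20", "02:00:00:00:00:21"]

# What the server keeps for this user: opaque tokens, never the BSSIDs above.
HISTORY = [fingerprint(OFFICE, DEVICE_KEY), fingerprint(HOME, DEVICE_KEY)]

if __name__ == "__main__":
    # Same office, one access point replaced since last time: still a familiar place.
    office_today = OFFICE[:2] + ["02:00:00:00:00:04"]
    print(location_risk(fingerprint(office_today, DEVICE_KEY), HISTORY))
    print(location_risk(fingerprint(UNKNOWN, DEVICE_KEY), HISTORY))
    print(sorted(HISTORY[0]))
```

Two design points matter here. Hashing each BSSID separately, rather than the whole set at once, is what lets partial overlap count, so one replaced access point does not look like a new location. And the key has to stay on the device: a server that held it could hash a public access-point database and recover locations from the tokens, which would defeat the purpose. A device with Wi-Fi off yields an empty fingerprint, which this toy treats as an unfamiliar location; a production signal would fall back to other context rather than treat that as risk on its own.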

3. Making it easy for trusted users

Ultimately, security teams want to make it difficult for bad actors to gain access, but don’t want to get in the way of trusted users doing their jobs. However, if a company cannot differentiate between a low- and a high-risk scenario, it cannot make it easier for trusted users to log in. Duo’s new Risk-Based Remembered Devices policy allows users to gain access to corporate resources automatically when risk is low, and revokes that trust and requires re-authentication if there is a change in behavior.

This allows security teams to feel confident about allowing their users to have longer sessions, and authenticate less frequently, without sacrificing security.

Want to learn more about securing hybrid work?

It is clear that the nature of work is rapidly changing. Security teams face a variety of new challenges as they seek to defend a larger attack surface against an evolving threat landscape. Duo is here to partner with organizations to help them achieve their security goals, without preventing trusted users from doing their job.

To learn more, check out the Gartner Peer Insights Survey Results.

<![CDATA[Spot the Difference Between Suspicious & Legitimate Authentications With Duo Trust Monitor]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/spot-difference-between-suspicious-legitimate-authentications-duo-trust-monitor https://duo.com/blog/spot-difference-between-suspicious-legitimate-authentications-duo-trust-monitor Product & Engineering

If you’ve ever worked a long day (and we all have at some point), you’ve probably taken a pause to give your brain a break. Some of us prefer to do nothing, while others like to keep their mind engaged and play a game. One of the more popular games over the years not named Wordle has been Spot the Difference. For the uninitiated, Spot the Difference is a puzzle game that presents you with two similar images, one of which has been altered slightly, and challenges you to identify the differences between the two. Finding the differences can be a real test of one’s patience and ability to concentrate on details.

As fun as that sounds, if you’re a Cybersecurity Analyst, you may be doing something similar; searching through mountains of log data to find something different that could be a potential threat to your organization. This can be tedious and time-consuming. To illustrate the point, we’ll focus on a particular type of event that generates logs: user authentications (aka “logins”). Every time one of your employees logs into the network or an application, an auth log is created. Depending on the size of your organization this could result in thousands of new logs each day. There goes your break time.

Identifying “different” authentications

Searching through auth logs to identify a login that looks suspicious is one thing. But how do you know if it’s truly different and poses a threat? To understand that, you need visibility into both normal and anomalous authentications. If you don’t know what a normal, or “expected,” login looks like, it’s hard to spot the difference between them. This requires creating a baseline authentication profile against which other logins are compared. Doing so will help you spot the difference(s) between the two and identify suspicious auths that could spell trouble.

But what happens if you don’t have the time to search through log data for atypical access attempts? Well, bad things possibly. One is account takeover using compromised credentials, where the cybercriminal has stolen someone’s username and password. Based on responses in the IBM Security Cost of a Data Breach Report 2022, stolen or compromised credentials were the most common initial attack vector, responsible for 19% of breaches, with an average breach cost of US $4.5M.

Another is insider access abuse, or privilege misuse. Findings from the Verizon 2022 Data Breach Investigations Report indicate the attacker is typically an employee who uses their legitimate credentials to access a privileged account to steal data, often for financial gain. While this doesn’t paint a pretty picture, the signs for identifying anomalous logins that could lead to a data breach are there. You just need the right tool to surface them.

See the signs with Duo Trust Monitor

So, what are the signs to look for? Here are a few along with some questions to consider:

  • The User – Is the person a current employee? Are they part of a group with privileged access?

  • The Auth Location – Do we have employees working in this country?

  • The Auth Time – Do we expect people to be accessing data or applications at 3:00am?

  • The Device – Is the authentication from a Windows device but our employees use Macs?

  • The Application – Does the user need access to this app to do their job?

Duo provides a tool to help you see the signs and “spot the difference” between authentication attempts. Duo Trust Monitor is an advanced anomaly detection feature that does the work of searching for risky authentications for you. It ingests the authentication logs Duo collects for your environment and runs them through proprietary machine learning algorithms.

The algorithms set a baseline of normal user and device activity. Using this baseline, Trust Monitor compares future authentication attempts against it and highlights anomalous or risky login attempts in the form of a security event. With just a few clicks, administrators can create a Risk Profile for the organization that prioritizes and surfaces security events that match profile elements. For example, you may want to keep a closer eye on authentications related to certain Duo-protected apps, specific user groups or countries. Security events that deviate from the Risk Profile are given more weight and appear at the top of the Security Events board with a yellow shield designation that provides an explanation of the connection between the event and the Risk Profile.

Can I get some context here please?

I’ve touched a bit on the “What” and “How” of Trust Monitor and its ability to surface atypical logins, but let’s take a closer look at the “Why.” Why is a particular authentication considered anomalous? The answer has to do with context. While there are other risk analytics tools on the market, many focus on a single model like novelty, which looks for a variable that’s new, such as a new device or an application that’s being accessed for the first time. This approach is simplistic and doesn’t offer much context into the access attempt. Basing a decision on one model alone can lead to an increase in false positives.

Trust Monitor on the other hand takes a more holistic view of each authentication using contextual analysis. By analyzing historical login data across multiple models and variables, Trust Monitor is able to provide a much richer picture of the access attempt, enabling administrators to make a more informed decision as to whether it is legitimate or suspicious and requires action. Let’s take a look at some examples:

  • Security Event: The VP of Sales is accessing the company’s CRM app at 4:00 a.m.

  • Analysis: In this case Trust Monitor analyzes the application being accessed together with the timestamp. Is it unusual for the VP of Sales to access customer information? No. Is the timing unexpected? Hopefully. A solution focused only on rarity would flag this event as risky on the timestamp alone; the application context, that this user routinely works with customer data, is what keeps a single odd variable from becoming a strong signal.

  • Security Event: Someone is requesting access to a sensitive app from a Windows device using an unusual multifactor authentication method (SMS).

  • Analysis: Here we have three variables flagged. The organization uses macOS devices, not Windows. Also, the user has not accessed the app for six months and a push notification is their preferred authentication method, not an SMS text. These three together are a strong indication that this is a fraudulent authentication attempt.

  • Security Event: A Marketing manager is traveling to an event in another country and needs to access email.

  • Analysis: Without the right context, this access attempt could be marked as suspicious based on location, timestamp and a new device IP. However, we know there is a big event happening overseas, so it’s not unusual to see these three variables associated with this user, and therefore we can dismiss the event.
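The three cases above, run through a small scorer over a constructed authentication log, as an added example for this post. It shows the contrast the post draws: a novelty-only check raises an event on any single new variable, while a contextual score counts how many variables deviate together, adds weight when the event touches something in the risk profile, and lets analyst context (a known trip) suppress a location deviation. This is not Duo Trust Monitor’s algorithm; the variables, the 180-day dormancy window, the weights, the thresholds, the risk profile and the log lines are all assumptions.

```python
"""Multi-variable scoring of authentication events against a per-user baseline.

Added to illustrate the post's single-model versus contextual comparison; this is
not Duo Trust Monitor's algorithm. The variables, the 180-day dormancy window, the
weights, the thresholds and the sample log lines are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: (user, app, os, factor, country, timestamp in UTC).
HISTORY = [
    ("vp.sales", "crm",     "macos", "push", "US", "2022-09-01T15:10:00"),
    ("vp.sales", "crm",     "macos", "push", "US", "2022-09-02T14:05:00"),
    ("vp.sales", "crm",     "macos", "push", "US", "2022-09-06T16:40:00"),
    ("vp.sales", "crm",     "macos", "push", "US", "2022-09-07T13:30:00"),
    ("j.doe",    "payroll", "macos", "push", "US", "2022-03-15T10:00:00"),
    ("j.doe",    "email",   "macos", "push", "US", "2022-09-20T09:00:00"),
    ("m.mgr",    "email",   "macos", "push", "US", "2022-09-21T09:30:00"),
]


def build_baseline(events):
    """Per user: the OSes, factors, countries and hours seen so far, plus the last
    time each application was accessed."""
    base = defaultdict(lambda: {"os": set(), "factor": set(), "country": set(),
                                "hours": set(), "last_app": {}})
    for user, app, os_, factor, country, ts in events:
        when = datetime.fromisoformat(ts)
        b = base[user]
        b["os"].add(os_)
        b["factor"].add(factor)
        b["country"].add(country)
        b["hours"].add(when.hour)
        b["last_app"][app] = max(b["last_app"].get(app, when), when)
    return base


def deviations(event, baseline, expected_travel=None):
    """Every variable on which this event departs from the user's baseline."""
    user, app, os_, factor, country, ts = event
    when = datetime.fromisoformat(ts)
    b = baseline[user]  # KeyError for an unknown user: treat upstream as 'new user'
    out = []
    if os_ not in b["os"]:
        out.append("new OS")
    if factor not in b["factor"]:
        out.append("unusual factor")
    if country not in b["country"] and country not in (expected_travel or {}).get(user, ()):
        out.append("new country")  # analyst-supplied travel context suppresses this
    if when.hour not in b["hours"]:
        out.append("unusual hour")
    last = b["last_app"].get(app)
    if last is None:
        out.append("new app")
    elif when - last > timedelta(days=180):
        out.append("app dormant >180 days")
    return out


def novelty_only(event, baseline, expected_travel=None) -> bool:
    """Single-model approach: any one new variable raises an event."""
    return bool(deviations(event, baseline, expected_travel))


def contextual_score(event, baseline, risk_profile=None, expected_travel=None):
    """Multi-variable approach: weigh how many variables deviate together, and add
    weight when the event touches an app or country the risk profile watches."""
    reasons = deviations(event, baseline, expected_travel)
    weight = len(reasons)
    profile = risk_profile or {}
    if reasons and (event[1] in profile.get("apps", ()) or event[4] in profile.get("countries", ())):
        weight += 1
        reasons.append("matches risk profile")
    level = "normal" if weight == 0 else "low" if weight == 1 else "high"
    return level, reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    profile = {"apps": {"payroll"}, "countries": set()}
    # 1. VP of Sales in the CRM at 04:00: a single deviating variable.
    vp = ("vp.sales", "crm", "macos", "push", "US", "2022-09-08T04:00:00")
    print(novelty_only(vp, base), contextual_score(vp, base, profile))
    # 2. Dormant sensitive app, unfamiliar OS and an SMS factor, all at once.
    doe = ("j.doe", "payroll", "windows", "sms", "US", "2022-09-22T10:00:00")
    print(novelty_only(doe, base), contextual_score(doe, base, profile))
    # 3. Marketing manager abroad: a new country, unless the trip is known.
    mgr = ("m.mgr", "email", "macos", "push", "DE", "2022-09-25T09:30:00")
    print(contextual_score(mgr, base, profile))
    print(contextual_score(mgr, base, profile, expected_travel={"m.mgr": {"DE"}}))
```

The thresholds are deliberately crude; what carries over to a real deployment is the shape of the decision: one odd variable is a weak signal, several at once on a sensitive application is a strong one, and known context should be able to retire an event rather than leaving an analyst to dismiss it by hand every time.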

The goal of any risk analytics tool is to surface potential threats so that organizations can step up or step down their security policies to shore up any gaps. By providing contextual analysis, Duo Trust Monitor helps you spot the difference between legitimate and fraudulent access attempts while limiting false positives. Trust Monitor is included in our Access and Beyond edition subscriptions. It’s also integrated into the Cisco SecureX ecosystem so that you can access Trust Monitor telemetry data from the SecureX dashboard for enhanced threat intelligence. And, if you already have a SIEM (Security Information and Event Management) solution, you can export Trust Monitor security event data directly to your favorite SIEM via API.

If you’d like to try Trust Monitor and experience how Duo can help you spot the difference between legitimate and suspicious access events that could be potential threats, sign up for a free 30-day trial.

<![CDATA[Announcing General Availability of Duo’s Device Health App-Based Manual Integration Feature for Trusted Endpoints]]> shilv@cisco.com (Shilpa P. Viswambharan) https://duo.com/blog/general-availability-duo-device-health-app-based-manual-integration-feature-trusted-endpoints https://duo.com/blog/general-availability-duo-device-health-app-based-manual-integration-feature-trusted-endpoints Product & Engineering

Today we announce the general availability of Duo’s manual integration feature based on the Duo Device Health Application. The manual integration feature allows IT administrators to manage devices that are not present in an enterprise device management system, such as bring-your-own devices (BYOD) and contractor-owned devices. The manual integration feature also provides an easy way to upload a device inventory, add a single device, or delete and edit device information via the Duo Admin Panel. Furthermore, the administrator can view the list of devices added via manual integration in the Duo Admin Panel. This feature is available to all Duo Beyond edition customers.

Use Cases

We recommend using the mobile device management (MDM)-based integration for devices that are present in an MDM supported by Duo. For non-corporate managed devices – such as contractor, partner or vendor devices – and for BYOD devices, we recommend using the Manual Integration to add the devices to Duo Device inventory via the Duo admin panel. This feature also allows you to upload a CSV file containing device identifiers, a description and a trust expiration date.

Trust Expiration Date

The trust expiration date helps you define the duration for which the device is considered trusted. After this date, the device is considered ‘untrusted’ and not allowed to access enterprise data. This ensures that you can control the time period during which a particular device gets access to enterprise data.

A trusted device expires at 00:00:00 UTC on the chosen expiration date. Expired devices are not removed from the inventory, but they are no longer trusted: they are treated the same as a device that was never added to the inventory. They are also shown with an “Expired” label in the table to indicate that they have expired.
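A pre-flight check for an inventory CSV before uploading it, added here as an example; it is not Duo’s import tooling. The column names (device_id, description, trust_expiration), the YYYY-MM-DD date format and the sample rows are assumptions. What it does take from the post is the expiry rule: trust ends at 00:00:00 UTC on the chosen date, and an already-expired row is still valid inventory, just untrusted.

```python
"""Pre-flight check for a manual-integration device inventory CSV.

Added as an example for this post; it is not Duo's own import tooling. The column
names, the date format and the sample rows are assumptions. The expiry rule (trust
ends at 00:00:00 UTC on the chosen date; expired devices stay in the inventory but
are not trusted) is the one the post describes.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample file; the identifiers are placeholders, not real device IDs.
SAMPLE_CSV = """device_id,description,trust_expiration
dev-contractor-0001,Contractor laptop (macOS),2023-01-01
dev-byod-0002,Personal Windows laptop,2022-12-15
dev-byod-0002,Duplicate row,2023-03-01
dev-vendor-0003,Vendor device,15/01/2023
,Missing identifier,2023-02-01
"""


def utc(year, month, day, hour=0, minute=0, second=0) -> datetime:
    """Timezone-aware UTC timestamp helper."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_expiry(text: str) -> datetime:
    """The chosen calendar date, pinned to midnight UTC as the post describes."""
    return datetime.strptime(text.strip(), "%Y-%m-%d").replace(tzinfo=timezone.utc)


def trust_state(expires_at: datetime, now: datetime) -> str:
    """Trusted strictly before the expiry instant; expired from 00:00:00 UTC onwards."""
    return "trusted" if now < expires_at else "expired"


def validate_inventory(csv_text: str, now: datetime):
    """Return (accepted rows, rejected rows). Rejects blank IDs, duplicate IDs and
    dates that cannot be parsed. Rows already past expiry are accepted but labelled,
    since the inventory keeps them and only withholds trust."""
    accepted, rejected, seen = [], [], set()
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        device_id = (row.get("device_id") or "").strip()
        if not device_id:
            rejected.append((line_no, "empty device_id"))
            continue
        if device_id in seen:
            rejected.append((line_no, f"duplicate device_id {device_id}"))
            continue
        try:
            expires_at = parse_expiry(row.get("trust_expiration") or "")
        except ValueError:
            rejected.append((line_no, f"bad trust_expiration {row.get('trust_expiration')!r}"))
            continue
        seen.add(device_id)
        accepted.append({
            "device_id": device_id,
            "description": (row.get("description") or "").strip(),
            "expires_at": expires_at,
            "state": trust_state(expires_at, now),
        })
    return accepted, rejected


if __name__ == "__main__":
    now = utc(2022, 12, 20, 12, 0, 0)
    ok, bad = validate_inventory(SAMPLE_CSV, now)
    for row in ok:
        print(row["device_id"], row["expires_at"].date(), row["state"])
    for line_no, why in bad:
        print(f"line {line_no}: {why}")
```

The boundary is the detail worth checking in your own tooling: a device given an expiration of 2023-01-01 is trusted at 23:59:59 UTC on December 31 and untrusted one second later, so an administrator in a western time zone should expect trust to lapse the evening before the date they typed.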

What is the Duo Trusted Endpoints feature?

Duo's Trusted Endpoints feature secures your sensitive applications by ensuring that only known devices can access Duo-protected services. When a user authenticates via the Duo Prompt, we'll compare device identifiers collected by the Duo Device Health application installed on that endpoint with the identifiers of known Windows and macOS devices stored in Duo. You can monitor access to your applications from managed and unmanaged devices, and optionally block access from devices not managed by your organization.

This feature is only available to Duo Beyond tier customers.


To use the manual integration feature, you will need to know the unique device identifier for each Windows, macOS or Linux device that you plan to add. We have provided helpful information and a script that will help you retrieve this identifier.

You will also need to install the Duo Device Health App on the end user's desktop or laptop for it to work with a trusted endpoint.


1.  In the Duo Admin Panel, select “Add Integration”

2.  Scroll down to “Manual Integration”, select the operating system of the end user device, then click “Add”; if you need help retrieving the unique device identifier, click “How to Retrieve Device IDs” on that page

3.  Provide the device identifier, the trust expiration date and, optionally, a device description

4.  Click “Add devices to inventory”; the device is added to the Duo Device Cache

5.  Finally, change the integration status to “Active” to turn on this integration for all devices; alternatively, test this feature with a group of devices prior to activating it for all of them

To learn more, see Duo Documentation, and to learn more about the other trusted endpoint integrations, visit the trusted endpoints documentation page. We look forward to hearing your feedback.

You can also take a look at our Trusted Endpoints Knowledge Base articles or community discussions. For further assistance, contact Support.

All Duo customers have access to Level Up, our online learning platform offering courses on a variety of Duo administration topics. To access Level Up content, sign in with the same email address you use to sign into the Duo Admin Panel.

<![CDATA[Working From Anywhere With Purpose and Openness]]> mkschmermund@duo.com (Mary Kate) https://duo.com/blog/working-from-anywhere-with-purpose-openness https://duo.com/blog/working-from-anywhere-with-purpose-openness Industry News

Esther Kho is no stranger to taking leaps. Joining Duo in 2017 as a customer success manager, Kho now leads the Managed Service Provider (MSP) team. Kho’s lived around the world and after 18 years in London, she was ready for another adventure. With Cisco’s support, Kho recently relocated to Austin, TX where she’s delighting in warmer weather. Driven by Duo’s mission of democratizing security and Cisco’s culture of openness and empowerment, Kho shares her experiences and advice for working from anywhere.

Product that fulfills a need + Strong team culture = Fulfilling job

What do you like most about working here?

Esther Kho: Besides the amazing people, what I love most is that Duo serves a real purpose and makes a real difference by fulfilling a need for our customers and partners. We’re not trying to create a problem just so we can sell our product to solve for it.

Duo has also stayed true to welcoming people of all backgrounds. It’s very much a case of, “We want you to be different. We don’t want you to be coming from the same places that everyone else comes from, because you bring your own unique spin on everything.”

In your current role, what are your typical goals and day-to-day?

Esther Kho: I currently lead Duo’s MSP team. This is a team of 20 people consisting of MSP partner managers spread out across the U.S., London, and Sydney, as well as the MSP business development, go-to-market and MSP sales operations teams, which are each led by incredible first-line managers. Apart from the typical sales goal of “grow the numbers to hit that target,” what drives me is removing blockers for the team so that they can succeed, and that they can do so in a way that aligns with their values and personal goals.

This has been the most fulfilling role that I’ve ever, ever had, and the team is an amazing collection of authentic, collaborative, ambitious and supportive people driven by integrity. This applies to not only my core team, but also the MSP solutions engineers, account development representatives, marketing managers, and teams and leaders I work with on a daily basis.

The people manager’s role can be challenging because you think it’s a simple assignment: I have the business goals. I know as a sales leader I have to grow the MSP business. But now we have to figure out who the right people are to do that, what they need, what drives them to make sure that we’re giving them the space to highlight their strengths, what processes need to be in place and who the stakeholders outside of the team are…then also not forgetting that it is people that we’re working with. Everyone thinks and operates differently, and we do have a limit as to how much we can ask of anyone before burnout creeps in. Yes, we’re all in sales but as people leaders — and peers, and co-workers in general — our responsibility should be to the well-being of the team. If they’re in a good position and have what they need, the numbers will follow.

Growing as a manager

As a manager, how have you found support?

Esther Kho: A lot of it is from my leader, Ryan Franks, the director of global partner sales and business development for Duo. He’s an amazing leader and everyone in his org is incredibly fortunate to have him at the helm...

When I moved into my role, one of my biggest challenges was going from being a peer to being a manager of that peer group. In some ways that’s great because I know and trust the people around me. But it’s also really hard suddenly being the manager of people that you used to share all the everyday struggles with at the same level and re-learning the appropriate level of involvement — taking a step back in certain situations took a lot of getting used to. And sometimes I still catch myself trying to problem-solve for someone, rather than coaching them along their own problem-solving path.

Duo’s values center around engineering the business, assuming positive intent and learning together. This is reflected in the culture, and I have a safe space in my leadership, peer group and team to be able to ask questions, be vulnerable and not have to pretend to know all the answers at the drop of a hat. I also recognized that I wouldn’t be the only person moving from a peer to manager role, so I created an online channel for those of us in similar situations to work through challenges that we share.

The Learning and Development team at Duo is also great at highlighting resources, books and courses that will help you be a better leader as a person, and also from a process perspective.

How has Duo supported your professional growth?

Esther Kho: A former leader instilled a lot of confidence in our team. He would say, “You own this, and this is what you can do, so don’t sell yourself short.” That’s been a huge part of the culture that we have. When I speak to other leaders and I hear about some of the challenges that they face, it is very much, "We fight for what is right, and we fight for what is best for our people."

Sunnier skies

What prompted you to move from London to Austin?

Esther Kho: I’m originally from the Netherlands, but I grew up in Singapore and then South Africa, then moved to London, moved to Melbourne for 18 months, and then came back to London. So the move to Austin was me thinking it was time for a change, time for the next chapter, and I was lucky enough to be able to do that with work.

One huge driver was that my boyfriend lives here. We did long distance for a year or so and then I started looking into moving over. Everything was pretty much set for me to apply for my work visa, and then COVID happened. It just added a couple of years to the whole process, but at least it showed us that the relationship could survive long-distance (now we just need to make sure we can survive without the distance)!

Pre-COVID the MSP team was headquartered in Austin, so it also made sense for me if I wanted to be closer to the rest of the team. By the time I relocated, about 85% of my meetings were with co-workers in the U.S. so not moving also wasn’t sustainable with the time zone differences.

What has challenged you about relocating to Austin?

Esther Kho: One of the most challenging parts of moving over — apart from leaving family and friends behind and getting used to wearing sunglasses 90% of the time — was getting to grips with the tax and healthcare systems in the U.S.

The tax system here can be incredibly lucrative if you’re on top of it, and a little dangerous if you’re not. There are a multitude of accounts to set up and contribute to (401k, various types of IRAs, HSA) and even after you’re set up, there are a ton of things you can do to make sure you’re maximizing your money, so it’s both good and bad!

In terms of the healthcare system, coming from the U.K., where you register with the National Health Service and can walk into a doctor’s office or hospital without having to worry about paying, this was a big one to wrap my head around. I’ve heard horror stories of people accidentally being sent to hospitals outside of network and incurring thousands in bills, so it’s definitely something I triple-check whenever I make any appointments now.

Want to work from anywhere? Just go for it

How has Cisco supported your relocation?

Esther Kho: Another huge call-out to the Duo leadership team for making this possible. Additionally, Carl Walton on Cisco’s Employee Mobility Team is really good and clear on the process. He’s amazing because he understands what needs to happen, but he also empathizes with the frustrations that people have when they realize, “Hey, this is a huge life change for me.” He was very patient, very understanding and very much a therapist at certain points in time with all the COVID delays.

Cisco works with Fragomen for legal support on the visa process, and they are so responsive. They never made me feel like any of my questions were silly when I felt daunted or overwhelmed and thought, “This is a 20-page questionnaire, and one mistake could blow it all to smithereens.” Their approach is just, “We totally get it. You want to get it right the first time around. Don’t worry if you don’t, because we will be checking over everything, and we’ll follow up if anything needs changing or clarifying.” Knowing that we have a team at Cisco that does this day in, day out, and helps people like this is really reassuring.

What advice do you have for others who want to move and work in a new region?

Esther Kho: If it’s possible, and if it’s the right time, Cisco has the resources to help make it happen. There are so many what ifs like, “What if I hate the city or the country? What if something doesn’t work out?” The answer can generally be answered with, “Well, then at least you know.”

Nothing is permanent. If you hate it, you can always go back or try somewhere else. It’s a big decision, but it doesn’t have to be something set in stone if it turns out it wasn’t the right move for you.

Just go for it. Don’t be afraid to ask the question of, “Hey, Cisco, what needs to happen to make this possible?” Your manager is definitely the right person because they’ll kick off the process with Employee Mobility. Like anything in life, it’s always worth asking the question. In Dutch we have a saying, “Nee heb je, ja kun je krijgen” that my dad loves to throw at me whenever I’m at a junction — it means “you have a no, but you could get a yes.”

Are you ready to work from anywhere?

If you’re energized by making a difference and working from anywhere, check out our open positions.

How to Start Your Passwordless Journey: Enable Flexible Authentication Options
By Chris Demundo (cdemundo@cisco.com), Product & Engineering
https://duo.com/blog/start-your-passwordless-journey-flexible-authentication-options

If you already read our first post about getting started on your passwordless journey, you’ve already learned about the importance of cataloging the applications in your environment and building a plan around them.

Once you’ve done that though, a critical next step is answering this question: Once you remove the password, what exactly are users going to use to authenticate?

Evaluating your authentication options

Duo has always focused on providing a variety of authentication options for end users.  We understand that your business needs often determine what factors are possible to use, and we designed our product to meet those requirements.

However, for 2FA, we do have strong opinions on the security value of different authenticators. You can see this reflected in how we present authentication registration options to end users in our Universal Prompt!  Our end goal is helping you encourage end users to enroll the most secure factors: FIDO2-backed biometrics or security keys.

However, we also recognize that this may not be feasible for your organization. In fact, you may have spent the last few years just focusing on getting your users away from things like SMS and Phone Calls and looking at biometrics is a significant uphill climb! This is why we provide a variety of other more flexible factors, including Verified Push, which is designed to increase the security of our most common authentication method, Duo Push.

Finally, we advocate actively evaluating the context of each authentication using Risk-Based Authentication (RBA), which can dynamically determine what authenticator types are appropriate given the risk of a specific authentication.

For passwordless, however, we have even stronger opinions. A passwordless authentication must always still be a true multifactor authentication. This means only certain factors, like FIDO2-backed biometrics and security keys or Duo Push for Passwordless, are appropriate in a passwordless context.

Choosing the right authentication for your organization

So how can you think about deploying these in your environment?

First, start by evaluating what FIDO2 options are available in your environment today that you may not be leveraging:

  • Biometric-Capable Devices: Many organizations are already buying laptops that are biometric-capable, but do not have a process instituted to actually get users to enroll in them! We’ve seen customers in our preview drive biometric adoption from low numbers to a high majority of end users simply by focusing on this problem alone.

  • Security Keys: If you’re already spending on hardware tokens, evaluate the potential to leverage FIDO2-capable security keys instead. Duo’s solution allows for seamless self-service enrollment of security keys leveraging our Self-Service Portal, which reduces the management overhead you may be familiar with from older hardware tokens. 

  • Duo Mobile: Leverage Duo Mobile for Passwordless! We recognize many customers rely on mobile devices as a critical part of their authenticator strategy for 2FA today and we don’t expect this to change right away in a passwordless world.

Second, start with a small set of users and build a plan around them.  Duo’s Device Insights can help you identify users already leveraging modern authenticators or Duo Mobile in your environment today.

If you don’t have a ready set of users with authenticators, you can consider purchasing a set of Yubikeys and doing a pilot or enabling Windows Hello for a group of users. In many cases, we’ve found customers’ help desk processes are built around password-based use cases, and there are things you have to consider and plan for in a passwordless world that may not be top of mind today. Starting with a small group can help you iron these out before scaling to your wider organization.

Available Now! Passwordless Authentication Is Just a Tap Away
By Ganesh Umapathy (gumapathy@duo.com), Product & Engineering
https://duo.com/blog/passwordless-authentication-is-just-tap-away

We are excited to announce that Duo Passwordless is now generally available across all Duo Editions. Read our announcement to get the full scoop.

In this post we’ll go over how we are enabling organizations to use Duo Mobile authenticator app for passwordless authentication using a more secure version of Duo Push.

Why we’re excited about passwordless authentication

How Passwordless Authentication with Duo Mobile works

Duo Mobile for passwordless authentication is inherently multi-factor authentication (MFA). Duo Push notification for passwordless logins requires a screen unlock (biometric or PIN) of the mobile device to approve the request. In this flow, the user proves “something you are” (biometric) and “something you have” (a registered device).

Further, we have built additional security into the login workflow to bind the browser session and the device being used to access the application. This mitigates phishing attacks that leverage tactics such as MFA prompt bombing. Duo achieves this in the following ways:

  • Trust this browser: When the authentication is complete, the user is presented with a “Trust this browser?” option. If the user chooses not to trust the browser, they will continue to receive Duo Verified Push on subsequent authentications. If the user chooses to trust the browser, a stronger binding with the access device is established and on subsequent logins, the user will then be presented with a regular push along with screen unlock. This reduces the friction for users as we have sufficiently established trust in the login flow.

Flavors of Duo Push

Duo Push is a popular method of authentication used by customers because of its ease of use. We have enhanced Duo Push to make it more secure. One evolution of our push is the Duo Verified Push, which includes a number matching component. Now, Duo Push for passwordless introduces a third flavor of Duo Push, which incorporates a biometric screen unlock in order to approve the request.

Duo Push

  • Requires users to tap “approve” on a registered device

  • Low user friction

  • Weak device binding

  • Susceptible to MFA prompt bombing or MFA fatigue attacks

  • We recommend using it in conjunction with the Trusted Endpoints policy to create strong device binding

Duo Verified Push

  • Includes number matching

  • Increases user friction deliberately

  • More secure, creates device binding

  • Mitigates MFA prompt bombing or MFA fatigue attacks

Duo Push for Passwordless

  • Typically, Duo Verified Push with biometric authentication. Changes to Duo Push with biometric authentication when users trust the browser

  • More secure, creates device binding

  • Mitigates MFA prompt bombing or MFA fatigue attacks

Duo Mobile as passwordless authenticator is available across all Duo Editions, including Duo MFA edition. Many of our customers have already begun their passwordless journey. If you are looking to get started as well, sign up for a free trial and reach out to our amazing representatives.

To learn more, check out the updated eBook – Passwordless: The Future of Authentication, which outlines a 5-step path to getting started with passwordless. And watch the passwordless product demo in this on-demand webinar.

The 2022 Duo Trusted Access Report: Logins in a Dangerous Time
By Chrysta Cherrie (ccherrie@duo.com), Industry News
https://duo.com/blog/the-2022-duo-trusted-access-report-logins-in-a-dangerous-time

As global conflicts spill over into the digital realm, the idea of protecting the individual through to the enterprise has taken on a greater sense of urgency.

In the 2022 Duo Trusted Access Report: Logins in a Dangerous Time, we examine the dramatic shift beyond discussions of password complexity to a world where investing in multi-factor authentication (MFA) and passwordless technology is a mandatory cost of doing business. Against the wide array of adversaries we face, these technologies go a very long way toward reducing risk for organizations.

For this report, Duo partnered with the Cyentia Institute to analyze data from more than 13 billion authentications on 49+ million devices, 490+ thousand unique applications and roughly 1.1 billion monthly authentications from across our customer base, spanning North America, Latin America, Europe and the Middle East, and Asia-Pacific.

“Strategies such as zero trust in conjunction with passwordless solutions will make great strides to improve overall security, reducing risk by way of democratization of security with a stronger focus on the user experience.” —Dave Lewis, Global Advisory CISO, Cisco Security

Five Key Findings

Here are five top trends from the 2022 Duo Trusted Access Report. Get the full report to explore all of the data.

Passwordless Adoption Continues to Rise
Our data shows a 50% increase in the percentage of accounts allowing WebAuthn authentication and a fivefold increase in WebAuthn usage since April 2019.

MFA Continues to Strengthen Passwords
Multi-factor authentication holds strong, adding security on top of traditional password use. The number of MFA authentications using Duo rose by 38% in the past year.

Cloud Usage Continues to Rise
An increasing number of authentications are attributed to cloud applications with a 24% rise in 2022.

Locations Blocked
Ninety-one percent of Duo customers who implement device-based policies restrict access from China or Russia, and 63% block both countries.

Push Preferred
Duo Push is the most used authentication method, accounting for 27.6% of all authentications.


The last year — even the last several months — have really rewritten the narrative for defenders around the globe. Organizations have spent considerable time and effort designing their hybrid work functions, and now they must be doubly certain that they have security resilience built into their deployments to contend with the current threat landscape as outlined by the Talos Intelligence team here at Cisco.

Lingering security debt that remains in organizations will continue to provide adversaries with targets of opportunity. Companies need to hone their craft and better focus on access control and dealing with deprecated systems that may continue to operate in their environments long past their life expectancy. Patching has been much maligned by security practitioners over the years — not because it shouldn’t be done, but rather because no one ever wants to do it. As a result, issues crop up with long-published vulnerabilities being made into exploits that realistically should not hold any sway in modern enterprises. Yet, they wait on the wire.

Making use of multi-factor authentication and/or passwordless authentication models is essential for the modern business enterprise. When we consider the tremendous amount of threat intelligence available to us as defenders from sources such as Talos, we must take advantage of this knowledge and translate it into the capability to protect our environments as effectively as possible.

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

How to Land a Cybersecurity Internship?
By Emily Samar (emsames@cisco.com), Industry News
https://duo.com/blog/how-to-land-cybersecurity-internship

When it comes to cybersecurity internships, there isn’t a one-size-fits-all approach to landing a role. Everyone’s abilities, experiences, interests, and competencies are different, so the steps you take vary from person to person. While I may not have all the answers to your career questions, I do have some tools that can help guide you on your quest for a cybersecurity internship.

First things first, what the heck is a cybersecurity internship?

Great question! There are many cybersecurity intern roles across a multitude of focus areas.

If you’re looking for a technical cybersecurity role with Duo or Cisco Secure, you’ll likely see positions like: Security Solutions Engineer, Data Analyst, Software Engineer, UX/UI Designer, Product Management Specialist, and Product Marketing Specialist.

For those interested in non-technical cybersecurity roles with Duo or Cisco Secure, you may look for Program Management, Internal Communications, or Business Operations in the job title.

Do you need to know a lot about cybersecurity to land an internship?

If you made it this far, I imagine you’re feeling a bit uncertain about cybersecurity internships and I'm here to tell you not to let the titles scare you! I cannot stress this enough, but your value is not determined by a job description. At Duo and Cisco Secure, we recognize that Intern applicants are in school and likely junior in their career. The whole purpose of an internship program is to give Interns a chance to apply fundamentals learned in school through meaningful project work that aligns with their interests and skill sets to help them grow!  

For those who are unsure, that’s ok too! Regardless of your interests, the cybersecurity industry is bigger than you think and there are plenty of opportunities for growth and career advancement in your desired field. Before you leave this page, I recommend visiting the Duo Internship page to read our current cybersecurity intern job descriptions so you can get a better understanding of the scope of each role.

Now’s the time to do some career exploration! Before you get started, I encourage you to look for a role that aligns with your interests and find a company that aligns with your values. I’m no expert, but I can promise you that working for a company whose values align with your own makes a difference, and I want that experience for you!

I may be biased but Duo, a part of Cisco Secure, offers a one-of-a-kind cybersecurity internship experience. If you haven’t had a chance to visit our internship page, I highly recommend taking a look to learn more about the program offerings! 

Unsure of your interests? That’s ok! You don’t need to decide your entire career path today but it is important to consider what you’d like to do so you can identify the steps to achieve your goals. Self-reflection can be your best friend and while I know it can be overwhelming to think “big picture”, being real with yourself can help pave the way for future success. As someone who is neurodiverse, I tend to get overwhelmed when I look at the big picture. To help curb this feeling of angst, I like to take bite size pieces to help break down what I’m interested in and what aligns to my strengths.

“Be humble, you don’t know what you don’t know,” said Robert Warner, Software Security Engineer undergraduate intern on the Security Tools team. For early-in-career talent or career transitions, you’ll never be done learning! Going into a cybersecurity internship with a growth mindset (we call it Security Mindset) is a life-changing experience. I can assure you that whatever cybersecurity internship program you are interested in, the company is not expecting you to be an expert on your first (or last) day.

Don’t wait until your internship begins to join the cybersecurity community

Networking is important. I know networking can be scary – I myself struggle in social situations (especially after the pandemic) – but we’re in this together and I’m here to share some techniques to help you to navigate these muddy waters.

LinkedIn is your friend, make sure to use it. For those just getting started, LinkedIn is a networking platform that allows you to connect with folks who are passionate about career development, topics, and of course jobs! LinkedIn is a powerful tool and as such, it comes with some “do’s & don’ts.” Use it wisely, it will be the key to your success!

Do:

  • Follow companies and people who align with your interests

    • This way you can see what they’re talking about and receive notifications about internship opportunities

  • Reach out to folks & schedule an informal “interview” (or coffee chat)

    • This isn’t an interview for the role but more of a conversation about the person's current role and to help you learn more about the company

  • Read through job descriptions to help shape your resume

    • Your resume should align somewhat with the job description so I would recommend grabbing words or phrases from the job description to make your application stand out

  • Share content! – showcase project work, ideas, successes, personal / professional milestones

Don’t:

  • Make assumptions about your value or compare yourself to others

    • At the end of the day, LinkedIn is still a form of social media and as such, it is easy to feel discouraged

    • Your journey is yours alone, and things will happen at different times. This is a part of life, embrace your strengths and have fun learning along the way!

  • Expect an immediate response or feel defeated if someone doesn’t reply

    • People on LinkedIn are people, the same as you and me. We all get busy with personal and professional lives. My recommendation would be to reach out, follow up, and if you don’t hear back, move on.

Seek help and you will flourish! Professional mentors or coaches are a game changer. I cannot stress this enough: if you find someone who inspires your future self, seek them out. Ask if they’re looking for a mentee or, if not, whether they could connect you with someone who is. Having someone to guide you on your journey will change the way you see yourself and have a positive impact on your growth.

I want to acknowledge barriers to entry. Privilege comes in many different shapes and sizes, and some folks reading this may feel overwhelmed at the idea of networking or seeking mentorship because they lack a professional network. Whoever you are and whatever your background is, I see you and am proud of you for taking the time to explore cybersecurity internships. In the coming weeks, I’ll share more blogs on the topic of barriers to entry and networking for those who may not have a professional network at their fingertips.


If you see a role that appeals to your interests, apply! Putting yourself out there is the key to your success. I know it can be scary, but you won’t know unless you try!

Not sure about your skills? Apply anyways! Duo & Cisco Secure are currently recruiting for our 2023 internship program, and I encourage you to visit Duo’s internship page & Cisco Secure’s internship page to view more open roles.


How to Start Your Passwordless Journey: Get the Applications Ready
By Chris Demundo (cdemundo@cisco.com), Product & Engineering
https://duo.com/blog/start-your-passwordless-journey-get-applications-ready

Tell me if this sounds like you - over the last few years, you’ve steadily increased the length and complexity of your password requirements for users.  Now, you’re constantly feeling the pain as users grapple with the poor experience of managing passwords.

You’ve heard the hype around passwordless and you’re actively exploring how you get your organization from A to B, but you’re wondering where to get started. 

If this sounds like you, here are three steps you can think about as you’re defining a passwordless strategy for your organization!

Step #1: Understand your environment and goals

The most important first step is having a clear view of how the applications in your environment authenticate today.  For each application, you have to ask - is there a way for me to remove the password from the authentication flow?

For some applications, this is easy! Modern applications that authenticate via SAML or OIDC can delegate control of the password to a single-sign-on provider, like Duo SSO.  Older applications that use protocols like RADIUS may give you less control over removing the password.

It’s important to note that you should be thinking about more than just the password here! Business-critical applications that don’t support modern authentication cannot leverage critical security features beyond just passwordless, like Duo Risk-Based Authentication and Duo Trusted Endpoints.

Once you have a firm understanding of your existing landscape today, you can move to step 2 and start building a plan for making these applications passwordless.

Step #2: Take one small step, not one giant leap

Take the applications that you’ve catalogued and break them down into three buckets:

Modern Applications

  • If you already have applications in your environment that support modern authentication, you can start to go passwordless today.

  • Duo’s Passwordless solution offers granular application and user group controls, providing you the ability to roll out passwordless to subsets of your organizations that are ready for it. A benefit of taking this approach is we often see these early-adopter groups helping to act as evangelists, touting the benefits of passwordless to the rest of the organization. This helps you drive change and builds support for your overall roadmap.

Net-New Applications

  • A question to ask yourself - are you ensuring that every new application added in your environment supports modern authentication?  We commonly see customers institute processes around this to ensure that any new application (either external or internal) has to support SAML or OIDC as a requirement.

Legacy Applications

  • For applications that don’t already use modern authentication in your environment today, check if the application supports modern protocols like SAML and build a plan to upgrade it!  Many major applications are increasingly adding support for modern protocols - for example, Citrix added SAML 2.0 support for Netscaler in 2021. Duo strongly recommends planning and upgrading to modern authentication wherever possible as a first step.

  • If the application doesn’t support SAML, look to identify other integration methods, like the Duo Network Gateway, that can give you control over a passwordless experience. The DNG can sit in front of many applications, providing a modern and secure authentication experience, even if the application itself doesn’t natively support it.

It’s important to realize this might not happen quickly. Duo defines passwordless as a journey for a reason! Modernizing your infrastructure to improve security and the user experience can be a large undertaking, but is worth the benefits.

Step #3: Put your plan into action

By now, you have a clear understanding of which applications can easily go passwordless today and a plan for the applications that can’t.  You don’t have to wait for an all or nothing approach - get started today with the low-hanging fruit! 

However, there’s one more big thing to consider - you may be ready to remove the password, but what are your users going to authenticate with, if not a password?!

We’ll address that hurdle – and unpack how to define your authenticator strategy in a passwordless world – in our next post on starting your passwordless journey.

Transformational Thinking: Why a Focus on Outcomes Drives Zero Trust Progress
By J. Wolfgang (wgoerlich@duo.com), Industry News
https://duo.com/blog/transformational-thinking-why-focus-on-outcomes-drives-zero-trust-progress

Tired: Zero Trust is a Journey

Wired: Zero Trust is a Transformation

Inspired: Zero Trust is About Relationships

So many CIOs and CISOs I engage with are over it. They’re done with hearing from vendors who endlessly repeat the phrase “zero trust is a journey.” Yes, it’s true that implementing zero trust principles across your users, devices, apps, clouds, and data doesn’t happen overnight. Anyone who tells you otherwise is not being honest.

That said, thinking of zero-trust security as a journey adds fuel to the Sisyphean fire. It provides no guidance for helping you know if you’re pointed in the right direction, choosing the right paths to take, how well you’re doing, or how long it will take to arrive at your destination. Are we rolling the same boulder up the hill every day, or are we making progress? Who knows.

Adopting a zero-trust architecture across your enterprise is transformational. It requires a change in mindset, not just in toolset.

No matter what a vendor tells you, zero trust cannot be solved quickly or with technology alone. The transformation zero trust inspires requires change across people, process, and technology. It demands strong relationships within the organization, even as the transformation strengthens those relationships. Cultural changes, as well as operational ones, are on the table.

Yes, that's a tall order. But not impossible.

Anytime one is faced with a transformational challenge, it’s useful to consult others who have made progress and have found the quick wins. How do they do it? What are some common practices that others can replicate for their own zero trust goals?

According to recent analysis based on data from the Security Outcomes Study, Volume 2, zero trust progress can be achieved no matter the level of complexity in the IT infrastructure. Across the spectrum of simple to complex IT environments, organizations can simultaneously make progress towards zero trust security while also improving outcomes.

In fact, those organizations who report making progress towards zero trust or have mature implementations of zero trust all focus on well-defined outcomes: from gaining executive confidence to creating a security culture, from streamlining IR processes to meeting compliance, and more.

Teams with more mature implementations of zero trust have achieved outcomes consistent with building security resilience by prioritizing these practices: 

  • Accurate threat detection

  • Proactive tech refresh

  • Prompt disaster recovery

  • Timely incident response

  • Well-integrated tech

Other findings from this guide:

  • Relationships are tied to zero trust successes. Organizations that claimed to have a mature implementation of zero trust were 2X more likely to report excelling across desired outcomes such as greater executive confidence (47%), peer buy-in (45%), keeping up with the business (46%) and creating a security culture.

  • Zero trust progress can be achieved no matter the size of an organization or the level of complexity in the IT infrastructure. Across the spectrum of simple to complex IT environments, we discovered that organizations, large or small, can make measurable progress towards zero trust security.

  • Organizations that reported a mature implementation of zero trust were more than twice as likely to achieve business resilience (63.6%) than those with a limited zero trust implementation.

  • Organizations with modern IT infrastructures were more than twice as likely to have a mature implementation of zero trust.

  • Integrations drive zero trust maturity. And even within organizations that chose integrations, a platform approach of sourcing integrated technology from a preferred vendor was prioritized by 51% of organizations with mature implementations of zero trust compared to out-of-the-box integration at 28.8%.

  • Organizations with mature zero trust implementations leverage automation (64.4%) in order to improve the actions a zero-trust security model can take.

There are many more lessons learned in Cisco’s Guide to Zero Trust Maturity: How to Find the Quick Wins. Download it today to help you determine where you are today with zero trust, how to gain momentum, and continue to make progress towards zero-trust security.

MFA Fatigue: What It Is and How to Respond
By Jennifer Golden (jgolden@duo.com), Industry News
https://duo.com/blog/mfa-fatigue-what-is-it-how-to-respond

Too many pushes pushing users over the edge?

As people and organizations find new and exciting ways to transform digitally, we also see bad actors find new and creative ways to gain fraudulent access. While security teams work to stay vigilant and put defenses in place, it can be difficult to keep up with the evolving threats. One of these threats that has gained attention includes circumventing an organization’s multi-factor authentication (MFA) protection.

MFA fatigue, or when an attacker gets an authentic user to accept a request when that user is not trying to log in, is one attack method that has made headlines. When it comes to MFA fatigue, it’s important to know what to expect and how to arm your organization with the tools to combat it.

What is MFA fatigue?

If an adversary has stolen a valid username and password, each time that adversary attempts to log in, the owner of those credentials gets an MFA request (“is this you trying to sign in?”). Most users will ignore or deny an MFA request if they are not trying to sign in.

However, because many users are so familiar with the process of accepting a push request, MFA fatigue might lead them to absent-mindedly or accidentally hit the “accept” button, even if it’s not them. From there, the attacker has the freedom to roam a company’s internal resources.

Additionally, there are some MFA attacks that can be even more burdensome to the end user. In a push phishing attack (also known as push bombing, push harassment, or MFA fatigue attack), the attacker sends MFA requests repeatedly until the authentic user caves and accepts the request to stop receiving the push notifications.

Are MFA fatigue attacks a good thing?

It is counterintuitive to think about any kind of attack in a positive light. It can be even harder to see the silver lining on attacks that play on MFA, as it has been a reliable tool against identity-based attacks in the past. But what it does show is a sign of maturity and that we have reached a level with MFA where adversaries are incentivized to work around this control.

Before, if an attacker had a stolen username and password, that was all they needed to gain access. Strong MFA forces them to develop new methods to get around this defense. So now it’s time to respond. Cybersecurity has always been a back and forth between tactics and responses. And organizations need new responses to protect themselves.

How we can fix it

There’s no single silver bullet that can stop all types of attacks, but there are best practices that organizations can follow to improve their security posture.

FIDO2-compliant authentication, through solutions like passwordless authentication or security keys, uses public-key cryptography to make the login credentials unique on every website. Essentially, an attacker is unable to use the typical MFA attack methods because the FIDO2 credential is physically with the trusted user, on the device, in the form of a biometric or security key.

FIDO2 offers the strongest defense against these new types of attacks, but it also presents challenges for organizations that do not have devices with biometrics or the means to ship security keys to all end users. Therefore, for organizations that need an alternative solution today, Duo recommends moving towards a risk-based approach. In order to fully benefit from Duo’s new solutions, we also recommend upgrading to Duo’s Universal Prompt as a first step to unlocking these features.

Risk-based authentication

The goal of Duo’s Risk-Based Authentication is to dynamically detect threat signals and adjust security requirements accordingly. There are two key benefits of using a risk-based solution:

  • Remove Unnecessary Friction: In a trusted scenario, Duo can reduce the number of times a user is asked to re-authenticate. Using Risk-Based Remembered Devices, Duo gives users the option to remember their login on a device. This allows users to be prompted only when the policy expires, or when there is a new login attempt. Reducing the number of MFA requests also reduces user fatigue, so users pay more attention to each individual authentication request.

  • Step Up Security: Duo can remove friction when a situation is trusted and increase that friction when there are new risk signals in the environment. Evaluating the device, location, network, and data from attack patterns, Duo can use Risk-Based Factor Selection to step up to a more secure method, like a Verified Duo Push, which requires the user to enter a 3 to 6 digit code (rather than simply hit the green “approve” button). This stops an MFA fatigue attack without blocking legitimate users.

Device trust

In addition to improving MFA security, it is important to know what devices are managed and can gain access to internal applications or sensitive data. Therefore, even if an attacker has compromised credentials and gets a trusted user to accept a fraudulent MFA request, the attacker would not be able to proceed because they are not using a compliant or managed device. Duo administrators using Trusted Endpoints can easily set policies to block access from these unmanaged devices.

Ultimately, we want organizations to have the tools they need to set up the best defenses to protect their users and data from bad actors. To learn more or to test these solutions out, visit Duo Free Trial to get started today.

<![CDATA[Cisco Secure Access by Duo MFA Secures Epic Hyperdrive Against Cyber Threats]]> matbroo2@cisco.com (Matthew Brooks) https://duo.com/blog/cisco-secure-access-by-duo-mfa-secures-epic-hyperdrive-against-cyber-threats https://duo.com/blog/cisco-secure-access-by-duo-mfa-secures-epic-hyperdrive-against-cyber-threats Industry News

Controlled substances are often in the news for both bad and good reasons. In the wrong hands they can lead to drug addictions or other serious health issues. However, when prescribed appropriately by medical professionals they can be a blessing to alleviate or treat sickness. Therefore, government agencies like the DEA and FDA have created strict policies and procedures for prescribing controlled substances to ensure they get into the right hands.

Epic Hyperdrive

Hyperdrive is Epic’s new flagship EPCS healthcare management software, delivered through modern web protocols. Hyperspace is Epic’s application-client-based EPCS software, often delivered through virtual application delivery solutions from Citrix or VMware. Hyperspace will be replaced by the newer, web-service-based Hyperdrive in the future. Until then, both are expected to run in parallel on clients’ endpoints.

The challenge

Due to the nature of Epic Hyperdrive for EPCS, the FDA mandates support for a variety of security protections, including Multi-Factor Authentication (MFA), to protect against weak passwords or stolen credentials. According to the 2022 Verizon Data Breach Investigations Report (DBIR), basic web application attacks are the leading cause of digital security breaches in the healthcare sector, and over 80% of the breaches in this pattern can be attributed to stolen credentials. These types of attacks can lead to ransomware or malware that may result in data loss, exfiltration, or compliance violation fines.

The solution

Cisco Secure Access by Duo is a leading healthcare MFA provider. Duo uses a zero-trust security model by establishing trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies to protect applications.

Duo integrates with Hyperdrive to provide multi-factor authentication. It includes authenticator methods like secure hardware tokens, Duo Mobile OTP (One-Time Password), Phone Callback and Duo Mobile Push.

Duo integrates seamlessly with Epic Hyperdrive to provide a strong second authentication factor that protects patient electronic health records. During the setup of Duo for Epic Hyperdrive, trust is established between Epic Hyperdrive and Duo by registering a public key, obtained from the Duo Admin Panel, with Epic Hyperdrive.

When an MFA request is initiated by Epic Hyperdrive, the Epic Hyperdrive client requests secondary authentication from Duo, which produces a Security Assertion Markup Language (SAML) token in response to a successful authentication. The Epic Hyperdrive client presents the signed SAML assertion to the Epic Hyperdrive service. Epic Hyperdrive verifies the authenticity of the SAML token using the public key previously downloaded from Duo and installed by an Epic admin. Access is granted only if the SAML token is successfully verified by Epic Hyperdrive.

Epic Hyperdrive With Duo MFA

After the admin downloads a key from the Duo Admin Panel and uploads it to Epic (step 0), where it is used during authentication to establish trust:

  1. Client submits username and password to Epic

  2. Epic validates the credentials, then sends a response to let the Client know

  3. The Client presents MFA options; the user selects one and the Client sends a request to Duo for MFA

    1. Assuming the Push option is selected in this flow, Duo sends a Push authentication request to the user’s mobile phone

    2. The user confirms the Duo Push on the mobile phone

  4. Duo validates and returns a SAML assertion

  5. The Client forwards the SAML assertion to Epic for validation

  6. Epic validates the SAML assertion and grants access
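The trust relationship and verification the six steps describe, shown as a simplified added example that is not Epic's or Duo's code: a JSON record stands in for the SAML XML assertion, an ECDSA key pair generated here stands in for Duo's signing key, and the audience name "epic-hyperdrive" and subject are constructed. Epic's side accepts the assertion only if the signature verifies under the key registered in step 0, the audience matches and the assertion has not expired.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is a deliberately simplified stand-in for a SAML assertion, kept to
// the fields the checks below need (real SAML is XML carrying an XML-DSig signature).
type Assertion struct {
	Subject  string `json:"subject"`
	Audience string `json:"audience"`
	Expires  int64  `json:"expires"` // unix seconds
}

// newDuoKey stands in for the Duo-side key pair whose public half the admin
// downloads from the Admin Panel and installs in Epic (step 0).
func newDuoKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// duoSign models step 4: after a successful second factor, Duo signs the assertion.
func duoSign(priv *ecdsa.PrivateKey, a Assertion) (body, sig []byte, err error) {
	if body, err = json.Marshal(a); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(body)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return body, sig, err
}

// epicVerify models steps 5 and 6: Epic accepts the assertion the client forwards
// only if it was signed by the registered Duo key, is meant for this service and
// has not expired. Any change by the client in transit breaks the signature.
func epicVerify(registered *ecdsa.PublicKey, body, sig []byte, now time.Time) error {
	h := sha256.Sum256(body)
	if !ecdsa.VerifyASN1(registered, h[:], sig) {
		return errors.New("assertion not signed by the registered Duo key")
	}
	var a Assertion
	if err := json.Unmarshal(body, &a); err != nil {
		return err
	}
	if a.Audience != "epic-hyperdrive" { // constructed audience name for this example
		return errors.New("assertion issued for a different service")
	}
	if now.Unix() > a.Expires {
		return errors.New("assertion expired")
	}
	return nil
}
```

The client in the middle (step 5) only forwards the assertion; because it never holds Duo's private key, it cannot mint or alter one that Epic will accept.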

Want to learn more about how Duo fits into a zero-trust model?

Duo is a cornerstone in healthcare MFA and is leading the fight to secure applications like Epic Hyperdrive with the latest protection technology. Duo provides the foundation for a zero-trust security model by establishing client trust before granting access to applications, ensuring secure access for any user connecting to Epic Hyperdrive.

Download the Duo Zero Trust Evaluation guide to learn more about user trust, device visibility, device trust, adaptive policies, and access to all apps with Duo.

<![CDATA[Women in Cybersecurity: Thriving in Cyber as an Asian-American and Mother]]> skathuria@duo.com (Seema Kathuria) https://duo.com/blog/women-in-cybersecurity-thriving-in-cyber-asian-american-mother https://duo.com/blog/women-in-cybersecurity-thriving-in-cyber-asian-american-mother Industry News

It is a great time to be a woman in cybersecurity! If you’re curious about technology, enjoy problem-solving, want to save the world from cyberattacks and effectively collaborate with people who might think differently but are on the same mission as you, you can enjoy an amazing career in cybersecurity. My early childhood experiences using personal computers and later earning a computer engineering degree helped me get my foot in the door into a cyber career. As a woman in cybersecurity for the past 15+ years, I get a lot of satisfaction helping keep people safe.

Have you considered a career in cybersecurity? If you are driven by the mission to help secure the world every day, I welcome you to join us!

My journey into cybersecurity

Growing up in Silicon Valley, I was exposed to technology in primary school, where I first got a chance to type “Hello World” into a terminal on a very early Apple Mac desktop machine at the computer lab. Also, in the 1990s my Dad brought a very early Windows desktop computer. I would play games and use it to do some basic word processing.

I worked in a few companies in technical roles, but simultaneously kept seeking a full-time role in marketing, knowing that I loved to communicate and tell stories and could easily and quickly learn new technologies. I used the job sites available at that time, primarily Monster.com, to post my resume and positioned myself as seeking an entry-level marketing role broadly in the technology field. As luck would have it, a hiring manager at Check Point Software was looking for a Product Marketing Specialist and I fit the bill. They appreciated my technical background and that I was early in my career and had the drive to jump right into the role and learn new things - in this case cybersecurity. Hence, I would say cybersecurity found me and I haven’t looked back ever since.

What was it like being one of the few Asian-Americans in cybersecurity and marketing?

Did you know Asian Indian Americans are the second largest Asian origin group in the USA, accounting for 21% of the total population or 4.6 million? From my own experience working in cybersecurity for 15+ years, I can confidently say that today, we have more Asian Indian Americans working in this field than ever before.

What are some challenges and rewards of a career in cybersecurity as a woman?

First, the biggest challenge for women in cybersecurity is the same as that of most cyber defenders: threat actors have the upper hand while we are forced to not only try our best to put in place proactive measures to reduce risk but also to react when threat actors are successful. A threat actor can be successful just once, but defenders must be continuously alert to potential threats. This can quickly take a toll, especially on Security Operations Center (SOC) teams.

For marketing professionals like myself, we can also run the risk of being reactive in our marketing messages. We must be careful to not use “scare” tactics when it comes to positioning our solutions. We need to take a calm and empathetic approach when conveying the benefits of investing in and adopting security solutions - that is the only way to establish trust with prospective customers. For us women in cybersecurity to succeed, both the organization and culture of the organization we work in matter.

Both parenting and having a career as a woman in cybersecurity require you to be flexible and adapt quickly. We don’t know when we will get a phone call from the school to come and pick up our child who got hurt or just misses “Mommy”. However, the rewards of being a woman in cybersecurity and being a parent are many. You feel great knowing that your work is directly or indirectly helping people stay secure and keep data safe. You feel at peace watching children bloom and become responsible adults, treat others with respect and thrive at whatever they set out to do.

Importantly, in most companies where I have worked as a cybersecurity marketing professional, I felt very supported by managers and peers whenever I had to prioritize my family and take intermittent time off to be fully present for my children amidst my career as a woman in cybersecurity.

As a cybersecurity professional, maintaining sound mental health can be challenging. The CISO of Tessian, Josh Yavor, shared his own experience, saying,

“As security leaders, we try to shield the organization by taking on the heroics ourselves. Then we miss family events or doctor’s appointments, and we get burned out – and our leadership by example drives unsustainable behavior…I forced myself to stop working after a certain number of hours, and to hold myself to that. It was one of the hardest things I have done professionally.”

It is imperative that if you are considering a role in cybersecurity, during the interview stage you gauge the leadership’s tone from the very top with regard to personal health and work-life balance. Josh and other security leaders have shared 5 strategies to help security leaders and teams combat burnout. Keep these in mind as you work in this challenging but rewarding profession.

What do you enjoy most about your career in cybersecurity?

First, I enjoy bringing to life the stories of customers who are successfully adopting security solutions that have played a critical role in defending their organization against cyber-attacks or at least mitigated risks. I write and share those stories as a product marketing professional.

Finally, I value partnering with many people and teams with diverse perspectives - including Product Management, Marketing, Sales, Customer Success and Business Development - to build product marketing strategy, enable sales teams and evangelize products to prospective customers via digital content, social media, webinars, and events. 

How important were mentors, sponsors, and advocates as a woman growing a cybersecurity career?

Having advocates and sponsors plays a very important role for women in cybersecurity. Working with and learning from managers, peers and your team members is so important, and in cybersecurity we need diversity of ideas and viewpoints to be able to discover and take on the ever-evolving threats.

I will never forget the first manager and mentor I had when I joined Check Point many years ago who believed in me and my potential to start and continue a career in cybersecurity. Without that trust and belief, I wouldn’t have passed that interview and wouldn’t be here sharing my story 15 years later with the same passion as I did back then: to learn and keep learning and helping the world be more secure, a day at a time.

I stay in touch with many other women in cybersecurity virtually, on the phone, and at cybersecurity events where we catch up on our personal life and events.

What advice would you give women who are not familiar with cybersecurity?

Firstly, don’t shy away from pursuing a career as a woman in cybersecurity. There are many different roles - technical and non-technical - which require a diverse set of talent. We need people who are passionate and driven to join this field to help secure everyone from ever-present cyber threats.

In the USA alone, there are about 1 million cybersecurity workers, but there were around 715,000 jobs yet to be filled as of November 2021. I cannot emphasize how important it is to have you join us in the mission to secure the world, a day at a time.

Secondly, stay curious. Even while you are in a job, keep taking classes or practicing new skills. Keep reading and gaining knowledge about the threat landscape and what challenges individuals and companies are facing with keeping data safe from breaches. Be sure to read cybersecurity news and about the latest data breaches and what transpired. Join solutions and webinars where you can ask questions of cyber experts. Prepare well for interviews and make sure you aren’t just answering questions in the formal interview, but also sharing your knowledge of and perspectives on the latest cyber events, offering ideas and maintaining a curious and humble stance.

We are lucky that today there are so many opportunities to learn and showcase your willingness to keep learning, whether you are an intern or entry-level cyber professional. Every company needs security.

If you want to take on a technical role to protect the organization and users from threats, take some technical courses online or in person to build those skills and apply for roles. Consider programs such as Code2College, which I personally volunteer for, to get feedback on your coding and communications skills which are essential to build a foundation for a career in cybersecurity.

Finally, build relationships by reaching out on LinkedIn and seeking mentors who have been in the field for some time. Ask if you can shadow them or interview them about how they got into the field, what they do, what they like and what is challenging.

Want to get into cyber?

Being a cyber professional is fulfilling and never boring! Check out our open positions at Duo Security.