As I write, It’s been two months, one day, and nine hours since I began my internship at Duo. In celebration of Intern Week on the blog and my two months-ish milestone, take a step back with me as I reflect on my journey through the virtual doors of Duo!

How did you get here?

A few weeks before my sophomore year in college, I made a last-minute addition to my fall course load: the class Organizational Management in Startups. Not only did I find myself surprisingly fascinated by the fast-paced spontaneous startup environment, I also learned about Duo as a successful Ann Arbor startup.

My interest in people organization began in my senior year of high school, where I had the opportunity to take on a similar, albeit simplified, role. I fell in love with advocating for people and developed the belief that a company’s employees are truly its greatest assets. Imagine my excitement when I found not only internship openings at Duo, but coincidentally an opening on the Belonging Team — a more perfect opportunity could not exist! I immediately started working on my application, harboring hopes of working at Duo, and the rest was history.

Okay, so what exactly do you do as an Employee Programs Intern?

Great question! On a broader scale, I help out the Belonging Team with a number of internal programs. More specifically, I work with my manager Emily Boring, Global Events Manager, on Global Events. I’ve had the amazing opportunity to observe the planning processes behind successful events such as a Fireside Chat with Daniel Dae Kim and the Duo Pride Celebration. A day in my life at Duo is never the same, which I appreciate so much! One day I may spend hours brainstorming projects and writing, stopping occasionally to chat with vendors or ask for peer reviews. Or I may bounce from meetings with my manager to conducting listening tours around Duo and pitching in to help with other Belonging Team projects. Typically, my days are a mix of the two, with ample personal focus time and collaboration time.   

Duo's Decades Party, hosted by DJ Graffiti

Tell me more about the projects you’ve been working on this summer!

My main project for summer was to create a virtual summer social for Duo that would bring renewed fun energy and offer opportunities for Duo team members to connect. This culminated in the Duo Decades Party, featuring DJ Graffiti spinning songs from the 1970s to today, plus a throwback outfit contest and other activities.

Other projects on my plate this summer include a guide for virtual team building (coming soon to the Duo wiki) and a virtual event proposal for future company celebrations. 

The Duo Decades Party was a blast! What did you enjoy most about the experience?

On the other hand, did you run into any challenges? If so, what did you learn from them?

Something people may not know about event planning is that there are a lot of moving pieces. Originally, my main project consisted of a series of three to four events. After continuous discussions with the team, however, the focus narrowed to one event. Even a few days before Decades Party, details were still evolving. It was sometimes tough to navigate changes and feedback, but from this experience I learned the value of getting a diverse set of perspectives.

Without the Internal Communications team (thank you, fellow intern Hannah!), I wouldn’t have considered the cadence and tone of communications. I also consider myself lucky to be able to draw on the expertise of both Emily Boring and Head of Employee Programs Emily Reid in designing inclusive and fun social programs.

The best part is that nothing ever goes to waste! For example, one virtual event proposal I built out will make an appearance in a future Belonging Team event. Being flexible and open to new ideas was definitely essential in navigating these roadblocks and helped the experience tremendously. 

What advice do you have for future interns?

The first thing I’d say is to stay organized in whatever way that looks for you. I personally found it super helpful to block out times on my Outlook calendar to focus on completing self-designated action items. I also keep a notebook of notes from meetings that I can refer to later on.

Secondly, be flexible and receptive to feedback. Others may point out things you overlooked or offer creative new ideas. Be appreciative of them, because it helps enhance your work overall, but also feel empowered to stand up for your ideas!

Lastly, time goes by fast — take advantage of the resources available and get to know the lovely and kinder than necessary folks around you!

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

Part of our Administrator's Guide to Passwordless blog series

See the video at the blog post.

If you’re considering passwordless authentication for your organization today, you’ve probably been thinking for a while about a holistic authentication strategy. Passwordless is a leap forward on the path to a strong and usable authentication system, consisting of many individual steps that you must navigate.

Let’s start by reviewing the high-level phases of the passwordless journey:

Phase 1: Establish Multi-Factor and Identify Passwordless Use Cases

Multi-factor authentication has been a critical component of strong authentication systems for more than a decade. Hopefully, you’ve already got this one — but if not, there are countless products that can help you mitigate the threats of password-based single-factor authentication.

Phase 2: Consolidate Authentication Workflows

A typical company runs hundreds of applications. Managing each application’s authentication methods and security policies quickly becomes untenable for administrators at this scale. Rather than attempt to augment the security of each application individually, Phase 2 focuses on consolidating authentication workflows into a place where the majority of the authentication events can be centrally managed.

This may take the form of single sign-on (SSO) or federated portals through standard protocols like Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). Even applications that aren’t web-based, such as SSH clients or remote desktop software, may be able to go passwordless by using a reverse proxy and client software that opens a passwordless web prompt. There are numerous products and services that will offer different experiences and features, and both the features you need and the protocols your applications support may dictate which products and services are suitable for your organization.

Phase 3: Increase Trust in Authentication

Next, focus on building a more comprehensive user authentication system and mitigating additional threats in your environment. Ensure user authentication is occurring from known and trusted devices with up-to-date software and operating systems. Detect anomalous user behavior and flag it for remediation. Identify safe conditions and risky behaviors and configure flexible policies that can reduce user friction without reducing security. Support for all of these things builds upon your work in Phase 2 and the selection of a vendor that supports the features you need.

Phase 4: Adopt Passwordless (We are here!)

Passwordless requires support from both your users’ access devices and your SSO portal or federation system. Microsoft, Apple, Google, and other system manufacturers have done an excellent job in rolling out access device support for passwordless, and security key manufacturers like Yubico, Feitian, and SoloKeys can help enable support for passwordless on devices that don’t support it natively. SSO and federation providers are beginning to bring passwordless solutions online. If you’ve done the hard work in Phase 2 to consolidate your authentication workflows into a centralized authentication experience, you may be able to enable passwordless across the majority of your organization by simply switching it on. Your existing authentication and authorization policies, device trust, and configured settings should ideally transfer over and take effect right away.

Phase 5: Optimize Passwordless

Unless you’ve managed to consolidate every one of your applications into using the same federation solution, it’s likely you won’t be able to completely eliminate the use of passwords overnight. This is where having a layered security model with MFA, configurable policy, device trust, and adaptive authentication pays dividends. Your organization is only as safe as your weakest authentication method, so ensuring every authentication method is strong reduces your risk as you transition towards Pure Passwordless. The goal here is to aggressively continue consolidating authentication workflows into centralized auth solutions where passwordless support exists and begin the process of disabling password-based authentication.

This will be a protracted phase, as disabling passwords will highlight all sorts of corner cases where passwords may be used in your organization, such as new user onboarding, account recovery, and that one server in the basement that you don’t want to touch in case something goes terribly, terribly wrong. Certain applications and protocols will most likely not be able to adopt passwordless initially, so some of your users may need to keep a password around to use with these systems for a while.

Passwordless is exciting and promises both security and usability benefits. We mostly get the usability benefits in Phase 4 and the security benefits in Phase 5, but like anything, there’s a spectrum. So long as passwords remain an option, adversaries can apply the same attacks they use today to password-based auth methods. Adding passwordless auth as an option starts by making authentication easier. Removing passwords as an option makes authentication safer. 

For frequent use, adding additional factors behind a password may have been deemed too much friction, but it may be more acceptable as an infrequent fallback when passwordless is the primary authentication method. Security benefits can also come simply from user habit migration. For example, users who become conditioned to passwordless authentication will find an unexpected push or a password entry field conspicuous, even if they’re still allowed as options. This is one of the few exciting breakthroughs in authentication technology where a more usable option is more secure as well!

However, it would be remiss to say everything will be roses. Let’s dig in to Phases 4 and 5 and discuss some of the challenges you are likely to face as part of passwordless adoption and how to manage them.

Your First Few Weeks of Passwordless

When you flip the switch and enable your first passwordless login, it’s probably going to feel unfamiliar. If you’ve read this guide and have a general understanding of how authenticator devices store and use credentials, you’ll probably be able to infer how things operate. Your users, on the other hand, may have no idea what they’re supposed to do. Passwordless login is supposed to be quicker and easier than using a password, but most people have years or even decades of experience using passwords. We know what to do when we see a password input form. 

Your users will be old hats at passwordless in no time, but the first time seeing an unfamiliar prompt to scan a fingerprint or face can be unsettling. If a user thinks they’re entering their system password into a web form, being prompted to enter a PIN or local system password can be confusing or even suspicious. You’ll most likely want to evaluate the passwordless login flow yourself and work out a strategy for assisting your users through their first passwordless logins.

But before we even get to passwordless login, your users will need to enroll a credential or add an authenticator device to their account or profile. This can be just as confusing as a first login, if not more so. However, depending on your MFA configuration, your second-factor authentication method may be suitable, or nearly-suitable, for passwordless auth already.

If your users have adopted a WebAuthn-capable 2FA method such as Windows Hello, Touch ID, Face ID, Fingerprint/Face Unlock, or a FIDO2-certified security key and regularly use it as a second factor, your authentication provider may be able to use the same credentials for passwordless authentication if they support user verification. If not, then the simplest way to enroll a new passwordless device is to piggyback on top of a normal password-based auth and ask your users to enroll a device as part of their normal login process. This will probably feel pretty similar to how your users first enrolled their MFA devices after entering a password the first time. On next login, they’ll be able to use passwordless!

Now, imagine you’re a few weeks into your passwordless rollout and one of your users loses their first device. Even though their credential on the device should still be protected by a user verifying PIN or biometric step, we want to invalidate that credential as soon as possible because it’s now lost the something you have property. Your authentication provider should offer a control panel or other administrative console where you can view your users and see what devices they have enrolled. You should have a quick and easy way to invalidate the lost device and credentials through this interface. (In case you’re curious, each device is supposed to only have one credential per user account.) If you haven’t disabled passwords yet, your user should be able to use their password to enroll a replacement authenticator device the next time they try to log in.

Removing Passwords: Applications vs. Users

Throughout Phase 4, passwords remain a viable fallback option. Although these challenges in Phase 4 are likely to require lots of time, they’re more about helping your users acclimate to a new process than technical complications per se. You may wish to progressively roll out passwordless to smaller groups within your organization at first, to smooth the influx of help tickets and allow early adopters to share knowledge of passwordless with their peers.

Things get trickier as we move toward Phase 5 and start to remove passwords as an option. Any user who hasn’t acclimated to passwordless login will be stuck if they no longer have a password-based fallback. The goal of Phase 5 is to remove passwords from the environment to improve security, while minimizing new complications. Let’s explore a few complications that may come up as we remove passwords.

To start, not every application will be able to use passwordless. Take connecting to a wireless network for example. Unless you’ve rolled out client certificates to your fleet, the main WPA2 Personal and Enterprise authentication protocols expect either a pre-shared key, or a username and password. Not every protocol is web-based or can be proxied through a web-based gateway. Applications released years ago may never get updates that support SAML, OIDC, or other federation protocols. It’s likely that one or more additional applications or use cases in your environment may not be passwordless-capable, now or in the future. That’s okay. Each application from which you can remove passwords gains the security benefits.

Every user from which you can remove passwords is one fewer user who can be phished or introduce credential reuse into your organization. However, it’s much harder to completely remove passwords from users than to completely remove them from applications. If a user no longer has passwords, then they can’t fall back to a password if they lose their authenticator device. It becomes important that each user have two or more authenticator devices enrolled, so that they do not get locked out of their account. Once passwords are eliminated, your users will probably need to use passwordless authentication to enroll new devices.

Authenticator Management Considerations

Platform authenticators like Touch ID and Windows Hello are conveniently present on the access device but are also limited to being used on the specific platform they’re a part of. Let’s say you need to enroll a new device with a platform authenticator but no longer have a password. How do you bootstrap trust in your new device to get to where you can enroll its platform authenticator?

Roaming authenticators like security keys or mobile authenticators have the advantage that they can be used to authenticate across multiple machines. You can use a platform authenticator to enroll a roaming authenticator on one computer, then move the roaming authenticator to another computer and use it to enroll that computer’s platform authenticator.

It’s clear that the passwordless future involves lots of devices and a mix of both platform and roaming authenticators. However, increasing the number of authenticators introduces even further complications, as each authenticator must generate its own per-site credentials. Enrolling multiple devices with each of multiple websites will likely grow tiresome. You can partially alleviate this via federated login, centralizing login to a handful of sites or fewer. On the plus side, enrolling multiple devices gives your users the ability to self-remediate individual lost or stolen devices without losing access to their account.

Inevitably, some users will find themselves with one or more lost authenticator devices and no way into their account. You will need a recovery flow. There are many different recovery flows, including temporary passwords, recovery links, backup codes, and more. Your recovery flow may delegate the authentication decision to another provider, such as an email host, wherein if your user still has access to their email account, they may be able to self-remediate. If not, they may need to contact your help desk for an override. Recovery flows are also a potentially-viable option for bootstrapping trust across platform authenticators without a roaming authenticator to assist.

While it’s critical to have one or more recovery flows, know that the recovery flows you support, especially any self-remediation flows, are viable attack vectors. It doesn’t meaningfully improve your security posture to remove password-based authentication if your recovery flow isn’t ultimately stronger.

Your organization may likely reach Phase 4 quickly but spend years optimizing passwordless in Phase 5, which is to be expected. Over time, the passwordless space will expand to support additional applications and use cases, and someday, we hope, passwords will be a relic of the past. 

If you’d like to see how Duo can help bring passwordless to your organization, visit the product page for our passwordless authentication solution.

Duo’s Passwordless Authentication Resources

• Explore more of our Administrator's Guide to Passwordless blog series
• Learn more about our upcoming passwordless authentication solution, and sign up for updates
• Read our white paper, Passwordless: The Future of Authentication
• Watch our webinar, How Duo is Making Passwordless Progress Easier
• Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
• Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy

See the video at the blog post.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

When I announced that I was returning to Duo for my second internship, I was met with a great deal of congratulations — and occasionally with surprise. In a few cases, I even experienced some soft criticism about this decision. “You should be trying to have a variety of experiences,” some said, “Your early career is a time to explore.”

However, I must take this advice with a grain of salt. By returning to Duo, I would say that I am having a variety of experiences, and I have lots of opportunities to explore! The work I’m doing this summer, both technically and organizationally, is markedly different from last summer. Beyond this, my work will continue to evolve as I communicate both my short- and long-term goals with my extensive support system.

Also, variety alone isn’t enough. To make informed decisions about the future, we need to consider which experiences will likely bring us the most value. That’s what led to my decision to return to Duo. The work I’m doing this summer is a strategic step in the right direction for what I aim to do in my future career.

Last summer, I worked with an excellent team on a rewarding project. I was involved in the frontend development of the new Universal Prompt, implementing features that are seen by users millions of times daily. Throughout the summer, I gained immense experience in both the hard skills of programming as well as the intangible skills of structuring my time and working within a team setting.

In addition, the summer taught me a lot about myself and helped me understand what kind of work excites me the most. The most interesting problems that I faced included how the new Universal Prompt would work in front of the users. At the end of the day, any decisions that we made in this area had to be reinforced by some kind of data. When we had more data to work with, the decisions would become easier, and we could develop the product much faster. This work specifically sparked my interest in the engineering behind data-driven solutions.

At Duo, when anything sparks your interest, you’re generally free to pursue it. When I expressed my interest in working with the Data Engineering side of the business, I was quickly set up to do so. Honestly, in terms of switching teams, I felt like I had pretty much carte blanche access to the entire organization. Everyone is open to discussing opportunities and more than willing to offer advice and help along the way.

While it was tough to say goodbye to my team, I was met only with support in my decision to move forward onto the Data Platform team, where I’m working this summer. As Duo team members, our job is to support the company, but Duo reciprocates this deal and supports us just as much. At Duo, everyone seems to sift into the positions where they want to be.

My story is not unique — many other people around Duo can speak to this experience. We frequently receive emails about job promotions at Duo, and typically there are too many to read! In fact, my former hiring manager who interviewed me for my new role this summer was only on the team for a period of weeks at the time of the interview (I had spent more time at Duo than he did!).

However, over just a few months’ time, he was deservingly promoted into another role. I think it’s a great fit, and I’m very happy for him, as well as my new hiring manager who was promoted to fill his place. You can also find other blog posts where Duo teammates share more experiences like these.

My decision to return to Duo was also complicated by the possibility of working for another company. I did work with other companies over the fall recruiting season, but none of them could really match the freedom that I was given at Duo. Honestly, it was a pretty black-and-white decision. With every other company’s software engineering internship, I had essentially no information about where I would be working, which product or sector I would be working on, or what kinds of technologies I would be working with. While this kind of uncertainty is inevitable and often leads to growth, I couldn’t turn down the work at Duo for this summer, especially because it’s such a certain, targeted leap forward in my career.

It’s also worth mentioning that working on the Duo product is motivating in and of itself. The company is growing rapidly, and Cisco continuously releases news to us about how our product is being used more widely and making a difference in the industry. I’m instantly motivated in an environment where I’m attempting to build technology that’s more innovative, clean, and efficient than all of our competitors. 

This summer, on the Data Platform team, I’m already in the midst of a project that involves making product data immediately available for analysis. The project involves linking together multiple technologies into a system, and I’m pushing the boundaries of how these technologies can be used with one another.

Finally, I can’t forget to mention that the culture at Duo is fantastic. There’s a specifically-designed, multi-pronged approach to keeping a fun, exciting, and lively team environment, and this does not come by accident. On that note, I’d also love to thank Emily Samar for inviting me to write this blog post about my experiences. It really feels special to be heard, especially as an intern. I’m very happy to be back at Duo, excited for everything to come this summer, and encourage you to consider the program if it’s the right time in your career!

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

With only a handful of years of wisdom under my belt, I’ve come to realize that the world works in ways you never expect. The big “P” was a challenge that no one could have prepared for, but one outcome of 2020 surprised me in the best way possible: interning from home is kind of nice, and I want to share a few reasons why.

The Home Office™: Working Here, There, and Everywhere

I hear that Duo’s offices are the pinnacle of an open-office tech start-up floorplan, complete with cool wall art and unlimited fancy coffee. However, I’d like to think that my humble remote setup can still spark joy. For starters, it exists wherever I want it to be.

Although I primarily sit at my crammed (but cable-optimized!) desk, seven feet from my bed, some other Home Office choices include: at the living room/kitchen table with my other fellow WFH roommates, outside in a hammock under some trees, and in an air-conditioned university building when the heat becomes too much. I have the freedom to choose where I work best and the flexibility to continue working, even if I choose to move back to my hometown or spend a few weeks in a different city.

This luxury of comfort and mobility is facilitated by the way teams here at Duo adopted remote working. While the initial shift to remote was challenging, Duo workshopped processes and programs (like summer internships) that adapt to needs and feedback. I frequently find myself hopping on quick calls, sharing my screen to get quick troubleshooting advice or creating a collaborative board to brainstorm with my team.

Tools like chat programs, Webex, and Mural, when complemented with supportive management and an openness to learning new methods of working together, contribute dramatically to establishing digital best practices that create a healthy and collaborative work culture. These are changes with longevity — a third of the Product Marketing team works in places without any Duo offices, so these practices will continue even as buildings begin to open.

A Broader Scope: Variety is the Spice of Life

Speaking of chat programs and Webex, one of the greatest advantages of a digital-first internship is the variety of conversations, projects, and unique learning opportunities I’ve been able to experience.

This internship I set a goal for myself: overcome my fear of “coffee chats” and talking to strangers. There were definitely a few factors at play here, like re-learning post-quarantine social skills, but for the most part I was successful — driven by both the ease of setting up 30-minute Webex meetings and the knowledge that the people I reach out to in a direct message are excited to talk to me. As a result, I’ve learned that CS stands for Customer Success (and not just computer science), compiled a list of more than 50 pieces of life advice (a go-to question particularly around my 20th birthday), and honestly met a bunch of really cool people.

Being able to reach out across the organization also allowed me to dive into functional areas that interest me. For example, I’ve been able to explore the international marketing scene in ways I probably wouldn’t have had the chance to if I were sitting in the Ann Arbor office. I’ve been in meetings with people from London and Sydney to Canada and Japan, giving updates, working on campaigns, and generally growing a deeper understanding of markets beyond North America through firsthand experience, rather than feeling confined by the small office area I would’ve been assigned. 

After a few months’ experience in the remote world, the number of digital experiences drastically expanded. At Duo, I was surprised to learn about the “Intern Learning and Development Budget” — and that’s on top of the pre-existing unlimited book fund. I’ve been able to attend specialized conferences, read recommended books, and even sign up for training and certifications without the significant costs of travel and time.

Imagine my surprise when I heard a fellow intern animatedly sharing her early-morning dance session that kicked off a virtual Customer Success Festival she was attending, all in week two of the Summer Internship. Duo hosted several virtual guest speakers, webinars, and learning sessions, and I somehow found myself interviewing Daniel Dae Kim for AAPI Heritage Month (first name basis, 100% bucket list accomplished). Suddenly, something I’d never even considered an option became a major part of making this internship memorable.

Breaking Barriers: Unlocking Opportunities and finding Connection

This summer cohort is the biggest at Duo yet — 26 undergraduate and graduate interns across both technical and non-technical roles. Remote internships have mitigated a lot of traditional barriers to work experience: cost of living in cities; logistics of leasing and housing; commuting; and even time zone challenges. In the cohort, people log in from New Jersey and New York to California, Texas, and… throughout the Midwest. For many, including myself, this is a first exposure to roles like technical writing, program management, and product marketing. It also opened the opportunity to co-op and get professional experience while taking classes in the winter and spring (shout-out to the three-person intern chat during hard winter months).

Feeling connected during the workday is a real challenge, and it takes more than beloved “meeting icebreakers” to fix. Rather, I’ve found that frequent, smaller interactions can help drastically humanize the WFH experience: quick messages, virtual working hours, drop-in lunch, and maybe even some happy hours putting our trackpad drawing skills to the test. As an intern cohort, we have our own chat channels, attend Design Thinking training together, and keep each other in the loop on our diverse projects. All of this, and more, felt more genuine than I had expected — even though only four of us are located near the Ann Arbor headquarters.

Reflections: The WFH Internship Experience and the Future of Work

In an ode to myself rediscovering and watching “The Suite Life of Zack and Cody,” I’d like to kick off this conclusion with a quote from the iconic 2005 theme song:

“Here I am in your life, here you are in mine.”

As I enter week 24 of my second fully remote internship at Duo (they don’t call me a “senior intern” for nothing), I’ve come to appreciate many of the things working from home has brought to my attention. Overall, there’s a greater focus on work-life balance, building accessible experiences, and giving people more autonomy to decide for themselves how they work best. Maybe it’s because I grew up in a generation where technology has touched almost all aspects of my life, or maybe it’s because I’ve admittedly never worked a “real-life, in-person, 9-to-5 cubicle office job” before, but the shift online felt like a natural progression of where I would find myself.

In school I took a class on the future of work, reading articles about applying machine learning to customer service bots and discussing the implications of autonomous vehicles. We explored the different fields of application — healthcare, education, manufacturing, global economics, public policy — and zoomed out to see the greater (exponential) rate of growth of technology. It’s interesting to think that in January 2020 the future meant a looming workforce of robotics, AI, and automation, and only a few months later it shifted to mean finding a solution for the most human-centric needs for connection, collaboration, and balance.

While a fourth wave of COVID-19 is definitely still something to consider, I think in the closer future is a work world where in-person and online hybridize. Maybe in the coming months and years there will be a visible shift in office spaces. Maybe interactive calls and virtual experiences become the default, building for accessibility and opportunity. And maybe it’ll be led by the interns who know that it’s positive, healthy, and feasible because they’ve experienced it before. After all, sometimes the world works in ways you’d never expect.

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

Giving back to our local and global communities has always been a big part of Duo’s culture. This tradition inspired us to launch the Duo Commmunity Impact Awards, now in its second year, which recognizes and celebrates how Duo team members made an impact in their communities over the past year. 

Joining me on the awards committee were Megan Furman, Chief of Staff / Head of Operations; Emily Reid, Head of Employee Programs; Stephanie Frankel, Head of Brand Team; and Kristina Birk, Release and Documentation Manager / Duo Gives Planning Team.

We received a wide variety of nominations across Duo, and we loved hearing about all the amazing things our team is doing to make the world a better place — volunteering, coaching, mentoring, running community initiatives, and so much more both inside and out of the workplace. We also loved seeing how many people nominated someone else. Each nominator shared that they’re personally inspired by seeing their colleagues’ efforts, and we think they’ll inspire you, too. 

We’re really excited to highlight our five winners, who each earned a $5,000 grant for Bright Funds, Cisco’s charitable giving and matching platform. This allows our winners to award non-profits that they’re personally passionate about, further spreading their positive impact and kinder-than-necessary attitude.

Andy Peterson, Technical Solutions Architect, volunteers at nonprofit animal welfare organization Friends of Upland Animal Shelter in Upland, California. He spends most of his free time working to drive animal welfare education and activities to improve the situation for lost and abandoned animals. He typically volunteers around 100 hours per month doing various activities including fostering puppies, supporting as a volunteer board member, committee member, and everything in between.

Rose Putler, Data Scientist, volunteered with Our House, a southeast Michigan-based organization helping young people with foster experiences transition successfully into adulthood. She not only participated in one-on-one and group mentoring with the organization, but also reached the milestone of more than four years working with her mentee, Alexis! (You can learn more about Rose and Alexis in this interview.) Having moved from Michigan to Boston after working with Our House for so long, she’s thrilled to be able to support them from afar and hopes to find a similar organization to work with in her new hometown. Rose hopes folks get inspired to be more compassionate and to advocate for policies which respect the dignity of the disadvantaged and the value of their time.

Jim Salmonson, Federal Systems Engineer, has been giving back in a variety of ways over the past year. He volunteers for the development of future Cyber Warriors as well as promoting music and arts in high school programs. Jim has been able to connect his network of cyber professionals and resources to help Junior ROTC leadership mature their programs, where he consults and mentors the senior directors to engage Cisco Systems and expose this community to current security capabilities, while developing good cyber citizens. In addition, Jim has been an active volunteer on the weekends for the local philharmonic and high school band programs to keep music active in the community. Jim provides audio/video services to the programs to keep kids connected and active safely during the pandemic.

Ted Stockton-Smith, Account Development Representative (ADR) Manager, has spent countless hours volunteering within COVID-19 vaccination centers since the beginning of the year. He has selflessly given his spare time, along with his Time2Give hours (a Cisco benefit providing team members 40 hours per year to give back to our communities) to one of the most important causes of the past 18 months. Being able to regularly spend three hours in the morning or on weekends assisting a team that vaccinated thousands of people a day, and then start work at 9AM ready to mentor, coach, and manage the ADR team is really inspiring.

Kevin Wainczak, Software Engineer, was driven to get involved in his community after a year when many people felt a strong sense of disconnection. He is a volunteer coach in pole vault at a local high school, working with athletes of all skill levels. Developing trust within such a difficult sport really allows the kids to achieve their best, and Kevin has fun and takes pride in seeing the enthusiasm and hard work that they show up with every day. He hopes that the athletes come away more confident than when they started, and that they feel like part of a team.

With so many impressive submissions, we wanted to highlight five more honorable mentions! Each of these Duo team members was awarded a $100 Bright Funds grant to donate to the non-profits that matter most to them.

Daniel Bagwell, Software Engineer, assisted with the distribution of COVID-19 vaccines at the Dallas, TX Fair Park Vaccine Mega Center. Because the site was only open during business hours, Time2Give allowed him to volunteer when others could not.

Courtney Eastman, Account Executive, organized a group to convert a trailer into a home for a family who lost their father and were living in a hotel. Donating replacement flooring, cabinets, and appliances, along with painting, cleaning and landscaping, took about five days.

Madhavi Kongara, Data Warehouse Developer, has been involved with Wayne County Senior Services initiative, providing meals to homebound senior citizens through Meals on Wheels. For the past nine months, she’s delivered meals to 10-20 seniors each week.

Amelia Lombard, Learning & Development Lead, volunteered twice a week in a virtual Algebra 2 classroom from January through June. During the one-hour classes, she and the teacher divided the class and supported their respective groups as they worked through math activities.

Mike Spitz, Head of America SMB Sales, is part of the Ann Arbor Community Academy, a volunteer group of citizens who connect with the city to understand more about what goes into day-to-day operations in Ann Arbor, Michigan. Through AACA, Mike learned about and got involved with several other initiatives, including one to plant 10,000 trees!

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

When I open my laptop for the first time in the morning, one of the first things I check is my email. As a Duo team member, and as part of the greater Cisco organization, I am one of more than 258 million monthly active subscribers of Microsoft 365. Because this service is integral to the working lives of our customers and ourselves, we wanted to ensure that you can easily yet securely access your emails, documents, and presentations from any device and any location.

That’s why we’re happy to share that Duo now offers a Microsoft 365 application for Duo Single Sign-On (Duo SSO), allowing you to federate your Microsoft 365 domains with Duo SSO. 

Where We Started: Duo Access Gateway, 2015

In 2015 we introduced the Duo Access Gateway (DAG), which used SAML 2.0 to authenticate users into Office 365 (now Microsoft 365). Next, we added support for legacy authentication protocols (Basic Authentication).

Since its inception, nearly half of all customers using the DAG consistently leverage it for at least Microsoft 365 — both for Modern and Basic Authentication. Many customers even use the DAG exclusively to protect Microsoft 365!

For these customers, the many pain points of maintaining an on-premises SSO offering — configuring servers, managing certificates, configuring high-availability, making sure everything is kept up-to-date — increasingly consume more time and resources that could be used to solve and improve other IT issues. That’s a lot of overhead for a single, albeit business-critical, application.

Building a Better Solution

Because the metrics we observed with the DAG are not trivial by any means, and we’d begun work on our hosted Duo Single Sign-On (SSO) offering, we knew that we had to deliver the best experience possible for Microsoft 365, for administrators as well as users. 

Keeping that in mind, we worked hand-in-hand with Microsoft to design, build, and validate according to their best practices by using WS-Federation, WS-Trust and WS-MetadataExchange, instead of SAML 2.0.

This allows us to fully support a wider range of modern and legacy authentication workflows, improving the end user experience, and aligning with Microsoft’s current and future product plans. These include, but are not limited to:

• Web browser logins
• Microsoft Office application logins
• Azure AD Management Tools
• Legacy email client logins
• Azure AD and Hybrid Domain Joins
• Windows Autopilot

When using WS-Trust for legacy workflows, we also give the option to limit access based on IP address, user agents and/or groups. We want to help customers move toward more modern authentication workflows, but we also recognize this isn’t always an overnight shift. These controls allow organizations to incrementally scale back on legacy usage. 

We’ve also made it easier than ever to get Microsoft 365 working with Duo by providing a prebuilt configuration script after entering some information about your tenant into the Duo Admin Panel. Long gone are the days of typos that have plagued our customers, and often technical support teams!

What’s Next with Microsoft and Duo?

Our partnership with Microsoft is stronger than ever, and we’re incredibly proud and excited to provide our joint customers with one more place to take advantage of Duo SSO. In addition to providing more options today, it also prepares our customers for the release of our upcoming Passwordless authentication solution!

Duo SSO is just getting started. Want to follow along? Subscribe to our release notes.

To learn more about Duo SSO and Duo Central as a whole, view our official documentation.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

This blog is part of an ongoing blog series for Duo’s Universal Prompt Project. The project is a major re-architecture and redesign of the Duo multi-factor authentication experience. In this post, we’d like to discuss a “behind the scenes” change we’ve made that helps achieve the overall project goals — improving security and delivering a better user experience. The change involves adopting the OpenID Connect (OIDC) standard to integrate with supported applications to deliver the prompt for MFA. But before jumping into the details, it might help to understand the open standards in discussion.

Understanding OAuth 2.0 Framework and OIDC Protocol

Problem to solve: Apps and services need a way to share data with each other

Years ago (back in the early 2010s!), applications shared sensitive information by asking users to enter their credentials from one application into another. Many applications offered services which would tie together functionality from other sites. For example, mobile applications such as Yelp requested your Gmail address book to encourage more signups by emailing your contact list on your behalf. Similarly, budgeting applications like Mint.com needed access to your banking credentials to help track your spending, and website developers wanted ways to post users’ tweets on their own websites.

These were all great services that provided benefits to everyday users, but users needed to share their username and passwords with these services to realize those benefits. Sharing credentials or passwords with multiple applications not only increases the risk of a compromise (yes, that same password you also use for online banking), but also gives third-party applications full access to your account.

This is a big no-no! Once credentials are compromised, hackers can take over user accounts; even change the passwords and lock users out. Even today, according to Verizon’s 2020 Data Breach Report, 37% of credential theft breaches use stolen or weak credentials. 

The main problem to solve here was authorization — in particular, how can we verify that an application or service is authorized to access information about the user?
This problem was solved with the creation of the OAuth framework.

The OAuth 2.0 framework essentially allows a third-party application to access information on behalf of the user. Think about how you might provide a friend an extra set of keys when they’re visiting so they can come and go as they please. However, there’s a key difference: You already know your friend, so you don’t need to authenticate them. Instead you just need a way to authorize them to access your home.

Once applications were able to successfully share data with each other, developers realized that this framework could also be used to implement some form of authentication. The OAuth 2.0 framework gained popularity and significant adoption to become an industry standard. However, it was not explicitly designed to support/enable authentication. And that’s why the OIDC authentication protocol was developed as an identity layer on top of the OAuth 2.0 framework, to explicitly provide support for authentication. Specifically, OIDC protocol allows you to log into multiple websites using a single set of credentials. Depending on the use case, the protocol provides several workflows. 

This entire workflow is like checking into a hotel. To make this flow more understandable imagine that a traveler, let’s call him Bob, is checking into Hotel Duo. 

Authentication workflow: Bob arrives at Hotel Duo and walks up to reception. Here the receptionist checks that Bob is who he says he is, actually has a reservation, and provides him with a key card (access token) for access to his room. 

• The hotel receptionist here is the OIDC provider, who is responsible for verifying Bob is who he says he is and that he meets the right criteria to get a key card. 

Authorization workflow: Next, Bob enters his room with his key card. Once Bob settles down in his room, he has time to get in a quick workout, maybe at the gym or at the swimming pool. Bob’s room key card also authorizes him to access other amenities like the gym or the swimming pool, but not facilities like the conference room unless Bob explicitly requests it. 

Benefits of Adopting OIDC for Duo MFA: Reliability and Security

One thing to note is that today, Duo does not support OIDC for identity federation. Rather, Duo leverages the protocol to integrate with applications for MFA. 

Now, let’s take a look at what the new Duo authentication experience looks like when using the OIDC-based integration:

1. Bob is authenticating with an application
2. Bob succeeds his first factor
3. Bob is redirected to the Duo prompt
4. Bob succeeds his second factor with Duo
5. Bob is redirected back to the application

The new Duo MFA experience for Bob is very similar to the current experience, but the prompt is now on a Duo-hosted web page. While only the savviest of users might notice the change, this approach enables Duo to deliver strong authentication that is more reliable and secure.  

Ultimately, by utilizing the OIDC Auth API or WebSDK 4 to integrate with an application, Duo provides developers a familiar and simple way to build MFA into their products and applications. Also, because this integration mechanism redirects to a Duo-hosted page for MFA, developers and customers need to build an integration only once and continue to get improvements for security and user experience.

We've received a lot of positive feedback from customers who have participated in the private preview. And we can't wait for all our customers to try Duo’s next-generation authentication experience. Until then, you can get started by learning more with:

• New guide for Duo administrators: Universal Prompt Playbook
• How to update to Duo Universal Prompt: Duo Universal Prompt Update Guide
• Duo Knowledge Base: What is the Duo Universal Prompt?

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Part of our Administrator's Guide to Passwordless blog series

See the video at the blog post.

In some ways, the term “passwordless” is a misnomer. Yes, it’s a password-less authentication method, greatly streamlining the login experience, and while that’s a great incentive to use passwordless for logging in, it’s not an improvement in authentication security in and of itself. 

Passwordless uses multiple factors in one step. Unlocking authenticator devices locally removes the threats of credential reuse and shared secrets. But on top of all of that, passwordless should also raise the bar by substantially reducing or even eliminating the risk of phishing attacks. Any “passwordless” solution that cannot meet this bar is simply inferior. 

That isn’t to say that every password-less solution needs to be phish-proof. There may be other properties of an authentication solution you’re considering that make it a better fit for your environment, and you may be able to mitigate the risk of phishing using additional authentication factors. While not every solution will use the same mechanisms to prevent phishing, there are some properties that will be common to every solution that is truly phish-proof.

To prevent phishing, there are a few general properties that your authentication solution needs:

No Shared Secrets is the property that secrets are never shared and are always kept local to the authenticator device. The authenticator will use these secrets to sign messages, which can be verified by the other party to only have been able to come from the authenticator device. Unlike passwords or other shared secret-based approaches, the solution should guarantee that the secret used for one website is distinct and separate from any secrets used for other websites.

Origin Binding is the property that the site you (as a user) are attempting to log in to must match the domain, or origin, of the site you’re actually on. The history of active phishing has taught us that this is not something that the user can be relied upon to do, so any solution must avoid being dependent on the user checking the domain before authenticating.

Secrets, or credentials, should be linked to the domain upon which they were registered, and should not be unlockable without an automated check that the user is actually on that page. From our first No Shared Secrets property, we should be guaranteed to have different credentials for different sites, and so while a phishing site should be able to gain access to credentials for its own domain, it must never be able to access credentials for another site.

Channel Binding is the property that the communication channel from the authenticator to the website must be strongly tied to the browser session attempting to authenticate. Put another way, an attacker attempting to log in as the victim should be unable to reach the user’s authenticator to prompt the user to log in. Doing anything else would make push phishing attacks viable. There must be a guarantee that only the user’s browser (or other legitimate software) can activate the authenticator device. The channel between the browser and authenticator must be bound. This is the most nebulous of the three properties, and the one that authentication solutions most often fail.

Let’s dive into how WebAuthn and FIDO2 implement these properties and provide a very robust resistance to phishing. To start, compliant authenticator devices exhibit the No Shared Secrets property by design. The authenticator generates a new keypair, or credential, for every website, and then registers the public key with the website so its signed messages can be verified during later logins.

In a WebAuthn login, the browser itself (not the website) passes the origin of the page to the authenticator device to be included in the signed assertion response. Because of this, the signed assertion is only usable by the page matching the origin. No other site will accept it. This eliminates the ability for passive phishing, such as a site with UI elements that mirror a victim site. Because the origin also includes the https:// scheme (and WebAuthn requires TLS), this also prevents active phishing attacks, even those using a TLS-stripping attack.

The WebAuthn protocol supports only a few mechanisms for invoking authenticators. One such method is looking for a platform authenticator built into the access device, such as Windows Hello, Touch ID/Face ID, or Fingerprint/Face Unlock on Windows, Apple, and Android devices, respectively. Because this authenticator is built into the access device itself, the channel binding between the authenticator and browser session is straightforward. An attacker cannot, without already having substantial privileges on the victim’s device, invoke the victim’s platform authenticator to push phish the victim.

The other category of WebAuthn-compliant authenticators are roaming authenticators. These authenticators are not attached to the access device itself, and can be used across many different devices. They may plug in via a USB port, like a Yubikey, or connect via Bluetooth or Near-field communication (NFC). In each case, it is critical that an attacker cannot invoke the authenticator.

For USB-attached authenticators, the act of plugging the authenticator into the access device typically gives the access device exclusive access and control over the authenticator, very similar to platform authenticators. Bluetooth authenticators require an explicit pairing step by which the user links the access device and the Bluetooth authenticator. An attacker should not be able to invoke the Bluetooth authenticator remotely, unless they can somehow trick the victim into pairing the Bluetooth authenticator to the attacker’s device.

NFC is only usable over short distances of a few inches. This should give similar properties to those of a USB-attached authenticator, under the assumption that an attacker would have to bring a physical device in very close proximity to the victim’s authenticator. Proximity-based controls, such as those for NFC, are vulnerable to relay attacks that can break the important channel binding property. In practice, however, relay attacks are typically targeted and affect individual victims. They are more similar to biometric spoofing attacks in complexity and specificity than the more widespread phishing techniques used against passwords and 2FA today.

Because WebAuthn and FIDO2 achieve these security properties, products based on them tend to be some of the most secure, phishing-resistant authentication methods. However, let’s also talk about some common anti-patterns among password-less solutions, where they violate these properties, and what vulnerabilities they introduce.

Push 2FA

Push notification-based methods are great for mitigating the risks of password-based authentication, but they’re often phishable. Whether the notification comes from an SMS message or an app, or whether the push requires biometric verification (making it multi-factor), push-based solutions typically have weak or nonexistent channel binding properties. An attacker who is able to enter a victim’s username into a login prompt configured to initiate a push becomes capable of initiating pushes to the victim’s phone on demand. This is because normal operation lacks a channel binding the user’s browser session to the user’s phone, so it’s difficult to differentiate (and block) an attacker’s browser sending a push to the victim’s phone. 

When push is used as a second factor in conjunction with a primary factor, such as a password, this risk is reduced because an attacker must additionally know the victim’s password. However, if push-based authentication is used as a primary factor, push phishing becomes a much greater threat.

Tip: In evaluating any Push-based passwordless solution, look for documentation on how the solution binds the access device’s browser session to the push device in such a way that anonymous actors cannot push phish your users.

QR Code Scanning

Some authentication solutions rely on QR codes to bootstrap or transfer trust from one device (often a mobile phone) to another (often a PC). Take the following example: A user attempts to log in to a website on their PC. The website displays a QR code for the user to scan with their phone. The user scans the QR code and their phone initiates an authentication, such as a Face ID scan. When they complete the Face ID scan, the phone informs the website of the user’s identity and the website allows the PC to log in as that user.

Unfortunately, this authentication model breaks the channel binding property we need as well. To illustrate, a victim can be phished and end up on a page that looks identical to the site they’re where they’re attempting to log in. However, the QR code displayed to them could come from an attacker, which when scanned, ultimately allows the attacker’s browser session to log in as the victim. This general category of attacks is known as QRLJacking.

The victim doesn’t even need to land on a phishing site for QRLJacking attacks to be effective. QR codes are indecipherable to humans, but can contain virtually any text, including various URI schemes. App Links or Universal Links are links designed to automatically open and invoke some mobile application. Imagine someone scanning a QR code on a digital billboard, only for their authenticator app to be invoked, use Face Unlock and WebAuthn to authenticate them, and position them only one confirmation click away from returning a response that will log an attacker into their account. Authentication methods that use QR codes to proxy authentication between devices are scary.

It’s also important to note that the risk of QR code scanning is reduced depending on the context in which it is performed. There are many solutions that use QR codes to initially set up an account or an authenticator for the first time, such as during the creation of an initial OTP seed. Since these QR codes are typically scanned just one time to set up the account and the user is typically already engaged with the specific enrollment session, the risk of an attacker breaking the channel binding by man-in-the-middling the QR code is greatly reduced compared to solutions that use QR codes for every login.

Tip: There is no guarantee that just because an authentication product uses FIDO2 or WebAuthn for part of its solution that it will achieve the same phishing resistance properties as the base protocol. Each solution must be evaluated as a whole.

Fallback Authentication Methods

Wait, hang on. Non-passwordless authentication methods are a passwordless anti-pattern?

Well, no. But also yes.

When rolling out passwordless authentication to your organization (more on this in Part 4 of this series), your users are only as secure as their weakest authentication method. Passwordless authentication may be quicker and easier to use, but if an attacker can phish your users’ passwords and push-phish their second factors, your organization is still susceptible to those attacks.

Recovery flows are also important. Even if you have entirely removed passwords from your environment, if a user gets locked out of their account but can recover access using an automated email recovery flow, the email recovery flow is part of the attack surface. An emailed link the user clicks on to initiate a recovery flow is less susceptible to phishing than a temporary access code they must copy and paste into the correct field. Emailed recovery links are not typically subject to the same sorts of push-phishing attacks as described above because the recovery link will create a new browser session on the user’s device, rather than authenticate an existing browser session that may have been initiated on an attacker’s device.

Despite early work on new recovery flows for passwordless authentication, it is likely that fallback authentication methods and current recovery methods will be used to some extent for the foreseeable future. When evaluating your passwordless rollout, make sure to consider not just the highest bar you can reach, but the lowest bar you’ll support as well.

Duo’s Passwordless Authentication Resources

• Explore more of our Administrator's Guide to Passwordless blog series
• Learn more about our upcoming passwordless authentication solution, and sign up for updates
• Read our white paper, Passwordless: The Future of Authentication
• Watch our webinar, How Duo is Making Passwordless Progress Easier
• Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
• Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy

See the video at the blog post.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

You can always expect certain things at the height of a Las Vegas summer: sunshine, sweltering heat, and Hacker Summer Camp. While last year was different because most of the events were either virtual or cancelled, this year is looking up — Black Hat is dipping its toes back into in-person events with a hybrid approach! 

So some of you will be breaking out your hacker t-shirts, dusting off your sneakers, and heading out to steamy Las Vegas for the conference. Meanwhile, if you aren’t traveling you can still attend from home, enjoying a different kind of glow from the light of your computer screen.

What does this mean for Duo? You bet your USB sticks we’ll be joining the fun, but we’re taking it a little slower by participating virtually this year. (Remember: we’re all learning to navigate this new approach, which means we’re all testing the waters at different rates.)

In either case, whether live or online, this promises to be another exciting conference! Starting with a few days of training on Saturday, July 31 and ending with briefings on Thursday, August 5, Black Hat is back, chock full of informative keynote talks, engaging sponsored sessions, friendly Business Hall exhibits, and more!

Featured Duo Talks

Evaluating Passwordless: Cutting Through the Noise with Three Metrics

In this talk, Duo Product Marketing Manager Ted Kietzman will share three technical metrics you can use to assess a passwordless solution, highlighting some potential pitfalls of “passwordless” along the way. Join Ted on Wednesday, August 4 at 1:10 p.m. PT to learn what’s what when it comes to passwordless, and come prepared to think about the implications of quick response logins (QRLs) and the type of binding necessary for secure passwordless solutions. For more information about how Duo is paving the way for passwordless authentication, visit our Passwordless Authentication preview page, where you can also sign up for updates about our upcoming passwordless solution.

Bridge the Gap with Cisco: Best Practices for Balancing Productivity and Security

Stolen credentials and unpatched software are common attack vectors used by cybercriminals in many types of attacks, including ransomware. Organizations have invested in security tools such as MFA, EDRs, MDMs, VPNs and more to mitigate these attacks. However, for maximum security efficacy, these tools need to be supported with simple processes and great usability.   In this session led by Cisco Secure CISO Josh Yavor, you’ll learn about best practices that Cisco implemented to enable secure access for a global remote workforce, providing the best experience for productivity without compromising on security. Join him on Thursday, August 5 at 1:10 p.m. PT to learn more.

All in the Family: Other Interesting Talks

Make sure to keep a spot in your schedule for these other sessions featuring Cisco speakers:

Rock ‘Em, SOC ‘Em: Intel Director vs. CISO Battling for Better Incident Response​

In this talk, Wendy Nather, Duo’s Head of Advisory CISOs, and Matt Olney, Director of Talos Threat Intelligence and Interdiction, join forces to present on security operations and incident response. Matt will provide an Intelligence Director’s take on the lessons learned from facing some of the most notorious cyber attacks to help answer the question: what makes a world-class incident response program? Wendy will give the CISO perspective on how to build a sustainable, ongoing program using evidence-based practices. 

Making Zero Trust Work in Your Organization

In this live-streamed Dark Reading virtual panel, join Dark Reading editors and top security experts for a discussion that not only explains the zero trust approach, but also offers practical advice on how to implement it in a real-life, operating IT environment. You’ll get an overview of the tools required, the processes you need to put in place, and the impact you can achieve by making zero trust a core piece of your cybersecurity strategy.

Moderating this panel is Timothy Wilson, Editor in Chief and co-founder of Dark Reading. Recognized by his peers as one of the top cybersecurity journalists in the US, as well as named one of the 50 Most Powerful Voices in Security by SYS-CON Media, Tim will be sure to keep the conversation candid and engaging. 

During this panel, you’ll also hear from:

• TK Keanini, Distinguished Engineer, Security Platform & Response, Cisco Systems
• Gal Shpantzer, Security Consultant, Virtual CISO, Faculty at IANS
• Elena Kvochko, Chief Trust Officer, SAP
  
  

Getting Rid of the Password: The Next Wave of Enterprise Authentication

For this live-streamed Dark Reading virtual panel, top experts will discuss real-life strategies you can use to shore up endpoint security and decrease your reliance on passwords. You'll learn about some of the latest multi-factor authentication tools, and hear how other security teams have implemented more effective processes for managing end user access. Tune in Wednesday, August 4, 2:50pm-3:20pm PT.

Joan Goodchild, Senior Editor at Dark Reading, will moderate this panel. Joan has spent more than a decade covering security for a variety of publications, and served as editor-in-chief for CSO online, so she’s no stranger to these subjects and won’t hesitate to press for forthright answers from the panelists:

• Ash Devata, General Manager of Cisco Zero Trust
• Andy Ellis, founder and CEO of Duha, Operating Partner at YL Ventures, and former CSO of Akamai
• Jim Routh, Cybersecurity Advisor, Former CISO, MassMutual

Even More Passwordless

If you’re interested in a demo of Duo’s passwordless authentication, look no further than the Cisco virtual booth. Find out how Duo can help you transition to passwordless seamlessly and securely. On your journey to passwordless, build a holistic strategy that reduces authentication friction while simultaneously increasing trust in every authentication.

BSides Is Back, Too!

We were all saddened last year when BSides announced there would be no BSides Las Vegas, but luckily, this year BSides is back with a virtual twist. Happening on July 31 and August 1, this event will include eight tracks covering a variety of security topics, with talks hosted on Twitch and interactive discussions hosted through Discord. Cisco Secure is sponsoring the event — look for our goodbye to passwords video, or if you’re interested in careers at Cisco/Duo, stop into the #job-postings Discord channel to see what roles are open.

With so much to look forward to, we can’t wait for Black Hat to begin. Until then, stay hydrated, wear that sunscreen (or if you're joining from home, be sure to step away from the screen occasionally!) and get ready for another Hacker Summer Camp adventure.

Try Duo For Free

See how easy it is to get started with Duo and secure your workforce, from anywhere and on any device with our free 30-day trial.

The insidious nature of malicious software has not been lost on any of us. Computers and networks have been dealing with malware in one form or another for decades. Though in recent weeks ransomware has firmly been in the forefront of people’s minds, the first documented instance of what we now know as ransomware dates back to Dr. Joseph Popp in 1989. This raises the question, why is ransomware in such clear focus now?

Honestly? Because we’ve all had enough of it. 

When Popp’s AIDS ransomware was released, it didn’t rely on an internet connection, nor did it have the benefit of Satoshi’s brain child (which was still years away). It would install from a CD onto the hard drive where it would overwrite the AUTOEXEC.BAT file and wait until the system rebooted 90 times. Next, it would encrypt files on the victim’s system and deny access until they sent a $189 payment to a post office box in Panama. 

Bait CDs were then distributed at the World Health Organization’s AIDS conference. From there the malware found its way onto multiple systems. Now, extortion is nothing new. According to James Lindgren’s paper, “The Theory, History, and Practice of the Bribery-Extortion Distinction,” extortion has been used for manipulation and profit since the 1200s. But the act of doing so in a digital medium was indeed novel at this point in history. 

Back in 1989, there was the maddening aspect of having to produce and send out CDs via the postal service. Apparently, Popp’s plans included a proposed further distribution to an additional 2 million potential targets. At that volume, the production and distribution costs alone would have been staggering, hence the (then) high cost of $189 to the victim.

Today, an attacker only needs to upload code to a file share and send out a link, and they’re off to the races. Costs for the criminal element have dropped. Ease of distribution has skyrocketed, and collecting extortion payments has become very simple. 

So simple, in fact, that anyone can get in on the action. Sometimes this happens with extremely unfortunate consequences. For example, a hospital in Düsseldorf, Germany became infected with ransomware that managed to encrypt its systems. The attackers were able to gain access to the systems via a well known vulnerability in one of their systems. The hospital had in fact patched the system the day the patch was available, but it is a very real possibility that the damage had already been done. 

The attackers actually intended to target the systems of an associated university of the same name as the hospital, ultimately hitting the hospital in error. However, this error proved to have tragic implications. A patient was being rushed to the hospital but couldn’t be admitted because the healthcare-related computer systems were offline. As a result, the patient’s ambulance was rerouted to another hospital miles away. She never made it.

This starkly illustrated how quickly the tables can (and have) turned. What was once merely an attempt to steal money led to, well, death. 

What makes this possible? Well, attackers are leveraging today’s technology. No longer reliant on the postal service and PO boxes, they can use cloud computing platforms to build and sell their malicious software. Ransomware as a Service is here, allowing attackers to scale up their operations as easily as any growing startup. 

Rather than throw our hands up in the air and accept defeat, we can take steps to counter the threat of ransomware. We need to ensure that systems, accounts and applications are all protected from direct attacks by the criminal element. As defenders of our systems, we have a responsibility to protect our assets, data, applications and people. 

A strong strategy is essential for helping enterprise organizations accomplish their goals. Continuous trusted access or zero trust is a great approach to help reduce the risk of data breaches and malicious attacks. While it’s an incremental process, we can address some of the low hanging fruit. Multi-factor authentication (MFA) and DNS monitoring can drastically reduce the chances for an attacker to gain access to your systems. Attackers often rely on unpatched vulnerabilities or purloined passwords. What if you could remove their access? Attackers often reuse tactics, techniques and procedures (TTP). What if you could use the fingerprints of those prior attempts to uncover attacks before they launch?

We’ve seen far too many stories about enterprises and organizations falling victim to ransomware. There is a need to have a strong strategy to protect the organization from these attacks. With products from Cisco’s Duo & Umbrella, your road to becoming safe and secure will drastically improve.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Four years ago, the Australian Signals Directorate created the “Essential Eight” — recommendations to secure federal entities and improve cybersecurity protections. This month, the Attorney General’s Department announced plans to extend the protective security policy framework (PSPF) to require implementation and audit of all eight areas. This change reflects a movement we’re seeing in governments worldwide to be more assertive in improving government agency security.

The Australian Essential Eight identifies eight areas of focus for non-Corporate Commonwealth Entities (NCCEs) to improve their security. The eight areas are:

1. Application Control
2. Patch Applications
3. Configure Microsoft Office Macro Settings
4. User Application Hardening
5. Restrict Administrative Privileges
6. Patch Operating Systems
7. Multi Factor Authentication
8. Daily Backups

Each area comes with guidance to improve maturity of the area. So far, NCCEs appear to be struggling to implement the first four, but the Attorney General’s office intends to move forward with the recommendation to mandate implementation of all eight areas.

The Australian government’s plans to double down on cybersecurity for its own departments came at the same time President Biden issued an Executive Order on Improving US Cybersecurity aimed at improving efforts to “identify, deter, protect against, detect, and respond to these actions and actors.”

Though broader in scope than the Australian Essential Eight, and specifically targeted at improving supply chain security, there are areas of overlap that should be noted:

1. Requirement for Zero Trust Architecture
2. Requiring use of Multi-Factor Authentication
3. Requiring use of Encryption at Rest and in Transit
4. Use of trusted source code from vendors, including a Software Bill of Materials (SBOM)
5. Standardizing incident response processes across all agencies
6. Use of Endpoint Detection and Response (EDR) capabilities

Both governments recognize the need for their own agencies to improve their cyber defenses, as well as their dependence on private sector suppliers. 

General supply chain security is also a concern among the European Union. They’re working to update their Directive on Network and Information Security Recommendations (NIS 2) recommendations, with a focus on improving essential organization’s cyber resiliency.

Their recommendations also contain elements similar to Australia and the US:

1. Facilitating standardized incident response and data sharing across members
2. Requiring adequate vulnerability management programs
3. Use of end-to-end encryption
4. Regular audits of cybersecurity programs

The UK Government is updating their National Cyber Security Strategy, calling for input into the process with a strong emphasis on supply chain security. The UK’s National CyberSecurity Centre (NCSC) already provides a number of recommendations that overlap the Australian, US, and EU directives. Service providers are already encouraged to comply with the Cyber Assessment Framework (CAF).

How Do These Directives Make an Impact Short-term?

Not surprisingly, these changes primarily focus on government agencies and the vendors who supply them. Governments are recognizing that their technology footprint extends beyond their network edge, and that their ability to function depends on their third (and fourth and fifth) party ecosystem. As such, they’re implementing requirements for their own agencies to be more secure, while also addressing supply chain cybersecurity risk.

Agencies and their suppliers will need to amend their security strategies to account for these new requirements. Most of the controls are already in place to some degree — the effort will be in understanding and improving the scope and maturity of existing practices. Few of the directives require a set timeline, which may be helpful, although there is an expectation of urgency in the directives. 

Like most organizations, government agencies struggle to meet their existing requirements. Technical debt, lack of skilled staff, and lack of financial resources are common challenges across the public sector. Security leaders will need to work with vendors and internal teams to determine the most cost-effective ways to implement and expand these controls. Vendors will need to be transparent with their public sector customers about the features, benefits and costs of their services, and work in partnership with the agencies to deliver the control objectives without overburdening them with point solutions that require significant integration efforts.

What’s the Long-term Outlook on Securing Government Agencies?

Companies outside the immediate public sector supplier ecosystem will benefit from these requirements, as vendors continue to improve their products and pass those features on to non-government customers. Most of these requirements are re-iterations of existing control requirements in other sectors, which means most functionality already exists. However, new functionality, such as the US Software Bill of Materials (SBOM), will require changes in company product development and security operations processes. 

It is reasonable to expect that new functionality should be incorporated into general product offerings. It will be interesting to see if vendors choose to only deploy changes to their Federal products. Regulators who oversee other industries will adopt these requirements for healthcare, financial services, utilities, etc., and expected controls for those environments will follow. Cyber Insurers, regulators and customers will expect these controls to be present, regardless of public or private status. 

Watch this space — there’s more to come!

What Next Steps in Security Should Government Agencies Take?

As the impact of cyber events spreads across more nations, with greater negative effect, expect to see more governments jumping on the bandwagon. Complying with a framework like NIST or ISO is helpful, but governments appear to be more targeted in terms of which controls are mandated. The focus may start with their own agencies, but will ultimately extend to their supply chain, and anyone who works with vendors in the supply chain (in other words, everyone). 

Governments can no longer expect recommendations to be adopted voluntarily — they will need to impose requirements. Unfunded mandates won’t work. Plus, agencies will need additional funding to identify the resources necessary to deliver these control outcomes.

Vendors serving multiple governments will face a barrage of requirements that will not always align. This isn’t new, but it will likely get more complicated in the short term. International cooperation between governments on standards and requirements will go a long way to keeping the cost of security low, but again, expect it to get worse before it gets better.

For security professionals, a closer look at the kind of controls being required reveals a set of basic hygiene requirements. Items like encryption, multi-factor, vulnerability management and coordinated incident response have been part of security frameworks for years — there are few surprises. So, consider the basic elements of a company or agency’s security program, and make sure they’re being executed with a high degree of maturity, extended into the organization as much as possible. Ensure the security, IT and general teams understand their roles in executing these controls. Use these mandates to spur action from non-security parts of your organization (never let an incident, or a change in regulation, go to waste).

Remember, there are two primary concerns addressed by these directives: confidentiality, through the lens of data theft and espionage; and availability, through ransomware and other service-interruption attacks. With this in mind, focus on the controls that will be a primary defense/response capability for these kinds of events. Zero trust architectures, including multi-factor authentication, backups and disaster recovery programs, and improving incident response and threat intelligence capabilities, will all be helpful in preventing and responding to government agency-related security threats.

Resources for Security Professionals

Preparing for these new requirements can be daunting. Various resources are available to security professionals who are trying to navigate this changing landscape:

• Work with your industry Information Sharing and Analysis Center (ISAC) and other guidance groups to understand the new requirements and how to interpret them.
• Reach out to your security vendors. Not only will they have solutions to solve some of your control gaps, but they’re also likely to be subject to the same regulations. Ask them how they’re approaching the problem, and learn from their experiences.
• Think tanks are constantly reviewing and dissecting these directives. Keep in touch with them to get a calibration check on your security strategy.
• Talk to your industry peers. At conferences and roundtable discussions, you can ask questions and share concerns. Take advantage of the community’s knowledge and experience.

Try Duo For Free

See how easy it is to get started with Duo and secure your workforce, from anywhere and on any device with our free 30-day trial.

When COVID hit, as a leader working remotely at Cisco, I immediately started thinking about my team. How would we handle working together through quarantine? How do successful managers operate during times of crisis? How would we maintain our team culture when we weren’t sure when we’d see each other again? Like many managers, I scrambled to find ways to support my direct reports at first — I loosened deadlines and I sent each team member a LEGO kit, and they appreciated both — but like everyone else, in the early days, I thought my responses would be temporary. As the pandemic wore on, I adapted my management style with the assumption that this might just be our new normal at work. 

Now, more than a year later, I’ve found that many of the changes I thought of as “crisis responses” have grown into successful practices that I want to leverage permanently. In 2020, I made the choice to respond to the pandemic by doubling down on empathy — and since then, I’ve discovered that the more time I invest in my team’s well-being, the more productive and engaged they are. As we’ve slowly adapted to our new normal, we’ve discovered better ways of relating, cooperating, and getting work done. Now, I want to make sure that sticks.

These are the three biggest lessons I’ve discovered so far through the pandemic, and how I’ve put them into practice with my team.

The gang's all here: My team of developers, designers, and strategists

Fostering Team Culture Takes Hard, Intentional Work

Creating and maintaining a culture across a team is, obviously, easier said than done. When we first went into quarantine, I knew I wanted to step up my culture efforts, but didn’t know where to start. I saw other leaders struggling to keep their own teams’ morale together. On my own team, I was keenly aware that not everyone was the same — some of my direct reports are introverts who thrive with solitude, while others do better when they’re frequently connecting with people. 

So I started with empathy. Each of us was handling things in a different way, and I wanted to create space for that. In team meetings, and with individual one-on-ones, I adopted a few new practices. 

• I made it a standard practice to openly talk about our mental and emotional capacity. My one-on-one meetings have always started with time to socially connect, but now I use them as an opportunity for us to check in on each other. On the days when I’m struggling at work, or having a hard time with current events, I say so. I invite the same candor from my team, and it’s always helpful. When we kick off our one-on-ones with an honest conversation about where we’re at, the work parts always go better. And through that, we align our work to our capacity. Understanding what each of my team members is going through also helps me know when and where to offer help at work.
  
  
• I turned giving feedback and recognition into more formal, structured practices. In the "before times," I relied on in-person interactions to have some of my most important conversations. Communicating tone is so much easier face to face! I gave plenty of feedback and recognition, but my approach was often scattered, because I was trying to balance my in-person and virtual conversations. Quarantine prompted me to lean in to scheduling and planning how I give feedback and recognition — because in isolation, my team needed to be seen more than ever. I hold time in my one-on-ones, as well as team meetings, to provide specific feedback: what worked, and why, as well as what our current gaps and opportunities are. And I plan ahead of time the specific things I want to share for each person, which helps make sure I’m managing equitably.
  
  
• I started being transparent about all my efforts. One of the main messages I conveyed to my team throughout 2020 and 2021 has been that we are all having a hard time, myself included. I made a point of expressing that, and also sharing my goals and my strategies. When my team heard me say things like, “I want to be more open about our emotional capacity, and make feedback more structured to help make sure we’re still connected as colleagues and human beings,” they saw more about what I was trying to do, and that prompted them to be part of the solution. Maintaining culture became a “we” thing instead of a “me” thing.
  

Seeing how the team has grown as we learned to build and maintain our culture in the time since, I can’t help but ask myself: Why would we ever stop doing these things? 

During Times of Challenge, Double Down on Professional Development

I’ve always been passionate about helping my team members develop, but the pandemic gave me an opportunity to dedicate more time to it. 

Professional development, and career development, are both loaded terms. To many managers, they’re code for “You’re supposed to send your people to conferences and give them online training,” which is sort of like being asked to serve a feast and insisting that serving a single side dish is enough. 

I’m a big believer in helping team members develop through goals and experiences. Side dishes are great, but when it comes to my team, it’s all about the main course: the skills they want to develop and the experiences they want to have. Here are a few ways I worked to make that happen:

• I connect individual goal-setting with business objectives. I get that goal-setting with teams is Management 101; what changed is that when we all lost the chance to be in the same building, it became a lot harder for my team to get visibility into potential opportunities. They also had more asynchronous time to dedicate to goals. So I started working with each of them, looking at our team’s business goals together, and then looking for ways to weave in opportunities for them to work toward their individual goals. Our shared isolation helped me realize if I’m not helping them see how and where they could level-up professionally, they might not get enough visibility to that.
  
  
• I leaned into being a talent broker. Like goal-setting, this wasn’t a new thing, but in quarantine, I got more active about helping my team members find experiences on projects or teams that align with their next career steps. Sometimes that meant making an introduction to another team so they could contribute to a project sprint; sometimes it meant adjusting who got what work based on who wanted to be challenged. What COVID changed is that I didn’t have as many organic opportunities to help my team explore options, so I had to set aside time for it, and be much clearer with everyone about my efforts.
  
  
• I invested in my own soft skills. As I looked at my own management approaches, I thought about what was working, and where I wasn’t getting traction — and then went after coaching and learning opportunities. I started checking in with peer leaders from different teams, and reaching out more to work on skills like negotiating, advocating, and leading equitably. On some level I’ve always known that soft skills are critical to effective leadership, but I feel like going through COVID together really proved it to me. The days where I was most effective, the projects that were most successful — they got that way because we focused on being human beings first. 

Self-Care Requires Time and Structure

The most important lesson was also the hardest for me: For self-care to work, you need to set aside time for it, and have a plan. These are the habits I worked to adopt during quarantine; it’s still hard work for me, so I’m not done, but I’m inspired by the outcomes that I’m seeing. 

• I treat self-care time and work time as equally important. We’ve all gotten meeting requests that steamroll over our existing “Do Not Disturb” or “Focus Time” appointments, or been invited to meetings and wondered, “Do I really need to be there?” And the trick there is defending your time.
  
  With my team, I make a point of defending their time, and protecting the hours they set aside to look after themselves. I need them doing their best work, and they can’t really do that if they’re being pulled away from investing in themselves. Sometimes that means making meetings smaller or creating meeting-free days, and sometimes it means telling other managers that they’ll have to wait. That’s not super fun, but it sure beats having a team that’s burned out and fatigued.

• I treat time off as a requirement. Every place I’ve worked has talked about time off as a benefit, but in my eyes, it’s not a “nice to have;” it’s an essential part of thinking clearly, getting perspective, and managing how much energy we have to bring to work. So with my team, I share my mindset and expectation that we all need to take PTO, and that it’s as much a priority as the work we do. I don’t micromanage when they take PTO, but I am clear with them that it’s an expectation. (The hardest part about this is modeling it — but that’s been healthy for me, too.)

Embracing the Effective

I miss being able to see my team in person, and I miss the communication that happens when we’re all in the same space. And at the same time, we’ve turned into a completely different kind of team now that we’re entirely virtual — one with systems for empathy, and new norms for transparency. And long after the pandemic is gone, I plan on keeping it that way. 

Recommended Reading for Leaders

• The Leadership Mistake You’re Likely Making? Being Nice: When we’re preoccupied with seeming popular instead of fair, when we optimize for pleasant conversations instead of honest ones  —  we hurt our teams.

• An Essential Tool for Capturing Your Career Accomplishments: The Career Management Document helps team members maintain a record of their contributions and identify their progress, making it easier to prepare for performance reviews, job applications and interviews.

• Delegate Outcomes, Not Activities: Involve your team in co-creating what success looks like — instead of purely asking them to execute and get you there.

• The 3 Most Effective Ways to Build Trust as a Leader: To my surprise, in our survey we ran this past fall with 597 managers and employees, these three ways to build trust were in fact viewed as the least effective by employees.

• Dealing With Surprising Human Emotions: Desk Moves: Learning about people’s core needs critically shifted my management style and approach, helping me better understand why someone is reacting to a situation in a way I didn’t expect.

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

Part of our Administrator's Guide to Passwordless blog series

See the video at the blog post.

Tall Tale #1: PINs Are Just Passwords

In Part 1, we talked about how passwordless authentication is still multi-factor:

1. Possession of a private key, ideally stored on a piece of secure hardware
2. A biometric or PIN the authenticator uses to locally verify the user’s identity

Reasoning about a PIN being used as a factor is simpler than a biometric. A PIN is simply a password, with a few key differences. The most critical difference is the context in which it is used for authentication in WebAuthn. Unlike a password, which is transmitted to the website and checked against the website’s record (hopefully, a salted hash, and not a copy of the password itself), a PIN is used only to unlock the credential stored on the local authenticator device. There is no central repository of user PINs for an attacker to breach and steal, no remote access to the authenticator for an attacker to brute-force over the network. The only way to unlock the credential is for the user to locally, often physically, interact with the authenticator device and enter the PIN. 

By way of analogy, let’s consider the teleporting burglar problem. Why a teleporting burglar? Because remote attacks on the internet are similar in nature — an attacker can instantly “travel” to any “door” in order to attempt a theft. To reduce the risk of a burglar who can teleport, we can (a) make our keys harder to forge and our locks harder to pick, or (b) stop the burglar from being able to teleport.

Burglars who have to walk from house to house are much less of a threat. By enforcing local authentication via PIN, we effectively force remote attackers to “walk” to each account they want to hack. Even weak local authentication stops most remote attacks cold. Switching to local evaluation of a user’s identity eliminates several entire categories of attacks that impact organizations and individuals today. 

Because a user must be able to locally access the authenticator to enter the PIN, and authenticators often lock after a small number of incorrect attempts, the complexity requirements we associate with “good” passwords may not be necessary. Using numbers, symbols, capital and lowercase letters, with a minimum character count, all aim to deter attackers who can brute-force guess trillions of passwords per second. When an attacker gets 10 guesses total and has to enter them all by hand, a random six-digit numerical PIN (search space of one million) becomes sufficient to block bad actors, and is substantially more practical to enter on some devices than a complex password.

Nevertheless, it can be hard to shake off a vague sense of uneasiness around using such a weak “password” as an authentication factor. Is this because we’re worried about remote attacks? Hopefully not. But what about local attacks? Shoulder surfing? Someone recording us unlocking our devices? Fingerprints on the glass that reveal which digits were pressed? Hollywood and its abundance of spy movies give us some great ideas for how a local PIN might be attacked. So if local attacks are part of your threat model, let’s consider biometrics.

Tall Tale #2: Passwords Are Safer Than Biometrics

Biometrics get a bad rap. They’re basically magic. And by magic, we mean difficult to reason about. There are many different kinds of biometric sensors, and even two sensors that measure the same biometric feature, such as a fingerprint, may do so in completely different ways, and be subject to completely different attacks.

At the lower end of the spectrum, biometric sensors like optical fingerprint sensors and single-lens cameras for facial recognition can be spoofed with photos printed by a $50 inkjet printer. On the higher end of the spectrum, facial recognition sensors like Apple’s Face ID and Google’s Face Unlock use multiple cameras and near-infrared dot emitters to capture a 3D facial map. Combined with 2D color imagery, and sometimes liveness detection, the bar is raised quite high. While headlines like to broadcast doom and gloom for biometrics, such as the 2019 BlackHat USA demonstration against Face ID, the truth is these biometrics are really quite secure.

"The attack comes with obvious drawbacks — the victim must be unconscious, for one, and can’t wake up when the glasses are placed on their face." —Lindsey O'Donnell, ThreatPost

In 2020, Talos did an investigation of fingerprint sensors and their practical spoofability on a reasonable budget. Despite achieving great success rates spoofing most of the devices they tested, they ultimately felt it was a difficult process.

When evaluating the security of biometrics in the context of passwordless authentication, the bar we have to beat is to be stronger than a local (often 6-digit) PIN. A biometric, measured and analyzed locally, inherits the same game-changing properties as the PIN does. It unlocks the unguessable, private credential stored on the authenticator device itself, and avoids sharing a cloneable secret with the web server — so even if it becomes compromised someday, it cannot compromise credentials used on other sites. The biometric can only be attacked locally in analog space, eliminating much of the risk of remote attacks entirely (more on the topic of remote attack mitigation in Part 3).

"We defined the threat models starting from the collection methods. The creation process is time-consuming and complex. We had to create more than 50 molds and test it manually. It took months. Once we created an accurate mold, the fake fingerprint creation was easy. Today, by using our methodology and our budget it is not possible to create a fingerprint copy on-demand and quickly." —Paul Rascagneres, Security Researcher, Talos Security and Vitor Ventura, Technical Lead/Security Researcher, Talos Security

Tall Tale #3: Biometrics Are Secrets

Another point that bears mentioning: Biometrics are also used in an entirely different context than we discuss here. That is, while biometrics can be used for authentication, they can also be used for surveillance. Luckily, there’s a fairly easy way to differentiate between these: whether your biometric information is stored in a centralized database with biometric information of many other people, or kept local to the one device that you used to generate your credential. For instance, biometrics used at border crossings, despite being used to identify users, are checked against a central database rather than a device you carry locally with you, and so fall under the surveillance category.

This distinction is significant for several reasons, both technical and non-technical. Surveillance itself is a thorny topic with both legitimate and illegitimate uses, and the ethical boundaries of surveillance and privacy are an area of significant public debate. This clouds the discussion around the use of biometrics for authentication, which is highly privacy-preserving.

Additionally, the use of central databases risks large-scale biometric leaks, as occurred in the CBP biometric leak (2019), Biostar Leak (2019), OPM Hack (2015), SenseNet (2019), and was feared during ClearView AI’s account breach (2020). Biometric data is often considered sensitive or personal information under laws and regulations such as HIPAA, CPRA, and BIPA, with harsh penalties for data leakage, creating even further risk for storing it centrally.

However, the single most significant distinction between authentication and surveillance is that surveillance relies upon a remote representation of a user’s biometric. To fool a remote biometric check, I must simply submit a digital equivalent to the remote verification engine. A digital representation of a biometric is trivial to replicate and distribute, and is therefore an incredibly weak proof of identity. The original, physical, biometric is very difficult to replicate with sufficient fidelity to pass as the original. By verifying a biometric locally, you gain a high level of assurance in the user’s identity. By verifying a biometric remotely, you verify that the user is in possession of a shared secret that is the user’s digital biometric. 

Biometrics may be sensitive and personally identifiable, but they aren’t secrets. Evaluating a biometric digitally, remotely, turns the biometric into a password that can never be changed and that you wear around on your face all day. In short, remote biometric matching should be considered distinct, separate, and vastly inferior to local biometric authentication.

Today, there are really good, easy to use, biometric-based authenticators that achieve the right security properties —  and best of all, you may already have many of these in your environment:

• Windows Hello
• Apple Face ID and Touch ID
• Google Face and Fingerprint Unlock
• Yubico Yubikey 5 Bio (coming soon)

This isn’t meant to be an all-inclusive list, or to advertise or advocate for any particular product or vendor. Instead, it’s meant to illustrate that your users probably already have a FIDO2-capable and secure authenticator in their pocket, and even if they don’t have one today, your organization’s equipment refresh cycle may supply your users with one or even multiple secure authenticators, simply as a side effect.

Duo’s Passwordless Authentication Resources

• Explore more of our Administrator's Guide to Passwordless blog series
• Learn more about our upcoming passwordless authentication solution, and sign up for updates
• Read our white paper, Passwordless: The Future of Authentication
• Watch our webinar, How Duo is Making Passwordless Progress Easier
• Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
• Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy

See the video at the blog post.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Approximately one year ago, I was hired as Duo’s first Content Designer. You might be thinking: what is Content Design at Duo? It’s designing in words, concepts, systems and terminology, voice and tone, and knowing how to apply them to make our products more usable and easier for people to adopt. Content design is about seeking harmony between images and words to tell a rich story in our products. Although it has its own capabilities and techniques, close partnerships with product strategy, product design and design research are indispensable. 

How Content Design Works with Teams

When I joined Duo, I knew my work would largely focus on writing and editing product content to make sure it’s accurate, clear and consistent. To be successful as a Content Designer, I’d need to collaborate with Product Designers and feature teams. But as a team of one, if I spread myself too thin and overcommitted, I risked sacrificing the trust of designers, PMs and engineers. That didn’t sit well with me. How could I responsibly contribute to these relationships? What activities would help me do that?

In the beginning, I had hypotheses about the dynamics of these relationships. I soon realized I had to work with teams and designers to figure out how to work with them. After a few months, I developed three models for “how I work”:

Fully Embedded

Here’s where I can bring the most value to teams. Essentially, I’m accountable and function like a Product Designer on the team. While embedded on a single sign-on (SSO) team to work on Duo Central, some activities I did included: 

• Regular working sessions with the product designer to iterate on content
• One-on-one meetings with the Product Manager and Engineering Lead to better understand the product roadmap and any dependencies or constraints
• Reviewing content-related Phab tasks before shipping

Duo Central policies banner, before working session

Duo Central policies banner, after working session

At Scale

In this mode, I’m working with a few teams simultaneously that have parallel or intersecting goals. An initiative called “Duo 4” provided the right opportunity to work at scale. I partnered with teams as they worked across common touchpoints, such as the Universal Prompt, Duo Mobile and new user enrollment.

A key activity here was to do a full audit assessing the current state of product content for all touchpoints. I reviewed early prototypes for what would become the Universal Prompt and found that we used a range of words and phrases to talk about authenticating — from two-factor authentication to login session and login request. Inconsistent language could confuse our users and slow them down as they get to their applications.

Authentication by many different names

Next, I read out those findings to the Engineering team. Because our end users — many of whom have limited knowledge of security — would use this content to make decisions, I recommended we use simpler language like log in or logging in and verify your identity. Our design research supported this recommendation, too. For example, in one study, when a system admin saw the copy, Are you logging in to Microsoft 365?, they said, “That’s exactly the phrasing I use in all of our documentation.”

“I was looking over the [mobile] enrollment flows recently. I like how [the Universal Prompt and the self-service portal] are designed with the same language. Feels like one flow (unlike in the past).... [It] starts with the prompt saying Let’s protect your identity and ends with Duo Mobile saying Your identity is now protected. LOVE IT.” —Omar Abduljaber, Engineering Manager, Endpoint Health, Duo

One-offs and Quick Help

I wanted to make sure to have an open channel for communication with designers, engineers and PMs to ask questions and get quick answers. At first I scheduled weekly office hours, but attendance was lower than I had hoped. As an alternative, I created a content-specific chat channel, which has worked better. It’s been a hub that allows for more visibility between feature teams. Folks from different teams will often chime in with feedback or more context. It’s also a space where I can drop in resources, links to current topics in content design, and book recommendations by authors from the greater UX content community. 

Content Design and Writing for Our Products

Besides writing for our products and collaborating with teams, I’m also responsible for creating and maintaining guidelines for product content. As a member of the Design Ops team that manages Tellaro, Duo’s design system, I wanted to be strategic about where to start with guidelines. I arrived at voice and tone principles. Getting those right would underpin future content guidelines. It would also ensure that content in our product sounds like what’s in Duo’s broader content ecosystem, from Duo.com to our Documentation and Knowledge Base.

To help define Duo’s product voice, I ran a series of workshops with folks from R&D, Customer Support, Global Knowledge & Communities and Product. Through exercises like “Duo is this, but not this”, these sessions generated a lot of great conversation and an avalanche of data and digital sticky notes.

From there, I asked the Design Ops team to review and help synthesize findings, then I took this condensed data to a small group of internal content experts. The result was a short but solid list of principles intended to be a “source of truth” for anyone who writes for our products. 

Duo’s product voice is informative, simple and warm

With product voice and tone guidelines in hand, I’ve since added sections to Tellaro on product writing best practices and guidance on word choice. I’m currently working on accessible and inclusive content guidelines and plan to launch them on Tellaro in the next few months.

What’s Next for Content Design at Duo

After one year spent understanding how best to collaborate with product designers and feature teams and co-creating product voice and tone guidelines, here’s what I’m planning for year two and beyond:

• Help design and run a content-first research project
• Create an in-product copy database
• Recruit new writers to the Content Design team!

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

Security controls can sometimes be double-edged swords. The obvious benefits can be slightly reversed if the control isn’t managed or practiced properly. To illustrate the point, think about placing a defensive wall around a village. In the early days after the wall is constructed, there is probably a night watchman set to walk the perimeter in case of attack. 

Perhaps the villagers are even trained to understand that one horn blast means attackers are approaching and two horn blasts means that invaders are at the wall. However, over time, if attacks become rare and the village goes through a few years of peace, it can be easy to discontinue the night watch and the villagers may go on to forget the horn threat signals. When this happens, the once strong wall protection, though still better than no wall, becomes less effective.

We can map this exact example onto modern multi-factor authentication. There is no question that MFA is a core security control, it plays a key role in stopping credential-based attacks which are still a primary cause of breach. MFA was also required specifically in the most recent Cybersecurity Executive Order. However, MFA is now commonplace enough that folks are beginning to treat it as the wall that’s been around the city for years - some have gotten too used to its protection.

What is Second Factor Phishing?

What does it mean when users get “too used to” MFA protection? At Duo, some of our customers are worried about second factor phishing or push phishing. Second factor phishing can occur when a bad actor has stolen a user's primary credentials (usually a username and password) and then attempts to gain access to that user’s environment. 

The bad actor is hoping that, even if there is MFA in place, end users will be overly conditioned to accept the second factor. In other words, the end user is acclimated to “the wall” and may have forgotten to assess the threat signals. In these cases, the end user just hits accept and the attacker is through - effectively bypassing MFA. 

To be clear, in the case above, it is still much better to have MFA in place than not. The overwhelming majority of end users assess each push accordingly and don’t grant fraudulent attempts access. However, companies shouldn’t let their guard down when it comes to end user education. Workforces should be reminded to evaluate the second factor when it comes in. 

Whenever accepting a second factor, there are simple questions an end user should ask themselves:

• Did I just attempt access to an application? 
• Where is the second factor coming from? (ex. Duo’s push factor shows device and IP address as a part of the second factor).
• Did a session of mine just end? Or, am I being prompted to re-login to an account?

Even with the MFA in place and consistent worker training, there are still cases to worry about. Some users may accept a fraudulent second factor absentmindedly, or even by mistake, letting a bad actor into the corporate environment. 

Duo Trust Monitor Enhances The Security of MFA

Never fear, Duo has a feature for that: Duo Trust Monitor. Duo Trust Monitor is Duo’s machine-learning enabled risk detection tool. It works by ingesting Duo authentication information and using it to develop baselines of workforce activity. Basically, who typically accesses what from where. After setting up these baselines, Duo Trust Monitor highlights anomalous access attempts. 

For example, Duo Trust Monitor can understand that John Doe typically accesses his CRM application at 9 am EST from Virginia on a MacBook. This is helpful because if John Doe’s credentials attempt access that is highly anomalous (say they try to gain access from the Ukraine on a Windows device) then Duo will highlight this information.

Duo Trust Monitor is especially effective at combating second factor fraud. This is because bad actors almost never exhibit all the same behavioral variables as their targets. Yes, they may have the primary credentials in hand — but it would be exceedingly difficult for them to replicate the daily pattern of access behavior of that user. 

If an attacker buys a set of usernames and passwords, how are they supposed to know what type of device the users typically access from? Or, which IP addresses? Or, which times users typically login? The answer is that it’s incredibly challenging, if not impossible, to do.

In this way, Duo Trust Monitor can alert customers to potential cases of second factor fraud or push phishing. Even if John Doe were to accept a push notification sent by a bad actor — Duo Trust Monitor should catch it. The feature would highlight that, even though the second factor was accepted, the variables associated with the authentication are anomalous. 

In other words, Duo doesn’t expect John Doe to attempt a login from outside of the US, from a new device, at a strange time — therefore, we’ll flag this authentication and sound the alarm.

In conclusion, though it’s obviously important to put core security controls in place, it’s also important to maintain them. In the case of a city wall, maintaining proper watch protocols and keeping an informed citizenry are key. In the case of MFA, maintaining risk detection features like Duo Trust Monitor and keeping an educated workforce are critical. 

If you’d like to find out more about how Duo Trust Monitor can help enhance your MFA experience - you can set up a trial or reach out to sales.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

In early 2019, we embarked on a project to improve the Duo Mobile user authentication experience. It was a daunting task, considering we haven’t changed the Duo Mobile application in over seven years.

We had a few simple principles:

• Make it easier for users to enroll and authenticate
• Help users self-remediate, rather than call the help desk
• Make Duo Mobile accessible for all users

I’m excited to announce we’re ready to allow all users to start testing the redesigned application with us in a public preview. Before we do that, I wanted to take some time to share with you exactly how we’re making it easier for users to authenticate using Duo Mobile. As part of the redesign we are:

Educating First-Time Users

For users new to Duo or the idea of 2FA in general, understanding exactly why your employer is asking you to put Duo on your phone is often a burden. Users are concerned about an invasion of their personal space and what a corporate app might do to impact performance on their device.

In order to help users better understand what Duo is really doing, we’ve introduced the concept of inline education in our enrollment flow. We’ve made it simpler to understand how Duo works, what purpose Duo serves and a variety of changes that help ensure end users successfully complete enrollment.

We found this to be incredibly successful in testing these flows with real users. One existing Duo user went as far as to tell us:

“Prior to seeing this, I thought Duo was just an app my employer put on my phone to spy on me. Now I understand it’s actually there to protect my identity.”

Fighting Fraud by Humanizing the Push Screen

Authentication is hard! Users are asked to constantly be on the alert — scrutinizing URLs and email attachments, ensuring they don’t do the wrong thing.

During our research, we found that we can improve the readability of contextual information that was displayed at the time of authentication, and help end users make the right decision.

These findings have been incorporated into the new Duo Push screen. We are shifting to human-readable language, reminding users to verify that they are actually logging in as they receive the notification. Simple iconography and removal of technical information (eg: ip addresses) helps users understand at a glance whether or not they are receiving a legitimate request.

Finally, you’ll notice we’re repositioning the Approve and Deny buttons. We’re doing this in order to align with best-practices in UI design when it comes to placement of approval buttons. Every other app end users have to interact with uses a pattern of having the approve button on the right, and we can make it easier by aligning with this common practice.

(For administrators who are worried about this generating a lot of tickets or denied Pushes, we’ve done extensive testing on this internally at Duo and with real end users and have found users adjust very quickly, with no significant increase in denied pushes).

Reducing Help Desk Tickets by Enabling Self-Remediation

Any customer that has had to roll out quickly has dealt with the challenge of end user education. Mobile apps can be invasive and users are rightfully wary of granting new apps permissions on their phone. Help desks commonly had to help users remediate when they accidentally denied notification or camera permission for the mobile application.

Our new Call-to-Action area will guide users to self-remediate when they are in a known error state. For example, if we detect a user has notifications disabled, Duo Mobile will alert them at the top of the app, and guide them to enable notifications so they can successfully authenticate.

To start with, the Duo Mobile app will alert a user if they have notifications disabled or have no cellular or wifi connection. We plan to continue adding use cases over the coming months.

Simplifying Account Management

In our user research, we found that many users had trouble performing simple tasks without education. This makes sense! Users just want to ‘do Duo’ and get on with the work, not stop to learn about how to do things in an application.

We realized we need to make it as easy as possible for users to perform day-to-day activities they might want to do. Moving to a new card-based UI allowed us the freedom to expose functionality many users didn’t even know existed, such as the ability to add/edit and remove accounts.

The card-based UI also made it easier to show first-time users how to use passcodes, without relying on documentation or training from the help desk.

There are a host of other changes we added as well, all aimed at simplifying the end user experience.

• Made it easier for end users to add a new account
• Improved navigation by adding an easier-to-access slide-out menu
• Decluttered the settings menu so it’s easier for end user to find help information and discover new features

Empowering Advanced Duo Users

Research showed that the majority of our users only ever use Duo for work. They have one account (their employers) and they use the Duo Mobile app to simply authenticate once or twice a day.

However, a significant portion of our users are advanced. They are protecting work and personal accounts, with some users protecting upwards of 40 accounts! Duo Mobile is an important part of their own personal security and we needed to make sure the app works equally as well for them.

In order to do this, we introduced a new view — if a user has more than two accounts, they will switch from the card-based layout to a stacked view, allowing you to quickly scroll and find the account you are looking for. We made this even easier by aligning the color bar for the account with the color of the logo, so you can visually differentiate and find accounts.

We also are doing a better job exposing the ability to reorder accounts — something we know many advanced users rely on to build muscle memory to quickly locate the right account.

This was a really important change! Now that we’ve stopped treating all users equally in our UI, we can continue to think about adding additional features aimed at supporting power users in the future, like the ability to search within your accounts or to add custom account icons.

Speeding Up the New Phone Migration Process

Finally, we know one of the biggest points of friction can come when a user gets that new phone over the holidays. In all of their excitement, they forget about Duo right up until they need to access their work email after vacation ends.

We introduced Instant Restore in order to make it easier than ever for users to seamlessly restore their Duo Accounts over to a new phone. With the new UI, we’re introducing a few improvements to make it easier for users to successfully complete the restore flow, such as more explicitly guiding users to use their old phone on Android.

We also are making it easier for users to back up and restore their personal accounts. While we enable users to restore their personal accounts, we found that a significant portion of users were not taking advantage of this feature, causing them to be locked out when they got a new phone.

In the new UI, we highlight this feature to users, right when they add a personal account and have seen a significant uptick in the number of users enabling restore.

Making Duo Mobile Accessible for Everyone

Last, the new design considers everyone. We've made it so Duo Mobile will be easier to use for people with disabilities, going beyond AA compliant with the Web Content Accessibility Guidelines.

Updates include:

• Support for dynamic text, so users can change the text size to be whatever size is most readable, and the app will adapt its layout accordingly.
• Adding landscape views across the app, so it can be used regardless of orientation. This is excellent for users with phones hard mounted to wheelchairs or anyone who finds landscape orientation more convenient.
• Revamping how our screen readers follow content and actions to be as efficient as possible.

We're just getting started, and updates will continue to come as we go to improve accessibility for all users.

This Looks Awesome!!! How Do I Test This?

We’re going into public preview with the new UI starting at the end of June. Anyone (administrator or end user) is welcome to test the new UI.

Simply sign up here and we’ll automatically sign you up to participate in the preview program going forward.

We’re looking forward to testing this with you and are really excited to make these changes a reality for all Duo customers come this fall. This newly redesigned application will continue to make Duo the easiest authentication product on the market for your users.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

While the risk of an employee clicking on a foreign prince’s secret gold offer may be past us, modern-day technologies have evolved and expanded in today’s remote work and IoT-connected settings. It’s hard to wrap our heads around every new risk out there; nowadays a single well-intended click of a GoFraudMe link can download malware that locks and holds your data for ransom. Unless every employee is on-boarded with good back-up practices, the fee to get a decryption key is high (and probably in Bitcoin). The advancing ransomware business is a threat not just for the big guys, but for organizations of every size.

According to Verizon’s most recent Data Breach Incident Report, instances of advanced ransomware have doubled in the past year, alongside major upticks in phishing attacks and social engineering. A new landscape of data and cloud-enabled business has forced us to think differently about what to protect — namely the key personally identifiable information (PII) and personal health information (PHI) that can be accessed through corporate and remote networks.

This era of unpredictability has increasingly resulted in companies looking for ways to protect themselves and their employees in the event of a breach. Don’t worry though, there's already an insurance policy for that.

What is Cyber Liability Insurance?

Cyber liability insurance, sometimes known as cyber insurance, is distinct from traditional commercial general liability and property insurance policies. In short, cyber liability insurance acts as a general line of coverage designed to mitigate losses and costs from a variety of cyber incidents, including data breaches, network damage, and the resulting business interruption.

While each provider’s policy may differ slightly, cyber liability insurance generally deals with:

• Loss or destruction of data
• Damages to software/hardware
• Extortion demands to appease bad actors
• Breach incident response and crisis management
• Legal claims for defamation, fraud, and privacy violations (third-party coverage)

Many variables go into pricing, which ranges from $500 to over $50,000 per year. To determine what coverage is necessary, cyber liability insurers calculate cost and risk based on industry, width and depth of data coverage, and, most importantly, what security measures are already in place. Kind of like how your car insurance needs to know your location, make and model, and how many teenagers will be behind the wheel.

Any insurance policy wants to make sure that you’re taking the necessary foundational safety measures. Home insurance recommends anti-theft measures and outdoor cameras. Auto insurance expects you to use a seatbelt and have a valid driver’s license. Likewise, cyber liability insurers often look to MFA (multi-factor authentication) as an indicator of security safeguarding and may expect your company to have it set up.

How MFA Protects Your Company

MFA serves to protect against account compromise in the first place by requiring an additional step of verification beyond a username and password. A second factor is used to confirm identity, ranging from smartphone push notifications to hardware keys and biometrics. Considering 61% of breaches involve credential data, it’s a no-brainer for insurance companies to require something as easy and effective as MFA.

Enterprises and large businesses may seem like the obvious candidate for MFA and cyber liability insurance. However, equally, if not more, at risk are small and medium businesses that may not have the advanced IT infrastructure and teams to deal with potential liabilities. Municipalities and healthcare organizations that need immediate access to critical information are also frequent targets.

Converging Trends

The simple act of rolling out MFA also has the additional benefit of setting up a foundation for good security hygiene and a zero trust architecture. Zero trust (ZT) brings in elements of device trust and least-privileged access. We want to make sure that users are who they say they are, their device is trusted, healthy, and up-to-date, and that they are given access to only what they need. Even if a bad actor gains credential access, the nature of zero trust is to check identification frequently and continuously with abnormal and irregular activity prompting higher security measures. With least privileged access, the user might not have had access to PII and critical data in the first place if their role didn’t need it. This not only protects breach of key information and networks, but it also helps prevent lateral movement if one account is compromised.

Google searches of the recent Executive Order, GDPR compliances, and “what is cyber liability insurance” are on the rise, and it’s clear that today’s digital landscape trends towards one direction: dealing with the when rather than the if of attacks and breaches. While cyber threats continue to innovate and promises of free gold are replaced with compelling links to “the next cryptocoin for cat-lovers,” perhaps the smarter move is to begin thinking about deploying MFA and a preventative zero trust model of security. It’s just a good idea.

Read the Duo for Cyber Liability Insurance solution brief to learn how Duo can complement cyber liability insurance.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Part of our Administrator's Guide to Passwordless blog series

See the video at the blog post.

If you go by just the name, “Passwordless” could refer to any login experience that doesn’t require a password. An absurd example would be one that simply logs you in using a username, and nothing else. In considering a passwordless solution, we want to raise the security bar, not lower it. Part of ensuring that passwordless is just as secure as multi-factor is ensuring that it is multi-factor.

In the WebAuthn protocol, there are three primary actors:

1. The website, also known as the Relying Party or RP
2. The browser, also known as the Client
3. The Authenticator, of which some popular varieties include Windows Hello, Touch ID, and security keys like the Yubikey.

See the video at the blog post.

An authenticator is a device that can generate and securely hold a cryptographic key that serves to identify an end-user. During account registration, the authenticator generates a credential and passes the corresponding public key to the website for association with the user account. Later, during login, the authenticator uses the private key associated with that credential to sign a message known as an assertion, and passes it to the website. The website uses the credential public key, from the registration step, to verify the signature on the assertion. This verification proves control over the credential, which, if properly protected, strongly identifies the authenticator device (and, by extension, the user).

But how do we know that it’s really our user that holds the credential and not an imposter? For instance, someone who stole the authenticator device. For that, WebAuthn and CTAP2 support a User Verification (UV) flag, wherein the authenticator device must first locally verify the identity of the user before it can unlock the credential to sign messages. This often takes the form of a biometric check, such as a fingerprint or face scan. Alternatively, users can unlock the credential using a local PIN. Notably, the biometric or PIN never gets sent to a server or otherwise leaves the device.

Since User Verification generally can only be performed locally, attacks against this user verification process become very labor-intensive and must be targeted at specific users, greatly increasing the difficulty of attacks.

In the WebAuthn protocol, the two factors are:

1. Possession of a private key, ideally stored on a piece of secure hardware
2. A biometric or PIN the authenticator uses to locally verify the user’s identity

The specific bits of the messages that state that the authenticator performed User Verification aren’t important for this conversation. What is important is that the website can trust that the user was locally verified before authenticating them. Due to the UV flag being signed over in the message, it is straightforward for the website to trust that the authenticator says that user verification was performed. What’s harder is to ensure that the authenticator isn’t capable of lying about having performed user authentication.

The WebAuthn protocol is community-developed and publicly shared, which means that anyone can implement a CTAP2-compliant authenticator in software at any time, with relatively little effort. There is no inherent requirement in the WebAuthn protocol that authenticators must identify themselves.

In fact the WebAuthn protocol goes to great lengths to ensure that websites cannot use authenticators to de-anonymize users on the Internet, unless they are specifically attempting to identify themselves by logging in. However, what the WebAuthn protocol does provide is a mechanism by which websites can refuse to allow an authenticator to be used unless it strongly identifies itself. Note that we’re not talking about the user’s identity, but the authenticator device’s identity.

The process of determining the provenance of the authenticator is called attestation and it occurs at the same time as user registration. The same way that modern websites may need a certificate issued by a certificate authority in order for browsers to trust them, so too does the authenticator need a certificate issued by a certificate authority for the website to trust it. The certificate authority for authenticators is often simply the manufacturer or vendor that produces the authenticator.

The attestation process works as follows:

1. When the authenticator is manufactured or produced, the manufacturer issues it a certificate signed by the manufacturer’s certificate authority. The manufacturer’s certificate authority public key is published so it can be used by the website later to verify the legitimacy of the authenticator’s certificate.
2. When the authenticator generates a new credential for the user during registration, it signs the registration message it sends to the website using its certificate. The registration message is called an attestation object and the signature and public part of the certificate is known as the attestation statement.
3. During registration, the website receives the attestation object and examines the attestation statement in it. It verifies that the registration message is signed using the private key associated with the certificate the authenticator presented. It then also verifies that the certificate the authenticator presented is properly signed by the manufacturer’s certificate authority.
4. If the certificates are all signed properly and the verification procedure succeeds, then the website can be assured that the authenticator must have been issued by the manufacturer that published the certificate authority in Step 1. If the website trusts that manufacturer, then it can trust the authenticator to behave according to its manufactured specifications, which may include only setting the UV flag to true if a particular user verification procedure is performed. The details of which manufacturers or even which device models a given website trusts are left up to that website to determine for itself.

This attestation process gives websites a powerful tool to ensure only approved authenticator devices can be used to identify users, but is attestation necessary to realize the security benefits of passwordless? 

The answer is mixed. In high-consequence environments, requiring attestation may be prudent. Ensuring that only authenticators with hardware-backed secure storage or a specific local user verification method can be used could be a necessary precaution to address known threats or conform to regulations. But in many cases, the website operator may not need to have such stringent oversight.

Each user gets to decide which authenticator(s) they use to register a credential to their user account. And with strong authenticators like Touch ID and Windows Hello now regularly present on the same device from which users are accessing their accounts, it may be entirely acceptable not to require attestation and simply trust users to safely store their own credentials. That’s what we do, for the most part, with passwords today. But with WebAuthn credentials, even the most simplistic authenticator, without any secure key storage properties, still needs to be attacked on a local, per-user basis.

Duo’s Passwordless Authentication Resources

• Explore more of our Administrator's Guide to Passwordless blog series
• Learn more about our upcoming passwordless authentication solution, and sign up for updates
• Read our white paper, Passwordless: The Future of Authentication
• Watch our webinar, How Duo is Making Passwordless Progress Easier
• Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
• Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy

See the video at the blog post.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

No one could have foreseen the changes to the workplace that occured over the past year. The need to rapidly switch to remote work environments created pressure for IT teams worldwide, but doing this while keeping their organizations safe and adequately protected was one that many unfortunately overlooked. Seventy percent of Canadian organizations found themselves vulnerable with the exposure of their Windows Remote Desktop Protocol (RDP). It is important for companies to ensure their information is secure regardless of where their employees are working. Doing so will help avoid breaches and exposures, allowing companies to do their work safely. 

As IT Stands Now

You can expect to see major changes this year. Prisma Clouds’ 2021 Cloud Threat Report and Verizon’s 2021 DBIR Report show how companies have needed to adapt and expand cloud workloads and how this has affected their cybersecurity.  

Moving to remote work forced the perimeter of the workplace to expand swiftly and substantially. Companies worked to adapt quickly to ensure their work could be done effectively while their employees’ environments changed. This led to the cloud workloads of organizations growing by 20% from December 2019 to June 2020. With this change many made the mistake of expanding their cloud network without also growing their security, leaving their information vulnerable. Phishing, ransomware, credential theft and web app attacks increased, catching organizations in their vulnerable states. Automated controls can help successfully expand cloud workloads while also preventing breach scenarios.

Security needs to be intentional, not left as an afterthought. 

In April to June of 2020 alone, security incidents increased by 188%. External cloud assets were being attacked more than on-premise assets as companies expanded their cloud services — often without security in their plan. Not surprisingly, increasing a cloud network also significantly increases security risks. In their oversight, 35% of businesses made their cloud storage publicly accessible, meaning anyone could access it from the internet. Without having automated security controls in place, companies’ critical information exposure can go undetected. Focusing solely on cloud growth without giving security the proper attention it requires can lead to breaches and leaked critical information. 

It Is Time to Expand the Perimeter?

Per the statistics above, it’s obvious that the old perimeter-based security approach is insufficient for today’s security needs. Organizations must now secure a mobile workforce that uses a mix of corporate-owned and personal devices (BYOD bring your own device) to access cloud-based applications and services and expand the security perimeter.

There are several resources available that can guide organizations move toward a secure framework. The Canadian Center for Cybersecurity provides a list of baseline security controls, so you can choose the right moves and develop a foundation for implementing a zero-trust approach to security. 

Duo Can Help

Organizations can start the zero-trust implementation by introducing MFA (multi-factor authentication) to protect all users, establish trust in devices, protect applications with access controls, and secure remote access from any location.

Duo’s multi-factor authentication secures access to all applications from any device, whether it’s corporate-owned or BYOD. Duo’s Device Trust enables organizations to gain visibility into devices connecting to their network. Additionally, Duo’s granular policy controls look at details such as the health of the device or its geolocation, and then make compliance easy to enforce.  And with Duo’s machine-learning Trust Monitor feature, you can detect whether a login is normal or deviates from established patterns and therefore find and remediate access threats early.

We recently announced our upcoming passwordless authentication solution which will take authentication to a new level. Passwords are prone to human error and hard to remember, while passwordless authentication can help increase user productivity and reduce the administrative burden of password-related help desk tickets and password resets. And of course, getting rid of passwords will increase security by eliminating threats and vulnerabilities related to them (including phishing, stolen or weak passwords, password reuse, brute-force attacks, etc.).

With Duo, it is easy to avoid becoming a part of the 70% of Canadian organizations with exposed RDP. Duo helps protect your Microsoft workforce applications, including O365 and Remote Desktop.

In Conclusion

Securing your organization’s information and cloud network does not have to be a stressful, unattainable task. By implementing a framework that will continuously work to protect your organization, you will alleviate the burden of password-driven breaches. Duo helps secure your organization and protect your workloads while you focus on your tasks at hand. 

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Follow the lives of three Duo designers as they work together to turn a user insight into a product update by sharing discoveries, embracing creativity, and making connections.

Part 1: Andrea makes a discovery

Andrea turns a corner onto Ashley Street and bounds up the stairs to the building. She takes out her badge and opens the door. Were it not for the green circle with “Duo” emblazoned on the front, you would have no idea it housed one of the nation’s top cybersecurity companies.

Duo’s headquarters in Ann Arbor, MI

Inside the Duo headquarters, the office is quietly coming to life. Walking through glass doors on the second floor, Andrea reaches the main gathering area: a wide open space with a brick fireplace and velvet couches. Smiles and murmurs of “morning” and “hey you” float by as she walks through. It feels safe, warm, and light. A large sticker of a daisy catches her eye. Be kinder than necessary. A Duo core value. It sets the tone of every space and every meeting, building trust between coworkers, and even people that haven’t yet met.

Inside the Duo office

Andrea gathers her laptop and slides into a nearby table, finding a spot in the sun and preparing for the morning’s work. She had spent the past six months designing a new Duo product—a portal called Duo Central where you can access all your work organization’s applications. It’s part of Duo’s evergrowing mission to make security easy and simple in the workplace. Now that the product had launched, she was busy collecting and analyzing feedback from users.

“Hey Andrea! How’s it going?” says a friendly voice.

Andrea looks up and grins. It’s Ivo, one of the design managers on the team and one of her closest work partners. She waves him over and he sits down, setting his morning coffee on the table.

“It’s going well, thanks!” says Andrea, “I was actually just looking at our latest user interviews. You know what’s interesting? Users are satisfied with the portal—but they shared lots of ideas for other things they could do there, too.”

“Oh, really? Like what?”

“I got a few examples from the sessions….they see it as a place for anything Duo, really!”

“Hmm that’s interesting....what else might add value here?”

As they brainstorm ideas over the table, Andrea starts to see a growing opportunity to add more value to the portal. She opens up a virtual whiteboard. Creates a few sticky notes. Then — with the help of Ivo and Duo’s Wiki — she starts sifting through past research studies, slowly weaving together a colorful web of data, insights, and statistics from different sources. As the minutes go by, this web of information grows and the full extent of the design opportunity comes into focus.

Andrea’s research synthesis

After a few hours, Andrea sits back and surveys her handiwork. With the initial research complete, now it was time to share the discovery with others.

Part 2: Trevor explores design concepts

Shrugging off his jacket, Trevor walks through the Duo office on the way to his desk. A slim figure with calm eyes and a mop of hair over his glasses, he’s a visual designer at the company. Sometimes he works outdoors or from a neighboring building, but today he prefers the design nook.

The Duo design nook is a naturally creative place. The room has a wide and open feel, with light pouring in from the windows across its walls, plants, and bookshelves. One side is lined by glass conference rooms. The other side has bookshelves brimming with design classics like Design of Everyday Things by Don Norman and Thinking Fast and Slow by Daniel Kahneman. A group of standing desks nestle at the center, becoming a hub of energy during peak hours of the day as designers swing by to share work and bounce around ideas.

A gathering space next to the design nook

Trevor walks by the nook and settles into his desk. He opens up his MacBook, setting it next to his pencils and a collection of bespoke illustrations. As one of Duo’s strongest visual designers, Trevor works across several engineering teams, helping them to create a cohesive visual style.

A friendly voice greets him, “Hey Trevor!”

He looks up, and sees Andrea smiling from her desk across from him.

“Hey there! Good timing too, want to see some concepts?”

“Sure!”

“Cool, let me open up the file”

After learning of Andrea’s user insights and discovered opportunity, Trevor had taken interest. Exploring additions to the portal could be useful, especially if users found them valuable. Besides, he has some time in between projects. Why not try it out?

Now gesturing for Andrea to take a look, Trevor leans back and opens a file on his computer. Rows and rows of design concepts fill the screen. Everything is selected on purpose—the clean grids, geometric icons, and pillowy shadows all help to frame potential additions to the portal and bring them into focus. \

Trevor’s early design explorations

Trevor slowly glides over the boards, using his mouse to point out highlights in each design. What if the portal served as a bridge between products? What if users could access their general settings or devices? How might Duo become more of a connected ecosystem?

Andrea and Trevor make notes as they go, jotting down questions and potential next steps. With the design concepts and discovery research complete, it was time to loop in additional people and teams to take it further. To make these connections, one person in particular comes to their minds.

Part 3: Ryan connects the dots

Ryan swings around a corner and instantly runs into someone he knows (“Hey, cool vintage wine holder, thanks for the present!”) and then another (“How’s your kiddo Oliver today?”). Smiling and slowly sipping his tea, he continues on. He walks into a space filled with velvet green couches and tall wiry lights. The nook is filled with light chatter and laughter as engineers, designers, and product managers catch up in between meetings. Like most of Duo’s spaces, it brings people together.

Ryan walks over to the Design Lab, a large room sporting whiteboards and more UX classics like Hooked and Don’t Make Me Think. After hearing about Andrea and Trevor’s work, he’d been inspired and immediately looped in some partners across product and engineering to help them take it further. Now they’d all be meeting for the first time.

A meeting room at Duo

Ryan opens the door and walks in, setting down his notebook and pencil, and sees Andrea and Trevor looking up from their seats at the wooden table.

“Hey Ryan! Excited for today?” said Andrea.

“Sure am. I think Marina and Scott are going to love this.”

“Cool, they’ll be here soon.”

Andrea opens up her laptop, pulling out her insight web of data, statistics, and research behind her case for an expanded version of the portal. Beside her, Trevor opens up his design concepts.

This will be the first step in a much longer journey, of course — there is still the matter of testing their design concepts, gathering feedback from users, getting buy-in from product managers, and coordinating efforts across engineering teams to make the update. But every big change begins with a small action, a tiny seed planted early on at the beginning. The seed only grows over time.

The door opens and Marina and Scott wave hello. They’re happy to be here and super curious to learn more about this new idea. What problem does it solve, and how exactly would it work? Maybe some of the engineers—like Ron, Tyler, Milly—could help vet the concept and see if it’s feasible?

The trio of designers smile and pull up their notes.

“Alright, let’s dive in”

We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!