The holiday season is in full swing, and that means cybercriminals are busy building and launching attacks to steal user credentials. Their ultimate goal? To use those valid credentials to gain network access and steal data, employee and customer information, and other valuable resources. They may even use compromised privileged credentials to launch a ransomware attack and hold your organization hostage for a hefty ransom.

Phishing is still one of the most common attack vectors, and the holidays provide an especially appealing time to launch an attack that’s been supercharged by modern natural language processing models and novel QR codes. While we tend to associate phishing emails more with our personal accounts, attacks targeting our work identities whether through socially engineered phishing, brute force, or another form, are very common.

An email containing a QR code constructed from Unicode characters (defanged) identified by Cisco Talos.

For example, this looks legitimate. What if it’s that nice swag box everyone on the team has been getting for the holidays? According to research by Cisco Talos, malicious QR codes are bypassing spam filters in increasingly clever ways. Scanning an unknown QR code is the modern equivalent of clicking on a suspicious link.

No industry is spared this phishing season, though some are targeted more often than others. According to the Cisco Talos Incident Response Team, organizations in the education, manufacturing and financial services verticals were the most affected by identity-based attacks during the third quarter of 2024. Combined, these sectors accounted for more than 30 percent of account compromises. 

What you may not know is that once a user’s identity is stolen, bad actors don’t always use the credentials straight away. They’ll wait until a time when your IT and SOC (security operations center) teams are reduced such as over a holiday break or weekend.

In its 2024 Ransomware Holiday Risk Report, Semperis found that 86% of study participants who experienced a ransomware attack were targeted on a weekend or holiday. Why? Staffing during those times is lighter which means identifying and responding to threats will be slower.

In that same report, 85% of respondents stated they reduce their SOC staffing by as much as 50% on holidays and weekends. It’s easy to see why cybercriminals view this as a good time to strike. After all, why attack when it’s convenient for your victim?

Beyond staying extra vigilant over the holiday season and weekends, how else can you protect against attacks targeting your users’ identities? Here are five actions you can take with Duo to stop threats, with direct links to documentation to get started:

• Deploy Phishing-resistant MFA — According to the CISA advisory on implementing phishing-resistant MFA capabilities, SMS and voice-based MFA are vulnerable to phishing, SS7 and SIM swap attacks.

Duo supports the only widely available phishing-resistant FIDO/WebAuthn authentication through Duo Passwordless, encompassing “roaming” physical token authenticators and “platform” authenticators embedded into laptops and smartphones. But we know that going completely passwordless is a journey. To level up mobile app MFA, turning on Verified Duo Push number matching is an excellent way to protect against MFA fatigue and push bombing attacks.

Bonus Tip! Since MFA/Push notifications are prompted after users enter their credentials, system administrators are advised to investigate fraudulent pushes as well as issue new user credentials. In Duo, see how to easily generate a Denied Authentications report through the Duo Admin Panel.

• Reduce Your Reliance on Passwords — Fewer, stronger passwords can reduce the likelihood of re-used credentials or your users adding an exclamation point to the end of their password leaked one month ago.

Duo’s single sign-on solution (SSO), available in every edition, secures all your organization’s applications and offers inline user enrollment, self-service device management, and support for a variety of authentication methods. Combining passwordless and SSO decreases end-user login fatigue while still maintaining powerful security and incorporating frequent device health checks. With the newly announced Duo Passport, experience just one login and MFA prompt from the beginning of your day to the end.

• Adapt and Respond — With Risk-Based Authentication, you can dynamically respond to changes in risk level by requiring a more secure authentication factor such as a Verified Duo Push or biometrics before granting access.

• Verify Device Trust — Control access to resources on your network by allowing only devices that are part of your inventory of trusted devices — whether managed or unmanaged and company-issued or personal— and that are up to date and have a healthy security posture.

• Gain Deeper Visibility — A key component of Duo’s Continuous Identity Security solution, Cisco Identity Intelligence provides deep visibility into identity-based attacks while also helping reduce gaps in your security coverage before, during, and after login.

This holiday season, spend less time on phishing training and more time perfecting your secret eggnog recipe. Try Duo at no cost with our free trial, or learn more about how to turn on Duo’s advanced identity security features with our on-demand value-maximizing webinar More Bang for Your Buck: Duo Advanced.

“The best way to break in is through the front door.”

We’ve heard some version of this phrase many times over, whether it pertains to a bad actor physically breaking into a secured building or socially engineering an unsuspecting victim to provide access to protected information. The cybersecurity landscape is littered with front doors, while modern society’s reliance on digital technologies is only increasing. Inevitably, several times during the workday, employees need to enter their credentials to when they turn on or unlock their device with Windows Logon — the front door. The ability to safely access our computer plays a key role in developing trust in adopting these technologies which do more good than harm.

In the world of access management, we have seen wide deployment of multi-factor authentication (MFA) at the point of the Operating System (OS) to invoke the layer of something you know (i.e., a password) and something you have (i.e., a registered device). This move made it harder for bad actors to gain unauthorized access to the endpoint device and the data on it. Consequently, these adversaries have since adapted and continue to find creative ways to pass through the metaphorical front door of our machines. The latest trends notoriously involve a cocktail of push phishing, password spraying, stolen credentials and many other nasty ingredients.

To address the burden that these attacks place on ‘all those who want to protect their local logins’, Cisco Duo is thrilled to announce that Passwordless Authentication for Windows Logon (PWL OS Logon) is now in Public Preview (aka 'Public Beta')!

Passwordless for Windows Logon is compatible with Duo Passport, a new capability that we announced at RSAC 2024. Together, the two capabilities deliver a true and secure single sign-on experience for the workforce right when they start their day by logging into a Windows device.

See the video at the blog post.

How does this improve the proverbial front door?

Cisco Duo’s approach to a passwordless experience at the OS enables a stronger, usable defense in variety of ways (in addition to not having to enter your password):

Stronger

Useable

Where won’t Passwordless for Windows logon work yet?

This version of Passwordless for Windows logon will not work in RDP (remote desktop) sessions. Given the crossing of the trust boundary, our research shows that a different approach will be needed in the future to assert the trust of the same user on the same device.

Passwordless Offline Mode is coming soon — it is in our roadmap, but not here yet! The current experience will default to the existing Windows Logon Offline mode.

How can I try Duo Passwordless for Windows logon?

If you're interested in trying out the Public Preview, you can find the instructions and installation files on our Duo Authentication for Windows Logon docs page. For installation specifically, look for the Public Preview build on the checksums page. All are welcome!

The dissolution of the traditional security perimeter and the increase in identity-based attacks has come with its fair share of new risks for security practitioners to consider. From MFA bombing to adversary-in-the-middle (AITM) tactics, there are a variety of ways attackers are targeting weak spots in identity and access management (IAM) infrastructure and processes.

One that has been highlighted by CISA in many of its recent briefs is the Help Desk Attack. This technique involves an attacker contacting the help desk, often with relevant context regarding a high-profile employee, and then demanding a password and MFA factor reset. Typically, the attackers will use urgency and feigned authority to put fictional pressure on the help desk worker (ex: “I am boarding a flight with the CEO, and I need this now”). However, in some cases, attackers will pretend to be a naive worker who does not know how to use technology (ex: “I never understand this MFA stuff”).

The fundamental problem the attacker is exploiting in either case is identity verification. It is difficult to virtually verify a caller is who they say they are in a timely manner.

If the help desk worker complies, the attacker will have gained initial access and will typically reset the account credentials, both password and MFA devices, to be under their control. This first foothold is a dangerous step towards attackers gaining more malignant access and control of internal systems.

So, how should we think about preventing, detecting, and responding to help desk attacks?

Preventing Help Desk Attacks

There are two key components to prevention:

1. Reduce the number of tickets associated with authentication and MFA addressed by the help desk.

2. Equip help desk workers with the proper training and tools to identify and prevent active attacks.

Reducing help desk tickets

Let’s begin with the first component: reducing the number of help desk tickets associated with authentication. This may seem like a round-about way to solve the problem of help desk attacks, but if there are fewer overall tickets associated with the authentication and MFA then help desk professionals have more time to consider each request. There is less urgency for any given ticket, and if an MFA-related request is rare then it will fall under something that should be given more scrutiny. In the end, we’re hoping for this type of reaction from the help desk: “Hey, this type of request isn’t common — perhaps I should double-check it.”

So, how do we reduce help desk tickets associated with MFA? At Duo, we have been working on this problem from three angles.

1. Invest in simple, intuitive design

2. Securely reduce the number of times users are asked to authenticate

3. Empower users to remediate security and IT issues themselves

There are many ways that Duo emphasizes these three pillars in our product, but there are a few examples that should be highlighted. Duo’s Universal Prompt provides a sleek UI that makes it easy for a user to understand their options and how to engage. The Universal Prompt also has customization functionality so organizations can implement their own branding and coloring to make it even easier for users to understand that they’re in the right place.

To securely reduce the number of times users are asked to authenticate, we introduced Duo Passport. Duo Passport securely passes trust between authentication scenarios so that if a user remains in a trusted state, they will not have to authenticate repeatedly.

Finally, to empower users, Duo has features like self-service password reset — instant restore — to get Duo running on new devices, and the device management portal so that users can attempt to solve problems on their own first before reaching out to the help desk.

Equipping the help desk with training & tools

To start, help desk workers should be trained on this type of attack. They should understand that even though asking for a password reset or MFA reset might be a common ask — it is always a big ask. They should also be trained to understand certain signals (e.g., like urgency, fear, and anger) that might indicate a user is trying to pressure them into resetting credentials.

“Even though asking for a password reset or MFA reset might be a common ask — it is always a big ask”

However, even if a help desk worker is trained perfectly, there may be an attacker that sounds legitimate! They may have done research on the potential target and know to sound typical. Most employees asking for help desk assistance probably sound confused and slightly annoyed. A clever attacker will probably take on this tone and attitude. An advanced attacker may utilize novel voice-changing technologies in what’s known as vishing.

Therefore, it is also important to equip the help desk with tools and mechanisms to try and verify the identity of the caller. Traditionally, Duo has done this with our help desk push functionality, which sends a Duo Push to a phone a user controls. However, an attacker will almost certainly claim they’ve lost their phone as well.

One method to confirm the identity of callers is with Duo Push Verification

Therefore, we also recommend the help desk have other tools they can use to quickly validate a caller’s identity. One mechanism to do this with Duo is to use our Identity Intelligence functionality. With Identity Intelligence, a help desk employee can quickly see a user’s typical access activity (e.g., which applications they tend to log into, from where, and with which devices). This information can provide some helpful context in a reset credentials conversation — the help desk worker can now say things like:

• "I see you have a second device registered for MFA. Can I send a verification there?"

• "Name 3 applications you used yesterday."

• "I see that you logged in from an unusual location a week ago. Where did you log in from?"

Identity Intelligence is just one way to verify user identity at the help desk. There are also more traditional mechanisms like knowledge-based authentication (KBA) questions that a user may have set. However, given that the attacker may have also stolen the KBA answers if they are easy to research or steal (e.g., mother’s maiden name), we suggest using data that is more dynamic and specific like the examples above.

Detecting & responding to help desk attacks

Now, even if help desk workers are trained well and equipped with proper verification tools, there still may be a case where an attacker slips through. In these instances, it’s important to detect the compromise as quickly as possible.

Detecting help desk attacks

Again, Identity Intelligence has some powerful features to equip security professionals with context regarding help desk attacks. The tool comes with dozens of alerts built to detect identity-based risk. In the case of help desk attacks, there are specific features and checks that may be most beneficial.

1. Feature: User Trust Level

2. Check: Users Sharing Authenticators

3. Check: Admin Role Assigned to User

Identity Intelligence recently released a feature called a User Trust Level. This takes data on user role and activity to establish how trusted a user is at any given time. While it won’t explicitly detect a help desk attack, the User Trust Level is a helpful tool to see a subset of riskiest users in an environment at any given time. By reviewing and remediating the list of “Untrusted” users, security professionals will heavily improve their susceptibility to identity threats.

Account listed as “Untrusted” after logging in from new location without MFA

Identity Intelligence also has an alert for sharing authenticators. This is a helpful tool when detecting identity threats because often an attacker will target multiple users in an organization. If the attacker uses the same phone number/mobile device with each compromised user, Identity Intelligence will highlight this trend with the Users Sharing Authenticators check. Then, a security professional can remediate the compromised users.

Finally, attackers will almost always look to elevate the privileges of the accounts they now control. Therefore, the Admin Role Assigned to User is a great check for detecting privileges being added to an account. And, Admin Activity Anomaly checks are great for understanding if administrator accounts are acting unusually.

To be clear, detection is always a tricky game — but, by combining User Trust Level with the power of the checks that Identity Intelligence offers, security teams will have a powerful set of tools to identify a potential Help Desk compromise.

Remediating help desk attacks

Once compromised accounts and users have been detected, it’s important to establish a secure remediation process. To start, the accounts should be constrained or blocked from further access until the compromise is resolved. Identity Intelligence has a variety of response mechanisms available depending on the integrations set up. For example, a user can be locked out or quarantined via an action in Identity Intelligence. If the security team leverages a SIEM or SOAR for their response workflow, Identity Intelligence can seamlessly integrate there.

However, one thing to note here - there are many processes in place today that may give control to accounts right back to an attacker. Resetting passwords and MFA factors are only viable controls once trust has been accurately re-established with the account holders. We highly recommend putting in place a mechanism to re-verify users via a strong form of identity verification (ex: a phishing-resistant form of MFA or biometric authentication).

Hopefully, by combining strong mechanisms for prevention, detection, and remediation, organizations can attain a defense-in-depth against help desk attacks. If you’d like to learn more about establishing a robust identity security program from the ground up, check out our eBook Building an Identity Security Program.

Our spurs are jingling and jangling — it's time to hitch our saddles and ride on down to Texas for the Gartner Identity and Access Management Summit. Gartner's IAM Summit is an essential event for IAM and security leaders. Held in Grapevine, Texas, from December 9-11, 2024, the summit gathers thousands of attendees to discuss the evolving landscape of identity, which is crucial for both business operations and cybersecurity.

The summit is always an excellent melting pot of practitioners, analysts, and solution providers — coming together to discuss current IAM industry trends — from the overhyped to the overlooked. If you work in IAM or security, we highly recommend the conference as a place to hear both cutting-edge research and concrete strategies for building a resilient, secure approach to identity.

Why Cisco Duo is excited to attend

Duo has been at the forefront of identity and security since our inception. This year, we are excited to showcase how our product and vision are expanding beyond multi-factor authentication to deliver identity-first security solutions for organizations of any size. Our aim is to provide robust identity security controls that effectively counter identity-based attacks, all while maintaining a user-friendly experience.

However, it’s not just about our product and solutions, but the IAM community building and working together as well. This is why we’ve committed to participating in an interoperability demonstration utilizing the Shared Signals Framework. The goal of which is to showcase how IAM and security tools can more effectively and seamlessly share relevant data across systems.

Visit us at booth #323

Cisco Duo will be at booth #323, centrally located in the vendor exhibit hall.

For any current Duo customers, we invite you to reach out to your account team to set up a meeting with our product and engineering executives who will be on-site:

• Matt Caulfield, VP of Product, Duo & Identity at Cisco

• Didi Dotan, Sr. Director of Engineering, Identity at Cisco

• Chris Anderson, Product CTO, Duo at Cisco

We are eager to hear from you! We are open to any and all feedback: the good, the bad, and the ugly.

Join our talks and demonstrations

We are thrilled to present four talks throughout the summit:

• Strategic Session: "The Evolution of Securing Identity" by Matt Caulfield on December 10 at 3:15 PM CT

• Service Provider Session: "How I Learned to Stop Worrying and Love Identity Security" by Ted Kietzman on December 9 at 11:45 AM CT.

• Theater Session: "How to Both Secure and Delight Your Users with Duo" by Charles Kim on December 10 at 6:00 PM CT.

• Theater Session: "Leveraging Identity Analytics to Bolster Defenses with Duo" by Ivor Coons on December 11 at 1:35 PM CT.

And, we'll be a part of the Shared Signals Interoperability demonstration, which will take place at 12PM CT on both Tuesday and Wednesday during the conference.

Ya’ll come round now; you hear?

We would love to connect with you at the Gartner IAM Summit. Visit us at our booth, attend our sessions, or reach out to your account team to schedule a meeting with one of our executives.

We look forward to seeing you in Texas!

Stepping up to a better, more feature-rich product or service can seem challenging. In the end though, it’s worth the effort, especially when it addresses areas of need. For example, my TV is 14 years old. Although the picture quality is still excellent and there are some decent capabilities I can use, it’s missing many of today’s modern features that deliver a much better viewing experience than what I have now. So, I’ve got a plan to a get a new model that offers the advanced features I want, and frankly need. And yeah, I’m pretty excited. Figuring out how to set up and use some of the advanced features will be challenging, but I’m up for it. I can see the benefits and the value.

More features, more value with Duo Advantage Edition

For organizations on the Duo Essentials edition, stepping up to Duo Advantage edition offers a slew of modern identity security and user experience features that add value to their Duo investment. Let’s take a look:

1. Cisco Identity Intelligence (CII) — One half of Duo’s Continuous Identity Security solution, Cisco Identity Intelligence adds a powerful security layer for any identity infrastructure. CII addresses organizations’ need for comprehensive visibility into multi-vendor identity sources and high-fidelity threat protection. It also reduces coverage gaps by providing a broad range of MFA options for all your use cases plus added security layers using device trust and risk-based policies.

2. Duo Passport — The other half of Continuous Identity Security, Passport enables organizations to provide their workforce with an exceptional user experience by dramatically reducing the number of times users are asked to authenticate. After logging in and authenticating just once on a trusted device, users get uninterrupted access to permitted applications across browsers and thick clients, minimizing repeated authentication requests throughout their workday and increasing productivity.

3. Device Health Checks — Allowing a device that’s running outdated software — like an operating system, browser or plug-in — to access your network is risky. Duo Desktop, Duo’s native client application for macOS, Windows and Linux endpoints, removes that risk by assessing an endpoint’s health posture at the point of authentication to make sure it complies with your access security policy. Devices that fail a health check are blocked from accessing an application. Fortunately, Duo provides guided self-remediation with step-by-step instructions to help end-users bring a device that fails a security check back into compliance without the need to contact IT so they can immediately access the application from the newly compliant device.

4. Risk-based Authentication — If you have a mobile workforce or you like to work from a different location every now and then, Risk-based Authentication evaluates risk signals such as location at the time of login and then adjusts the authentication requirements based on risk level. If the risk is low and trust is high, the user can complete a basic Duo Push. However, if trust is low, the user is asked to step up to a more secure authentication method like a Verified Duo Push or passwordless authentication to re-establish trust.

5. Trust Monitor — If you’ve ever had to sort through mountains of log data to identify anomalous access events that could be threats to your network, you know it’s tedious and time-consuming. Trust Monitor does the work for you by sorting through your organization’s authentication logs and surfacing unusual access and device registration attempts, enabling you to detect and remediate compromised accounts proactively.

6. More Reasons — I know I said there were five reasons, but I’ll add in a bonus round. Stepping up to Duo Advantage also unlocks more of what you get with Duo Essentials — more adaptive access policies, more customizable reports and more insight into devices connecting to your network. In other words, Duo Advantage “Goes to 11.”

Making the move to Duo Advantage

Moving from Duo Essentials to Duo Advantage might seem like a big step up, but for those that do, the benefits are many. Everything I discussed earlier is included in a Duo Advantage subscription. And when it comes to configuring these features, you don’t need to go it alone. Duo Care Premium Support provides customers with the opportunity to work directly with a dedicated Customer Service team to roll out their Advantage deployment.

If you’re interested in test driving the features in Duo Advantage, contact your local Duo reseller or managed service provider (MSP). You can also sign up for a Free Trial which includes 30 days of Duo Advantage edition.

In addition, we encourage you to see what your peers are saying about Duo. You can read customer reviews on sites such as TrustRadius, which just announced Duo as a Buyer's Trust Award winner in the Authentication category for 2025.

The rise of multi-factor authentication (MFA) has been good for security. The merits of MFA have been so widely accepted that governments recommend it, cyber insurance providers often require it, and companies like Microsoft and Google are now mandating MFA for a variety of login use cases.

However, the rise of MFA has come with a correlated challenge: authentication fatigue.

Employees often struggle to navigate the complex web of passwords, authentication prompts and multi-factor authentication (MFA) requirements, leading to frustration and even bad behavior. Repeatedly entering credentials and performing MFA across multiple applications not only wastes time but can also incentivize employees to subvert authentication controls, eroding their security efficacy.

The problem of authentication fatigue is exactly why we introduced Duo Passport about six months ago. By enabling users to log in just once to their work device and gain secure access to applications throughout the day, Duo Passport eliminates the need for repetitive authentication. This frictionless approach to authentication not only boosts end user productivity, but also ensures strong authentication security is in place across diverse IT environments.

To review, Duo Passport delivers a seamless access experience by making the authentication process invisible to users. Upon login, Duo verifies the user's identity and the trustworthiness of the device, whether it's a corporate-managed device or registered with Duo. Once authenticated, Duo continually verifies trust for every access request based on adaptive and risk-based policies behind the scenes — without re-prompting users for authentication. This eliminates the need for users to constantly prove their identity, reducing authentication fatigue and streamlining their workflows.

Since its introduction, Duo Passport has been adopted by hundreds of customers and garnered positive feedback from users and administrators alike.

Here are the top 3 reasons customers are loving Duo Passport so far:

1. Simple Setup: Administrators have been pleasantly surprised by the ease of setting up Duo Passport, with only two clicks required. This simplicity translates into reduced administrative burden and faster implementation.

2. Serious Time Saved: So far, Duo Passport has seamlessly and securely saved users from hundreds of thousands of authentications, equivalent to literal months of time spent authenticating. This time-saving capability demonstrates the significant impact Duo Passport has on user productivity.

3. Minimal Support Cases: Once Duo Passport is up and rolling, the ongoing care and feeding of the feature is minimal. In the last month, there have been 0 help desk tickets associated with using Duo Passport.

As more MFA mandates are put in place, the importance of using a tool like Duo Passport only increases. By reducing authentication fatigue and providing a frictionless experience, Duo Passport empowers users to focus on their work while maintaining the robust security of MFA. The remarkable adoption rates, time saved and minimal administrative burden highlight the tangible value of implementing Duo Passport.

As organizations strive for a secure and seamless user login experience, Duo Passport emerges as the solution that bridges the gap between security best practice and delightful user experience.

Ready to enhance your organization's security and user experience? Explore Duo Passport today and unlock the power of seamless authentication or reach out to sales to learn more.

In today's digital age, the concept of security has evolved far beyond the traditional boundaries of firewalls and antivirus software. With the ongoing movement towards digital transformation, cloud adoption, hybrid work environments and increased business interconnectivity, workforce identity tools have emerged as the new perimeter. This shift has made identity-first security a core component of modern security initiatives, such as zero trust architecture and cloud-first strategies.

The identity crisis: Breaches leveraging employee identity

According to Cisco Talos, 80% of security breaches today leverage compromised employee identities. The trend continued in their most recent quarterly threat trends report which highlighted identity and improper use of MFA as key vectors for attack. These findings are not surprising, given that identity technology, which originated in IT, has become increasingly complex over the past decade. Identity sprawl, where organizations have a diverse array of users, including employees, contractors and partners accessing corporate resources, is a common issue. Managing these diverse sets of users with multiple accounts can be challenging, especially if multiple identity stores and identity providers are involved.

Attackers are exploiting this complexity to gain unauthorized access to company environments, bypassing commonplace security measures.

Traditionally, organizations have relied on strong authentication requirements, such as multi-factor authentication (MFA), to address compromised access. However, attackers have become adept at finding the gaps where MFA is not required or subverting MFA altogether through technical mechanisms like adversary-in-the-middle or even just particularly nuanced social engineering.

The need for a holistic identity security program

To effectively combat identity-based threats, organizations must implement a comprehensive identity security program. The first step in this program is gaining visibility across the entire identity ecosystem. This is a larger ask than may seem apparent — identity infrastructure has many components and the relationships between accounts and access is often hard to parse. But the benefits of investing in cross-platform visibility are tangible and measurable.

To start, this visibility enables proactive measures known as Identity Security Posture Management (ISPM). ISPM initiatives include efforts like ensuring widespread adoption and usage of MFA and cleaning up dormant or inactive digital identities to prevent their exploitation by attackers. According to Cisco Identity Intelligence, 24% of user accounts are inactive or dormant, and 40% of accounts lack strong MFA. Addressing these posture gaps is crucial for strengthening defenses and reducing the risk of breaches.

Identity Threat Detection & Response: Limiting the blast radius

A robust identity security program also includes dedicated Identity Threat Detection & Response (ITDR). The problem with traditional Threat Detection & Response solutions is their generality and primary focus on non-identity infrastructure components. Typically, security operations tools focus on the endpoint or network without the context they need to effectively detect identity threats. Moreover, the detection logic leveraged within these tools often assumes endpoint or network compromise and can miss the patterns associated with identity-based threats.

By implementing threat detection and response that is dedicated to identity as a vector, organizations will limit the blast radius and accelerate remediation actions. ITDR ensures that organizations can quickly detect and respond to identity-based threats, minimizing the impact on their operations.

Moving beyond authentication

In conclusion, the rise of identity security necessitates a shift beyond relying solely on authentication to address compromised identities. Organizations must implement robust and holistic identity security programs that encompass visibility, posture management, and threat detection and response. By doing so, they can effectively protect their digital frontiers and ensure the security of their operations in an increasingly complex and interconnected world.

As identity continues to be the most important perimeter, it is imperative for organizations to stay ahead of attackers by adopting comprehensive identity security strategies. This approach not only enhances security but also improves user experience and delivers significant financial benefits. The time to act is now, and the path forward is clear: Embrace identity security as a cornerstone of your organization's defense strategy.

To learn more about building a comprehensive identity security program, learn more in our ebook Building an Identity Security Program.

Winning an award, especially one based on feedback from users of your product or service, is gratifying. It’s validation that you are designing and delivering solutions that address your customers’ needs.

“Cisco Duo winning the TrustRadius Buyer's Choice Award is a testament to their critical role in security for organizations across the globe,” said Allyson Havener, SVP of Marketing & Community at TrustRadius. “This award, based on vetted customer reviews, highlights how Duo makes it simple for businesses to implement strong, reliable multi-factor authentication and safeguard their digital environments. Congrats Cisco Duo for delivering a solution that not only enhances security but also builds deep trust with its users through ease of use and dependability."

Earning the Buyer’s Choice Award is significant because it’s based on peer reviews written by practitioners, consultants, decision-makers and others who have experience using Duo. Reviewers are authenticated and their experience with the product is verified through a multi-step process prior to writing a review on the TrustRadius website. This ensures technology buyers are reading opinions they can trust. According to TrustRadius, "During the review process, we don’t just ask reviewers if they liked or didn’t like the product — we dig deeper. Reviewers are asked if products and their support teams live up to expectations; and if they would buy the product again. These candid answers shape whether or not a product is chosen as ‘best’ in each of the key areas."

Here's what customers who have written a review on the TrustRadius site are saying about Duo.

“Duo Security is a simple low friction way to solve the problem of compromised accounts. At our organization, we had dozens and dozens of these. Users would fall for a phish and surrender their passwords. The hackers would then have access to their accounts to use them for their own purposes. Duo solved that problem.” — IT Analyst, Higher Education

“Cisco Duo also gives us flexibility with how 2FA is set up, whether it be an app push, SMS or telephone call, we can provide a variety of options to our end users. It's a great security option to add into an environment and easy to do so, with great support and online documentation.” — Information Technology Manager, Transportation

“We used Cisco Duo for three years now, and we are very satisfied with this product. Our organization faced brute force attacks, and we really needed a security product to solve that problem.” — Information Technology Manager, Military

This is not the first time Duo has received an award from TrustRadius. The 2025 Buyer’s Trust Award follows on the heels of Duo being named Top Rated for 2024 in three TrustRadius categories.

Visit us online to learn more about how Duo can help your organization protect against identity-based threats while delivering an exceptional user experience with solutions such as Continuous Identity Security. You can also check out Duo reviews on TrustRadius or sign up for a free trial to try Duo for yourself.

Hey there, Fortinet FortiGate users!

Let's talk about how Duo SSO is revolutionizing FortiGate VPN access.

Picture this: You're securing VPN logins in under an hour, authenticating users in seconds and saying goodbye to those pesky stolen credential risks. Sounds too good to be true? Well, it's not, and thousands of Fortinet firewall customers are already reaping the benefits.

"But wait," you might be thinking, "I'm already using Duo with my FortiGate VPN through RADIUS. Why should I bother switching to SSO?" Great question! While RADIUS has served us well, it's starting to show its age. Plus, why settle for 'good enough' when you can have 'great', at no extra cost?

Why Duo SSO is the superhero your FortiGate VPN needs

Security for superheroes

• Passwordless authentication: Leverage methods like passkeys and biometrics

• Verified Duo Push: An extra layer of verification to stop push fatigue attacks

• Risk-based authentication: Adjust security measures based on contextual risk factors 

Simplicity is the ultimate sophistication

• Intuitive interface: A redesigned, user-friendly authentication process

• Self-service capabilities: Empower users to manage their own devices and authentication methods

• Multi-language support: Cater to your global workforce with localized experiences

Control freak (in a good way)

• Device trust policies: Easily manage access based on endpoint security posture

• Advanced security protocols: Move beyond traditional frameworks to more robust solutions

• Comprehensive accessibility: Ensure strong authentication is available to all users, regardless of ability

Modernize your FortiGate VPN logins with Duo SSO

Setting up Duo SSO with your FortiGate VPN is a breeze. It's like following a recipe, but instead of a delicious meal, you end up with ironclad security (which, let's be honest, is delicious in its own right):

1. Open your Duo SSO configuration in the Admin Panel.

2. Connect your FortiGate VPN to Duo SSO using SAML 2.0 (it's like introducing two friends who are destined to become besties).

3. Sprinkle in some Duo Policy requirements.

4. Taste-test with a pilot group.

And voilà! You've got yourself a security masterpiece.

Wrapping Things Up

But wait, there's more! Duo Single Sign-On plays well with others. Whether you're juggling Microsoft 365, Salesforce or a smorgasbord of other apps, Duo's got your back!

So, what are you waiting for? It's time to give your FortiGate VPN the upgrade it deserves. Your IT team will thank you for the simplified management, your security folks will sleep better at night and your users? They'll wonder how they ever lived without it.

Ready to join the Duo SSO revolution? Reach out to us today, and let's make your FortiGate VPN the Fort Knox of the digital world — but way easier to get into (for the right people, of course).

Identity security is more crucial than ever. In a recent survey of IT and security leaders, Cisco found that 65% of them see Identity & Access Management (IAM) as a top priority for the next 2-3 years. This makes sense — as businesses face an increasing array of threats like phishing, social engineering and even MFA bypass, it becomes critical that organizations build a comprehensive identity security program. By developing a dedicated identity security practice, organizations can arm themselves against hackers looking to login with forged, stolen or spoofed credentials — pretending to be the very workers we’d like to protect.

As we discuss in our Identity Security Blueprint, this is where the four pillars of identity security — Identify, Detect, Protect and Respond — come into play. When implemented as part of a robust strategy, they offer a strong foundation for securing your organization’s digital environment.

In this blog post, we’ll dive deeper into what those four pillars look like, how you can implement them and how Duo can help you get there.

1. Identify: Know your users and assets

The first step in any identity security program is knowing who your users are and what they have access to. This requires accurate user identification and a clear understanding of each user’s role within the organization. Ensuring that only authorized users have access to sensitive information reduces the risk of unauthorized entry and data breaches.

• How Duo Helps: Duo’s Identity Intelligence functionality can create an inventory of users and devices. This visibility helps set a baseline for normal access in an environment and enables proactive posture improvement work (i.e., ensuring that everyone is using strong MFA).

2. Detect: Monitor for suspicious behavior

After identifying users, it’s essential to monitor their behavior. Anomalous activity — such as failed login attempts, unusual locations or abnormal behavior patterns — can be a sign of compromised credentials or insider threats. Continuous monitoring helps detect these warning signs before they escalate into major security incidents.

• How Duo Helps: Duo has a variety of ways to detect anomalous behavior and provide context to security and IT teams. Moreover, Duo’s adaptive authentication can react to risk signals in real-time. If an action is flagged as high risk, Duo can automatically enforce additional authentication steps or block access entirely.

3. Protect: Safeguard against attacks

Prevention is key when it comes to identity security. By putting proactive protections in place, organizations can minimize their exposure to threats. This includes securing endpoints, enforcing strong authentication measures and ensuring the overall health of devices that access the network.

• How Duo Helps: Duo not only provides MFA but also includes industry-leading Device Trust functionality. Duo can invoke these features in granular access policies, ensuring that all users and devices meet security standards before they access corporate resources.

4. Respond: Take action against threats

Even with the best defenses, no system is 100% immune to attacks. This makes a strong response plan critical. Responding quickly and effectively to incidents helps minimize damage and recover more quickly. This involves having automated responses in place to block compromised accounts and tools to investigate and remediate issues.

• How Duo Helps: Duo provides real-time insights into login activity, device health and risk levels, allowing IT teams to respond immediately to potential threats. By quickly locking down accounts or enforcing new security measures, organizations can limit the spread of an attack.

Building Your identity security program with Duo

By implementing the four pillars — Identify, Detect, Protect and Respond — into your organization’s identity security strategy, you’re building a comprehensive defense against modern threats. Duo’s portfolio of features supports each of these pillars and forms a unified identity security platform that safeguards your users and keeps your organization secure.

Ready to get started? Read our in-depth look at how to develop a world-class identity security program by downloading our 2024 Identity Security Blueprint.

A brand-new tool has landed in Duo. The policy calculator is here to simplify policy like never before. It’s your new go-to feature for effortless policy management and evaluation.

What is the Policy Calculator all about?

Managing multiple security policies in Duo is a crucial and complex task.  Our rule-based policy engine brings flexibility, but figuring out exactly how all those policies combine can be a real head-scratcher.

That's where the Policy Calculator comes in. This tool is designed to take the guesswork (and stress) out of policy. It allows you to see exactly which policies apply when a user accesses an application, providing a clear, rule-by-rule breakdown of the final policy in effect. Not only does it give you the final calculated policy, but it also shows which specific policy each rule originates from. It's like having X-ray vision for your policies!

How does it work?

Spoiler alert: it's super easy!

You’ll find the Policy Calculator nestled under Policy in the Duo Admin panel. Input a user and application name, the key details needed to calculate the policy.

And then the magic happens! You'll see the groups the user belongs to and all the policies that apply.

You will also get a detailed, rule-by-rule breakdown of the final policy, complete with the origin of each rule. It's like having a personal policy detective at your fingertips.

Continue exploring by entering different usernames and applications to see how the calculated policy changes.

Wondering when you might use the Policy Calculator?

• Verify if the policy changes you made are doing what you think they are. The Policy Calculator lets you see how these modifications affect the final policy for a user accessing an application. No more policy surprises!

• Understand why a user was denied access. See the breakdown of policies leading to the denial, helping you troubleshoot and make necessary adjustments.

• Got a complicated policy stack? In Duo, group-level policies override application and global-level policies. The Policy Calculator looks at rules from each of these policies and picks the rules from policies with higher precedence for the final policy. It untangles the complexity, so you don’t have to!

Get started today!

The Policy Calculator is now available in your Duo Admin Panel. Start using it today to ensure that your security policies are working exactly as intended. Go ahead, give it a whirl!

Available now in all paid Duo subscriptions

The launch of Duo Mobile in the early 2010s changed how businesses enabled secure authentication. Still, we have always known that there are industries and use cases that cannot rely on smartphones (or hardware tokens, SMS, and phone calls). Enter Duo Desktop authentication, which allows users to authenticate from a single laptop or desktop seamlessly when more secure forms of authentication are not available (restricted sites like clean rooms) or allowed (call centers or manufacturing sites). Duo Desktop authentication can be the solution for your edge use case:

Duo Desktop authentication isn’t a replacement for more secure authentication methods such as passkeys and Duo Verified Push. A secondary authentication device will be more secure, and your organization should always strive for the strongest protection against identity-based attacks. However, Duo Desktop authentication was developed to serve specific use cases such as call centers, manufacturing sites, clean rooms and scenarios where stronger authentication forms are unavailable. In restricted environments, employees often do not have access or cannot have access to devices, landlines, or tokens. Duo Desktop addresses this precise issue by allowing employees to authenticate using their desktops efficiently:

Reduce IT spend

For many organizations, particularly those with strict compliance or regulatory requirements, using personal devices for work is not an option and purchasing a device for every employee to authenticate can be costly. Telephony, SMS and hardware tokens, are either expensive, vulnerable or simply archaic to use across the wide variety of use cases in the market.

Duo Desktop reduces the cost of organizations needing to purchase devices, telephony credits and tokens, across use cases. Duo Desktop also reduces the administrative costs and complexities that physical device management or telephony requires. In restricted sites with high-security measures or in international territories with high shipping costs or logistical challenges, Duo Desktop authentication provides a streamlined solution that reduces administrative overhead and enhances the use case experience.

Reduce credential risk

As mentioned, Duo Desktop authentication is not a replacement for more secure forms of authentication such as passkeys or Duo Verified Push. However, Duo Desktop's registration process does help mitigate the risk of bad actors trying to pass off their own devices as ones with privileges to corporate resources by blocking devices presenting already registered device identifiers.

Duo Desktop authentication can be paired with additional security measures including Duo’s Trusted Endpoints or device health policies with Duo Desktop, which helps to bolster the security of authenticating from the desktop. This streamlined identity security approach ensures minimal disruption to operations while maximizing security and efficiency to help mitigate compromised credential attacks for the edge case where a more secure form of authentication cannot be used. It also enables administrators to implement Duo Desktop authentication quickly, empowering employees to authenticate securely without delays.

Reduce user friction

Duo Desktop authentication also serves as an efficiency driver for your organization’s edge use cases. Imagine supporting a critical service or role such as a call center for a hospital network, where authenticating faster allows critical issues to be resolved more efficiently. In this scenario, you need to limit the user friction by reducing the time to log in. By authenticating at the endpoint instead of an external authentication device like a phone call, SMS code or token OTP, Duo Desktop drives efficiency for your edge use case.

This flexibility is a plus for scenarios where traditional multi-factor authentication (MFA) methods fall short and organizations struggle with time-to-login issues during the sign-in process. Duo Desktop authentication helps Duo embody the principle of securing identities on any device, from anywhere and we are excited to hear feedback during public preview.

Experience Duo Desktop authentication today

Duo Desktop authentication is a step forward in secure access, providing organizations with a secure authentication method for use cases that are typically challenging to deploy, maintain and support. By offering a solution that eliminates the need for smartphones or tokens, Duo addresses the need of organizations across industries including security, compliance, cost management and operational efficiency.

Duo Desktop authentication is available now in all paid Duo subscriptions. You can test by deploying the Duo Desktop app and enabling Duo Desktop authentication in your Duo Policy stack to your preferred applications and identities. Review more on how to use Duo Desktop authentication on the Duo Docs page and reach out to your Duo contact to learn more today!

In the high-stakes arena of cybersecurity, multi-factor authentication (MFA) is the gold medal of safeguarding our online accounts. Just as Olympic champions need the latest technology and rigorous training to excel, our digital defenses require more advanced methods to fend off today’s sophisticated threats.

SMS–based MFA leverages text messages (SMS) as one of the authentication factors to verify a user’s identity when attempting to log into a system. SMS-based MFA is like a sprinter who lost a step: Once a reliable performer, it now struggles and it’s no match for the evolving competition.

Vulnerability to SIM Swapping: In a relay race, the baton is our SMS. In a SIM (Subscriber Identity Module — a smart card used in mobile devices to store information) swapping attack, the baton is stolen by an opponent who tricks your mobile carrier into transferring your phone number to a new SIM card. Once the baton is in their hands, the attacker can cross the finish line with your authentication codes, leaving your accounts vulnerable. Just as a stolen baton can jeopardize a race, a hijacked phone number can compromise your security.

Message Interception: Unlike the secure lanes of a well-organized race, SMS messages travel through a more exposed route where anyone with a clear view can intercept them. Attackers with the right tools can effectively “watch the track” and snatch your messages as they pass by. Without the barriers and safeguards of a secure relay race, these messages are left vulnerable to interception.

Phishing Risks: Phishing scams are like devious obstacles on your course. Even the most alert runners may stumble over these obstacles, which are disguising themselves as valid communications. Like how a hurdle could make a sprinter falter and fall, smishing attacks trick you into giving over your MFA codes. Attackers will have an easier time disrupting your security race if you use SMS-based MFA because there is a greater chance that you will run into these false obstacles.

Dependence on Mobile Network Reliability: MFA is a race where the starting pistol is fired by the reliability of your mobile network. If the network is down or you’re in an area with poor signal, it's just like a false start that delays your run. You might not receive your authentication codes, causing frustrating interruptions and potentially locking you out of your accounts. In the security race, relying on a network’s unpredictability can leave you off-balance.

An elite squad of auth methods

To stay ahead in this race, it’s essential to upgrade to more secure, agile methods that can sprint past these security obstacles with ease.

Duo Security offers more secure alternatives to SMS-based MFA, addressing many of the vulnerabilities associated with traditional methods:

Push Notifications: Duo Push is the high-performance sprinter in your security team. When you attempt to log in, Duo Push sends a notification to your mobile device. With a single tap, you can instantly approve or deny the login attempt. Offering a seamless and responsive experience, much like a runner who reacts with lightning speed. It combines convenience with robust security, ensuring that your authentication process is both swift and secure.

Time-Based One-Time Passwords (TOTP): Duo Mobile app with time-based one-time passwords (TOTP) are the precision tools in your security toolkit. The app generates a new code every 30 seconds, providing a time-sensitive layer of security. This method is like an athlete using specialized equipment to fine-tune their performance.

Hardware Tokens and Biometric Authentication: Duo also supports hardware tokens for those who prefer a physical security device. These tokens generate one-time passcodes, like a runner relying on specialized gear to enhance their performance. They provide an extra layer of security that’s resistant to phishing and other attacks, ensuring your authentication remains robust and dependable.

Comprehensive Security Monitoring: Duo’s advanced monitoring and reporting features are the vigilant security team analyzing every runner’s performance in real-time. This feature allows organizations to track authentication attempts and detect suspicious activities. The added layer of oversight helps prevent and respond to potential security threats more effectively.

Going for Gold

As the race to secure digital authentication continues, SMS-based multi-factor authentication is losing ground to other methods in the fight against cyberattacks.

Adopting advanced MFA methods such as Duo Push, Duo Mobile with TOTP, Duo Hardware Tokens, and Duo’s Comprehensive Security Monitoring, you’re ensuring your security team is prepared for the toughest challenges. With these cutting-edge tools, you can cross the finish line with confidence, knowing your digital identity is well-protected.

Resources

For more information on choosing strong MFA authentication methods, reach out to your dedicated Cisco team or check out the resources below!

• Duo Authentication Methods

• Duo: Next Level MFA

Available now in Public Preview for all paid Duo subscriptions

• Seamlessly connect multiple identity providers to Duo

• Orchestrate secure access for multi-domain environments

“Routing Rules just make sense, and it is great to see all of our users under one single Duo tenant.” — Head of IT, Biotechnology Organization

Today, we are proud to announce the launch of Routing Rules for Duo Single Sign-On (SSO) into Public Preview.

Historically, Duo Single Sign-On (Duo SSO) only supported one SAML Identity Provider (IdP) per account, which caused issues for multi-domain environment use cases. With the introduction of Routing Rules, Duo SSO now adds support for simultaneously authenticating users to multiple SAML identity providers and multiple Active Directory (AD) sources. Routing Rules also improves the well-adopted support for multiple Active Directory (AD) sources by allowing for more targeted requests to the proper AD environment. This ensures Duo SSO is prepared for all your users and can deliver a better user experience while reducing the load on your existing Duo Authentication Proxy infrastructure.

“With the introduction of Routing Rules, Duo SSO now adds support for simultaneously authenticating users to multiple SAML identity providers and multiple Active Directory (AD) sources.”

With organizational growth and diversification come more intricate authentication needs. A good example are mergers and acquisitions, which frequently require support for multi-domain use cases. This innovative solution is crafted to synchronize your identity access control, much like a maestro orchestrates a symphony, ensuring every authentication is delivered to the right authentication source at the right moment.

Modern organizations often rely on multiple identity providers to meet their diverse needs. With Routing Rules, you can configure detailed access rules based on conditions. For example, when an identity accesses an application, the email domain, network space, and application itself can be assessed in the Routing Rules profile to intelligently route the user to the correct downstream identity provider. This flexibility ensures access is granted under exact conditions, especially when combined with the rest of Duo’s amazing policy stack, enhancing the overall security posture of growing organizations.

One of the standout features of Duo is that rather than just being a delegated authentication event, Duo retrieves the most up-to-date attribute set from the Active Directory or SAML source in real time, enabling both Duo as well as the applications being logged into to perform more secure authorization checks.

Let’s walk through a use case example

Acme Corp. acquired Globex and the acquisition is closing faster than expected. Each organization has their own infrastructure, including different domains (multi-domain), multiple identity providers, applications, security tools and resources. With the acquisition closing, an administrator needs to be able to route traffic intelligently for the two unique profiles to ensure members have the correct experience and authenticate with the right downstream identity provider.

• The acquired Globex domain users will need to authenticate with Okta for Workday and Google for Acme’s Salesforce.

• The existing Acme domain users will need to still authenticate with Active Directory for Workday.

In Duo, the Routing Rules configuration would look like the screenshot below:

As you see in the diagram, if the Globex user accesses Workday, Duo will orchestrate access to the Okta authentication source. However, if the Globex user accesses Salesforce or any other application, the user will need to authenticate with Google Workspace. Lastly, the Acme user will authenticate strictly with Active Directory for all applications in this example scenario.

Experience Duo Routing Rules today!

Routing Rules is solution for various use cases across sectors including organizations dealing with mergers and acquisitions, multi-domain, multiple IdP, multi-national corporations and any business looking to secure access to applications with different IdPs based on routing conditions. On that note, we’re excited to see what symphonies Duo administrators orchestrate with Routing Rules.

Head over to the Duo docs page to learn more!

October is Cybersecurity Awareness Month. So, is there a better time to think about securing your personal life?

With cyber threats becoming more sophisticated, it's essential to safeguard your personal information. One of the easiest and most effective ways to do that is by using Duo Mobile, a mobile security app designed to keep your online accounts safe. In this blog, we’ll walk you through installing Duo on your mobile device, even if you aren’t very tech-savvy. Let’s make sure you stay safe online!

What is Duo?

Duo is a multi-factor authentication (MFA) tool. It helps protect your accounts by requiring a second form of authentication and password. This makes it much harder for anyone to access your information without your permission. With Duo, even if someone knows your password, they won’t be able to get into your account without access to your phone.

Why you need Duo Mobile

This is “need to know” information: Using a password alone isn’t enough anymore. Data breaches and hacking attempts happen all the time. Duo adds an extra layer of security to your accounts, allowing peace of mind that your sensitive information is protected.

“Using a password alone isn’t enough anymore.”

Installing Duo on your mobile device

Step 1: Download the Duo Mobile app

Whether you have an iPhone or Android, the first step is to download the app.

1. Open the App Store (for iPhone users) or Google Play Store (for Android users).

2. In the search bar, type “Duo Mobile”.

3. Look for the official app, developed by Duo Security LLC (it’s usually the first one that appears).

4. Tap Download or Install. The app will begin downloading to your phone.

The Duo Mobile app in the App Store

Step 2: Open the app and get started

Once it’s installed, tap on the Duo Mobile app icon to open it.

Step 3: Link your accounts to Duo

Now that Duo is installed, it's time to link it to your online accounts, like social media, email or banking apps.

1. Open the website or app for the service you want to protect (for example, Gmail, Facebook or your bank).

2. Go to the Security or Account Settings section.

3. Look for an option that says Enable Two-Factor Authentication or Add a Second Layer of Security.

4. When prompted, select Duo Mobile as your 2FA method.

5. The website will show you a QR code (it looks like a black and white square).

6. In the Duo Mobile app, tap the + button in the top right corner.

7. Use your phone to scan the QR code.

That’s it! Your account is now connected to Duo.

Step 4: Authenticate when you log in

Whenever you log into your protected account, Duo will ask you to confirm your identity. Here’s how it works:

1. Enter your username and password as usual.

2. Open the Duo Mobile app.

3. Enter the generated code in the login screen of the application you are logging into.

This tells Duo that it’s really you trying to log in, adding an extra layer of protection to keep your account safe.

Tips to Keep in Mind

• Keep your phone secure: Since Duo works through your mobile device, it’s essential to lock your phone with a password, PIN, or fingerprint.

• Save your online account recovery codes: If you get a new phone, you’ll need to reinstall Duo. Make sure you have backup codes from your online accounts in case you lose access to Duo.

• Backup your Duo account: Turn on backup of your third-party accounts in Duo Mobile from the Settings menu in the app. You'll need to set a password that you'll use if you have to restore Duo Mobile accounts to a new phone.

• Use Duo for more than one account: You can link Duo to multiple accounts, including email, banking apps and social media.

Security Made Simple

You don’t have to be a tech expert to protect yourself online. Installing Duo on your mobile device is a simple yet powerful way to stay safe. As we celebrate Cybersecurity Awareness Month, now is the perfect time to take control of your digital security. In just a few minutes, you can drastically reduce your risk of being hacked and enjoy peace of mind knowing your personal information is secure.

Stay safe out there!

According to Cisco Talos, 80% of breaches involved identity as a key component. As organizations continue to rely on digital identities for access control and authentication, the risk of identity compromise grows. These breaches can have severe consequences, affecting not only the organization but also its customers, partners and overall reputation. Therefore, it is crucial to have proper mitigation controls in place. However, even with the best defenses, breaches can still occur. When they do, it's essential to have a robust response plan to limit the damage and recover swiftly.

The serious consequences of a breach

There is really no need to reiterate the serious consequences of a breach. Breaches are bad! They pose significant risks to an organization's operations, reputation and stakeholders. They can expose sensitive data, instigate operational disruption and lead to serious financial liability in both direct and indirect ways. The key point here is that limiting the blast radius of a breach is of the utmost importance — and having a plan to quickly remediate and bounce back from a breach is integral.

Mitigation controls: A proactive approach

To be clear, Duo often sits as a primary mitigation mechanism against breaches. By providing strong and flexible multi-factor authentication (MFA), enforcing granular, risk-based access policies, and ensuring that only trusted devices get access to sensitive resources, Duo helps our customers defend against breaches in a variety of key ways.

With the introduction of our Identity Intelligence functionality, Duo has even more tools to proactively help organizations improve their identity posture and make sure their defenses are optimized.

Responding to an identity-based breach: Best practices

However, despite having strong defenses in place, sometimes breaches can still occur. When they do, it's important to remember that the game is not over. Here are some best practices to put in place after an identity breach occurs:

Short-term best practices

Identify and Remediate Affected Accounts: Conduct a thorough investigation to identify all compromised accounts. Understanding the scope of the breach is crucial for effective remediation and preventing further unauthorized access.

Re-establish Trust and Secure Accounts: Though it may be painful, it's important to re-establish trust with the affected accounts. This means running them through an identity verification process to know that the account is associated with the correct user. Then, consider strengthening MFA requirements. For example, if SMS was still allowed as an MFA factor, maybe move up to Verified Push. Re-establishing trust and adding stronger MFA can help prevent attackers from regaining access using stolen credentials.

Rotate Passwords for All Users: Require all users to change their passwords, even if their accounts were not directly affected. This precaution helps mitigate the risk of undetected compromised accounts and enhances overall security.

Enhance Monitoring and Detection Capabilities: Implement or upgrade security monitoring tools to detect suspicious activities and potential breaches in real-time. One way to do this is by leveraging Duo’s new Identity Intelligence functionality, which provides dedicated Identity Threat Detection & Response capabilities. Improved monitoring allows for quicker detection and response to security incidents, minimizing potential damage.

Long-term best practices

Conduct a Post-Breach Security Audit: Perform a comprehensive security audit to identify vulnerabilities and gaps in the current security infrastructure. An audit helps in understanding how the breach occurred and what measures can be taken to prevent similar incidents in the future. Again, Duo’s new Identity Intelligence is a great mechanism to use during such an audit. In particular, the new Identity Security Posture score can help highlight areas of weakness and gives recommended actions for improvement.

Implement Stronger Identity Security Controls: Review and improve identity security controls, such as implementing tighter access policies, enforcing device trust and improving the deployment and adoption of MFA. Stronger controls reduce the likelihood of future breaches and improve the organization's security posture.

Educate and Train Employees: Conduct security awareness training for employees to recognize phishing attempts and other common attack vectors. Educated employees are less likely to fall victim to social engineering attacks, reducing the risk of future breaches.

Communicate Transparently with Stakeholders: Inform affected individuals, regulatory bodies and other stakeholders about the breach and the steps being taken to address it. Transparent communication helps maintain trust and ensures compliance with legal and regulatory requirements.

Conclusion

While we hope to have strong enough defenses in place to prevent breaches, we must not ignore the possibility that a breach will happen to us. If it does, having a strong playbook ready can help limit the blast radius, remediate the situation quickly and improve our security posture moving forward. By following best practices and learning from each incident, we can build a more resilient organization capable of withstanding the evolving threat landscape. Remember, the key to effective breach response is preparation, swift action, and continuous improvement.

If you’d like to learn more about building a playbook for breach response, check out our eBook: Building an Identity Security Program.

Administrators of identity tools hold the skeleton keys to the kingdom now that identity is the new perimeter. To be clear, all administrator accounts — regardless of use case — represent accounts with elevated levels of power and access and should be a focus of heightened security controls. However, in recent months, administrators of identity infrastructure and tooling have come under specific attack.

Therefore, understanding who your identity administrators are, what they do, and how to monitor their activities is crucial for maintaining a secure environment. In this blog, we will explore the importance of securing identity admins, highlight the risks of poorly managed admin accounts and provide best practices to mitigate these risks.

What is an identity administrator?

Identity administrator accounts have elevated permissions to deploy, configure, and modify relevant identity systems. In many enterprises, this includes administrators for tools like on-premises and cloud directories, single sign-on (SSO) solutions and multi-factor authentication (MFA) providers.

These administrators are essential for configuring key workflows for identity and access management (IAM) within organizations. For example, they often define and configure the lifecycle of employee identity accounts, provision application access for user groups, set access policies for these groups, and determine authentication requirements for various policies. Identity admins play a large role in defining and setting access policy and requirements, making these accounts attractive targets for cyber attackers.

The risks of poorly managed administrator accounts

Poorly managed identity administrator accounts can lead to significant security risks. Excessive privileges, lack of visibility, and undetected anomalous activity can all contribute to security breaches. To illustrate the risk, let’s use the notable example of the Scattered Spider attacker group, which has been known to exploit administrator accounts to gain control of identity systems.

Case study: Scattered Spider

Scattered Spider is the name of an attacker group associated with several major identity-based breaches. Their techniques have been outlined in this helpful briefing from CISA. They famously use a variety of social engineering techniques (e.g., calling the help desk and asking for password and MFA resets) to gain initial access to environments.

Once they obtain initial compromise of a user's account, Scattered Spider threat actors register their own MFA tokens to establish persistence. This is where they begin targeting and performing identity administrator accounts and administrative actions. They will change the access policy so that it no longer requires MFA or even go so far as to create and link new identity provider instances.

For example, they have been documented adding a federated identity provider to the victim's SSO tenant and activating automatic account linking, enabling them to sign into any account using a matching SSO account attribute. This allows them to perform privilege escalation and maintain access even when passwords are changed.

The key takeaway is that gaining administrative control of identity systems can have devastating consequences. However, with the right tools and practices, organizations can detect and respond to such activities early, reducing the potential impact.

Monitoring identity administrators with Cisco Identity Intelligence

Cisco Identity Intelligence offers powerful capabilities to evaluate and monitor administrator accounts and activities. By providing necessary visibility into the number of identity admins and their interactions with the environment, Cisco Identity Intelligence helps ensure proper use of privileges and alerts on anomalous activity.

Key features of Cisco Identity Intelligence for Administrator Security

Dashboards:

• Administrators per source

• Administrator logins

Checks:

• Admin filter on weak or no MFA

• Admin activity anomaly

• Admin role assigned to user

• Login to admin console

• Admin impersonation

• New IdP created

These features enable organizations to detect and respond to risky admin activity, reducing the likelihood of security breaches.

Best practices for securing identity administrators

To enhance the security of identity admins, organizations should implement the following best practices:

1. Limit the number of admins

Restrict the number of admin accounts to the minimum needed to function effectively. This reduces the attack surface and makes it easier to monitor and manage these accounts.

2. Limit privileges and access

Grant admin accounts only the privileges and access necessary for their roles. Implement the principle of least privilege to minimize the potential impact of a compromised account.

3. Enforce strong multi-factor authentication (MFA)

Require strong forms of MFA for admin access. When we say strong MFA, we mean disabling weaker forms of MFA like SMS and requiring phishing-resistant MFA via passwordless or combining traditional MFA with a trusted device requirement.

4. Implement monitoring and detection

Continuously monitor admin accounts and implement detection logic for high-risk activity. Use tools like Cisco Identity Intelligence to gain visibility into admin activities and detect risky activity.

5. Establish a response workflow

Develop and implement a response workflow for various levels of administrator risk. This ensures that your security team can quickly and effectively respond to potential threats.

Keep an eye on your identity watchmen

If we revisit the case of Scattered Spider after having implemented these controls, the picture is much rosier. It’s unfair and unwise to say that all breaches would be prevented or detected. But by proactively limiting the attack surface and putting in place detection logic to alert on strange admin activity (e.g., creating a new tenant or connecting a new SSO), organizations will be much better off.

To assess the security of your identity administrator accounts, consider the asking the following questions of your own environment:

1. How many identity administrators do you have in your environment?

2. Is strong MFA required for all identity administrators in every case?

3. Do you have good visibility into normal admin activity?

4. How do you detect anomalous admin activity?

5. What is the response workflow when risky admin activity is detected?

If you’re interested to learn more about building a robust Identity Security program to handle identity admin security and much more, check out our ebook: Building an Identity Security Program. Talk with someone about how Cisco Identity Intelligence and Duo can help bolster your organization’s identity defenses by contacting us.

We are less than two months away, are you ready?

Starting next month, Microsoft announced that they will begin rolling out mandatory multi-factor authentication (MFA) sign-in for Azure (also known as Microsoft Entra ID) resources.

It is no secret that identity-based breaches are on the rise, so we applaud Microsoft by taking the first step towards better protecting Azure resources! As Microsoft points out in their announcement, MFA “can block more than 99.2% of account compromise attacks.”

MFA “can block more than 99.2% of account compromise attacks.”

Not only do we applaud them, but at Duo we have been partnering with Microsoft for years to provide seamless integrations that make any Microsoft deployment more secure. Most recently, Duo became the first approved vendor in Microsoft’s new External Authentication Methods framework.

To illustrate the depth of our integration, you can satisfy Microsoft’s mandatory MFA requirement through any one of the following Duo configurations:

1. Duo Single Sign-On for Microsoft 365 supports Microsoft’s mandate out of the box

2. Duo two-factor authentication for Microsoft Entra ID External Authentication Methods (EAM) supports Microsoft’s mandate out of the box

3. If you are using Duo with Active Directory Federated Service (AD FS), you will need to ensure you are sending the Authentication Methods Reference (AMR) in the AD FS custom claim to support Microsoft's mandate

However, while MFA has shown to help stop attacks, authentication alone is not the answer. The security industry has diligently battled compromised credentials. We have evolved from passwords to multi-factor authentication (MFA) to phishing-resistant passwordless — our most secure form of authentication to date. Duo has been at the forefront of passwordless development and fully supports passwordless authentication as a component of an identity security program.  

Despite these advancements, we still see many identity-based breaches year over year. This is why we released Continuous Identity Security earlier this year. Continuous Identity Security is built on the premise that we need to enhance our traditional access management controls. It combines Duo’s current authentication capabilities like MFA, Passwordless and SSO with powerful security insights into identity and device risk. It also  provides mechanisms to maintain and revoke trust based on these insights.

For example, Continuous Identity Security includes an Identity Intelligence layer that provides visibility and context into identities across multiple data sources such as EntraID, Duo, Okta, Workday, Google and Salesforce. This context can be used to proactively improve identity security posture by doing things like finding and removing dormant accounts. But, it can also be used to inform an identity threat detection & response (ITDR) practice that seamlessly responds to identity threats.

In addition to Identity Intelligence, Continuous Identity Security includes functionality like Duo Passport which securely brokers trust across disparate authentication scenarios, reducing the number of times a user is asked to log in. Just like SSO before it, Duo Passport eases the burden of performing authentication on an end user, making them much less susceptible to frustration-based attacks like Push Bombing.

With Continuous Identity Security, not only can you satisfy Microsoft’s mandatory MFA requirement, but you are able to protect yourself against the sharp rise in identity-based attacks — all while maintaining a seamless access experience for your end users. Security is better because you now have deep visibility across all your identity environments enabling ISPM and ITDR. Yet, user experience is also improved because Passport and continuous analysis means trust can be shared between authentication checkpoints, reducing authentication frustration.

If you’re interested to learn more about how Duo and Microsoft can help secure your organization, check out this eBook that highlights how we work together to enable Zero Trust.

If you’d like to learn more about how to implement Continuous Identity Security at your company, you can read more on our product page or reach out to sales for a quick discussion.

The importance of gaining visibility into identity data

Over the last two years, the security of an organization's identity ecosystem has become paramount. Before diving into the specifics of dormant accounts, it's important to take a step back and discuss a prerequisite: gaining cross-platform visibility into identity and access management data. This visibility is the cornerstone of any robust identity security program.

You cannot protect what you can't see. Identifying what to protect is the first step in an organization’s identity security program. To achieve this, building an accurate user inventory is necessary. If you don’t trust us, the Center for Internet Security (CIS) also recommends maintaining an accurate inventory of devices and users to ensure that only authorized users have access to the system. Without an accurate user inventory, it becomes difficult to identify and mitigate security risks.

Challenges facing organizations trying to gain identity visibility

However, organizations often face several challenges when trying to gain visibility into their identity ecosystem. To start, identity providers store data in different formats with varied attributes and schemas, making it hard to map and reconcile data between systems, especially HR directories and identity providers. Additionally, data quality varies, with HR directories often having more accurate and up-to-date data compared to cloud-based identity providers. This creates inconsistencies when forming a unified view of user identities. And finally, individual users often have multiple accounts (Gmail, Yahoo, etc.) with access to company data. These accounts should be linked to a singular corporate entity.

By leveraging Cisco Identity Intelligence, organizations can easily overcome these challenges to gain powerful visibility into their identity ecosystem. One of the key functions of Cisco Identity Intelligence is creating an identity graph that is a mapping of accounts and access within an organization.

Visibility unlocks identity security posture management (ISPM)

Once an organization gains visibility, they can start getting proactive by implementing an identity security posture management (ISPM) initiative. But what exactly is ISPM?

Identity security posture management (ISPM) is the idea that an organization has a certain level of posture when it comes to the defense of the identity environment. This posture is affected by different levels of security hygiene and control in place both for individual users and for the organization more broadly. ISPM involves continuously monitoring and analyzing identities, access rights and authentication processes across your entire ecosystem to inform the current identity security posture. This gives you insights into your identity risk profile and guidance on how to remove that risk.

To get concrete, here are some examples of use cases or insights that would fall under the category of ISPM:

• Uncover dormant or inactive accounts

• Ensure widespread coverage and proper usage of strong MFA

• Evaluate administrator accounts for risky activity

• Monitor guest, contractor or service accounts for proper use

Deep dive into dealing with dormant accounts

So, what are dormant or inactive accounts? The definition can vary from organization to organization, but this usually refers to a licensed and provisioned account that has not performed any activity for an extended period of time.

Why are dormant accounts a risk?

Dormant accounts pose a significant security risk. The Cybersecurity and Infrastructure Security Agency (CISA) recently highlighted that attackers are now targeting these accounts as an initial entry point into organizational environments. According to a CISA report: "Attackers have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system."

The report also highlights that attackers can time their activities to align with a breach or incident at the company. For example, it is often the case that during an incident, employees across an organization are forced to do a password reset. CISA noted that attackers have “also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities."

In either case, dormant accounts are providing a viable entry point for attackers looking to gain access into company environments.

How Cisco Identity Intelligence helps identify dormant accounts

After ingesting data from identity data sources, Cisco Identity Intelligence analyzes the data and offers a variety of checks that highlight potentially inactive or dormant account risks. These checks can be used individually or in combination to zero in on dormant accounts and abnormal activity associated with dormant accounts. To illustrate the how Cisco Identity Intelligence does this, here are some of the checks that run inside the tool:

• Inactive Users: Detects users who are enabled (Active status) and who have not successfully authenticated for more than 30 days.

• Inactive Account Probing: Detects users with a sudden spike in failed login attempts after a long period of inactivity, which may be an account takeover attempt.

• Never Logged In: Detects accounts that were created but never successfully logged in. These accounts appeal to attackers, as they may be able to register their own MFA factors.

• Access from Dormant Account: Adversaries often target dormant accounts that belong to users who no longer work at a victim organization, but whose accounts still have access to the system.

• Unused Application for a User: Detects applications unused by a user. Users will fail this check if they have not used an application within 30 days.

Once the dormant accounts have been identified, it’s straightforward to limit or cut off access where necessary.

What is the benefit of remediating dormant or inactive accounts?

Security Benefit: By leaving standing entitlements in place that are not needed or not used on a regular basis, attackers may be able to use a dormant account to gain access to sensitive systems and data. By removing these entry points, the attack surface is made smaller and harder for attackers to penetrate.

Economic Benefit: Dormant accounts may consume license costs without using them. By remediating dormant accounts, the organization can save money on these unused licenses by removing them.

Interested in learning more?

By addressing the risk of dormant accounts, organizations can significantly enhance their security posture and reduce unnecessary costs. With Cisco Identity Intelligence, gaining visibility and managing identity security has never been easier.

Be sure to download our free ebook — Building an Identity Security Program — to learn more about building and maintaining an identity security program that actually works.

To learn more about how Duo can help you on your ISPM journey, check out our Duo and Cisco Identity Intelligence page. Or, start a free trial of Duo to try out this functionality for yourself.

In the June D292 Duo D-release, the Duo Federal edition integration with Microsoft Entra ID Conditional Access policies became available.

This Duo integration with Microsoft Entra ID (formerly Azure Active Directory) Conditional Access policies adds 2FA to Entra ID logons, offers inline user enrollment and supports a variety of authentication methods — such as Duo Push, Verified Duo Push, passkeys and security keys in the Universal Prompt. 

Microsoft Entra ID Conditional Access allows you to set policies that evaluate Entra ID user access attempts to applications and grant access only when the access request satisfies specified requirements e.g. user group memberships, geolocation of the access device, or successful multifaceted authentication.

Duo’s custom control for Microsoft Entra ID Conditional Access provides strong secondary authentication to Entra ID logons along with Duo’s granular access policies and controls complement and extend the access controls in Entra ID. It is important to note that this integration only works with Commercial Entra ID tenants and does not work for Entra ID GCC or GCC-High.

This is one of the first major updates since the Duo Federal edition since its FedRAMP Authorization.

Duo Federal MFA & Duo Federal Access

Both the Duo Federal MFA and Duo Federal Access editions will be undergoing an upcoming update to the edition names similar to what the Duo Commercial edition had back in May 2023. These changes align with the Cisco Security Portfolio and reflect our comprehensive solutions and rich feature-set.

For the Duo Federal editions, Duo MFA will be renamed to Duo Essentials and Duo Access will be renamed to Duo Advantage. Regardless of the name change, they will continue to be federally compliant and FedRAMP authorized. Learn more about Duo’s Federal editions.

These Duo Federal editions support Authentication Assurance Level 2 (AAL2) with Duo Push or Duo Mobile Passcode for both Android and iOS devices by default out-of-the-box with no additional configuration required. Duo also supports AAL3 authenticators such as FIPS YubiKey from Yubico.

Duo Care Premium Support available for Duo Federal

The Duo Care premium support program is available for our customers utilizing the Duo Federal editions.

This offering provides a dedicated team of Customer Success experts that will ensure your deployment is smooth and work with you through the lifecycle of your subscription to make sure you are maximizing the value of your Duo investment as your organization and business needs evolve.

In addition to the team of dedicated trusted advisors that serve as your strategic point of contact and technical experts - the Duo Care premium support program also includes extended support services such as: 24x7 phone availability, priority ticket SLA, VIP support line and more!

Download the Duo Care Information Sheet.

Get started with a free trial of Duo’s Federal Editions

Duo Federal MFA and Duo Federal Access editions are listed on FedRAMP Marketplace, and can be purchased via DHS’ CDM or by visiting our Federal editions page. If you would like to get started with a free trial of Duo’s Federal MFA and Federal Access editions, sign up through our Federal editions page and we’ll reach out to get you started!