Over the years, the Duo product has evolved from an easy-to-use MFA solution to a comprehensive access management solution with capabilities including SSO, device trust, and risk-based authentication. While the capabilities in our Admin Panel have grown, our overall administrator experience has largely remained unchanged.

Starting this month, we will begin transitioning our admin panel to a new look and feel that will make our admin panel easier to use and more cohesive across your Cisco Secure experience. We recently rolled out a new header and navigation styling for administrators to test out and provide feedback. With this release, we’ve modernized our admin panel to work better on larger screens and have moved help content to make it easier to use. The updated admin panel UI will also feature usability improvements for users who rely on screen-readers, magnification, and keyboard navigation to manage their Duo deployments.

Read more about our accessibility principles and how we’re working to build an inclusive experience for all.

All Cisco Secure products are moving to this more modern look and feel, and the header and navigation is just Duo’s first step on the journey. Our mission is to be our customers’ most trusted partner by providing effective security solutions. Building an easy-to-use administrator experience is a key part of that. Over time, administrators will have a consistent and seamless experience across all their Cisco Secure products, simplifying their job. This means administrators can easily achieve their organizational objectives, whether it's implementing a zero trust architecture or minimizing security gaps with a consolidated set of tools.

“At the end of the day, our product should make people's jobs easier. We design our product experience as a trusted advisor to Duo administrators, helping you keep your organization secure and your employees productive and safe. We'll continue to drive toward easy and effective experiences for all.” – Amber Lindholm, Head of Duo Design

You can expect more improvements to come to the Duo administrator experience, but not without input from admins like you. Sign up to participate in research and feedback with our product teams.

We’re taught from an early age that good health is important to our well-being. Eat the right foods, exercise, drink plenty of water, and get at least eight hours of sleep. But what about preventive care? Most of us aren’t great about getting regular check-ups. In an ideal world we’d get an assessment of our “personal health posture” before we walk in the front door of our home. After all, no one wants to bring home a cold to family and friends.

We can apply this concept to the work environment. The corporate network is our home, other devices we interact with are our family members and friends, and resources such as applications and data are the stuff we need access to like the refrigerator and television. And that cold we want to avoid getting and passing around? That’s malware. If we bring malware into our network, it can lead to all sorts of problems – data breaches, denial of service attacks and account take-overs to name a few.

Much like the modern family, today’s workforce is a bit more blended. Many organizations have employees, contractors and partners who need network access. Some work in the corporate office while others are remote. There are corporate-owned devices, personal devices (BYOD), even shared devices. You wouldn’t let someone into your home if they were sick, so why let these devices on your network without first checking their health?

Assessing the health posture of devices, regardless of whether they're company-issued or personal, before letting them access network applications is a good security practice. To help with that, there's the Duo Device Health Application (DHA) which performs a real-time check on macOS and Windows devices at the time of authentication to establish their health. Now, we've expanded operating system support to include certain versions of Linux OS.

Read on to learn more about this expanded coverage, and about how the Device Health app can help you prevent risky devices from accessing essential resources.

Establish device trust with health checks

Verifying user identity before granting access to a network application is the first step in a well-designed security strategy. But it’s no longer enough. There have been too many cases where a verified employee/contractor/partner brought a malware-riddled device onto the network with disastrous results.

Beyond establishing user trust, organizations also need to verify the health of every device before allowing access. It's part of a strong zero trust strategy. But what makes a device “healthy”? Here are some checks to consider when creating your access security policy:

• Is the device running the latest OS version including patches?

• Is the browser up to date?

• If there are plug-ins, are they the latest version?

• Is a system password in place?

• Does the device have an encrypted drive?

• Is the host firewall enabled?

• Is the device running an endpoint security agent?

• Is it a corporate-issued managed device or an unmanaged BYO device?

Verify device security posture with the Duo Device Health app

As the number of connected devices continues to grow, so does the pressure on security and IT teams to ensure these devices have a healthy security posture. One tool that can help is the Duo Device Health Application. A lightweight client application for macOS, Windows and Linux clients, the Device Health application provides the controls organizations need to create custom access policies that allow or block connections to applications based on device health. It’s part of a more extensive Duo Trusted Endpoints policy that also considers whether a device is managed or unmanaged.

The good news is the Device Health application includes guided remediation that enables users to address the issue and bring the device under compliance quickly and easily. Once that happens, access is granted. Not only is your end-user happy, there’s also no Help Desk ticket to bog down your IT team. Here's some more good news. The Device Health app can update seamlessly to the latest version without user intervention through a Silent Updates feature. Available updates are automatically downloaded and installed without users needing to take time out to enter a password or click through an install wizard.

More ways to check device health

In addition to the list above, the Device Health application enables administrators to combine a Device Health application policy with other Duo policies to check the status of browsers and plug-ins. For example, organizations may hesitate to allow access from devices that aren’t running the latest version of Google Chrome.

The same goes for devices using plug-ins. Outdated browsers and plug-ins are well-known attack vectors, so keeping them current is critical. Again though, the Device Health application’s self-remediation feature makes it easy to update to the latest version with step-by-step instructions.

Duo Premier edition customers have additional device health check options at their disposal. The Device Health application can check to see if an endpoint security agent is running on the device. Duo supports many of the leading endpoint security solutions.

For organizations that want even tighter control, the Device Health application reports unique device identifiers to verify whether devices are enrolled in your endpoint management solution. While a device may pass the required health checks, IT may want to distinguish between devices managed by your organization and those that are not before deciding whether to grant access.

What’s new with Duo Device Health?

I’ve written a lot about the importance of good device health. Creating and enforcing strong security policies when it comes to allowing or blocking access to your applications will help keep your network protected from cybercriminals.

If you’d like to try the Device Health application and experience how Duo can simplify access for your workforce, sign up for a free 30-day trial.

Editors Note: This blog was originally published in September 2022, but has been updated with more recent information.

In November 2022, we announced the general availability of Duo Passwordless. With this release, many high security and low friction authentication methods were made available. These methods have transformed the security of organizations who have been able to take advantage of Duo Passwordless both in their ease of use and phishing resistance.

Duo understands that organizations are at varying levels of modernization and may still depend on the use of MFA for some or all their applications. Whether this is due to specific infrastructural, organizational, or compliance reasons, Duo is closing this gap by adding the same easy-to-use and low friction authentication methods to MFA for browser-based authentication based on the Universal Prompt. These methods include:

• Windows Hello

• macOS TouchID

• iOS (TouchID/FaceID)

• Android (Fingerprint)

By unlocking capabilities already available on most devices (based on actions users are already familiar and comfortable with), you now have more options than ever for your users to securely authenticate into protected applications.

How do users enroll?

What makes these methods so secure?

In 2012 a group of 250+ security vendors formed the FIDO (Fast Identity Online) Alliance to combat authentication challenges "with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords”, and Web Authentication API, or WebAuthn for short, was born.

Public key cryptography

The concept behind WebAuthn is not new. It’s based on Public Key Cryptography. It is behind the widescale growth of ecommerce on the internet. It is what allows you to connect to your bank online over secure hypertext transport protocol (https) and be confident your financial information will be encrypted.

You may have seen a popular exchange between Alice and Bob to explain the concept of Public Key Cryptography. The essence of the explanation is that thanks to the magic of cryptography you can send a “secret” encrypted message using a public key and only the owner of that public key can decrypt it with their private key. Then they in turn can, digitally sign that message, and use that secret to setup an encrypted session to send it back and then both parties can communicate bidirectionally securely.

What is WebAuthn?

WebAuthn is a different protocol with a different purpose but uses that Public Key Cryptography concept to setup and share encrypted messages between two points over the internet. WebAuthn allows servers to register and authenticate users using Public Key Cryptography. It allows servers to integrate with strong biometric authenticators, built into devices, like Windows Hello or Apple’s Touch ID.

Instead of a password, a private-public keypair (known as a credential) is created for a website. The private key is stored securely on the user’s device; a public key and randomly generated credential ID is sent to the server for storage. The server can then use that public key to prove the user’s identity.

The public key is not secret, because it is can only be used with the corresponding private key. Therefore, the public key does not need to be secured on servers, like shared secrets. The private key may be stored on user devices with encryption technology like Trusted Platform Module (TPM) technology which uses secure tamper resistant hardware.

Three significant strengths of WebAuthn include:

• Stored - Private keys, used to perform the cryptographic operations needed for WebAuthn, are stored in a secure enclave on the access endpoint often backed by a Hardware Security Module. In the case of passkeys, the keys are stored in an MFA-protected keychain. More on passkeys below.

• Scoped - A keypair is only useful for a specific origin, like browser cookies. A keypair registered at a web site domain cannot be used at alternate site, mitigating the threat of phishing.

• Signed - Authenticators can provide a certificate that helps servers verify that the public key did in fact come from an authenticator they trust, and not a fraudulent source.

What are passkeys?

In short, passkeys are also WebAuthn credentials, but they can be synchronized in a secure keychain for use on multiple devices within the same device ecosystem. On top of the security benefits of WebAuthn, keychain-synced Passkeys are an up-and-coming tool to reduce or eliminate difficulties that arise from end-users getting a new device, just as instant restore solves this problem for Duo Mobile users. This release offers a limited amount of passkey support across the Apple ecosystem and on Android devices. As passkeys become more commonplace, we expect to support them wherever possible in the future! You can read more about passkeys on our blog post What Are Passkeys?

Universal Prompt

Last year, Duo announced the General Availability of the new Duo Universal Prompt with various security features, and user experience improvements only available in the new prompt. Next year the legacy Duo Traditional Prompt will no longer be supported.

These expanded authentication methods are only available in Universal Prompt. Security Keys and TouchID for macOS on Chrome will continue to be the only available WebAuthn methods in the Traditional Prompt.

Summary

With expanded WebAuthn support Duo’s MFA is stronger than ever and it’s available in all Duo editions. By introducing WebAuthn as an authenticator in your environment you can improve user experience while reducing friction. Get started today!

Securing access to an ever-expanding list of cloud platforms is top-of-mind for many IT teams. But conventional protection solutions, like password security, fall short when it comes to efficacy. That’s why many tech companies are turning to passkeys as a more secure and convenient replacement.

We have a lot of thoughts on passkeys – some of which we’ve shared in other posts in this passkey blog series – and today we’re going to explore how passkeys stack up against passwords from the perspective of cloud platforms.

Want to learn more about passkeys in the enterprise? Be sure to tune into our webinar, The State of Passkeys in the Enterprise, on September 7th at 9am PST | 12pm EST.

Passkeys on Cloud Platforms

Passkeys have growing support from significant vendors. While there are areas where passkeys could be better, it is clear that they are the leading contender to improve authentication by an order of magnitude and bring an end to passwords.

Passkeys are better than passwords

Multi-Vendor

Last year, Apple, Google and Microsoft announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the W3C.

According to the FIDO Alliance, it includes:

1. “Allow users to automatically access their FIDO sign-in credentials (referred to by some as a ‘passkey’) on many of their devices, even new ones, without having to reenroll on every account.”

2. “Enable users to use FIDO authentication on their mobile device to sign into an app or website on a nearby device, regardless of the OS platform or browser they are running.”

Apple

Apple introduced support for passkeys at its 2021 Apple Worldwide Developers Conference (WWDC) as a tech preview, introduced broader support at WWDC 2022 and announced additional features at WWDC 2023. This includes:

• Conditional UI support

• Legacy authenticator support

• Cross-vendor support

• Airdrop sharing support

• Enhanced iCloud Keychain integration

• Enterprise attestation with platform authenticators

To get more analysis of the passkey-related announcements at each conference, including code snippets, check out Cisco Duo’s passkey development leader and FIDO Alliance technical contributor Matt Miller’s blog posts:

• WWDC22 Part 1

• WWDC22 Part 2

• WWDC23

Apple ID

Users with Apple ID will automatically be assigned a passkey starting with iOS17, iPadOS 17 and macOS Sonoma. This will allow them to sign in to their Apple ID sign-in pages with Face ID or Touch ID instead of their password.

Apple Business Manager

Apple Business Manager is a web-based portal that helps you manage Apple devices and enable employee access to Apple services, apps and other software.

Apple OS releases in 2023 are targeted to include support for iCloud with Managed Apple IDs, supporting the same kind of sync capability as Apple IDs. This increases the viability of passkeys in enterprise environments.

To create and work with managed Apple IDs, Apple Business Manager needs to be federated with an organization’s identity provider. Apple is expanding which identity providers can be used with its implementation of OpenID.

Vision Pro

The announcement of Apple’s Vision Pro, aside from foretelling the awesome AR/VR experiences, included the introduction of Optic ID, offering biometric authentication using the iris in users’ eyes!

Google

Google jumped in feet first when it announced support for passkeys on personal accounts across broad services, along with the ability to store them on supported devices. So, 2-Step Verification (2SV) is no longer required with them.

Workspace

At the start of the summer of 2023, Google announced an open Beta, enabling nearly 10 million organizations’ users the ability to sign into Google Workspace and Google Cloud accounts using passkeys instead of passwords.

Google Password Manager

On Android, the Google Password Manager provides backup and syncs passkeys. They are always encrypted end-to-end, with the private key only accessible on the user’s own devices, which prevents access by Google itself.

Android and Chrome

Last year, Google announced support for passkeys on both Android and Chrome OS-based devices. They are built on the existing password autofill experience, allowing users to select a passkey, similar to how they accept a saved password.

Credential Manager API

Google released the Alpha of Android’s upcoming Credential Manager passkey provider API support earlier this year. This enables client-side support for passkey authentication.

Security Keys

Google reports that “passkeys are strong enough that they can stand in for security keys for users enrolled in our Advanced Protection Program.” In other words, they could be used on a device in place of a Google Titan Security Key.

Temporary Passkey

If a user temporarily uses someone else’s device, Google supports selecting the option to “use a passkey from another device.” It only uses the phone’s screen lock and proximity to approve a one-time sign-in.

Device-Bound Passkey

Google supports device-bound passkey scenarios where relying parties may still require signals about the strong device binding that traditional FIDO credentials provide, all while offering the recoverability and usability of passkeys.

Microsoft

Microsoft’s Widows 11 Insider Preview includes support for passkeys, with the ability to go to any app or website that supports passkeys to create and sign in using passkeys with the Windows Hello native experience.

Windows 11 preview also includes passkey support for:

• Creating and signing in using passkeys saved on a Windows device

• Sign in using passkeys saved on a mobile phone

• Search and delete from a list of passkeys saved to a Windows device

Portability

Passwords may be transferred between devices by password managers but need to be unencrypted for use.

Passkey private keys are transferred across cloud providers through end-to-end encryption between secure enclaves. They will also be transferred between cloud providers by passkey exchanges.

Recovery

Password managers often sync to the cloud, but this comes with a risk. We saw challenges at LastPass when a developer’s credentials, and ultimately their master password, were compromised.

Portability lends itself to the ability to easily recover passkeys as a replacement for a lost or stolen device. And unlike passwords, passkeys require biometric verification to access the private key from the passkey pair.

Passkeys could be better

Multi-Use

When passwords are cached on a local device, they leave behind a secret that malware can harvest. And when users re-use passwords across different websites, they risk password spraying attacks and put all of their accounts at risk.

While passkey portability and recovery are great benefits, the fact that they can be shared on multiple devices across multiple clouds is an unproven concern to security organizations, akin to the way identity phishing has made them reconsider MFA.

Passkeys with Cisco Duo

Cisco Duo launched passkey support with the release of the Duo Passwordless solution in 2022. Since then, it has expanded functionality with the introduction of Risk-Based Authentication and by bringing privileged access to the Duo console.

Security Platform

Cisco Security Cloud is an open, integrated security platform for multi-cloud environments. With a best-in-class networking security presence, it is well-positioned to be a host for passkey synchronization and management.

Threat Detection

On 7/13/23, Cisco announced its intention to acquire Oort and its pioneering Identity Threat Detection and Response (ITDR) technology. Oort’s telemetry with predictive identity analytics could protect passkey synchronization.

Threat Monitoring

Cisco Talos, with its proven threat intelligence and team of researchers, analysts and incident responders, provides leading security research and response globally, with advanced insights to protect synced passkeys.

Ready to get started on your passkey journey?

At times, we promote technology for a specific purpose, and it has a limited life. However, passkeys are poised to replace passwords in the long term. They’ve been designed to provide both lasting authentication strength and a quality user experience.

The hard work has been done, led by the FIDO Alliance developing the standards behind passkeys. And progress has been made towards replacing passwords, but the journey is still far from over.

Remember, to learn more about the state of passkeys and where they’re used within Duo’s passwordless solution, join Matt Miller, our development technical leader, Cindy Qu, our product manager, and me, Matt Brooks with product marketing, on our upcoming webinar The State of Passkeys in the Enterprise. Tune in on 9/7 at 9am PST | 12pm EST.

These days, users connect to company resources through a variety of endpoints: desktops, laptops, mobile phones, tablets, wearables…the list goes on. And when it comes to managing access for this plethora of devices, password security just isn’t cutting it anymore. That’s where passkeys come in.

In our recent passkey blog series, we’ve been unpacking the difference between new passkey technology and more conventional password security in light of some of the most critical authentication scenarios. Today, we’re taking a closer look at how passkeys compare to passwords from the perspective of user endpoints.

To learn more about the difference between passkeys and passwords – and which solution offers the best value for enterprises – be sure to tune into our webinar, The State of Passkeys in the Enterprise, on September 7th at 9am PST | 12pm EST.

Passkeys on User Endpoints

Passkeys and passwords can both be stored on endpoints. With the former, this is a strength as the private key is stored in a secure enclave and not shared. The latter may be secured in a password manager, yet may also be stored in an open text file or cached in a browser, leaving them vulnerable to endpoint attacks.

Passkeys are better than passwords

Storage

Passwords can be scraped from a text file or extracted from a browser cache. They’re also vulnerable to malware on the endpoint.

Passkey private keys are typically protected by a hardware secure module, like iOS’ Secure Enclave, and must be present on the device to authenticate.

Multi-Device

Most users employ multiple devices to use their applications. Passwords may be used on all of them, but they must be re-typed, which is difficult on small-form factors. They’re also at risk of theft if they’re left cached on the device.

Passkeys excel at multi-device use. In the Apple or Google ecosystems, they can seamlessly be shared between devices logging into the same iCloud or Google account respectively. They can also be used on other devices through QR code-based “hybrid” authentication.

Passkeys include a new backup eligibility flag, which is determined at the time of registration. When this flag is false, then the passkey should not appear on the other devices. When it’s true, then credentials may be synced to a different device.

Biometrics

Passwords provide no verification of user identity. Once a user’s credentials are known, they may be used by attackers on any system with user accounts, from anywhere.

Passkeys based on the FIDO2 WebAuthn standard can use an authentication device’s local biometric capabilities, like Face ID or Touch ID, to verify the user’s identity and provide multiple factors of authentication in a single interaction.

Passkeys could be better

Shared Devices

Passwords, with or without MFA, are often used by different users to log in and log out of a shared device, like devices in a call center with multiple shifts. Or, they may be used with generic accounts on kiosks, like in retail environments.

Each user account on the same device should have separate passkeys. If multiple users use the same account, though, then a Relying Party would want to use security keys or cross-device authentication exclusively.

While passkeys function on shared devices, users need to be aware they are sharing their identity. Google recommends that, “If you Don’t want the other users to access your account, do not create a passkey on a shared device.”

Local Login

Passwords are often used for local device login, using local accounts stored in secure enclaves maintained by the operating system. Or, they’re used for network login with domain directory accounts over a LAN/WAN or an always-on VPN.

While passkeys were designed for web application support, true passwordless solutions support federated logon to desktops with passwordless SSO and to local and cloud applications alike.

Passkeys with Cisco Duo

Duo’s Trusted Endpoints policy allows you to block or allow devices based on whether they are managed by your organization or registered with Duo.

Duo will check if devices are enrolled in an MDM solution or domain joined. Or, admins can even manually import a list of device identifiers. This prevents users from participating in passkey registration and authentication ceremonies on untrusted devices.

Want to learn more about how passkeys function on user endpoints?

We've got a lot of thoughts on how passkeys stack up against passwords, from the perspective of remote users, cloud sites, cloud platforms and user endpoints. To learn more, check out the rest of the posts in our passkey blog series.

Or, be sure to tune into our webinar to hear from Duo’s experts: Technical Leader Matt Miller, Product Manager Cindy Qu, and Product Marketer Matt Brooks. We’ll talk about current passkey technology, trends in the marketplace, and where passkeys are used within Duo’s passwordless solution. Remember, The State of Passkeys in the Enterprise happens on September 7th at 9am PST | 12pm EST.

Nobody likes passwords. So for many IT teams, the news that tech giants are steadily embracing passkey technology is exciting. After all, passkeys promise both simplicity and security – a tantalizing combination for security teams that are already spread thin. But how effective are passkeys really? And is it realistic to consider passkeys – and the passwordless solutions they support – as a valid alternative for traditional password security?

We’ve been answering these questions in this blog series by unpacking the pros and cons of passkey technology from different authentication perspectives. Today, we’re focusing on how passkeys compare to passwords when it comes to authenticating on cloud sites.

Want to dig in deeper on the password vs. passkey debate? Be sure to check out our upcoming webinar The State of Passkeys in the Enterprise on September 7th at 9am PST | 12pm EST.

Passkeys and Cloud Sites

Cloud sites are where the web applications are hosted. They must support FIDO2 to enable passkey authentication and are also known as the “Relying Party” in the registration and authentication ceremonies.

Passkeys are better than passwords

FIDO2

Passwords are shared secrets and do not remain on the local authentication device. Instead, they are shared with target cloud application site(s) and are always at risk along with the integrity of the site’s storage security system.

Passkeys are based on the FIDO2 standard, which means:

• No Shared Secrets – There are no shared secrets, and the private key portion of the passkey pair is always kept encrypted locally on the authentication device.

• Origin Binding – The site a user is attempting to log into must match the domain, or origin, where the passkey was registered. An alternate site cannot be substituted, mitigating the threat of phishing.

• Channel Binding – The communication channel from the authenticator to the website must be strongly tied to the browser session attempting to authenticate.

Development

Passwords, and some forms of MFA developed to work around their weaknesses, are based on legacy protocols and workflows. These are a waste of development resources to build and maintain for application authentication.

Future proof development by becoming a Relying Party. CISOs can confidently include support for passkeys in their application modernization plans, supported by their promise of efficiency and security.

Vulnerability

Passwords may be stolen when users are tricked into entering them in phishing websites. Or, if the cloud site that stores them is hacked, they become available to the highest bidder on the dark web.

Passkeys are split. Only the private key, maintained on the user's endpoint, can be used to sign an authentication request. Passkeys are also never stored on the cloud site, and they cannot be phished thanks to FIDO2.

Passkeys could be better

Multi-Domain Support

Many vendors use multiple domain names for their services, with different top-level domain extensions like .com, .net, .biz, etc. A separate set of passkeys are required to authenticate into each site.

Passkeys with Cisco Duo

Duo provides a broad set of security functionality to support passwordless authentication. This includes Duo Device Health, which verifies device posture and protection status prior to providing authenticated user access.

Duo's cloud-based solution supports a zero trust approach to security for hybrid cloud environments, with adaptive authentication that dynamically evaluates risk signals by continuously analyzing user and device context.

Looking for more information on passkeys?

Passkeys are poised to replace passwords over the long haul, it's in the best interest of IT and security teams to learn about the differences to help drive their passwordless journey.

Be sure to tune into our upcoming webinar, The State of Passkeys in the Enterprise, on September 7th at 9am PST | 12pm EST. I’ll join our development technical leader Matt Miller and our product manager Cindy Qu to discuss current passkey technology and trends. Then, we’ll break down how and where passkeys are used within Duo’s passwordless solution.

"Based on FIDO standards, passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing resistant. Passkeys simplify account registration for apps and websites, are easy to use, work across most of a user’s devices, and even work on other devices within physical proximity.” - FIDO Alliance

Most people know what passwords are and have experienced first-hand some of the many issues with them. The FIDO Alliance asserts that passkeys are a replacement for passwords. Therefore, we can measure the state, or progress, of passkeys adoption by their readiness to replace passwords. If you are new to passkeys, you can get up to speed with our primer: What Are Passkeys? And be sure to check out our upcoming webinar, The State of Passkeys in the Enterprise, on 9/7 at 9am PST | 12pm EST.

In this blog series, we will look at passwords vs passkeys from four different perspectives in the authentication process:

• Remote User – Compare operation and security

• User Endpoint – Evaluate endpoint and storage considerations

• Cloud Sites – Look at their interaction and use of cloud applications

• Cloud Platform – Evaluate how they are handled and managed by key vendors

Today, we're going to focus on how passkeys are better than passwords for remote users. We'll also talk about areas of improvement for passkeys.

Remote Users

The web authentication process begins when the remote user wants to connect to an application.

Passkeys are better than passwords

Setup

It’s not worth rehashing all the woes of passwords, but to summarize: They’re a challenge for the user to create with complex rules to remember, to change and to manage overall.

Passkeys are created, encrypted and stored by the endpoint for the target application (also known as the relying party). So both initial registration and usage are easier for the user and out of reach to cybercriminals.

Support

Password-related issues are typically a leading consumer of helpdesk and IT support staff time and resources, from providing lockout and reset help to onboarding support.

Passkeys require more support around deployment and enablement. Users need to be trained since they’re a new way of authentication, but typically users can enroll or manage them through a UI-driven workflow by themselves.

Standards

Passwords, also known as Memorized Secrets, were never invented and managed by standards bodies. U.S. government agencies like NIST provide guidelines, but implementation and use vary by vendor and organization.

Passkeys evolved from standards produced by the FIDO Alliance organization, which is a consortium of 250+ vendors that want strong and effective authentication for their users and/or consumers.

Security

Longer passwords with more character options make it harder to decipher or calculate in brute force attacks. But unless users are using a password manager, they often make passwords easy to guess to help remember them.

Passkeys based on Webauthn are proven to be resistant to phishing, credential stuffing, adversary-in-the-middle (AITM), server breaches and may other cyberattacks. Also, they’re designed to work with biometrics, providing high identity verification efficacy.

Multi-factor

Since password-based authentication is so vulnerable, it’s typically paired with other factors. It’s also a requirement to get cyber insurance. Yet many forms of MFA are susceptible to phishing or bypass attacks, and they convolute the user workflow.

Passkeys can be used as a factor to shore up password-based MFA or can be used independently. Google considers them “strong enough that they can stand in for security keys” for use in their Advanced Protection Program.

Private

Passwords by design are stored on target cloud application sites (or by an IDP in the case of Single Sign-On). They are known as “shared secrets” because others have access to them, often including hackers.

Passkeys are designed based on Public-key cryptography.

Efficiency

Passwords require time to type, often followed by a second authentication factor. They’re also difficult to enter on mobile devices without the convenience of a full keyboard, especially when users are entering special characters.

Passkey workflows are designed to be efficient and save time. Also, users do not need to take additional authentication steps that are necessary to protect password-based authentication, like copying and pasting OTP codes from an email.

Passkeys could be better

Enterprise

Although they are highly vulnerable, password-based processes are embedded in enterprises. They’re understood by users and admins alike, and their workflows are well known for onboarding new users.

Although passkeys are a strong authentication method, they use new technology and require workflow optimization by IAM vendors. They also require the development of new processes by enterprises, along with the onboarding that goes with it.

Compliance

Although passwords are inherently risky, they’re less vulnerable with coupled with additional factors. This is supported by the fact that MFA is often required in order for enterprises to obtain cybersecurity insurance.

Although FIDO standards allow for passkeys to be synchronized or to remain device-bound, some regulations need to be addressed. This includes the possession requirement in the European SCA standard for electronic payments.

Virtualization

Passwords may be used on native endpoints and virtual desktops access through native applications or browsers, since they’re entered manually in a web form irrespective of where they’re hosted.

It’s not clear how passkeys and client-to-authenticator protocol (CTAP2) biometrics may be used by virtual desktops. An effective solve for this use case is still being investigated by vendors.

The latest release of Windows 11 does allow for WebAuthn use in virtual machines (VM) using Windows Hello on the machine the user is remoting in from. Remote Desktop will pipe the request and response out of and into the remote machine.

Passkeys with Cisco Duo

Duo is a member of the FIDO Alliance and is helping to evolve passkeys.

• Matt Miller is on the FIDO Alliance’s Technical Working Group

• Sierre Wolfkostin is on the FIDO Alliance’s User Experience Working Group

Duo remains committed to helping drive adoption of passkey technology. It continues to bet on open-source passkeys for use with FIDO2-enabled web applications, with biometrics verification based on:

• Microsoft Windows Hello

• MacOS TouchID

• iOS FaceID or TouchID

• Android Pixel fingerprint or facial recognition

• Samsung fingerprint or facial recognition

• WebAuthn FIDO2 security keys, including Yubico or Feitian

*Duo Push via Duo Mobile secured by biometric, PIN or passcode is available as an alternative when access devices do have biometric readers and subsequently are unable to support FIDO2.

Want to learn more about passkeys?

Tune into our upcoming webinar, The State of Passkeys in the Enterprise, on 9/7 at 9am PST | 12pm EST. Matt Miller, our technical development leader, will join Cindy Qu, our product manager, and me, Matt Brooks with product marketing, to discuss the state of passkeys and where they're used within Duo's passwordless solution.

At any given point in time, the Duo Care teams are having conversations with customers that span the spectrum of security topics. We love being able to work with organizations who are just getting started with Duo, as well as work with organizations who are looking to build more comprehensive protection on top of an initial MFA deployment.

What have we been most excited to talk to our customers about recently? Access Management and Trusted Endpoints.

Access Management Is Essential to Cybersecurity Excellence

In Case You Missed It (ICYMI) over the last handful of years, cybercriminals have stepped up their game, particularly when it comes to attacking weaker MFA implementations ... but as you read in previous blogs, Duo has been upping its game too.

Duo has released features like Risk-Based Authentication and Verified Duo Push, added features like OIDC to Single-Sign-On, and expanded support for Passwordless – all of which can help organizations have more comprehensive protections in place.

Another key step in directly combatting the recent MFA focused attacks is evaluating whether the device can be trusted. That is why Duo Care has been so excited about the expansion of Duo’s Trusted Endpoints feature to all editions – Essentials, Advantage, and Premier.

By implementing Trusted Endpoints, organizations can differentiate between managed and unmanaged devices and set policies accordingly – giving you the option to block access from unknown devices and only allow trusted devices to gain access to sensitive applications and resources. Not only does this give organizations better control to ensure access devices meet your security standards, but it also provides further protection from social engineering attacks.

Fast Track to Success with Duo Care

The Duo Care Premium Support Program was created because we really do care. The dedicated Customer Success Managers and Customer Solutions Engineers who make up the Duo Care teams strive to be true trusted advisors to organizations who are using Duo. It is in that role that we have been so excited to talk to everyone about Trusted Endpoints.

It is true that Duo’s product has long been loved for how fast deployment is and how easy solutions are to use – and the Trusted Endpoints feature is no different. Still, organizations working with Duo Care will have a dedicated partner every step along the way.

We have end user communication templates that will make explaining this new feature to your organization a breeze and will share plenty of best practices, so you can be confident in the plan. Check out this sample timeline of a customer rolling out Trusted Endpoints:

Duo Care will meet with your team to strategize around any nuances of a more complex environment and make sure to answer any questions that you might have about how Trusted Endpoints will fit into your overall security plan.

For Duo customers on the Advantage and Premier editions, this might include discussing more about Device Health Checks (Is this device’s operating system up to date?) and Endpoint Protection Checks (Does this trusted and healthy device have an endpoint protection agent like Cisco Secure Endpoint agent installed?) in addition to the Trusted Endpoints Check (Is this user’s device managed/registered?).

Ready to take the next step?

If you are just as excited as we are about the Trusted Endpoints feature, take action today!

Duo Care Customers

• Send an email to your Customer Success Manager – alongside your dedicated Customer Solutions Engineer, they will be ready to schedule a call to help you get started!

All Other Paid Subscribers

• View Trusted Endpoints Documentation

• If you are interested in adding Duo Care Premium Support to your current contract, please send an email to your Duo Account Executive or Cisco Account Manager.

In a world where remote and hybrid work is here to stay, cybersecurity internships are no exception. For interns in security at Cisco, a hybrid environment has contributed to learning, building connections, and feeling energized. For meaningful opportunities in a hybrid environment, learn about our internship and early-in-career opportunities.

Will travel for hybrid

Despite studying computer science in Boston, Pratham Shroff decided to move to Ann Arbor, MI for his summer internship to have more direct access to his colleagues working on Duo. Why? “Meeting new people over lunch is really easy. You just go to the kitchen, and soon you’re sharing a meal with engineering managers,” he said. “Those small things really help going forward.”

It also helps that, “everyone is very, very welcoming. The ‘be kinder than necessary’ value, everyone has that and that’s what makes you feel very welcome here at Cisco and Duo,” Shroff elaborated. Technical Intern Shubhangi Tiwari, who works from Cisco’s Bangalore campus, echoed that sentiment: “The work culture makes me feel so comfortable and efficient, I feel like a better version of myself at Cisco.”

In the room where it happen

“Every day in the office is exciting for me. Whether it’s progress in my project, participating in events, unwinding with games, hanging out with colleagues or even meetings, I’m excited by it all!” – Shubhangi Tiwari, Technical Intern

Tiwari savors connecting with colleagues at the Bangalore campus. “Every day in this office is exciting for me. Whether it’s progress in my project, participating in events, unwinding with games, hanging out with colleagues or even meetings, I’m excited by it all,” she said.

Let the learning continue

Xander Hughes, a front-end web development intern who studies in New York, moved to San Jose for the summer to work out of Cisco’s headquarters there. He reflected on the additional learning hybrid cybersecurity internships afford.

“Now that I’m in the corporate world, it’s really interesting to learn how hybrid works among other people and how you interact with those people who are also hybrid. I’m learning how to work in this environment with tools that are really helpful in the workflow and pipeline,” Hughes said.

In addition to fun in-person opportunities for interns to connect – including an intern carnival with a DJ, raffles, and games – Hughes has appreciated a dedicated intern space on WebEx. “At first, I thought it was not going to be very chatty, but it’s very lively. Interns are always talking in there. We have a global intern chat, San Jose intern chat, and software development intern chat to build up relationships with other interns remotely or to schedule time to meet up for lunch for local interns,” Hughes shared.

Interested in Hybrid + Remote Cybersecurity Internships?

If you’re driven by innovative work and meaningful collaboration, learn what working in security at Cisco looks like.

In the ever-evolving cybersecurity world, organizations must adopt robust measures to safeguard sensitive data and critical systems. Access management solutions, including single sign-on (SSO), multi-factor authentication (MFA), and privileged access management (PAM), can offer a comprehensive defense against threats.

However, finding the strongest solutions to securing access is an equally dynamic landscape. In this article, we'll some address counter-proofing points to support a well-rounded perspective for technical buyers.

Strengthening authentication with single sign-on (SSO)

SSO simplifies user access by enabling them to log in once and access multiple applications seamlessly. By reducing login credentials and offering self-service, SSO helps save time and cost for onboarding to applications, password resets, device management and more.

When evaluating which single sign-on solution to go with, it's essential to consider the following counterpoints:

1. Types of Application Protections: A strong SSO should come with several out-of-the-box integrations and the ability to easily protect SAML 2.0-based and mobile-first OpenID Connect (OIDC) applications. To enable and secure remote access, SSO should also allow your users to access on-premises websites, web applications, SSH servers, RDP and SMB/file server hosts without having to worry about managing VPN credentials.

2. IdP Integration Complexities: Integrating SSO solutions with existing identity can be complex. Compatibility issues, custom development, or third-party dependencies may require additional technical expertise and resources during the implementation phase. There should not be a need to rip and replace any existing security architecture, and thorough documentation should be provided.

Bolstering security with multi-factor authentication (MFA)

MFA adds an extra layer of security by requiring users to provide multiple forms of identification—commonly between “something you know,” “something you have,” and “something you are.”

However, technical buyers looking at MFA should consider the following two counterarguments:

Safeguarding critical resources with privileged access management (PAM)

PAM focuses on securing privileged accounts and provides granular control, session monitoring, and user accountability.

However, when considering PAM controls, technical buyers should address the following counterproofing points:

1. Ease of Policy Set-Up: Granular access controls can help quickly onboard partners and contract employees, change application permissions and protect high-value information with stringent security policies. However, as application access shifts, it is critical that established policies also be easy to update and maintain – without potentially requiring additional headcount.

2. Continuous Risk Assessment: Risk-based authentication relies on ongoing evaluation of contextual factors, such as user behavior, device health and network conditions when granting or denying access. This eases the authentication burden on users, only stepping up when risky changes are detected. Organizations should ensure that the risk assessment algorithms are accurately calibrated to prevent false positives or negatives, impacting user experience.

3. Regulatory Compliance: Access management is a core security function often required by regulation and cyber liability insurance providers. Some industries or jurisdictions may have specific compliance requirements that organizations need to address when implementing MFA methods such as risk-based authentication. Ensuring alignment with relevant regulations is crucial to avoid penalties or legal consequences.

Conclusion

Technical buyers must consider the counter-proofing points raised to ensure successful implementation and adoption. With a comprehensive approach that combines innovative technologies, user education, and ongoing monitoring, organizations can build a resilient security infrastructure that protects critical resources from unauthorized access and mitigates cybersecurity risks effectively.

Duo’s access management solutions

Duo protects against breaches with a leading access management suite that provides strong multi-layered defenses and innovative capabilities that allow legitimate users in and keep bad actors out.

• Cisco Duo’s MFA solutions offer various authentication factors, including push notifications, one-time passcodes and biometrics. Duo Security’s passwordless authentication enhances PAM by removing the reliance on traditional passwords.

• Duo’s Single Sign-On supports on-premises Active Directory (AD) and cloud or on-premises SAML IdPs as identity sources, including pre-built common attributes. Duo provides the easiest passwordless SSO solution to deploy and manage.

• With granular controls, Duo’s Risk-Based Authentication evaluates potential threat signals at each login attempt and adjusts security requirements, in real time, to protect trusted users and frustrate attackers. Additionally, Duo’s Wi-Fi Fingerprint technology can use anonymized Wi-Fi network data to determine if a user’s location has changed, enabling Duo to evaluate risk while protecting users’ privacy.

• With the Admin Panel, you can set up detailed policies in minutes via a simple, intuitive administrator dashboard, and manage rules globally or for specific applications, devices, or user groups. Duo protects all your applications with one single policy enforcement which gives you consistent policy enforcement between both private and SaaS applications.

Organizations can strengthen their security posture and meet the demands of an evolving threat landscape by integrating Duo Security's unique access management authentication features. Learn more or try for yourself with a 30-day free trial.

In our never-ending quest to help customers safeguard their environments and streamline security operations, Cisco Duo maintains constant lookout for rich vulnerability and threat intelligence so that we can provide the strongest protection. One piece of that effort is dedicated to understanding the types of tactics and attacks targeted at today’s organizations. That’s where MITRE ATT&CK® comes into play.

In this blog, we’ll shed light on how Cisco Duo helps mitigate common attack techniques chronicled in MITRE ATT&CK® framework. 

What is MITRE ATT&CK?

MITRE ATT&CK is a "globally accessible knowledge base of adversary tactics and techniques based on real-world observations." Organizations use this information to audit, assess, and implement security defense-in-depth strategies to mitigate cybersecurity attacks.

Under each individual attack technique, MITRE lists unique IDs to file procedures, mitigations, and detection methods along with associated attack techniques, sub-techniques, definitions, and tactics to provide detailed information on each attack.

For example, MITRE ID: T1621 identifies multi-factor request generation and focuses on using MITRE ID: T1078 valid accounts to generate unsolicited requests to a user(s) to gain unauthorized access to specific or multiple accounts. The technique involves an attacker attempting to use stolen, but valid account credentials to authenticate as a user and perform a push phishing attack such as a push bomb (sending multiple requests to the same user) or a push spray attack (sending multiple requests to different users) to gain unauthorized access.

How does Cisco Duo help mitigate real-life MITRE ATT&CK techniques? 

The image below mimics a real-life attack scenario that we saw last summer targeting Microsoft 365 and displays where Duo can potentially help mitigate the attack: 

In the example image above: 

1. The bad actor obtains a list of Microsoft office mailboxes with account credentials and passwords.   

2. The bad actor uses credentials to connect to Office 365. 

3. The bad actor launches a series of push-phishing attacks against a single user (push bomb attack) or a group of users (push spray attack) until someone accepts one. 

4. The bad actor self-enrolls their device (via self-service) and sets up MFA for persistence.  

5. With the Azure Active Directory credentials and the ability to approve MFA requests on their own device, the attacker can move laterally into other applications and services.  

The threat actor ATP29/Cozy Bear used the following MITRE techniques to target Microsoft 365: 

• Brute Force: MITRE ID T1110 

• Device Registration: MITRE ID: T1098.005 

• MFA Request Generation: MITRE ID: T1621 

An organization using Duo’s Universal Prompt functionality could help mitigate similar attacks since the bad actor would be unable to authenticate to 365 without advanced verification such as requiring Duo’s phishing-resistant MFA (Multi-Factor Authentication) and Trusted Endpoints. Duo Trust Monitor would also help surface the attempted device registration so administrators could take action. If you are not using Microsoft 365, Duo can also apply the same zero trust protection & analytics to Microsoft AD FS, Google Workspace, Citrix, WorkDay, SalesForce, Cisco VPN, and a variety of applications & services.

What else can Cisco help with? 

Cisco Duo is a robust, end-to-end access management solution that can play a significant role in mitigating popular MITRE ATT&CK techniques with a zero-trust approach. Duo can also pair with other Cisco Secure Access solutions including SSE, Cisco XDR, Cisco Umbrella, Cisco Email Security, Cisco Secure Endpoint, Cisco Secure Workload, and Secure Analytics for a comprehensive defense-in-depth strategy that supports a best-in-class security operation for your organization. 

To learn more, contact the Duo sales team today.

If endless false positives and reactive security models have been threatening your productivity and that of your users, you’re not alone. Many organizations struggle with authentication processes that frustrate and burden users to the point that they see security as nothing but a point of friction. Meanwhile, admins waste time chasing down alerts that ultimately point not to threats, but false signals.

Here, we explore how Cisco Duo’s risk-based authentication can decrease false positives, accelerate frictionless trusted access, and help you assess risk at the point of login.

Assessing the attack landscape

To implement a frictionless trusted access experience, it’s important to understand the attack landscape. Today's cyber attackers aren't sacrificing quality for quantity; instead, they are increasing the complexity of their attacks with multiple stages that expose companies to different kinds of risks. For example, a ransomware attack can lock users out of the company network while also exfiltrating sensitive data to sell on the dark web.

Increasingly, attackers are successfully finding ways to take advantage of gaps in weaker multi-factor authentication (MFA) systems. These MFA bypass attacks outsmart standard MFA protections by using the MFA system’s own software and processes, as well as users’ fatigue with more difficult MFA tools, to goad users into accepting fraudulent verification requests. Attackers manipulate user behavior via a variety of attacks, including:

• Push phishing attacks

• Man-in-the-middle (MitM) attacks

• One-time-password attacks (OTP)

• Vulnerable device attacks

The truth is users are attackers’ favorite targets. The most recent Verizon Data Breach Investigation Report lists credential and phishing attacks as the top attack vector (followed by vulnerability and botnet attacks). In fact, the report finds that 82% of attacks involved the human element.

Despite these growing risks, 80% of organizations are not prepared to protect themselves against this latest generation of attacks, according to the 2023 Cisco Cybersecurity Readiness Report. 

Evaluate risk to establish trust

To reliably and efficiently establish trust, it’s critical to understand the risk level an authentication attempt poses. Duo’s Risk-Based Authentication (RBA) uses a series of contextualized signals to evaluate risk at the point of login. Duo then provides the right level of friction for the user based on the corresponding risk level. Duo’s RBA enables security policies and risk signals to work together to create an automated, dynamic user experience. (Organizations can create policies that reflect their trust tolerance and implement them with Duo.)

If a user meets the established risk threshold, the session can be extended using Duo’s Risk-Based Remembered Devices. Reducing the time spent authenticating improves user experience and user productivity. If risk signals indicate that trust has dropped below the threshold due to the presence of worrisome signals (say, if the user’s authentication device suddenly appears to be in a far-off time zone), Duo automatically requests additional verification steps for the use. Continuously adapting to changes in user context between authentications provides an additional layer of security.

Risk signs are vital

Many other MFA systems’ risk-based authentication signals are plagued by false positives and weak contextualized risk signals. Some simply do not check all risk signals at the point of login.

Cisco Duo's RBA offering is a real-time, adaptive security product that can help fight threats at the point of login. Duo detects potential attacks such as push-spray and push harassment attempts, while also assessing factors such as device geo-location, unrealistic travel, time of authentication, and more. Duo collects user data to determine location risk, using Duo’s unique Wi-Fi Fingerprint capability to intuit their working location and detect changes to that location when the Wi-Fi Fingerprint varies.  This provides a high level of assurance on location and network. Duo also assesses device attributes (OS and browser version, firewall, security settings. etc.), XDR/anti-virus status, and management status—and couples all this information with signals from known attack patterns. In real time, the Duo risk engine analyzes the signals and decides where the authentication falls in the trust spectrum.

If a user logs in at their normal time and location on their corporate device, the decision engine would label it as “high trust” with no added verification steps, such as requiring Verified Duo Push (which sends a code to the user’s authentication device) or authentication using a security key. 

But if authentication is deemed “low trust,” the user may be required to take additional security measures such as remediating a non-compliant device, using a more secure authentication factor, or entering a verification code before they gain access to the network or application. Unlike other access management solutions, Duo is designed for self-remediation. Rather than giving users a meaningless error code and telling them to contact IT, Duo tells them what the problem is and how they can fix it, so they can get back to work quickly and easily.

To protect users, data, networks, and applications, Duo places friction only where and when you really need it. Our goal is to frustrate attackers, not users. In the process, we deliver what every organization and users really want: stronger protection and frictionless access.

To learn more, contact the Duo sales team today.

Do you grapple with complicated access policies, or have you experienced a failed device trust policy deployment? You’re not alone.

The truth is, zero trust access policies can be complicated to deploy, scale, and support. And organizations looking to gain ground in their zero-trust journey are forced to contend with a widening cybersecurity readiness gap. According to the Cisco Cybersecurity Readiness Index, 85% of organizations are not prepared to protect themselves against modern attacks. Security leaders, then, are looking for more efficient ways to lock down their defenses. And they want help from effective zero trust access policies. They just don’t want it to be complicated.

That’s why we at Cisco Duo offer a simple-to-deploy policy for applications, people, and devices that can help mitigate modern security threats and attacks.

Cisco Duo’s recent update to our $3 per user per month edition (now called Duo Essentials) adds an important device trust feature called Trusted Endpoints, which allows businesses to:

• Distinguish device trust easily by integrating with virtually any third-party device management solution

• Distinguish trust by application verification using Cisco Duo’s Device Health and Duo Mobile applications

• Deploy and verify device trust status at a lower cost than out competitors

Accelerate device zero trust with Cisco Duo SSO

The simplest way to implement a device zero trust policy such as Trusted Endpoints is by centralizing the SAML & OIDC Single-Sign-On (SSO) experience with a solution like Cisco Duo SSO. Duo SSO quickly connects to your identity provider of choice and integrates with ANY SAML or OIDC application with dedicated integrations for Microsoft 365, Citrix NetScaler, Cisco AnyConnect (ASA + FirePower), SalesForce, Cisco Webex, and many others.

Learn how to deploy Cisco Duo SSO

Once an application has been integrated, administrators can use Duo Trusted Endpoints to configure policies to validate device trust across a variety of device use cases such as MacOS, Windows, Android, and iOS and require phishing-resistant authentication methods such as FIDO2 Security Keys, Touch ID, and Verified Duo Push

Here’s an example of a simple policy requiring all devices to be trusted and only allowing enrolled users to authenticate using pre-approved phishing-resistant authentication methods:

Learn how to deploy Cisco Duo Trusted Endpoints

Ramp up security without sacrificing productivity

With Cisco Duo SSO, you can easily grant frictionless access to applications while simultaneously enforcing strong zero trust measures across applications, people, and devices. As hybrid and mobile workforces continue to grow, establishing a seamless way to manage multiplying endpoints will streamline security operations and minimize your attack surface.

Start closing your cybersecurity readiness gap. Contact Cisco Duo today.

Applications have grown in variety and adoption for over two decades. SaaS (Software-as-a-Service) adoption is skyrocketing. It is estimated that by 2025, 85% of business apps will be SaaS-based.

As a technology marketing professional, I use at least 20 applications every day - SaaS/cloud applications and on-premises apps - including email, web-browser based, chat/collaboration, corporate internal apps including Intranet, and mobile apps. I am so glad I don’t have to create or remember passwords for every application. That is because Duo Single Sign-On (SSO) is enabled on my work account. Duo Single Sign-On is a cloud-hosted SAML (Security Assertion Markup Language) 2.0 identity provider (IdP) and OpenID Connect (OIDC) provider (OP) that adds two-factor authentication. It offers inline self-service enrollment and authentication with Duo Universal Prompt to popular cloud services like Microsoft 365 and Amazon Web Services (AWS) using SSO protocols.

Nowadays, employees across many different industries use 10s to 100s of applications, so it is imperative that the single sign-on solution used in their organization support as many of those applications out-of-the-box so that configuration is simple and quick for admins.

What’s new: Duo SSO now supports more pre-configured applications

From the time we launched single sign-on five years ago, we have enabled Duo administrators to easily use the Duo Admin Panel for configuring cloud applications based on SAML 2.0 and OIDC standards.

Already in the first half of 2023, we’ve added many apps to the Duo SSO applications catalog, including:

• 1Password (private preview)

• Aha!

• Amazon Web Services (AWS) and CLI

• Atlassian Cloud

• BambooHR

• BeyondTrust (formerly Bomgar)

• BugSnag

• Citrix NetScaler

• CrashPlan

• CyberArk Privileged Access

• CyberArk Workforce Identity (formerly Idaptive)

• Datadog

• DigiCert

• DocuSign

• Epic mobile apps

• Expensify mobile apps

• Freshdesk

• GoTo apps (formerly LogMeIn)

• Meraki Secure Client

• Monday

• Notion

• Panther

• Remedyforce

• SAP Concur

• Sauce Labs

• Snowflake

• Udemy

Tell us what applications you would like to see added by filling out this form. This will help our Product team prioritize these.

It’s difficult to avoid the noise currently surrounding generative AI. Based on many recent conversations, this is an issue that needs to be approached with some care. Certainly, from the security and resilience perspective, we need to think about the impact of these solutions and how we can provide a useful framework for security, privacy and governance in relation to AI-driven apps. Put simply, how do we make sure we’re managing the potential risks while capitalizing on any opportunities?

“Who is Richard Archdeacon?”

To some it’s generative AI, to others it’s Machine Learning. Perhaps the most useful description for the AI solutions is simply: “the practical application of clever maths.”

In other words, we need to remind ourselves that these tools are not magic. They’re simply the interaction of algorithms with a defined data set.

To illustrate the point and prove my dedication to keeping fellow CISOs fully informed, I decided to test the new capability by asking an AI tool to generate an introductory slide for a presentation that I was giving at a conference. 

My attempt to cut corners came out with a result that was none too complimentary. But who am I to disagree? It was certainly appreciated by the audience!

This experiment did make me think. The information used to generate my introduction was taken from a set of data that was static at that time. But what if it could be manipulated? Would it be possible for me to “poison” selected online platforms with fake content about Nobel prizes, international sporting achievements and previous roles as a leading Hollywood actor? It’s an almost textbook illustration of the well-known GIGO issue and it begs an important question for the proponents of AI.  How do we know that the data trawled by these apps has not been poisoned — especially since such an attack would be relatively simple to implement? (With that in mind, expect to see an increasing recognition of the benefits that can be gained through vaccinating datasets against adversarial attacks.)

Or, as we have heard already, what if confidential information had been accidentally shared and was now in the public domain? This could pose an organization with any set of business risks from exposing vulnerabilities to compromising IP claims.

That is why there is now a growing body of commentary recognizing how the rewards of generative AI are counterbalanced by some very real security risks.

For the CISO there should be an inside/outside view. What solutions are being developed internally and what controls should be put in place?  What solutions are being introduced into the organization and how do we make sure they’re doing the job? 

There are also ethical questions to be considered, emphasizing the importance of effective data governance structures, policies and procedures.

A business-driven approach

The capabilities of a new technology and its potential for future development are key considerations that guide investment decisions for any business. Equally important for the CISO is the necessity to understand the risks a technology may pose for data governance, privacy and security.

The understanding of whether AI is the best tool for a particular job or not will depend upon whether it will support productivity and build business resilience by focusing on the practical priorities a CISO faces. 

So, just like any other technology investment, our initial questions should be about the operational capability of AI:

• What are the issues and the benefits around it?

• How do I get confidence in it?

• How do I take advantage of it?

• What might happen in the future?

• How will this make the business more successful?

When looking further into any such solutions, the risks and opportunities need to be understood. In short: will they introduce new weaknesses or vulnerabilities?

With these considerations in mind, I see a series of assessments being undertaken which may well include an extension of the current approach to third-party solutions.

More compliance for the CISO to worry about!

AI and governance

The first step for a CISO is to look for a clear list of principles to ensure that ethical data governance is built in from the start when AI solutions are implemented. Cisco has a well-established set covering:

1. Guidance and Oversight

2. Controls

3. Incident Management

4. Industry Leadership

5. External Engagement

So, a sound basis for developing trust in any solution. For example, knowing that there is governance in place, that privacy and unintended bias are recognized and addressed, and that incidents are managed mitigates any adoption risk. Privacy will be a key issue where generative AI apps store information from user inputs and use it to generate additional content.

When mentioning the Cisco principles and framework to CISOs there has been a mixed reaction from “That is impressive.” to “May I get a copy please?”  Albeit purely anecdotal feedback, it shows that this is an area of interest to them, there is a need to fill a gap and a recognition that Cisco has already started to do so.

Regulators and legislators are already reviewing new controls in most countries including the US, EU and the UK while generative AI has been banned in some countries including Italy, France and India. These developments need to be watched as it will be another area for CISOs to monitor.

Using AI (or clever maths) in practice

To understand how to use AI (or clever maths) in a practical sense, the way Cisco Duo has developed its Trust Monitor solution provides a case study. Trust Monitor creates an internal data set using AI to learn what looks like secure behaviours and then (automatically) alerts administrators when something looks risky.

"We created a data governance team to look at every use case in which we wanted to apply AI techniques. This team included all stakeholders. Not only Engineers, but we also included perspectives for legal, privacy, and ethics concerns. In that way, we could decide whether this was the right solution for the use case and, if so, we ensured we had a full understanding of how we could apply our principles." - Joe Duggan, Product Manager at Cisco Duo

This ensures a development approach which works to protect the security of users with systems that anonymize and obfuscate personal user details without impacting functionality.

In addition, policies around secure by design, data handling, retention and deletion are in place from the start.

These principles are also top of mind as Cisco Duo integrates with an increasing number of solutions across the wider Cisco Secure portfolio. So, a principled approach is embedded into the whole engineering process, increasing the opportunity to protect users whilst reducing any risk.

Asking about this type of approach may be one way in which the CISO can assess the risk of the solution being provided.

A sense of perspective

AI is going to continue making an impact, but it will never be the whole answer to every question for the business. In those situations where it is useful, we will need to have a view on how any associated risks are managed.

For security specialists, AI will remain a genuinely useful tool, automating many mundane tasks and doing a lot of heavy lifting. There is an increasing body of work looking at the security issues of LLMs and AI which are developing use cases and potential security issues.  Without the right controls in place, however, AI won’t always be the best answer. It is important to be able to demonstrate that the use of any AI is based on sound principles to build confidence and acceptance in its use.

In fact, as I’ve discovered myself, it might not even be the best tool for writing an introduction to a presentation.

Knowledge may be the wing wherewith we fly to heaven – but we better make sure it is secure.

Further Reading

• Mitigating Risks of AI Apps: Keeping Your Users Productive & Your Data Safe blog

Editor's Note: This blog was updated on 8/31/23 to reflect new developments in AI technology and at Cisco.

For many Duo Security administrators, logging into the Duo Admin Panel is part of your everyday work. From unlocking a user to configuring a new policy, you need to get in quickly and securely to protect your organization. Recently, we released passkeys for the admin panel to make this workflow even easier and more secure.

What is a passkey?

A passkey is a phishing-resistant cryptographic keypair you register for web-based authentication. It’s the strongest authentication method available today, which is why you see passkeys moving to replace passwords altogether.

“Passkeys cannot be phished, so they transfer the possibility of detecting whether a link is valid away from the end user.” – Matt Brooks, Cisco Duo Product Marketing Manager

Passkeys are built on WebAuthn technology so you can use all the methods you’re used to — like security keys, TouchID, WindowsHello — as well as a few more like mobile phones and password managers. Not all browsers support all verification methods on a given operating system, so for the widest compatibility we recommend Chrome or the browser that came with your operating system.

As of July 2023

For a deeper dive into passkeys and their benefits, read 'What are Passkeys?’ by Matt Brooks.

Easier-to-use login experience

While adding passkeys to admin panel login, we also took action on your feedback to make admin login easier to use. Starting in July 2023, administrators will start to see a new login experience that more closely resembles the Universal Prompt experience. In addition, admins can choose to remember their last used login method so that they are automatically prompted after entering their password without an extra click.

See the video at the blog post.

Switching administrators to passkeys

We’re encouraging all admins to make the switch to passkeys for a more secure Duo Admin Panel. While Duo has had more secure methods like Yubikey and hardware token support for a long time, investing in hardware for your admin team can be expensive and difficult to manage. The advantage of passkeys is that they already come with devices your administrators have today. Even if your administrators’ laptops do not have biometric support, admins can use their mobile phone as an authentication device without needing to download an app.

Passkeys are enabled by default for Admin Panel access. Owners can change this setting under the Admin Login Settings page in the Administrators section of the Admin Panel.

• Admins can add passkeys during self-activation or from their profile in the Duo Admin Panel

• Owners can also add passkeys for admins through the Administrators page

Since launching, we’ve seen over 15,000 passkeys added. Register a passkey in the admin panel today for an easier and more secure login. As always, we recommend having at least two authenticators tied to your account, so that you’re never locked out. You can register up to 100 passkeys and rename them from your admin profile.

Recently, Cisco Duo sponsored a comprehensive study on Passwordless in the Enterprise led by ESG senior analyst Jack Poller. Today we will discuss the survey makeup, review key results and explain why Duo’s Passwordless technology is well positioned to meet enterprise authentication needs highlighted in the study.

In addition to this blog post, you can find more information on the study results in:

• ESG’s state of Passwordless in the Enterprise ebook

• ESG and Duo’s state of Passwordless in the Enterprise webinar

Study Overview

During the study, ESG asked questions of 377 security, IT, and application development professionals across a variety of company sizes and verticals, about both workforce (internal/employee) and customer (external/client) users. The study also covered multi-factor authentication, identity protections, identity risks and identity vulnerabilities experienced.   

Study Findings

We’ll focus on the workforce findings:

1. Multiple account or credential compromise is the norm

This result is surprising, but it’s not entirely new. Year after year, there are countless reports that a significant number of breaches occur due to lost or stolen credentials. Cybercriminals don’t break in, they just log in. There are a variety of reasons that credentials are a perennial attack vector. Some companies don’t have budget to implement MFA, they don’t have the skills to implement it, or the solution is too complex and it negatively affects user productivity.

The writing is certainly on the wall that username and password credentials are a menace to secure environments, and moving to strong authentication is the solution. Yet, enterprises are faced with a trade-off between enabling a great user experience and deploying strong security.

Duo does not subscribe to that choice. Founded in a world-class design-led philosophy, Duo offers a great admin and user experience behind cutting edge authentication security for unmatched value.

2. Workforce authentication failures are common and MFA is still not mandatory

Duo has always focused on meeting customers where they are. Depending on the situation, authenticator options may be limited. Therefore, Duo supports a wide variety of authentication options. However, at the same time, we also enable our customers to implement the strongest multi-factor authentication (MFA) options available in the industry.

Some include Verified Duo Push with number matching, Risk-Based Authentication that steps up authentication strength based on risk signals, Trusted Endpoints to limit the scope of acceptable endpoints to known devices, or phishing-resistant factors like FIDO2 WebAuthn that is a foundational Duo Passwordless component.

3. Two-thirds of enterprises have started their workforce passwordless journey

Based on this stat, we can infer that passwordless has been beneficial to overall security efforts for most companies. Therefore, as enterprises develop plans to strengthen their security postures in the future, we can expect growth in the use of passwordless authentication.

Duo brought its Passwordless solution to market last year and has seen a steady rise in adoption and expansion from production pilots to full production in various functional groups across a broad set of verticals. Since it’s available in all product editions, all Duo customers have the capability to get started using passwordless immediately on the heels of completing their rollout plans.

4. Investment in strong authentication is growing

Top 3 “Areas expected to benefit from an increase in authentication technologies over the next 12 months.” include:

• Adding or improving passwordless authentication for workforce users – 24% of enterprises

• Adding or improving passwordless authentication for partners or suppliers – 18% of enterprises

• Adding or improving passwordless authentication for customer users – 17% of enterprises

Duo Passwordless provides enterprises with broad options to strengthen security and improve the user experience by eliminating the use of passwords. Our Passwordless solution supports flexible authenticators including:

• Passkeys that are single device bound or synced across multiple devices

• Platform authenticators built into access devices

• Security keys attached to access devices

• Duo Push on mobile devices

With Duo Passwordless, users can log in securely with a single gesture that provides the security based on “something you have” + “something you are” factors and doesn’t rely on the plagued “something you know” factor used for password-based authentication.

There’s no time like the present for starting your passwordless journey

Weak authentication with passwords and phishable MFA is putting enterprises at risk. So many are making passwordless a high priority to enable them to benefit from the increased security and improved user experience it offers. Get more insight into key survey takeaways by reading ESG’s ebook on the state of Passwordless in the Enterprise.

Also, be sure to register for the state of Passwordless in the Enterprise webinar with Jack Poller and I on July 19th at 1:00pm EDT. Jack will discuss key result from the survey and share his extensive industry experience. I will complement his observations by highlighting why Duo is well positioned to shore up enterprise authentication needs raised in the survey, while guiding organizations on their journey to passwordless authentication.

Show me the money!

The number-one reported motive for a cyber breach is financial gain, and ransomware 3.0 is the newest preferred tool to get there.

Tightening cybersecurity has become an increasingly important issue for organisations and individuals around the world. In Australia, the threat of ransomware attacks has been growing, with the Australian economy reportedly losing up to $2.59 billion annually from these incidents.

Twenty-nine per cent of incidents reported to the Office of the Australian Information Commissioner (OAIC) were attributed to ransomware between July and December of 2022, making it the most reported type of security breach of the year. Compromised credentials and phishing attacks, our previous two points of focus in the series, are two of the most common entry paths to ransomware deployment.

In the final instalment of this series, we cover the rise of ransomware 3.0 in Australia and the secure access innovations that make tangible differences in preventing a breach, mitigating the spread, and keeping organisations moving forward.

The Rise of Ransomware 3.0 in Australia

What is Ransomware 3.0?

While ransomware has been around for many years, it has continued to evolve. According to the 2022 Verizon Data Breach Investigations Report, ransomware has increased by 13% over the previous year — a jump greater than the last five years combined. Ransomware 3.0 is the latest iteration of this type of malware, and it differs from its predecessors in several ways, first and foremost in scale.

Unlike earlier versions of ransomware that targeted individual users, Ransomware 3.0 targets large organisations and critical infrastructure. It is also more sophisticated, using advanced encryption algorithms that make it more difficult to decrypt files that have been encrypted by the malware, moving laterally to disrupt cloud applications and taking advantage of inconspicuous crypto-mining schemes.

One innovation driving the proliferation of ransomware is Ransomware-as-a-Service (RaaS) or fully integrated out-of-the-box attack solutions, giving powerful access even with low technical literacy for a small cut of earnings. While Ransomware 2.0 evolved the double-extortion technique of threatening data release in addition to locking systems, Ransomware 3.0 double-downs on monetisation through organised crime and layered extortion methods.

How much does a ransomware attack cost an organisation in Australia?

The cost of ransomware on business is also mounting higher, with Australian organisations paying an average of $250,000 per incident. Cash aside, businesses and individuals must also deal with the costs of lost and compromised data — especially when it comes to personally identifiable information (PII) and personal health information (PHI).

A big target on the healthcare industry

The healthcare industry is particularly vulnerable to malicious attacks such as Ransomware 3.0. The Australian healthcare sector holds a significant amount of PII and PHI, making it an attractive target for cybercriminals and one of the largest reported targets for malicious software by the Australian Cyber Security Centre (ACSC). 

Strong cybersecurity in highly digitised healthcare is essential to save lives, where every minute matters. This belief is likewise reflected in compliance and insurance demands, with strict demands for PHI under the Commonwealth Privacy Act and regional legislation (e.g., the Health Records Act in Victoria or the Health Information Privacy Act in New South Wales) and reporting under the critical infrastructure bill.

Rather than temporary patching of security potholes, a strong cybersecurity strategy should evolve with business needs. Ever-increasing regulatory requirements force providers to be ready for current regulations and those that might be enforced shortly. Implementing a model of secure access with solutions like Duo can help mitigate the risk of cyberattacks today and the Ransomware 4.0s of tomorrow.

A Pacific Northwest healthcare provider uses Duo to protect against attacks and enable remote work

A large nonprofit healthcare provider serving over 600,000 residents in the Pacific Northwest is one organisation looking to increase remote work security, improve administrative overhead, and prevent future breach attempts.

In addition to a hospital, the healthcare provider operates a network of more than two dozen primary care, urgent care, and specialty clinics. The administrators wanted complete visibility of all users and devices accessing their Office 365 environment (whether in the hospitals or accessing remotely) and granular access controls through role-based policies for each application.

Multi-factor authentication (MFA) is a critical component of their security program, but the solution that was packaged with the existing enterprise suite did not meet the requirements of the IT security team. After evaluating several market-leading MFA solutions, the team chose Duo because it provided strong multi-factor authentication, complete visibility for workforce access, role-based access controls and the added benefit of ease of use for both administrators and end users.

"When users get phished, bad guys start attempting to use the stolen credentials within 10 minutes. Duo stops these login attempts and provides the details of the login failures so we can take the necessary action. In the last. 90 days, Duo has protected against three instances of account hijacking," said one Security Architect

Duo’s dashboard provides the security administrators with a snapshot of the overall access activity across the organisation, minimising the administrative overhead in user management, monitoring and reporting

“The dashboard gives us a high-level view of our [organisation]. Useful information such as login failures, who logged into which application and when, the number of deployed licenses and inactive users are all available right there. I can then easily drill down to the details of a specific login event with just a few clicks. We did not have this level of information before Duo,” the Security Architect explained.

The healthcare organisation leveraged Duo Care’s expertise to ensure success in deploying and migrating users to Duo with minimal impact on business. Duo’s premium support program, Duo Care, tailored support to the hospital’s unique needs and helped maximise business value. “Duo’s native integration with ADFS gave us the flexibility we needed and made it very easy to deploy in our environment. The rollout was complicated, but we were able to customise the deployment using scripts and we executed it very well,” said the Security Architect.

Migrating to a high-touch solution such as MFA can be daunting and complex as it impacts business productivity. However, using a combination of scripts and user self-enrolment, Duo was rolled out to a group of test users for a month and then to the entire organisation in four days.

Device trust and mitigating Ransomware 3.0 propagation

As with phishing, a layered approach is one of the best tactics against advanced attacks like ransomware.

Duo can help protect organisations from ransomware attacks—including Ransomware 3.0—on three fronts:

1. Preventing ransomware from getting an initial foothold in an environment

2. Mitigating or stopping the spread of ransomware if it manages to infiltrate an organisation

3. Protecting critical assets and parts of the organisation while an attacker still has a presence in the environment and until full remediation is achieved

Strengthening multi-factor authentication is a critical step to protect against ransomware.

Healthcare, alongside education (covered previously when we discussed how dangerous phishing is), is an industry that tends to teeter below the “security poverty line” due to legacy programs and systems; over half of the browsers measured by Duo’s 2022 Trusted Access Report were out-of-date in healthcare.

With Duo Device Health App, organisations can perform health and posture checks at the time of authentication to ensure the device meets set security policies before granting access. Without using an agent and keeping user privacy intact, Duo can check whether the OS is up to date, if disk encryption is enabled, if a password is set and more.

Cyber attackers are increasingly targeting gaps in weaker multi-factor authentication implementations. That’s why Duo is bringing protection previously available only in Duo's most advanced edition to every Duo customer. Now included in every tier, Duo’s  Trusted Endpoints distinguishes registered or corporate-managed devices from unmanaged BYOD (bring your own device) — with the option to block when an unknown device is attempting to access resources on the network.

Duo's admin panel provides a single-pane-of-glass solution, making it easy to manage policy and monitor security status across all devices. For the aforementioned healthcare provider, Duo helped the team implement role-based access policies per application with ease. While role-based access per application was possible with the incumbent solution, it was cumbersome to implement and manage because each application required a separate instance of the solution.

With just a few clicks, administrators can enact new policies or create a Risk Profile in Duo Trust Monitor that prioritises and surfaces security events that match profile elements. Trust Monitor surfaces suspicious logins and alerts administrators when a new enrolment event matches attack patterns seen in the wild.

The bottom line

Yes, Duo and other security solutions reduce the risk and impact of attacks like Ransomware 3.0, but taking a step back reveals the larger goal of strong cybersecurity practices like zero trust in the first place: To keep critical infrastructure online, to launch a new product to market, to move the business forward, or even to keep people healthy and cared for.

“We were able to implement strong security controls without disrupting the business of helping patients, and Duo has helped us to do it easily and securely,” said John Zuziak, CISO of the University of Louisville Hospital (UofL) where over 500,000 patients are served every year. “Our long-term vision is to adopt a zero-trust security framework, and we have taken our first step.”

UofL Hospital deployed Duo and was immediately able to consolidate several projects — including MFA, single sign-on (SSO) and mobile device management (MDM) — which reduced its overall total cost of ownership by more than 50%.

However, the biggest advantage was ease of use and continuation of the users’ day-to-day roles: “... Multiple clinician leaders recommended Duo. It was an easy choice for us. It was the first-ever security solution recommended by the users and by clinicians. This never happens in healthcare.”

"Multiple clinician leaders recommended Duo. It was an easy choice for us. It was the first-ever security solution recommended by users and clinicians. This never happens in healthcare." - Jason Zuziak, CISO of University of Louisville Hospital

Wrapping up: Organisation resiliency

In a few months, cybersecurity professionals will convene at Cisco Live Melbourne to learn and discuss the latest and greatest across security. Last year saw subjects like Secure Access Service Edge, new technological innovations, and the best security practices take centre stage. One theme emerged consistently: resilience and protecting the integrity of business amidst unpredictable changes.

A mere 15% of organisations globally have the 'Mature' level of readiness needed to be resilient against today's modern cybersecurity risks, according to the Cisco first-ever Cybersecurity Readiness Index. Developed against the backdrop of a post-COVID, hybrid world, the report highlights where businesses are doing well and where cybersecurity readiness gaps will widen if global business and security leaders don't act. In Australia, that proportion of mature readiness is 11%.

Cisco Cybersecurity Readiness Index is based on a double-blind survey of 6,700 private-sector cybersecurity leaders in 27 global markets. Read the Australia Market Snapshot

Every seven minutes, a cybercrime is reported in Australia. The threat of phishing, compromised credentials, and ransomware attacks are growing concerns around the world. Luckily, stronger security solutions exist — ones that don’t impede user productivity and can prove their investment value.

Cybersecurity will continue to be a priority. More than ever, it is essential to embrace the idea of cyber resiliency and continue to evolve security solutions. Today, we can start with securing user access.

Looking for more information?

• Protecting Against Ransomware: Zero Trust Security for a Modern Workforce ebook

• Healthcare Shifts in Cybersecurity ebook

• The State of Information Security in the Healthcare Industry ebook

• Healthcare Provider in the Pacific Northwest case study

Confidence in data can be a lot like having a good friend. When we trust the source, our confidence in the truth of the information we receive grows. And like any relationship, there’s room to develop that trust.

Originally built to support contractors using personal devices, the Duo Device Health application (DHA) took on an expanded role to help establish device trust by checking both the health and management status of endpoints before granting application access. Increasingly, it’s being used to differentiate managed devices from unmanaged BYOD (Bring Your Own Device). Now, we’re moving forward with enhancements that will further increase confidence in the truth of the data the DHA reports.

Stop the spoof

The enhancements to the Device Health application address two security challenges. The first is to make it even more difficult for a bad actor to “spoof” the DHA and its data. This improves confidence that the data reported by the Device Health app is valid, comes from a legitimate source and has not been tampered with during transmission. 

The second is to make it more difficult for that bad actor to cause a device that should not be trusted (in the context of Duo Trusted Endpoints) to appear as though it should be trusted. Let’s take a look at the enhancements and how they overcome these challenges.

Device Health application enhancements

Automatic Device Health Application Registration, Payload Signing and Device ID Pinning are a set of capabilities that, when combined with Duo Trusted Endpoints, make it even more difficult for a bad actor to use a fake version of the DHA in place of the legitimate application or to tamper with the data reported by the app. With all three enabled, IT teams can more confidently depend on the source, authenticity and legitimacy of the Device Health app’s reports which are used to determine the trustworthiness of the access device and enforce a Duo access policy.

Automatic Registration

If the Device Health app is not already registered, Automatic Registration will occur when a user accesses a Duo-protected application and successfully completes multi-factor authentication (MFA). The DHA will generate a cryptographic keypair, store the private key on the access device and send the public key to Duo, where it is stored and associated with the user, account and access device.

If any of those three attributes change, say someone else uses the same access device to log into an application owned by the same Duo account, the registration process will repeat. This allows for many-to-many scenarios where multiple users can utilize the same device, a single user can use multiple devices, and any or all of them can register with multiple Duo accounts.

Payload Signing

The private key that was generated during registration is used to cryptographically sign the data payloads sent by the Device Health app. The signature is verified by Duo’s back end using the public key that was sent at the time of registration. If the payload’s signature is invalid, either because it did not come from a legitimate DHA or it has been tampered with, the access attempt will be blocked.

Device ID Pinning

This feature works best when coupled with the Device Health-app based Trusted Endpoints feature. Device ID Pinning makes it more difficult for a bad actor to capture device-identifying information used to determine whether an endpoint should be trusted and make their own access device look like an endpoint that should be trusted. For example, it is theoretically possible for a determined bad actor to identify device IDs such as the UUID (Universally Unique Identifier) or CPUID (CPU Identification) that Duo considers to be trusted, enable their access device to represent itself with the same device IDs and therefore cause an access device that should be untrusted to appear as though it is trustworthy.

Device ID Pinning prevents devices that have already registered with a set of unique device IDs from registering again. Once enabled, the feature blocks any attempt to register a Device Health app where the access device has already been registered for that user and account. That way, a bad actor attempting to spoof a trusted endpoint will be blocked. If a legitimately registered device attempts to register again because the private key was removed (re-image, OS reinstall, etc.) an administrator has the means to de-register a device so that it can be registered again.

Feel confident

Having trust in the source of the data we receive gives us confidence that it’s accurate and reliable. With the security enhancements we’ve made to the Duo Device Health application, you can be confident the source, authenticity and legitimacy of the data reported by the Device Health app is trustworthy and not being spoofed by bad actors.

If you’d like to try the Device Health application and experience the new security enhancements for yourself, sign up for a free 30-day trial.

Third party security risk is an issue that frequently comes up in my discussions with clients. The topic is usually raised through questions like these:

1. “I have a contractor starting on Monday. How do I give them the access they need to get the work done while still keeping our environment secure?”

2. “How do I enable secure access for a third party if I want them to maintain a particular asset?”

3. “How do we restrict access to protect our IP when working with a third party?”

Snapshots like these indicate a much bigger picture, with most organizations at the center of a vast ecosystem sharing data with service providers and subcontractors to improve service delivery and reduce costs. Effectively, these third parties are trusted with the client’s corporate crown jewels – key information that may concern its employees, solutions, end users, company strategies, and much more besides. Safeguarding the privacy and security of that information is a business-critical responsibility.

How serious is the challenge?

There’s plenty of objective proof to support this anecdotal insight.

The Sunburst attack showed just how broadly based and deeply damaging an attack involving third parties can be. 

Meanwhile, Prevalent noted that companies are currently big on exposure but small on preparation, with a staggering 45% still relying on manual spreadsheets to assess third party risk. This renders risk audits more time-consuming and less effective.

That lack of preparation is particularly disconcerting at a time when KPMG is calling on security leaders to respond to increased threats by making a step change in their operating models and approach to third-party risk.

How simple is the solution?

In this situation, taking effective action starts with a simple statement of the problem.

Most third-party breaches feature two vulnerabilities:

1. Device vulnerability due to lack of patching

2. A lack of security on a client’s edge

An effective security solution to protect against these breaches must therefore be built on three essential pillars:

1. Identity assurance: We need to be sure that third parties are who they say they are by implementing phishing-resistant authentication. This is particularly important now that many bad actors are attempting to bypass MFA with tactics such as MFA fatigue.

2. Device posture: We need to make sure that third parties will be alerted when the devices they’re using need updating to protect their security posture. This protects the corporate apps third parties will need to access in order to do their work.

3. User behavior: We need to create a historical baseline of user behavior and surface unusual access attempts by looking at variables. These include who typically accesses which applications from which devices at what times from what locations using which authentication methods. Visibility into abnormal access attempts then enables admins to detect suspicious activity and tighten access policy. Deploying a secure access solution that is able to identify whether a device is registered or managed versus not known or personally owned is a huge benefit, mitigating the escalating threats which customers of all sizes face.

How quickly can it be done?

So far, so secure.

In the real world, though, security is not the only consideration for organizations working with third parties.  Speed of response and speed to business impact are also critical in keeping costs down and maximizing competitive advantage.

In this respect, not all security solutions are equal. Some will indeed deliver security but cost you precious time in doing so. For instance, if you’re obliged to build a hierarchy of policies to accommodate your third-party requirement it means that you’ll likely be tackling a job with many moving parts. The downside of that isn’t just the resources it ties up and the budget it consumes. It’s the lag time between starting the job and being protected — time during which your network remains vulnerable.

Similar considerations apply with speed to impact. If an organization is working with third parties, it probably wants to control costs and have those partners add as much value as quickly as possible. That equation can quickly become unbalanced if IT is tied up for days making sure the network is safe before the third-party work can begin.

The right solution can also make regulatory compliance and cyber liability insurance easier too. But those are possibly separate topics for a different day.

Control the risk. Fast.

The good news for hard-pressed CISOs and IT admins is that the ability to create policies very rapidly for particular scenarios and apply them almost instantly has been built into Cisco Duo from the beginning.

Cisco Duo’s critical capabilities — such as strong authentication, phishing-resistant MFA, Passwordless, Single Sign-On (SSO), and Trusted Endpoints — offer an all-in-one package comprising essential secure access management for third parties and internal users alike. Equally important, this high level of security is delivered unobtrusively with minimal user friction thanks to Duo’s Risk-Based Authentication solution automatically evaluating risk signals, responding dynamically, and then adjusting secure access as required.

Managed centrally, the Duo Policy engine means admins can almost instantly reduce risk by enforcing precise policies and control, defining and enforcing rules on who can access what applications and under what conditions.

Duo Single Sign On also accelerates the third-party journey without compromising security, saving time and cost for onboarding to applications, password resets, device management and more while also providing a way forward to a Passwordless future supported by biometrics, security keys and specialized mobile applications that make access highly secure yet virtually friction-free.

Similarly, Device Trust makes it easy to enforce access control across both managed and unmanaged devices so organizations can be as confident as possible about authorizing third-party access.

I’ve seen what these capabilities mean in the real world on many occasions.

Thinking back to the scenarios I mentioned at the start of this article, I’ve seen situations where clients have told us they have a team of contractors starting a program of works imminently and we’ve been able to deliver a secure environment rapidly in response, sometimes within hours rather than days and certainly within days rather than weeks.

Or they’ve told us they need tighter controls to protect their IP with a third party working on a specific asset, and Cisco Duo has been able to spin up bespoke policies and controls almost instantly without interrupting day-to-day work.

Of course, that doesn’t happen by luck or accident.

It happens because the Cisco Duo solution is purposefully designed to build resilience for the entire business rather than simply help IT implement security.

Next steps

With the ongoing tech skills shortage plus a challenging economic environment, it’s likely that organizations will be relying on their third-party ecosystems to plug the gaps and cope with change for a long time to come.

Taking a free trial of Cisco Duo today is a quick and easy way to find out how those relationships can be secured in a way that effectively accelerates their ability to deliver value so the organization can achieve its goals.

Want to learn more?

Check out some other blogs:

The Bigger the Party, the Bigger the Risks

Healthy Device? Check With the Duo Device Health App Before Granting Access