<![CDATA[The Duo Blog]]> Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. en-us info@duosecurity.com (Amy Vazquez) Copyright 2024 3600 <![CDATA[Revisiting Duo’s FedRAMP Authorized Federal Editions]]> harsheik@cisco.com (Haroon Sheikh) https://duo.com/blog/revisiting-duo-fedramp-authorized-federal-editions https://duo.com/blog/revisiting-duo-fedramp-authorized-federal-editions Product & Engineering

Back in November, 2019, Duo achieved a key milestone with its FedRAMP Authorization as a Cloud Service Provider (CSP), and launched its federal products that are FedRAMP Moderate with the sponsorship from the Department of Energy (DOE). Our federal editions are the first standalone cloud-based MFA offerings that are FedRAMP authorized.

Duo’s Federal editions enable federally compliant cloud-based MFA completely aligned to NIST, OMB, and FedRAMP out-of-the-box. It’s essentially an ‘easy button’ for our Public Sector customers for Federal Authentication and Access Control.

Duo Federal MFA and Duo Federal Access

The Duo Federal editions were added to Duo’s product line and aligned specifically to the security needs and requirements of federal customers.

One of the things we’ve done inside Duo’s Federal editions is to make it pre-configured for compliance. This includes: FedRAMP, FISMA, FIPS 140-2 compliant authentication standards, aligns with National Institute of Standards and Technology (NIST) SP 800-63-3, DFARS/FARS, OMB ICAM policy and more.

These Duo Federal editions support Authentication Assurance Level 2 (AAL2) with Duo Push or Duo Mobile Passcode for both Android and iOS devices by default out-of-the-box with no additional configuration required. Duo also supports AAL3 authenticators such as FIPS YubiKey from Yubico.

Additional information on the Duo Federal edition with its available features and comparison to our Commercial editions can be found in our Duo Federal Guide.

Duo Care Premium support available for Duo Federal

The Duo Care premium support program is available for our customers that are utilizing the Duo Federal editions.

This offering provides a dedicated team of Customer Success experts that ensure your deployment is smooth, and work with you through the lifecycle of your subscription to make sure you are maximizing the value of your Duo investment as your organization and business needs evolve.

In addition to the team of dedicated trusted advisors that serve as your strategic point of contact and technical experts - the Duo Care premium support program also includes extended support services such as: 24x7 phone availability, priority ticket SLA, VIP support line and more!

Download the Duo Care Information Sheet

Get started with a free trial of Duo’s Federal Editions

Duo Federal MFA and Duo Federal Access editions are listed on FedRAMP Marketplace, and can be purchased via DHS’ CDM or by visiting the Duo Federal Editions page.

If you would like to get started with a free trial of Duo’s Federal MFA and Federal Access editions, signup through our Federal editions page and we’ll reach out to get you started!

<![CDATA[Reopening the Bat Cave: Duo Labs Is Back]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/reopening-the-bat-cave-duo-labs-is-back https://duo.com/blog/reopening-the-bat-cave-duo-labs-is-back Product & Engineering

Duo Labs is back!

Well, not exactly in the same form — but the sentiment, heart, and function of Duo Labs is back. For the curious, the original Duo Labs was a team of amazing security researchers, tinkerers, and thinkers that published their findings, experiments, and explorations on the Duo Labs site.

Perhaps most famously, the team sent a phone equipped with Duo mobile into space — attempting to complete a Duo push from 90,000 feet. There are still many other examples of cool security research or contributions to the security community live on the Duo Labs site.

Over the last few years, the official labs team was disbanded, moving on to new projects, teams, and gigs — and the Duo Labs site was left to face the digital sands of internet time without much attention or thought. There hasn’t been a Duo Labs post since 2021. Not every project continues forever, and it’s okay to be at peace with an effort ending — conclusions and closure are a part of any story.

However, internally at Duo, we realized that by disbanding the Labs team and discontinuing writing for the Labs site, we lost something special about Duo itself. That special thing was a forum for Duonauts to be nerdy, expansive, and inquisitive about all things at the intersection of access management and security. It’s one thing to have the company blog (look, I’m writing here right now!). But it’s another to have a place to post that doesn’t need a product tie-in or an ask to contact sales.

The truth is, there are still a bunch of security scientists lurking within Duo. Folks thinking about the future of authentication, from passkeys to decentralized identity. Folks researching the identity threat landscape and which parts of the identity infrastructure attackers will strike next. Folks using the massive Duo dataset of authentications to uncover new attack patterns and techniques. And, folks thinking deeply about the next generation of security protocols and frameworks.

This type of work doesn’t necessarily coincide with the scope of Duo’s mainline blog. There often won’t be a clear right answer, and certainly won’t always be a product demo of a solution. Therefore, to showcase the work of Duonauts thinking about the big problems of authentication, access, identity, and security, we're re-opening Duo Labs. The first piece will be a “nigh-comprehensive” overview of identity threats with a look at their prevention and detection. From there, we’ll produce new content monthly, diving deep into the brains of Duo’s engineers, product leaders, and data scientists.

If this effort sounds interesting to you, meet us over at Duo Labs or follow the back online @DuoLabs on Twitter. We’re excited to tinker again

<![CDATA[Don’t Settle for a Vendorship When You Can Have a Partnership]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/dont-settle-for-vendorship-when-you-can-have-partnership https://duo.com/blog/dont-settle-for-vendorship-when-you-can-have-partnership Product & Engineering

Every organization will face challenges at some point. Often, these challenges are the reason vendors exist. Their purpose is to sell you something that’s hopefully going to solve an issue or fulfill a need, so you can get back to what you do best. It’s sort of like buying a Band-Aid for a cut. I just need it to solve a particular issue now. Other than fixing the immediate issue I don’t have any long-term expectations.

What’s a Vendorship?

Search online and you’ll find a lot of similar definitions for vendor. It’s typically something along the lines of “An individual or company that sells goods and services to businesses or consumers.”

The relationship we have with vendors tends to be more transactional in nature. It’s what I refer to as a “vendorship.” Honestly, vendorship isn’t even a real word, but it’s useful to illustrate a point. In a vendorship, I’m not looking for a long-term commitment with the seller. I just need a solution to address a particular challenge. It’s a summer romance. Once I have the solution in place, we probably don’t need to keep in touch unless there is a problem with the product or service. My expectations for a deeper relationship are low. A lot of the time this is sufficient for both parties.

Moving from Vendorship to Partnership

See the video at the blog post.

But what if I want more from my vendor? My organization may have greater needs that require a deeper, longer-term commitment from both sides. This can be especially true if my organization is investing a lot of time and money in a solution. I want to make sure I’m getting value for my investment. If you’re looking for any — or all — of the following from a vendor, then it’s time to move from a vendorship to a partnership.

  • Configuration and Deployment Resources — Does the vendor provide resources to help me properly configure the solution and deploy it into my architecture or to my users?

  • Future Product or Service Updates — I’m buying something today, but how is the vendor adding value to it tomorrow?

  • User Training — Does the vendor make training available so my users are prepared to engage with the product or service?

  • Opportunities to Preview Upcoming Releases and Provide Input — Before a new release is available, is there an opportunity to try it out and provide feedback?

  • Strong Customer Support — At some point my organization will need support, so how good is the vendor’s customer service?

  • Vested Interest in My Organization’s Success — Beyond the product or service, does the vendor have an interest in helping my organization succeed?

Depending on your need, a vendorship may suffice. However, if you’re looking for more than a summer fling, why settle for a vendorship? Consider taking that relationship to the next level with a vendor who is also interested in partnering for the long term. Yes, it requires investment from both parties, but your organization will benefit over time.

In it for the long term

In an earlier blog, I talked about how building a long-term partnership with a vendor enables customers to realize greater value for their investment. At Cisco Duo, we want to help our customers get the most out of their Duo subscription by engaging in a long-term partnership. That’s why we continually add new features to our Access Management offerings, provide opportunities to test drive new features before they’re launched, deliver hands-on workshops and webinars, help our customers grow their Duo knowledge and expertise through online training, and more.

And for customers who want an even deeper relationship from a trusted partner, there’s Duo Care, Duo’s premium support program. With Duo Care, you'll work together with a team of Duo experts who guide you through the life of your subscription so you maximize the value of your Duo investment as your organization and business needs evolve.

When it comes to vendor relationships, don’t settle for a vendorship when you can have a lasting partnership and reap the long-term benefits. Let Duo show you how. Speak with your local Duo sales rep or partner today to learn more.

<![CDATA[Better Together: How Duo Care Helps You Get Directly Involved With Product]]> malhinz@cisco.com (Mallory Hinz) https://duo.com/blog/better-together-how-duo-care-helps-you-get-directly-involved-with-product https://duo.com/blog/better-together-how-duo-care-helps-you-get-directly-involved-with-product Product & Engineering

The Cisco Duo team is filled with excellent researchers, designers, product managers, engineers, and more who know what we are doing when it comes to building a great product - but we also know that we are better together with input from our customers.

Most people are generally familiar with the product release cycle, but for the sake of a quick refresher, below is the multi-step release process that Duo follows:

Any organization utilizing a paid edition of Duo is used to being notified about features that have become Generally Available (GA) through subscribing to updates from the Duo Release Notes section of the Cisco Community page, but today we want to highlight the other stages and how much we care about getting organizations involved.

This blog is part of the Duo Care Trusted Advisor series. Duo Care Premium Support was created because we really do care. The dedicated Customer Success Managers and Customer Solutions Engineers who make up Duo Care help with initial rollouts, but we also guide you through the life of your subscription — ensuring you maximize your investment.

One of Duo Care’s favorite ways to provide additional value is through getting our customers involved in Active Development Programs and Private Previews. Think of it like having a dedicated advocate behind the curtain who is highlighting the ideas that you’ve submitted as feature requests and proactively looking out for new functionalities that might be of interest to you or that might help you better achieve your security goals.

Active Development Program (ADP)

Duo prioritizes feedback from customers at every stage of the product process — even when we are just getting started developing features. An ADP might look like connecting you with a Product Researcher for an informational interview about a particular topic that we are exploring. An ADP could be a Product Manager walking you through the mock-up of a feature from a design perspective and gathering preferences for the admin experience before we start building. It could be a combination of conversations and demos.

Mostly, Duo Care loves it when we can find and deepen the alignment between our customers and our product team. We especially love to find those opportunities through the Active Development Program stage. The focus of an ADP might be a topic that you mentioned on a previous call that could make your life as an admin easier or something that relates to a security goal you mentioned during the previous year’s planning session or something that we know you are already thought leaders on where we could learn too. Duo Care is always actively listening and eager to connect the dots to build things together.

Private Preview

In the next stage, a select group of customers are invited to experience a particular product feature before it has officially been released. Private Previews are the “kick the tires” stage where you have a chance to test out how a feature actually works and provide feedback.

One key advantage of being a Duo Care customer is getting early access to features. Duo Care has a close relationship with our product team, and we are always looking for opportunities to collaborate. We want to make sure access management is simplified, easy to use and effective — and customer feedback is incredibly important to make sure that the features we build are in line with helping you meet your security goals. 

Every Private Preview runs a bit different, but it might look like Duo Care doing a demo of a new feature during a Product Roadmap Review, facilitating a call with the Product Manager of that feature for any questions about set-up, or giving you some time to poke around and test things out on your own. After an organization has agreed to participate with us, there are always a few follow up conversations to gather opinions, thoughts, desires — and circle back on any updates that have been made from previous feedback.

Public Preview

The final stage before a feature will launch to GA is a public preview. Those customers without a dedicated Duo Care team can gain access to the product or feature either directly from the Duo Admin Panel and an “Early Access” button or by contacting Duo Support. The features will remain in this stage until they are ready for full release.

There are plenty of other smaller stages that happen behind the scenes to take an idea all the way through launching as part of the Duo product, but we hope that this overview has re-enforced how much we care about your participation, investment and feedback.

Looking to get more involved?

If you are interested in adding Duo Care Premium Support to your current contract to take advantage of additional previews and development programs, please send an email to your Cisco Cybersecurity Sales Specialist or Cisco Account Manager.

If you are brand new to Duo, welcome! Please Contact Us to start the conversation!

<![CDATA[2024 Duo Trusted Access Report: 5 Key Findings for MSPs to Strengthen Security]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/2024-duo-trusted-access-report-5-key-findings-for-msps-to-strengthen-security https://duo.com/blog/2024-duo-trusted-access-report-5-key-findings-for-msps-to-strengthen-security Industry News

For managed service providers (MSPs), navigating the ever-evolving landscape of access security can be a daunting task. With complex identity stacks and a constant influx of new devices and endpoints, ensuring secure access across your clients' infrastructure requires comprehensive data-driven insights.

Duo’s latest annual Trusted Access Report, aptly titled "Navigating Complexity," peels back the layers on the ever-evolving world of access management and analyzes real-world data from 16 billion authentications across millions of devices and users. Coupled with key findings are available levers you can turn on today — because we know that if customers aren’t using all the features in their Duo subscription, they’re not getting the full security value.

5 data-driven access security best practices for managed service providers

1. SMS and phone calls as a method of second-factor authentication decreased by 22%, reaching an all-time low at 4.9%.

It’s well-documented that SMS and phone call-based second factors are not as foolproof as once thought, with multi-factor authenticator apps appealing to both demand for higher security and ease of use. However, today’s landscape sees push-targeting MFA attacks increasing. Enabling Verified Duo Push can disarm push harassment and MFA fatigue attacks, with the bonus of putting your clients on the path towards passwordless.

2. Authentication failures due to out-of-date software surge by 74.7%, with most accounts only seeing 20%-40% of browsers operating with the “latest” updates.

Devices that are no longer supported or have not been updated with the latest security patches are often riddled with vulnerabilities that can be exploited by cyber attackers. For example, we found that mobile Safari is most likely to be used for successful authentications but also most likely to be out-of-date or end-of-life.

Granular, adaptive security policies can be designed to detect such devices based on device posture—including the operating system version, installed security patches, and other critical security configurations. To avoid an influx of helpdesk tickets, Duo’s Endpoint Remediation can notify users when it’s time to update, help self-remediate, or block access completely if posture conditions aren’t met. Meanwhile, admins have visibility on who’s accessing what with which device, all without having to install any agents.

3. Mobile and non-traditional operating systems platforms show steady adoption, making up 61.8% of measured authentications.

Complex supply chain operations, third-party partnerships, and contractor devices heighten the risk of unmanaged devices and unknown endpoints — adding complexity to ensuring trusted access. This variability challenges visibility and trust, necessitating a dedicated layer of security.

Reinforce your clients’ security by combining strong authentication requirements with device trust policies. Duo Trusted Endpoints, available to all your Duo clients, adds an extra layer of security even if an organization cannot manage the device directly. Administrators can define a trust policy for every endpoint — whether managed or unmanaged, company-issued, contractor-owned, or personal — and stop attacker’s unknown devices even if they are able to bypass MFA.

4. In 23% of engagements observed by Talos IR, attackers were able to abuse compromised credentials to access valid accounts.

Here’s one for the administrators: Improper access controls can increase the potential for security incidents or unauthorized access to sensitive information. This is especially true for privileged roles like IT admins and helpdesk.

Duo helps multi-tenant partners manage their operations more efficiently with role-based access controls. Enable subaccount roles and access tags to ensure least privileged access and avoid unsecure credential practices. Curious? Get the infographic.

5. More than 24% of an organization’s total identities are inactive accounts that experience over 500 attacks every month.

Identity security is a high priority for organizations of all sizes, especially evaluating identities and login attempts for context and risk. But with several accounts and various risk appetites, it can be overwhelming for MSPs to manage so many controls.

Data-informed user authentication policies can consider your client’s risk levels and focus points. Take advantage of solutions that assess user and device telemetry to identify known threat patterns and anomalies without impeding user productivity, like Trust Monitor and Duo Risk-Based Authentication. In the event of an attack, Duo’s RBA can step up the authentication to a Verified Duo Push.


Duo wants to make strong security feel simple for administrators, security teams, and end-users alike, most recently announcing advanced identity protection to provide immediate security value and response to today’s most common attacks in real-time such as session hijacking, inactive account abuse, and more.

Get the report

The 2024 Duo Trusted Access Report is packed with data-driven findings on existing and emerging IAM trends across 16 billion authentications, 52 million browsers, 58 million endpoints, and 21 million unique phones. Learn more about the trends and recommendations that can bring impactful value to your MSP clients today.

 Download the 2024 Trusted Access Report.


Become a Partner

Now more than ever, Duo’s MSP program helps you eliminate complexity and grow your business with industry-leading secure, scalable, and flexible access management.

Visit Duo’s MSP Program page or reach out to msp@duo.com to start your Duo MSP partnership today.

<![CDATA[The Problem With One-Time Passcodes]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/the-problem-with-one-time-passcodes https://duo.com/blog/the-problem-with-one-time-passcodes Industry News

What are OTPs (one-time passcodes)?

As organizations have improved their security posture, cybercriminals have found new ways to circumvent those controls. Multi-factor authentication (MFA) is a well-known and well-established protection that many organizations rely on. And that also makes it a target for cybercriminals. Therefore, it is not enough to have MFA turned on, organizations must also deploy secure policies to ensure their users are protected.

Several common authentication methods include the use of one-time passcodes (OTP). Normally these codes are sent through “out-of-band communications,” meaning it is sent through a different channel than the website you are trying to access. For example, if you are logging into an application in a web browser, the OTP might be sent through to your email, through SMS text (short message service), delivered as a voice message, or through a dedicated application. The benefit of these codes is that they are random numbers, so they can be difficult to guess, and they cannot be reused across a user’s different accounts (like passwords typically are).

Problems with OTPs:

However, MFA Interception is a way for bad actors to exploit the passcode and gain access. There are different ways bad actors have intercepted MFA passcodes. Some methods include:

  • SIM Swapping: The attacker uses social engineering to convince a cell phone provider to switch the number to the attacker’s SIM card to gain access to the OTP sent to the trusted user.

  • Brute Force Attacks: Since there is a one in a million chance to guess a random six-digit code, attackers can automate scripts to speed up the process and do it across many users to increase their odds. If the OTP only requires two digits (which can be configured by your organization), that increases the odds to one in one hundred chances of successfully guessing.

  • Phishing: An attacker sends a user a link to a fake website to capture the user’s username and password. The trusted user enters the OTP in the fake website while the attacker simultaneously enters the same OTP into the real website, gaining full access.

  • Social Engineering: An attacker logs in with a user’s credentials and the real user gets sent an OTP. The attacker then calls the user, and says "This is your helpdesk, I need to confirm your account, can you please confirm your OTP?" The user then reads the OTP to the attacker who gains full access.

To make matters worse, much of these capabilities can be purchased or contracted out, where launching an attack to capture and use OTPs codes is as simple as sending bitcoin and providing an email address to target.

How to secure MFA

While there are many problems with OTPs, they are still better than no MFA and there should be some form of additional authentication across all users and applications. There are also alternative options to consider if you are looking to improve your organization’s security posture.

Verified Duo Push is one option that might seem like an OTP but operates in a more secure manner. Rather than sending the user a code to their phone that they enter on their computer, a Verified Duo Push shows the code on the access device (e.g., a computer) and the user inputs that code in the Duo Mobile application. In an attack scenario, the code is presented to the attacker, and not the trusted user, so there is no risk of the attacker stealing it from the trusted user. For the attack to succeed, the trusted user would have to know the code and enter it in the Duo application that is associated with the account.

While a Verified Duo Push requires a user to enter the code at every login, organizations can also deploy Duo’s Risk-Based Authentication solution that analyzes contextual signals at the point of login and can step up to a Verified Duo Push if there is a potential attack on a user.

Passwordless authentication, which uses WebAuthn credentials, is another safe alternative to OTP. This removes the password from the equation and requires you to use a biometric or security key to authenticate. The private key, stored on your computer, unlocks a public key stored in the application. Since the private key lives on the device, it cannot be intercepted by an attacker.

Finally, Trusted Endpoints ensures only safe and known devices can log in. This prevents an attacker on their device from even beginning a login in the first place. It combines both authentication and device policies to provide holistic protection for users.

To learn more about Duo’s secure MFA solution, sign-up for a free trial today.

<![CDATA[The Rise of Passkeys]]> matbroo2@cisco.com (Matthew Brooks) https://duo.com/blog/rise-of-passkeys https://duo.com/blog/rise-of-passkeys Industry Events


This problem really came to a head when the internet rapidly grew from a government project to a major medium for electronic commercial transactions. Thanks to the application of advanced math and science, Public Key Cryptography was used to develop a means of securing ecommerce over the internet.


Public Key Cryptography allows a merchant or customer to send a 'secret' encrypted message using a public key and only the owner of that public key can decrypt it with their private key. Then, in turn, they can digitally sign that message and use that secret to set up an encrypted session to send it back and then both parties can communicate bidirectionally securely.

However, while this allowed the merchant or customer to send information securely, it did not verify their identity and make sure the person sending the secure transmission was who they said they were. So, we began with the use of passwords. Skip ahead several years, and it’s widely known that they are problematic. Using concepts from Public Key Cryptography WebAuthn was born to verify identity securely.

Web Authentication API (also known as WebAuthn) is an open standard developed jointly by the FIDO Alliance and the World Wide Web Consortium (W3C) in 2019. It was conceived as a means of providing secure authentication to web sites using a private-public keypair, using public key cryptography techniques, instead of problematic passwords.


Passkeys are the credentials derived from WebAuthn public and private key pairs. Originally, they were static and bound to the secure enclave on the device where they were generated. Then to support recovery in the event of a lost or stolen device, and drive their growth, they were designed to be synced securely. Apple iCloud enables this today allowing their distribution securely between supported endpoints.


The use of passkeys on consumer sites has grown rapidly, yet questions remain about their use in the Enterprise. While the passkeys are stored securely and enable verified session access, how do you know the endpoint is a trusted device and will not put the organization at risk? This requires identity and access management vendors to provide extra protection to establish device trust before they can be used.

Trusted Endpoints

Cisco Duo can enhance the security of passkeys with its Trusted Endpoints functionality. A user preregisters and has Duo Desktop (Windows and macOS) or Duo Mobile (iOS and Android) installed, which uniquely identify their trusted devices. Then, at authentication time, the user’s device must be known or “trusted,” otherwise they are not be allowed to use it to authenticate.


Passkeys are here to stay and it’s important for Enterprises to plan to invest in them. They are strategic to identity security and represent a win-win-win for companies-admins-users. See Duo documentation to learn how Duo Passwordless, Trusted Endpoints, and passkeys can help protect user identities and secure access to your environments today!

<![CDATA[Announcing Identity Intelligence With Duo]]> ivablazi@duo.com (Iva Blazina) https://duo.com/blog/announcing-identity-intelligence-with-duo https://duo.com/blog/announcing-identity-intelligence-with-duo Product & Engineering

The idea that “identity is the new perimeter” is not new. It has been a foundational component in many approaches to zero trust. However, over the past 18 months, there has been an unprecedented wave of identity-based cyberattacks with devastating consequences. According to Cisco Talos, three of the top five MITRE ATT@CK techniques used in 2023 were identity-based.

Traditionally, credentials (such as usernames, passwords or security tokens) have been the gatekeepers of access. Each user’s identity is a potential door into an organization’s environment. Given the affordability and scalability of identity-based techniques, attackers have been quick to target these doors. So, while the statement “identity is the new perimeter” is true, it must be followed with “and identity context is critical in order to grant secure access.”

Even before the high-profile attacks in 2023, the trend in adopting zero trust security principles already showed that identity security must be a major priority for organizations of all sizes.  

Addressing identity-based attacks

Duo has made a number of significant investments in identity security over the last several years with the release of Duo’s Trust Monitor, Duo’s Risk-Based Authentication, and moving Duo’s Trusted Endpoints feature into Duo’s Essentials edition.

In a world where identity has become the most attacked perimeter, Cisco & Duo are doubling down on a security-first approach to identity and access management.

Today, we are announcing a private preview of Duo’s identity security capabilities powered by Cisco Identity Intelligence. Cisco Identity Intelligence is a powerful, cross-platform identity graph that will inform and infuse identity context into the Cisco Security portfolio.

Cisco Identity Intelligence will help Duo customers with unmatched visibility across their full identity and access management stack while helping to detect and prevent identity-based attacks. This will help to overcome fragmented and inferior approaches to identity which leave organizations vulnerable to attacks.

“…we need the identity data…but we can’t just send the SOC an ocean of data without context…” — Duo Customer, Technology Sector

Cisco customers have been asking for this type of intelligence, and we wanted to provide actionable identity insights without the noise. As one administrator put it: "...we need identity data…but what we don’t want to just to send the SOC an ocean of data without context and they don’t know what to do with it.”

Context is king and organizations have a need for contextualized identity insights that are actionable, and we can’t agree more. Most solutions in the market today are either too noisy, plagued by false positives, hyper-focused on legacy infrastructure, or tailored for one specific identity solution.

Reducing the risk of identity-based attacks

Picture a scenario where an attacker acquires a list of dormant accounts, performs credential-stuffing, and gets the necessary credentials to log-in.  Given that the average company has 40.26% of accounts with either no MFA or a weak MFA[1], getting through the hoops to exfiltrate sensitive data is not overly complex.

Having an identity security solution which provides visibility into misconfigured and unused accounts by comparing with identity sources (such as your identity provider and HRIS system), including employees, contractors, and service accounts, is a necessity.  To help minimize chances of successful identity-based attacks, such a solution should also offer holistic coverage across identities and applications.

To address identity-based attacks with greater efficacy, Identity & Access Management (IAM) analytics need to be an inherent part of such a solution. This way, IT Administrators can quickly address any security gaps by migrating from weak authentication to strong, phishing-resistant, multi-factor passwordless deployments across a customer’s entire enterprise stack.

In the video below, Duo Product leader, Josh Terry, highlights how Duo powered by Cisco Identity Intelligence will provide immediate security value and response to today’s most common attacks in real-time such as session hijacking, inactive account abuse, and more:

See the video at the blog post.

Enhanced user and breach protection

This move will help Duo’s customers to streamline security operations, improve security posture by protecting both access and identity infrastructure, address compliance requirements more effectively, and ultimately, fast-forward their journey to zero trust.

Cisco Identity Intelligence’s capabilities are available now in a private preview for select Duo customers. It will be packaged in Duo Advantage and Duo Premier editions for all customers once generally available.

What is coming next?

Whether it is helping customers secure their identity tools or making sense of enormous identity data with data analytics and AI, Cisco is putting identity security at the core of its security strategy.

This private preview is just the beginning as we continue to gather feedback and offer more identity security capabilities to help customers meet additional identity security outcomes.

Stay tuned!

If you just want to talk about identity security with a specialist or aren’t sure where to start, please contact us here!

[1] Based on a report we issued in 2023.

<![CDATA[The 2024 Duo Trusted Access Report: Navigating Complexity]]> sbila@duo.com (Slavka Bila) https://duo.com/blog/2024-duo-trusted-access-report-navigating-complexity https://duo.com/blog/2024-duo-trusted-access-report-navigating-complexity Industry News

The 2024 Duo Trusted Access Report: Navigating Complexity, gives us a chance to use the topic of complexity as a backdrop to examine trends (existing and emerging) in both access management and identity.

Complexity is covered from multiple angles - from the complexity of identity stack to the complexity of managing digital identities and access rights – providing practical recommendations to help organizations navigate the more sophisticated cybersecurity landscape.

In partnership with the Cyentia Institute, Duo analyzed data from more than 16 billion authentications, spanning nearly 52 million different browsers, on 58 million endpoints and 21 million unique phones across regions including North America, Latin America, Europe, the Middle East, and Asia Pacific.

Here’s a quick look at a few of our top findings:

  • Passwordless adoption continues to rise — Even though it began on a small scale, account adoption of WebAuthn-enabled factors, including security keys and biometric technology like Touch ID, increased by 53%.

  • MFA usage continues to expand globally — The number of MFA authentications using Duo rose by 41% in the past year.

  • SMS and phone calls as a method of second factor authentication decreased by 22%, reaching an all-time low at 4.9%.

  • The percentage of failures due to out-of-date devices increased by 74.7% in 2023 — Organizations are putting in stricter controls, reducing risk of out-of-date software.

  • Less than 4% of organizations implement explicit geography-based deny or allow policies.

In addition to looking into the past, we wanted to give our readers a sense of what the future might bring. To do this, we have also delved into identity sprawl and protection, a concept that might still be considered emerging to some.

Why should you care about identity sprawl?

Identity sprawl is a growing challenge and occurs when users have numerous accounts and identities managed by multiple systems that are not synchronized. This presents a continuous security risk and operational challenge for many security and IT teams.

Focused on identity security challenges, the report aims to answer the following questions:

  • Identity is the new perimeter; why are we struggling to protect it?

  • How can we maintain the visibility of our workforce identities?

  • How can we secure workforce identities?

The future of identity security

When Identity & Access Management (IAM) hygiene is poor or inadequate, organizations' identity attack surface increases. As more relationships are created between devices, attributes, identities and permissions, it becomes increasingly difficult to monitor which users are doing what.

Investigating incidents is also challenging without a solution that brings identity-related data together from multiple sources or helps pass contextualized posture information from IT to SOC. Visibility into misconfigured and unused accounts, including employees, contractors, and service accounts is also vital.  

Having identity threat detection and response capabilities under one roof with access management is becoming a necessity. In tandem, these capabilities can help minimize chances of successful identity-based attacks while offering holistic coverage across identities and applications.

To address identity-based attacks with greater efficacy, IAM analytics needs to be an inherent part of such a solution. It builds context for the policies, strategies, and prioritizations necessary to fill visibility gaps and move the needle towards strong least privilege access controls and a zero-trust security strategy.

This year’s Trusted Access Report provides a comprehensive analysis of trends in authentication and access. With the growing complexity of identity sprawl and increasing concerns about identity security, it is more important than ever to add context through data.

Download the 2024 Duo Trusted Access Report: Navigating Complexity today to learn more about these trends.

<![CDATA[Identity Threat Trends for Higher Education]]> beccalyn@cisco.com (Becca Lynch) https://duo.com/blog/identity-threat-trends-for-higher-education https://duo.com/blog/identity-threat-trends-for-higher-education Industry News

As a new semester begins, we at Cisco Duo want to share some findings and trends pertaining to threat activity we have seen across higher education customers. We will outline the trends and attack patterns that are the most prevalent and discuss how to configure Duo policies to best protect your users.

What happened?

In analyzing de-identified customer data over the latter half of 2023, we found a pattern of threat activity targeting multiple universities using shared attack infrastructure. The attack methods included a mixture of passcode phishing and push harassment, with the intent to access university VPNs or register a malicious authentication device on one or more user accounts for continued access.

Threat vectors discussed:

  • Passcode Phishing: An attacker uses a fake website to collect a one-time passcode from a user, which they can then use to authenticate

  • MFA Fatigue: An attacker sends repeated Push requests to a user, in the hopes that the user will mistake a request for a legitimate authentication or approve it to stop the flood of requests

  • Device Registration: After an attacker gains access to a user account, they register their own MFA device so that they can continue to access the account in the future

For example, here we can see a sequence of failed authentications, represented by red dots, as the attacker crawls across multiple users at an organization. In this situation, we can assume that they have either phished users’ first factor credentials (their password), or are crawling user accounts with weak, guessable passwords. The attacker sends a flurry of Push requests to each user, in the hopes that a user will inadvertently grant access. In this example, the users thankfully did not respond to the attacker’s requests, but this isn’t always the case.

How did Duo investigate and respond?

These attack patterns were initially identified via notifications from concerned customers. We knew we needed to do more to investigate the attack and provide support to customers, so we collaborated with Cisco Talos to hunt for and respond to additional activity. As malicious infrastructure was identified throughout this research, we blocked it from accessing our systems, and took steps to notify customers that were impacted. Also, the patterns seen here were cataloged for further development of threat detection mechanisms that will enhance our customers' security.

What can Duo customers do to protect themselves?

The activity observed in these attacks represents some of the most common attack patterns against MFA. Duo customers in the educational sector and beyond can take steps to secure their environments.

Credential Rotation

While security professionals do not recommend that organizations force users to regularly change their passwords, compromised passwords should always be changed. Even if access was not ultimately gained, any malicious MFA attempts typically signify a breach of first factor credentials. Administrators should take care to monitor for unusual patterns of failed login activity and encourage affected users to set new strong, unique passwords.

More Secure Authentication Factors

If you haven’t already, consider securing your user Device Management Portal to only allow more secure authentication factors, such as Verified Duo Push or WebAuthn authentication methods.

Additionally, Duo’s Risk-Based Authentication (RBA, available on Premier and Advantage editions) can intelligently force a “step-up” to require a more secure factor like Verified Duo Push when an attack pattern, like push harassment, is detected. In the context of the attack shown in the previous section, after multiple failed authentications the attacker would be disabled from making further Push attempts. If the attacker selected a different factor like Verified Duo Push, the trusted user would not have the code provided on the access device, and could not inadvertently approve the authentication.

Duo Trusted Endpoints

Duo Trust Monitor

If you’d like to be alerted to suspicious activity in your environment and monitor for potentially malicious behavior, consider using Duo Trust Monitor. Trust Monitor uses a set of machine learning models and security heuristics that consider the user’s prior history and typical behavior within an organization. It will then score and rank authentications in the past 24 hours and surface any anomalous activity as a security event for administrators to review. Trust Monitor will also detect and surface risky device registration events.

Common signals used in Trust Monitor to identify risky events include the rate of travel between authentications, time of day of the authentication, the operating system of the device attempting access, the authentication factor being used, and the application being accessed. Many of the authentications seen in these attacks would have triggered security events within Trust Monitor due to their unusual locations and operating systems given the users’ respective histories.


The behavior we have seen indicates that higher education institutions are increasingly being targeted by malicious actors. While Duo MFA is an essential first step in protecting your organization, we hope that the recommendations laid out here will allow you to have more confidence in the safety of your users as you head into the new semester. That way your teachers and students can focus on why you’re at school in the first place, to learn. We will continue to monitor for and alert customers to detected malicious behavior and use these findings to further enhance our offerings.

<![CDATA[Removing Passwords, Without Compromising Security]]> aggerwal@cisco.com (Nitesh Aggerwal) https://duo.com/blog/removing-passwords-without-compromising-security https://duo.com/blog/removing-passwords-without-compromising-security Product & Engineering

In today’s complex IT landscape, one of the biggest problems faced by a Chief Information Security Officer (CISO) and their IT security team are forgotten and stolen passwords. On average, employees lose 11 hours per year resetting passwords and an average company spends ~$5M per year on setting and resetting passwords. And this is just the cost of resetting passwords. A stolen password can cost a company even more than that.

How can companies safely verify user identities without using passwords? Learn how Cisco did it for our 130,000-employee workforce using our Duo Passwordless solution and how the Duo Care team played a vital role in making that process easy and seamless.

Duo offers an industry-leading passwordless solution. So how did we go about implementing this for a huge enterprise like Cisco? We started with the pre-requisites.


Passwordless uses passkeys and platform authenticators as one of the many ways to secure application access without passwords. Cisco went with the following options, as all of their workforce has devices which support one of the following:

  • Windows Hello for Windows devices

  • Touch ID for macOS devices

  • Face ID or Touch ID for iOS and iPadOS devices

  • Android Biometrics, such as Pixel fingerprint or facial recognition, or Samsung fingerprint or facial recognition

Duo Passwordless supports Chrome (Desktop and Mobile), Safari (Desktop and Mobile), Edge and Firefox. Since these are standard and supported browsers at Cisco, the decision to move to Duo Passwordless was easy.

Phased rollout

Although most employee devices include supported platform authenticators, not all were enabled. Therefore, Cisco planned the rollout of passwordless in phases across its entire workforce of ~130,000 employees.

Before each of these phases, Cisco did an extensive email campaign and published FAQs on how to enable Platform Authenticators and the security benefits which come with Duo Passwordless.

  • Phase 1: This was the initial phase, where Duo Passwordless was enabled for a small set of pilot users.

  • Phase 2: Duo Passwordless was expanded to ~20,000 members of the Cisco Workforce.

  • Phase 3: Duo Passwordless was expanded to ~60,000 members of the Cisco Workforce.

  • Phase 4: Duo Passwordless was rolled out to everyone in Cisco.

It took Cisco a total of 10 months from the initial launch of Duo Passwordless to enabling it for all of their workforce. For a company the size of Cisco, this was a fairly quick turnaround from initial Pilot to Duo Passwordless general availability for their entire workforce. Generally, speaking, rollout times vary based on the number of employees, devices capabilities and applications.

How do you track success?

During each phase of the rollout, the Duo Care team worked closely with Cisco IT to provide detailed metrics on user enrollments. These metrics included details on how many users had successfully signed up for Duo Passwordless, how many users had skipped enrollment manually and how many users were auto-skipped due to their devices missing any of the above-mentioned platform authenticators. These metrics helped Cisco IT reach out to the users directly and work with them to get them enrolled with Duo Passwordless.

The other big metric which was tracked was the reduction in help desk tickets for Password resets. Since Cisco made Duo Passwordless generally available for all of its ~130k workforce in August 2023, we have seen ~73,000 users in Cisco enroll in Duo Passwordless. This enrollment has caused the overall number of password reset-related help desk tickets to decrease by ~12%. The Duo Care team is working closely with Cisco to get their remaining workforce enrolled with Duo Passwordless.

Is your organization ready for Duo Passwordless?

If you are just as excited about Duo Passwordless and want to see how it can benefit your organization with better security and reduced password resets, take action today!

For Duo Care Customers:

Send an email to your Customer Success Manager – alongside your dedicated Customer Solutions Engineer, they will be ready to schedule a call to help you get started!

For All Other Paid Subscribers:

View Duo Passwordless Documentation

And if you are interested in adding Duo Care Premium Support to your current contract, please send an email to your Cisco Account Manager.

<![CDATA[Actionable WebAuthn You Can (and Should) Implement Today]]> adonis1@cisco.com (Adonis Gutierrez) https://duo.com/blog/actionable-webauthn-you-can-implement-today https://duo.com/blog/actionable-webauthn-you-can-implement-today Product & Engineering

Throughout 2023, we’ve heard about many high-profile security incidents targeting a wide range of publicly listed companies. These incidents have caused service disruptions, decreases in operating margins, lost confidence in brand names and fluctuating stock prices. Additionally, Chief Information Security Officers (CISOs) have also been under scrutiny for the actions they’ve taken to address these issues.

Protect your organization

It’s crucial to understand that you can act now, you don’t have to wait to improve your security posture. Technology exists to harden your infrastructure. Let’s talk about how customers have been accomplishing this with Duo Security.

WebAuthn is important.

In 2023, the United States National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) released the Top 10 Cybersecurity Misconfigurations advisory, with #7 highlighting “Weak or misconfigured multifactor authentication (MFA) methods.” To add, Cisco Talos 2023 Year in Review (page 7) highlights hackers' use of “Valid Accounts” as the second most common attack technique observed for the year.  As noted on the page, “These findings are consistent with Talos Incident Response data, which showed compromised credentials/valid accounts accounted for nearly a quarter of known initial access vectors in 2023.”

WebAuthn addresses this attack vector by requiring strong MFA as it requires physical human interaction when authenticating.

Can your organization exclusively support WebAuthn?

I’m constantly talking to large S&P 500 companies. When we speak, I ask them, 'Where are you with your WebAuthn strategy?'

I constantly hear the same thing from customers: “It is part of our future security objectives, but we also need to consider our legacy infrastructure.”

There isn’t a 'one size fits all' approach to security and authentication methods. The world has vastly different organizations and plenty of use cases to meet, from call centers in another country to the administration of huge server farms.

Many customers still need to support applications that don’t support browser-based authentication workflows. How do we isolate those authentication workflows while application vendors continue to adopt the WebAuthn protocol or until organizations can decommission these applications? Duo can provide the needed flexibility.

Improving your security is closer (and easier) than you think

Duo can help your team improve security. The approach outlined in our knowledge base article Guide to WebAuthn Enrollment Strategies provides multiple authentication method options to fit a wide array of customer use cases, budgets, and administrative costs. It can also help reduce reliance on your internal help desk team and thus reduce the number of help desk tickets.

In many cases, your help desk team is required to identify the person calling in for support. Therefore, it’s important to clearly understand: how secure is your help desk’s identity verification process? You’ll have to account for any human verification as a possible risk factor.

With the approach we outlined, you can shift verification from the help desk to technology that will enforce a consistent authentication process and thus reduce the risk of a security incident.

Do you have any questions or want to discuss this strategy more in-depth with a trusted advisor? Duo Care can help.

For interested customers who would like to continue the conversation, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.

Click here to learn more about Cisco Talos Incident Response.

<![CDATA[Revolutionizing Cisco VPN Access with Duo SSO]]> lgreer@duo.com (Landon Greer) https://duo.com/blog/revolutionizing-cisco-vpn-access-with-duo-sso https://duo.com/blog/revolutionizing-cisco-vpn-access-with-duo-sso Product & Engineering

  • Secure Cisco VPN logins in less than an hour

  • Authenticate users in seconds

  • Verify user + device posture

  • Block unmanaged devices

  • Mitigate modern security threats with phishing-resistant authentication

Join the thousands of Cisco firewall customers who take advantage of protecting Cisco VPN logins with Cisco Duo Single Sign-On via SAML 2.0 to help prevent unwanted access and streamline the user experience. Cisco Duo is a leading access management platform that protects access to all applications, for any user and device, from anywhere. It is designed to be easy to use, administer, and deploy while providing complete endpoint visibility and control.

10 reasons to move to Duo SSO with Cisco VPN

The following functionality is only available using the Duo Universal Prompt and protecting Cisco Firewalls with SAML 2.0. Duo will continue to invest in our focused security principles through the Duo Universal Prompt, so be sure to keep an eye out for new policy improvements.

  1. Passwordless — Duo Passwordless uses passkeys and platform authenticators, security keys from access devices, or Duo Push to secure application access without passwords, reducing the risk surface and administrative burden associated with passwords while improving the user experience

  2. Verified Duo Push — Asks users to verify push requests to mitigate the risk of push harassment attacks

  3. Trusted Endpoints — Block untrusted/unwanted devices from accessing your corporate VPN

  4. Risk-Based Authentication —This reduces user friction and improves security by analyzing risk signals and automatically stepping-up authentication only when necessary

  5. Built-In Security — Universal Prompt utilizes OpenID Connect and moves away from using iFrames, which eliminates the need for additional security configurations (allowed hostnames) that is recommended with the Traditional Prompt

  6. Self-Service Portal — Admins can securely enable the new Duo hosted Self-service portal by enforcing policies and requiring strong authentication, empowering users to self-enroll and manage their authentication devices

  7. Improved User Experience — Universal Prompt is a major redesign with new styling and workflow-based authentication experience, such as last-used authentication method and more

  8. Localization — Includes support for 15 languages, with more to come

  9. Customization and Branding — Allows admins to give users a familiar and trusted experience

  10. Accessibility — Makes strong authentication inclusive and easy for every user. Universal Prompt is designed and tested to meet Web Content Accessibility Guidelines (WCAG) 2.1 at the AA level

See the video at the blog post.

Cisco VPN User Login Experience: SAML 2.0 vs. RADIUS

Cisco Adaptive Security Appliance (ASA) and Cisco Firepower are two of the most common VPN solutions on the market today. Given such, Cisco Duo hosts a wide range of customers leveraging the Duo Trusted Access platform to protect their Cisco Secure Client logins. Today, many of these customers utilize an aging legacy integration that leverages the RADIUS protocol. This integration provides an end-user experience that is an automatic Duo Push or Duo Phone Callback (if enabled by a Duo Administrator) but leaves a lot to be desired (and lacks the ability to deploy modern access & security policies to all logins).

Cisco VPN Radius Experience:

See the video at the blog post.

Instead of the legacy experience, you have the power to simplify trusted access across your organizations by moving from a legacy integration method like radius to Duo SSO. Duo SSO enables organizations to deploy simple, but granular zero trust security policy per app or group including passwordless, phishing resistant authentication (verified push and/or passkeys), device trust (trusted endpoints), risk-based authentication (RBA), contextualized access policies, user-self remediation and much more.

Below is an example of the Cisco Duo SSO experience for Cisco VPNs:

See the video at the blog post.

The experience and capabilities enabled by a modern Duo SSO protected login are highlighted in the section below.

How to protect & modernize Cisco VPN logins with Duo

Review prerequisites for Cisco ASA or Firepower.

  1. Configure Duo Single Sign-On

  2. Connect Cisco ASA or Cisco Firepower via SAML 2.0 to Duo SSO

  3. Create Duo Policy requirements for Cisco ASA or Cisco Firepower by application or group

  4. Validate the sign-in experience and test with a pilot group

Ramp up security without sacrificing productivity

Duo SSO quickly connects to your identity provider of choice and integrates with any SAML or OIDC application with dedicated integrations for Microsoft 365, Citrix NetScaler, Palo Alto Networks, SonicWall, SalesForce, Cisco Webex, and many others.

With Cisco Duo Single Sign-On, you can easily grant frictionless access to applications while simultaneously enforcing strong zero trust measures across applications, people, and devices. As hybrid and mobile workforces continue to grow, establishing a seamless way to manage multiplying endpoints will streamline security operations and minimize your attack surface.

Start closing your cybersecurity readiness gap. Contact Cisco Duo today.

<![CDATA[From Base Camp to Summit: Climbing from AD FS to Duo SSO]]> cmedfisch@duo.com (Colin Medfisch) https://duo.com/blog/climbing-from-ad-fs-to-duo-sso https://duo.com/blog/climbing-from-ad-fs-to-duo-sso Product & Engineering

Scaling a cybersecurity mountain is an arduous but essential task for organizations. It requires careful planning, thorough preparation, and the right gear. For years, Active Directory Federation Services (AD FS) has been the trusted climbing gear for many organizations. It has been a dependable tool, providing single sign-on access to systems and applications across organizational boundaries.

However, just as mountain climbing techniques and equipment have evolved over the years to overcome tougher terrains and higher peaks, so too must our cybersecurity tools adapt to the ever-changing threat landscape. As cyber threats become increasingly sophisticated and complex, it's crucial to ensure your organization has the most advanced, secure, and efficient tools at its disposal.

This is where Cisco Duo's Single Sign-On (SSO) comes into the picture. Consider it the next-generation climbing gear designed specifically to overcome the challenges of today's cybersecurity mountain. Duo SSO offers enhanced security features, streamlined user experience, and the flexibility to adapt to unforeseen challenges.

Switching from AD FS to Duo SSO is like trading an old climbing harness for a state-of-the-art alpine kit. It not only ensures that your organization is better equipped for the climb but also makes the journey significantly smoother and safer. In the vast landscape of cybersecurity, Duo SSO is the gear upgrade that can help your organization reach new heights of security. As with any sport, you don’t need to upgrade all of your gear at once, and we’ve made it easy to move at whatever pace best fits your organization.

Embrace Duo SSO and ensure your organization's journey up the cybersecurity mountain is secure, efficient, and successful.

What are customers saying from the top?

Just as every mountaineer experiences a unique journey to the summit, each organization embarks on its own unique path when transitioning from AD FS to Duo SSO. As they traverse this cybersecurity landscape, customers often share their insights, much like climbers sharing their experiences to guide those who follow. So, what are we seeing from our customers as they navigate this shift? Let's delve into the base camp chatter.

The Ultimate User Experience: Duo SSO offers a seamless, single sign-on experience across all applications. This enhances user satisfaction and boosts productivity by reducing the time spent logging into multiple applications. Duo SSO is the linchpin to our streamlined authentication experience in which users authenticate once at the start of their day and forget that Duo is there as we securely and automatically sign them into the rest of their Duo applications.

Threat Mitigation: Duo SSO ingeniously prevents user lockouts and unnecessary strain on your internal infrastructure by proactively analyzing and suppressing repeated bad login attempts. This feature significantly reduces user frustration and enhances account security. Offering a smooth, smart solution, Duo SSO ensures a secure and hassle-free environment for user accounts.

Straight-Forward, Zero Trust Policy Enablement: Duo SSO supports enabling zero trust policies with a simple per app, group, or global approach such as strong multi-factor authentication (MFA) with Verified Push, risk-based authentication with Duo's Risk-Based Authentication, device trust with Trusted Endpoints, and contextualized access & remediation policies.

Simplified Management: Duo SSO offers a cloud-based service that eliminates the need for so many on-premises servers. This reduces the complexity and maintenance efforts, providing a more streamlined and simplified management experience.

Increased Flexibility: Duo SSO supports SAML, OIDC, and OAuth applications, which covers many, if not all, of the SaaS or increasing number of internal applications you may use. With our growing list of officially named integrations, you have greater flexibility in shaping your IT architecture according to the unique set of applications that you care about most and that drives your business forward. All accessible in whatever way is easier for you - the Duo Admin Panel or our newly released Admin API!

Enhanced Scalability and Availability: Being a cloud-based service, Duo SSO offers high availability and can easily scale up to meet the growing needs of large organizations, ensuring uninterrupted service.

Cost Efficacy: Migrating to Duo SSO can lead to significant cost savings by reducing the need for hardware, lowering maintenance efforts, and minimizing downtime - giving your team time to drive the business forward instead of updating AD FS servers.

Robust Security:  Duo SSO provides robust security features, including two-factor authentication and device health inspection, offering better protection against cybersecurity threats.

Migrating from AD FS to Duo SSO offers businesses several benefits, including simplified management, increased flexibility, enhanced scalability, cost savings, robust security, and an improved user experience. It's a strategic move that can help businesses navigate the cybersecurity landscape more effectively.

Layering — important for any climb

Layering is key to adapting to changing conditions. Similarly, organizations can layer cybersecurity solutions for smooth transitions. Consider AD FS as your base layer, reliable and familiar. But as cybersecurity challenges grow, you need more advanced gear.

Enter Duo's Single Sign-On (SSO), the high-tech outer shell layered over AD FS. It enhances functionality and protection with features like SAML 2.0 support and two-factor authentication. As you adjust to Duo SSO's enhanced capabilities, you may find you no longer need the AD FS layer. Shedding it leaves a lighter, more efficient, and highly secure system, but having both for a period ensures a more comfortable, streamlined experience for your organization.

In short, layering solutions from AD FS to Duo SSO ensures a secure, smooth transition, preparing you for every stage of your cybersecurity journey.

With Duo SSO, you can configure the service to use your AD FS server as a SAML Authentication source. When configured in such a way, your users will still be greeted with the same login page that they are familiar with but with the added benefits of Duo.

Here is an example of this flow:

  1. The user initiates login to a SAML or OIDC application-protected with Duo SSO.

  2. The application redirects the user’s browser to Duo Single Sign-On with a SAML request message.

  3. Duo Single Sign-On redirects the user’s browser to AD FS with a SAML request message.

  4. The user logs in with the primary credentials at the AD FS login page.

  5. AD FS redirects the user’s browser to Duo Single Sign-On with a response message.

  6. Duo Single Sign-On requires the user to complete two-factor authentication. User completes Duo two-factor authentication.

  7. Duo Single Sign-On redirects the user’s browser to the SAML or OIDC application.

Now, you have the flexibility to transition at your own pace. Your users won't notice any disruptions as applications are seamlessly shifted between systems, thanks to the established application sessions. Once your migration to Duo SSO is complete, you can smoothly transition to using Active Directory directly. It's like shedding a layer once you've acclimatized to the climb, leaving you with an efficient, and highly secure system to carry you forward on your cybersecurity path.

Want to climb with us? Subscribe to our release notes.

To learn more about Duo SSO and Duo Central as a whole, view our official documentation.

<![CDATA[Understanding & Defending Against Adversary-in-the-Middle (AiTM) Attacks]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/understanding-defending-against-adversary-in-the-middle-aitm-attacks https://duo.com/blog/understanding-defending-against-adversary-in-the-middle-aitm-attacks Industry News

Adversary-in-the-Middle (AiTM) is a sophisticated attack vector that has made headlines for sensitive breaches. While understanding these types of attacks can seem intimidating, it is important to know what an AiTM attack is and how it works to safeguard your users and your organization.

What is an AiTM attack?

A typical AiTM attack might start out with a phishing email that includes a malicious link. All the attacker needs to do is get the user to click the link. The user might not even need to give up their password. Clicking the link routes the user to a proxy server which is typically identical to the authentic web page, except the URL. Oftentimes, these proxy sites will use HTTPS, so they will still show the lock icon in most browsers. The proxy page allows the attacker to steal the user's valid session cookies, bypassing the traditional authentication process.

How does the proxy work?

To learn how an AiTM attack works, it is important to first understand the following browsing concepts:

  • Cookies: Cookies enable a website to remember you, so you don’t have to re-login with every click. This is how you can navigate between emails without having to log back in or add different items to your shopping cart and the website remembers them.

  • HTTPS: HTTPS, or Hypertext Transfer Protocol Secure, is a secure version of HTTP.  The protocol enables you and the website to speak securely using encryption, making it difficult for outsiders to monitor your communications or traffic.

AiTM can start by using the phishing link to initiate an HTTPS connection with the attack server and an HTTPS connection to the website you’re trying to access. HTTPS is never broken. There really is a secure connection between you and the attacker's server. From this point on, all traffic sent between the user and the login webpage – including credentials, MFA passcodes, and cookies – will be proxied through the attack server. This is key, because the attacker controls the HTTPS session, they can see everything that is sent.

Even an out-of-band method of authentication (a request sent through a different channel other than the website), such as a Push, is technically susceptible to an AiTM attack. This is because once a user completes the push request, the website sends the session cookie to the attack server. Once the attack server has the cookies to be authenticated with the website, it will sever connection with the user.

Phishing-Resistant Authentication

The best way to protect users from AiTM attacks is to require phishing-resistant authentication. The FIDO Alliance has developed standards based on public key cryptography, including the Web Authentication API, or WebAuthn. WebAuthn works using several different secure design principles, including:

No Shared Secrets:

In this method of authentication, a user’s device creates a pair of keys. The private key is stored securely in tamper-resistant hardware on a device and a public key is registered with the application. When the user authenticates with the private key, it remains on the device so even if an AiTM attacker tries to intercept the communication, it is impossible to steal the private key.

Origin Checking:

When performing the authentication, the browser sends the origin information to the FIDO2 authenticator (like a security key or phone). The authenticator uses this information to ensure that the request is coming from the correct website, not a malicious one. This way, users don't have to worry about spotting small differences in the URL (like the difference between an upper-case 'O' and the number '0' in a URL); their authenticator does it for them.

Token Binding:

FIDO2 authentication also supports a method called token binding. When a user logs into a site or app, it gives the device a "token" which works like a temporary pass that proves the device's identity for a certain period. So even if an AiTM attacker intercepts the communication, they can't use it because it's bound to the original, secure session.

How Duo can help

Duo’s Passwordless solution employs FIDO2 standards to provide a phishing-resistant authentication option. This enables users to use a biometric, like a fingerprint or face ID, or a security key, to confirm their identity on their device. Doing so removes the need for passwords and enables users to complete multi-factor authentication in unified experience. In addition, Duo supports the use of passkeys, or WebAuthn credentials, to enable users to synchronize private keys between devices.

Organizations can also combine device trust policies with strong authentication to provide an extra layer of defense. Duo Desktop powers the Trusted Endpoints solution to evaluate the device’s health and management status when the user authenticates. With new features like Automatic Registration, Payload Signing, and Device ID Pinning, Trusted Endpoints can enhance protection against bad actors.

Duo makes it easy for organizations to protect their users regardless of the application or device. To learn more, sign up for a free trial of Duo to see the product in action today.

<![CDATA[Social Engineering 101: What It Is & How to Safeguard Your Organization]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/social-engineering-101-what-it-is-how-to-safeguard-your-organization https://duo.com/blog/social-engineering-101-what-it-is-how-to-safeguard-your-organization Industry News

An attack in action

Logging into work on a typical day, John, an employee at Acme Corp. receives an email from the IT department. The email informs John that the company suffered a security breach, and it is essential for all employees to update their passwords immediately. John clicks the link provided, which takes him to a website that looks exactly like his company’s login page. A few days later, John finds himself locked out of his account, and quickly learns that the password reset link he clicked earlier did not come from his company.

John is a diligent employee. He took the steps needed to keep his account safe by following the directions from his IT team. While there might have been some signs the email was a forgery from an outside attacker, there were no obvious red flags. The email was clear in its logic and the login page was identical to the one he uses regularly.

But as it turns out, John was a victim of a phishing scam, a type of social engineering attack where the cybercriminal impersonated John’s IT department to gain his trust and trick him into revealing his login credentials. The login page John visited was a convincing duplicate of the company's real login page, but in reality, it was nothing more than a trap set by the attacker to collect credentials.

What is social engineering?

Social engineering is often used to obtain access or information through a technique called phishing. Typically, an attacker will impersonate someone the victim knows and convey a sense of urgency and importance in their communications to encourage the victim to take action. Some common phishing attacks used for social engineering include:

  • Phishing: An attacker sends fraudulent emails or texts that appear to be from trusted sources to get individuals to reveal personal information. These are often generic in nature, and use bland pressure tactics, such as the data breach warning John experienced.

  • Spear Phishing: A more targeted form of phishing where specific individuals or organizations are the intended victim. In John’s case, a spear phishing attack might have referenced a coworker, his employee number, or a project he was working on.

  • Whaling: A specific type of phishing attack that targets high-level executives or important individuals within a company.

  • Vishing: The telephone version of phishing, where the attacker calls the victim and pretends to be a legitimate organization asking for sensitive information.

  • Smishing: This is the SMS version of phishing where the attacker sends fraudulent messages via text to trick the victim into providing sensitive information.

Social engineering enables attackers to victimize trusted users and then use the information obtained (often compromised credentials) to do damage to an organization. Cisco Talos found that the use of valid accounts is the most common technique for an attacker to gain initial access to an organization, making up nearly 40% of security engagements. So clearly, John isn’t alone. Every day criminals send millions of phishing emails. It’s a numbers game to them, and they only need one or two people to fall for their scam to be successful.

How Duo can help

As attackers get more sophisticated, it is important to improve your organization’s defenses to ensure only trusted users gain access to sensitive resources. Duo can help your organization protect its users and set up roadblocks to get in the way of attackers, even when they send convincing emails meant to deceive your employees.

  • Ensure access from devices you trust: Reinforce your users by combining strong authentication requirements with device trust policies. Duo’s Trusted Endpoints checks if the device is managed or registered and if it should be trusted. If it is, access is granted. If it’s not, the user is stopped before they can even attempt to log in. This capability is available in all Duo editions.

  • Remove passwords from the equation: Duo’s Passwordless solution, powered by WebAuthn technology, requires a biometric at login, rather than a password. The biometric on the trusted user’s device unlocks a private key that is matched to a public key held by the application, enabling the user to log in. This makes traditional phishing attacks in which bad actors steal passwords obsolete.

  • Evaluate login attempts for context and risk: In the event of an attack Duo’s Risk-Based Authentication can step up the authentication to a Verified Duo Push. This requires the user to enter a code from the access device, like a laptop, into the Duo Mobile application, which a trusted user cannot do if they are not logging in. This is available in Duo’s Advantage and Premier tiers.

To learn more, sign up for a free trial of Duo today.

<![CDATA[Build Long-Term Success by Realizing the Value of Your Duo Subscription]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/build-long-term-success-by-realizing-value-duo-subscription https://duo.com/blog/build-long-term-success-by-realizing-value-duo-subscription Product & Engineering

Value. It’s what we all want when we’re paying for something. While recognizing short-term value is certainly important, we often find that achieving value over the long haul is more rewarding and profitable. The burden of realizing the value of a product or service is shared by both the provider and the consumer. I’ll use myself to illustrate this point.

The Value Equation

I’ve been a Comcast customer for almost 13 years now and I keep renewing my service package. Why? Like any smart service provider, Comcast understands that to retain customers, it must continue to enhance its offering. For example, faster broadband speeds, more TV channels, smarter remotes and throwing in some loyalty rewards like free movie rentals. The enhancements are designed to provide consumers like me with greater value over time. That’s nice, and Comcast does a good job improving its services and communicating them to me, so I know what I’m getting for my money.

But that’s only half of the value equation. It’s still up to me to make use of the all the features I’m paying for, otherwise it’s not worth the investment. In today’s world of streaming services there are a lot of alternatives I could turn to. So, I try to stay on top of the enhancements and upgrades I’m receiving and make sure I’m using as many as I can so that I get that value I want. I’m playing a long-term strategy.

Realizing Value

When we engage with customers who are considering moving to another vendor, we sometimes learn they aren’t aware of all the features they have at their disposal within their Duo subscription. After spending time with the customer to discuss their needs and the Duo features available to help solve their challenges, it typically leads to an ‘Aha!’ moment and a happier customer.

Building a Partnership for the Long Term

So how are we helping our customers achieve greater value and build a long-term partnership with Duo? Here are just some of the ways we’re doing both.

  • Growing Feature Set ­— We’re continually building out the Duo feature set to help our customers realize a greater return on their investment. In 2023, we made our Trusted Endpoints feature available in all paid Duo editions. We added single sign-on (SSO) support for OIDC-based apps and enhanced the security in Duo Desktop to prevent bad actors from spoofing the app and its data. We also announced Duo’s vision for streamlining the user authentication workflow.

  • Public and Private Previews — Before new features or products become generally available, Duo often provides customers with the opportunity to evaluate the feature or product and offer feedback as part of the release process.

  • Workshops — Customers can take advantage of hands-on instructor-led training courses on a variety of topics such as zero trust and SSO to build their skills and increase their knowledge of Duo features.

  • Duo Care — This premium support service enables you to work with a team of Duo experts who will guide you through the life of your subscription to help you maximize the value of your Duo investment as your organization and business needs evolve.

  • Level Up Online Training — Free to all Duo customers, Level Up is an online learning platform featuring courses designed to help you get the most from your Duo subscription and take the next step as you develop your zero trust security expertise.

  • Duo Customer Newsletter — Duo’s monthly newsletter is available to all customers and includes the latest information on feature releases, learning opportunities, events, and more.

Visualizing a Successful Future

Some customers use Duo only for MFA. And that’s certainly fine if it fills a specific need. However, by not adopting the other features available to them, they’re not getting all the value they could for what they’re paying. Those that do adopt most or all of the features in their edition find they achieve greater value not just now, but also later as their organization grows. As a result, they’re able to see a successful future with Duo. Regardless of which edition you’ve purchased, Duo offers much more than MFA to help you recognize the full value of your subscription.

We have an eye for the future as well. Soon, you’ll be hearing more about how Duo can help you further your identity security goals with Identity Threat Detection and Response (ITDR) as well as our plans for embedding artificial intelligence into Duo features.

Learn more about the features included in each Duo edition.

<![CDATA[Zero Trust Access in the Cloud: How Cisco Duo Bolsters Security for AWS Environments]]> kritisin@cisco.com (Kritika Singhal) https://duo.com/blog/zero-trust-access-in-cloud-how-cisco-duo-bolsters-security-aws-environments https://duo.com/blog/zero-trust-access-in-cloud-how-cisco-duo-bolsters-security-aws-environments Product & Engineering

As organizations migrate their workloads to cloud infrastructure platforms, new security risks can emerge. Certain risks may expose critical infrastructure to cyberattacks, enabling malicious actors to gain unauthorized access to critical business information and potentially causing large-scale data breaches. We live in a world where information is the new currency, and the consequences of security breaches can be catastrophic both financially and for the company’s brand reputation. As such, the importance of ensuring that cloud applications and services are secure cannot be overstated. In fact, IBM's 2023 Cost of a Data Breach Report found that 82% of data breaches involved data stored in the cloud.

In this blog, see the depth of Duo integrations with various AWS applications and services, and learn how you can better equip your organization with security that frustrates the attackers and not the users.

IBM’s 2023 Cost of a Data Breach Report found that 82% of data breaches involved data stored in the cloud.

Three primary challenges to securing cloud access

  1. Wide and complex attack surface: The increased flexibility of cloud services comes with a trade-off; a larger attack surface exposes organizations to more cloud breaches than ever. What does that mean? This means the potential entry points or vulnerabilities available to attackers seeking unauthorized access to the cloud have become numerous and diverse.

  2. Password reuse and weak password practice: The practice of reusing passwords and relying on weak passwords to access multiple cloud applications introduces security vulnerabilities that can cause data breaches, obstruct productivity and lead to password fatigue. Additionally, it imposes a substantial workload on IT administrators responsible for user account management.

  3. Hybrid work and device trust: Hybrid work has been complemented by adopting cloud, offering workforce flexibility, accessibility and scalability. It has also presented security challenges causing cybersecurity attacks. Users work on a variety of devices to access essential applications vital for daily productivity. Outdated, unmanaged and obsolete devices add significant risk to critical infrastructure.

Large enterprises aspire to have roughly 60% of their environment in the cloud by 2025, according to a recent McKinsey report. As cloud adoption continues to accelerate, it is imperative that organizations fortify access to critical data through advanced access management tools and technology.

Together, Duo and AWS enable organizations to adopt cloud services securely

AWS provides organizations, from nimble startups to global enterprises, a cloud platform to build, deploy, and manage applications with flexibility and scalability in mind. As a modern authentication and access management solution, Cisco Duo helps organizations establish a comprehensive zero trust security model for cloud infrastructure. What does it mean to build a successful zero trust security model? It means that we never assume trust, we always verify it. With Duo, this can be achieved while prioritizing user productivity and scalability, all while minimizing security risks.

 Preventing unauthorized access and keeping customers’ data safe is a top priority for Duo and AWS. To support an expansive AWS infrastructure, Duo provides robust access management capabilities including:

  • User-friendly and adaptive multi-factor authentication (MFA)

  • Single sign-on (SSO)

  • Policy-driven device posture check and trusted endpoints

  • Contextualized risk-based authentication and more

Improve overall security posture with zero trust access to Amazon-hosted applications

In a Zero Trust architecture, context, device trust, and risk should be evaluated on all authentication requests. Most AWS services leverage AWS Identity and Access Management (IAM) or AWS Identity Center to authenticate users. By integrating Duo’s SSO with AWS applications such as AWS IAM, AWS Identity Center, and others, AWS admins establish trust in users and devices and use contextual clues to allow access based on the risk it poses to an organization.

Duo SSO enables verified users to authenticate their identity once and seamlessly access AWS and integrated applications eliminating the need for repeated logins. Every time a user accesses an application, Duo’s SSO performs a risk assessment.

  • Administrative overhead for password management is minimized, as users can log into multiple applications using a single password or a passwordless method. In fact, users can utilize self-service features for password resets avoiding delays and taking off that load from IT admins.

Did you know? As customers expand their operations, they can take advantage of Duo SSO login to seamlessly access an unlimited number of integrated apps, whether from AWS or other vendors.

In addition to integration with AWS IAM Identity Center, Duo SSO supports a growing list of AWS apps integrated with Duo SSO using SAML and OIDC to enable easy and secure access to developers, IT admins, end -users etc.:

  1. Developers and SREs can leverage SSO experience when logging into AWS IAM identity Center to access the unified command line tool to manage AWS services and resources.

  2. Contact centers can ensure their workstations adhere to posture requirements while also protecting identities with MFA giving access to valuable customer information with Amazon Connect integration.

  3. Admins can utilize AWS Verified Access and Duo SSO to provide secure access to private applications without a VPN.

  4. A variety of user groups can securely and easily access AWS IAM using Duo SSO login to access a range of AWS cloud services and solutions.

  5. Amazon managed Grafana, Amazon Redshift and AWS Client VPN are additional integrations recently added to this list.

Did you know? Users get a high level of security without compromising on the experience of logging into apps with Risk- Based Authentication where Duo evaluates potential threat signals at each login attempt and adjusts security in real time.

It takes only 15 min for Duo to be configured to provide all these outcomes. By integrating AWS services with Duo, AWS administrators can bring these zero trust protections to AWS applications.

Establish device trust with Duo Desktop for AWS Workspaces (Private Preview)

Duo Desktop integrates with AWS Workspaces to give organizations control over which virtual desktop can access internal websites and SaaS services based on policy system and security requirements for that organization. Duo Desktop checks for security posture to evaluate device attributes and accepts or restricts them based on the security criteria.

Did you know? When a user's device does not meet the security criteria specified in the device health policy, the Duo Desktop application assists the user in taking the required steps to enhance their device's security posture, ensuring alignment with the application's policy.

While the users are empowered to proactively keep their devices updated and healthy, here is how IT admins benefit from this integration:

  • Admins can establish security policies using the policy engine for virtual devices that access AWS Workspaces for a certain user group or group of users. They can also leverage the Duo Admin panel for managing and adjusting device access policies to differentiate between corporate and personal devices.

Prevent unauthorized access to applications utilizing AWS Directory Services with Duo MFA

Note: This integration uses RADIUS Auth Proxy.

Did you know? It takes less than 10 min to protect AWS Directories using Duo MFA using the Quick Starts. This is how IT admins can leverage Duo MFA for AWS Directory Services:

  • Easy deployment and provisioning of bulk users to get organizations up and running quickly. User-friendly admin dashboard to create and manage granular access policies for different user groups

  • Detection and response to MFA bypass attacks is done in real time using adaptive controls and changing context, including factors like location, device role, and other variables. This is done by adjusting authentication requirements to include additional verification when necessary.

In closing, with the partnership between Duo and AWS, businesses can confidently navigate the digital landscape, knowing their data and access is well-protected. As organizations rapidly expand their operations using AWS resources, they can do so with peace of mind thanks to Duo's access management solution, which fosters secure, productive, and scalable business outcomes for AWS customers.

Get Duo to secure access and boost user productivity now:

<![CDATA[Spot the Difference Between Legitimate & Suspicious Logins with Duo Trust Monitor]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/spot-difference-between-suspicious-legitimate-authentications-duo-trust-monitor https://duo.com/blog/spot-difference-between-suspicious-legitimate-authentications-duo-trust-monitor Product & Engineering

If you’re a cybersecurity analyst, suspicious logins aren’t anything new. You see them all the time. Identifying suspicious logins probably feels something like playing Spot the Difference. For the uninitiated, Spot the Difference is a puzzle game that presents you with two similar images, one of which has been altered slightly, and challenges you to pick out the differences between the two. Finding the differences can be a real test of one’s patience and ability to concentrate on details.

This can be fun if you’re taking a brain break. It’s less fun if there’s a real security threat you need to find. Why? Because searching through mountains of log data to find something different that could be a potential threat to your organization can be tedious and time-consuming. To illustrate the point, we’ll focus on a particular type of event that generates logs: user authentications (aka “logins”). Every time one of your employees logs into the network or an application, an auth log is created. Depending on the size of your organization this could result in thousands of new logs each day. There goes your break time.

If you prefer to spend your time on other pursuits, Duo Trust Monitor can help. Trust Monitor gives you back your break time by surfacing suspicious logins. And, we’re continuing to add new features like "Email Alerting" which proactively sends an email whenever a new security event surfaces.

Read on to learn more about this new feature, and about how Duo Trust Monitor can help you identify suspicious logins.

Identifying “different” authentications

Searching through auth logs to identify a login that looks suspicious is one thing. But how do you know if it’s truly different and poses a threat? To understand that, you need visibility into both normal and anomalous authentications. If you don’t know what a normal, or “expected,” login looks like, it’s hard to spot the difference between them. This requires creating a baseline authentication profile against which other logins are compared. Doing so will help you spot the difference(s) between the two and identify suspicious auths that could spell trouble.

But what happens if you don’t have the time to search through log data for atypical access attempts? Well, bad things possibly. One is account takeover using compromised credentials where the cybercriminal has stolen someone’s username and password. Based on responses in the IBM Security Cost of a Data Breach Report 2022, stolen or compromised credentials are the most common vector for a data breach, responsible for 19% of breaches with an average cost of US $4.5M. Once the account has been compromised, the attacker can use persistence techniques to maintain their presence without alerting the victim by interrupting their access. One technique used is to register a new authentication device in order to bypass multi-factor authentication (MFA). this fraudulent device registration typically goes undetected, leaving the threat actor free to gain access to critical applications and data on the network.

Another is insider access abuse, or privilege misuse. Findings from the Verizon 2022 Data Breach Investigations Report indicate the attacker is typically an employee who uses their legitimate credentials to access a privileged account to steal data, often for financial gain. While this doesn’t paint a pretty picture, the signs for identifying anomalous logins that could lead to a data breach are there. You just need the right tool to surface them.

See the signs with Duo Trust Monitor

So, what are the signs to look for? Here are a few along with some questions to consider:

  • The User Is the person a current employee? Are they part of a group with privileged access?

  • The Auth Location – Do we have employees working in this country?

  • The Auth Time Do we expect people to be accessing data or applications at 3:00am?

  • The Device – Is the authentication from a Windows device but our employees use Macs?

  • The Application – Does the user need access to this app to do their job?

Duo provides a tool to help you see the signs and “spot the difference” between authentication attempts. Duo Trust Monitor is an advanced anomaly detection feature that does all the work of searching for risky authentications for you. It ingests all the authentication logs in your environment and runs them through proprietary machine learning algorithms.

The algorithms set a baseline of normal user and device activity. Using this baseline, Trust Monitor compares future authentication attempts against it and highlights anomalous or risky login attempts in the form of a security event. With just a few clicks, administrators can create a Risk Profile for the organization that prioritizes and surfaces security events that match profile elements. For example, you may want to keep a closer eye on authentications related to certain Duo-protected apps, specific user groups or countries. Security events that deviate from the Risk Profile are given more weight and appear at the top of the Security Events board with a yellow shield designation that provides an explanation of the connection between the event and the Risk Profile.

Can I get some context here please?

I’ve touched a bit on the “What” and “How” of Trust Monitor and its ability to surface atypical logins, but let’s take a closer look at the “Why.” Why is a particular authentication considered anomalous? The answer has to do with context. While there are other risk analytics tools on the market, many focus on a single model like novelty which looks for a variable that’s new such as a new device or application that’s being accessed for the first time. This approach is simplistic and doesn’t offer much context into the access attempt. Basing a decision on just one model alone can lead to an increase in false positives.

Trust Monitor on the other hand takes a more holistic view of each authentication using contextual analysis. By analyzing historical login data across multiple models and variables, Trust Monitor provides a much richer picture of the access attempt, enabling administrators to make a more informed decision as to whether it is legitimate or suspicious and requires action. Let’s look at some examples:

  • Security Event: The VP of Sales is accessing the company’s CRM app at 4:00 a.m.

  • Analysis: In this case Trust Monitor analyzes the application being accessed and the timestamp. Is it unusual for the VP of Sales to access customer information? No. Is the timing unexpected? Hopefully. A solution focused on Rarity would flag this event as risky.

  • Security Event: Someone is requesting access to a sensitive app from a Windows device using an unusual multifactor authentication method (SMS).

  • Analysis: Here we have three variables flagged. The organization uses macOS devices, not Windows. Also, the user has not accessed the app for six months and a push notification is their preferred authentication method, not an SMS text. These three together are a strong indication that this is a fraudulent authentication attempt.

  • Security Event: A Marketing manager is traveling to an event in another country and needs to access email.

  • Analysis: Without the right context, this access attempt could be marked as suspicious based on location, timestamp and a new device IP. However, we know there is a big event happening overseas so it’s not unusual to see these three variables associated with this user and therefore we can dismiss the event.

The goal of any risk analytics tool is to surface potential threats so that organizations can step up or step down their security policies to shore up any gaps. By providing contextual analysis, Duo Trust Monitor helps you spot the difference between legitimate and fraudulent access attempts while limiting false positives. Trust Monitor is included in our Advantage and Premier edition subscriptions. It’s also integrated into the Cisco SecureX ecosystem so that you can access Trust Monitor telemetry data from the SecureX dashboard for enhanced threat intelligence. And, if you already have a SIEM (Security Information and Event Management) solution, you can export Trust Monitor security event data directly to your favorite SIEM via API.

What's new with Duo Trust Monitor?

Security events are very useful for highlighting suspicious logins that may pose a threat. Adding context around why an access attempt was denied (or allowed) makes Trust Monitor even more powerful.

But even powerful tools need to adapt as the cyberthreat landscape changes, which is why we continue to build new capabilities into Trust Monitor. One of those is "Email Notifications," which sends email notifications when new security events populate in your environment. The notifications help you maintain an awareness of your organization's security posture using popular communications channels like email without having to log into the Duo Admin Panel. They include much of the same information you would see for the security event in the Security Events dashboard within the Duo Admin Panel.

Email Alerting is available to all Duo Advantage and Premier customers at no additional cost.

Start flagging suspicious logins

If you’d like to try Trust Monitor and experience how Duo can help you spot the difference between legitimate and suspicious logins that could be potential threats, sign up for a free 30-day trial.

*This content has been updated after its original publication date in November 2022.

<![CDATA[Announcing Duo MFA Support for AD FS OIDC Applications]]> matbroo2@cisco.com (Matthew Brooks) https://duo.com/blog/announcing-duo-mfa-support-for-ad-fs-oidc-applications https://duo.com/blog/announcing-duo-mfa-support-for-ad-fs-oidc-applications Product & Engineering

The 2.2.0 release of Duo AD FS adds support for OIDC application groups, enabling customers who use Azure Active Directory as their primary user directory to do MFA with OIDC to connect to their corporate cloud applications. This extends Duo MFA to OIDC applications federated with AD FS for users authenticating to those applications.


AD FS is a Microsoft identity access solution that gives remote users single sign-on access to protected cloud-hosted applications or services.
It relies on OAuth to facilitate access authentication with application groups such as web applications or APIs.

Microsoft AD FS

Cisco Duo can be invoked to secure the AD FS access process with multi-factor authentication (see step #7 below):


OpenID Connect (OIDC) is an authentication protocol based on the OAuth 2.0 framework. It helps verify the identity of user based on authentication performed by an Authorization Server using REST APIs designed for use in cloud-hosted applications.

What’s new?

Prior versions of Duo ADFS were qualified for SAML 2.0 and WS-Fed relying parties only. Duo’s 2.2.0 release fully supports AD FS MFA access policies applied to federated OIDC/OAuth server applications. Customers who use OIDC application groups in AD FS can now take the next step on the journey to MFA protection featuring Duo Universal Prompt.

For more information on Duo AD FS, see our AD FS documentation. And for specific update details, check out our AD FS 2.2.0 notes.


Duo’s AD FS MFA adapter offers MFA for all types of federated corporate cloud applications to protect customer environments against attack. Get started today!