The remote work revolution is driving authentication toward a future that’s more efficient, effective and user-friendly. User experience is more important than ever, access security is expanding, and existing security workflows are becoming more streamlined.

In the 2021 Duo Trusted Access Report: The Road to a Passwordless Future, we examine how enterprises are leveraging lower-friction methods like biometrics and Webauthn to move away from passwords while protecting the hybrid workforce.

For this report, our researchers analyzed data from more than 36 million devices, more than 400 thousand unique applications and roughly 800 million monthly authentications from across our customer base, spanning North America, Western Europe and Asia-Pacific.

The data shows that organizations across all industries are increasingly enabling their workforces to work from home now, and potentially for an extended period of time, and they’re implementing the appropriate controls to ensure secure access to applications.

“Trusted access blends the topics of security, compliance and privacy in a way that affects all of us on a daily basis. Evolving this trusted access is a top priority for our digital future.”
—Wendy Nather, Head of Advisory CISOs, Duo

Five Key Findings

Here are five top trends from the 2021 Duo Trusted Access Report. Get the full report to explore all of the data.

Passwordless Adoption Rising: Users Move Toward Lower Friction Second Factors
Our data shows a fivefold increase in Webauthn usage since April 2019.  

Biometrics Press Forward
More than 71% of customer mobile phones have biometrics enabled, and total mobile phones with biometrics rose 12%.

Locations Blocked
Roughly 74% of Duo customers who implement device-based policies restrict access from China and Russia. 

Push Preferred
Duo Push is the most popular authentication method, accounting for 30% of all authentications.

Cloud Usage Floats On
Among enterprises, June 2020 through May 2021 saw more than a 65% increase in average daily authentications to cloud applications over the average from that same period from June 2019 through May 2020.

Summary

Hybrid work and hybrid business models are now the standard operating procedure for how we take care of business. As organizations quickly accommodated hybrid work at a massive scale in 2020, they realized productivity could happen in this environment, and in response many organizations have indicated that they’ll continue using this approach for the foreseeable future.

However, this rapid expansion presented new security challenges, key among them ensuring that employees can work securely and without introducing new risk to the business. The need to secure users and devices and their access to applications is central to an effective remote access strategy.

We need to provide support for businesses to improve their visibility, get a better understanding of policy management, and place more emphasis on automation to help security teams optimize their impact with the resources available to them. Strategies like zero trust and a passwordless approach help improve security while reducing risk, and by having a stronger focus on user experience they allow for greater democratization of security.

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

Customer trust is essential for businesses to succeed, which Salesforce is putting into practice with a future requirement for all customers to enable multi-factor authentication (MFA). Beginning February 1, 2022, Salesforce customers will be contractually required to use MFA when accessing Tableau Online (and many other Salesforce products).

What Does This Announcement Mean for Salesforce Customers?

With this announcement, Salesforce has recognized the importance and value of MFA when establishing and verifying trust every time a customer accesses their broad portfolio of cloud-based services. 

How Does Salesforce Recommend Customers Get Started to Enable MFA?

Salesforce’s announcement is very clear about what customers can do today to enable MFA as quickly as possible. According to the Salesforce Multi-Factor Authentication FAQ, “MFA is one of the simplest, most effective ways to prevent unauthorized account access and safeguard your data and your customers’ data. We’re requiring customers to implement MFA to help mitigate the risks stemming from threats like phishing attacks, credential stuffing, and compromised devices.”

Customers who already authenticate their users via single sign-on (SSO), or who want to move to SSO, can enable MFA for their SSO identity provider when accessing their Tableau Online sites. Additionally, TableauID with MFA is available for customers who do not use SSO or have admins or other site users hosted by TableauID.

“Deploying Duo is the easiest and fastest way to comply with the Salesforce MFA requirement to protect access to Tableau and other cloud-based applications.”

What Is the Most Efficient Way to Meet Compliance With This Requirement? 

Because the runway is rather short, time is of the essence. We recommend following these five tips to accelerate the rollout of MFA for Tableau (as well as any of your other applications):

1. Prioritize interoperability and ease of integration. Chances are, Tableau is just the first of several cloud-based applications you may want to protect with MFA. For example, you may have on-premises apps that could also benefit from MFA. Legacy MFA solutions traditionally fail to integrate across disparate applications in an on-premises and cloud environment, causing inconsistencies and user confusion. 
   
   Duo MFA protects apps wherever they are — on-premises or in the cloud.
   
   
2. Meet your users where they are, securely. Remote work has led to a rise in the usage of bring your own device (BYOD) and unmanaged devices, which increases the risk of compromised devices. And legacy MFA products often can’t accommodate broad sets of users located outside of the corporate network — including remote workers, third-party vendors, contractors and more. These limitations impact business resiliency and often lead to users bypassing any security controls that get in the way of their work. 
   
   Duo Device Trust protects access to apps from unmanaged devices as well as managed devices.
   
   
3. Avoid the need for additional form factors. Traditional MFA solutions require additional security tokens and hardware that don't support all use cases (offline, no cell service, etc.), which results in decreased user adoption and gaps in your organization’s security posture. 
   
   Duo Push does not require additional tokens or hardware, and it works within your existing ecosystem (especially the device you carry in your pocket). 
   
   
4. Make it easy for admins to roll out MFA quickly and for users to adopt quickly. Older MFA solutions often require extensive admin management to enroll users, manage authentication devices, and remediate lost or stolen devices. Because Duo MFA is Duo-hosted and delivered from the cloud, there’s no need to spin up servers. Automated sign-up options, such as user self-enrollment and Active Directory sync, allow for scalable user provisioning. Duo MFA easily integrates with thousands of applications, services and identity providers. With the easiest multi-factor authentication, users can tap a button to approve Duo Push, a push notification on their phones to verify their identity.
   
   Duo combines the best of both worlds: easy for admins and users; secure and scalable for businesses.
   
   
5. Consider a consolidated approach with a long-term view. This is a great time to evaluate long-term projects and requirements, such as ensuring support for new applications being onboarded, enabling SSO, and tightening access policies with a centralized access management tool. Duo is more than a leader in the MFA market — we also offer functionality that goes beyond authentication to protect and secure access to your business’ critical applications. For example, Duo Access edition enables our customers to verify device trust before gaining access to their applications, and empowers users to remediate device issues on their own. Plus, Duo SSO can ease the transition to MFA by providing a place for users to log in once to access all the apps they need to get business done.
   
   Duo simplifies trusted access by consolidating MFA, SSO, device trust and deep visibility into a single solution. With Duo’s Passwordless Authentication capabilities, it’s even easier to protect access to the apps that drive your business.

Deploying Duo is easy and fast to deploy. Whether you’re interested in protecting access to Salesforce, Tableau Online or other applications, each of our editions satisfies the MFA requirement. 

Resources

• Salesforce Multi-Factor Authentication FAQ
• Multi-Factor Authentication and Tableau Online
• Cisco - A Duo Customer Story: How Cisco onboarded more than 100,000 users with Duo MFA

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

The Promise of Passwordless

If you've been following the evolution of passwordless, you've likely read countless blog posts and whitepapers pondering the promise of this technology. The pitch is relatively simple: passwords are insecure and inconvenient, so let’s get rid of them. We shouldn’t necessarily trivialize this promise. Passwords are insecure. They provide a time-tested avenue for bad actors to compromise and gain unauthorized access. As the Verizon Data Breach perennially points out, compromised credentials play a role in the majority of breaches. Passwords are also inconvenient. Password length, complexity, and rotation requirements have only gotten more stringent in the past ten years - leading to headaches for end users and help desks alike.

Before continuing on, it should be noted that all passwordless is not the same. “Getting rid of the password” could be as simple as removing the password field and asking for username only — which is obviously highly insecure. While secure passwordless technology removes the password, it does so by replacing it with stronger factors like device identity or biometrics. If you’re interested in learning more about the technical ins and outs of passwordless, Duo’s own Jeremy Erickson has written an extensive Administrator’s Guide to Passwordless — a great resource for those looking to dive into passwordless in all its glory.

IT Administrators and End Users Are Intrigued by Passwordless

However, let’s return to the problem at hand. Just because industry thought leaders and security vendors agree on a premise (like the value of passwordless), that doesn’t mean IT decision makers or workforce end users feel ready or willing to transition to a new technology. To get to the bottom of this, Duo conducted a global survey of both IT professionals and end users to gauge their attitudes when it comes to passwords and a potential transition to passwordless. The survey covered ten countries worldwide and had thousands of respondents. The findings were quite interesting. 

See the video at the blog post.

To start, end users are largely in agreement that passwords are inconvenient. Fifty-one percent of respondents noted that they forget and reset a password at least once a week. Furthermore, they may not always practice the most secure habits. Fifty-seven percent of respondents noted that they reuse passwords across multiple sites, and 78% of respondents create new passwords by adding a number or symbol to the end of an old password. 

Perhaps more interestingly, users seem more ready for a passwordless future than you might expect. Sixty-nine percent of respondents noted that they felt comfortable using their fingerprint in place of a password to log on. Additionally, 78% of end users already use at least one device in their daily lives with biometrics enabled.

See the video at the blog post.

When it comes to IT decision makers, they too are officially tired of passwords. The IT respondents spent an average of an hour and 15 minutes each week dealing with password resets and issues. Nearly half of (46%) also noted compromised credentials were a top security priority for them.

It also turns out that IT decision makers eagerly await a passwordless future. Fifty-two percent of respondents are actively considering implementing passwordless in their environments today.

Chief Concerns: Deployment and End User Training

These findings clearly indicate that end users and IT decision makers are intrigued by the potential of passwordless. However, that doesn’t mean making passwordless a reality is a slam dunk. The survey also illuminated some serious concerns about transitioning away from passwords. 

End users did express anxiety around their biometrics being stored and housed by private companies. It’s also true that, while 78% of end users have a device with a biometric enabled, it may not be one they can use for authentication at work — and there are still about a quarter of folks who wouldn't be able to use a biometric-based passwordless solution at all. 

IT decision makers worry about the deployment of passwordless. Yes, there are potential benefits — but many have already encountered issues with passwordless authenticators integrating into their environments. Passwordless solutions that work for certain applications or devices, but not their entire environment, also posed challenges.

Passwordless Priorities at Duo

At Duo, we understand the promise and potential of passwordless to improve security and offer end users a streamlined experience. However, we’re also taking to heart the concerns of end users and IT decision makers as we develop our passwordless solution. We’re not positing that every company can go fully passwordless tomorrow — that would be a huge oversimplification — but we have prioritized making it easy to take the first step. 

First, we’ve ensured that our passwordless authentication is easy to set up and deploy. If passwordless is difficult or frustrating to enable, people won’t do it. It’s more than easy enough to continue with the status quo. Unless the passwordless path is relatively simple to start down and walk along, people won’t take it. At Duo, we’ve made sure that testing, deploying and maintaining passwordless in any environment is as easy as possible.

Second, we want to make it accessible for end users to understand and use. While folks may hate the idea of passwords, they’re definitely used to them. To make sure there’s minimal friction for end users, Duo will support many device types as passwordless authenticators. In addition, the enrollment process will provide easy-to-follow instructions as well as relevant information about the security and privacy properties of our passwordless solution. For example, to address concerns about companies storing fingerprints, we inform users that Duo will never store or keep a copy of their biometric. This way, end users feel comfortable making the transition to passwordless.

With each passing month, the promise of passwordless is becoming a reality. However, it’s important to remember that even though security professionals, IT administrators, and end users feel ready for passwordless, it’s our responsibility to make it easy to fulfill its promise. To learn more about Duo’s approach, explore our Passwordless solution page or sign up to receive the latest updates about our Passwordless solution.

Duo’s Passwordless Authentication Resources

• Explore our Administrator's Guide to Passwordless blog series
• Learn more about our upcoming passwordless authentication solution, and sign up for updates
• Read our white paper, Passwordless: The Future of Authentication
• Watch our webinar, How Duo is Making Passwordless Progress Easier
• Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
• Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Sarah McLachlan, a sage of our time, once opined, “I will remember you. Will you remember me?” and for the longest time Duo for Windows Logon replied, “No.” Today, weep not for the memories of what was, but rejoice because the answer will soon be, “Yes.”

We’re pleased to announce the general availability of Trusted Sessions for Windows laptops and desktops. Trusted Sessions brings the “Remember Me” feature from our browser prompt to Windows Logon, allowing you to trust your local logins with Duo and reduce the amount of times needed to MFA in the future, saving you lots of time, energy and defenestration of Windows endpoints.

Consider the use case that New Hampshire Ball Bearing, Inc. is looking to solve. The IT Security team of this specialized manufacturing producer uses Duo to comply with the DFARS regulation and enforce corporate security policies. They wanted to ensure that security policies do not create user friction and negatively impact productivity. With Duo’s Trusted Sessions feature, the team reduced multi-factor authentication (MFA) fatigue without compromising on security.

"We protect local device logon with Duo’s MFA to comply with DFARS, and our corporate security policy mandates inactivity screen lock of 5 minutes. This scenario increased user frustration, especially at a time when employees are unable to use FaceID to unlock their MFA device due to mask wearing. Duo’s trusted sessions feature for Windows Logon has greatly reduced our end user hesitancy during MFA deployment while increasing voluntary adoption rates. The majority of our users recognized and enabled the trusted sessions feature organically with no notification or instruction from IT. Now our user base finds Duo unobtrusive and we're able to comply with our MFA mandate without push back from users." —Clayton Girouard, Sr. Systems Engineer - Information Technology, New Hampshire Ball Bearing, Inc. (NHBB)

Enable Trusted Sessions in Just a Couple of Clicks

Reducing user friction has never been so easy for administrators. They can easily enable trusted sessions from the admin console under the “Remembered devices” policy section. 

“Remember Me” for Windows Logon

With the Remember Devices for Windows Logon policy enabled, the user will be offered a “Remember Me for X Time ” checkbox during login. When users check this box, they will not be challenged for secondary authentication when they log in again from that device for a set period of time unless something changes. Policy is available for a minimum of one hour with a maximum of 90 days, allowing you to find the optimal time frame to meet the security considerations for you and your organization. 

One of the core challenges in our research was that logging into an endpoint requires different security properties than logging into a web application. As a result, we had to develop a way to proactively revoke trust when we could no longer assert the user and the device were in a state where it was appropriate to continue trust.

To achieve this, we looked at three properties:

1. The operating session state. When invoking Duo, we determine whether the authentication attempt is an unlock or a new session. If it’s a new session, Duo will require MFA, and a subsequent unlock will honor the time duration set for “Remember Me.”
2. Network location. At each authentication attempt, Duo will snapshot and compare the network state of the user's device to determine whether it moved off of your network. If it has, we'll prompt for MFA.
3. User’s choice. Trusted Sessions give users the choice to end their remembered sessions early by clicking cancel while logging into a trusted session.

See the video at the blog post.

Now, a reality check. Duo is going to default to secure, so if there’s uncertainty about network location we’re going to prompt again. The idea is to streamline MFA attempts, not completely eliminate them. Additionally, we’re not delivering this feature for RDP sessions today. Our research highlighted the need for a robust way to assert the same user on the same device with trust, returning back to the same RDP session. That opened the door to a new round of research that was beyond our scope and would have seriously delayed delivery. And finally, Offline MFA sessions will not be remembered, because Duo cannot assert certain things about the device. We must assume it’s outside of normal administrative control and can’t be assumed to be in a trustworthy state. 

“Remember Me” Is Available Now to All Duo Customers

Trusted Sessions for Windows is available as part of all Duo product editions (Duo MFA, Duo Access and Duo Beyond) at no extra cost. Administrators decide which groups of users can use “Remember Me” and for how long.

For more information about Duo’s Windows login capability, read our documentation.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

According to Gartner, 40% of all help desk calls are related to password resets — and those calls are expensive, with Forrester finding each password reset call costs an organization $70.

So it comes as no surprise that most businesses want to improve the productivity of their IT help desks and address the password reset cost problem. Many consider self-service solutions, possibly secured with Duo MFA, to help.

However, even the best self-service solution won’t eliminate all calls like these. And because help desk agents might feel pressure to reduce their ticket times (because time is money, after all) the focus on security can sometimes lapse.

For example, without a solution to enforce user identification at the help desk, organizations often rely on insecure methods like employee ID, which are vulnerable to a social engineering attack.

“Unfortunately, a lot of the methods currently used to verify users at the service desk today are insecure. Whether it’s employee ID or relying on recognizing someone’s voice, IT departments can do better.” —Darren Siegel, Product Specialist, Specops Software

Instead, IT teams can leverage solutions like Specops Secure Service Desk and Duo to address the need for improved efficiency and security.

How It Works

The help desk agent begins by looking up the user asking for assistance. Once they’re selected from the search results, we see a number of Quick Verification options, including Duo.

The options within Duo are dynamic, based on the user’s Duo enrollment. Duo Push is the easiest method, but if that’s unavailable the help desk can also request the one-time password (OTP) within the Duo app, or send an OTP via Duo SMS.

The user will receive a push notification on their device, with information about the help desk agent who requested it.

Once verified, the help desk agent can reset that user’s password right from Secure Service Desk and, if enabled, share the link to complete their self-service enrollment.

On the Reset Password screen, the agent is presented with the password policy rules for the end user (this works with native Active Directory password policies or Specops Password Policy as shown here). The user will need to change their password again at the next logon.

No Extra Enrollment Steps

When your users are already enrolled with Duo and have the Duo Mobile app installed, there are zero extra steps for them to take to verify their identities at the help desk with Specops Secure Service Desk.

Secure Service Desk is part of a larger authentication platform that enables self-service for password resets and encryption key recoveries. When used together, the solution can offer a consistent authentication process for users across all scenarios, utilizing Duo and more.

Do you need a secure process to verify users at the help desk? See how Secure Service Desk can help.

The passwordless future is sooner than you think. At Duo, we're building a passwordless authentication solution that’s as easy to set up as it is to use – with our world-class security baked in. Is passwordless a good choice for you, and how do you lay the foundation? Our experts have you covered.

What is Passwordless, Anyway?

See the video at the blog post.

In the Administrator’s Guide to Passwordless blog series, Tech Lead Jeremy Erickson covers everything you need to know to determine for yourself why passwordless authentication can be more secure and more usable than today’s leading authentication systems. But not every passwordless product or system meets the security high bar administrators need.

Your Journey Begins with Multi-Factor Authentication

See the video at the blog post.

Advisory CISO J. Wolfgang Goerlich details in our white paper, Passwordless: The Future of Authentication, how pairing passwordless technology with strong MFA to protect access across cloud and on-prem is a practical way to provide the broadest security coverage today. With MFA in place, you can reduce your reliance on passwords and modify password policies to require less frequent resets, alleviating help desk burden and reducing user frustration.

“We’ll remove the password down the road, but the first step really is reducing the security vulnerability and ensuring that we can rely on that strong factor, and we get there by beginning with multi-factor.”

MFA + Passwordless = Raising the Bar

See the video at the blog post.

In considering a passwordless solution, we want to raise the security bar, not lower it. Part of ensuring that passwordless is just as secure as multi-factor is ensuring that it is multi-factor.

Read about why MFA and passwordless are a powerful pair.

Passwords Are Safer Than Biometrics, PINs Are Just Passwords, and Other Tall Tales

See the video at the blog post.

On your path to passwordless, it’s key to separate fact from fiction around biometrics, PINs and passwords.

“Whatever form it takes, passwordless should be easy to deploy, increase security, and be frictionless for users.”

Learn more about common misconceptions related to passwordless authentication methods.

No Phishing, Please

See the video at the blog post.

To prevent phishing, your authentication solution should offer a few general properties.

“Passwordless should also raise the bar by substantially reducing or even eliminating the risk of phishing attacks. Any ‘passwordless’ solution that cannot meet this bar is simply inferior.”

Get a rundown of the properties you should look for in an authentication solution to prevent phishing, and the difference between platform and remote authenticators.

One Step at a Time

See the video at the blog post.

Passwordless is a leap forward on the path to a strong and usable authentication system, consisting of many individual steps that you must navigate.

“A phased approach to providing secure access for the workforce can take you closer to a fully passwordless future.”

Review the high-level phases of the passwordless journey.

Bonus: We Bid Passwords a Fond Farewell

Video Producer and Twitter sensation Ben Armes shares a poetic passage about the problem with passwords and welcoming a passwordless future.

See the video at the blog post.

Duo’s Passwordless Authentication Resources

• Explore our Administrator's Guide to Passwordless blog series
• Learn more about our upcoming passwordless authentication solution, and sign up for updates
• Read our white paper, Passwordless: The Future of Authentication
• Watch our webinar, How Duo is Making Passwordless Progress Easier
• Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
• Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Duo Labs just released its third State of the Auth report, which takes stock of individuals’ experience and perception of 2FA in America and the U.K.

Adoption of two-factor authentication has substantially increased since we began conducting this research in 2017. However, considering only 32% of respondents report using 2FA on all applications where available, there’s still ample opportunity to improve 2FA adoption.

That Was Then, This is Now

2FA Usage Continues its Climb

Two-factor authentication has become notably more prevalent over the last two years, with 79% of respondents reporting having used it in 2021, compared to 53% in 2019 and 28% in 2017.

SMS Text Message Remains the Most Used Authentication Method

SMS (85%) continues to be the most common second factor that respondents with 2FA experience have used, slightly up from in 2019 (72%). Email is the second most common second factor (74%), with a notable increase compared to 2019 (57%).

While SMS is certainly more secure than no 2FA, there's room for improving security here. Other factors, such as push notifications and security keys, are more effective in preventing account takeovers.

2FA in the Workplace Drives Adoption

Among respondents who are currently employed, 2FA adoption is nearly 20% higher.

Of All Accounts, Users Perceive Banking as Most Important

Respondents continue to have money on their mind, with 93% considering financial accounts the most important to secure, up from 85% in 2019.

But in comparing user perception to reality, there's evidence that the impact of an email compromise is more harmful than a financial account compromise:

“Overall, email accounts are the most valuable online accounts as they are used to exchange sensitive information with banks, health services, and various online service providers. In addition, they are also often used as the recovery mechanism for other online accounts.”
—Elie Bursztein, Cybersecurity Research Lead, Google

Non-Traditional Authentication Methods Move the Needle

Two contemporary trends in primary authentication are password managers and biometrics. Password managers are a tool which securely stores a user’s existing passwords and can assist in the creation of new, more secure passwords. Instead of using something you know (username and password) as the primary factor, biometric authentication verifies identity with a user characteristic (such as a fingerprint).

In this survey, 32% of respondents report using a password manager, and 42% report using biometric authentication for at least some applications. A separate study conducted by Duo found the top two user privacy concerns about biometric authentication were attackers replicating a biometric (42%) and distrust of companies with personal biometric information (36%).

Explore our complete findings by downloading the 2021 State of the Auth report.

Organizations of all sizes and types are facing increasingly severe and complex security challenges. For the last ten plus years, we at Duo and Cisco have been on a mission to make it simple for businesses to easily secure access for their workforces and mitigate security risks. Today, I’m proud to announce a major milestone in this long journey.

We’ve expanded our data center presence to include Australia, Singapore and Japan, in addition to our existing presence in the United States, Canada, Ireland and Germany. The new cloud data centers allow Duo to better respond to the needs of our global customers, particularly in the government, financial and insurance industries, where data sovereignty continues to be one of the key requirements.

With compliance requirements putting pressure on customers to ensure that their data is secure, we've seen a large increase in demand for control over where cloud services are hosted. To that end, our data centers and services are ISO27001 and SOC2 compliant and have 99.99% service availability. 

The new data centers will support our rapidly growing list of customers based in the region, as well as multinational customers whose workforce is based in various countries around the world.

International Expansion

The launch of the new data centers are part of Duo's international expansion strategy. All functionality from Duo’s zero trust platform including multi-factor authentication (MFA), single sign-on (SSO), VPN-less remote access, device trust and adaptive risk-based policies is available through these new data centers. Moving forward, passwordless authentication and other new features will be available in all of our datacenter locations simultaneously.

In 2022, we aim to launch additional data centers in the UK and India, giving multinational customers even more choice over service delivery location, helping them meet local regulatory requirements. As more companies move their workloads to the cloud and global SaaS regulations constantly evolve, these investments position Duo for the long-term well and ensure parity for our customers regardless of their location. 

Several teams from Duo and Cisco worked together to scope, prioritize and deploy these three data centers. The team executed well, despite the pandemic and everything else that’s happened over the last 18 months. Please join me in congratulating the teams and welcoming our new customers in Australia, Singapore and Japan.

Let’s continue to keep our workforces safe online!

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Building a security strategy for a company is a balancing act. How do you protect your organization without imposing an unnecessary burden on your employees? If you put too many locks on the door, sooner or later, the window will start to look like a viable option.

Using Duo’s Policy Engine empowers security professionals and IT administrators to put the right locks on the right doors. Policy is the tool that allows you to specify who gets access to what, from where, and through what authentication method.

Like onions, ogres and parfaits, your company’s security policy comes in layers. First is Global Policy, which is required and applies everywhere, all the time. Then, you can create custom policy by layering Application Policy, which is specific to a single application and works in addition to Global Policy. Finally, there’s Group Policy, for which you define a policy to apply to a specific group of Duo end users in your company, and it works in addition to Global Policy and Application Policy.

When it comes to creating your layers, some companies use Global Policy to build their strictest level of protection and then carve out exceptions for areas which only require lighter touches of security using Application and Group Policies. This methodology is considered best practice. Other companies choose to take an additive approach. Their Global Policy covers the solid basics, and then they layer on more strict controls to protect those applications and users which need tighter security.

Group Policy is the most granular policy control. It’s at the top of the hierarchical policy stack, allowing Duo administrators to precisely define how certain users can access company resources. However, right now, only 11% of Duo customers are taking advantage of this precision tool. The sharpest knife in the drawer can be intimidating to use if you’re not sure how to wield it! 

Let’s take a look at three cases where Group-Level Policy is effectively being used to balance a company’s security posture with reasonable ease of access for their employees.

Use Group-Level Policy when some of your users have a significantly different risk profile than others

A hospital has, in the past, experienced cybersecurity threats that originated from outside of where they are based in the United States. These threats prompted them to implement a Global Policy which denied all access requests coming from abroad. However, they sometimes have doctors who do medical mission trips to other countries and need to access hospital systems while traveling. In this case, these doctors temporarily have a higher risk profile but should still be granted access. The hospital uses a Group-Level policy to temporarily, during the time period of travel, adjust the geography-based access controls and allow an exception to the Global Policy for specific users. The hospital’s base layer of security stays strict, but all users get the access they need.

Use Group-Level Policy when some of your users have a different normal context, such as frequency of access requests, than others

A construction company recognizes that an IT administrator and a contractor working on a construction site are logging into sensitive systems at a different frequency. That has a couple of implications: first, the more frequent the access requests, the more frustrating it is to have to repeatedly authenticate. Secondly, the less frequent the access request, the less savvy a user is at spotting a phishing attempt. This company set up Group-Level policies to specify the authentication methods different that end users of Duo could use. This enabled them to mitigate push notification phishing risks from busy contractors in the field and to alter how long a system would remember a users’ login, to alleviate push fatigue from IT administrators.

Use Group-Level Policy when you want to designate a test group for new Duo features or settings

Many companies will designate a group of users, often made up of IT professionals, to be the first to have any new Duo Policy applied to them or be the first to test out exciting new Duo features or products. Having this smaller pool of users to give feedback can build your confidence in trying out Duo’s capabilities to their fullest.

In each of these cases, Group-Level policy served to balance the organization’s security needs and a low-friction user experience. Updating policy doesn’t always mean making sweeping changes to a company’s overall security settings. Policy is the tool you need to make precision strikes that address the unique risks your company faces while doing the job that you and your company are there to do.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

As a former high school history teacher, I used to love teaching lessons that used technology. It allowed the class not only to learn facts, but also to practice their critical thinking skills — evaluating the reliability of a source, analyzing a variety of primary and secondary documents, and corroborating information in order to develop independent views on what is important and true.

However, incorporating technology was not as simple as logging on to a computer. The process started with reserving the computer cart about a week in advance. On the day of the lesson, I would pick up the cart from the office and distribute the computers to my students. Inevitably, there were some computers that weren’t charged, so they had to go back in the cart and students had to shuffle around to get access to chargers.

If the computer required a password, I needed to go around the classroom and enter the password on each computer, because teachers weren’t allowed to share the credentials with students. There was also the looming, and realistic, possibility that the wifi would go out, meaning I was always prepared with back-up paper documents.

I share this with you to illustrate the challenging logistics that educators often face to get a classroom of 25 K-12 students online. Considering that you only have 45 minutes with those students, the situation takes on more urgency. And you might not realize that there were few, if any, security measures in place to ensure that students were not risking their own data and privacy.

Since joining Duo Security, I’ve realized that security should not be overlooked, regardless of how many people are impacted or their self-perceived level of importance. This is especially true with the rise in ransomware and data breaches in 2020, specifically among K-12 schools.

In our new world of virtual learning and cloud applications, it’s not enough to hand out logins and passwords, considering that 81% of breaches come from stolen credentials. However, as a teacher, if you had asked me to incorporate another step into logging onto the computer, I would have said it can’t be done. 

If schools want to successfully implement a security solution, it must be simple, fast and teacher-friendly. In my opinion, Duo checks those boxes with a clear focus on design and ease of use (just tap the big green button to log in). All schools want to ensure that they don’t get breached and that the data of their teachers, staff and students are protected online — and Duo provides the tools to make that happen without disrupting learning. 

When I think back to my time in the classroom, I remember the feeling that I couldn’t add more to my plate. It seemed like every new policy or requirement made our job more difficult, rather than providing the resources we desperately needed. Security shouldn’t feel like a burden, and Duo offers a solution that both teachers and schools can get behind. We owe it to our students to unlock the use of technology and make it easy to be safe online.

Related Resources

• Watch a demo of how Duo works, and learn how to gain access to public funds to implement a security solution at your school, in our webinar, Security at Every Age: Designing Remote Access for K-12 Networks.
• Schools may contact grantquestions@cisco.com to get more information about public funding options available within your state. 

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

From knocking out high-velocity sprints to successfully delivering key features, everyone on the Endpoint Health team here at Duo really feels like they’ve hit their stride. Handling customer issues quickly and efficiently, and having in-depth, successful technical conversations have become normal, expected occurrences within the team, which provides us with a great sense of accomplishment. Looking at these things together, we asked ourselves why. What have we been doing well that produced successive sprints and left us feeling accomplished and proud of our team’s work?

The answer wasn’t just one thing, but rather a combination of factors among our team that have contributed to our success. Even better, these factors aren’t unique to our team; they’re as relevant for engineers as they are for a creative team, customer support, and everyone in between.

There's no single, easy answer, but we think we've found some of the reasons we love working together. Ensuring effective communication, fostering a sense of ownership over your product, and maintaining a general sense of positivity all work together to create a successful, cohesive team.

Communication is Key

Communication now, more than ever, is vital to our daily operations as a team. Word choices can make all the difference in fostering team unity. Using “we” and “us” instead of “I” and “me” can make successes feel bigger and failures feel smaller. For example, instead of saying “When I worked on the feature,” you could instead say, “When we worked on the feature.” This language switch helps to solidify a unified front as a team, where everyone feels recognized for their contributions to the product overall.

An easy way to make this kind of communication more natural to nurture the personal connections between everyone on the team. The microinteractions throughout a normal day in the office have disappeared, and video calls have seemingly been forced into all-business mode. This change to remote work removes a lot of the “chit chat” that naturally happens in a workspace, so it's important to encourage any level of non-work-related conversations that happen during video chats. For example, we’ve added a weekly “icebreaker” to our first standup of the week — it helps us get to know each other better and find common interests. 

When people feel a personal connection with their teammates, they’re more likely to communicate when they need help, or are more likely to support other members on the team both when they need help and when they need positive reinforcement. Something that Duo uses to further influence better communication between team members is assessing how each person likes to be communicated with, and giving a central location for you to double check that you’re communicating with someone as effectively as you can.

Some people react positively to long, detailed conversations, while others prefer getting straight to the point. Some people prefer discussing issues over whatever chat system you use, while others prefer face-to-face conversation. It's critical to keep those things in mind when interacting with one another to ensure effective, positive discourse among your team.

Everyone Should Feel Ownership of the Team’s Product

Every team has a product. Whether it’s a marketing campaign, a big sale, or a piece of software, every team owns something. In most cases, a single individual is not responsible for that entire product, as there have been designs discussed, opinions solicited, products reviewed, and many other steps taken before that product is released.

A great way to foster a team-centric success/failure mindset is to set goals to achieve as a team, and then break down the goals into pieces that each team member o can own. An important thing to note here is that the goals are not “handed down” to the team — they’re set by the team and worked on as a team. Feeling ownership over the products you create makes it natural to jump at the chance to help when improvements are needed or a bug needs immediate attention.

Developing a sense of ownership comes from every member of the team. Encourage each other to own pieces of a project, set goals that everyone can work toward, and if you’re an expert in an area, try not to dominate the conversation — let others contribute!

If everyone on the team feels that same sense of ownership, issues no longer slip through the cracks. Instead of one or two people consistently supporting issues, everyone focuses together because everyone is driven by the same overarching goal. Everyone feels driven to ensure that a project or a task is completed, both in the code sense and in the sense of ensuring it’s delivered to the end user.

Succeeding and Failing as a Team

Along with any kind of product comes success and failure. It’s important to realize that both of those outcomes are built upon the contributions that preceded them. Our team celebrates successes by taking the time to recognize achievements as often as possible. This could be as simple as telling someone their code review is awesome, or by sending out a wider shout-out communication to highlight when someone on the team has done an excellent job. 

We also struggle through challenges together, like when bugs in production have caused us to drop what we’re doing and rally to find the solution as a group. In those situations, instead of being mired in a battle of blame and shame, we focus on finding the solution, and acknowledge the fact that we both succeed and fail as a team. Everyone makes mistakes, and it’s important to ensure that everyone on the team knows they’ll be supported when or if they make an error.

Additionally, it’s important to realize that when something goes wrong, it’s rarely a single team member’s fault. Between code reviews and other checks and balances to ensure the work and responsibility are evenly distributed across team members, it's rare to find instances where issues can truly boil down to one person. Supporting each other in those times of failure can lead to a better, more positive team dynamic.

A Positive Atmosphere

A large portion of our team’s success comes from a general sense of positivity, but this doesn’t always mean that our day-to-day operations always bring happy feelings. From unexpected outcomes of a research task to customer calls that leave you feeling defeated, everyone on the team has an opportunity to encourage each other and, in turn, strengthen the team.

Positivity is much easier to talk about than to actually feel. Even describing positivity within a team seems so simple to talk about, yet so difficult to build. We each see the world and interact with it differently. This means one team member may come out of a customer call feeling defeated after seeing an unhappy customer, but another sees so much exciting potential. Both of them play a key role in encouraging the team — the former to make a better product to please customers, and the latter to energize.

In addition to helping in times of strife, positivity also helps to ensure all team members feel valued. You can show it by recognizing a team member’s hard work, or by recognizing the strengths of the team in general. One way we work to create a positive atmosphere is by talking about our “happys and sads” in our sprint retrospectives, which cover both work-related and personal events. The “sads” are conversation topics we can address as a team and do our best to prevent in the future. The “happys” become things we can celebrate together.

Final Thoughts

If we had to summarize in one word what makes our team effective, it’d be trust. We acknowledge that trust is not something that comes quick or easily. It has to be built and maintained over time. Open communication, a shared sense of ownership, working as a team, and a positive environment all drive trust forward and, in turn, reinforces each of those attributes. Fostering an environment where each piece is encouraged can drive any team forward.

That said, our team doesn’t have everything figured out. The team consists of individuals who have unique personalities, handle stress differently, and tackle problems in various ways. We’re growing and changing every day, so every time we sit at our desks in the morning, the team looks different. We’ve realized recently that we’ve been working well together, but we can always move forward and learn together as we continue to grow as a team.

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

“There are primarily three ways you can authenticate someone: with their username and password, with two-factor authentication, and with a company-supplied device that you can trace. For most stuff, you should have two of those things. For critical things, you should have all three.”
—Alex Stamos, Former Chief Security Officer, Facebook, in WIRED magazine

Adopt a Defense-in-Depth Strategy With Device Trust

Identifying what devices are accessing corporate applications is critical to understanding the overall security posture of an organization and reducing the risk of unauthorized access.

• Unknown devices offer the lowest level of trust because they’re beyond the control of the IT department.
• Enforcing security requirements such as OS updates and disk encryption help organizations set a baseline for healthy and compliant devices.
• For critical applications and environments with sensitive data (e.g., HIPAA compliance in healthcare or PCI compliance in retail), organizations need to ensure that only managed devices are authorized to access.

Security practitioners are always looking to minimize risk of a data breach, and a common framework to achieve this goal is by leveraging a defense in-depth strategy. Implementing device-based access policies follows this framework by layering on authentication and authorization controls, raising the bar for cyber criminals looking to gain unauthorized access. Even if an attacker compromises an employee’s credentials and somehow manages to get around multi-factor authentication, they would still need to access the application using a compliant and/or managed device.

Establishing Device Trust, Simplified

Since 2017, Duo has enabled organizations to identify if a device is enrolled in the corporate management system and apply device-based access policies based on the management status. Duo administrators may be familiar with the Trusted Endpoints policy, which typically relies on device certificates to verify the management status.

At Duo, we constantly seek feedback from customers to understand their pain points. One recurring comment from customers was that the deployment and management overhead of device certificates impacted the policy implementation. 

Administrators want an easier way to verify the enrollment status of devices in corporate management systems without having to deal with digital certificates. And security practitioners want to ensure that critical applications are accessed only from managed devices.

Enter Duo’s Device Health Application. The lightweight client application that was released in 2019 helps organizations enforce device-based access policies around security requirements such as:

• OS version (including minor versions)
• presence of security agents (eg: Crowdstrike, Cisco Secure Endpoint, Symantec)
• host firewall status
• password status
• disk encryption status

We’re excited to share that administrators can now use the Device Health application to easily enforce the Trusted Endpoint policies for devices that are Active Directory domain-joined or enrolled in Jamf Pro. Other device management tools will be supported soon — stay tuned! 

Duo’s Device Health application now collects unique device identifiers (UUIDs) and, at the time of authentication, verifies whether that device has been enrolled in the enterprise management system. This novel approach eliminates the need for device certificates, helping organizations balance security with usability.

Enable Trusted Endpoints In Three Easy Steps

Duo has made configuring and applying Trusted Endpoints policy as easy as protecting an application. Administrators can get started in just three simple steps: 

1. Create an integration in the Duo admin panel by navigating to the Trusted Endpoints Configuration and selecting your device management tool.

2. Configure your device management system, and input the information in the Duo admin panel to complete the integration.

3. Deploy Duo Device Health application on the managed devices, and apply the policy to Duo-protected services and applications.

Benefits of using Device Health Application to Verify Device Trust:

• Enables trusted endpoints policy in five minutes or less!
• Eliminates overhead due to certificate deployment, management or expiration
• Performs real-time and reliable device identity and security health checks 
• Reduces dependency on third party PKI infrastructure 
• Provides broader support for browsers and compatible thick client applications 
• Supports environments with shared workstations

In Conclusion: Balance Security With Usability

Enforcing Trusted Endpoints policy using Device Health application significantly reduces certificate deployment and management hassles for organizations, while providing similar security benefits and raising the bar for cyber criminals to compromise internal systems. 

We’re excited for our customers to try this new approach and share feedback. If you’re not a Duo customer, sign up for a free trial and reach out to a Duo representative to try this feature. 

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Recommended Reading: Check out our ebook, Anatomy of A Modern Phishing Attack, to learn how trusted devices, zero trust, adaptive user policies and more can thwart phishing before it can result in a data breach.

When’s the last time you finished a project — say, implementing a new cloud integration — without any hiccups or surprises? If you’ve accomplished this recently, congratulations (and please teach me how you did it)! If you haven’t, you’re in good company.

According to Duo’s cloud data provider, our average mid-market customer manages 20 application integrations in their environment. Controlling this access throughout your environment and ensuring the right people get the right access at the right time is incredibly difficult. That’s a key factor in why Gartner’s CARTA model emphasizes how important it is to “continuously discover, monitor, assess, and prioritize risk — proactively and reactively.” So what are we to do in the face of this complexity? 

Let’s start with the basics. Your security posture must be designed to serve business access needs within your specific risk context. But business needs and risk environments are constantly changing. Given the changing landscape, you must constantly evaluate and readjust your access policies and posture. That’s where machine learning tools come in, like Trust Monitor, which can identify and flag anomalous events for you to review, providing the context necessary to understand an event’s impact for your unique scenario. From here, you can remediate the event and fine-tune your policy.

Duo Trust Monitor's Risk Profile flow enables administrators to select a prioritized set of Duo-protected applications, user groups, and locations/IPs.

Trust Monitor helps you gain visibility by leveraging Duo's enriched, historical authentication data, shedding light on what's normal, and what’s atypical, as users and devices access your corporate environment. Understanding anomalous access enables you to harden security posture as well as policy; detect and remediate access risk; and step access requirements up (or down) accordingly. Because it operates on carefully calibrated machine learning models, Trust Monitor can continuously react to changes without your manual input.  

What does this look like in practice? The general process is like this, while Trust Monitor runs in the background:

1. Because of your business needs and risk environment, you set up a new application, protected by Duo.
2. Something changes, either among your business needs or your risk environment. This could be as significant as the shift to remote work brought on by the COVID-19 pandemic, or as routine as onboarding a new contractor or introducing a new application.
3. Trust Monitor continually trains itself on what “normal” looks like in your environment. When it finds that something has changed, it creates a new definition of what “anomalous” behavior looks like.
4. This new anomaly is flagged for review, you’re able to fix the environment, and your company’s security posture is better off for it.

The Security Events dashboard allows administrators to review events surfaced by Duo Trust Monitor based on their anomaly score and other factors, like Risk Profile designation.

Since releasing Trust Monitor earlier this year, we’ve heard dozens of stories from our customers about how Trust Monitor has helped them improve policy. At Duo, we call this “policy hardening,” and we think it’s an important practice for good security hygiene. Let’s take a quick look at some of these policy hardening success stories:

Securing a National Retailer's Storefronts

A national retailer rolled out updated multi-factor authentication (MFA) policies. They implemented these new policies starting with the Security team, followed by the IT team, and finally to headquarters and in-store teams. However, due to a misconfiguration in their Identity and Access Management system, a retail store was included in this rollout and enabled with MFA before the team was properly trained. Trust Monitor spotted the anomalous access from the improperly enrolled store, and the retailer was able to fix the misconfiguration before it negatively impacted their Sales team.

More on Duo’s solutions for Retail

Enforcing a Law Firm’s Client Data Protections

A mid-sized law firm has a strict set of company guidelines and information security protocols implemented in order to prevent customer data from leaving the country. Trust Monitor has been invaluable to them as they maintain visibility of what information is accessed where — and, more importantly, when access to data is attempted from out of compliance. This awareness empowers them to shore up their data governance and policy enforcement.

More on Duo’s solutions for Legal

Allowing Access as Needed for a Healthcare Provider

A healthcare provider has critical patient information that needs to be shared with third-party providers, insurers and other interested parties. Because of the uncompromising requirements they have for patient health data, they set a strict global policy limiting access outside of the US. However, business requirements changed, and they contracted with an international supplier.

Trust Monitor flagged these access attempts for review, giving the healthcare provider an understanding of where their sensitive patient information was being used. The company updated their blanket policy to be more granular in allowing access from partner locations, but not too broadly across other regions. Because of Trust Monitor, the company was able to find the right balance of access and security for their business needs. 

More on Duo’s solutions for Healthcare

Duo Trust Monitor provides detailed information and additional context around anomalous access attempts, as well as a timeline of the access events surrounding it.

Each of these Duo customers has a complex IT environment, security concerns and risks, and business needs that must be met — and each of these environments, concerns, risks and needs are changing. Trust Monitor has proven to be useful to these customers in understanding their environment as it evolves and continuing to serve their customers and employees with the convenience and security that they need to get their work done.

Further Reading

• Learn more about Trust Monitor in our documentation
• See for yourself by trying a demo of Trust Monitor
• Contact our Sales team for additional information
  
  

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

As I write, It’s been two months, one day, and nine hours since I began my internship at Duo. In celebration of Intern Week on the blog and my two months-ish milestone, take a step back with me as I reflect on my journey through the virtual doors of Duo!

How did you get here?

A few weeks before my sophomore year in college, I made a last-minute addition to my fall course load: the class Organizational Management in Startups. Not only did I find myself surprisingly fascinated by the fast-paced spontaneous startup environment, I also learned about Duo as a successful Ann Arbor startup.

My interest in people organization began in my senior year of high school, where I had the opportunity to take on a similar, albeit simplified, role. I fell in love with advocating for people and developed the belief that a company’s employees are truly its greatest assets. Imagine my excitement when I found not only internship openings at Duo, but coincidentally an opening on the Belonging Team — a more perfect opportunity could not exist! I immediately started working on my application, harboring hopes of working at Duo, and the rest was history.

Okay, so what exactly do you do as an Employee Programs Intern?

Great question! On a broader scale, I help out the Belonging Team with a number of internal programs. More specifically, I work with my manager Emily Boring, Global Events Manager, on Global Events. I’ve had the amazing opportunity to observe the planning processes behind successful events such as a Fireside Chat with Daniel Dae Kim and the Duo Pride Celebration. A day in my life at Duo is never the same, which I appreciate so much! One day I may spend hours brainstorming projects and writing, stopping occasionally to chat with vendors or ask for peer reviews. Or I may bounce from meetings with my manager to conducting listening tours around Duo and pitching in to help with other Belonging Team projects. Typically, my days are a mix of the two, with ample personal focus time and collaboration time.   

Duo's Decades Party, hosted by DJ Graffiti

Tell me more about the projects you’ve been working on this summer!

My main project for summer was to create a virtual summer social for Duo that would bring renewed fun energy and offer opportunities for Duo team members to connect. This culminated in the Duo Decades Party, featuring DJ Graffiti spinning songs from the 1970s to today, plus a throwback outfit contest and other activities.

Other projects on my plate this summer include a guide for virtual team building (coming soon to the Duo wiki) and a virtual event proposal for future company celebrations. 

The Duo Decades Party was a blast! What did you enjoy most about the experience?

On the other hand, did you run into any challenges? If so, what did you learn from them?

Something people may not know about event planning is that there are a lot of moving pieces. Originally, my main project consisted of a series of three to four events. After continuous discussions with the team, however, the focus narrowed to one event. Even a few days before Decades Party, details were still evolving. It was sometimes tough to navigate changes and feedback, but from this experience I learned the value of getting a diverse set of perspectives.

Without the Internal Communications team (thank you, fellow intern Hannah!), I wouldn’t have considered the cadence and tone of communications. I also consider myself lucky to be able to draw on the expertise of both Emily Boring and Head of Employee Programs Emily Reid in designing inclusive and fun social programs.

The best part is that nothing ever goes to waste! For example, one virtual event proposal I built out will make an appearance in a future Belonging Team event. Being flexible and open to new ideas was definitely essential in navigating these roadblocks and helped the experience tremendously. 

What advice do you have for future interns?

The first thing I’d say is to stay organized in whatever way that looks for you. I personally found it super helpful to block out times on my Outlook calendar to focus on completing self-designated action items. I also keep a notebook of notes from meetings that I can refer to later on.

Secondly, be flexible and receptive to feedback. Others may point out things you overlooked or offer creative new ideas. Be appreciative of them, because it helps enhance your work overall, but also feel empowered to stand up for your ideas!

Lastly, time goes by fast — take advantage of the resources available and get to know the lovely and kinder than necessary folks around you!

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

Part of our Administrator's Guide to Passwordless blog series

See the video at the blog post.

If you’re considering passwordless authentication for your organization today, you’ve probably been thinking for a while about a holistic authentication strategy. Passwordless is a leap forward on the path to a strong and usable authentication system, consisting of many individual steps that you must navigate.

Let’s start by reviewing the high-level phases of the passwordless journey:

Phase 1: Establish Multi-Factor and Identify Passwordless Use Cases

Multi-factor authentication has been a critical component of strong authentication systems for more than a decade. Hopefully, you’ve already got this one — but if not, there are countless products that can help you mitigate the threats of password-based single-factor authentication.

Phase 2: Consolidate Authentication Workflows

A typical company runs hundreds of applications. Managing each application’s authentication methods and security policies quickly becomes untenable for administrators at this scale. Rather than attempt to augment the security of each application individually, Phase 2 focuses on consolidating authentication workflows into a place where the majority of the authentication events can be centrally managed.

This may take the form of single sign-on (SSO) or federated portals through standard protocols like Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). Even applications that aren’t web-based, such as SSH clients or remote desktop software, may be able to go passwordless by using a reverse proxy and client software that opens a passwordless web prompt. There are numerous products and services that will offer different experiences and features, and both the features you need and the protocols your applications support may dictate which products and services are suitable for your organization.

Phase 3: Increase Trust in Authentication

Next, focus on building a more comprehensive user authentication system and mitigating additional threats in your environment. Ensure user authentication is occurring from known and trusted devices with up-to-date software and operating systems. Detect anomalous user behavior and flag it for remediation. Identify safe conditions and risky behaviors and configure flexible policies that can reduce user friction without reducing security. Support for all of these things builds upon your work in Phase 2 and the selection of a vendor that supports the features you need.

Phase 4: Adopt Passwordless (We are here!)

Passwordless requires support from both your users’ access devices and your SSO portal or federation system. Microsoft, Apple, Google, and other system manufacturers have done an excellent job in rolling out access device support for passwordless, and security key manufacturers like Yubico, Feitian, and SoloKeys can help enable support for passwordless on devices that don’t support it natively. SSO and federation providers are beginning to bring passwordless solutions online. If you’ve done the hard work in Phase 2 to consolidate your authentication workflows into a centralized authentication experience, you may be able to enable passwordless across the majority of your organization by simply switching it on. Your existing authentication and authorization policies, device trust, and configured settings should ideally transfer over and take effect right away.

Phase 5: Optimize Passwordless

Unless you’ve managed to consolidate every one of your applications into using the same federation solution, it’s likely you won’t be able to completely eliminate the use of passwords overnight. This is where having a layered security model with MFA, configurable policy, device trust, and adaptive authentication pays dividends. Your organization is only as safe as your weakest authentication method, so ensuring every authentication method is strong reduces your risk as you transition towards Pure Passwordless. The goal here is to aggressively continue consolidating authentication workflows into centralized auth solutions where passwordless support exists and begin the process of disabling password-based authentication.

This will be a protracted phase, as disabling passwords will highlight all sorts of corner cases where passwords may be used in your organization, such as new user onboarding, account recovery, and that one server in the basement that you don’t want to touch in case something goes terribly, terribly wrong. Certain applications and protocols will most likely not be able to adopt passwordless initially, so some of your users may need to keep a password around to use with these systems for a while.

Passwordless is exciting and promises both security and usability benefits. We mostly get the usability benefits in Phase 4 and the security benefits in Phase 5, but like anything, there’s a spectrum. So long as passwords remain an option, adversaries can apply the same attacks they use today to password-based auth methods. Adding passwordless auth as an option starts by making authentication easier. Removing passwords as an option makes authentication safer. 

For frequent use, adding additional factors behind a password may have been deemed too much friction, but it may be more acceptable as an infrequent fallback when passwordless is the primary authentication method. Security benefits can also come simply from user habit migration. For example, users who become conditioned to passwordless authentication will find an unexpected push or a password entry field conspicuous, even if they’re still allowed as options. This is one of the few exciting breakthroughs in authentication technology where a more usable option is more secure as well!

However, it would be remiss to say everything will be roses. Let’s dig in to Phases 4 and 5 and discuss some of the challenges you are likely to face as part of passwordless adoption and how to manage them.

Your First Few Weeks of Passwordless

When you flip the switch and enable your first passwordless login, it’s probably going to feel unfamiliar. If you’ve read this guide and have a general understanding of how authenticator devices store and use credentials, you’ll probably be able to infer how things operate. Your users, on the other hand, may have no idea what they’re supposed to do. Passwordless login is supposed to be quicker and easier than using a password, but most people have years or even decades of experience using passwords. We know what to do when we see a password input form. 

Your users will be old hats at passwordless in no time, but the first time seeing an unfamiliar prompt to scan a fingerprint or face can be unsettling. If a user thinks they’re entering their system password into a web form, being prompted to enter a PIN or local system password can be confusing or even suspicious. You’ll most likely want to evaluate the passwordless login flow yourself and work out a strategy for assisting your users through their first passwordless logins.

But before we even get to passwordless login, your users will need to enroll a credential or add an authenticator device to their account or profile. This can be just as confusing as a first login, if not more so. However, depending on your MFA configuration, your second-factor authentication method may be suitable, or nearly-suitable, for passwordless auth already.

If your users have adopted a WebAuthn-capable 2FA method such as Windows Hello, Touch ID, Face ID, Fingerprint/Face Unlock, or a FIDO2-certified security key and regularly use it as a second factor, your authentication provider may be able to use the same credentials for passwordless authentication if they support user verification. If not, then the simplest way to enroll a new passwordless device is to piggyback on top of a normal password-based auth and ask your users to enroll a device as part of their normal login process. This will probably feel pretty similar to how your users first enrolled their MFA devices after entering a password the first time. On next login, they’ll be able to use passwordless!

Now, imagine you’re a few weeks into your passwordless rollout and one of your users loses their first device. Even though their credential on the device should still be protected by a user verifying PIN or biometric step, we want to invalidate that credential as soon as possible because it’s now lost the something you have property. Your authentication provider should offer a control panel or other administrative console where you can view your users and see what devices they have enrolled. You should have a quick and easy way to invalidate the lost device and credentials through this interface. (In case you’re curious, each device is supposed to only have one credential per user account.) If you haven’t disabled passwords yet, your user should be able to use their password to enroll a replacement authenticator device the next time they try to log in.

Removing Passwords: Applications vs. Users

Throughout Phase 4, passwords remain a viable fallback option. Although these challenges in Phase 4 are likely to require lots of time, they’re more about helping your users acclimate to a new process than technical complications per se. You may wish to progressively roll out passwordless to smaller groups within your organization at first, to smooth the influx of help tickets and allow early adopters to share knowledge of passwordless with their peers.

Things get trickier as we move toward Phase 5 and start to remove passwords as an option. Any user who hasn’t acclimated to passwordless login will be stuck if they no longer have a password-based fallback. The goal of Phase 5 is to remove passwords from the environment to improve security, while minimizing new complications. Let’s explore a few complications that may come up as we remove passwords.

To start, not every application will be able to use passwordless. Take connecting to a wireless network for example. Unless you’ve rolled out client certificates to your fleet, the main WPA2 Personal and Enterprise authentication protocols expect either a pre-shared key, or a username and password. Not every protocol is web-based or can be proxied through a web-based gateway. Applications released years ago may never get updates that support SAML, OIDC, or other federation protocols. It’s likely that one or more additional applications or use cases in your environment may not be passwordless-capable, now or in the future. That’s okay. Each application from which you can remove passwords gains the security benefits.

Every user from which you can remove passwords is one fewer user who can be phished or introduce credential reuse into your organization. However, it’s much harder to completely remove passwords from users than to completely remove them from applications. If a user no longer has passwords, then they can’t fall back to a password if they lose their authenticator device. It becomes important that each user have two or more authenticator devices enrolled, so that they do not get locked out of their account. Once passwords are eliminated, your users will probably need to use passwordless authentication to enroll new devices.

Authenticator Management Considerations

Platform authenticators like Touch ID and Windows Hello are conveniently present on the access device but are also limited to being used on the specific platform they’re a part of. Let’s say you need to enroll a new device with a platform authenticator but no longer have a password. How do you bootstrap trust in your new device to get to where you can enroll its platform authenticator?

Roaming authenticators like security keys or mobile authenticators have the advantage that they can be used to authenticate across multiple machines. You can use a platform authenticator to enroll a roaming authenticator on one computer, then move the roaming authenticator to another computer and use it to enroll that computer’s platform authenticator.

It’s clear that the passwordless future involves lots of devices and a mix of both platform and roaming authenticators. However, increasing the number of authenticators introduces even further complications, as each authenticator must generate its own per-site credentials. Enrolling multiple devices with each of multiple websites will likely grow tiresome. You can partially alleviate this via federated login, centralizing login to a handful of sites or fewer. On the plus side, enrolling multiple devices gives your users the ability to self-remediate individual lost or stolen devices without losing access to their account.

Inevitably, some users will find themselves with one or more lost authenticator devices and no way into their account. You will need a recovery flow. There are many different recovery flows, including temporary passwords, recovery links, backup codes, and more. Your recovery flow may delegate the authentication decision to another provider, such as an email host, wherein if your user still has access to their email account, they may be able to self-remediate. If not, they may need to contact your help desk for an override. Recovery flows are also a potentially-viable option for bootstrapping trust across platform authenticators without a roaming authenticator to assist.

While it’s critical to have one or more recovery flows, know that the recovery flows you support, especially any self-remediation flows, are viable attack vectors. It doesn’t meaningfully improve your security posture to remove password-based authentication if your recovery flow isn’t ultimately stronger.

Your organization may likely reach Phase 4 quickly but spend years optimizing passwordless in Phase 5, which is to be expected. Over time, the passwordless space will expand to support additional applications and use cases, and someday, we hope, passwords will be a relic of the past. 

If you’d like to see how Duo can help bring passwordless to your organization, visit the product page for our passwordless authentication solution.

Duo’s Passwordless Authentication Resources

• Explore more of our Administrator's Guide to Passwordless blog series
• Learn more about our upcoming passwordless authentication solution, and sign up for updates
• Read our white paper, Passwordless: The Future of Authentication
• Watch our webinar, How Duo is Making Passwordless Progress Easier
• Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
• Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy

See the video at the blog post.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

When I announced that I was returning to Duo for my second internship, I was met with a great deal of congratulations — and occasionally with surprise. In a few cases, I even experienced some soft criticism about this decision. “You should be trying to have a variety of experiences,” some said, “Your early career is a time to explore.”

However, I must take this advice with a grain of salt. By returning to Duo, I would say that I am having a variety of experiences, and I have lots of opportunities to explore! The work I’m doing this summer, both technically and organizationally, is markedly different from last summer. Beyond this, my work will continue to evolve as I communicate both my short- and long-term goals with my extensive support system.

Also, variety alone isn’t enough. To make informed decisions about the future, we need to consider which experiences will likely bring us the most value. That’s what led to my decision to return to Duo. The work I’m doing this summer is a strategic step in the right direction for what I aim to do in my future career.

Last summer, I worked with an excellent team on a rewarding project. I was involved in the frontend development of the new Universal Prompt, implementing features that are seen by users millions of times daily. Throughout the summer, I gained immense experience in both the hard skills of programming as well as the intangible skills of structuring my time and working within a team setting.

In addition, the summer taught me a lot about myself and helped me understand what kind of work excites me the most. The most interesting problems that I faced included how the new Universal Prompt would work in front of the users. At the end of the day, any decisions that we made in this area had to be reinforced by some kind of data. When we had more data to work with, the decisions would become easier, and we could develop the product much faster. This work specifically sparked my interest in the engineering behind data-driven solutions.

At Duo, when anything sparks your interest, you’re generally free to pursue it. When I expressed my interest in working with the Data Engineering side of the business, I was quickly set up to do so. Honestly, in terms of switching teams, I felt like I had pretty much carte blanche access to the entire organization. Everyone is open to discussing opportunities and more than willing to offer advice and help along the way.

While it was tough to say goodbye to my team, I was met only with support in my decision to move forward onto the Data Platform team, where I’m working this summer. As Duo team members, our job is to support the company, but Duo reciprocates this deal and supports us just as much. At Duo, everyone seems to sift into the positions where they want to be.

My story is not unique — many other people around Duo can speak to this experience. We frequently receive emails about job promotions at Duo, and typically there are too many to read! In fact, my former hiring manager who interviewed me for my new role this summer was only on the team for a period of weeks at the time of the interview (I had spent more time at Duo than he did!).

However, over just a few months’ time, he was deservingly promoted into another role. I think it’s a great fit, and I’m very happy for him, as well as my new hiring manager who was promoted to fill his place. You can also find other blog posts where Duo teammates share more experiences like these.

My decision to return to Duo was also complicated by the possibility of working for another company. I did work with other companies over the fall recruiting season, but none of them could really match the freedom that I was given at Duo. Honestly, it was a pretty black-and-white decision. With every other company’s software engineering internship, I had essentially no information about where I would be working, which product or sector I would be working on, or what kinds of technologies I would be working with. While this kind of uncertainty is inevitable and often leads to growth, I couldn’t turn down the work at Duo for this summer, especially because it’s such a certain, targeted leap forward in my career.

It’s also worth mentioning that working on the Duo product is motivating in and of itself. The company is growing rapidly, and Cisco continuously releases news to us about how our product is being used more widely and making a difference in the industry. I’m instantly motivated in an environment where I’m attempting to build technology that’s more innovative, clean, and efficient than all of our competitors. 

This summer, on the Data Platform team, I’m already in the midst of a project that involves making product data immediately available for analysis. The project involves linking together multiple technologies into a system, and I’m pushing the boundaries of how these technologies can be used with one another.

Finally, I can’t forget to mention that the culture at Duo is fantastic. There’s a specifically-designed, multi-pronged approach to keeping a fun, exciting, and lively team environment, and this does not come by accident. On that note, I’d also love to thank Emily Samar for inviting me to write this blog post about my experiences. It really feels special to be heard, especially as an intern. I’m very happy to be back at Duo, excited for everything to come this summer, and encourage you to consider the program if it’s the right time in your career!

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

With only a handful of years of wisdom under my belt, I’ve come to realize that the world works in ways you never expect. The big “P” was a challenge that no one could have prepared for, but one outcome of 2020 surprised me in the best way possible: interning from home is kind of nice, and I want to share a few reasons why.

The Home Office™: Working Here, There, and Everywhere

I hear that Duo’s offices are the pinnacle of an open-office tech start-up floorplan, complete with cool wall art and unlimited fancy coffee. However, I’d like to think that my humble remote setup can still spark joy. For starters, it exists wherever I want it to be.

Although I primarily sit at my crammed (but cable-optimized!) desk, seven feet from my bed, some other Home Office choices include: at the living room/kitchen table with my other fellow WFH roommates, outside in a hammock under some trees, and in an air-conditioned university building when the heat becomes too much. I have the freedom to choose where I work best and the flexibility to continue working, even if I choose to move back to my hometown or spend a few weeks in a different city.

This luxury of comfort and mobility is facilitated by the way teams here at Duo adopted remote working. While the initial shift to remote was challenging, Duo workshopped processes and programs (like summer internships) that adapt to needs and feedback. I frequently find myself hopping on quick calls, sharing my screen to get quick troubleshooting advice or creating a collaborative board to brainstorm with my team.

Tools like chat programs, Webex, and Mural, when complemented with supportive management and an openness to learning new methods of working together, contribute dramatically to establishing digital best practices that create a healthy and collaborative work culture. These are changes with longevity — a third of the Product Marketing team works in places without any Duo offices, so these practices will continue even as buildings begin to open.

A Broader Scope: Variety is the Spice of Life

Speaking of chat programs and Webex, one of the greatest advantages of a digital-first internship is the variety of conversations, projects, and unique learning opportunities I’ve been able to experience.

This internship I set a goal for myself: overcome my fear of “coffee chats” and talking to strangers. There were definitely a few factors at play here, like re-learning post-quarantine social skills, but for the most part I was successful — driven by both the ease of setting up 30-minute Webex meetings and the knowledge that the people I reach out to in a direct message are excited to talk to me. As a result, I’ve learned that CS stands for Customer Success (and not just computer science), compiled a list of more than 50 pieces of life advice (a go-to question particularly around my 20th birthday), and honestly met a bunch of really cool people.

Being able to reach out across the organization also allowed me to dive into functional areas that interest me. For example, I’ve been able to explore the international marketing scene in ways I probably wouldn’t have had the chance to if I were sitting in the Ann Arbor office. I’ve been in meetings with people from London and Sydney to Canada and Japan, giving updates, working on campaigns, and generally growing a deeper understanding of markets beyond North America through firsthand experience, rather than feeling confined by the small office area I would’ve been assigned. 

After a few months’ experience in the remote world, the number of digital experiences drastically expanded. At Duo, I was surprised to learn about the “Intern Learning and Development Budget” — and that’s on top of the pre-existing unlimited book fund. I’ve been able to attend specialized conferences, read recommended books, and even sign up for training and certifications without the significant costs of travel and time.

Imagine my surprise when I heard a fellow intern animatedly sharing her early-morning dance session that kicked off a virtual Customer Success Festival she was attending, all in week two of the Summer Internship. Duo hosted several virtual guest speakers, webinars, and learning sessions, and I somehow found myself interviewing Daniel Dae Kim for AAPI Heritage Month (first name basis, 100% bucket list accomplished). Suddenly, something I’d never even considered an option became a major part of making this internship memorable.

Breaking Barriers: Unlocking Opportunities and finding Connection

This summer cohort is the biggest at Duo yet — 26 undergraduate and graduate interns across both technical and non-technical roles. Remote internships have mitigated a lot of traditional barriers to work experience: cost of living in cities; logistics of leasing and housing; commuting; and even time zone challenges. In the cohort, people log in from New Jersey and New York to California, Texas, and… throughout the Midwest. For many, including myself, this is a first exposure to roles like technical writing, program management, and product marketing. It also opened the opportunity to co-op and get professional experience while taking classes in the winter and spring (shout-out to the three-person intern chat during hard winter months).

Feeling connected during the workday is a real challenge, and it takes more than beloved “meeting icebreakers” to fix. Rather, I’ve found that frequent, smaller interactions can help drastically humanize the WFH experience: quick messages, virtual working hours, drop-in lunch, and maybe even some happy hours putting our trackpad drawing skills to the test. As an intern cohort, we have our own chat channels, attend Design Thinking training together, and keep each other in the loop on our diverse projects. All of this, and more, felt more genuine than I had expected — even though only four of us are located near the Ann Arbor headquarters.

Reflections: The WFH Internship Experience and the Future of Work

In an ode to myself rediscovering and watching “The Suite Life of Zack and Cody,” I’d like to kick off this conclusion with a quote from the iconic 2005 theme song that aptly describes the remote work life:

“Here I am in your life, here you are in mine.”

As I enter week 24 of my second fully remote internship at Duo (they don’t call me a “senior intern” for nothing), I’ve come to appreciate many of the things working from home has brought to my attention. Overall, there’s a greater focus on work-life balance, building accessible experiences, and giving people more autonomy to decide for themselves how they work best. Maybe it’s because I grew up in a generation where technology has touched almost all aspects of my life, or maybe it’s because I’ve admittedly never worked a “real-life, in-person, 9-to-5 cubicle office job” before, but the shift online felt like a natural progression of where I would find myself.

In school I took a class on the future of work, reading articles about applying machine learning to customer service bots and discussing the implications of autonomous vehicles. We explored the different fields of application — healthcare, education, manufacturing, global economics, public policy — and zoomed out to see the greater (exponential) rate of growth of technology. It’s interesting to think that in January 2020 the future meant a looming workforce of robotics, AI, and automation, and only a few months later it shifted to mean finding a solution for the most human-centric needs for connection, collaboration, and balance.

While the Fourth Industrial Revolution is definitely still something to consider, I think in the closer future is a work world where in-person and online hybridize. Maybe in the coming months and years there will be a visible shift in office spaces. Maybe interactive calls and virtual experiences become the default, building for accessibility and opportunity. And maybe it’ll be led by the interns who know that it’s positive, healthy, and feasible because they’ve experienced it before. After all, sometimes the world works in ways you’d never expect.

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

Giving back to our local and global communities has always been a big part of Duo’s culture. This tradition inspired us to launch the Duo Commmunity Impact Awards, now in its second year, which recognizes and celebrates how Duo team members made an impact in their communities over the past year. 

Joining me on the awards committee were Megan Furman, Chief of Staff / Head of Operations; Emily Reid, Head of Employee Programs; Stephanie Frankel, Head of Brand Team; and Kristina Birk, Release and Documentation Manager / Duo Gives Planning Team.

We received a wide variety of nominations across Duo, and we loved hearing about all the amazing things our team is doing to make the world a better place — volunteering, coaching, mentoring, running community initiatives, and so much more both inside and out of the workplace. We also loved seeing how many people nominated someone else. Each nominator shared that they’re personally inspired by seeing their colleagues’ efforts, and we think they’ll inspire you, too. 

We’re really excited to highlight our five winners, who each earned a $5,000 grant for Bright Funds, Cisco’s charitable giving and matching platform. This allows our winners to award non-profits that they’re personally passionate about, further spreading their positive impact and kinder-than-necessary attitude.

Andy Peterson, Technical Solutions Architect, volunteers at nonprofit animal welfare organization Friends of Upland Animal Shelter in Upland, California. He spends most of his free time working to drive animal welfare education and activities to improve the situation for lost and abandoned animals. He typically volunteers around 100 hours per month doing various activities including fostering puppies, supporting as a volunteer board member, committee member, and everything in between.

Rose Putler, Data Scientist, volunteered with Our House, a southeast Michigan-based organization helping young people with foster experiences transition successfully into adulthood. She not only participated in one-on-one and group mentoring with the organization, but also reached the milestone of more than four years working with her mentee, Alexis! (You can learn more about Rose and Alexis in this interview.) Having moved from Michigan to Boston after working with Our House for so long, she’s thrilled to be able to support them from afar and hopes to find a similar organization to work with in her new hometown. Rose hopes folks get inspired to be more compassionate and to advocate for policies which respect the dignity of the disadvantaged and the value of their time.

Jim Salmonson, Federal Systems Engineer, has been giving back in a variety of ways over the past year. He volunteers for the development of future Cyber Warriors as well as promoting music and arts in high school programs. Jim has been able to connect his network of cyber professionals and resources to help Junior ROTC leadership mature their programs, where he consults and mentors the senior directors to engage Cisco Systems and expose this community to current security capabilities, while developing good cyber citizens. In addition, Jim has been an active volunteer on the weekends for the local philharmonic and high school band programs to keep music active in the community. Jim provides audio/video services to the programs to keep kids connected and active safely during the pandemic.

Ted Stockton-Smith, Account Development Representative (ADR) Manager, has spent countless hours volunteering within COVID-19 vaccination centers since the beginning of the year. He has selflessly given his spare time, along with his Time2Give hours (a Cisco benefit providing team members 40 hours per year to give back to our communities) to one of the most important causes of the past 18 months. Being able to regularly spend three hours in the morning or on weekends assisting a team that vaccinated thousands of people a day, and then start work at 9AM ready to mentor, coach, and manage the ADR team is really inspiring.

Kevin Wainczak, Software Engineer, was driven to get involved in his community after a year when many people felt a strong sense of disconnection. He is a volunteer coach in pole vault at a local high school, working with athletes of all skill levels. Developing trust within such a difficult sport really allows the kids to achieve their best, and Kevin has fun and takes pride in seeing the enthusiasm and hard work that they show up with every day. He hopes that the athletes come away more confident than when they started, and that they feel like part of a team.

With so many impressive submissions, we wanted to highlight five more honorable mentions! Each of these Duo team members was awarded a $100 Bright Funds grant to donate to the non-profits that matter most to them.

Daniel Bagwell, Software Engineer, assisted with the distribution of COVID-19 vaccines at the Dallas, TX Fair Park Vaccine Mega Center. Because the site was only open during business hours, Time2Give allowed him to volunteer when others could not.

Courtney Eastman, Account Executive, organized a group to convert a trailer into a home for a family who lost their father and were living in a hotel. Donating replacement flooring, cabinets, and appliances, along with painting, cleaning and landscaping, took about five days.

Madhavi Kongara, Data Warehouse Developer, has been involved with Wayne County Senior Services initiative, providing meals to homebound senior citizens through Meals on Wheels. For the past nine months, she’s delivered meals to 10-20 seniors each week.

Amelia Lombard, Learning & Development Lead, volunteered twice a week in a virtual Algebra 2 classroom from January through June. During the one-hour classes, she and the teacher divided the class and supported their respective groups as they worked through math activities.

Mike Spitz, Head of America SMB Sales, is part of the Ann Arbor Community Academy, a volunteer group of citizens who connect with the city to understand more about what goes into day-to-day operations in Ann Arbor, Michigan. Through AACA, Mike learned about and got involved with several other initiatives, including one to plant 10,000 trees!

We're seeking top talent! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

When I open my laptop for the first time in the morning, one of the first things I check is my email. As a Duo team member, and as part of the greater Cisco organization, I am one of more than 258 million monthly active subscribers of Microsoft 365. Because this service is integral to the working lives of our customers and ourselves, we wanted to ensure that you can easily yet securely access your emails, documents, and presentations from any device and any location.

That’s why we’re happy to share that Duo now offers a Microsoft 365 application for Duo Single Sign-On (Duo SSO), allowing you to federate your Microsoft 365 domains with Duo SSO. 

Where We Started: Duo Access Gateway, 2015

In 2015 we introduced the Duo Access Gateway (DAG), which used SAML 2.0 to authenticate users into Office 365 (now Microsoft 365). Next, we added support for legacy authentication protocols (Basic Authentication).

Since its inception, nearly half of all customers using the DAG consistently leverage it for at least Microsoft 365 — both for Modern and Basic Authentication. Many customers even use the DAG exclusively to protect Microsoft 365!

For these customers, the many pain points of maintaining an on-premises SSO offering — configuring servers, managing certificates, configuring high-availability, making sure everything is kept up-to-date — increasingly consume more time and resources that could be used to solve and improve other IT issues. That’s a lot of overhead for a single, albeit business-critical, application.

Building a Better Solution

Because the metrics we observed with the DAG are not trivial by any means, and we’d begun work on our hosted Duo Single Sign-On (SSO) offering, we knew that we had to deliver the best experience possible for Microsoft 365, for administrators as well as users. 

Keeping that in mind, we worked hand-in-hand with Microsoft to design, build, and validate according to their best practices by using WS-Federation, WS-Trust and WS-MetadataExchange, instead of SAML 2.0.

This allows us to fully support a wider range of modern and legacy authentication workflows, improving the end user experience, and aligning with Microsoft’s current and future product plans. These include, but are not limited to:

• Web browser logins
• Microsoft Office application logins
• Azure AD Management Tools
• Legacy email client logins
• Azure AD and Hybrid Domain Joins
• Windows Autopilot

When using WS-Trust for legacy workflows, we also give the option to limit access based on IP address, user agents and/or groups. We want to help customers move toward more modern authentication workflows, but we also recognize this isn’t always an overnight shift. These controls allow organizations to incrementally scale back on legacy usage. 

We’ve also made it easier than ever to get Microsoft 365 working with Duo by providing a prebuilt configuration script after entering some information about your tenant into the Duo Admin Panel. Long gone are the days of typos that have plagued our customers, and often technical support teams!

What’s Next with Microsoft and Duo?

Our partnership with Microsoft is stronger than ever, and we’re incredibly proud and excited to provide our joint customers with one more place to take advantage of Duo SSO. In addition to providing more options today, it also prepares our customers for the release of our upcoming Passwordless authentication solution!

Duo SSO is just getting started. Want to follow along? Subscribe to our release notes.

To learn more about Duo SSO and Duo Central as a whole, view our official documentation.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

This blog is part of an ongoing blog series for Duo’s Universal Prompt Project. The project is a major re-architecture and redesign of the Duo multi-factor authentication experience. In this post, we’d like to discuss a “behind the scenes” change we’ve made that helps achieve the overall project goals — improving security and delivering a better user experience. The change involves adopting the OpenID Connect (OIDC) standard to integrate with supported applications to deliver the prompt for MFA. But before jumping into the details, it might help to understand the open standards in discussion.

Understanding OAuth 2.0 Framework and OIDC Protocol

Problem to solve: Apps and services need a way to share data with each other

Years ago (back in the early 2010s!), applications shared sensitive information by asking users to enter their credentials from one application into another. Many applications offered services which would tie together functionality from other sites. For example, mobile applications such as Yelp requested your Gmail address book to encourage more signups by emailing your contact list on your behalf. Similarly, budgeting applications like Mint.com needed access to your banking credentials to help track your spending, and website developers wanted ways to post users’ tweets on their own websites.

These were all great services that provided benefits to everyday users, but users needed to share their username and passwords with these services to realize those benefits. Sharing credentials or passwords with multiple applications not only increases the risk of a compromise (yes, that same password you also use for online banking), but also gives third-party applications full access to your account.

This is a big no-no! Once credentials are compromised, hackers can take over user accounts; even change the passwords and lock users out. Even today, according to Verizon’s 2020 Data Breach Report, 37% of credential theft breaches use stolen or weak credentials. 

The main problem to solve here was authorization — in particular, how can we verify that an application or service is authorized to access information about the user?
This problem was solved with the creation of the OAuth framework.

The OAuth 2.0 framework essentially allows a third-party application to access information on behalf of the user. Think about how you might provide a friend an extra set of keys when they’re visiting so they can come and go as they please. However, there’s a key difference: You already know your friend, so you don’t need to authenticate them. Instead you just need a way to authorize them to access your home.

Once applications were able to successfully share data with each other, developers realized that this framework could also be used to implement some form of authentication. The OAuth 2.0 framework gained popularity and significant adoption to become an industry standard. However, it was not explicitly designed to support/enable authentication. And that’s why the OIDC authentication protocol was developed as an identity layer on top of the OAuth 2.0 framework, to explicitly provide support for authentication. Specifically, OIDC protocol allows you to log into multiple websites using a single set of credentials. Depending on the use case, the protocol provides several workflows. 

This entire workflow is like checking into a hotel. To make this flow more understandable imagine that a traveler, let’s call him Bob, is checking into Hotel Duo. 

Authentication workflow: Bob arrives at Hotel Duo and walks up to reception. Here the receptionist checks that Bob is who he says he is, actually has a reservation, and provides him with a key card (access token) for access to his room. 

• The hotel receptionist here is the OIDC provider, who is responsible for verifying Bob is who he says he is and that he meets the right criteria to get a key card. 

Authorization workflow: Next, Bob enters his room with his key card. Once Bob settles down in his room, he has time to get in a quick workout, maybe at the gym or at the swimming pool. Bob’s room key card also authorizes him to access other amenities like the gym or the swimming pool, but not facilities like the conference room unless Bob explicitly requests it. 

Benefits of Adopting OIDC for Duo MFA: Reliability and Security

One thing to note is that today, Duo does not support OIDC for identity federation. Rather, Duo leverages the protocol to integrate with applications for MFA. 

Now, let’s take a look at what the new Duo authentication experience looks like when using the OIDC-based integration:

1. Bob is authenticating with an application
2. Bob succeeds his first factor
3. Bob is redirected to the Duo prompt
4. Bob succeeds his second factor with Duo
5. Bob is redirected back to the application

The new Duo MFA experience for Bob is very similar to the current experience, but the prompt is now on a Duo-hosted web page. While only the savviest of users might notice the change, this approach enables Duo to deliver strong authentication that is more reliable and secure.  

Ultimately, by utilizing the OIDC Auth API or WebSDK 4 to integrate with an application, Duo provides developers a familiar and simple way to build MFA into their products and applications. Also, because this integration mechanism redirects to a Duo-hosted page for MFA, developers and customers need to build an integration only once and continue to get improvements for security and user experience.

We've received a lot of positive feedback from customers who have participated in the private preview. And we can't wait for all our customers to try Duo’s next-generation authentication experience. Until then, you can get started by learning more with:

• New guide for Duo administrators: Universal Prompt Playbook
• How to update to Duo Universal Prompt: Duo Universal Prompt Update Guide
• Duo Knowledge Base: What is the Duo Universal Prompt?

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.