<![CDATA[The Duo Blog]]> https://duo.com Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. Tue, 16 Dec 2025 00:40:58 +0000 en-us info@duosecurity.com (Amy Vazquez) Copyright 2025 3600 <![CDATA[How to secure the holidays & prep your 2026 IAM strategy]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/secure-holidays-prep-2026-iam-strategy https://duo.com/blog/secure-holidays-prep-2026-iam-strategy Industry News Thu, 18 Dec 2025 00:00:00 +0000

The holiday season is an intense time for retail, travel, hospitality, and other industries—intense good, and intense bad. While seasonal demand drives a sharp increase in business activity, organizations must also onboard temporary employees, contractors, and third parties at speed, dramatically expanding who needs access to internal systems.

The risk of suffering an outage or data breach due to phishing, social engineering, and other cyberattack tactics invariably goes up, along with a new growing area of concern: external users, including seasonal staff, contractors, vendors, and partners, often require fast access to internal systems and fall outside standard employee identity controls.

Along with heightened exposure to the usual suspects—fraud, ransomware, and remote attacks on IT workers—a new report predicts a rise in third-party risk this shopping season. According to the 2025 Holiday Season Cyber Threat Trends Report, members of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) saw notable spikes in third-party data extortion and anticipate a continued trend of account takeover and business email compromise attempts.

With more threats sprouting up across your vendor, partner and customer ecosystems, adding third-party defense strategies to your shopping list makes sense this year. Read on for a few powerful “Pro Tips” that might help do the trick—we’re sharing them early, before the “holi-daze” hits full stride.

In addition to fraud, last year’s most common threats included phishing, ransomware, and credential harvesting—all techniques that can be countered by strengthening identity security.

Since about 80% of breaches still involve humans and often credentials, the first step in avoiding risk should be making sure anyone trying to connect and access your company resources is who they say they are. Apply strong IAM consistently to both internal and external users, since both introduce identity risk during the holiday period.

Avoid growing threats by extending your strong access controls to validate more third parties as thoroughly and as easily as you do your internal workforce. Multi-factor authentication (MFA) is a crucial component of identity and access management (IAM). Strong MFA helps manage the risk that comes with allowing suppliers, contractors, consultants, and customers to access your company’s systems and data.

Last year, we explored security tips to combat holiday phishing. Traditional forms of MFA like SMS, callback, and hardware tokens are not only clunky to use and disruptive to users, but also no longer sufficient in defending against evolving phishing attacks. Duo balances security with user experience, covering the widest range of MFA options to fit organization needs. To defend against MFA-targeting attacks, deploy modern risk-based authentication (RBA) and token-free, phishing-resistant Proximity Verification—a reliable method of authenticating independent contractors, service technicians, and other third parties accessing sensitive systems onsite.

Secure-by-default, Duo makes it super easy to verify external identities and block unauthorized access. Flexible user directory capabilities help IT streamline access by both internal and external identities and manage them separately or together.

The recent addition of Duo Directory lets admins set up, segment, and manage third parties in alternate directories in the same way—but not the same place—that they do employee data. A safe and simple place to store third-party identities, Duo’s cloud-based directory can broker authentication across multiple Identity Providers. After all, protecting your company against external risk protects your entire supply chain; it’s the gift that keeps on giving!

There’s no getting around it: everyone multi-tasks around the holidays. That means employees and external users may be doing their holiday shopping—creating accounts, resetting credentials, sharing links, and entering payment data—all from some of the same devices they use to access your network. While shopping itself doesn’t change the need for device trust, it does increase the chances that those devices are exposed to risky links or downloads, raising the likelihood of compromise and directly impacting the security of your environment.

Strong identity security validates trust in devices as well as users themselves. This includes workforce and third-party devices; both must meet your security bar before accessing internal systems. MFA alone won’t keep everybody safe, particularly when your IT team can't see or control their devices. That’s why Duo’s strong identity security solution validates trust in devices themselves as well as users.

Duo Device Trust delivers strong security for third-party access without requiring people to add new hardware or mobile device management (MDM). Duo automatically runs health checks on external endpoints—managed or unmanaged BYOD devices—and spots red flags like outdated software that could easily be exploited. With Duo’s Trusted Endpoints, easily stand up a policy that denies access from any unknown device.

Real-time device telemetry gives admins the same visibility they use to manage internal device health, including detection of jailbroken devices and what OS version the endpoint has running. This way, you can automatically block access until users bring their devices into compliance with company policies.

According to RH-ISAC, the 2025 Holiday Period will likely be defined by an unprecedented scale of automation. With generative AI traffic predicted to grow 520% in the 10 days leading up to Thanksgiving, the lines between good bot, bad bot and human will be significantly blurred.

The same AI traffic surge targeting consumers will also overwhelm workforce identity systems. Access volumes rise and an increasing number of employees become phishing risks, especially as threat actors on Santa’s naughty list use AI to scale their attacks. This is where Duo’s AI Assistant can help, by unifying logs, user context, and device posture in one place to accelerate decisions, so admins don't have to look through various pages to find an answer. An admin can simply ask the AI Assistant, “Show me all devices this employee used to access corporate resources this week and tell me if it’s safe to grant him access from his Android device.”

As much as we try to separate personal and corporate activities, employees often use the same devices for personal holiday shopping and work. Securing identity at the point of login becomes critical to maintaining resilience during this time.

Sometimes less is more. Getting rid of passwords is a gift that makes life easier for users and IT while making everyone, and your organization, safer.

Even at work, we may have a wish list, like just being able to log in faster without the headache of typing and remembering all the different passwords. Do your employees and external users a favor this year by reducing this friction and giving them the gift of passwordless.

Duo enables end-to-end passwordless identity security, a foundational element of end-to-end phishing resistance and one less thing for everyone to worry about as they flip from app to app. A bonus for sure, but one every Grinch in your ecosystem can appreciate.

Get the free guide to modern, security-first identity and access management and get ahead of your identity strategy in the new year. Download the Guide to Restoring Trust in Identity.

With that we’d like to wish everyone a safe and joyous holiday rush and a healthy, prosperous 2026. See you then!

]]>
<![CDATA[Simplify MSP technician authentication with Duo Delegated Access]]> aateya@cisco.com (Abdul Ateya) https://duo.com/blog/simplify-msp-authentication-duo-delegated-access https://duo.com/blog/simplify-msp-authentication-duo-delegated-access Product & Engineering Wed, 17 Dec 2025 00:00:00 +0000

MSPs must secure on-premises, cloud, and server applications with MFA, while monitoring access and managing authentication for multiple clients. Current systems encourage shared user accounts for MSP employees to work on client applications, leaving poor traceability and scattered logs. If someone joins or leaves the firm, it's a hot mess. MSPs often must add users to every client tenant, leading to increased licensing costs and overhead that needs to be accounted for somewhere. Clients don’t like it, and swallowing unnecessary costs shouldn't be necessary.

Delegated Access enables MSP employees who are set up as users on your Duo account to authenticate into customer applications on sub-accounts. Simply give the groups that your employees are part of access on the new Delegated Access page, and they can now authenticate into any application on sub-accounts. Set policy for MSP employee authentications in one spot and monitor authentications with full enrichment on the main account and on sub-accounts.

Delegated Access is designed to fit in with your current workflows as an MSP.

With Delegated Access, you can reduce overhead costs by reducing the number of duplicate users you need to add to your client accounts. Just add one user to the main (parent) account, enable them for Delegated Access, and that user can access applications on sub-accounts.

Delegated Access stops you from needing to worry about users sprawling across all of your sub-accounts. Enforce a more secure policy by configuring the application policy as you will. Delegated users will always complete MFA—no exceptions.

All Delegated Access authentications are logged on the main account and on the sub-account where the application being authenticated into resides. If you need to review those logs, you can find where your MSP technicians authenticated, when, and how, giving you great visibility.

You can use Delegated Access to allow MSP technicians to authenticate into any application protected by Duo MFA. You can use any of Duo’s over one hundred application integrations, or our generic integrations for browser- and API-based MFA insertion.

Learn more about how Duo MSP Delegated Access makes it easy to grow with Duo’s leading access management solution:

  • Already an MSP? Start using Delegated Access today and follow the guide on the Duo docs.

  • Learn about Duo’s program with the Duo MSP At-A-Glance.

Duo’s MSP program helps you eliminate complexity and grow your business with industry-leading secure, scalable, and flexible access management.

The Duo MSP program makes it easy to:

  • Scale your business with pay-as-you-go pricing with no complex pricing tiers or minimums.

  • Securely authenticate into customer applications with Delegated Access.

  • Succeed with technical and marketing support from our team and access to an extensive documentation library and 50 NFR licenses.

Sign up on the Duo MSP page or reach out to msp@cisco.com to start your Duo MSP partnership today.

Duo offers a comprehensive identity and access management solution, with a user directory, SSO, phishing-resistant MFA, dynamic identity threat detection, strong, frictionless authentication, and device trust. With Delegated Access, MSPs gain the ability to simplify user management and licensing for their technicians, consolidate MSP employee logs into one spot, and set strong policy on how an MSP tech can authenticate into customer applications.

Scale with less overhead, increased security, and more confidence. Adopting Delegated Access will allow you to put security and monitoring first, without sacrificing your business operations.

]]>
<![CDATA[Standing out in a crowded MSP market]]> jaho2@cisco.com (Janet Ho) https://duo.com/blog/standing-out-in-a-crowded-msp-market https://duo.com/blog/standing-out-in-a-crowded-msp-market Product & Engineering Thu, 11 Dec 2025 00:00:00 +0000

When security is working, it feels like nothing is happening. No breaches. No headlines. No interruptions. For customers, that quiet can spark doubt: Why are we paying for this? As an MSP, this is your challenge: turning invisible protection into visible progress. Your customers’ leadership doesn’t see the blocked attacks, reduced risks, or avoided breaches. They only see a quiet status quo. Your value lies in making that invisible work tangible, measurable, and trusted.

Here are five ways you can stand out as an MSP with Duo:

No two environments look alike. Customers run a mix of different applications. For MSPs, that creates inefficiency, which decreases productivity and frustrates customers. Duo solves this challenge by consolidating scattered identities and sessions into one view. You get one source of truth across environments, so you can scale service efficiently while still tailoring policies to each customer’s unique needs. Duo has a broad set of integrations across cloud, on-premises, and hybrid systems, enabling MSPs to meet diverse needs at scale.

Customers expect security that delivers quality and compliance, but they don’t have unlimited budgets. The challenge is finding enterprise-grade protection at a cost that feels attainable. Duo helps you deliver the balance: a straightforward per-user pricing model with no minimums or commitments paired with a product recognized for top tier protection that supports compliance needs. SE Labs awarded Cisco’s Universal Zero Trust Network Access (UZTNA) its highest AAA rating for “Advanced Security IAM Protection,” proving you can offer both affordability and quality in one package.

Also, by bundling MFA, SSO, device trust, and more into a single platform, Duo gives customers more capabilities for the same spend while helping MSPs simplify delivery with fewer tools to manage.

Customers expect prompt, effective support to minimize downtime and keep their business moving. But constant password resets and login tickets can drain your resources and slow response times. Duo lightens that load by reducing authentication tickets, enabling fast self-remediation, and cutting support costs. The result: Customers get the responsiveness they expect, and your team gains the efficiency to focus on higher-value issues.

The MSPs who win long-term trust are the ones who can turn invisible protection into progress customers can see. Leaders don’t just want activity, they want outcomes. Duo makes that easy with dashboards and reports that tie spend directly to risk reduction, blocked threats, and posture improvements. What once looked like “nothing happened” becomes clear, measurable evidence of value.

While AI has been seen as a way to improve security, it has also made social engineering attacks more convincing, raising customer concerns about new phishing risks. Customers need partners who lead with security, not treat it as an afterthought. Duo enables you to deliver that security-first approach through phishing-resistant MFA, passwordless options, device trust, and unified identity intelligence. Pair that with continuous posture checks and user trust scoring, and you give customers visible proof that their quiet security is proactively preparing them for what’s to come.

In security, quiet is the goal, but quiet doesn’t sell itself. As an MSP, your advantage is turning silence into proof, showing customers not just that you’re keeping them safe, but how. Duo gives you the tools to lead with security, adapt to every environment, fit within budgets, stay responsive, and prove results in ways executives can see and trust.

Want to go deeper? Download the MSPs Guide to Stronger Identity Security to learn how to tame identity sprawl, operationalize continuous posture and trust scoring, cut help desk noise, and package tiered offerings with Duo. Or, become a partner today.

]]>
<![CDATA[Securing for third-party risk with Duo for identity management]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/securing-for-third-party-risk-with-duo-for-identity-management https://duo.com/blog/securing-for-third-party-risk-with-duo-for-identity-management Industry News Tue, 02 Dec 2025 00:00:00 +0000

Amidst a cacophony of news clamoring over AI-driven headlines, there’s an underlying need to secure and monitor the basics: Who are my users and what are they accessing? Unfortunately, the risk of unauthorized access only grows as “who” expands to include partners, agencies, suppliers, and contractors—each with their own set of identities, devices, and permissions.

The Verizon 2025 Data Breach Investigations Report found that 30% of all breaches involved a third party—twice as many as the year before. This is echoed in Microsoft’s latest Digital Defense Report, reporting that about a third of attackers use simple methods to break in, often through trusted partners in your supply chain or online services.

Wherever these attacks originate in your supply chain, business continuity and data protection are imperative. That makes it essential for identity and access management (IAM) leaders to manage the risk that comes with granting suppliers, contractors, consultants, and even customers access to their company’s systems and data.

To proactively mitigate risk from external identities and prevent unauthorized access, Duo helps organizations adopt and extend zero trust identity security strategies to external users.

Duo’s flexible user directory capabilities and built-in phishing-resistant multi-factor authentication (MFA) make it easy to streamline identity and access management for internal and external identities—separately or together.

With a “security-first” approach to IAM, Duo gives businesses three powerful ways to manage third-party risk:

Where do you store non-employee identities? For many organizations, it's a growing hassle to add third-party identities to their on-premises primary identity provider and then Saran-wrap them with MFA. The addition of Duo Directory equips admins to set up alternate directories so they can segment and securely manage external identities in parallel with—but distinct from—employee data.

Duo can broker authentications between multiple identity sources through new easy-to-configure routing rules. Now, the same strong security functionality, policies, and standards for internal employees can be applied to suppliers, vendors, and contractors. This grants administrators an essential level of visibility and traceability for external identities alongside their employees.

Strong identity security validates trust in devices as well as users themselves. That’s why every identity protected in Duo Directory comes with MFA, single sign-on (SSO), and device trust out of the box.

Duo’s industry-leading MFA supports a wide variety of authentication methods including phishing-resistant Proximity Verification, passwordless, tokens, SMS, and callbacks—along with the option to set up smarter risk-based authentication (RBA). Duo SSO streamlines logins and controls access with hundreds of premade integrations. This flexibility makes it easy to choose the ideal authentication method and level of access for every employee and trusted associate, regardless of identity source.

What's end-to-end phishing resistance with Duo? Get the infographic.

What about maintaining visibility into the health of risky, unmanaged devices? Automatically managing device trust enables administrators to set security policies for unmanaged devices and either block them or make sure they stay up to date and in compliance.

Duo Device Trust delivers strong security for third-party devices without the need for additional endpoint protection or mobile device management (MDM). Seamlessly enforce a device health check at every authentication attempt, and spot vulnerabilities like outdated operating system versions or jailbroken/rooted devices before they can be exploited. For more stringent policies, differentiate authentication between devices that are managed or unmanaged, and block all unknown devices that aren’t designated as “trusted.”

Administration of more identities is no easy feat.

Duo’s automated provisioning and deprovisioning make it easier than ever to set up and manage directories throughout the third-party identity lifecycle. IAM leaders can set granular access policies quickly using a single solution built for flexibility and admin usability, including built-in policy calculators and time-saving AI assistant queries. Creating custom user attributes can help with organization and ensure proper de-activation of permissions.

Duo streamlines management of cloud and on-premises apps, unifying identity management and security across various groups working remotely and onsite. Secure third-party users against remote attacks—without having to ship out and manage hardware tokens.

Protect against unauthorized access to company data even when third-party vendors and suppliers get hacked. Duo delivers the industry’s most complete IAM solution for securing external identities with flexible, built-in identity directory capabilities complemented by industry-leading phishing-resistant MFA, SSO, and device trust. Secure identity by default, out of the box, for every user.

Read more about how Duo is Restoring Trust in Identity in our latest ebook or see how to set up security-first IAM on a bi-weekly Live Demo.

]]>
<![CDATA[Thwarting adversary-in-the-middle attacks with Proximity Verification]]> brelau@cisco.com (Brendan Lau) https://duo.com/blog/thwarting-adversary-in-the-middle-attacks-with-proximity-verification https://duo.com/blog/thwarting-adversary-in-the-middle-attacks-with-proximity-verification Product & Engineering Thu, 20 Nov 2025 00:00:00 +0000

Approximately 4 years ago we introduced Verified Duo Push—an evolution of Duo Push. Verified Duo Push improves security by requiring users to input a numeric code displayed in the Duo Prompt when approving the Duo Push request.

Requiring a numeric code at authentication time prevents 2 types of push phishing:

  1. Push Harassment — An attacker sending multiple successive push notifications to bother a user into approving a push for a fraudulent login attempt

  2. Push Fatigue — Constant multi-factor authentication means users pay less attention to the details of each login, causing a user to mindlessly accept a push login

Verified Duo Push, while more secure than Duo Push alone, is still susceptible to certain attacks.

Let’s examine a real-world Verified Duo Push attack vector:

This Verifier Impersonation attack involves a convincing phishing email and a reverse-proxied phishing site:

The Attacker sends the User a phishing email posing as IT support. The User clicks a malicious link and is taken to a proxied login page. The user, thinking the malicious login prompt is the real login prompt, enters their primary credentials. The attacker, in turn, receives those credentials and enters them into the legitimate login page, which proceeds to send a Verified Duo Push to the user’s phone. When the Duo Prompt requests the Verified Push code be entered into Duo Mobile, the Attacker's proxy relays the code back from the real site to the fake site, tricking the User into entering it and granting full access.

  1. Attacker sends a phishing email posing as IT support

  2. User clicks the malicious link and visits a proxied login page

  3. User enters their first factor credentials into the proxy

  4. Attacker forwards the credentials to the legitimate login page and begins authentication

  5. Attacker (via their legitimate Duo Prompt) sends a push to the User's phone requesting VP code

  6. Attacker's legitimate Duo Prompt displays VP code, which is forwarded to and displayed on the attacker's proxy site

  7. User enters the Attacker's VP code into their Duo Mobile, granting the attacker full access to their account

At Duo, we are constantly innovating and adapting to the ever-changing threat landscape. Next, let's take a look at the steps we've taken to make Push-based authentication even more secure.

We recently released Duo Proximity Verification to Duo Essentials and above, at no additional cost! Proximity Verification helps prevent verifier impersonation attacks and active phishing campaigns.

This new authentication method requires Duo Mobile to perform a BLE communication handshake with the laptop or desktop that the end user is authenticating from in order to successfully approve the login request. The computer must be running a companion application, Duo Desktop, that communicates both with Duo Mobile and with the Duo Prompt.

Proximity Verification stops such attacks with a two-pronged approach:

  1. Origin (Verifier Name) Binding — Duo Desktop must be able to verify that the request for authentication came from a legitimate instance of the Duo Prompt

  2. BLE Proximity Verification — Duo Desktop (via Bluetooth Low Energy) must be able to verify that the Duo Mobile application associated with the user who initiated the authentication request is within physical proximity

These requirements stop verifier impersonation attacks and offer security comparable to FIDO2/WebAuthn without requiring expensive and difficult-to-provision hardware.

Let's take an in-depth look at how Duo Proximity Verification blocks the earlier attack.

Let's first examine a common attack scenario where the Attacker attempts to leverage the user's Duo Desktop for proximity verification:

Since it’s the User’s Duo Desktop that needs to be within physical proximity of the User’s Duo Mobile, the Attacker allows their proxied site to communicate over localhost with the User’s Duo Desktop.

  1. Attacker sends a phishing email

  2. User clicks the link and visits a proxied login page

  3. User enters credentials

  4. Attacker forwards the credentials to a legitimate login

  5. Attacker sends a push to the end user

  6. Fake Duo Prompt attempts to communicate with Duo Desktop over localhost

  7. Origin check fails

  8. Attack is thwarted

Here, Origin Binding is the mechanism that saves the day. Even with the Attacker’s approach of communicating with Duo Desktop (located on the User’s machine), the origin validation request will always fail, as the request originated from evil-acmecorp.com.

Now, let's consider a more sophisticated attack where the attacker attempts to bypass the origin check by installing Duo Desktop on their own machine:

  • No Verified Push code is shown in the login flow. Instead, an encrypted single-use payload not visible to the user is exchanged between Duo Mobile and Duo Desktop using BLE.

  • Duo Desktop verifies the origin of the authentication request ensuring that it came from a legitimate Duo Prompt.

  • BLE communication is used to prove that the user approving the Duo Push request in Duo Mobile is in close proximity to the computer they are logging in from.

  • The attacker cannot satisfy these conditions, so the attack fails.

  1. Attacker sends a phishing email

  2. User clicks the link and visits a proxied login page

  3. User enters their credentials

  4. Attacker forwards the credentials to a legitimate login

  5. Attacker sends a push to the end user

  6. Duo Prompt (on the Attacker's machine) pings Duo Desktop (also on the Attacker's machine) over localhost to provide the encrypted payload

  7. Duo Desktop validates the origin of the request from Duo Prompt. All is well!

  8. Duo Desktop attempts BLE communication with Duo Mobile, but since Duo Mobile isn't in proximity, this check fails

  9. Attack is thwarted!

Duo’s Proximity Verification provides a new layer of security beyond what Verified Push offers, neutralizing sophisticated verifier impersonation attacks without requiring additional hardware.

If you’d like to explore Proximity Verification in more detail, check out the documentation, a demonstration, or start testing in your environment today!

If you aren’t a Duo customer but are interested in trying out this feature, you can start a trial of Duo.

]]>
<![CDATA[OAuth 2.0's next chapter: Enabling the AI security revolution]]> cmedfisch@duo.com (Colin Medfisch) https://duo.com/blog/oauth-2-0-next-chapter-enabling-the-ai-security-revolution https://duo.com/blog/oauth-2-0-next-chapter-enabling-the-ai-security-revolution Product & Engineering Tue, 18 Nov 2025 00:00:00 +0000

It seems like on a near monthly basis, a protocol is “dead” or “dying.” Some have been close to true, but when we dig into the likes of OAuth, the reality couldn’t be further from the truth: OAuth continues to expand its role. With OAuth 2.1 approaching ratification and enterprises exploring agent-driven frameworks like the Model Context Protocol (MCP), OAuth is moving from a behind-the-scenes standard to a frontline security guardrail.

It’s not flashy, but without OAuth, interoperability quickly turns into uncontrolled risk. A risk that Duo’s here to help you solve!

At its core, OAuth is a delegation protocol. It was designed to let applications grant access without sharing usernames and passwords, relying instead on scoped tokens. That simple idea has become the connective tissue of enterprise IT. It allows SaaS platforms to integrate cleanly, internal APIs to share data securely, and, increasingly, AI agents to take on tasks with just the right level of permission.

The principle is always the same: Access should be temporary, identity-bound, and accountable. OAuth enforces that principle at scale.

The emergence of MCP highlights why OAuth still matters. MCP promises a world where apps and AI agents can coordinate across organizational boundaries. But that flexibility also increases the number of access decisions enterprises must manage.

OAuth provides the discipline MCP requires. Tokens limit what agents can do and how long they can do it. Permissions are no longer vague, permanent grants but scoped, time-limited credentials. Every interaction is governed by least-privilege. In short, OAuth makes MCP practical for enterprises that can’t afford to trade innovation for uncontrolled risk.

OAuth 2.1 sharpens the tools enterprises already depend on. By removing insecure pieces such as the implicit flow, it closes off a common path to token leakage. By requiring PKCE in every application—even server-side ones—it reduces the risk of code interception. And by consolidating best practices into a single recommended baseline, it simplifies life for developers who no longer need to guess which flow to use.

The result isn’t a reinvention, but a protocol that is easier to implement securely and better suited for distributed, agent-rich ecosystems.

Most identity providers manage OAuth through a single authorization server per tenant. Duo takes a different approach: Each OAuth or OIDC integration is its own server, creating explicitly secure segmentation, seamlessly tying into our security-first IAM strategy. By doing this, we ensure that a potential compromise in one integration cannot cascade laterally across the tenant.

When more flexibility is required, Duo also offers Global Token Introspection, an optional capability that centralizes token validation across selected integrations. Instead of managing multiple introspection endpoints, organizations can route validation through a single global service. That improves consistency, reduces administrative overhead, and makes interoperability between applications and agents more straightforward—all without sacrificing the control to isolate integrations when necessary.

OAuth is only one layer. Duo enriches it with contextual policies that consider device health, location, and risk. Groups can be mapped to scopes only after meeting the policy criteria that customers define, ensuring access decisions align tightly to identity. And all of it feeds into a unified visibility layer, giving administrators a single place to monitor logins, API calls, and soon, agent activity.

This layered approach expands OAuth from a protocol that connects apps to an IdP into an access management framework. One that aligns with how enterprises actually manage workforce access today!

We just launched a beta for a new OIDC/OAuth 2.1 integration. This release combines grant types from OAuth 2.0 and 2.1, enables group-to-scope mapping, and extends Duo’s policy framework directly into authorization decisions. Very shortly, we’ll be further enhancing this integration by adding Dynamic Client Registration (RFC 7591) and Resource Indicators (RFC 8707) for even deeper support, so stay tuned! It’s OAuth built for the agent era - secure, interoperable, and ready for enterprise adoption.

AI agents are already becoming part of daily work. OAuth ensures they operate within safe boundaries. Duo makes that governance secure, scalable, and simple enough for enterprises to adopt with confidence.

Ready to see it in action? We sure are and we want to hear from YOU!

]]>
<![CDATA[The dawn of a simpler, helpful policy experience]]> anneuhof@cisco.com (Andrea Neuhoff) https://duo.com/blog/the-dawn-of-a-simpler-helpful-policy-experience https://duo.com/blog/the-dawn-of-a-simpler-helpful-policy-experience Product & Engineering Thu, 13 Nov 2025 00:00:00 +0000

A key way to get the most out of Duo and the biggest return on your investment is to use Duo’s policy engine to customize the security experience and provide granular access to applications and resources.

It’s been 10 years since Duo first released its policy engine. Over time, we have added 18 different kinds of policy rules that help keep our customers ahead of new security needs. However, more options meant we needed to improve the administrative experience in a simple, easy-to-understand way.

We’re excited to share that we’ve refreshed the entire policy creation experience, making it easier to use and now providing useful decision-making information as-you-go. Best of all, the new policy editor stays true to the familiar Duo interface. No need to learn a new UI.

The general layout of the policy editor should feel familiar, but the new experience makes it easier to find links to documentation, understand which devices will be affected by the policy, and learn of important dependencies.

For every kind of rule you can create, Duo now shows the information you want to know to be confident in your choices. For example, say you want to set up a rule about authorized networks requiring certain IPs to authenticate every time. The new policy editor surfaces a warning about how this will affect other rules in the policy.

The policy editor now includes recommendations and explanations for each type of rule. You’ll learn what they protect against and what Duo recommends. These sections can be found below configuration.

The strength of an authentication method is a key consideration when selecting which methods are allowed. Duo now provides helpful information during the selection process. For example, it’s recommended to only allow phishing-resistant methods for privileged users. These are directly highlighted when setting the policy.

We know not everyone is able to easily access or visualize the effect of new policy in their environments—so we’re doing it for you.

The new policy editor now has data about your Duo environment. Each data visualization directly relates to the granular choices you can make when setting policy.

For example, in the operating systems section, you’ll be able to see how many Windows and Mac computers are accessing your protected applications and if they are up to date or out of date.

If you are looking at which authentications to allow, you will be able to see how many users and authentications have used that method in the last 30 days and predict the impact of the policy.

We’re adding data like this to four kinds of policy initially: user location, operating systems, risk-based factor selection, and authentication methods.

Ultimately, we want to make navigating Duo policy as simple as possible for administrators. We’d love to hear what you think of the data. Which sections would you like to see us build next? And what data do you really need to create the best policy for your business?

Get started with the New Policy Engine today! See a full list of improvements in the policy documentation.

]]>
<![CDATA[Duo AI Assistant expanding to Asia-Pacific IT and security teams]]> brpenney@cisco.com (Brianna Penney) https://duo.com/blog/duo-ai-assistant-expanding-to-asia-pacific-it-and-security-teams https://duo.com/blog/duo-ai-assistant-expanding-to-asia-pacific-it-and-security-teams Product & Engineering Tue, 11 Nov 2025 00:00:00 +0000

Security and IT teams today are facing immense pressure. Identity administrators are constantly juggling complex tasks—managing directories, implementing applications, and responding to user access issues. The need for efficient, intelligent tools has never been greater.

That’s why we’re thrilled to announce the upcoming release of the Cisco AI Assistant for Duo for our customers in Asia-Pacific. Integrated directly into the Duo Admin Panel, the Assistant is designed to simplify identity security and empower your team to reach faster, data-backed insights—all in your preferred language.

Key capabilities that will transform your daily operations include:

  • Intelligent Troubleshooting: Efficiently diagnose and resolve user access issues. The Assistant can interpret natural language prompts to troubleshoot denied access, summarize authentication logs, and provide relevant data. For example, you can ask, "Why was [username] denied access?" and get a comprehensive overview in seconds.

  • NEW—Understanding Policy: Quickly scan across your Duo policies to understand configurations, identify potential conflicts, or verify compliance. For instance, ask "Show me device health policies affecting users in [group name]" for instant clarity.

  • Instant Configuration Answers: Get quick answers to setup and configuration questions by leveraging Duo's extensive documentation.

Watch a demo of the AI assistant in action in our previous blog post Introducing Cisco AI for Duo

We understand that the introduction of AI, especially in critical security functions, comes with questions about trust and responsibility. Cisco is deeply committed to building AI that is not only powerful but also ethical, transparent, and secure. Our approach to the Cisco AI Assistant for Duo is founded on several core principles:

  • Privacy-Centric: No Duo customer data is used to train our AI Assistant, ensuring your sensitive information is protected.

  • Security by Design: The AI Assistant is built with security at its foundation, protecting against vulnerabilities and ensuring safe data handling. Administrator permissions are respected, preventing data leakage and upholding role-based access controls.

  • Transparency and Accountability: We strive for accurate, trustworthy answers that always link back to Duo data, allowing administrators to validate the Assistant's work. Humans review all feedback submitted to the Assistant for improvement.

The Cisco AI Assistant for Duo represents how we see the future: AI and human intelligence working side by side to protect what's most important.

We’re excited to make workflows easier with more multilingual support for admins around the world. The Cisco AI Assistant for Duo is available to non-Federal customers in the United States and will be available for customers in Asia-Pacific in January.

Ready to get started? Try the AI Assistant in your environment and supercharge your security workflows today.

]]>
<![CDATA[Simplifying identity security queries with AI]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/simplifying-identity-security-queries-with-ai https://duo.com/blog/simplifying-identity-security-queries-with-ai Product & Engineering Thu, 06 Nov 2025 00:00:00 +0000

Today's identity infrastructure is fragmented, siloed, and convoluted. This complexity creates blind spots where compliance issues, posture vulnerabilities, and even identity threats lurk unnoticed. Organizations need more comprehensive visibility and risk analysis when it comes to their identity environments. It should be simple to understand questions about:

  • MFA Usage

  • Dormant Accounts

  • Suspicious Access

  • Non-Compliant Users

Yet so often it takes days or even weeks to get the data required to answer these questions accurately.

Never fear! Cisco Identity Intelligence was built to solve this challenge by providing unified visibility across diverse identity sources, using AI to analyze information and empower organizations to evaluate the security posture of their identity environments and effectively detect and respond to identity-based threats.

However, there's been a catch. To unlock Identity Intelligence’s most powerful querying capabilities, users needed to understand Kibana Query Language (KQL)—a technical query syntax that, while robust, presents a steep learning curve. For security analysts, IT administrators, and business leaders who simply need answers, learning a new query language shouldn't stand between them and critical security insights.

To address this problem, the Cisco Identity Intelligence team leveraged specialized AI to eliminate the KQL barrier. Now, instead of crafting complex queries, users can simply ask questions in natural language—just as they would ask a colleague. To deliver the new functionality quickly and effectively, the Identity Intelligence team accelerated their work by using AWS and its powerful services (shoutout to AWS).

Want to find admin accounts without MFA enabled who've logged in from suspicious IP addresses? Instead of writing:

groupNames.keyword:"sg-gsuite-admins" AND
mfaEnabled:false AND lastActive:{now-7d TO now-1d} AND
ipAddressDetails.ipTags.name:(VPN OR TOR_Proxy)

An admin can simply type: "Show me GSuite admins without MFA who recently logged in from VPN or Tor proxies."

The real magic? Identity Intelligence displays both your results and the corresponding KQL query. This dual approach means users get immediate answers while simultaneously learning the underlying query structure—empowering them to grow their technical skills organically.
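To show what each clause of the query above actually selects, here is an added Python example (not Cisco Identity Intelligence code) that evaluates the same four conditions over constructed records. The record layout is an assumption, and the `{ TO }` range is read with exclusive bounds, as in Lucene range syntax.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the constructed sample gives repeatable results.
NOW = datetime(2025, 11, 6, 12, 0, tzinfo=timezone.utc)
RISKY_TAGS = {"VPN", "TOR_Proxy"}


def explain(user, now=NOW):
    """Evaluate each clause of the query separately for one record."""
    last = user.get("lastActive")
    tags = {tag.get("name")
            for ip in user.get("ipAddressDetails", [])
            for tag in ip.get("ipTags", [])}
    return {
        # .keyword: exact, case-sensitive match on the whole group name
        "groupNames": "sg-gsuite-admins" in user.get("groupNames", []),
        # a record with no mfaEnabled field does not match mfaEnabled:false
        "mfaEnabled": user.get("mfaEnabled") is False,
        # {now-7d TO now-1d}: both bounds exclusive
        "lastActive": last is not None
        and now - timedelta(days=7) < last < now - timedelta(days=1),
        # (VPN OR TOR_Proxy): any one tag on any recorded address is enough
        "ipTags": bool(tags & RISKY_TAGS),
    }


def run_query(users, now=NOW):
    """IDs of records for which all four AND-ed clauses hold."""
    return [u["id"] for u in users if all(explain(u, now).values())]


def why_not(user, now=NOW):
    """Names of the clauses that excluded a record (empty list = a hit)."""
    return [clause for clause, ok in explain(user, now).items() if not ok]


def _user(uid, groups, mfa, age, tags):
    """Build one constructed record; mfa=None leaves the field out."""
    record = {"id": uid, "groupNames": groups, "lastActive": NOW - age,
              "ipAddressDetails": [{"ipTags": [{"name": t} for t in tags]}]}
    if mfa is not None:
        record["mfaEnabled"] = mfa
    return record


ADMINS = ["sg-gsuite-admins"]
SAMPLE_USERS = [  # constructed data, not real accounts
    _user("alice", ADMINS, False, timedelta(days=3), ["VPN"]),
    _user("bob", ADMINS, True, timedelta(days=3), ["TOR_Proxy"]),
    _user("carol", ADMINS, False, timedelta(hours=2), ["TOR_Proxy"]),
    _user("dave", ["SG-GSuite-Admins"], False, timedelta(days=3), ["VPN"]),
    _user("erin", ADMINS, False, timedelta(days=7), ["VPN"]),
    _user("frank", ADMINS, None, timedelta(days=2), ["VPN"]),
    _user("grace", ADMINS, False, timedelta(days=5), ["Datacenter"]),
    _user("heidi", ADMINS, False, timedelta(days=2), ["Datacenter", "TOR_Proxy"]),
]

if __name__ == "__main__":
    print("hits:", run_query(SAMPLE_USERS))
    for u in SAMPLE_USERS:
        print(u["id"], "excluded by", why_not(u) or "nothing")
```

Under that reading, carol is not returned even though she was active two hours ago from a Tor-tagged address, because the `now-1d` upper bound leaves out the most recent day; check the displayed query's time window before treating an empty result as a clean one.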

Consider these common security scenarios that become dramatically simpler:

  1. Identity Posture Management: A compliance officer needs to identify inactive service accounts that don't follow naming conventions. Rather than deciphering query operators and wildcards, they ask: "Find inactive users whose accounts start with 'sa.' and contain 'company.'" Instantly, they have actionable data for remediation.

  2. Threat Detection and Response: During an incident investigation, your SOC analyst needs to quickly identify users with recent authentication activity from a specific country. Instead of memorizing country codes and attribute syntax, they simply query: "Show users with recent IP activity from China." Time saved during critical response windows can mean the difference between containment and breach.

  3. Application Licensing Assessment: IT leadership wants to understand application usage by finding users with Salesforce assigned but unused in the past month. The natural language query—"Show users assigned to Salesforce SAML but haven't used it in 30 days"—makes this strategic analysis accessible to non-technical stakeholders.

Identity Intelligence should empower the team, not intimidate them. With natural language search, we're ensuring that anyone who needs identity insights can access them immediately—no advanced training required.

Ready to experience seamless access to accelerated identity insights? If you’re a customer, try the new search functionality in your instance today. If you’d like to get a feel for the feature, check out the functionality in the product tour or start a Duo trial to learn how Cisco Identity Intelligence can transform your organization’s identity security posture.

]]>
<![CDATA[Why Role-Based Access Control is Critical to Your Security Stack]]> aateya@cisco.com (Abdul Ateya) https://duo.com/blog/why-role-based-access-control-is-critical-to-your-security-stack https://duo.com/blog/why-role-based-access-control-is-critical-to-your-security-stack Industry Events Thu, 30 Oct 2025 00:00:00 +0000

Multi-tenant security can be complex, but it doesn’t have to be. We’re excited to announce that Role-Based Access Control (RBAC) for subaccounts has been rolled out to all Duo Managed Service Providers (MSPs) at each Duo edition, including a way to manage granular access in bulk. Duo RBAC makes your Admin Panel experience more secure—without compromising productivity. What does that mean? Let’s dive in.

RBAC is the practice of granting or restricting access to users based on their specific responsibilities. RBAC works by assigning permissions to roles and then assigning roles to users, allowing organizations to easily manage access to systems and resources.

Clients count on their MSPs to be secure. The focus on MSP security has heightened due to advanced cyber-attacks and even recent ransomware campaigns specifically targeting MSPs.

However, managing admin permissions in a multi-tenant structure can be complex, with stronger security often coming at the expense of ease of use.

To scale operations securely, role-based access helps MSPs and other multi-tenant accounts easily ensure proper access controls and reduce the potential for security incidents or unauthorized access to sensitive information.

There are two new RBAC additions to the Duo Admin Panel that work together to keep the engine moving smoothly:

  1. Subaccount Roles: Establish granular admin permissions and least-privilege access practices within your organization. Non-Owner admins can be assigned distinct roles at the parent (main) account and subaccount levels.

  2. Access Tags: Non-owner admins can be given access to specific subaccounts and denied access to others—without having to manage multiple logins. Manage account access with security, usability, and client privacy top-of-mind. Manage Access Tags using the new Access Tags page.

Let’s say that Kit, an IT administrator at Acme MSP, wants to ensure that Stef, Acme MSP’s helpdesk specialist, can properly support clients. Stef works with clients in the financial industry and needs the ability to view and modify their user information but should not be able to create or delete users. Stef should not be able to edit any other accounts that Acme MSP serves in other industries.

  • With access tags, all administrators with the tag “ACME Financial” can access any subaccounts associated with that tag, but admins without it will not. Kit can add the “ACME Financial” tag to Stef’s admin profile to grant Stef access to client accounts with this tag.

  • With subaccount roles, Kit can assign Stef ‘Help Desk’ access to subaccounts but limited ‘Read Only’ access to the “Acme MSP” account. Stef now has ‘Help Desk’ access only to all “ACME Financial”-tagged subaccounts and no access to other tagged subaccounts.

Duo’s MSP RBAC allows Stef to do their job and Kit to deploy and manage at scale for multiple customers, all without compromising on the security efficacy of Acme MSP and their clients.

RBAC plays a crucial part in simplifying operations, strengthening security and driving productivity for MSPs and the customers they protect. With new subaccount roles and easy access tagging, Duo MSPs can easily onboard new clients with appropriate admin privileges, simplifying security management, increasing client trust, and speeding time to revenue.

Instead of needing to set up RBAC through dozens of pages and clicks, MSPs can use Duo’s Access Tags page to set up RBAC in one spot, as well as use the Admin API to modify subaccount roles.

“RBAC is a huge step to make my Duo experience easier.”

Beyond MSPs, Duo’s RBAC can benefit multi-tenant customers using Duo subaccounts, such as universities segmented by campus and enterprises segmented by department.

“I love it…Just a day after I got the email from Duo that this feature had launched, we had a situation… where utilizing the tags saved our day.”
- Duo MSP partner, EMEA

Duo’s MSP program helps you eliminate complexity and grow your business with industry-leading secure, scalable, and flexible access management.

The Duo MSP program makes it easy to:

  • Scale your business with pay-as-you-go pricing with no complex pricing tiers or minimums.

  • Manage all customers in one console with Duo RBAC.

  • Succeed with technical and marketing support from our team and access to an extensive documentation library and 50 NFR licenses.

Visit the Duo MSP page or reach out to msp@cisco.com to start your Duo MSP partnership today.

Duo offers a comprehensive identity and access management solution, with a user directory, SSO, phishing-resistant MFA, dynamic identity threat detection, strong, frictionless authentication, and device trust. With RBAC for subaccounts, administrators gain fine-grained control over ensuring the right people have the right administrative permissions, strengthening security, streamlining role assignments, and enabling scale with confidence.

Adopting Duo RBAC can lead to improved security hygiene, a more scalable admin experience, and improved client trust. The best part is – it doesn’t have to be all or nothing – start by protecting your most sensitive accounts today while you build your organization’s permissions structure over time.

Learn more about how Duo RBAC makes it easy to manage and grow with Duo’s leading access management solution:

]]>
<![CDATA[End-to-end phishing resistance: Stretch goal or short-term reality?]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/end-to-end-phishing-resistance-stretch-goal-or-short-term-reality https://duo.com/blog/end-to-end-phishing-resistance-stretch-goal-or-short-term-reality Industry News Tue, 28 Oct 2025 00:00:00 +0000

Basics is no longer cutting it. Free is not stacking up. Even with multi-factor authentication (MFA) patrolling security’s new identity-based perimeter, phishing attacks remain one of threat actors’ favorite tools and demand stronger protection in identity and access management (IAM). MFA may make it harder to simply log into enterprise environments using lost, leaked, bought, weak, or stolen user credentials, but it’s clearly not impossible either.

That’s because user training and even basic MFA are not enough to ensure phishing resistance against modern campaigns that use new techniques to subvert or sidestep authentication:

  • AI-led campaigns use large language model (LLM) tools like ChatGPT to craft convincing emails that look and sound like trusted entities

  • Adversary-in-the-Middle (AiTM) attacks bait users into clicking fraudulent links that take them to proxy servers controlled by the bad actors

  • New multi-stage MFA fatigue campaigns are designed to capitalize on repeated user authentications to bypass and exploit weaker forms of MFA

  • Gaps in protections reveal themselves as attackers target supply chain and third-party access permissions, remote desktop protocol (RDP), or legacy applications

And that’s not all. Modern phishing attacks like the ones listed above now stretch beyond authentication, threatening session cookies and bypassing traditional defenses, making comprehensive phishing resistance essential—even for trained help desk pros.

If all of that makes achieving end-to-end phishing resistance sound like a pipe dream, identity security leaders can take heart. In a new guide from Cisco Duo, you’ll learn what tools and strategies you can use to push your organization toward modern phishing resistance.

Ready to strengthen your organization's phishing resistance?

Download the free Guide to Building End-to-End Phishing Resistance now.

Let’s talk about what makes defending against modern phishing attacks so challenging.

There’s a lot more to consider when it comes to phish-proofing your organization, and new and existing regulations are not shy about pushing standards higher. To mitigate the risk from modern phishing attacks, regulators, zero trust guidelines, and cyber insurance companies now emphasize phishing-resistant MFA and robust identity security. Forward-looking regulations like Memorandum 22-09 from the Office of Management & Budget (OMB) in the US and the NIS2 directive in Europe now specifically prescribe “phishing-resistant MFA” as a best-practice strategy for safeguarding identity.

These evolving mandates concentrate on the strength of the factor, but IAM leaders already know their defenses must extend beyond the conventional app login. With more threat actors expecting to run into traditional SMS, and even push-based MFA, phishing-prevention strategies must illuminate exploitable blind spots throughout the entire identity lifecycle. That means starting at enrollment—where new, enthusiastic employees are susceptible to false HR emails—through critical points like help desk interactions, remote connections, and deprovisioning.

With headlines of AI-enabled deepfake and vishing (voice phishing), social engineering tactics grow trickier to detect. In many situations, organizations may revert to using passwords or basic security questions as a fallback option for verifying identity. Today’s identity security practices must rise to meet new challenges. For example, using an integrated identity verification service creates a more secure fallback option that equips help desk technicians to establish trust on the fly.

Many organizations use cookies to extend trust throughout a user’s entire working session. But if intruders can find a way to log in using active credentials, they can sometimes steal those “remember me” cookies to hijack active sessions and authenticate into other applications, or change or escalate privileges without triggering detection.

Attackers have become adept at stealing cookies through malicious JavaScript, infostealers like Redline and Emotet, or adversary-in-the-middle attacks. Once they have the session tokens, they can take over digital identities, bypassing passwords, MFA, and other security controls. Typical precautions like making sessions shorter and asking users to reauthenticate more often only add to productivity complaints and user frustration.

Security often comes at the cost of increased friction—especially challenging when end-users must interact with it several times a day for each of their applications. What if we removed the very thing that makes a session stealable? Duo’s patent-pending authentication without cookies paves the path for a dramatic reduction in user friction, delivers platform-agnostic protection (Windows and macOS) with no vendor lock-in or ecosystem limitations, and provides built-in hardware-backed phishing resistance.

Security only works if people use it, which they won’t do if MFA gets too complicated. Asking users to keep track of multiple passwords, rotations, authenticator apps, and physical tokens is a recipe for disaster and that new digital malady, MFA fatigue.

Overly complex controls also burden IT. According to the Cisco Duo 2025 State of Identity Security report, nearly 60% of security leaders cited token management as the biggest hurdle to phishing resistance. Most security and IAM leaders would like to make their MFA more phishing resistant but believe it might not warrant the time and effort.

Rolling out new methods of authentication (like biometrics and smart cards), buying and shipping hardware tokens to remote users, and fielding support calls all consume endless IT cycles that offset the value of IAM investments.

IAM strategies must overcome leaders’ top obstacles to deploying phishing-resistant MFA:

  • Cost and ongoing management of hardware tokens

  • Training and support

  • System compatibility

Resistance stems from operational burdens, not lack of demand. At the core of improving phishing resistance is making stronger security feasible to deploy for every user. After all, “if a security control isn’t deployable; it’s not usable. And if it’s not usable, it’s not protecting anyone.” For Duo, the breakthrough was adding the same proximity-based verification that hardware tokens provide on top of our familiar interfaces. No shipping hassle, no complex configurations, no added cost.

It’s not uncommon to hear of passwordless authentication as an option to go phishing resistant and improve user experience at the same time. The pitch to go password-free is typically accompanied by plenty of caveats and challenges, yet many organizations committed to strengthening their identity security are already moving forward—streamlining authentications with single sign-on, enforcing device hygiene standards, and leveraging risk-based authentication (RBA) to cut down on repeated logins.

With the past several years of innovation, regulators, cyber insurance companies, partners, and prospective customers are also headed towards passwordless, and for good reason: without credentials there’s nothing to phish. Even AI can’t steal passwords that no longer exist.

Is “complete passwordless” just another pipe dream? After all, complexities arise in the form of legacy applications, working with existing infrastructures, and initial directory enrollment. The new guide details how you can make the elimination of passwords—typically considered a ‘stretch goal’—a near-term reality (versus a “roadmap item”) at every stage of the identity lifecycle: enrollment, application and operating system logins, help desk support, and secure fallback.

  1. Securely verify and onboard new users

  2. Strengthen user authentication at every access point

  3. Prevent session stealing even after users log in with cookie-free protections

  4. Secure the "edge" cases like fallback, Help Desk calls, and deprovisioning

  5. Move towards eliminating passwords completely

Stronger security is achieved in phases. Implementing end-to-end phishing resistance with identity verification, session theft protection, and phishing-resistant MFA ensures your organization is protected now and in the future.

Duo makes it easy to get started on the journey to complete end-to-end phishing resistance without the high price tags and hidden costs. Download the guide now to learn how you can build seamless, reliable identity security and deliver a world-class end-user experience at the same time.

Get the free guide to achieving end-to-end phishing resistance today!

]]>
<![CDATA[Evolving to “Security-First” IAM — without starting from scratch]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/evolving-to-security-first-iam-without-starting-from-scratch https://duo.com/blog/evolving-to-security-first-iam-without-starting-from-scratch Product & Engineering Tue, 21 Oct 2025 00:00:00 +0000

“Comprehensive security should be built in or enabled by default” — an appeal from Patrick Opet, CISO at JP Morgan Chase. In an open letter to their third-party providers, Opet points out an erosion of strong authentication and authorization practices as software providers prioritize speed of development over security.

Complexity is the reality for organizations of all sizes. With an ever-distributed supply chain and increasingly modern software demands, security controls expand to defend a new perimeter: identities, from trusted employees to partner external accounts to experimental AI agents. Change is hard and adds pressure on traditional systems that prevent organizations from moving forward with even the most obvious decisions, like taking a “security first” approach to identity and access management (IAM). It’s simply challenging to justify ripping out what’s in place and starting over.

Check out our latest guide to security-first IAM to see how Duo is restoring trust in identity.

Cisco Duo aims to eliminate the performance and compliance tradeoffs that drive up the cost and complexity of other solutions—like gaps in visibility and strong authentication coverage. Evolving to security-first IAM should be easy. With roots in both deep security research and exceptional user experience, Duo makes world-class identity security available by default, not as an add-on. To level-set, here’s what business and IT leaders can expect to gain and how they can jumpstart the process to putting security first.

Modern cybersecurity strategies know that identity is the new perimeter, but many traditional IAM solutions don’t adequately protect those identities with security until later. As a result, organizations are forced to seek incremental control layers to protect their core directory solution and stretch to cover their edge cases. Between additional budgets and deployment hours, that’s too late.

When companies treat security as an afterthought, adding important protections drives up the basic cost and complexity of IAM solutions exponentially with deployment, maintenance, and upgrades. Security-critical upgrades may slide to the back burner, or worse yet, never get done at all.

Security-minded organizations have rolled out multi-factor authentication (MFA) to validate and protect identities as users log into their desktops, single sign-on (SSO) portals, SaaS and online applications. That’s a great start but leaves business-critical legacy, custom and remote applications unprotected. Because converting those systems to work with other MFA solutions is a heavy lift, companies continue to—perhaps unknowingly—rely on incomplete protections.

Duo gives businesses an easy, affordable way to protect all applications for all users against sophisticated phishing attacks out of the box with industry-leading MFA and SSO included by default.

Even with SSO, threat actors continue to log—versus “hack”—their way into systems with leaked or stolen credentials. Duo gives organizations a reliable way to validate trust in devices as well as users.

From day one, Duo helps organizations control which devices get access to which resources in your environment whether managed or unmanaged. Duo Device Trust avoids risk by gathering health and security posture before allowing devices to connect to organizational resources. If an accessing device fails to meet health requirements, the request is blocked—and the user is prompted to self-remediate with step-by-step instructions. Enforce baseline device health at the access management level, extending protections without device-level agents.

Remote identity-based attacks have learned to take advantage of push-based MFA with repeated, annoying push-bombing. Proximity verification that confirms the device being used to log in is in the same physical location as the system being accessed acts as a strong defense against remote phishing attacks. But for many organizations, requiring hardware tokens.

Organizations can’t stop phishing attacks while still relying on passwords. Duo’s advanced, end-to-end phishing-resistance includes complete passwordless authentication—even for MFA enrollment, fallback, and on-the-fly help desk calls—to meet modern requirements and deadlines for protecting identities.

Putting security first means recognizing the reality that security teams want to step up protections but have too few dollars in the budget, and not enough hours in the day. Duo makes it easier to make security first a top priority by overcoming the main objections: that the pain of making a change outweighs the business benefits.

Nothing could be farther from the truth, and IAM teams can prove it by phasing in security-first IAM in three powerful use cases:

With the addition of powerful user directory capabilities and deployable end-to-end phishing-resistance, Duo creates “security-first” IAM that achieves forward-looking identity security at enrollment.

Duo offers the broadest possible MFA coverage with flexible options for every user, and no exceptions. Use Duo to quickly achieve 100% MFA, SSO, and device trust coverage and meet the needs of “edge” cases like first responders in healthcare and seasonal workers in retail. Duo works with legacy and custom applications adding visibility and protections that strengthen security and compliance quickly. With hundreds of integrations out-of-the-box, Duo delivers on speed to security that ensures your bases are covered for audits, compliance, and insurance.

Accelerate workforce consolidation during mergers and acquisitions (M&A) and other strategic initiatives using Duo’s IdP and routing rules capabilities to broker between them. Over time, Duo Directory streamlines the transition to a single identity provider (IdP) to centralize and unify operations or makes it easy and affordable to manage multiple directories seamlessly for as long as IT chooses.

A key part of Cisco’s broader cybersecurity solutions, Duo leverages Cisco Identity Intelligence (CII) to streamline detection, response, forensics and reporting on identity-led attacks. Identity security posture management (ISPM) is another key function that helps make self-auditing habits easier. Identity Posture Scoring in CII detects gaps across your entire identity ecosystem and provides prioritized, actionable recommendations to help you effortlessly identify and address gaps in your organization's identity security hygiene. For example, see your distribution of enabled MFA methods or pull a list of identities that are dormant, shared, or missing from HR systems. Take the ISPM product tour.

According to Verizon’s 2025 Data Breach Investigations Report, 30% of all breaches involve a third party. To minimize risks originating in your supply chain, manage vendor, customer and other third-party identities in a separate Duo Directory that comes with MFA and device trust out-of-the-box. A modern, secure store for external identities, Duo gives admins visibility into whether devices are managed or unmanaged and applies the same security checks to third-party devices before allowing them to connect.

Solutions that demand full rip-and-replace fail to recognize the complex nature of identity in modern organizations. Hidden fees, from incremental feature upgrades to operational costs, add up for already-stretched IT teams.

Duo believes that securing IAM should not be an afterthought but a default. That translates into stronger protections against modern threats, better, faster performance with less friction for users, and an administrative experience built for IT teams to deploy, manage, and grow with ease.

See how Duo is restoring trust in identity with our latest guide to security-first IAM.

Try Duo for free with a 30-day free trial today.

]]>
<![CDATA[Take control of policies with User-Group Policy and Bulk Apply]]> anishaa@cisco.com (Anisha Agarwal) https://duo.com/blog/take-control-of-policies-with-user-group-policy-and-bulk-apply https://duo.com/blog/take-control-of-policies-with-user-group-policy-and-bulk-apply Product & Engineering Thu, 16 Oct 2025 00:00:00 +0000

Have you ever wished managing policies was … easier?

Maybe you’ve wanted to restrict access for a certain group of users across all applications—but found yourself stuck clicking through every single application to make it happen. Or maybe you wanted to pilot a new control with a small set of users — but the setup felt more like a marathon than a test run.

If either of those scenarios sounds familiar, we have some good news. We’re introducing two new capabilities designed to give you more flexibility and control while cutting down on repetitive work: User-Group Policy and Bulk Apply.

Until now, custom policies could only be applied at two levels: Application and Application-Group. That works, but sometimes the real question isn’t what application they are logging into—it’s who’s logging in at all.

With User-Group Policy, you can now apply policies directly to specific user groups—no matter which applications those users log into. That means:

  • Apply restrictions globally to specific user groups.

  • Pilot new security controls with small test groups before rolling out to everyone.

  • Simplify management when your policies map more naturally to people than to applications.

Here’s how it works:

  • Policies applied at the Application or Application-Group level will always take precedence.

  • User-Group policies apply underneath those layers, ensuring you can still set broad rules for specific user groups without undoing stricter application-level rules.

Think of it like adding new gear to a bike. You don’t have to relearn how to ride — you just get another option when you need it.

And remember: if you ever want to see which policies apply when a user logs into an application, use the Policy Calculator. It’s there to show you the final outcome so you can test and verify with confidence.

Creating policies is only half the story—the other half is rolling them out without spending your afternoon buried in app settings. That’s where Bulk Apply and Unassign come in.

With Bulk Apply and Unassign, you can:

  • Apply a policy to multiple applications, groups, or application-groups all at once.

  • Unassign a policy when one or more applications or groups no longer need it.

  • Save time and reduce errors that come from repetitive, click-heavy work.

With Bulk Apply, rolling out a policy is simple and clear—and you do it all right from the Policy page.

You’ll see exactly where you can apply a policy—whether to Applications, Application-Groups, or User-Groups—so there’s no guesswork. Selecting targets is quick, with search and filters to help you narrow things down.

If there are pre-existing policies, you can order policies to control which one applies first, giving you even more flexibility.

Before anything is applied, a clear summary gives you visibility into what will change. It’s designed to give you confidence and help prevent mistakes.

Once applied, tags on the Policy page show where and how the policy is deployed. And if you need to undo something, Unassign makes rolling it back just as easy.

Want the full, step-by-step breakdown? Check out our Policy documentation for all the details.

With User-Group Policy you get people-focused controls. With Bulk Apply you get the power to deploy those controls quickly and consistently. And with the Policy Calculator always available, you can preview exactly how those layers combine—so you never have to guess.

Both features are now Generally Available. Head to your Policy page and start using them today—or dive into the documentation for the full step-by-step guide.

]]>
<![CDATA[Why IAM should put security first]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/why-iam-should-put-security-first https://duo.com/blog/why-iam-should-put-security-first Industry News Tue, 14 Oct 2025 00:00:00 +0000

Several vendors talk about “identity-first security,” which is another way of saying, “identity is the new perimeter,” or that zero trust security starts with confirming someone’s identity before giving them access to your company’s resources. Spot-on advice.

But making identity a priority for security is only half the story. To propel a business forward, companies also must make security a priority for identity and access management. IAM emerged to do just what the name says: manage users’ access and privileges to make their lives easier and more productive. With most solutions, strong security controls get added later with a hefty upcharge. Security is literally an “afterthought.”

Duo turns this equation inside-out by making built-in security foundational to IAM, or “security-first IAM”—all with unmatched ease-of-use, proven speed to security, and at no added cost to properly protect the identity perimeter. Let’s break down what this means.

We’ve seen time and time again that, despite checking the box for “has MFA,” a majority of successful cyberattacks still involve valid credentials. Organizations and compliance firms alike play Whac-A-Mole, solving for unique use cases and crafty attack methods with an increasing list of disparate and expensive identity tools. On average, it takes IT teams five different tools to solve any given identity-related issue. A modern IAM solution is secure by default with top-notch security controls built into the architecture and base pricing.

An IAM solution should not only store identities, but it must also protect them. In addition to being a flexible user directory, the three foundational capabilities of security-first IAM are:

  • "MFA Everywhere" by default — World-class security starts with making sure you have MFA available and enabled everywhere, not just for some users or use cases but for every user and every use—cloud and SaaS services, legacy systems on-prem, remote or hybrid work, first responders, and third-party contractors connecting to your company’s resources.

  • Device trust out of the box — Most IAM solutions charge extra to add and manage device trust. In zero trust environments, we avoid risk by verifying every endpoint before granting access. Additional adaptive security policies block threats before they reach the network, stopping risky devices in their tracks to keep businesses safe. These policies should be easy to set up, manage, and adjust.

  • Building for phishing resistance — To address the weakest links in the identity lifecycle, IAM-driven phishing resistance begins from the minute you start onboarding users through their initial enrollment in MFA, fallback, and account recovery. Protect against remote phishing with proximity-based authentication. Additionally, the ability to start passwordless without added costs promotes compliance with evolving mandates for phishing resistance and zero trust strategies.

Treating security like a “nice to have” leads to some obvious bad outcomes starting with greater odds of encountering a data breach. Compromised credentials and unauthorized or undetected access allow attackers to gain access to systems and escalate privileges or take over accounts. Well-known breaches like the attacks on Target, SolarWinds, and Colonial Pipeline all involved identity compromise as an initial access vector.

IAM failures can have a high blast radius that leads to excessive financial and reputational losses from operational downtime and service disruptions. And according to a 2024 Microsoft report, poorly managed identities and access controls still play a role in more than 90% of successful ransomware attacks. Subpar security also damages the bottom line through the high costs of reputational damage, regulatory audits and fines for non-compliance, and increased cyber insurance premiums.

Putting security first doesn’t mean user experience should take a backseat, either. To avoid dangerous workarounds or low enrollment, it’s important not to make accessing resources too complicated or to ask users to authenticate over and over once they’re logged in. Single sign-on (SSO) for as many applications as possible helps minimize logins, especially if the user doesn’t have to re-authenticate for their different browsers, thick clients, desktop apps, and VPN connection.

Historically, increased security often comes at the tradeoff of user friction and frustration. But really, balance is key. Modern IAM intelligently reduces the number and complexity of logins while accommodating users’ individual working styles. For example, once a user on a known, trusted device completes MFA, you can grant them longer session times before prompting the user to authenticate again.

Risk-based authentication dynamically steps up MFA when risk is detected based on known threat patterns, user and entity behavior analytics (UEBA), and continuous security research that keeps up with evolving attacks. Continuous evaluation of trust is important. It’s a cornerstone of improving security without impeding productivity. If everything looks good, why should users have to re-authenticate?

We’ve already outlined a few foundational tenets of security-first IAM:

  • Ensure MFA is truly everywhere and plug the often-overlooked holes in your security perimeter.

  • Establish and set policies based on device trust. Be able to block or step up MFA controls for unknown and under-secured endpoints.

  • Enable proximity-based phishing-resistant authentication and start moving toward a fully passwordless future.

How do we get to a vision of stronger security and frictionless productivity from where we are today?

Does your current provider put identity or security first? If they lead with identity, do they look to “nickel and dime” you just to add basic security capabilities?

Can you trust the provider’s own security posture to protect your identity data? Has the company suffered breaches before? If so (it happens!), how did they handle the aftermath? Did they communicate effectively and take steps to better prevent future disasters?

The road to better security doesn’t have to be a rip-and-replace story. Choose an IAM solution that includes practical, forward-looking innovations like identity provider (IdP) brokering capabilities to streamline directory management and identity intelligence to self-assess your security posture.

Next week, we’ll outline an easy progression to start where you are and phase in security-first IAM without disrupting your current operations:

  • Find gaps in MFA coverage and enrollment

  • Identify unmanaged devices

  • Detect long gaps between user logins and review privileges

In the meantime, check out Duo's learning hub to read more about fundamental (or advanced) identity concepts, and see how Duo is restoring trust in identity with our latest guide to security-first IAM.

]]>
<![CDATA[Device bait and switch: A case of device replacement]]> tmishoe@cisco.com (Tess Mishoe) https://duo.com/blog/device-bait-switch-a-case-of-device-replacement https://duo.com/blog/device-bait-switch-a-case-of-device-replacement Product & Engineering Thu, 02 Oct 2025 00:00:00 +0000

Duo’s AI and Security Research team takes on security cases from customers, digging into telemetry data to find actionable anomalies that can be searched for, alerted on, and remediated, sometimes with AI and machine learning.

A user picks up their phone and sees a Duo Push they didn’t request. They think this is strange and deny the Push request. Their account is safe now but unbeknownst to them, the attacker will discover another avenue of attack and successfully compromise their account. In this blog, we’ll explore what happened in a peculiar case of SMS compromise.

Frequently, when the AI and Security Research Team receives a case, the customer requests to know more about how Duo products work or about follow-up actions and recommendations after an incident. In this case, a customer employee received a push to their mobile device, which they then denied. However, according to the customer, two successful authentication attempts followed, one of which used an SMS passcode.

The administrator requested that the user change their password and wanted to know how these authentications could have been successful after being denied by the user.

In the customer submission, a username was provided—this account was a service account that could have multiple devices tied to it. When service accounts are involved, the severity of the incident can go up drastically; there are increased permissions and therefore more opportunities for lateral movement into other accounts and systems. This case needed a closer eye to halt any further compromise.

Something notable occurred a month before the incident. According to logs, an administrator had unlocked the account after a few failed authentications, then added in a set of user authentication bypass policies.

When we looked back at the incident timeline, we saw that several new phone identifiers were created after the likely start of the incident. These new phone identifiers could be an attempt by an attacker to create a backup access method if their initial phone was removed from the account—an example of persistence.

Our first dive is to understand which devices authenticated to that account. Searching through phone models and versions, we learn that there are two associated devices with the same phone identifier. This is of note—two phone models associated with one identifier means that the account’s device was replaced in the self-service portal.

Finally, two separate locations with two different IPs were seen accessing the account, seemingly in tandem. This is where things get interesting...

Recall that our user reported that they denied the initial 2FA prompts received. Therefore, looking for prompts that received a ‘user denied’ response may lead to the action that caused the compromise. Sure enough, there were several denied responses from the primary phone tied to the account. But shortly after those denied responses were a set of successes...on a different phone key, from a different IP in a different state.

Looking back at this new phone key, it appears it was created and left alone: no activity occurred using it for months after its creation. This device could be the initial access point used by the attacker, or it could've been added later if the attacker compromised the original device's phone number.

These IPs dueled for about a day: a login was initiated from devices in one state, followed by the legitimate user’s denial. Finally, an authentication was initiated by the attacker and answered by the dormant device on the account, likely controlled by the attacker. This granted the attacker access.

After the attacker gained full access to the user’s Duo account, they took steps to fortify their position. By changing the user’s default phone identifier to their own phone and adding several more phone identifiers, the attacker took hold of the account.

Thankfully, there wasn’t any lateral movement off of the account—none of the associated phone identifiers had attempted to access any other user account.

Some cleanup activity was seen after the authentications and phone changes above. An administrator removed one of the phones from the account but didn’t successfully remove the others. For this reason, the response to the customer included a recommendation to change the user password and remove all devices from the account—this should lock the attacker out for good.

Additionally, the user authentication bypasses were placed a month before the incident but never removed. When a Duo Bypass is put into place, the user is not required to use Duo two-factor authentication at log on and is not subject to any policy settings that restrict access.

Although this bypass didn’t have anything to do with the initial access to the account, it was still in place and could have made the attacker’s takeover significantly easier if they had taken advantage of it.

We also recommended that the customer perform a regular audit of devices on Duo accounts and of bypasses placed on them, and turn off lower-level factors (like SMS and phone calls) if feasible.

Attacks on phone numbers and attacks that exploit misconfigurations have become drastically more common. The ‘SIM card swapping’ technique, in which attackers social engineer or bribe carriers into providing access to a phone number, is used in a lot of attacks of varying complexity (including large-scale cybercriminal groups). Other attacks take advantage of user error, like those targeting common device vulnerabilities to find gaps in MFA.

Careful device management, including removal of stale/unused devices after a delay period, can remove the attack vector that becomes the downfall of your organization’s defenses.
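The pattern this investigation followed can be expressed as a log check. The sketch below is an added example, not Duo's tooling or code from the original post: it flags a user-denied prompt followed within a day by a success on a different phone key and IP, reports how long that phone sat unused after creation, and lists bypasses left in place too long. All field names, device keys, addresses and records are constructed assumptions, not Duo's log or API schema.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are assumptions made for this
# example; they are not the schema of Duo's logs or Admin API.
def _ev(ts, user, factor, result, reason, device, ip):
    return {"ts": ts, "user": user, "factor": factor, "result": result,
            "reason": reason, "device": device, "ip": ip}

AUTH_EVENTS = [
    _ev("2025-06-10T09:00:00", "svc-backup", "push", "denied", "user_denied", "PH-A", "198.51.100.7"),
    _ev("2025-06-10T09:05:00", "svc-backup", "push", "denied", "user_denied", "PH-A", "198.51.100.7"),
    _ev("2025-06-10T21:30:00", "svc-backup", "sms", "success", "valid_passcode", "PH-B", "203.0.113.44"),
    _ev("2025-06-11T08:00:00", "svc-backup", "push", "success", "user_approved", "PH-A", "198.51.100.7"),
    # Benign case: a mistaken denial, then approval on the same phone and IP.
    _ev("2025-06-10T10:00:00", "alice", "push", "denied", "user_denied", "PH-C", "192.0.2.10"),
    _ev("2025-06-10T10:01:00", "alice", "push", "success", "user_approved", "PH-C", "192.0.2.10"),
]
DEVICES = {  # phone key -> creation time (constructed)
    "PH-A": {"created": "2024-03-01T09:00:00"},
    "PH-B": {"created": "2025-01-15T12:00:00"},
    "PH-C": {"created": "2024-08-20T16:00:00"},
}
BYPASSES = [  # bypass status set by an administrator (constructed)
    {"user": "svc-backup", "set_at": "2025-05-08T14:00:00"},
    {"user": "carol", "set_at": "2025-06-09T15:00:00"},
]
WEAK_FACTORS = {"sms", "phone"}  # the lower-level factors named in the post


def parse(ts):
    return datetime.fromisoformat(ts)


def first_use_gap_days(device, events, devices):
    """Days between a phone key's creation and its first authentication."""
    uses = [parse(e["ts"]) for e in events if e["device"] == device]
    if not uses or device not in devices:
        return None
    return (min(uses) - parse(devices[device]["created"])).days


def triage(events, devices, window=timedelta(hours=24)):
    """Flag successes that follow a user denial on another phone key and IP."""
    findings = []
    last_denial = {}  # user -> most recent user-denied event
    for ev in sorted(events, key=lambda e: parse(e["ts"])):
        user = ev["user"]
        if ev["result"] == "denied" and ev.get("reason") == "user_denied":
            last_denial[user] = ev
            continue
        denial = last_denial.get(user)
        if ev["result"] != "success" or denial is None:
            continue
        within = parse(ev["ts"]) - parse(denial["ts"]) <= window
        if within and ev["device"] != denial["device"] and ev["ip"] != denial["ip"]:
            findings.append({
                "user": user,
                "device": ev["device"],
                "ip": ev["ip"],
                "factor": ev["factor"],
                "weak_factor": ev["factor"] in WEAK_FACTORS,
                "denied_at": denial["ts"],
                "approved_at": ev["ts"],
                "days_unused_before_first_use":
                    first_use_gap_days(ev["device"], events, devices),
            })
    return findings


def stale_bypasses(bypasses, as_of, max_age=timedelta(days=7)):
    """Users whose bypass has been in place longer than max_age."""
    now = parse(as_of)
    return [b["user"] for b in bypasses if now - parse(b["set_at"]) > max_age]


if __name__ == "__main__":
    for finding in triage(AUTH_EVENTS, DEVICES):
        print("REVIEW:", finding)
    print("Stale bypasses:", stale_bypasses(BYPASSES, "2025-06-11T00:00:00"))
```

The 24-hour window and 7-day bypass age are illustrative thresholds; tune them to your own authentication volume and change-control process.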

]]>
<![CDATA[How MSPs can turn identity blind spots into growth opportunities]]> jaho2@cisco.com (Janet Ho) https://duo.com/blog/how-msps-can-turn-identity-blind-spots-into-growth-opportunities https://duo.com/blog/how-msps-can-turn-identity-blind-spots-into-growth-opportunities Product & Engineering Thu, 25 Sep 2025 00:00:00 +0000

Once the workday begins, most employees log into a wide range of tools. For the average knowledge worker, this can be as many as 11 different applications, nearly double that of 2019. These apps could span multiple identity providers, creating a fragmented identity ecosystem. For many companies, keeping track of who has access to what is almost impossible, and that lack of visibility leaves blind spots.

Cisco Talos threat intelligence found that, in 2024, 60% of all attacks were identity-based. Nearly half of those targeted Active Directory. Rather than cybersecurity incidents beginning with malware or exploiting vulnerabilities, adversaries often look to simply log in.

This makes securing identity vital, but doing so can be messy. Organizations understand identity is a target but are less aware of how to take hold of the situation. Enter…the MSP opportunity.

Customers often look to MSPs to operationalize security through Identity and Access Management (IAM), streamlining onboarding, provisioning and deprovisioning, and managing workforce access day to day. Done well, IAM reduces friction, drives efficiency, and delivers measurable cost savings. It’s an essential foundation that is expected.

But IAM alone only locks the front door. MSPs can stand out by also offering advisory services that help customers prepare for tomorrow’s threats. This is where Cisco Identity Intelligence comes in. Identity Intelligence continuously analyzes identity activity across users, devices, and applications to spot risks and unusual behavior that IAM alone cannot see.

While IAM mainly covers the Identify and Protect functions, making sure the right keys go to the right people, Identity Intelligence extends coverage to Detect, Respond, and Recover. It acts like the surveillance system, spotting suspicious activity, alerting when someone tries the wrong door, and guiding recovery if a breach occurs. Together, IAM and Identity Intelligence provide a more complete approach to identity security that MSPs can deliver.

You can’t detect what you can’t see. Most organizations rely on multiple identity providers (IDPs), HR systems, and SaaS apps. Correlating that data becomes overwhelming especially for MSPs managing many tenants. Manual investigations and siloed tools slow response times and create blind spots that attackers can exploit.

The first step is visibility. MSPs need a single source of truth to identify risks early, filter out the noise and act with confidence. Identity Intelligence gives MSPs that visibility. It answers questions like “Are you sure MFA is configured everywhere?” by pulling together users, apps and device data across environments. But visibility alone isn’t enough. Identities are a constant target. Continuous monitoring, posture scoring, and trust checks ensure protection stays current, threats are flagged, and risks are remediated before they escalate.

To operationalize this approach, MSPs can follow a proven identity security blueprint built around five widely recognized security functions:

  • Identify — Understand who your customer’s users are and what they have access to by building a user and device inventory. Use IAM to manage onboarding and provisioning and Identity Intelligence to get a holistic view.

  • Protect — Enforce strong access controls with IAM, and pair posture scoring from Identity Intelligence with Duo policies to secure endpoints, strengthen authentication, and maintain compliance at scale.

  • Detect — Monitor continuously for anomalies, such as multiple failed login attempts or unusual locations. Identity Intelligence applies cross-platform analytics to surface patterns and outliers quickly, giving MSPs an early warning system.

  • Respond — Use high fidelity insights to guide incident response. Identity Intelligence helps MSPs prioritize, escalate, and act quickly. With playbooks or SIEM/SOAR integrations, they can contain threats, adjust policies, and document every action.

  • Recover — Ensure customers bounce back quickly. MSPs can help organizations learn from incidents, close gaps, and harden policies. By reviewing Identity Intelligence insights alongside response playbooks, they guide recovery, demonstrate resilience, and build long-term trust.

Many organizations assume they know their identity environment, that is, until evidence shows otherwise. That’s why assessments matter. With Duo’s Identity Security Posture Management, MSPs can surface blind spots customers didn't realize they had such as dormant or “never logged into” accounts, weak MFA adoption, and devices slipping through compliance checks. The results come back in a clear, actionable report. For MSPs, these insights aren’t just findings; they are conversation starters that build trust, open the door to ongoing advisory services and create opportunities to expand your footprint.

Want to see it in action? Check out the interactive demo.

Ready to become a partner? Sign up here to uncover hidden risks, demonstrate immediate value and lay the foundation for long-term identity security partnerships.

]]>
<![CDATA[Expanding visibility for the rise of AI agents]]> ydotan@cisco.com (Didi Dotan) https://duo.com/blog/expanding-visibility-for-the-rise-of-ai-agents https://duo.com/blog/expanding-visibility-for-the-rise-of-ai-agents Industry News Wed, 24 Sep 2025 00:00:00 +0000

Imagine a world where your most tedious tasks are no longer “your” tasks. They vanish from your day-to-day life. No more manually copying data from a spreadsheet, pasting it into your CRM, and then toggling to another app to create a support ticket.

This is the promise of AI agents: a seamless, intelligent workforce that handles tedious tasks automatically, freeing up your team for more meaningful work. This future is arriving faster than we think, powered by technologies like Model Context Protocol (MCP) servers that act as bridges, allowing AI to securely interact with your company’s applications and data. The potential is immense.

The excitement around AI agents can obscure a simple truth. While we dream of revolutionary gains, the most immediate risks aren’t a rogue Skynet, but something far more mundane: lack of visibility and unmanaged permissions. This is where, as your friendly security advisor, I’d suggest we pause and take our vitamins. The agentic future will be incredible, but only if we build it on a foundation of trust and visibility.

While your security team diligently manages human identities, a new workforce is quietly materializing in the shadows. A marketer streamlining a campaign or a developer experimenting with a new tool can now spin up a powerful AI agent in minutes.

The problem? These agents are often built for speed, not security, creating a chaotic and unsupervised digital workforce. At Cisco Security, we’re seeing a pattern of significant risks emerge:

  1. A New Identity Blind Spot: Every one of these agents is a Non-Human Identity (NHI) that needs a “registered home.” It’s impossible to protect or secure what you can’t see, which is why, without a proper inventory of agents, security teams are left in the dark.

  2. Too Many Permissions: In the rush to innovate, many agents are built with hard-coded admin credentials, giving them—and by extension, their users—far more access than they need. It's the digital equivalent of giving a new intern a master key to every room in the building.

  3. Uncontrolled Activity: An AI agent has no hesitation. It will execute its programming at a machine-driven pace, potentially racking up enormous API costs from services like Salesforce or Snowflake before anyone even notices.

We wouldn't hire a human employee without an identity, a defined role, and clear access rules. The principles that govern human identity and access management (IAM) must be adapted for this new, non-human workforce. The first and most critical step is visibility.

This is why we’re enhancing Cisco Identity Intelligence to shine a light on this new shadow workforce. Our goal is to provide the foundational visibility needed to securely enable AI innovation. We help you:

  1. Discover Agents: We actively identify AI agents and MCP servers across your environment, turning unknown entities into a known inventory.

  2. Map Their Activities: We connect the dots between agents, the credentials they use, and the applications they access, creating a clear picture of your NHI landscape.

  3. Bridge the Gap to Governance: Once discovered, these NHIs can be brought into your identity governance and administration (IGA) program. This allows you to treat an agent like any other privileged identity—subject to access reviews and fine-grained controls.

The age of AI agents is here, and it will transform your business for the better. By prioritizing visibility, you can ensure this transformation is not only powerful but also secure. To learn more about our approach to agent visibility, check out Cisco Identity Intelligence or reach out to an identity expert.

]]>
<![CDATA[Smarter security operations with Cisco Identity Intelligence and Splunk]]> viveks2@cisco.com (Vivek Sharma) https://duo.com/blog/smarter-security-operations-with-cisco-identity-intelligence-and-splunk https://duo.com/blog/smarter-security-operations-with-cisco-identity-intelligence-and-splunk Product & Engineering Tue, 16 Sep 2025 00:00:00 +0000

Security Operations Centers (SOCs) rely heavily on Splunk for its powerful capabilities in collecting, indexing, and analyzing vast amounts of security data from diverse sources. Splunk excels in processing logs and security events but achieving comprehensive correlation across today’s diverse and sometimes fragmented enterprise identity landscape has always been a difficult task. That’s why several new integrations bringing relevant and timely identity information into Splunk are true game changers for security teams.

A quick example of this type of identity enrichment is the new Cisco Duo Suspicious Activity analytic story in Splunk ESCU 5.10, with 14 Duo-based detections for identifying risky admin behavior and insecure Duo policy settings.

However, the core theme of this blog is the power of a new integration between Cisco Identity Intelligence and Splunk. For the unfamiliar, Cisco Identity Intelligence is a multi-sourced, vendor-agnostic solution that works across your existing identity stack and brings together authentication and access insights. This integration is facilitated through the Cisco Security Cloud, enabling you to effectively mitigate posture and threat-based risks within diverse, multi-vendor identity environments. For Splunk customers, this means enhanced operational integrity, prioritized efforts based on severity, and granular user-specific insights that drive faster, more accurate security decisions.

Here’s how this integration accelerates your security operations:

  • Risk-Based Prioritization: This integration surfaces the most critical identity risks and anomalies, enabling security teams to focus on high-priority threats that pose the greatest risk to the organization, and highlighting the risks that may arise due to weak identity security posture.

  • Unified Identity Timeline: The data from Identity Intelligence provides you with a unified view in Splunk, highlighting event volume, user activity, and failures by check ID across multi-vendor identity environments. By correlating this data with other sources such as firewall logs and endpoint data, you can gain deeper insights and enriched context—enabling more effective detection, investigation, and response to sophisticated threats like lateral movement, privilege escalation, and insider misuse.

  • Seamless Workflow Integration: To enhance SOC efficiency, analysts are equipped with a streamlined workflow experience that boosts productivity. Security analysts can use Splunk Enterprise Security, Mission Control to create unified workflows based on insights from Cisco Identity Intelligence that provide the foundation to unify detection, investigation, and response to identity-based security risks.

This powerful combination transforms security operations from a reactive, fragmented approach into a proactive, context-rich defense. It empowers security teams to work smarter, not harder, by providing deep identity insights that enhance detection, investigation, and response—ultimately protecting your organization more effectively against today’s evolving threat landscape.

Cisco Identity Intelligence is available for Duo customers at both the Duo Advantage and Duo Premier tiers.

Want to learn more? Head to Splunkbase or check out the integration documentation.

]]>
<![CDATA[Adopt a security-first approach to identity with Duo Directory]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/adopt-security-first-approach-to-identity-with-duo-directory https://duo.com/blog/adopt-security-first-approach-to-identity-with-duo-directory Product & Engineering Thu, 11 Sep 2025 00:00:00 +0000

Year after year, the headlines tell the same story: Identity-based threats continue to plague organizations of every size. According to <insert effectively any industry report>, identity is at the center of the majority of breaches.

Why? Too often, it's because security infrastructure is built on a cracked foundation of identity systems that are too old, too inadequate—or just don’t prioritize security. Many organizations are running outdated identity tools that are inherently vulnerable, or they're working with vendors who treat robust security as an expensive, optional add-on rather than a core requirement. In today's threat landscape, you need a partner who knows how to defend against sophisticated attacks, not one who isn't paying attention.

For years, Duo has been synonymous with best-in-class multi-factor authentication (MFA) and seamless single sign-on (SSO). We're proud of the trust we've built helping organizations implement access controls like MFA. But the security landscape doesn't stand still, and neither do we. In response to the persistent rise of identity-based attacks, we've evolved to provide the foundational identity services your organization needs with the new Duo Directory.

Duo Directory enables organizations to use Duo for all core components of their identity strategy. As a modern, cloud-native service, the new directory functionality:

  • Syncs effortlessly with your existing identity systems

  • Ingests custom attributes on the fly

  • Automates user provisioning to necessary applications

And, of course, it gives Duo the last (satisfying to place) piece of the puzzle required to provide core IAM.

Crucially, this isn't just about adding a new component. When you build on Duo Directory, you instantly unlock the powerful and robust security controls Duo has developed over the years to effectively address identity-based attacks from the ground up.

We hear this question a lot, and it’s a fair one. Ripping out and replacing core identity infrastructure is a massive undertaking, and we would never ask you to do it overnight – or at all. That's why we designed Duo Directory for flexibility.

Duo Directory can be deployed standalone, acting as the primary identity directory for an organization, but it also easily integrates with other identity providers in a complementary fashion. When integrating with current identity infrastructure, Duo Directory can sit as a security layer unlocking advanced functionality like phishing-resistant MFA.

Unconvinced? Why not start by migrating some users who need tighter security controls, like system administrators or third-party contractors? This allows you to experience the security benefits in a controlled way.

Let’s address some reasons you may want to consider Duo IAM:

  1. If you're running on older infrastructure or freemium infrastructure with limited functionality, introducing Duo Directory offers the perfect opportunity to modernize with a cloud-native solution that provides flexibility, granularity, and simplicity in identity management.

  2. If you wish your current identity provider didn’t charge extra for security, Duo is the clear choice. We ensure robust security controls like strong MFA, Device Trust, and a path to Passwordless are not just available, but are foundational parts of the platform.

  3. If you want the most future-proofed defenses on the market today, Duo's security-first approach culminates in what every organization needs: end-to-end phishing resistance. It's the industry's leading defense against the most sophisticated identity threats, and it's at the core of Duo's IAM philosophy.

By building on Duo Directory, you're not just managing identities—you're securing them with a new foundation of trust.

Ready to put security first? Reach out to one of our identity experts.

]]>
<![CDATA[Untangling the identity web: Why a secure identity broker is your new best friend]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/secure-identity-broker-is-your-new-best-friend https://duo.com/blog/secure-identity-broker-is-your-new-best-friend Product & Engineering Tue, 09 Sep 2025 00:00:00 +0000

The digital world has exploded, and with it, the complexity of managing who accesses what. Today's workforce expands beyond just "employees"—it's a dynamic mix of contractors, partners, and even unique groups like alumni and retirement beneficiaries. Each has distinct access needs. Add to this the sprawl of identity providers (IdPs) and directories from mergers and acquisitions (M&A) or organic growth, and you're left with a tangled web of Active Directory, Okta, Entra ID, and more. It's like trying to conduct an orchestra where every section is playing from a different score.

This sprawling infrastructure creates a constant security headache. How do you set consistent, secure policies when identities are scattered across various systems, each with different security capabilities?

The result for many: Identity management leads to security gaps and administrative burnout. A recent survey even found that 73% of IT and security leaders feel security is an afterthought in identity infrastructure decisions, and 75% cite complexity as a key security challenge. Admins on the ground are no strangers to complexity—the average enterprise identity stack is now spread across nearly five separate systems, introducing friction and increasing the attack surface.

The challenge organizations face is that traditional identity and access management (IAM) vendors prioritize their own roadmap (not integration or orchestration) and never seem to make time for security features—relegating it to expensive add-ons for limited functionality. This trend leaves glaring security gaps in identity environments.

At Duo, we believe security and simplicity should be foundational. It’s why we recently announced our Duo IAM platform—the security-first approach to IAM. As a part of that offering, we developed Duo Directory, our cloud-native identity provider, and Routing Rules for Duo Single Sign-On (SSO). These innovations enable Duo to act as a powerful, secure orchestration layer atop your existing identity investments. Think of Duo as a uniting score across the orchestra. Now administrators, your conductors, can bring harmony to the identity symphony, ensuring every authentication is delivered to the right source, with the right security, at the right moment with the least amount of friction possible.

What is an identity broker?

An identity broker complements heterogeneous identity systems by implementing secure, consistent policy for any identity regardless of source system and target resource.

This “identity broker” layer is crucial because it ensures every identity, from every provider, is routed to the right place with the most effective security policy and controls in place.

Take, for example, securing contractors and third parties. Organizations often struggle to apply consistent security to these transient identities that require faster identity lifecycles and higher access scrutiny. With Duo as your identity broker, you can easily separate employee and contractor access:

  • Place contractor identities directly into Duo Directory using an easy external directory sync to pull attributes from your existing IdPs.

  • Enforce powerful controls like Risk-Based Authentication and phishing-resistant MFA on third parties and contractors to enhance security posture.

  • Your employees remain on their existing IdP, with the option to apply Duo's powerful security functionality for them if desired.

  • Routing Rules intelligently directs traffic: Contractors authenticate via Duo Directory, while employees are routed to their established source. This extends Duo's best-in-class security to all identities.

As another example, consider Mergers and Acquisitions (M&A). When two companies merge, you face distinct infrastructures and multiple IdPs. The complexity slows down integrations, delays onboarding and drives up operating costs. Routing Rules intelligently directs users based on email domain, network, or application. For example, acquired users accessing Workday might go to Okta to establish authentication, while existing employees use Active Directory. Duo ensures everyone gets the correct, secure experience.

In each of these cases, seamless access is coupled with robust security functionality.

This is security-first IAM in action: providing powerful controls like phishing-resistant MFA, Risk-Based Authentication, and Device Trust—but at the same time prioritizing simplicity and flexibility for administrators and end-users.

The identity landscape remains complex. But with Duo as your secure identity broker, you can finally make sense of the noise and untangle the mess. Our flexible, security-first approach ensures all identity types securely access corporate resources. It's time to bring harmony back to your identity infrastructure.

In the music mood? Watch all the ways Duo Directory can secure your environment in our on-demand webinar “Protecting Here, There, and Everywhere with Duo IAM” and see a cheeky way to put the “fun” in AI functionality.

Or, jump straight in and reach out to an identity expert.

]]>