Users have left the building, and it's up to your security team to make sure they are protected on any device, wherever and whenever they choose to work. Remote workers need secure access to their applications and critical resources, whether they reside in the public cloud or on-premises behind perimeter security.

Did you know that 81% of breaches involve compromised credentials? The threat of compromised credentials can magnify when you are outside of your office work environment. How do you protect your users from phishing attacks? Start with a zero-trust framework that begins at the access request with strong multi-factor authentication (MFA).

Duo’s modern access security protects your users and applications by using a second source of validation. Designed to support every user login scenario from offline to limited cell service and internet connectivity.

Duo + FEITIAN

We partner with the most innovative enterprise technology vendors, like FEITIAN Technologies, to implement best-in-class security solutions. FEITIAN’s event-based OTP Tokens, OTP Cards, and FIDO Security Keys are supported by Duo as a secure and reliable MFA option.

The use of Duo and FEITIAN, provides a secure user-friendly customer experience including the deployment of FIDO certified security keys which makes user authentication accessible and flexible to customers by providing expanded options for secured data and information access.

"In these unprecedented times, cybersecurity attacks are threatening organizations every day. Over 300 million security breaches and 4000+ ransomware threats cost organizations an estimated $75 billion each year. This doesn’t include the cost of damage to consumer confidence and reputation. 

Most breaches involve weak, reused, or stolen passwords. 81% of breaches are caused by credential theft, 73% of passwords are reused, and 50% of employees use apps that violate their company’s security policy. To prevent this, we are on a mission to eradicate passwords.

FEITIAN Technologies is excited to partner with Duo by Cisco, the market leader in multi-factor authentication (MFA), to provide secure, trustworthy, and fast deployment of cloud and on-premise MFA solutions. Duo and FEITIAN Technologies share the same vision and mission to educate everyone that data protection and security are crucial parts of our everyday lives. MFA provides layered defense and peace of mind."

– Gautam Vij, CRO of FEITIAN Technologies US

Duo’s MFA For All Scenarios

Duo offers eight different MFA methods, including mobile apps, push notifications, offline options, WebAuthn, security keys, and more.

FEITIAN, a Duo Technology Partner, is well known for creating tokens and security keys that support authentication protocols OTP, FIDO U2F, and WebAuthn or FIDO2.

FIDO U2F

Users can quickly enter a code from their hardware token (One-time password) or tap a physical USB security key plugged into their device to log into their accounts securely (known as a FIDO U2F authenticator). This device protects private keys with a tamper-proof component known as a secure element (SE).

There are no special drivers required; all you need is a supported web browser, operating system, and a FIDO U2F device. FIDO U2F is software agnostic and seamless.

Using Duo with FEITIAN OTP tokens or FIDO security keys, provides strong authentication and gives your security team and users choices on which MFA method best fits their environment. 

We invite you to learn more about how Duo Security and FEITIAN work together to provide flexible and strong authentication options for organizations of all sizes. 

To learn more about the integration between FEITIAN and Duo, click here. 

To learn more about the Duo Technology Partner Program, benefits of partnership, and to apply, click here. 

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Securing Your Remote Workforce

In the sea of changes we have all witnessed in 2020, the one around remote work is one that seems like it is here to stay. More and more of our customers are making decisions to either extend or make working remotely a permanent choice for their employees.

From a Zero Trust security standpoint, this continues to amplify the need for ensuring that only authorized users, using trusted devices, are accessing corporate resources from wherever they are working today and will be tomorrow.

Meet Duo's Device Trust

Duo’s Device Trust capabilities were developed to handle the growing mix of managed and unmanaged devices that were already connecting to networks and applications. And now with remote work here to stay, these controls have become increasingly critical to InfoSec teams who want to control if a device needs to be managed and/or healthy to gain access to certain corporate applications.

With remote work becoming the new normal, one of the emerging trends we see is IT teams distributing Google Chromebooks, particularly for employees or contractors who need to use cloud-hosted web applications to stay productive. This is largely due to the fact that ChromeOS is already respected for both security and management controls within IT teams.

Adding Device Trust Support For Chromebooks

Naturally, we have been seeing an increased demand for Duo’s Device Trust capabilities, specifically Trusted Endpoints, to also extend to ChromeOS users so customers can ensure only corporate-managed Chromebooks can gain access to these productivity applications.

To address this increased interest and demand, we have deepened our partnership with Google’s ChromeOS Enterprise team and are excited to announce that we are introducing the Public Preview of Duo’s integration with Google’s Verified Access (GVA) service that enables access time-checks to ensure the device was indeed managed by the customer’s G Suite tenant.

The integration has been in a private preview since November 2019 and we have over 10 customers already using it with fleets ranging from a few hundred to over ten thousand ChromeOS devices. We have been working closely with the Google team on improving the reliability and latency of GVA checks and are looking forward to our mutual customers taking advantage of this integration to add a much-needed layer of assurance on the devices that are being used for access.

“Duo Beyond has enabled us to push our zero trust strategy faster, allowing us to utilize client systems (ChromeOS to be specific) that were difficult and costly to support, making it very low effort to bring new services online and granting granular access controls,” — Mike Johnson, Former CISO at Lyft.

In terms of availability, the integration is available now. And if you have Duo Beyond you can setup this integration in minutes through the Duo Admin Panel.

We have step-by-step docs available here (as well as in the Admin Panel) to help you set things up.

One Solution To Enforce Them All

By integrating with Google’s Verified Access (GVA), Duo’s Device Trust now supports all major desktop and mobile platforms - Windows, macOS & iOS, Linux, ChromeOS, iOS & Android.

This means that customers can now apply consistent access policies across the increasingly diverse population of not just users but also devices, all from a single console. Keeping with the principles of Zero Trust, these policies verify users and devices on every access attempt based on signals coming through Duo’s integrations with IAM services from Microsoft, Google, Okta etc.; device management (MDM/EMM) solutions from G Suite, JAMF, Intune etc.; and endpoint detection & response (EDR) solutions from Crowdstrike, Carbon Black, Cisco AMP etc.

We will continue to work closely with the Google team on not just improving this integration — but also adding more capabilities that help solve security challenges for our mutual customers.

This will enable us to work even more closely with the Google team on not just improving this integration — but also adding more capabilities that help solve security challenges for our mutual customers.

We can’t wait to get you started and see how this additional control helps you up your security in this remote work reality that is here to stay.

Learn More

• Check out how Duo helped Lyft to establish Device Trust across all devices
• Read this ebook to learn more about Duo’s Device Trust
• Sign-up for a free trial to test drive

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

How Prepared Were You for the Shift to Mostly Remote Access?

Quick, where were you when you found out you had to work from home? I remember thinking, “Wow, they just shut down Italy. I have never heard of an entire country being shut down.” 

Millions of people had to prepare quickly to move their business online in real time (without warning). New skills were learned, access to technology was problematic for some, and fingers were crossed. 

Many workers thought the shutdown was for a few weeks tops, but many months later, there appears to be no end in sight. It seems like just yesterday working remotely was a perk for some, and now it is a requirement for most. 

Was your team prepared to move to a virtual work reality? If you said, “not very,” you are not alone. The truth is a few progressive companies transitioned easily. But schools, governments and many other businesses and services were underprepared. In the rush to move to a work from home (WFH) workforce — maintaining security remotely took a backseat to productivity and survival and risk.

“In the future — which is now, actually — ‘remote access’ will just become ‘access.'" — Wendy Nather, head of advisory CISOs at Cisco's Duo Security

The Remote Access Guide Version 3.0

In our new 3.0 version of the “The Essential Guide to Securing Remote Access” we will walk you through the latest breach techniques and how to protect against them. No matter what size your company is (large or small) at Duo we make security the right thing to do, as well as an easy thing to do with our world-class multi-factor authentication.

We are more than just MFA. We also offer Device Trust to automatically detect and remediate unhealthy devices, Trust Monitor to automatically pinpoint login anomalies for clear visibility into all devices (managed or unmanaged) connected to your on-prem and cloud applications. 

In This Guide You Will Learn:

• About specific types of threats targeting remote users
• Security challenges facing the remote workforce
• How users are targeted remotely
• How user devices are targeted remotely
• How access goes both ways
• About cloud security
• How to secure the modern remote workforce

Work anywhere, anytime - this adage has employees connecting to corporate networks via web and cloud apps, as well as remote access services like VPNs and RDP to do their job.

But with this convenience comes a number of threats to users - like phishing, brute-force attacks and password-stealing malware. Devices are also targeted by exploit kits and known vulnerabilities affecting out-of-date software. VPN, RDP, third-party vendor, and cloud and web app access are also targets of malicious hackers.

Learn how to mitigate these attacks in our guide. Ideal for security, compliance and risk management officers, IT administrators and other professionals concerned with information security, this guide is for any organization that allows remote access to their environment.

We updated our Essential Guide to Securing Remote Access to coincide with the current challenges the remote workforce faces. This guide will identify risks to look out for and offer solutions on how to mitigate those risks. 

Learn how to secure your remote workforce affordably, easily, and without rip and replace software. Duo’s zero-trust security MFA solution "offers one of the best defenses to password-related attacks and significantly decreases the risk of an account takeover." according to the U.S. Securities and Exchange Commission (SEC). Get started and learn best practices on how to get the most out of your free trial. 

Download the free Remote Access Guide 3.0 today!

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

In the security industry there is an adage that usability needs to be sacrificed in the name of increasing security. The equation has traditionally been zero sum: increase usability, decrease security and vice-versa. However, at Duo we work hard to give customers fine-tune control over their security posture while maintaining and improving a user experience that is simple and easy to use.

Customization & The Universal Prompt Project

A major initiative that advances the Duo product on both the security and usability fronts is our Universal Prompt project. The project touches many aspects of Duo, but focuses on drastically improving Duo’s web-based authentication interface. The interface, or prompt, is a core component in delivering our secure access solution.

Many of the benefits of this project will be apparent to end users out-of-the-box. For example, the new Duo Universal Prompt will be simpler and more intuitive. However, there are also some significant changes that customers will be able to implement as a choice, specific to their preferences and individual environment.

“A consistent request we’ve heard from customers is, ‘we want more flexibility around customizing the authentication prompt. We take requests like this seriously at Duo.” — noted Scott Christopher, Authentication Product Manager at Duo.

There are many reasons to request customization, but we find that our customers want to provide the most seamless security experience to their end users.

One important driver of the customization request is ensuring that end users can clearly identify that they’re authenticating at the right spot. Multi-factor authentication is the purposeful addition of a step in the user authentication experience, but that step need not be abrupt or startling.

Customers invest significant time (and money) teaching their end users to spot and avoid phishing attacks, and our forthcoming changes will make sure that the Duo authentication experience can be customized to be as familiar as possible.

To accomplish this goal, Duo is building out functionality that will enable customers to provide both branding and language customization.

Infusing MFA with White Label Branded Elements

On the branding front, customers will be able to select a company logo and background image to display in the Universal Prompt authentication experience.

This way, end users can reference these images (icons and imagery of the brand they know) to help assess safety of their authentication. Customers will also be able to select a specific accent color that aligns with their branding to be used throughout the authentication prompt and mobile app experience.

When system administrators are setting up Duo to protect applications, they will also have the ability to provide familiar and consistent names for these applications. By keeping things consistent end users can easily identify that they are authenticating into the right application.

Customize Help Desk Information to Guide Users Effectively

Sometimes end users get stuck during the authentication experience and need help gaining access to their applications. As another way to customize the prompt, customers can include company-specific help desk information that could include a phone number, website address or email address, so that end users can quickly get the help they need.

Our customers work hard to brand their end users’ work tools and expect the same of Duo.

With Duo’s new Universal Prompt customization, end users will be able to assess that they’re in the right place and get help if they need it more easily and quickly.

Display Local Languages With the Universal Prompt

Ensuring that users are familiar with the branding is one important customization — but for our customers that work globally, leveraging a local language is also top of mind.

With the Universal Prompt, additional language support will be enabled for end users. While translating words and phrases is one important consideration in providing language support, the task requires a thoughtful approach to a variety of other components as well.

For example, considerations like iconography, colors and location context are all important factors in user interfaces that must be accounted for when supporting additional languages and regional contexts.

Today, the Duo Prompt is available in English, French and German. With the introduction of the Universal Prompt, Spanish and Japanese will also be supported for end users, with plans to support up to 20 languages. 

Previously, the end users’ language was set by a configuration in the Duo’ Administration Panel. 

However, with the Universal Prompt, the prompt will reflect the language the end user sets in their browser or their device, provided it is a language supported by Duo. 

Increasing Customization Improves UX and Security

The Universal Prompt Project is broad in scope. It not only increases security, but it also improves the overall end users experience with improved design and accessibility. On top of that, Duo is providing customized branding and additional language support to the new authentication prompt so that end users have a seamless, familiar, and secure experience accessing the applications they need.

What’s Next?

We’ve got a lot more to tell you about the Universal Prompt Project, so look for regular blog updates as we delve into more detail on each component of this project.

As we get closer to making these changes generally available, we will provide guidance on planning your migration to the Universal Prompt, including:

• Communications templates for your organization and end-users
• Updated documentation and Duo Knowledge Base articles
• Tools in the Duo Admin Panel to track your progress

Today, we invite customers interested in participating in a private preview of the new Duo Universal Prompt to fill out this brief interest form. 

We will begin reaching out to you for your help in testing and deploying the future of Duo!

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

The time has come where we analyze authentication data and produce our wildly popular Duo Trusted Access Report. 

The 2020 Duo Trusted Access Report details the security state of thousands of the world’s largest and fastest-growing organizations. The report examines 26 million devices used for work and 700 million user authentication events per month to more than 500,000 unique corporate applications, based on de-identified and aggregated data from Duo’s customer base.

This year our report is also interactive!

In this report you learn:

• The security consequences of a massive shift to remote work and its security challenges
• What caused a 90% spike in blocked out-of-date devices attempting to access protected business apps 
• How biometrics is configured on 80% of devices, paving the way for a passwordless future 
• How authentications to virtual private networks (VPN) and remote desktop protocol (RDP) swelled by 60%
• How the sheer volume of activity caused Duo’s monthly authentications to jump from more than 600 million to 800 million per month, with 71.9% of the increase due to remote access technology
• Why more Duo customers are setting policies to disallow SMS as an authentication method
• The rise of authentications to cloud apps and the fall of authentications to on-prem apps
• Which phones are updated quickest after a security patch or update is released 
• Which operating systems and browsers are most frequently used
• Regional differences in remote access, policy enforcement and application use
• Which policies are used most frequently across industries and which industries have the most out-of-date devices.

These are just a few of many findings you will see when you download the 2020 Duo Trusted Access Report. 

“As work from home for most began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end. Duo is in the business of helping others stay in business securely, and was able to provide CISOs a backstop when security took a back seat to business resilience.” — Dave Lewis, Global Advisory CISO at Duo Security at Cisco.

This year’s report is our best yet! You will enjoy interacting with it and learning more about what is happening with secure access this year. Let us know what you think. Tweet to us at @DuoSec

Download the free 2020 Trusted Access Report today!

Try Duo For Free

With our free 30-day trial see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Let’s face it, these days the information we keep online is too important to safeguard with a username and password — especially with target credential attacks becoming inherently more common.

In fact, according to Verizon’s 2020 Data Breach Investigations Report, 80% of security breaches involve compromised passwords.

That's why earlier this year, Datto, the world's leading innovator of MSP delivered IT solutions, partnered with Duo Security’s Managed Service Provider (MSP) Program to implement one of the most important resources for advanced secure access —two-factor authentication, or better known as 2FA or MFA.

“Datto is the largest BCDR vendor in the MSP market, and they understand how important security is to MSPs. We’re so excited to officially partner with Datto to bring the most loved company in security to their platform. Our partnership with Datto enables our mutual partners to utilize Duo with yet another internal platform that is critical to supporting their customers.” — Jacob Heisey, MSP Solutions Engineer at Duo

Here’s a Real MSP Breach Scenario

In the fall of 2018, Datto was tracking cyber security threats and noticed a shift. Rather than hackers targeting their usual Enterprise suspect, they were focusing more on hacking MSPs and small and medium businesses (SMB). According to Verizon’s 2018 Data Breach Investigations Report, 58% of data breaches resulting from compromised passwords came from SMB.

Here we are in 2020, and cybersecurity attacks have increasingly made headlines. It's an ever-evolving industry where criminals find new ways to attack or put a twist on an old threat. This year, Datto unfortunately experienced a small, targeted credential breach.

The attackers reused credentials that were compromised in the past from known breaches unaffiliated with Datto to access MSP’s client accounts (through one of Datto’s products). Although over 99% of the attempts failed, hundreds of valid accounts experienced a breach attempt. It only took one client without MFA and a recycled password to put the partners’ data at risk. This attack validated that Datto needed its partners to use MFA — and its partners’ clients to utilize this secure tool.

Datto’s Testimonial for Duo

Before rolling Duo’s MFA out to its entire partner database, Datto conducted a pilot program. Jeff Reingold, Sr. Vice President of Services and CTO at Panurgy, was one of the companies that participated. Panurgy had actually implemented Duo two years prior, seeing a need to have an additional layer of security for its organization.

“As an MSP, we have the responsibility to protect the data and integrity of our clients. We also have the responsibility to protect our own network. For the past two years, we have made MFA mandatory for our entire team.” — Jeff Reingold, Sr. Vice President of Services and CTO at Panurgy

Panurgy looked for a solution it could standardize across the organization and also help with monitoring and compliance reporting. After the implementation, Panurgy had the ability to see who was logging into the network, from where, and if there were device issues. One of Reingold’s favorite features is the Duo Push.

Duo Push Authentication

Duo Push allowed Panurgy’s employees to sign in simply and easily. They were also offered other options of their liking to sign in, such as a call, tokens and duo mobile. The largest benefit to Panurgy — it offered a second line of defense to its network.

Why Datto Selected Duo MFA: The Solution

According to Datto, there were several reasons as to why it decided to move forward with Duo as its preferred partner. 

1. Duo has a strong relationship with its MSP partners 
2. Duo’s user-friendly experience lets users enroll in multi-factor authentication and maintain the health of their own devices without having to go through a help desk
3. The licenses for MSPs are initially free 
4. Resell clients have a new offering through Datto where they can sell Duo to end users
5. Controls over which factors are used within a company
6. Most of Datto’s users were familiar with Duo MFA and were already using the solution

With 2FA, Datto partners along with Pangury can now experience protection in the Datto Partner Portal while accessing critical applications for their business. Risks associated with compromised passwords are immediately minimized since the password alone is useless without the approval of the verified user through a second source of authentication.   

Key benefits Datto customers can now experience include: 

• A unified login experience through SSO
• Various approaches to authenticate, including Push and Yubikey 
• Device trust to ensure applications are accessed by the devices permitted
• The ability to see, track and report all end users from a single dashboard

Learn About Duo’s Managed Service Provider Program

Duo’s MSP Program delivers security solutions that are simple to set-up and can easily scale with your business as a service. It enables partners to use Duo’s cloud-based, multi-tenant architecture to secure your customer’s environments within minutes, with no physical agents to deploy. Through this initiative, partners can ensure that only trusted users and trusted devices may access protected applications. 

With Duo’s MSP Program, you can have:

• Deploy without ordering 
• Consolidated billing 
• Multi-tenant management console 
• Excellent documentation and support 
• Assessments and tools 
• Sales support 

To learn more about the Duo’s MSP program, schedule a demo today or become a partner.

Check out the webinar below for more information:

See the video at the blog post.

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Swetha Amruthur

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer or Account Executive Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo? 

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Senior Customer Success Manager, Swetha Amruthur to learn about what she does and her experience at Duo.

Swetha Amruthur

Title / Department / Office Location

Senior Customer Success Manager / Remote in Washington D.C.

How long have you been at Duo, and what do you do here?

I have been at Duo for a little over a year now. I work closely with our enterprise Federal sector customers to ensure their business goals & needs are met and all their Duo deployments are successful throughout their life cycle with Duo.

What's your day-to-day like at Duo?

I would describe a typical week vs. a typical day at Duo. As my customers are my main focus and priority, I tend to have weekly or bi-weekly syncs with them (discuss deployment status, issues, concerns etc.), in addition to the impromptu chats and emails. Also, I find myself connecting internally with Duo individuals from other teams for knowledge sharing; discussing lessons learned or just to get to know them better! Planning out the week is key, but then so is being prepared to let customer needs take precedence as needed.

What tools do you use to help you do your job? 

Data and access to it is key for me to be successful in my role. Our documentation and knowledge base is robust. I often find myself referring to each, and guiding our customers to them as well. We also have several internal tools that are highly useful and most of them can be found in our internal CS Hub. Access to individuals across the organization has also been a key part in gaining knowledge and solving complex customer problems and Slack has been a great tool in achieving this.

How do you and your team collaborate with other teams within Duo?

The one thing that never fails to amaze me about Duo is the collaborative mindset of the individuals who work here. Each Customer Success Manager is partnered with a Customer Solutions Engineer and we work together on all customer engagements. I also find myself reaching out to individuals from various teams (product, marketing, compliance, training, sales etc.) and love how everyone goes above and beyond to achieve our customers' success!  Strong relationships and communicating internally often is one of the most important aspects of being a successful CSM.

How did you get your job at Duo?

I came across a job posting on LinkedIn and started researching the company.  The culture, the people and the business problem the company was trying to solve piqued my interest.  After several interviews and getting to know a few individuals at Duo, I was sold and apparently so was Duo making for a great fit!

What is the first thing you do when you come into the office? 

Since I work remotely, the first thing I usually do is brew a large pot of coffee or tea (depending on my mood). With a cup in hand, usually the first thing I do is plan out my day and create my checklist.  Checking my emails and knocking out the critical items usually comes next. Organization and discipline is very important, more so being a remote worker as time can get away from you very fast!

Any big projects or goals you're currently working on?

Our Federal CS team just added two new hires, yay! Onboarding them and showing them the ropes both internally and externally has become a priority.  They are a great addition to the team and it's a great feeling watching this team grow!

What’s an important lesson you’ve learned while working at Duo?

Coming from a non-security background, everything was new to me.  Keeping an open mind and the willingness to learn has played a key part in being successful here at Duo.

How is Duo different than other places you've worked?

Culture! I have yet to come across a group of individuals that are open, willing to teach/collaborate, and invested in each other's success. It has been an amazing ride so far and I don’t see myself jumping off any time soon! 

How is your role at Duo different from roles you've had with other companies?

Being the first Federal (customer service manager (CSM), I knew what the ultimate goal was. However, the path to the end goal was not defined yet. Having that opportunity to define and build that path has been very exciting and fruitful (with the help of amazing colleagues and management)!!

What would you tell someone considering a role at Duo?

Yassss, you will love it! 

####

We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

Announcing the General Availability of Duo’s new SSO and Duo Central!

Over the last few years we’ve seen our customers move increasingly more on-premises applications to the cloud. Single Sign-On (SSO) services are no different and we repeatedly had requests from current customers and prospects that Duo needs to develop a cloud-hosted SSO service. 

A few years ago, we embarked on the journey to develop a cloud-based SSO service that our customers will love. At Duo, we take research and design very seriously because we know that products that are hard to use end up being products people don’t use.

The SSO journey included:

• Thousands of customer and community conversations
• Numerous prototypes 
• Usability testing
• A year long preview producing valuable feedback that included:
• Over 670 customers
• More than 58,000 users 
• 3.4 millions authentications into 1,500 applications 

After a lot of hard work by very smart people that took all that feedback to heart, I am happy to announce the general availability of our new cloud-based Duo SSO.

Cloud-based and hosted by Duo, it frees our customers from the burden of maintaining on-premises SSO components and instead allows them to focus on more pressing projects. Gone are the hours lost to setting up machines, ensuring high availability, managing certificates, and keeping everything up-to-date. As one of our preview customers said it best: 

"Migrating to the Duo-hosted SSO service helped us by simplifying our local environment and added extra redundancy to our deployment. The nice thing was that our users didn’t even know that it happened." — Marco DiCicco, Senior Infrastructure Engineer, Ascent Aerospace

Let’s take a deeper look at how our new cloud-based Duo SSO provides simple, secure access to every application, whether it’s on-premises or cloud-based.

Organizations often are asked to make a terrible trade-off between increasing user productivity or providing better security. We at Duo challenge the idea that a user’s productivity must be hindered in order to have strong security. SSO and MFA should be easily configured for each application while allowing a seamless authentication flow for the user. This pairing of SSO and MFA is at the heart of our new cloud-based Duo SSO.

Cloud-Based Duo SSO Authentication Flow From Primary Credentials Through the Multi-Factor Prompt

Duo’s cloud-based SSO service is designed from a security-first perspective and allows you to configure access policies that can differ by application, depending on the sensitivity of its data, the privileges of the user and the device being used. This approach allows you to reduce user friction while protecting your most important assets.

Since our new SSO is cloud-based and Duo-hosted, that means you don’t have to worry about deploying and maintaining servers - saving your team time and resources. It also means that the new SSO service is also extremely easy to set up and configure.

You can be up and running in minutes, protecting your most important applications with not only SSO but also Duo’s industry leading multi-factor authentication (MFA), device trust and access controls!

All you need to get started is a Duo account and a user directory such as Active Directory or one that is SAML-based like Azure, Okta or OneLogin.

"We don’t have an army of people - technology needs to be simple and straightforward to use. Duo SSO is a great product that is designed well and really easy to use. Our users are happy and Duo is one of those rare IT projects that doesn’t drag on endlessly or ends up half-implemented." —Iasen Ognianov, Global Director of Cybersecurity, Diebold Nixdorf

For your users, Duo SSO now means they need to remember just one username, one password and one website - Duo Central - to access all their applications.

Duo Central Is a Single Place to Access All Your Organizations’ Applications

Duo Central makes life even easier by giving users a single place to access applications. Part of our new SSO, Duo Central is a cloud-based site where users login once to see and launch their cloud applications.

No more looking through bookmarks, searching your memory or asking a co-worker. One password and website means switching costs are drastically reduced and users can stay focused and productive. But don’t take our word for it, see what our customers are saying.

"I highly recommend Duo’s new SSO. It’s simple to set up and anyone should be able to breeze through it. The straightforward design makes it easy to use and it is great to have applications in one place with Duo Central." — Carlos Mosley, Senior Security Systems & Network Engineer , Beacon

While it has taken a lot of work to get here, this is just the beginning. Our team is excited to celebrate, but we are even more excited about what’s to come. Be on the lookout as we continue to add valuable features and updates to Duo SSO and Duo Central. You can follow along by subscribing to our release notes.

If you are interested in participating in future previews or research, let us know here.

You can learn more about the new Duo SSO and Duo Central by visiting our documentation.

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

It's 2019, we have just finished the last group karaoke sing-a-long to Toto's "Africa” and said farewell to all of our amazing partners that attended our last partner kick off at Sopwell House. We spent the past couple of days discussing what the next year is going to bring us, and we naively said “can't wait for PKO 2020!” 

None of us could've predicted the year that we have had, but what stood out to us against all the odds is we can still come together, virtually, and give the best that we have got to make sure we deliver first class solutions to our customers.  After all “It's gonna take a lot to drag me away from you”

At the event, we delved into the Zero Trust Market Opportunity with Forrester’s Dr. Chase Cunningham. We showed you where Duo is heading with a look at our Product Roadmap, and we delved into how Duo’s Zero Trust offering can benefit your customers during a product walk through. 

We recognized the achievements of our partners, and we explored Umbrella’s solutions. We also sat down with Dug Song and Wendy Nather to learn about how Duo is handling this time of uncertainty with our speed of change and integrations. Lastly, we got a look at how attackers work with our guest speakers, Cygenta’s Dr. Jessica Barker and her husband, FC.

Watch the Session On Demand

All the on demand presentation can be found below, you will just need a Cisco.com account to access them - 

Introduction with Ryan Franks & Lothar Renner 

Market Opportunity with Forrester 

What’s New with Duo, Jim Simpson 

Live Demo with Josh Green 

How Duo Works with Umbrella 

Panel Discussion with Duo GM Dug Song, Duo Head of Advisory CISOs Wendy Nather 

Live Hacking with Dr Jessica Barker 

On behalf of Fiona Doak and Ryan Franks - “It was a pleasure to host the MSP and Strategic partner breakout sessions, and share knowledge and direction with so many of our partners. "It’s amazing what we can achieve when we do it together." We are excited to support and grow with our partners this year. As we did at the kick-off, we want to encourage Duo partners to try Duo yourself via the NFR, tell our story to your customers and lead the success of our customers who need Duo right now.

This year, we reviewed the many partnerships we have and looked at which stood out in the following categories: Best MSP Newcomer, Best Partner Newcomer, MSP of the Year, and Strategic Partner of the Year. We want to thank all four of these companies, and highlight why we’ve chosen them.  

The Award Winners of 2020 

Strategic Partner of The Year - CDW

Throughout 2020, our relationship with CDW grew significantly, and because of their demonstrated thought leadership and teamwork with Duo, CDW is a worthy winner in this category. Together we have educated teams, shared best practices and explored new routes to market, which resulted in some key customer wins, including the University of Liverpool.  We look forward to building on these foundations and repeating this success with them in FY21.

MSP of The Year - Telenor 

Telenor joined the Duo MSP program in mid-2018 after years of being a Duo customer for their internal deployment. They worked closely with our channel and MSP teams to ensure they understood the Duo product inside out, both from a technical perspective as well as the various ways of packaging it up for their customers, and they launched their MSP practise in early 2020. Since then, they have successfully managed Duo for an ever-expanding list of their MSP customers, and we look forward to continued growth together!

Best Partner Newcomer - Motiv

Since the adoption of the Cisco security suite of products, Motiv has proven to be a focused partner in these solutions. They value the Duo relationship, and great progress has been made in FY20. We look forward to a fruitful and successful FY21, and we embrace the trusted partnership between Motiv and Duo Security! 

Best MSP Newcomer - Paradyn 

Paradyn has been a valued Duo MSP Partner since the end of 2018, using Duo for their own internal deployment. Since March 2020 they have grown more and more in the Irish public sector and have worked very closely with our MSP Team to ensure that the customers they onboarded were protected with Duo. We thank Paradyn for a wonderful partnership so far and we look forward to growing even further with them in the future!

Congratulations to all four of our award winners. At Duo, we’ve made it our mission to democratize security, and with your help, we continue to widen our reach and ensure companies big and small are protected. Thank you again for your support and teamwork. We’re proud to have you in our partner community, and we’re excited to continue that partnership in the years ahead. 

More information on our partners can be found at https://duo.com/partners. Find out what Duo can do for you too. Take advantage of the free 30-day trial and experience Duo for yourself at https://signup.duo.com/.

We look forward to welcoming you to our next EMEA partner event 2021, and hope we get to see you all in person soon!

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Welcome back to the Plaintext Podcast with your host Dave Lewis, Global Advisory CISO for Duo Security, now part of Cisco.

In this installment, I have the honour of interviewing friend and former colleague Andy Ellis, CSO of my previous employer, Akamai.

See the video at the blog post.

In this episode, Ellis and I chat about his career path, how to adjust to a remote (or distributed) work life and advice for security pros, or those who are considering a career in information security.

If you the listeners have suggestions as to who you'd like to see join me on the show email me hacker @ duo dot com.

LIke what you hear? Be sure to check out previous episodes of Plaintext Podcast.

At Duo we like to make the right thing to do, the easy thing to do. Duo recently announced that we’re simplifying our multi-factor authentication experience by building our new Universal Prompt.

The goal of the project is to both make the authentication prompt more secure and reduce user experience friction. When it comes to reducing friction, one of the fundamental pillars of this project is to provide a better authentication experience for everyone, including the many Duo users with disabilities.

We know that not everyone uses technology in the same way, but it’s important that our users with disabilities are able to access their accounts easily without compromising security. That’s why we’re committed to providing a high quality authentication experience regardless of how you use a computer.

Whether you need text magnified, use software to read websites to you, or only use a keyboard, we have strived to make authentication easier for all people. No workarounds should ever be needed to quickly authenticate.

Duo’s Core Value of Democratizing Security

Duo values access for all. One of our core values is to democratize security.

In the words of our founder, Dug Song, we can democratize security “by making it easy and effective -- something the industry has never really cared about.”

We care. So we have made some exciting changes to make it easy for administrators to set up Duo in all scenarios and deploy in hours. We made it easy for all users with different access needs to self-enroll, saving countless hours

Web Content Accessibility Guidelines (WCAG)

To make sure that we’re meeting the goals we have set, Duo is committing to meeting the Web Content Accessibility Guidelines (WCAG) 2.1 standards at the AA level. WCAG is a collaboratively created set of guidelines from contributors across the globe.

Duo chose the WCAG 2.1 AA standard to ensure that we are complying with the latest recommendations and to help our customers meet their compliance requirements. We are also watching these standards as they get updated so that we’re ready to support our customers' requirements as they evolve.

We’ve Set the Bar, Now Let’s Surpass It

The WCAG standard provides recommendations to help ensure applications are accessible, but with the Universal Prompt we want to be more than just accessible for users with disabilities. We want to give them a great, easy, secure experience. To accomplish this, Duo works with our customers to hear their individual needs and we test new features and products with users with disabilities.

From the first design concepts, we thought about how things would work for our users with disabilities. Some of the aspects that we focused on include providing easy to see text and interactable elements, making clean and intuitive layouts and honoring users’ accessibility preferences.

Early design documentation enumerating possible designs that differentiate between default, hover, and focus states.

The focus state design as it exists in the Universal Prompt today.

The hover state design as it exists in the Universal Prompt today.

Color Contrast

The current Duo Prompt includes buttons and elements with insufficient color contrast which could make discerning text from the background difficult. The new Universal prompt is an opportunity for us to introduce a color scheme where all text is comfortable to read for people with low vision and color blindness. In addition, we ensured that clickable elements like buttons and links have dark borders or underlines so they are clearly separated from plain text.

Reducing Primary Actions Per Page

The Universal Prompt employs a design principle of keeping primary actions reduced to one per page.

In the current version of the Duo Prompt, a user can see options for sending a Push notification, making a phone call, or entering a passcode all on one page. After selecting a method a message pops up at the bottom of the screen to tell you what the prompt is doing.

An image of the default screen for the current Duo Prompt. Note that it includes four links, a device selection dropdown, three buttons to initiate two-factor authentication, and one checkbox for remembering this authentication.

In the Universal Prompt, we show one authentication method per screen, with full screen messages relating directly to that authentication, instead of small popups. This will improve the ability of screen readers to announce messages correctly and make it easier for any user to see the text most relevant to what they are doing.

An image of the default screen for the Universal Prompt. Note that the push request has already been sent and it includes two links -- one to view other login options and another if you need help.

Honoring Accessibility Settings

The redesigned prompt includes animations to visually communicate status changes and progress, but we know that some users can find animations distracting. We’re detecting user settings such as preferences to reduce motion and turning off those animations when requested. In addition, the prompt was built in such a way that users can greatly increase their text sizes without any compromise to the user experience.

Rethinking Previous Design Decisions

By redesigning the elements of the current Duo Prompt that are difficult for our users with disabilities to use, we are surpassing the standards set by WCAG. Rather than making existing problematic elements merely usable, we are providing a new simplified design altogether.

An image of the current Duo Prompt with a “toast message” at the bottom of the screen. These toast messages have been removed from the Universal Prompt completely.

Summary

Duo recognizes the various needs that businesses and users have when it comes to accessibility. With the Universal Prompt we are helping businesses meet those needs while also designing user interfaces that work great for people with and without a wide range of disabilities. The Universal Prompt project embodies our mission of democratizing security and we are confident that users with disabilities will find the new authentication prompt both easy and pleasant to use.

While we continue working on this project, we’re performing accessibility audits, testing with screen readers, and getting feedback from folks with all types of abilities. When we make an accessible product, we are able to accommodate everyone.

What’s Next?

We’ve got a lot more to tell you about the Universal Prompt Project, so look for regular blog updates as we delve into more detail on each component of this project.

As we get closer to making these changes generally available, we will provide guidance on planning your migration to the Universal Prompt, including:

• Communications templates for your organization and end-users
• Updated documentation and Duo Knowledge Base articles
• Tools in the Duo Admin Panel to track your progress

Today, we invite customers interested in participating in a private preview of the new Duo Universal Prompt to fill out this brief interest form. 

We will begin reaching out to you for your help in testing and deploying the future of Duo!

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Students all over the world are required to use Duo two-factor authentication (2FA)… and they hate it. You might be one of them.

They hate it because their phone is currently sitting on the other side of campus after a fun night out. They hate it because their phone is dead. They hate it because it’s one extra step to get their financial aid money.

But if you understood how Duo protects you, you might even secretly love it.

Why Do I Need Duo?

You see an email from your school telling you to enroll in Duo. Your first thoughts are why do I have to do this?

Does Duo even do anything? Yes! Duo performs an extremely valuable function that benefits not just your school, but also you personally. Let’s take a look at how Duo and 2FA protects you (and more importantly your private data)!

In January 2019, a popular online streaming gaming site reported a flood of hijacked accounts when the popular game “Town of Salem” had 7.8 million passwords stolen because many users had the same exact passwords for “Town of Salem” and the online game streaming site to login. Hackers successfully used a bot to test the “Town of Salem” credentials on the gaming site and stole stored payment information. The gaming site already allows users to set up free 2FA on their accounts. However, most end users did not opt-in, leaving them vulnerable. Breach researchers found the gaming site is no longer accepting email addresses to log in and is incentivizing users to set up two-factor authentication — because it would eliminate the problem.

How Duo Verifies Your Identity

2FA can be like a Bumble date. You agree to meet at a specific date and location (something you know) but pictures can be deceiving. You tell each other what you are wearing (something you have) to ensure you recognize each other.

Just like you needed the clothing description to verify your date, you need Duo to validate your identity! Like your password (something you know), the date and location are relatively easy to hack. To protect against this, Duo requires a second factor device that is unique to you, like your phone (something you have). Now if your primary credentials are stolen, attackers will have a much harder time gaining access to your accounts without having access to your phone. If the online gaming users had 2FA enabled on their accounts, it would be more difficult for hackers to gain access to the accounts because of the use of 2FA. 

Duo deployed at universities may result in up to a 96% decrease in stolen credentials. 

What Is Two-Factor Authentication?

Passwords are extremely vulnerable to hackers as a single factor by themselves. With multi-factor authentication (MFA or also known as 2FA - two-factor authentication) a user’s identity can be authenticated and user trust (authorization) established by using two or three factor combinations.

1. Something you know (e.g., passwords)
2. Something you have (e.g., your smartphone)
3. Something you are (e.g., biometrics, like fingerprints)

How Breaches Happen

You may still be thinking along the lines of, 'I’ve got nothing they want.'

Think again! Your personally identifiable information is extremely valuable and its theft can have widespread implications. While a hacked and locked Instagram account is devastating, your school is trying to prevent phishing attacks, which often targets your largest assets: financial aid, your on-campus job paycheck, and other stipends. 

Don’t Get Phished!

Many students have been victimized by phishing attacks to gain access to Federal Aid Refunds. Federal Aid Refunds are what’s left over after you use aid to cover room, board and tuition. Universities transfer the remaining balance to students, often by electronic deposits. These electronic deposits are very vulnerable to attack. 

The attack begins with a phishing email sent to the student's EDU address. The students are taken to a website that replicates the school systems. After the student enters their username and password, the hacker has their credentials and can divert the student’s direct deposit destination to a bank account controlled by the hacker. 

As a result, Federal Student Aid intended for the student is sent directly to the attacker. The US Education Department recommends schools mitigate this risk through the use of 2FA. The attacker would need to have access to the second factor to divert the deposit. 

Improve Your Duo Experience and Save Time with Duo Push!

With Duo Push, you tap a notification and can access your applications in seconds instead of waiting for a text and entering a password.

In addition to being a faster way to authenticate, Duo Push is also more secure than SMS and phone calls, uses almost no data and contains passcodes you can use while offline (like when you are on a plane). Nothing can stop you from authenticating quickly!  

If you want to save even more time, your school may allow you to purchase a U2F token like a Yubikey to authenticate even faster. You simply tap a physical USB key plugged into your laptop. Check with your school to see if this is an option. You may be able to purchase one at the bookstore. 

Tick Tock! Which Factor is Faster? 2FA push! 

A user that uses SMS as their second factor could save time by switching to other, more secure, authentication methods like Duo's two-factor authentication aka Duo Push.

In Summary

While hackers will continue to try to access your accounts and steal your credentials, Duo decreases the risk of compromised credentials at universities by up to 96%.

Next time you have to approve a Duo Push to access your financial aid, you won’t be thinking about the inconvenience of one more tap, but instead of the security Duo provides.

Download Duo's free 2-Step Authenticator App available at Google Play and the Apple App store and start protecting all of your online accounts today. 

See the video at the blog post.

Jordan Wray

Have you ever wondered what life at Duo is like? Or what it’s like to be an Engineer, Product Designer or Account Executive Duo? How current employees landed their jobs or important lessons they’ve learned while working at Duo? 

We get these questions all the time and that’s why we’re sitting down with employees to learn what life at Duo is like for them! #WeAreDuo

We sat down with Head of Americas for Technical Support, Jordan Wray to learn about what she does and her experience at Duo. 

Jordan Wray

Title / Department / Office Location

Head of Americas - Technical Support / Customer Success / Ann Arbor, MI

How long have you been at Duo, and what do you do here?

I started in March of 2019. I am the Head of our America’s Region, leading Technical Support Managers and Engineers in Ann Arbor, MI, and San Francisco, CA. Our teams assist Duo Administrators through phone, email, and chat.

What's your day-to-day like at Duo?

Most days you’ll find me alternating between meetings with my management team or their engineers, measuring team performance, and ensuring our Support team is meeting Service Level Agreements. I also contribute to cross-functional projects that vary quarter-to-quarter. These include reviewing and implementing technology solutions that help streamline operations and initiatives that cultivate ongoing, long-term customer loyalty. Occasionally, I also step in as an escalation point for customer issues should the need arise. Our Support Engineers and Managers are incredible at what they do, and it’s my job to ensure the support team is enabled and ready to take on any customer challenges.

What tools do you use to help you do your job? 

I rely heavily on Slack and Webex to communicate with my team daily. One of our team’s most important tools is Outlook Calendar, which we use for scheduling meetings, customer calls, and tracking staffing levels across mediums. I also use Monday.com quite a bit as a resource for tracking quarterly goals and project milestones.

How do you and your team collaborate with other teams within Duo?

Our teams receive feedback from customers every day, and it’s important for us to raise it to stakeholders in the organization. One way we do this is by meeting monthly with Product Management to help remediate issues driving top ticket volumes. Support is usually the first team aware of any new bugs and service outages, too. When this happens, we trigger a Red Alert process that engages Engineering and enables them to investigate immediately.   We also collaborate frequently with the Enablement and Operations teams within our Customer Success organization. Our Enablement team helps us design targeted training content to level up our Managers and Support Engineers in essential skill areas. Our Operations team helps us build and coordinate staff schedules so that adequate coverage is maintained at all times. We couldn’t do our jobs without the support of our teammates in these organizations! 

How did you get your job at Duo?

At a previous company in Chicago, IL, I used Duo Mobile to authenticate into our work applications. I loved the simplicity of accepting a push notification and how easy it was to use their service to protect our sensitive information. I was relocating to Southeast Michigan to be closer to family, and I was so excited to discover Duo was headquartered there. I applied to a post on their website for a Technical Support Manager, and within a few days a recruiter contacted me about the position. As soon as I met the team, I knew I had found something special in Duo. I’ve loved working here ever since!

 What is the first thing you do when you come into the office? 

Normally, the first thing I did after arriving at the office was make a cup of coffee. These days, with a short commute from my bedroom to the bonus room above my garage, I’m at least a half-pot of coffee deep when I start working. Once I’ve logged on, I say hello and good morning to the team on Slack. Then I review my calendar for the day to prepare for any upcoming meetings and begin responding to emails.

Any big projects or goals you're currently working on?

To match pace with the speed at which Duo is expanding globally, we’re working towards increasing our support hours for customers by hiring weekend engineers in preparation for going 24x7. We’re also hiring more bilingual employees to expand our language offerings. Something near and dear to my heart is career development, so I’m really excited about ongoing investments we’re making in our team members by partnering with leadership across other teams at Duo to establish career paths for our Support Engineers.

What’s an important lesson you’ve learned while working at Duo?

Don’t be afraid to ask questions when you don’t understand something. At times in my career I shied away from asking questions out of fear it would undermine others’ confidence in me, when in reality, I was doing myself and others a disservice for not speaking up. At Duo we encourage Learning Together, and I have yet to find someone who wasn’t extremely kind and helpful in response to the many, many questions I have asked.  Another lesson I’ve learned (I can include two, right?!) is the importance of diversifying your teams through targeted hiring. Pretend you’re assembling a fantasy football team. You wouldn’t draft all quarterbacks, would you? Building well-rounded teams by hiring for skills and backgrounds your existing team lacks will benefit you tremendously! I promise you will see higher performance, more engaged teams, and individuals learning from one another. Unique perspectives will result in your team having stronger problem solving abilities, too. You can thank my husband for the football analogy used here.

How is Duo different than other places you've worked?

Duo is different in the BEST way in that they encourage their employees to prioritize family first. I’ve never worked for a company where when someone has an emergency with a partner, child, or parent, they’re told to leave work and do what’s necessary to take care of their family — no questions asked. Family members and children are also always welcome at company and team events, which makes it easier for employees to attend and also gives their teammates an opportunity to get to know them better. I feel confident I will be able to build a long-term career at Duo because of this value we both share.

 How is your role at Duo different from roles you've had with other companies?

How highly valued our Support team is. Our Support Engineers are on the front lines every day working with customers, and their job is NOT easy, but what they do is fundamental to the success of our business. We have really close partnerships with Product and Engineering, and they incorporate the customer feedback we share with them into their product design and development. Duo recognizes customers are our BEST resource for building user friendly and simple-to-use security solutions. Our Support team is essential to this, and on the daily they’re creating exceptional experiences for our customers that help make us the most loved company in security.

What would you tell someone considering a role at Duo?

APPLY! You won’t regret it! I feel so grateful to have found a company and teammates that are always kind, doing what’s right for our employees and customers, and challenging me to learn new things. There are so many opportunities to grow your skill set and build your career here.

####

We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

See the video at the blog post.

As we debate the necessity of various authentication factors, particularly for passwordless projects, it’s good to take a step back and remember how we got here. There are key three types of authentication:

The 3 Key Types of Authentication

1. “Something you know,” otherwise known as a “shared secret.” This used to be something you memorized, but it turns out that fallible organic storage is not that great for storing complex character strings that now number in the hundreds (you ARE using unique passwords for every account, right? … Right?). 

2. “Something you have,” meaning something that can’t be possessed by more than one entity at a time. This could be something that is too difficult to copy or generate independently, that is tied to storage and can’t be removed, or that exists as a unique physical item (such as a hard token or a key).

3. “Something you are,” referring to an attribute that is physically unique to an individual, such as a fingerprint, a palmprint, a retinal pattern, a gait, a typing pattern, or even a heartbeat. 

Each of these factors comes with a downside:

“Something you know” = “Something you forgot,” or “Something that someone beat out of you.” 

A shared secret that is guessed or derived  … is not a secret any more. Worse yet, it can be silently stolen without anyone noticing. But it’s also the cheapest factor, in the sense that it can be created, changed, expanded, distributed and used without having to buy any extra technology. 

If you need to identify someone more definitively, you ask them for information they’re not likely to forget, such as the name of the street they grew up on. But any of that historical information is increasingly available on the Internet, or can be tricked out of the user through phishing or social media “quizzes.” 

Another downside to “something you know” is that it may appear to be cheap in terms of technology, but in terms of support cost — help desk time when someone forgets a username or password, or can’t log in for another reason — it can be more expensive than a better-designed factor that is harder to get wrong. 

This is why we’re working on the journey to a passwordless future.

“Something you have” = “Something you lost,” or “Something you broke.” 

One of the biggest threats today is SIM theft, in which an attacker manages to steal an assigned mobile phone number so that they can receive SMS authentication codes. This is nefarious because once again, it can be stolen silently; the victim still has the physical phone but may not realize that the number has been assigned to someone else until it’s too late. 

Hard tokens that generate codes can run out their batteries in a few years; they’re also unwieldy to carry around if you have several of them for different accounts. Generally speaking, if a user loses the “something you have,” the fallback is “something you know,” which we’ve just discussed above.

“Something you are” = “Something that aged” 

At least in my case; gait analysis for me would lose its baseline every time I had an arthritis flare-up. The other problem with biometrics is that you can’t change your retinal patterns or fingerprints if the records of them are stolen. 

Covid has revealed some problems with biometrics. For example: If you’re wearing a mask, FaceID doesn’t work; shared fingerprint readers aren’t sanitary these days. But biometrics are extremely convenient as a factor because you can’t forget them, you can’t leave them behind in the taxi, and chances are good that nobody can steal the originals without you noticing (water glasses in spy movies aside).

But what risks are these authentication factors actually trying to address? Let’s list some out.

Risks of Authentication

1. Someone is trying to log in at the user’s machine with the real user’s username and password.
2. The real user walked away from their unlocked machine and now an attacker is trying to use it.
3. Someone is remotely connected to the user’s machine and is trying to pretend to be the user sitting at that machine.
4. Someone is trying to log in with the real user’s username and password from a different system (such as a compromised machine in a botnet).
5. The real user is trying to log in, but the machine is compromised and could be used to steal the username and password, or plant malware.
6. The real user is trying to log in from one location, but someone else is also trying to log in as that user from a different location.
7. Someone has gained access to the real user’s username, password, and second factor (such as a hard token or phone number for receiving SMS texts), and is trying to log in from a different device.
8. Someone is listening in on the network stream and trying to hijack the user’s session in progress.

When we do threat modeling, we come up with these sorts of attacks and more. CISOs often run through a whole laundry list of possible attacks in their head whenever they’re looking at a new proposal. Then they have to pick the controls that address as many of the risks as possible. For example:

Controls to Authentication Risks

A 2FA factor that is physically separate from a user’s laptop would protect against 1), 2), 3), 4), and 6 listed in the previous section) — assuming that the user has that factor with them and doesn’t leave it near the laptop.

A session timeout, requiring reauthentication, is often used to protect against 2), 3), and to some extent 8).

Marking a laptop as trusted, bound specifically to the user, is used to prevent 4), 6), and 7).

Ensuring that the network connection is encrypted all the way between the user and the application protects against 8).

Using a biometric for authentication is intended to protect against 1), 2), 3), 4), 6), and 7), but that’s assuming that the user isn’t under duress (being forced by an attacker to supply it).

Checking the user’s device for security state and any evidence of compromise is meant to protect against 2), 3), and 5).

Using a second factor such as a U2F key, that requires a physical response from the user to activate, also protects against 3) and 5) -- it proves that the user is actually present and intends to authenticate.

Set Policy Controls As Guardrails

For added protection set policy controls, using other factors, as guardrails. Factors such as location (either by GPS or IP address) can help to narrow down the vectors of attack if, for example, you never expect a user to try to authenticate from anyplace other than a certain network or geographic region. But we know that IP addresses aren’t foolproof — all you have to do is gain access to a system on the “right” network.  So these can’t be the sole authentication factors to rely on. Think of these more as a narrowing function: you are blocking more attacks right from the outset, leaving fewer to sift through and validate. 

Conclusion

As you can see, there are layers upon layers of defense that you can build to try to address the most common risk scenarios. But you also have to take into account the downsides of each factor when designing the solution. 

If you have an endlessly changing roster of 30 people using the same point of sale system, you can’t register a biometric or phone app for each of them, make each of them log in and out of accounts if they are rushing to serve a line of customers, or make them all share a hard token. The modern enterprise ends up with a portfolio of factors, deployed where they work the best and where they address the right risks.

We’ve learned a lot this year about assumptions we made when choosing the original authentication factors for an organization — factors that stopped working so well when we became physically separated from other people. As we make plans for the future state of authentication, it helps to go back to first principles and update the above lists for a flexible outcome.

Try Duo For Free

With our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

How Did You Make a Career Change?

I can remember the first time I got into programming. My family got an Apple IIe and I taught myself BASIC so I could make it “do cool stuff”. This kicked off years of tinkering with computers, writing code and even building a few of my own. I loved building things and solving problems so I could get my program working just right.

Fast-forward (many) years later to my college years. While I started out in Computer Science, I quickly decided it wasn’t for me and switched over to an art/marketing degree plan. I kept my passion for programming, though. The internet was just starting to really catch on and it was another puzzle I felt drawn to try and solve. I spent plenty of time sitting in the computer labs at school learning everything I could about HTML, CSS, Javascript and, eventually, PHP. When I graduated, my first job was using exactly that same technology. 

My Early Career as an Engineer

The next twelve years were spent working at a variety of companies building web applications. All the while I was growing my knowledge of how applications should be architected and where new technologies could be integrated. As I grew in my knowledge and experience, I moved up the line, first to Senior Engineer, then Lead Engineer but then I reached a certain point and I felt like my knowledge was plateauing. It seemed like a lot of the same functionality was being requested and the same problems kept coming up. That same spark in the work I was doing had faded, so I decided to make a change. 

I took a step back and looked at what I enjoyed and where I felt I could grow. I had learned a bit about securing applications during my engineering career, but something about it struck a chord with me. I saw new challenges and new problems to solve. I saw how important security had become and wanted to be on the front lines, bridging the gap between development and security. 

Pivoting Into Application Security

Application security was a natural fit so I started digging in. I read as much as I could from multiple sources - books, online articles, tutorials - all refreshing some concepts and learning entirely new ones. 

My day-to-day was still programming, but I had a different perspective on it. I started to see places where the security of the application I was working on could be improved. I also learned more about security testing and, after trying my hand at it, found some endpoints that weren’t protected. Fortunately, we caught it before it was released and it felt good knowing I’d done at least a bit to secure the application. I knew that this was the direction I wanted to go.

Once I realized that I wanted to focus on application security, the next step was to find a role where I could not only explore this passion but also grow and improve my skills. I was definitely stepping outside of my comfort zone.

I interviewed at a few different companies but they weren’t quite a match. Finally, I interviewed with Salesforce for an AppSec role with a product with a large PHP codebase. It turned out to be a good fit and I got my first official application security job! 

I spent the next three years drinking from the security firehose, learning as much as I could. I worked directly with the development teams, collaborating with them on security reviews and implementations. My background in development came in handy too, helping me to see things from their perspective and make sure that I was putting things into a context where they could apply it easily in their day-to-day work. 

Ready to tackle my next security challenge, fearful of another plateau, I chose a security company. I came here to Duo, excited about moving into a more security-focused team. I’ve been here about two and a half years and am still learning new things every day and loving it.

My Advice to My Past Engineer Self Would Be...

The main piece of advice I would have given to myself back in my days of just writing code would be to take the time to learn some of the best security practices and, most importantly, integrate them into your daily work. Some of the resources linked down below are a great place to start.

I can remember thinking, especially when I was first starting out in the industry, that security was something to consider later. There was a time when the only concern in my mind was to make sure the code that I was writing was functional.

We’d take the feature request in, break it down into its parts and split out those tasks among the team. Unfortunately, security considerations weren’t included in that list and there wasn’t a push for it from those higher up the chain.

It sounds terrible to say now, but back then I didn’t care as much about whether what I was developing was secure. Most early-career developers focus on proof-of-concept vs. security. I knew about some of the basics about securing web applications like “there should be authentication” and “SQL injection is bad” but I had no idea about more complex attacks. It wasn’t until later, after I really started digging into application security, that I realized how vulnerable some of the code I had written was. 

I think every application security engineer that has come over from the development world has a story similar to mine. You don’t know what you don’t know, but once you learn something new you can work hard to better secure your code.

How Do You Think AppSec Engineers Can Work Best With Software Engineers?

Software engineers and security engineers have a lot in common. True, when I first started working in application security, I was surprised that some Application Security Engineers hadn’t done much programming at all. Others were like me and had come from a development background. While they have different areas of focus, the drive to learn and grow in their knowledge and experience was the same. We work best when collaborating. 

That’s the main thing I’d recommend to anyone in a security role. Don’t work in isolation, just passing a report back or just filing bugs. You need to build a relationship and trust with the engineers. Sit down and really understand what they’re working on and what they’re asking for. Sometimes that is just a report at the end of an assessment. Other times engineers need someone to work through a concept or feature to make sure they’re making the most secure product they can.

The engineer is not the only one who benefits, this collaboration is positive for the security engineer too. In working with the software engineer who spends the majority of their time in the code, they gain more perspective on the inner workings of the system and what really makes it tick. That way the security engineer doesn’t have to be an expert in the codebase, they just need to know who to ask for what kinds of details. 

Each side brings their own specialized knowledge to the table, making for a good balance of knowledge and not requiring either to be a “jack of all trades.” Having engineering connections like this can be an invaluable resource and security engineers shouldn’t be afraid to ask questions to gain more context . In my experience, software engineers are more than happy to share if they know they’re being listened to.

My Favorite AppSec Resources

One of the recommendations I’d make to those either wanting to get into application security or those new to the field is to check out some of the resources the OWASP group has released. More specifically, I’d recommend their OWASP Top 10 list (most common vulnerability types, refreshed every few years), their “OWASP cheatsheets”, and some of the tools like the ZAP Proxy. Some of their information can be a bit out of date, as it’s a community-driven project so just be mindful of the date the resource was published on.

Outside of that I found that learning organically works well, starting with a source (like the Top 10 list) and working out from there, researching any terms or concepts I’m not familiar with. There’s some topics that are a bit more elusive than others, though. Cryptography is a good example. I’ve always had difficulty wrapping my head around its concepts and with it being such an important part of cybersecurity, it was frustrating. 

The basic concepts were easier to grasp but when I started to dive into the specifics of ciphers, block modes, and algorithms things started to get a little fuzzy. So, instead of trying to bite off a big chunk of knowledge, I took it slow. I learned more “hands on” during my day to day work, reading up on concepts and technology as they came up. This “bite size” approach still grew my knowledge without it being overwhelming and frustrating.

One last thing I would recommend to those security engineers that don’t have much experience in development that they set aside some time to read about programming-related topics or, even better, write something in the language of their choice. It gives some amazing perspective on what software engineers do day-to-day and can help improve communication through common understanding. 

We’re hiring! If your mission is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want you! Learn more at duo.com/careers

Try Duo For Free

With our free 30-day trial you can see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Trust is a fickle thing. Some people in life assume that trust should be implicit -  that you can trust others based on little more than intuition, a smile or a handshake. Trust is a natural human condition and, as Malcolm Gladwell pointed out in his book “Talking to Strangers,” we have a tendency to default to trust. 

Problems With Defaulting to Trust

However, defaulting to trust comes with its share of problems, the proverbial “wolf in sheep’s clothing” comes to mind. Good thing there are ways to verify trust and make sure we aren’t getting duped. In the real world to establish trust we might rely on an initial verification like an introduction from a trusted friend.

The tricky part comes in maintaining trust after an initial verification. In the real world, there’s no need to be actively suspicious of an acquaintance. But, if things start going missing from your home when this, and only this, acquaintance stops by - well, then your level of trust may alter. Without jumping to the worst conclusions - it may be worth monitoring their behavior. 

In the digital world, multi-factor authentication can be an initial verification of trust - but there are strange contextual variables that should throw off red flags when it comes to assessing trust. 

Ockham’s Razor - The Simplest Explanation is Typically Right

But before we move into that discussion I can’t help but to turn attention to Ockham’s Razor. This was attributed to William of Ockham who was a monk born in the year 1285. He has been credited with the problem solving idea that "entities should not be multiplied without necessity." To put that in simpler terms, the simplest explanation is most likely the right one. So when we’re dealing with computer security we want to be sure that we have clarity in our information.

"Entities should not be multiplied without necessity" — William Ockham

Simplicity and Clarity in Security

Simplicity and clarity are two key tenets when thinking about monitoring trust. It is important to remember that the simplest answer when something goes missing is: you lost it. That being said, if you have a security camera above your garage and it shows your acquaintance entering and leaving with the lost item, the camera provides clarity into the situation.

For the perspective of trusting access to our networks and systems, simplicity and clarity take on different forms. For simplicity, it’s important to remember that humans act in strange ways - they go on business trips, they log in from coffee shops, they use their mother-in-law’s computer to access work email. The simplest answer is probably that strange access is probably just that: strange. 

However, clarity means setting up the proper controls to provide context around access. When something goes wrong we need to be able to ascertain what has transpired in a clear and coherent manner and rather than defaulting to trust we need to be able to discover the likely answer with clear data. 

Get to Know Duo Trust Monitor

Enter Duo Trust Monitor. Duo is known for providing easy-to-use MFA to verify users are who they say they are. 

To expand on that offering by monitoring the trust of users, we are releasing new access analytics functionality. This Duo feature analyzes and models user authentication telemetry in order to create a baseline of normal user behavior. Once typical access patterns are observed, Duo Trust Monitor highlights high risk logins. 

Find anomalous behavior with Duo Trust Monitor

Reducing False Positives

A key difference between Duo Trust Monitor and many other access analytics tools on the market is our commitment to simplicity and clarity. It is easy to sound an alarm for every new device or login location — but this is a little like kicking your acquaintance out of the house for wearing a new outfit (false positive much?). The simplest answer is that if most of the variables are consistent — the user can still be trusted. 

However, Duo Trust Monitor does give customers clarity as to the historical context around user access behavior. The feature monitors many access variables, looking for anomalies along a variety of dimensions and between commonly associated variables (ex: it’s typical for a user to use X device while accessing from Y). This way, if an “acquaintance” shows up at your house at 3AM with a crowbar —you have the clarity to turn on the lights and sound the alarm.

Reduce false positives with contextual clarity

In a nutshell, Duo Trust Monitor helps the CISO sleep at night knowing that the information needed to ensure access trust is being actively monitored. The feature will seek out anomalies, but also reduce the number of false positives to ensure that we get to clear and concise answers.

We are born into this world hardwired to trust each other. We are set up with an ability to build connections with others. But, that doesn’t mean we shouldn’t monitor that trust, hopefully remembering that though the simple answer is probably the right one, it doesn’t hurt to have clarity and context. 

Try Duo For Free

Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust.

There is no denying that the era of electric vehicles is upon us. These vehicles become evermore capable with new features and improvements being delivered via over the air software updates. As software-centric vehicles become more ubiquitous one question has been left unanswered. How do we protect them as individual owners and at scale for organizations?

Perform a quick Google search of Tesla MFA and you will find that many Tesla vehicle owners have requested the ability to protect their Tesla accounts, which controls various car features, with some form of MFA (multi-factor authentication). It may sound like a dystopian future in which your car can be digitally compromised or remotely controlled — but the truth is that this is a reality in today’s world.

In 2019 alone, Tesla delivered close to 368,000 vehicles to customers, officially making it the leading electric vehicle manufacturer. Other electric vehicle manufacturers provide similar remote control capabilities of the vehicles through mobile applications as well. This remote control feature works very similar from a network communication standpoint by leveraging API’s built for each vehicle type.

Reverse Engineering Telsa’s API is Possible

As with other technologies, if you understand the software architecture of the target and have the appropriate credentials to execute commands, then you are in control of that target. Tesla, for example, does not grant users access to their API, so consumers might think that security through obscurity is enough. However, there are many people with the skills necessary to reverse engineer APIs in today’s technology driven culture.

While obscure to many Tesla owners, teslaapi.io is a website dedicated to doing just that. Through their research they have deconstructed the commands necessary to achieve things like unlocking doors, setting a speed limit and stopping charging. This combined with phished credentials poses the threat to software-centric vehicles.

Customers Are Asking for MFA for Tesla Accounts

YouTuber Alex Venz even goes as far as demonstrating how to unlock and drive away in a Tesla in this video:

https://youtu.be/ViHOD5vX428?t=169

Tesla CEO, Elon Musk, acknowledged customer’s request for greater security in May 2019 with this tweet:

Elon followed up on this comment in November of 2019 with this tweet:

On his most recent tweet on the subject, he explains that a solution is on the horizon:

With time, we are certain that Tesla will deliver MFA Security as it has for other customer requested features, but until then the security gap still exists.

How Duo’s MFA Helps Software-Centric Cars

There are many security and user experience complexities that can come into play when deploying MFA at scale to an established user base. Duo is a leader in the industry not only for its world-class product — but also for the ability to make the user experience as easy and intuitive as possible.

Ease of use will be the leading factor in adoption and reception when Tesla deploys MFA to its consumers. As noted by user Pueo in this Tesla Motors Club forum thread, “Hopefully 2FA happens in a timely fashion”

On the other end of the spectrum, Porsche’s recently released Tycan shares similar remote control features with an added cost service they call Porsche Connect. The security layer requires an owner to register via a website and obtain an activation code before being able to register their mobile device for remote control. While the website itself implements MFA via SMS for first time logins, the process is cumbersome and does not directly protect the vehicle, but rather the service which makes remote control possible.

Individual owners might not find this security gap concerning but organizations that use these vehicles as part of their business will seek to protect their assets. We hope to see the reach of these vehicles expand to ride sharing and rental services in the near future. With that comes a new perspective on the ability to manage these vehicles. Organizations go through great lengths to protect their digital infrastructure, and we believe that electric vehicles will soon fall into that category.

As Jim Simpson, Director of Product Management at Duo put it, “What are the security implications of having a fleet and how do you manage that?”

We believe support for MFA is a good starting point in protecting these assets, but that will only be the beginning of the security journey for software centric vehicles and the organizations which leverage their incredible technology. 

UPDATE: At the time of this writing it appears Tesla has just added 2FA. 

Try Duo For Free

Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust.

What happens when four election security specialists gather together to talk shop? They dispel myths, share deep knowledge, and bring clarity to the state of our elections. As confusing contradictory messages abound on both sides of the aisle, we’ve assembled a crack team of election security educators in different fields to help explain to voters what exactly is going on.

(Pro tip: Don’t panic! Disinformation campaigns on the regular is normal and happens every election)

If you have questions about the security around the logistics of holding national elections during a pandemic, the increase and safety of mail-in ballots, the growing adoption of electronic voting machines and online registrations and how hackers might try to use malware to disrupt them — then this is one webinar you will not want to miss, as we round the homestretch toward the November 3rd election.

Meet Our Panelists

• Maggie MacAlpine, a co-organizer of DEF CON’s Voting Village and recently featured in HBO’s “Kill Chain,” will outline what we’ve learned from security testing electronic voting machines as well as her experience as an election volunteer.
• Michael Daniel, an election security policy expert and former cybersecurity coordinator for the Obama administration, will share historical context we can apply to the current election and why our election systems are more resilient than one may think based on the news.
• Matt Olney from Cisco Talos will review recent research by his team on foreign disinformation tactics for election disruption, and why election results are not their true target.
• Rachel Tobac, CEO of SocialProof Security and a frequent commentator on social engineering stories for outlets like CNN and the New York Times, will explain why those managing elections often pose a more attractive target for attackers than hardware.

“I’m looking forward to this panel because we’re getting to dig past the ubiquitous surface-level discussion of election security, and really break down the puzzle pieces that make up the whole picture. Our goal is that everyone who attends will walk away with a deeper understanding of the election safeguards we have in place and why this election isn’t as unique or unprecedented as one might think!” — Zoe Lindsey, Security Strategist at Duo

Recommended Election Security Info

To prepare for the big day, we’ve also assembled some great election security information for your consideration: 

• READ: Duo’s blog, “We Can Protect Election Security in One Easy Step,” discusses elements of the voting system, the importance of protecting democracy, and why it doesn't have to be complicated. 

• LISTEN: Cisco’s “Security Stories” podcast brings CISOs center stage to discuss important topics. The podcast recently explored election security with Curtis Simpson, Chief Information Security Officer at Armis.

• WATCH: This Government Matters webinar brings together thought leaders from the public and private sectors at all levels of that effort – to outline the challenges, share the best practices, and address the impact COVID-19 could have on election security in 2020.

• READ: Cisco’s election security at-a-glance handout. 

The webinar will be recorded and we look forward to seeing you soon!

Try Duo For Free

With our free 30-day trial, you'll see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Secure Your Amazon Account

You have upped your Amazon game and find that you are ordering more and more things online from groceries to gifts, when suddenly you notice it. Uh oh. You’re looking through your purchases and Amazon and see a few things that you definitely didn’t buy. Looks like someone gained access to your Amazon account and is spending all your hard-earned cash on an Amazon shopping spree! 

Keeping hackers out of your Amazon and other shopping accounts is simple with Duo's two-factor authentication (2FA) which is available for free at the Google Play and Apple App store. 

You can use Duo to secure your other online accounts like Instagram and Twitter too!

With the shopping season right around the corner, I wanted to show you how easy it is to secure your online purchases using Duo Mobile!

How To Set-Up Duo 2FA With Your Amazon Account

Let’s take a look at how to protect your Amazon account using Duo Mobile. 

Step 1

Log in to your Amazon account, and go to “Your Account” settings.

Step 2

Click on the “Login & Security” settings.

Step 3

At the bottom of the list, click “Edit” in the “Two-Step Verification Settings” section

Step 4

Click “Get Started”

Step 5

Select “Authenticator App” for your Two Step Verification

Step 6

Open Duo Mobile on your smartphone. Tap the “+” button in the top right corner, and scan the barcode that appears on screen

Step 7

Once you scan the QR code, an Amazon account will appear in Duo Mobile. Type this passcode that appears in Duo Mobile into the text box under the QR code in your browser

Step 8

Amazon requires a phone number as a backup form of Two-Factor. Put in your phone number, and click “Call me now” to verify your phone.

Success! Your Amazon Account is Secure!

You’re all set! Whenever you log in, you’ll use a 6-digit passcode from Duo Mobile after your username and password. You’re now secured with two-factor authentication (2FA) and you can be confident in your online shopping, knowing Duo has your back.

Duo Restore for Third-Party Accounts

Ditching your old phone? Don't forget to transfer your two-factor authentication (2FA) accounts to your new phone. Knowing how important it is to access your accounts when you need to, Duo has developed an easier way to get your Duo-protected accounts set up on your new phone or tablet so you can continue to verify your identity when logging in, preventing a potential account lockout. It’s really easy. Learn more. 

Download Duo's free 2-Step Authenticator App available at Google Play and the Apple App store. 

See the video at the blog post.

The Current Security Landscape

The shift to remote work has had IT security ramifications: not only are people using both their personal and corporate-managed devices to access business applications, they’re also logging onto systems from various locations, sharing devices with family members, and installing various software for personal use. While these changes are in some ways necessary to adapting to all that’s happened in the last year, they also provide opportunities for attackers.

This year has seen a rise of attacks targeting cloud services, with Microsoft Office 365 being the most commonly targeted service. So how can organizations better track what’s happening in their environments and protect their employees’ identities while securing access to their Microsoft applications from any device? 

A Better Approach to Security: Zero Trust 

Zero trust is an approach where trust is established for every access request, regardless of where the request is coming from, by requiring multiple factors to confirm before granting access. This method secures access across applications and networks, ensuring only the right users and devices have access. Taking a zero trust approach to security can extend trust by providing visibility and adding layers of protection which are easy for end users and support modern enterprises with BYOD (bring your own device), cloud apps, hybrid environments, and more.

Duo delivers zero trust for the workforce by verifying the identity of users and the health of their devices before connecting to the applications they need. 

The Three Pillars of Duo’s Zero-Trust Approach:

1: Establish User Trust 

Duo provides a set of tools for verifying a user’s identity through our strong multi-factor authentication (MFA or two-factor authentication,) which asks for validation via something you know, something you have and something you are. According to Microsoft, using MFA prevents 99.9% of account hacks. By gathering information in the context of the user’s access request, such as location of access, time of access, network of accessand the device used to request the access, Duo can greenlight or block a user’s access.

Our MFA solution is one of the most easy-to-use and secure solutions out there, both for end users and administrators. Administrators can deploy our solution quickly and efficiently (rollouts can take merely a few days,) and end users have the option of self-enrollment, which empowers the user to enroll themselves without impacting productivity, therefore saving time. 

Our MFA solution is also incredibly secure, supporting out-of-band methods such as Duo Push, and providing flexible authentication options such as SMS, OTPs, and soft tokens through our mobile application, as well as more advanced methods such as universal two-factor authentication using security keys such as Yubikey.

Duo can work with any application, whether it’s a cloud-based Saas application like O365, an on-prem environment, or a hybrid environment.

2: Establishing Device Trust

Because Duo is in the application access path, we can provide complete visibility into all devices accessing Duo-protected applications. Many organizations underestimate the number of devices accessing their networks, but Duo can help inventory previously undetected devices. For example, we had a customer’s IT team discover that there were twice as many devices connecting to their network than they had accounted for.  

Duo can also perform posture (security risk) assessments on these devices by checking if the device is corporate-managed, if the operating system and browsers are up-to-date, whether Java plugins are installed, or if password encryption is turned on. And because we follow the zero-trust framework of “never trust, always verify,” these checks are performed every time access is requested, creating a tight ring of security around your organization’s network

3: Enforcing Adaptive Policies

Duo enables rich user and device context, as well as adaptive granular policy controls. For example, a typical policy of Duo customers might limit access to users in the US who are using a particular set of networks with a particular set of IP addresses from a managed device. In this way, Duo allows the organization to adhere to whatever compliance frameworks are required.

Duo’s policy engine is quite robust, enabling organizations to set policies at a global level for the entire organization, at each application level based on the sensitivity of the application, or at a user group level based on that group’s set of privileges. There are many levels of controls and policies for access that can be set at a granular level. This is truly one of the most important security features Duo offers. 

Providing Duo’s Zero-Trust Security Framework to Microsoft Environments

Duo has a great partnership with Microsoft. Currently, we have over 10,000 joint customers, including Qualcomm, Expedia, 3M, and MIT, and over 5,000 of these customers use Duo to protect Azure Active Directory. And these customers are not just using Duo for our expertise in MFA, but for our expertise in security, including our device hygiene and policy engine. 

Wherever you are in your journey to the cloud, whether your directory is in AD or Azure AD, or you’re in the process of migrating from Outlook to Office 365, Duo can protect your applications securely and with the same ease of use. 

How Duo Protects Microsoft Azure

Duo natively integrates with Azure AD’s conditional access policies, as well as secures access to remote desktop, Exchange, and O365 deployments. In fact, with the move to remote work, Duo has seen RDP authications go up by over a million authentications a day. Duo also has the ability to protect offline access into Windows machines using OTP and U2F tokens.

How Duo Secures Managed Devices

In a basic use case, organizations want to set policies to allow access only to managed devices into certain applications. There are different ways to do this, but in today’s remote world, where the VPN load is being tested for many organizations, IT administrators are asking users to select VPN only if they are using it to log into network devices and accessing SaaS applications over the internet to manage the bandwidth. 

In this situation, there’s no easy way to check whether the device is managed or not. However, Duo’s authentication workflow can intercept the access request, and thanks to our recent integration with Microsoft's Intune, allows you to check if the device is enrolled in your Intune management system. Alternatively, we can check to see if the device is a Windows AD domain-joined device. 

How Duo Protects Unmanaged Devices

A second use case we’ve seen embraces bring your own device (BYOD). Typically these devices are outside of IT’s control, and it can be hard if not impossible for them to check if the device has a high enough level of hygiene to grant application access.

Luckily, Duo has several options, including an agentless option, which assesses device hygiene through browsers. We also have a lightweight client, the Duo Device Health application, which checks the device hygiene at the time of access, and only performs certain checks.

Duo's Device Health Checks Include: 

• Is the Windows OS updated? 
• Is the device encrypted?
• Is it password protected?
• Is Windows Defender running?
• Is the firewall enabled?

In Summary

Duo protects Microsoft applications by verifying the trust of the user and the health of the device before granting access to the application, and we do this each time access is requested. 

We do this with our consistent access policies, whether the applications are in the cloud or on-prem, online or offline. We do this through speed to security through our native integrations with Office 365, Azure Active Directory, and Intune and self-service workflows, which can be deployed in minutes. (Yes, minutes! In previous speed tests, one of our security engineers was able to set up a native integration in Azure AD in less than five minutes.) 

We balance security with user experience by reducing friction, boosting productivity, and allowing for customizable policy controls and self-remediation options to decrease helpdesk tickets. All of these things allow you to mitigate your risk due to BYOD, and Duo helps you do this by improving device visibility and risk assessment options without agents and without performing actions without the user’s permission.

For a more in-depth discussion on simplifying remote work and reducing risk with Microsoft and Duo, please take a look at this recent webinar (below), hosted by SANS Analyst Dave Shackleford, and Duo’s Leya Leydiker and Ganesh Umapathy. 

See the video at the blog post.

Try Duo For Free

Sign-up for a free trial to experience the product and see how Duo can give you deep device visibility and get started with Device Trust.