<![CDATA[The Duo Blog]]> Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and the security health of their devices before they connect to the apps you want them to access. en-us info@duosecurity.com (Amy Vazquez) Copyright 2022

<![CDATA[Easily Enable Conditional Access by Country with Duo]]> ccherrie@duo.com (Chrysta Cherrie) https://duo.com/blog/easily-enable-conditional-access-by-country-with-duo Product & Engineering

The conflict in Ukraine has shined a light on threats from bad actors operating from specific parts of the world. If you haven’t done so already, this is an opportune time to evaluate, and if necessary tighten, your organization’s security posture. Enabling conditional access policies that block access from specific countries would be an excellent way to do this.

Our latest Duo Trusted Access Report found that roughly 74% of organizations implementing location restrictions choose to restrict access from Russia and China. Other countries topping the list include North Korea (42%), Iran (37%), Afghanistan (28%), Ukraine (22%), Iraq (21%), Nigeria (19%), Syria (19%) and South Korea (16%).

How to block access by location with Duo

Duo Access and Duo Beyond customers can set a conditional access policy in only a few minutes that prevents unauthorized access from any location.

To change your user location policy, go into the Duo Admin Panel, navigate to Policies and click “Edit Global Policy.” Start typing the country name into the Duo Admin Panel to select it from the list. Change the drop-down to “Deny access,” then click “Save.” This prevents all authentication attempts from IP addresses that originate from the selected country.

See the video at the blog post.

This policy setting overrides other access policies, like Authentication Policy, Authorized Networks and Remembered Devices, when the setting applied here is more restrictive than the setting applied by those other policy options.
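The precedence rule above (a more restrictive User Location result wins over Authentication Policy, Authorized Networks and Remembered Devices) is easy to get wrong when reasoning about it, so here is a small model of it as an added example. This is not Duo's code: the decision ordering, the policy dictionary keys, the geolocation table (RFC 5737 documentation ranges with made-up country assignments) and the sample inputs are all constructed for illustration.

```python
import ipaddress
from enum import IntEnum
from typing import List, Optional, Tuple


class Decision(IntEnum):
    """Access outcomes ordered from least to most restrictive (assumed ordering)."""
    ALLOW_WITHOUT_2FA = 0
    REQUIRE_2FA = 1
    DENY = 2


# Constructed geolocation table using RFC 5737 documentation ranges; a real
# deployment would consult a geo-IP database. The country assignments are
# assumptions made for this example only.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "RU",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("192.0.2.0/24"): "KP",
}

# Constructed global policy: the keys mirror the policy names in the post,
# not Duo's configuration format.
GLOBAL_POLICY = {
    "denied_countries": {"RU", "KP"},                                # User Location: "Deny access"
    "authorized_networks": [ipaddress.ip_network("198.51.100.0/24")],  # Authorized Networks
    "require_2fa": True,                                             # Authentication Policy baseline
}


def country_for_ip(ip: str) -> Optional[str]:
    """Look the address up in the constructed geolocation table."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


def evaluate_access(ip: str, remembered_device: bool,
                    policy: dict = GLOBAL_POLICY) -> Tuple[Decision, List[str]]:
    """Return the final decision plus the reasons, in the order they applied."""
    reasons: List[str] = []
    addr = ipaddress.ip_address(ip)

    # 1. Authentication Policy sets the baseline for every login.
    decision = Decision.REQUIRE_2FA if policy["require_2fa"] else Decision.ALLOW_WITHOUT_2FA
    reasons.append(f"authentication policy -> {decision.name}")

    # 2. Authorized Networks and Remembered Devices may relax that baseline.
    if any(addr in net for net in policy["authorized_networks"]):
        decision = Decision.ALLOW_WITHOUT_2FA
        reasons.append("authorized network -> ALLOW_WITHOUT_2FA")
    if remembered_device:
        decision = Decision.ALLOW_WITHOUT_2FA
        reasons.append("remembered device -> ALLOW_WITHOUT_2FA")

    # 3. User Location is applied last as a floor: when it is more restrictive
    #    than the result so far it wins; otherwise it changes nothing.
    country = country_for_ip(ip)
    if country in policy["denied_countries"]:
        reasons.append(f"user location {country} denied -> DENY")
        decision = max(decision, Decision.DENY)
    else:
        reasons.append(f"user location {country or 'unknown'} -> no restriction")

    return decision, reasons


if __name__ == "__main__":
    # Constructed sample logins: a remembered device from a denied country, a
    # login from an authorized network, and one from an unknown location.
    for ip, remembered in [("203.0.113.7", True), ("198.51.100.9", False), ("10.0.0.5", False)]:
        outcome, why = evaluate_access(ip, remembered)
        print(ip, outcome.name, "|", "; ".join(why))
```

The reasons list is worth keeping in any real evaluator: when a user is denied, the help desk needs to see that the block came from the location rule and not from a misconfigured remembered-device setting.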

Learn more about enabling conditional access by country

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and create custom conditional access policies based on role, device, location, and many other contextual factors.

<![CDATA[Improved Self-Service. Less Code. Hosted Device Management via Duo SSO Is Now in Public Preview.]]> cmedfisch@duo.com (Colin Medfisch) https://duo.com/blog/hosted-device-management-via-duo-sso-now-in-public-preview Product & Engineering

Millions of users carry Duo Mobile around in their pocket daily. On top of that, some users also have it installed on their tablets or carry around their precious YubiKey. This authentication device is central to their being able to log in and start their workday, or to turn in that big assignment five minutes before the midnight due date. However, sometimes these devices change. Sometimes accidents happen. There are many reasons why users may need to update their Duo authentication device (e.g., Touch ID, security keys, mobile phone), and having an easily accessible way to do this, without needing to contact IT staff for help, is crucial to their overall experience with Duo.

We’ve made that easier than ever by enabling device management through Duo Single Sign-On (SSO) and Duo Central - now available in Public Preview!

See the video at the blog post.

In 2014, Duo added the Self-Service Portal to the Duo Prompt - allowing users to enroll and manage their authentication devices from any web-based application that was protected by Duo. Then, in 2016, we released the Device Management Portal which provided an SDK for customers to embed Duo’s self-service offering on their own web server, backed by their own primary authentication provider. This empowered customers to put their own security controls in front of the portal, have their own identifiable URL that points users towards the service, and link out to it from anywhere that they see fit. 

The next thing we knew, we started logging feature requests for a fully-hosted device management tool for users!

This was understandable: many customers we work with do not wish to host more on-premises servers than needed to work with Duo, a SaaS provider, or they did not have the development resources necessary to spin up this service or configure it to work with their user directory. Nonetheless, they had the same problem to solve: how to decrease friction for users when they need to add, remove or edit their authentication devices.

The challenge in solving this problem over the years is that while Duo has had ways to sync user information, we have not had a way to complete primary authentication from our cloud service to customer directories. That is, until we released Duo Single Sign-On.

Duo Single Sign-On is a fully hosted SSO service that connects to either on-premises Active Directory or a SAML Identity Provider. Users can authenticate either directly from cloud applications or from Duo Central, an application launcher for both SSO-enabled applications and bookmarks of your choice.

Now that we can tie into an authentication source of choice, securely hosting device management becomes possible! As part of this update, you can now enable access to the new Universal Prompt Self-Service Portal from a My Devices link in Duo Central and from a direct link.

See the video at the blog post.

When using the direct link, users will be directed to authenticate using Duo SSO, have their device policy checked through Duo Central’s policy stack, and finally land on the Self-Service Portal. We are excited to see how customers build out their help desk sites and automations without the reins of on-premises servers!

This new way to manage authentication devices will start rolling out to Duo SSO customer accounts between May 19th and May 26th. Check out our documentation to get started!

If you still need to connect Duo Single Sign-On to your LDAP or SAML authentication source of choice, check out our Duo Single Sign-On Configuration Documentation!

Want to learn more about how Duo Security can fit into your security stack?

Check out our on-demand #CiscoChat panel discussion with real-world security practitioners on how they have implemented secure access best practices for hybrid work using Duo.

Or, sign up for a 30-day trial to experience how Duo can simplify security access for your workforce. And feel free to reach out to sales@duo.com with questions, comments, and feedback.

<![CDATA[Managed or Unmanaged Device? Duo’s Device Trust Has You Covered]]> gumapathy@duo.com (Ganesh Umapathy) https://duo.com/blog/managed-or-unmanaged-device-duo-device-trust-has-you-covered Product & Engineering

“How do I allow access only to devices that meet my organization’s trust and compliance standards?” This is the problem that many security practitioners are trying to solve. This problem is further complicated due to the mix of managed and unmanaged devices that access corporate applications. And the latter is made up of personal devices used by employees and devices used by partners and contractors that typically are not managed by the IT department.

In today’s world of hybrid and remote work, administrators must not only verify the user’s identity but also verify the posture of the device before granting access to minimize the risk of unauthorized access. Typically, organizations deploy device management solutions to gain visibility and control of corporate owned devices. And certain VPN clients or remote access agents perform posture checks to enforce device-based access policies. But organizations are moving their applications to the cloud, allowing BYOD and contractor devices for work, and reducing their reliance on VPN for remote access. To secure this modern remote access workflow, administrators need a mechanism to perform posture checks on devices and enforce access policies based on the device security posture.

Enter Duo’s Device Health application. The lightweight application collects device health information such as Operating System (OS) version, firewall status, disk encryption status, presence of Endpoint Detection and Response (EDR) agents and password status. Administrators can set access policies based on device health. For example, users can access their email only from devices that have the latest version of the operating system and security patches installed and the host firewall enabled.

Duo’s Device Health application also collects unique device identifiers (UUIDs) to verify that the device is enrolled in the enterprise management system. Administrators can enforce the Trusted Endpoints policy to distinguish between managed and unmanaged devices and block access to critical applications from unmanaged devices.

Easily Integrate Duo with Device Management Solution of Your Choice

For organizations that have deployed device management solutions, Duo provides out-of-the-box integrations with Unified Endpoint Management (UEM) solutions such as Active Directory domain-joined devices, Microsoft Intune, Jamf Pro and VMware Workspace ONE.

For organizations that have deployed a solution that is not listed above, Duo provides a Device API that allows administrators to upload a list of unique device identifiers from their enterprise device management systems to Duo. At the time of authentication, the Trusted Endpoints policy verifies that the device identifiers collected by the Device Health application are present in the identifiers stored in Duo and allows access only from trusted Windows and macOS devices. This API is available to all paying Duo Beyond customers.
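To make the two checks described in this post concrete (the device-health policy from the Device Health application, and the Trusted Endpoints membership check against identifiers uploaded via the Device API), here is an added example of how an evaluator could combine them. It is not Duo's code and does not use Duo's API: the report attribute names, the version thresholds, the trusted identifier set and the sample devices are constructed assumptions; only the categories of data (OS version, firewall, disk encryption, EDR, password, UUID) and the Windows/macOS scope come from the post.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DeviceHealthReport:
    """What the health agent reports at authentication time.
    Attribute names are assumptions; the categories follow the post."""
    device_id: str                 # unique device identifier (UUID) read by the agent
    os_name: str
    os_version: Tuple[int, ...]
    firewall_enabled: bool
    disk_encrypted: bool
    edr_present: bool
    password_set: bool


# Identifiers an administrator would upload from the organization's own
# management system. Constructed sample values.
TRUSTED_DEVICE_IDS = {
    "6f1c2a3e-0001-4c2b-9d1e-000000000001",
    "6f1c2a3e-0002-4c2b-9d1e-000000000002",
}

# Identifier-based trust applies to Windows and macOS, as the post states.
TRUSTED_ENDPOINT_OS = {"Windows", "macOS"}

# Minimum OS versions required by the health policy (constructed thresholds).
MIN_OS_VERSION: Dict[str, Tuple[int, ...]] = {
    "macOS": (12, 3),
    "Windows": (10, 0, 19044),
}


def _fmt(version: Tuple[int, ...]) -> str:
    return ".".join(map(str, version))


def is_trusted_endpoint(report: DeviceHealthReport) -> bool:
    """Trusted Endpoints check: the reported identifier must be in the
    uploaded set, and the OS must be one the check supports."""
    return report.os_name in TRUSTED_ENDPOINT_OS and report.device_id in TRUSTED_DEVICE_IDS


def health_findings(report: DeviceHealthReport) -> List[str]:
    """Return every device-health requirement the report fails to meet."""
    findings: List[str] = []
    minimum = MIN_OS_VERSION.get(report.os_name)
    if minimum is None:
        findings.append(f"unsupported OS {report.os_name}")
    elif report.os_version < minimum:   # tuple comparison handles multi-part versions
        findings.append(f"{report.os_name} {_fmt(report.os_version)} below required {_fmt(minimum)}")
    if not report.firewall_enabled:
        findings.append("host firewall disabled")
    if not report.disk_encrypted:
        findings.append("disk encryption off")
    if not report.edr_present:
        findings.append("no EDR agent")
    if not report.password_set:
        findings.append("no login password")
    return findings


def access_decision(report: DeviceHealthReport, app_is_critical: bool) -> Tuple[str, List[str]]:
    """'allow' or 'deny' plus reasons. Every app is gated by the health policy;
    critical apps additionally require a trusted (managed) endpoint."""
    reasons = health_findings(report)
    if app_is_critical and not is_trusted_endpoint(report):
        reasons.insert(0, "unmanaged device blocked from critical application")
    return ("deny" if reasons else "allow", reasons)


# Constructed sample devices: a managed, healthy Mac; a healthy BYOD Windows
# laptop whose identifier was never uploaded; and a managed Mac that has
# drifted out of compliance.
MANAGED_MAC = DeviceHealthReport("6f1c2a3e-0001-4c2b-9d1e-000000000001", "macOS", (13, 2), True, True, True, True)
BYOD_WINDOWS = DeviceHealthReport("ffffffff-0000-0000-0000-deadbeef0000", "Windows", (10, 0, 19045), True, True, True, True)
STALE_MAC = DeviceHealthReport("6f1c2a3e-0002-4c2b-9d1e-000000000002", "macOS", (11, 6), False, True, True, True)

if __name__ == "__main__":
    for name, report in [("managed mac", MANAGED_MAC), ("byod windows", BYOD_WINDOWS), ("stale mac", STALE_MAC)]:
        for critical in (False, True):
            verdict, why = access_decision(report, app_is_critical=critical)
            print(f"{name:13} critical={critical!s:5} {verdict:5} {'; '.join(why)}")
```

The split between `health_findings` and `is_trusted_endpoint` mirrors the distinction the post draws: a personal device can be perfectly healthy and still be kept away from critical applications because it is unmanaged, while a managed device can be blocked everywhere because its posture has slipped.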

With our efforts to simplify secure access to any application from any device, we are eliminating the requirement to deploy and manage device certificates to enforce the Trusted Endpoints policy. Using the Device Health app instead lowers administrative overhead while offering a simpler mechanism to enforce device trust. Check out this blog on how you can enable the Trusted Endpoints policy using the Device Health application in three simple steps.

Sign up for a 30-day trial and experience how Duo can simplify secure access for your workforce.

Check out this on-demand #CiscoChat panel discussion with real-world security practitioners on how they have implemented secure access best practices for hybrid work using Duo.

<![CDATA[Duo Has Been Recognized as a Customers’ Choice for Access Management in Gartner® Peer Insights™ Two Years in a Row!]]> dgainer@duo.com (Darcie Gainer) https://duo.com/blog/duo-recognized-as-a-customers-choice-for-access-management-in-gartner-peer-insights-two-years-in-row Industry News

Duo is excited to announce we have been recognized as a Customers’ Choice vendor for 2022 in the Access Management category in Gartner® Peer Insights™. This distinction is a recognition of vendors in this market based on feedback and ratings from 89 verified end users of our product as of 28th Feb 2022. Overall, Duo reviewers gave us a 4.7 out of 5, with 92% saying they would recommend our product!

Everyone here at Duo is particularly honored to receive this distinction, since it comes from customers – the people we’re here to serve.

“Gartner Peer Insights is a free peer review and ratings platform designed for enterprise software and services decision makers. Reviews go through a strict validation and moderation process in an effort to ensure they are authentic. Vendors placed in the upper-right quadrant of the “Voice of the Customer” quadrants are recognized with the Gartner Peer Insights Customers’ Choice distinction, denoted with a Customers’ Choice badge. The recognized vendors meet or exceed both the market average Overall Rating and the market average User Interest and Adoption.”

Here are some comments from customers that contributed to this distinction:

  • “2FA and SSO is an essential for any enterprise company worth their salt and nobody does it better and more cost effective than Duo. From the start of the discovery process the sales team at Duo helped us to uncover extra areas of improvement with our current processes and ensure that we could maximise the value of their Trust Access Management platform. The icing on the cake was how easy it was to onboard all our new users seamlessly and naturally without any friction.” – Security Account Executive, Media and Publishing Industry

  • “We love how simple this is to use for our customers. We love the low overhead of maintenance supporting Duo for our Help Desk. We love that xx check in on us regularly and have answers for every question or get back to us within minutes.” – Systems Administrator, Provider Industry

  • “Duo has been exceptionally easy to implement and deploy. User uptake and engagement was extremely fast and well received with a very low training requirement.” – Infrastructure Solutions Architect, Undisclosed Industry

Read more reviews for Duo.

To learn more about this distinction, or to read the reviews written about our products by the IT professionals who use them, please see the Access Management page on Gartner Peer Insights.

To all our customers who submitted reviews, thank you! Your feedback helps us create better products to fit your needs, and we look forward to earning the trust and confidence reflected in this distinction.

If you have a Duo story to share, we encourage you to join the Gartner Peer Insights crowd and weigh in.

The Gartner Peer Insights Customers’ Choice Badge, Gartner®, and Peer Insights™ are trademarks of Gartner, Inc. and/or its affiliates. All rights reserved.  Gartner® Peer Insights™ content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.
Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.
Gartner, Gartner Peer Insights ‘Voice of the Customer’: Access Management, By Peer Contributors, 29 April 2022.

<![CDATA[Paving the Way to Passwordless]]> rk11@cisco.com (Rick Kramer) https://duo.com/blog/paving-the-way-to-passwordless Industry News

Do you remember all the passwords to your various accounts and profiles? How many times have you forgotten your login details, attempted to reset your password, and faced the painful reminder, ‘your new password cannot be the same as previous’?

I know I’m not alone with these frustrations and, with World Password Day on May 5, it would be nice to imagine a passwordless world where things remain protected while passwords become a burden of the past.

Every first Thursday of May is World Password Day – an opportunity to highlight the importance of secure passwords, promoting better password habits in our increasingly digitalized world.

Our passwords are the gatekeepers to our digital lives. From online banking and shopping accounts to social media platforms, a significant portion of our online accessibility is determined by the strength (and memorability) of our passwords.

Password management can be costly and burdensome as US-based enterprises allocate over $1 million annually to password-related support costs. Cumbersome password and authentication processes lead to poor user experiences and potential cyberthreats, putting the business and its people at risk.

No more lagging logins

We need to eliminate the countless forgotten passwords along with the risks we face using the same password across numerous accounts (I know many of us are guilty of this one). To create a more secure and convenient future, authentication must become passwordless.

Passwordless authentication (also known as modern authentication) is identity verification that doesn’t rely on passwords to provide a single, strong assurance of users' identities. This includes solutions like biometrics, security keys, and specialized mobile applications that provide secure access for every enterprise use case, such as hybrid, cloud, on-premises, and legacy apps.

However, going passwordless isn’t easy, especially when dealing with large networks of users, apps, hybrid infrastructures, and complex login flows. While complete elimination of passwords is still far off, reducing reliance is already possible through multi-factor authentication, establishing trust in devices, leveraging single sign-on, and implementing adaptive-access policies.

According to the 2021 Data Breach Investigations Report:

Organizations that neglected to implement multi-factor authentication, along with virtual private networks (VPN), represented a significant percentage of victims targeted during the pandemic. The zero-trust model for access quickly became a fundamental security requirement rather than a future ideal.

Duo is innovating towards a truly passwordless future that balances intuitive usability with stronger authentication. Our mission is to provide users a frictionless login experience while reducing administrative burden, help-desk costs, and enterprise-security risks associated with password management.

Decreasing the administrative burden of password-related issues reduces the time and costs of IT management while eliminating frictions and frustrations. Going passwordless helps mitigate cyber risks and vulnerabilities without hindering user experience, accessibility, or convenience.

If you’re anything like me, remembering passwords is a pain. And I could do without the sense of defeat I feel whenever I have to click the ‘forgot your password’ link on a login page. As technology evolves to be more intelligent, so should our means of verification to be simpler AND more secure.

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

<![CDATA[Duo Announces UK & India Data Centers to Support Data Localization Requirements and International Expansion]]> ivablazi@duo.com (Iva Blazina) https://duo.com/blog/duo-international-growth-2022 Product & Engineering

Since 2017, the number of data localization measures in force globally has more than doubled. A report put together by the Information Technology & Innovation Foundation (ITIF) shows that while in 2017, 35 countries had implemented 67 data localization barriers, by mid-2021, 62 countries had imposed similar restrictions.

Is this a big deal to the majority of organizations/companies? In a word, yes. Data localization imposes obligations on firms to store and process data locally rather than in servers located overseas. This leads to a significant bump in the operational cost. How significant? Massive. At least according to 88% of over 4900 security professionals across 27 countries that were surveyed for the recently released Cisco 2022 Data Privacy Benchmark Study.

In response to these trends, Duo is thrilled to announce the launch of two new data centers in the UK and India. Supporting our customers’ data localization needs, this new launch expands our existing presence in the United States, Canada, Ireland, Germany, Australia, Singapore and Japan.

Both the new and existing data centers will provide Duo’s customers with a choice over service delivery locations and allow organizations to meet all local requirements, all while maintaining ISO 27001 and SOC 2 compliance and a 99.999% service availability goal.

International Expansion

The launch of the new data centers is the backbone of Duo's international expansion strategy. It provides customers, particularly those in highly regulated industries such as public sector and financial services, with more choice over service delivery locations and by doing so enables Duo to grow internationally.

In the last two years, Duo has met key international growth milestones and completed the C5 attestation (Germany), AgID certification (Italy) and IRAP assessment (Australia), all of which demonstrate that Duo meets the mandatory baseline standards for use by the public sector in the countries listed above.

Solution Availability

Duo recognizes the investment that organizations make to help protect sensitive information and hopes to remove some of that burden, all while making security accessible. All Duo features, including multi-factor authentication, single sign-on, remote access, passwordless (in public preview) and device trust policies, will be available via the Duo MFA, Access and Beyond editions to help customers develop and execute a holistic secure access strategy.

The Importance of Teamwork

Establishing international data centers is no small job, and it took many cross-functional teams, across Duo and Cisco, to make this deployment a reality. This is an exciting step for Duo and our customers. We take our job as a trusted partner seriously, working together to keep organizations’ data secure.

To learn more about Duo’s privacy policies, see the Cisco Trust Portal for additional resources.

<![CDATA[Redesigning the Security Narrative]]> hmijinyawa@duo.com (Hafsah Mijinyawa) https://duo.com/blog/redesigning-the-security-narrative Industry News

When I joined Duo’s creative team back in 2017 as a junior designer, I recall the dim panic of feeling completely out of my element and fearing that I would end up getting the boot once my colleagues realized I had no idea what I was doing. A more technical phrase for that is probably “imposter syndrome.” Luckily, it would pass. A couple of months into the job proved that all I needed was some patience, to practice active listening, stop being afraid to ask “dumb” questions, and most of all, relax and have fun.

As I immersed myself in foreign concepts around the information security industry, marketing, and business practices at scale, I grew to appreciate not just the technology we were building at Duo, but the people who built it, the diverse audiences that we addressed, and the unique problems-to-solve around security at large. My new role as a designer became less daunting and more of an exciting challenge in storytelling. But where to begin?

Defining “storytelling” in an InfoSec context

Inspiration - We the People: Democratizing Security

“Storytelling” is a word that you will hear frequently within Duo’s creative team — now part of a Brand & Strategy unit for Cisco’s rebranded security organization Cisco Secure. As with other terms within the security industry, “storytelling” on its own can become a bit of a buzzword. What does it really mean? Do we need a more passionate sales pitch? Do the marketing materials need to “pop” more? Should we host flashy improv sessions at our booths during technology conferences? What is the intrinsic purpose of “storytelling” in the context of security, and how could it help solve the myriad problems and complexities facing the industry?

“Stories help solidify abstract concepts and simplify complex messages. Taking a lofty, non-tangible concept and relating it using concrete ideas is one of the biggest strengths of storytelling in business.” — Allie Decker, HubSpot

Several more months into the job at Duo, what I came to understand was the idea of storytelling from a business perspective. This was a way of strategically and authentically engaging the audiences that we needed to reach. This would involve building cohesive narratives around our company values; our users, customers, and employees; and the information security industry at large.

In the infosec landscape, this story-driven approach was somewhat unique to the Duo way of doing business. Rather than hanging our efforts solely on a product pitch, we built our story around our value differentiators and the real world perspectives of customers, employees and industry experts. By doing this, we could effectively show — not just tell — our audiences who we were and how our solutions did what they said on the box.

But where did visual design fit into that storytelling strategy?

Source - "Creating an Authentic Security Brand From Within"

A new player has entered the game: The “security designer”

As I continued to learn more about being a designer for a security company, I came across an intriguing idea: reimagining information security through visual design and design thinking. Duo’s co-founder Dug Song spoke of security being “the biggest geopolitical issue of our time. …When governments can’t keep their secrets safe, what hope does anyone else have? We want to make sure we provide security that everyone can use.”

The implication of that perspective, at the time of learning it, was surprising to me. It meant that security had sociopolitical impact equivalent to some of the biggest issues at hand in the mainstream vocabulary, such as climate change and economics. But if security was a concept that influenced or even determined the nature of our privacy, autonomy, and independence, then why wasn’t it given a more considered and mainstream approach? Where was the attention to detail and image? The endeavor to develop a global standard-setting design system for security products? A broader initiative to support varying scales of modern IT expertise, or educate a public whose identities were becoming inextricably digital?

The broader problem-to-solve seemed to be how to convince the security industry of its need to embrace design as a key strategic tool.

“[At Duo], we wanted to redefine how we communicate across every interaction — not just in the experience of using our product, but in the experience of interacting with our company. All of this combined into a single mission: to democratize security and make it accessible and simple for everyone, not just those with unlimited resources.” — Peter Baker, Radical Simplicity: Creating an Authentic Security Brand from Within

Traditionally, visual design in the infosec industry has been more of a topical treatment often fulfilled through the ad hoc support of marketing and creative agencies. When present in-house, creative roles will almost always sit within a marketing structure, and there is generally little strategic collaboration between visual design and other organizational functions such as product marketing, sales, engineering, or product design.

One of Duo Security’s unique advantages was having a design thinking perspective at the strategic table early on during its inception. The idea was that towards the end of making security simple (but not simplistic), design thinking needed to be integral to building the brand narrative. This meant that future architects of that brand (content writers, web developers, videographers, designers, etc.) would ideally sit in-house, and not only be responsible for the stylistic direction of the brand but would additionally be encouraged to think like strategic contributors within the context of a security business.

For me, this newfound understanding meant taking a step back from what I originally believed a designer’s primary responsibility was — making things look aesthetically pleasing and supporting a client — and instead coming to embrace a more (buzzword incoming) holistic approach to design. Beyond the “pixel pushing,” my role for this company would span being a strategic creative partner, rather than ticket-taker, for my colleagues across teams. I needed to make an effort to understand and empathize with customer and business issues so that I could develop bespoke, rather than assumptive, creative solutions.

Why information security needs design thinking

The idea of design being an integral part of business strategy isn’t new. In 2006, Tim Brown, CEO and President of IDEO, wrote for Fast Company that “...design thinking is indisputably a catalyst for innovation productivity. …Where you innovate, how you innovate, and what you innovate are design problems. When you bring design thinking into that strategic discussion, you join a powerful tool with the purpose of the entire endeavor, which is to grow.”

Much earlier in 1973, a heavily researched and detailed Design Necessity compendium was published with support from the National Endowment for the Arts. It was created to help encourage the application of design thinking practices and strategy to the complexity-challenged federal government.

“...Design [is] an instrument of organization, a medium for persuasion, a means of relating objects to people, a method for improving safety and efficiency, and way of coping with [] complexity.” — Diana Budds, Nixon, NASA, and How the Federal Government Got Design

One takeaway here is that design really isn’t merely the sum of its stylistic parts. Rather, it functions as a necessary problem-solving tool, invaluable for persuasion, communication, and community-building. By having modern design principles fundamentally built into a company’s strategic architecture, a cohesive brand vision, voice, and aesthetic can then be customized as needed to help encourage audience engagement, communicate effectively, and set overall expectations for everyone who engages with the business’ touchpoints.

But the question remained: what were the specific problems-to-solve for security? Though the security industry typically serves the B2B space, there is increasing nuance in the types of clientele served. Traditionally the realm of technologists, computer engineers and academics, information technology’s applications are no longer limited to their specific use cases. With the advent of open API, cloud based applications, IoT (the Internet of Things), and the realities of being part of an exponentially growing remote workforce, security products begin to necessitate more considered, simplified interfaces and user experiences — on the admin side and the end user side — in order to facilitate implementation and adoption.

Another problem-to-solve is the issue of how to communicate the practical and philosophical value of security to its diverse audiences in a similarly nuanced way. Security and networking audiences have different but adjacent cultures, processes, needs and perspectives. Likewise, every day end users such as students, employees, or friends and relatives have a different take on the immediate value of digital security. Both audiences are often inundated with product pitches laced with fear, uncertainty and doubt (often shorthanded as FUD), emotionally provocative marketing, and are potentially pliable to a variety of assumptions flavored by media clickbait.

With those realities in mind, how could design be used to introduce a solution, or at the very least, a new way of approaching problem solving in security?

Using design to set the tone

Source - Keith Yamashita “Fifteen Things Charles and Ray Eames Teach Us”

The values espoused by both design and computer technology are closer than they seem from a high level. Though separated by technical expertise, application and overall use case or context, they are both mediums that rely on constant iteration, collaboration, and close attention to context. Ultimately, both mediums are the vehicles for analog and digital experiences that attempt to deliver — at varying scales — enablement, productivity, and satisfaction.

Of being a designer, renowned industrial designer Charles Eames had this to say: “The role of the designer is that of a very good, thoughtful host anticipating the needs of his guests.” This was his philosophical approach to design and the act of being a designer. What is that first impression that someone has of a thing that’s been built? What is the mood or tone that the designer wishes the guest to have? What will the guest be expecting — and how do we build to meet that guest’s desires or expectations?

To return to the earlier inciting idea of design and storytelling strategy in the context of the security industry, let’s consider six “characters” that share architectural responsibilities for security’s narrative. What do they do, and what are their needs and perspectives? How might we build better experiences for them, and in doing so, tell a business story that puts them at the forefront?

  • A product designer works on the look and feel of a component. They are tasked with considering the most effective way to implement elements of a design system — graphics, images, shapes, typography. The design has to be executed in a way that is scalable to iterate on as the product develops, that is accessible across a broad array of touchpoints, and that won’t result in confusing user behaviors.

  • An engineer (specialty intentionally vague for the needs of this paragraph) is responsible for building the component with clean and effective language. Among many other things, they may seek to minimize bloated code, ensure that the architecture is built in a scalable, modern way, and help the final shipped experience be as frictionless as possible.

  • A security buyer is tasked with navigating a daunting gauntlet of offerings, and must separate the wheat from the chaff. What software suites are trusted and reputable? Easy to manage? Secure by design? Will the solution solve compliance issues, and help keep their infrastructure from costly audits? What will the solution cost to implement, and will it work at scale?

  • A security administrator is responsible for implementing the component, interpreting a CISO's policy requirements, configuring the component to implement any number of actions and policies, and effectively dealing with the support of and reactions from end users. With the support of simple, effective documentation and assorted educational materials supplied by the product’s vendor, the administrator’s life is made just a bit easier.

  • An end user (specialty also intentionally vague) needs to log in to their account or product interface. Ideally, thanks to a convergence of design intentionality from the beginning, all they deal with is an easy-to-navigate interface. They’ll be able to scan their options easily because the UI has been thoroughly tested and quality checked to ensure it meets a variety of accessibility requirements. They’ll be able to intuitively hook up an integration or third party tool. They’ll also be able to painlessly put in a support ticket, with no long waits or communication issues. And they will feel like their feedback is being heard when they see detailed patch updates that confirm how the product is being continually iterated on with feedback they volunteered or submitted.

  • Out in the world, the product’s marketing effectively communicates the value and purpose of the product through customer-centric anecdotes, live demos or free trials, and the expertise of easily accessible sales representatives. The consistent public-facing experience with the brand cultivates a level of trust and enthusiasm that encourages audiences to explore further.

In the spirit of Charles Eames’ philosophy, empathy and design intentionality for our guests — or rather customers and users — should come together to present an excellent first impression. Not all their problems will be instantly solved — all things come with time. But the act of putting ourselves in our guests’ place, iterating on the experiences we build for them, and using design thinking, will be a strong step towards the security industry no longer being stifled by complexity, confusion, or legacy processes.

The necessity of redesigning security

I would never have expected that, nearly six years after those first few months with Duo’s creative team, I would find myself invested in something as seemingly far removed from the creative realm as security. What my work within this industry has revealed is that neither creativity nor the craft of design are binaries of geometry, color and abstract ideation. Rather they are natural problem-solving processes that can and should be applied to every possible function that will be engaged with by humanity. An early paragraph in The Design Necessity says it best:

“It should go without saying, but unfortunately doesn’t, that design is directed towards human beings. To design is to solve human problems by identifying them, examining alternate solutions to them, choosing and executing the best solution.” — The Design Necessity, pg. 8 - 9

As both a product and a feeling, security has an imperative to become accessible and achievable for the broader market. With concepts like remote work and data privacy here to stay, the need to provide frictionless, scalable security for every network, user, device and application is more critical than ever. One of the best ways that the industry can ensure that solutions are enduring and innovative is by consistently including design in the security architecture conversation. Security for our modern world should be built to be timeless, and a security narrative created without the inclusion of design runs an unacceptable risk of not standing the test of time.

Want to work with a forward-thinking design team?

Duo security is hiring! Check out our job postings today to learn more about how you can help push cybersecurity design forward.

For further reading

On marketing as storytelling: The Ultimate Guide to Storytelling

On design and the federal government: Nixon, NASA, and How the Federal Government Got Design

On design in the federal space: The Design Necessity

On the history behind NASA's branding: The ‘Meatball’ vs the ‘Worm’: How NASA Brands Space

On how Hewlett Packard and OpenIDEO challenged designers to visualize cybersecurity: Reimagining Visuals for Cybersecurity

On how users fit into the cybersecurity industry: We the People: Democratizing Security

On how Duo uses simplicity to create an authentic brand: Radical Simplicity: Creating an Authentic Security Brand From Within

<![CDATA[Duo’s Recipe for Great Culture]]> swolfkostin@duo.com (Sierre Wolfkostin) https://duo.com/blog/duo-s-recipe-for-great-culture https://duo.com/blog/duo-s-recipe-for-great-culture Industry News

After years of immersion, here’s what I believe is Duo’s recipe for great culture. It’s based on my interviews and observations of about 200 people in Duo’s R&D team of designers, engineers, and product managers—all of whom were 100% remote during the height of COVID-19. My hope is that if I put these ingredients under a magnifying glass, then you’ll be able to more easily recognize the signs of a good workplace and, by joining one, discover more fulfillment in work and life. 

As I toured Duo’s office at 123 N Ashley after a long day of interviews, what struck me most wasn’t the security startup’s craft beer or floor-to-ceiling murals: it was the people. They seemed so…engaged. In this quiet, pure, humble way. I pass by a desk (“hey, Josh!”) and a guy gives the biggest smile. He shows what he’s working on (reviewing UIs). Asks if I got free pizza during my last job designing for Domino’s. Offers to grab lunch tomorrow. I talk to someone else. Same deal. 

I left the building confused. Was everyone nice just because I was the “new hire” on tour? But after checking Glassdoor (employee rating of 4.6), and Google (5.0), I started to believe it was real. 

“Out of my 150 clients, literally, it’s only the Duo employees who are happy,” said my fiancé, Desert. He’s a realtor in Ann Arbor, and has personally sold homes for three couples at the company. 

It wasn’t just the reviews that got my attention — Duo had results, too. Since its founders Dug and Jon spun up the software business in 2009, the company steadily and then explosively grew to support 30,000 customers and 30 million users. This is typically only seen by startups in hubs like San Francisco or New York. But here it was, right in our home of the Midwest. And customers loved the product: when I joined Duo in late 2019, polls showed that nearly 80% of customers were so satisfied by the product that they’d recommend it to their friends. 

It’s rare these days to see an undoubtedly happy and successful company. I wanted to see what made Duo’s culture tick. 

A safe environment

Duo is a psychologically safe place to work. The company allows for all the slips, mistakes and failures that are necessary for innovation, progress and growth. As is the case with many destinations, the road to where Duo wants to go is never perfectly straight. It’s filled with bends and detours. Having an all-terrain vehicle on that road is like being surrounded by a safe environment at work — you’re well-protected during the journey.

What makes Duo safe:  

  1. Normalizing failure: People at all levels of the company try to normalize failure. Project managers host “stop/start/continue” retros after projects. Engineers bring summaries of outages up to the team to discuss what went wrong. The underlying tone is: you don’t have to be perfect, but you do have to learn. Only by learning and continuously improving can we use these short-term problems to enable long-term success. 

  2. Growth mindset: People share a deep appreciation of learning. Duo’s core value of Learn Together is invoked strongly and often which — over time — creates a shared reality where anything can be seen as a learning opportunity for the group. 

  3. Candid and loving feedback: People take seriously the art of giving feedback. There’s feedback that unnecessarily hurts and demoralizes; we’ve all felt it before. But there’s also feedback that critiques yet uplifts, tears-apart yet pushes-forward. The key is positive intent. This type of constructive criticism is taught at workshops, critiques, and lunches. It helps you feel ok asking for feedback, even on messy drafts.

  4. Sharing vulnerability: People openly talk about weakness. It’s common for a leader to mention a personal shortcoming during a meeting, even in front of hundreds of people. When the pandemic hit, the oft repeated saying was, “You’re not working at home during a pandemic; you’re in a pandemic at home trying to work”. Being open about weakness makes it easier to ask for and give support. 

  5. Norm of asking for help: People understand that asking for help can feel pit-of-stomach scary. Maybe you’re worried about looking incompetent. But only by helping and supporting one another can the whole team move forward confidently. Duo managers lead by example here, often posting on Teams an ask for help, and sending a sincere thank-you to the people who show up to support. 

  6. Separating growth from performance reviews: Managers focus on nurturing growth on a regular basis, normally as a result of giving and receiving critical feedback (which is strongly encouraged, per the point above). This is kept away from performance reviews — where work output, bonuses, and promotions are discussed — so that people have a safe space to try, fail, and learn from their mistakes.

  7. Taking no chances: People understand that proactive effort, not luck, is what creates a truly safe environment. Leaders manage towards this by hiring the right people. It’s common to have workshops, training, and knowledge sharing (like this article!) focused on psychological safety. People want this type of culture, so they put in the effort to build it. 

From the moment I walked into Duo’s R&D headquarters, I could feel a sense of safety. There were lots of small cues, like the humble attitude of the people at their desks and the “learn together” artwork on the walls. I didn’t have words to describe it at the time, but now I can label the ingredients: failure, feedback, vulnerability, and support, to name a few. Together they form the first pillar of Duo’s culture.

A sense of belonging 

As humans we want, deep down, to belong. Whether it’s to a group, a mission, or a country, we love the feeling of being part of something greater. Just as 100 grains of rice eventually make a bowl, Duo’s many individual practices add up to create a visceral sense of belonging.

Duo creates it with:

  1. Collision-rich spaces: People who designed Duo’s space in 123 North Ashley St drilled in natural gathering spots. The kitchen, for instance, is stocked with brewing kits and barstools. This makes it easy to meet people who ritualistically make coffee every morning. If you’re working from home, there’s space at the beginning of every meeting to socialize. People often meet all-online to include everyone regardless of location.  

  2. Connection sparks: People have low-friction ways to meet one another. There’s a wall-basket full of free Roos Roast gift cards to use, for example, when you take a colleague out for coffee. If you can’t find anyone nearby, then join the #donut social channel and get matched to a coffee date automatically. My first match was Jon Oberheide, Duo’s co-founder. You can meet anyone.

  3. Shows of gratitude: People regularly give and receive sincere appreciation. If you’re thankful for someone, you can send Karma (@username++) in their #design or #engineering channel or make a virtual post-it note. Team meetings always open or close with live appreciations. There’s a virtuous cycle of sharing gratitude, receiving it, and feeling a sense of belonging, which inspires more gratitude…

  4. Thoughtful gifts: People treat gifts as another expression of gratitude. Over the holidays, for example, it’s common for leaders to send a box filled with teas or hot chocolate to their team from a local store like Zingerman’s. Surprise parties and Photoshop shrines often celebrate your 3rd or 5th year. The message is clear: we really appreciate you.

  5. Campfire moments: People make space for intimate conversations. On design retreats, for example, there’s a journal activity about your proudest recollection of Duo. Everyone writes down a mini-story and shares them over a virtual campfire. Remember that one time when everyone showed solidarity to a colleague who had lost his partner. Or when we threw a virtual baby shower. By making space for campfire moments, people retain a sense of intimacy even while working remotely.

  6. Personalized welcome: People get a personal introduction to Duo. Each group of newbies spends time with the founders, Dug and Jon, who walk you through a presentation about the company. You learn their purpose and plans for the future. You have lunch. Afterwards, there’s a role-tailored 30/60/90 day plan that spells out suggestions — people to meet, teams to shadow, things to read — that help you acclimate during your first months. A mentor gives you even more personalized tips.

  7. Caring personally: Managers are relationship-focused and genuinely care about people on their teams. For example, one manager spent hours writing a 2-page email full of handpicked design resources to answer a question that someone had asked during the interview process. Another went to great lengths to seek out opportunities — guest speakers, projects, mentors, etc. — after I expressed an interest in creative writing. People still get drinks with their former managers, even years after leaving the company. As the saying goes, “We want Duo to be known as a great place to be from.” When you know that people care about you, not just your work, it makes a huge difference. 

I first felt a sense of belonging at Duo during my interviews at the group’s R&D headquarters in Ann Arbor. I had talked to nine designers, engineers, and product managers that day. I didn’t recognize it at the time, but I felt a sense of “They get me” and “It’d be great to work here someday.” Today I understand that many ingredients — from a personal touch to collision-rich spaces — come together to create belonging.

A shared identity 

Successful groups have a strong sense of identity. Patagonia, for example, values using business to protect nature. They’re on a mission to save our home planet. City Year puts students first, and so on. Nurturing a common sense of self and attracting people with whom it most resonates is a huge enabler of impact. 

How Duo does it:

  1. Strong values: People have a well-practiced set of values. There are three to live by: be kinder than necessary, learn together, and engineer the business. They’re what Timothy Morton calls hyper-objects. You only see them in small patches, maybe part of a Duo livestream or deep in a Webex chat, but their presence is much larger and fully seeped into everyone’s behavior. There’s a huge emphasis on authenticity, walking-the-walk. It’s not uncommon when onboarding a new person for someone to say, “yep, kinder than necessary, it’s not just a saying — people are really like that”. 

  2. Sustained mission: People have long-supported Duo’s mission to democratize security, and make it easy and effective for everyone. The mission appears unaltered since the group began in 2009. This resoluteness brings a certain sense of stability, a “this is ok”, even during times of change. When COVID practically invaded the world back in 2020, for example, you could find solace in this ongoing purpose. 

  3. Symbols and artifacts: People take care to physically embody Duo’s values and mission. The words “kinder than necessary” are on wall-art, laptops, drinks, clothing. When Dug walks to a mic on stage, you know it’s only a matter of time until he pulls a “Duo values” reference into the conversation. These reinforcements are oxygen to a flame: they keep a shared identity alive.  

  4. Folk tales: Leaders pass on great stories. Once, for example, there was someone at Duo who recently lost a life partner. In a show of solidarity, people showed up to the next group gathering wearing shirts of classic rock, his partner’s favorite kind of music. Another time, a large company (not a Duo customer) was going through a particularly nasty data breach. Their engineers stayed up at night trying to fix the problem. So people at Duo delivered pizza. Stories like that, that shine a light on common humanity, are the ones that get passed down to new generations. Together they create an even stronger sense of shared identity. 

There’s a big difference between saying you share values (read: many corporate websites) and actually living by them. I felt Duo’s authenticity from the moment I first spoke to someone there and realized wow, this lady is the human embodiment of “kinder than necessary.” And now I understand that strong values can flourish with the right symbols, artifacts, and stories to support them.

Culture’s true impact

Living in a healthy culture physiologically changes your state of being. 

That’s the most significant thing I learned from a 2-year immersion — something that you simply can’t grasp from reading a book, watching a video, or taking a course. 

Before Duo, I had a lot of paranoia and stress at work. My “fight or flight” response had kicked into high gear, due to a couple of traumatic experiences, so I was always on guard for potential threats. I developed a harsh self-critic that was never satisfied, it seemed, by anything. My Apple Watch logged above-average resting heart rates, sometimes accompanied by chest pain. The doctor said to keep an eye on it and tell her when I needed anti-anxiety medication. 

But a few months into joining Duo, I noticed a change — I had walked into an environment that felt safe, surrounded by people who shared my values and purpose, and felt like I really belonged. My heart-rate slowed back down. The chest pain came in light bursts, then stopped altogether. I’m building up my new, more positive neural pathways (one way to overcome a harsh inner critic), and healing over time. 

Once you discover the signs of a healthy culture, you can’t unsee it. 

If you take one thing from this post, I hope it’s this: Don’t compromise on culture. If there’s anything that the COVID-19 pandemic, burnout and the Great Resignation have illuminated, it’s that you deserve a healthy place to work. You spend too many hours “at work” to not surround yourself with a great culture. 

Companies with truly great cultures — like Duo, according to what I observed over the last two years — can seem like a rare breed nowadays, but they’re out there. Don’t compromise. It might just change your life. 

Come Build With Us

At Duo, we protect our customers so they can pursue their passions. We’re looking for enthusiastic, proactive people who are driven to help others, make the world a better place through technology, and cultivate their career path along the way. If you get a kick out of collaborating with inspiring teammates, creating and supporting products that really make a difference, we want you.

<![CDATA[Behind the Scenes: Migrating Duo to Kubernetes]]> gdury@duo.com (Guillaume Dury) https://duo.com/blog/behind-the-scenes-migrating-duo-to-kubernetes https://duo.com/blog/behind-the-scenes-migrating-duo-to-kubernetes Product & Engineering

Duo Security has historically been a Python shop hosted on Amazon Web Services (AWS) and Amazon Elastic Compute Cloud (Amazon EC2) instances. Like many tech companies, we originally adopted a three-tier architecture — consisting of load balancers, servers and databases. And, as we have grown, we also added caching to the stack to better meet our customers' needs.

This three-tiered architecture is great, but also comes with its own set of challenges, which Duo and many companies have sought to mitigate with their own internal tooling.

Here are some of the largest challenges that come with our original approach:

  • Multiple teams working on the same code base (which has the advantages of making it easier to manage dependencies and facilitating cross-project changes, but also comes with disadvantages, like small changes having a larger ripple effect and making the deployment process more complex)

  • Lengthy lead time to move app updates from development to production

  • Impediments to scalability and cost optimization

To address these challenges, our site reliability engineering (SRE) team started investigating microservice architecture — a new paradigm theorized by Martin Fowler, the “father” of microservices.

The approach goes something like this: Splitting large, monolithic programs into smaller, self-contained, loosely coupled services allows for faster iteration and more independent work to be done by various teams. The technology that enables this is known as containerization — basically, creating lightweight, standalone executable packages of software code that are more nimble and easier to work on independently, compared to a single, massive code base.

A shift to a microservices model comes with its own set of challenges — like additional complexity — but an open-source system known as Kubernetes, or K8s for short, offered promise for automating deployment, scaling and managing containerized applications.

Kubernetes at Duo

While Kubernetes initially had strong competition from several other frameworks, it soon emerged as the industry standard.

As you can imagine, migrating from a classic three-tier stack to a microservices architecture is not an easy task. Our SRE team started discussing a K8s migration proof-of-concept in 2020. We needed to vet K8s to ensure that it was going to meet our high standards for reliability, availability and, most importantly, security.

As an organization, we decided to gradually migrate portions of our codebase to Kubernetes. Rome was not built in a day, as they say, and so neither was our infrastructure. We also wanted to avoid side effects that could arise when migrating everything all at once.

To share the knowledge and document all the technical choices made around the migration, we created an architectural decision record (ADR) to capture our decision-making. This also has the advantage of giving context to new engineers as they on-board, and it has drastically decreased the need for future discussions around why individual technological choices were made.

Technical challenges

Our SRE team faced several challenges in implementing Kubernetes, both technological and operational.

The impossible vanilla cluster

When a piece of software is ready to be used without any customization, we call that “vanilla.” But it was obvious that the K8s vanilla cluster did not meet our needs for security, configuration management, policy verification or networking. While several tools have been developed to help manage and simplify the complexities of Kubernetes applications — such as Helm, which bundles various resources into “charts” that can then be installed with one command — we went with kustomize, which offered more granular control over our cluster. Today, we have around 30 addons installed on our cluster to make it workload-ready.

Dealing with legacy and hybrid software

One of the main advantages of containerization, and a key to its success, is its low installation friction. Indeed “dockerizing” an application is usually trivial since Docker enables infrastructure engineers to easily replicate the underlying operating system (OS) layer with all the dependencies.

However, I say “usually” because working at a certain scale and with security in mind brings other dependencies, and sometimes complicated processes. For us, the challenge was figuring out how to replicate all of our EC2 dependencies inside Kubernetes. That’s why today we have a hybrid stack, where EC2 and Kubernetes workloads are both well-integrated into the same logging and monitoring tools. This was done to ensure technical consistency and make sure that K8s was not going to be disruptive.

Identity management

Identity management was also a key challenge. Kubernetes presented a whole new infrastructure perimeter — and while we had AWS roles, permissions and accounts segregation in place, it was hard to replicate on K8s. Since we are relying on Amazon Elastic Kubernetes Service (EKS), we are combining AWS roles and Kubernetes roles by relying on AWS to manage access identity and authorization to our clusters. Today, although our current access level is uniform, one of our challenges is to bring role-based access control into our cluster to allow for more granularity to be able to promote more ownership for our software development teams.
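The granular, per-team access described above can be expressed by mapping an IAM role to a Kubernetes group in the EKS aws-auth ConfigMap and then binding that group to a namespace-scoped Role. This is an added illustration, not Duo’s configuration; the account ID, role ARN, namespace and team names are placeholders.

```yaml
# Added example (not Duo's configuration). Placeholders: the account
# ID 111122223333, the IAM role name, the "payments" namespace and the
# "payments-developers" group.
#
# 1. EKS maps an assumed IAM role to a Kubernetes user and group.
#    Authentication stays with AWS; authorization happens in-cluster.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/PLACEHOLDER-payments-dev
      username: payments-dev:{{SessionName}}
      groups:
        - payments-developers
---
# 2. A namespace-scoped Role: what the team may do in its own
#    namespace, and nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-developer
  namespace: payments
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch", "update"]  # roll out, not delete
  # Deliberately absent: "secrets". Reading Secrets stays with the
  # platform team until a narrower grant is justified.
---
# 3. Bind the group from aws-auth to that Role, in that namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-developers
  namespace: payments
subjects:
  - kind: Group
    name: payments-developers   # must match the group in mapRoles
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: payments-developer
  apiGroup: rbac.authorization.k8s.io
```

To confirm the boundary before handing the role to a team, impersonate the mapped identity: `kubectl auth can-i get secrets -n payments --as=payments-dev:alice --as-group=payments-developers` should answer `no`, while the same check for `deployments` should answer `yes`.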

Operational challenges

Code doesn’t exist in a vacuum. In any organization, technological challenges are paired with operational challenges. How do you get a whole engineering organization to learn, adopt, use and grow a new technology?

Knowledge sharing

Earlier I mentioned how developing an ADR was a foundation of the Kubernetes project at Duo. But be mindful: it takes more than a few wiki docs to get an organization moving in a new direction. Over many presentations to everyone from senior leadership to individual contributors, we created excitement around the project and understanding of K8s strengths and drawbacks. We also developed dedicated documentation and workshops to ensure that teams were well-armed to move their services over to Kubernetes.

We fostered internal collaboration by creating a Kubernetes learning group, which would gather every two weeks to ramp up our skills and work toward Certified Kubernetes Administrator certification. We also learned from the mistakes of others through an archive of Kubernetes failure stories. Indeed, learning by understanding the failures of other companies would give us precious insights on how to operate K8s. We ran a Kubernetes book club across the organization to introduce K8s concepts and spark discussions about architectural decision making in the Kubernetes space. Lastly, we would often invite subject-matter experts to present on a particular area of K8s, such as networking, scaling and so on. This helped ensure our training stayed aligned with our actual implementation at Duo.

The last challenge I will talk about is recruiting. While Kubernetes is the industry leader for container orchestration, it’s challenging to find engineers who are experienced with it. It has a steep learning curve and requires significant time investment to learn.

And while Kubernetes has a strong reputation for scalability, we have found it to be a large leap from operating a cluster with a few nodes to operating dozens of clusters with dozens — or even hundreds — of nodes and high-volume traffic. That’s one of the reasons there are only a handful of companies operating with this kind of infrastructure. That’s why, within Duo, we created a dedicated team of people with Kubernetes experience to help bridge the gap between core engineers working on maintaining the cluster, and software developers who wanted to tap into Kubernetes. This team, SRE Applications, helps maintain and promote K8s knowledge while keeping the software development team’s perspective in mind, too. And, of course, we are always looking for engineers with Kubernetes experience!

Where things stand today

Today at Duo, we are serving our customers from 10 regional data centers across the world and are about to add two more. In our biggest cluster we have around 400 pods running currently to ensure we serve our customers from around 20 different services.

The advantages to our shift to Kubernetes have been striking. It used to take a dozen hours to redeploy a service after its code was updated. Today it takes about 10 minutes. And simple configuration changes can be deployed in less than five minutes. This allows us to be more nimble in pushing needed updates to our customers as quickly as possible, while still maintaining our focus on security and quality.

The road to Kubernetes implementation was not easy, especially since it introduced a new way of doing things on the application layer as well. Kubernetes has a steep learning curve, so engineers need time to experiment and learn. At Duo, we overcame those operational challenges by investing in training, recruiting and nurturing collaboration. For the technical challenges, we bridged the gap between traditional and new architectures with hybrid workloads and we hardened our clusters.

The benefits of Kubernetes are numerous. There are good reasons it has become the standard: it is built on the foundation and the knowledge of engineers who worked on Borg, and it is the new abstracted layer for the infrastructure. Because it is open source, with no fewer than 3,180 contributors today, we can rely on it with trust and drive our own audits if necessary.

Yes, there are more challenges to overcome to fully integrate Kubernetes in our stack, but we are also now leading a proof-of-concept with the new big thing in the infrastructure world: service mesh. Come experiment with us!

<![CDATA[Cyber Liability Insurance Essentials for Small and Medium-Sized Enterprises]]> ocheal@duo.com (Oliver Cheal) https://duo.com/blog/cyber-liability-insurance-essentials-for-small-and-medium-sized-enterprises https://duo.com/blog/cyber-liability-insurance-essentials-for-small-and-medium-sized-enterprises Industry News

For as long as organizations have existed to grow crops, move goods or produce items there have been insurance firms to help these markets survive cyclical events. As we’ve moved to digitize our economies, a trend that hugely accelerated during the pandemic, this age-old industry has come to the fore. It’s been fascinating to see this most traditional of industries being thrust into the center of one of the most relevant business topics of our era — cybersecurity risk. In this blog we explore how small and medium-sized enterprises (SMEs) in particular can mitigate these risks to get a manageable insurance cover, so they can focus on making their business thrive in today’s uncertain times.

The pandemic gave rise to unimaginable amounts of change to applications and user workflows in a remarkably short space of time. So much so that McKinsey research indicates that this acceleration was 20-25x pre-pandemic levels. When you accelerate change to this degree and move your workforce to an entirely new dynamic of hybrid work, it is inevitable that fast workarounds may not be as secure as they could be. 

As a result, organizations have been exposed to significant risks as threat actors have stepped up their game in response to the massive increase in opportunity. This has been borne out by the explosion in cyber attacks and resulting payouts from insurers, even to the extent that AXA France has signaled that it will not be paying out for ransomware attacks, a move that is not all that surprising when you hear that in 2021 businesses suffered 50% more cyberattacks than in 2020.

In my conversations with insurers, many have been playing multiple roles; helping companies put basic controls in place, insuring them against loss and assisting them to recover should the worst happen. As they are at the financial heart of this problem, insurers have run some extremely insightful analysis of exactly which losses cause the most financial harm and therefore where to place cyber investments.

The consensus from the insurers I have spoken to is that the largest area of focus needs to be around hybrid work with effective security for Remote Desktop Protocol (RDP), as attacks in this area have been a great source of loss for them and their clients. This point is further backed up in reports that RDP attacks grew by 768% in 2020.

So what can SMEs do to protect themselves, especially when they might not have extensive IT resources in place?

Many SMEs have a decent handle on the basics, but most struggle with ensuring that they patch consistently and that users are who they say they are. One of the most important steps they can take to safeguard their businesses is to employ multi-factor authentication (MFA). In short, MFA gives organizations the ability to ensure that users trying to access applications and devices are who they say they are and not anyone else. A good MFA solution can also provide full visibility into the attributes and behaviors of the devices that access your applications via a device inventory. Unsurprisingly, we are seeing more and more MFA requirements in cyber liability insurance policies, as it has such a significant impact in reducing the chance of financial loss.

“I’d say multi-factor authentication is what’s going to mostly determine your ability to purchase cyber insurance.” —Cole Haney, Assistant Vice President, Professional and Cyber Practice, Hays Companies

But not all MFA solutions are created equal. And many are not created with the needs of SMEs in mind. So what should these kinds of firms look to have in place to keep those premiums manageable?

Without extensive time or resources to expend on complex implementation, SMEs need an easy-to-deploy, easy-to-use cloud-based MFA solution that integrates with their existing infrastructure. Authentication methods should also be flexible enough to fit into any SME’s workflow requirements, whether that is push notifications, tokens or biometrics.

Along with MFA, demonstrating security awareness and behaviors across the business can help mitigate risk and help lower cyber liability insurance premiums. With a self-remediation facility, SMEs can keep an overview of device security hygiene while empowering users to take control of their own security concerns. A strong device health app that checks for a firewall, disk encryption and an up-to-date operating system can help build strong security habits that paint a positive picture for insurers.

Logically, issuance of corporate-owned devices may seem to be a safe way to demonstrate control over a firm’s IT security. However, this is simply not feasible for SMEs who need to rely on a ‘bring your own device’ (BYOD) policy. Additionally, many of these firms depend on temporary workers. According to SME Today, ‘with a greater reluctance among candidates to seek new roles due to uncertainty and concerns over job security, the gig economy (temporary workers and independent contractors) will only continue to rise’. This is why it is crucial SMEs have access controls and complete visibility into endpoint security across all devices, whether personal or corporate-owned, no matter the length of time they are needed for.

Finally, it is crucial that SMEs can show that their cybersecurity coverage grows as they do, to avoid future penalties. Their solution needs to scale to meet the company’s security needs, with the ability to add users and devices at any time. It should feature MFA that pairs with single sign-on to create a consistent login workflow across all applications, and that syncs with directories so that policies stay current even as the user base changes.

As we move forward, we will see the insurance market develop such that the best premiums will be on offer to those companies with a series of basic security controls in place, and undoubtedly MFA will be among them. Organizations that have embraced these steps will be making themselves more resilient, reducing their chance of loss and ensuring that they’ll be well supported by their insurance partner should the worst come to pass. Duo can help organizations comply with insurance requirements through MFA, device trust and least-privilege access policies.

For more information download our Cyber Liability Insurance Guide. Or, contact an expert and sign up for a free trial to learn how an MFA solution can improve your security posture.

Balancing Convenience and Caution with One-Time Passwords | Deidre Ellis (dellis@duosecurity.com) | https://duo.com/blog/balancing-convenience-and-caution-with-one-time-passwords | Product & Engineering

From chat rooms, to emails, to bank accounts, to medical information, proving that someone is who they say they are is a continuously evolving challenge. One-time passwords (OTPs) have become mainstream because a randomly generated, single-use code solves many of the security problems of a static password tied to a static account. However, recent trends show that bad actors are targeting organizations by phishing OTPs alongside the password.

Let’s review what one-time passwords are, how phishing takes advantage of them, and how multi-factor authentication can help mitigate this risk.

What is a One-Time Password?

A one-time password is an automatically generated, single-use code that is delivered to, or generated on, a device the user is known to possess. To authenticate with an OTP, the user enters that code into the login screen of the application they are trying to access.

How Phishing Attacks Can Capture OTPs

Attackers may gain access to a user’s account by sending a phishing email that contains a link to a page imitating a familiar login page. The fake login page collects the username and password and then redirects the user to a fake authentication page that mimics the look and feel of a well-known OTP provider. Here, the user is prompted to generate a one-time passcode and enter it on the fake OTP page. The attacker now holds the user’s primary credentials and a freshly generated code, and can use both to log in to the real service while the code is still valid.

Cisco Secure Talos recently observed instances of a scenario like this, executed with fake Duo authentication pages as well as other access providers.

Quick Tips to Mitigate Risk Around OTPs

  • Check your OTP settings and only enable OTP if required.

  • When applicable, encourage users to use other authentication options, such as security keys.

  • Educate your users about security hygiene topics, like confirming whether an email or website is legitimate, or rejecting a fraudulent request:

    • Check the links and URLs in any message asking you to enter credentials.

      • Is the URL secure (https)? Keep in mind that a phishing page can be served over TLS too, so https is necessary but not sufficient.

      • Do the links go to your official organization (for example, a domain ending in .edu for academics)? Check the actual host name, not just whether the expected name appears somewhere in the link.

      • Does the authentication site go to duo.com (or whatever access provider your organization uses)?

    • Deny any suspicious authorization request.

      • Did you request this access to the stated application?

      • Is the request coming from your location?

  • For Duo users specifically, Duo Mobile offers the ability to generate a one-time passcode. The primary use case is offline 2FA access. If you don’t need offline access in your organization, Duo strongly recommends checking your settings and turning this feature off.

  • Whenever possible, train your community to use security keys or Duo Push through the app. These are the most secure remote authentication options, as illustrated in the original post.
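The three link checks in the list above are easy to get wrong by eye, so here is an added example (written for this edit, not code from the original post or from Duo) that applies them programmatically: it parses a link and accepts it only when the real host sits under an allowed domain over https, rejecting look-alike hosts and userinfo tricks that a substring match or a padlock icon would let through. The allowlist (example.edu and duo.com) and the sample links are constructed for illustration.

```python
"""Classify links found in messages that ask for credentials or an OTP.

Constructed example for this edit, not code from the original post or from
Duo.  The allowlist and sample URLs are made up for illustration.
"""
from urllib.parse import urlsplit

# Constructed allowlist: the organization's own domain plus its access provider.
ALLOWED_DOMAINS = {"example.edu", "duo.com"}


def host_matches(host, domain):
    """True if host is exactly domain or a subdomain of it (login.example.edu),
    never a look-alike such as example.edu.attacker.net or example-edu.net."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_link(url, allowed=ALLOWED_DOMAINS):
    """Return (verdict, reason) for a link that asks for a password or passcode.

    The order of checks matters: the host is judged before the scheme, because
    'it uses https' says nothing about who is on the other end."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "reject", f"unexpected scheme {parts.scheme!r}"
    host = parts.hostname or ""
    if not host:
        return "reject", "no host in URL"
    # Credentials in the authority part (https://duo.com@evil.test/) are a
    # classic way to make the real host look like something trusted.
    if parts.username is not None:
        return "reject", f"userinfo in URL hides the real host {host!r}"
    if not any(host_matches(host, d) for d in allowed):
        return "reject", f"host {host!r} is not under an allowed domain (TLS does not make it one)"
    if parts.scheme != "https":
        return "reject", f"{host!r} is expected but the link is plain http"
    return "allow", f"host {host!r} is under an allowed domain over https"


if __name__ == "__main__":
    # Constructed sample links: one legitimate, the rest typical phishing shapes.
    for link in (
        "https://login.example.edu/sso",
        "https://example.edu.attacker.net/login",
        "https://duo.com@attacker.net/auth",
        "http://login.example.edu/sso",
        "https://example-edu.net/login",
    ):
        verdict, reason = classify_link(link)
        print(f"{verdict:6s} {link}  ({reason})")
```

The first rejected link is the one that defeats most users: it is served over https and the string "example.edu" is right there at the start of the host, but the registrable domain is attacker.net. The same parsing logic can sit in a mail-gateway rule or a browser extension; what it cannot do is tell a user whether they initiated the login, which is why the "did you request this?" check in the list still matters.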

If you have any questions about this trend or what Duo can do to help protect you and your applications, please contact Duo Support.

What Duo Unix Administrators Need to Know About Pluggable Authentication Modules | Jessica Quiroga (jquiroga@duo.com), Briar Scott (bscott@duo.com) | https://duo.com/blog/what-duo-unix-administrators-need-to-know-about-pluggable-authentication-modules | Product & Engineering

One common hurdle for systems administrators setting up new Duo Unix integrations is PAM — Pluggable Authentication Modules.

With PAM, some advance planning will help prevent running into issues later on. That’s because modifying PAM incorrectly can lead to some serious problems, like bypassing Duo altogether or locking users out of their machines.

We hope that the guidance below, combined with our extensive documentation, will help those setting up new integrations get their systems configured quickly and easily.

What is PAM?

PAM stands for Pluggable Authentication Modules. It is the framework that Linux and other Unix-like systems use to standardize authentication: services such as sshd, login and sudo hand the decision to a configurable stack of modules instead of implementing password checks themselves.

What Does Duo Use PAM For?

Duo makes use of PAM to provide 2FA during login to a Unix system. We integrate with your existing PAM stack configuration, so it’s important that you have a working system before adding Duo.

PAM Basics

  • PAM keeps a global state for the stack that determines whether an authentication fails or succeeds. If the state is true when the stack finishes, the authentication passes; otherwise it fails. The state is updated from the outcome of each module according to that module’s control flag.

  • PAM has four module types (also called management groups): “auth,” “account,” “password” and “session.” In this context, our concern is the “auth” type.

  • Each module in the PAM stack will have a different control flag indicating what should happen if the module is passed or failed.

Setting Control Flags

For PAM to function as desired, make sure to properly configure control flags. These come in several different “flavors” that determine whether the stack continues or stops after a module passes or fails, and how the module’s result affects the global state.

The requisite, sufficient and required flags each lead to different outcomes.

Requisite: If a requisite module passes, then continue down the PAM stack. If a requisite module fails, then set the global state to false and terminate the PAM stack, failing the authentication.

Sufficient: If a sufficient module passes then set the global state to true and return, succeeding the authentication (there are stipulations on this which will be detailed later). If a sufficient module fails, then do not set the global state to true and keep running the PAM stack.

Required: If a required module passes, then continue down the PAM stack. If a required module fails, then set the global state to false and continue down the PAM stack. The rest of the stack still runs, but nothing later can set the global state back to true; the first failure is the one that gets reported.

For example, if the user fails a required module but later succeeds at a sufficient one, the global state stays false. Linux-PAM only returns early on a sufficient success when no prior required module has failed, so the remaining modules still run and the authentication ultimately fails.

This is useful against brute force attacks: the user is prompted for the second factor whether or not the password was right, so an attacker cannot tell from the presence of the Duo prompt whether they failed the password check or the Duo check.

The requisite, sufficient, and required flags are the most common ones you’ll see in a PAM stack, but wait - there’s more!

Include and Substack: These flags pull the lines of the same module type from another PAM configuration file into the current stack. The difference is scope: with Include, a sufficient success (or a requisite failure) inside the included file ends the whole stack; with Substack, it ends only the substack, and evaluation continues with the parent stack.

Optional: This flag allows you to run a module without the outcome of the module affecting the global state.

Return values and actions: PAM modules are not limited to returning only pass or fail. Linux-PAM defines over 30 different values that a module might return. Instead of one of the keyword control flags (required, sufficient, requisite and optional) you can use the bracketed syntax [value1=action1 value2=action2 ...], assigning one of seven actions (ignore, bad, die, ok, done, reset, or a number of following modules to skip) to each return value, with default covering any value not listed.

The action says how that return value contributes to the overall pass or fail result returned to the application for the whole stack. Each of the four keywords (required, requisite, sufficient and optional) has an equivalent expression in the bracketed syntax, as documented in pam.d(5):

required = [success=ok new_authtok_reqd=ok ignore=ignore default=bad]
requisite = [success=ok new_authtok_reqd=ok ignore=ignore default=die]
sufficient = [success=done new_authtok_reqd=done default=ignore]
optional = [success=ok new_authtok_reqd=ok default=ignore]

The Order of the Modules is Significant

Note: If a prior required module fails and a later sufficient module passes, access will be denied. Put another way, the order of required modules relative to one another does not change the result; what matters is where sufficient and requisite modules sit relative to the required ones, because those are the flags that can stop the stack early.

The following stack says access is allowed if both modules A and B pass, or if both modules A and C pass:

auth required pam_moduleA
auth sufficient pam_moduleB
auth required pam_moduleC

On the other hand, the policy implemented with the following stack says to allow access if module B passes, or if modules A and C both pass. A sufficient module placed first can grant access on its own, before any required module has run:

auth sufficient pam_moduleB
auth required pam_moduleA
auth required pam_moduleC

Common PAM Modules

These modules are among the most common ones seen in a PAM stack, particularly if you’re configuring a new system. Duo does not interact with them directly, but some of them are likely to be part of an authentication:

  • pam_unix.so: First factor authentication that uses /etc/passwd and /etc/shadow to check passwords

  • pam_permit.so: Always allows access

  • pam_deny.so: Always denies access

  • pam_sss.so: Authenticates through SSSD, which in turn talks to LDAP, Active Directory or another central identity provider

  • pam_krb5.so: Allows authentication with Kerberos

Other Flags

These are module arguments (options appended to a module line, most often pam_unix.so) rather than control flags. They are less common, but you may still encounter them as you configure your stack:

  • nullok: Users can have a blank password and still access the machine. With 2FA in the stack this leaves Duo as the only real factor, so avoid it on anything reachable over SSH
  • nullok_secure: Same as nullok, but the blank password is only accepted when PAM_TTY is set to one of the values listed in /etc/securetty (a Debian-specific argument)
  • try_first_pass: Try the password supplied to a previous module first; if it is wrong or not available, prompt for a new one
  • use_first_pass: Must use the password supplied to a previous module, and fail if it is not available or does not work

Putting the Pieces Together

Now that we know the basics, let’s talk about what’s going on in this authentication.

When a user tries to log in, we will run the auth service.

The user will be prompted for a password with pam_unix.so. If they type in the correct password, then they will be shown a Duo Unix prompt. If they successfully authenticate with Duo (via push/passcode/phone call/SMS), then the global state will be set to true and they will successfully authenticate.

If the user enters a wrong password, the required pam_unix.so module sets the global state to false, but the stack continues and the user is still shown a Duo Unix prompt. Even if the user then succeeds with Duo, the sufficient module cannot turn a failed state back to true, and the authentication fails.

If the user has a wrong password and also does not authenticate successfully with Duo Unix, the sufficient module is simply ignored and pam_deny.so runs. It sets the state to false (though the state is already false) and, as the last module in the stack, ends the evaluation.

How Do I Navigate This as a Duo Administrator?

There are a lot of moving pieces here, and it can be tricky to pinpoint where Duo comes into play. Our documentation provides several examples to help you integrate the Duo module into your environment. It is important to remember that your PAM stack may not match our examples, and having a strong understanding of the control flags above will help you ensure that you’ve added Duo at the right step.

Our Support teams have seen an untold number of different configurations, and they’re here to help you if you’re seeing specific Duo-related errors. Because each PAM stack is different, they may not be able to assist you in troubleshooting your specific configuration. That being said, our engineers have built a tool that can pull the necessary logs for troubleshooting, and it’s a great place to start tracking down any issues.

One of the best ways to determine if you’re seeing a Duo-related issue or if the PAM stack is configured incorrectly is to check your logs to see if the Duo module is ever engaged. If it isn’t, something in the stack is causing the Duo portion to be skipped, and you’ll never see 2FA.

A few other best practices to follow:

  • Always make a backup copy of the /etc/ssh/sshd_config prior to implementing Duo.

  • Always make a backup copy of your PAM configuration files in /etc/pam.d prior to implementing Duo.

  • Always test logins post-configuration with a separate terminal session, to prevent yourself from being locked out.

One last thing to remember is that there are many different Unix distributions out there, each with its own configuration quirks. We do our best to ensure that pam_duo is as widely compatible as possible, but we’re not able to test every possibility. Ensuring that you have a strong understanding of how to configure your PAM stack before involving Duo will ensure that you’re ready for the next step of securing your systems.

Announcing General Availability of Remote Desktop Protocol Support for Duo Network Gateway | Seema Kathuria (skathuria@duo.com) | https://duo.com/blog/announcing-general-availability-of-remote-desktop-protocol-support-for-duo-network-gateway | Product & Engineering

A few months ago, Duo announced the public preview of Remote Desktop Protocol (RDP) support for the Duo Network Gateway (DNG), and today we are happy to share that this capability is generally available for Duo Beyond customers. The DNG now allows users to access on-premises applications and desktops securely and easily via RDP, without requiring a VPN connection.

Over 50 customers have already used the new feature and are pleased with the ease of setup and deployment, strong security controls and positive experience for end users. To learn how this feature works, check out the blog post How New Duo Feature Lets Users Skip the VPN Hassle from two Duo Engineering team members.

For those unfamiliar with DNG, it is a remote access proxy security solution that enables organizations to provide zero trust remote access to web applications, web pages and Secure Shell (SSH) servers without requiring a VPN or exposing those applications to the internet directly.

It is no surprise that for an information worker, the new normal is about being able to access information and applications from any location and device. Convenient and seamless access to applications has become a must-have rather than a nice-to-have. For over two decades, the only way to access corporate applications – like the employee directory, HR applications and other SaaS applications – was to first remember to launch a VPN client on a corporate-managed device and then connect successfully. Fortunately, there is another way to get to many of those apps, and from any device – an alternative to VPNs.

Duo Network Gateway has already helped hundreds of organizations across multiple industries (technology and IT services, education, finance, healthcare and more) offer their workforces consistent and secure access to corporate resources from any device and location – and customers are already benefiting from adopting this solution.

“If you want to get rid of the VPN management burden, use the Duo Network Gateway to give access to your web and desktop applications. Users – and their access – are managed in the Duo Admin platform. No more firewall, no more AAA or whatsoever complicated thing. Once you go for DNG, you never go back.” –Antony Gallez, Operations Manager at Cameo Global, a New Era Technology Company

Longer term, we will build upon this enhancement. With this feature release, we have developed an architecture for the DNG that allows for protecting RDP today and more Transmission Control Protocol (TCP) services over time. In the coming months, as we continue learning from our customers about the applications that they are most interested in protecting with the DNG, we will support additional protocols. 

Modernizing Secure Remote Access for a Hybrid Workforce | Seema Kathuria (skathuria@duo.com) | https://duo.com/blog/modernizing-secure-remote-access-for-a-hybrid-workforce | Product & Engineering

Problem: The Traditional VPN Is No Longer Enough

Since the 1990s, virtual private networks (VPNs) have been well-suited for the purpose they were built for – to grant employees temporary access to corporate networks and resources when they weren't logging in from an office. While VPNs have since been the widely used standard in doing this, they weren’t built to handle a scenario in which most – or even all – employees wouldn’t be in a physical office for months at a time.

As we all know by now, today’s work environment has shifted to being largely remote. Driven significantly by the COVID-19 pandemic in 2020, remote work hasn’t been the ephemeral experiment some may have seen it as before: A recent survey by Upwork estimated that over 36 million Americans will be working remotely by 2025. While organizations could benefit from giving employees this added flexibility, IT and security teams have had their hands full.

With VPNs, employees are generally given broad access to the network without any sort of intentional vetting of their role, workgroup, device, or location. The massive influx of remote work has complicated this, as security vulnerabilities could be exposed through a traditional VPN. This has made it challenging for organizations to rely exclusively on VPNs for securing remote access for the entire workforce.  

Here are some of the modern-day realities that challenge traditional VPN usage:

  • Limited access to distributed applications, whether on site, available as a cloud software-as-a-service (SaaS) offering, or within a private cloud infrastructure like Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure.

  • Temporary workers, contractors and vendors might not be able to connect to company networks.

  • A significant increase in remote work at scale has put an unexpected and often unmanageable load on VPNs. It is no surprise then, according to Gartner’s analysis, that an estimated 60% of enterprises will phase out most of their remote access VPNs in favor of zero trust network access (ZTNA) by 2023.

Solution: Zero Trust Secure Remote Access 

Since 2014, when Google published BeyondCorp, its architectural approach to VPN-less access, many organizations have adopted a VPN-less approach for enabling access to private applications. They, too, have experienced the benefits over a VPN-only model. These benefits include:

Reduced Risk Through Application-Specific and Granular Access Controls  

A solution that enforces zero trust remote access policies is less permissive and highly granular. Every user must log in with multi-factor authentication (MFA), and every device is checked for its health posture, operating system updates and more before being granted access.

Streamlined Experiences for End Users and Administrators 

A zero trust solution gives way to a seamless end-user experience that enables high productivity, on site or remote. Users only see the applications to which they have access. Application access is simple and secure, irrespective of user and application locations. 

Flexible and Adaptive Security Policies 

Instead of being based on IP addresses and subnets, zero trust remote access policies are based on user identity and other factors, including endpoint posture, location and time. Also, security can be adapted to a broad range of users (for example, partners, suppliers and contractors) and devices (managed or unmanaged, corporate-owned or personally owned, also known as Bring Your Own Device (BYOD)).

Deployment That’s Simple, Less Cumbersome and Cheaper

With a zero trust solution, you don’t need to buy, maintain or upgrade VPN hardware. You don’t have to set up site-to-site VPNs, and deployment may be faster because there are not complex policies to configure. Furthermore, the costs for deploying and maintaining a zero trust solution may be lower than that for a VPN solution. 

To stay competitive in today’s marketplace, you need to offer flexible options to your employees, and security should be kept at top of mind. 

Consider adopting a zero trust remote access strategy that reduces complexity, enables security and keeps users productive on any device and from any location whenever they access corporate resources.

Try Duo for Free

Duo’s secure access solution – which includes the Duo Network Gateway – lets you validate user identities, continuously verify device trust, and protect every application without compromising on user experience. Try Duo free for 30 days.

Celebrating Women’s History Month: Women Senior Leaders from Duo Share Their Stories | Chrysta Cherrie (ccherrie@duo.com) | https://duo.com/blog/celebrating-womens-history-month-women-senior-leaders-from-duo-share-their-stories | Product & Engineering

At Duo, we celebrated Women’s History Month with a panel discussion on International Women’s Day, featuring women from Duo discussing the importance of challenging biases and misconceptions in pursuit of a more inclusive, gender-equitable world.

The panel consisted of five women senior leaders from Duo:

  • Jackie Castelli, Director, Product and Technical Marketing

  • Connie Dimitroff, Director, Go to Market

  • Megan Furman, Chief of Staff

  • Amber Lindholm, Head of Design

  • Iva Blazina Vukelja, Senior Director, Product Management

Bringing it all together was moderator Aubrey Blanche, Senior Director of Equitable Design, Product & People at CultureAmp, who helps organizations like ours build equitable processes, products and experiences to create meaningful, sustainable change.

We’re sharing some of our favorite quotes and lessons learned from the discussion:

Unique Paths to a Career in Technology

Iva Blazina Vukelja, Senior Director, Product Management, had the opportunity to take on a VP role at a startup. It made sense on paper, and it was a good next step based on her career trajectory. However, it would’ve required moving to another new country, building a life and learning a new culture again. Iva decided not to pursue the opportunity — which took her to where she is today:

“Sometimes we perceive that our career path is supposed to go in a straight line — there are expectations of society, our friends, our peers. But the reality is what’s ahead of us isn’t a straight line — it’s a starfield out there. There are many exciting, fun possible paths. It’s the essence of freedom that we have today, which wasn’t always there and wasn’t always granted.”

Amber Lindholm, Head of Design, was close to 30 and wanted to expand her options and what she was working on. She pursued a role at a world-class design consulting firm and was offered a three-month internship with no guarantee of a permanent position. Taking a chance on the opportunity, Amber and her husband relocated from Chicago to Austin, a city that they were unfamiliar with and where they had no other personal or professional roots.

“I believed I could take this leap and turn it into a larger opportunity in the future. In the short term it might not have looked good on paper, but I was able to work really hard and turn it into a full-time job at the end, and it opened doors to incredible opportunities and relationships.”

Megan Furman, Chief of Staff, went to graduate school for political science, but it wasn’t until she put her studies to work that her goals came into clear focus. After working for the Department of Defense and with other smart people who lacked the tools to help them answer the questions they needed to answer to be safe, she saw her future in tech.

“I had been leading one set of products, and that was important to me and interesting, but at the end of the day making sure our people are OK is so much more impactful.” For example, while mentoring someone about how to lead a program, Megan discovered that the way a customer spoke to her mentee was sexual harassment, and she immediately took actions to address it.

Tradeoffs Women Make in Service of Career Progress

Jackie Castelli, Director, Product and Technical Marketing, talked about the importance of women simply understanding that they’re more likely than men to have to weigh work-related decisions: “The obvious one is always, ‘I want a promotion, I want more responsibility,’ but you also need to understand that usually this comes with more work, and more work means less time for yourself, your family, your self-care. Are you comfortable with accepting this kind of tradeoff?”

However, she also pointed out this works in reverse; you can choose to prioritize something other than career advancement. Jackie shared an experience similar to Iva turning down a VP role: “I had a very technical career but wanted to get into product marketing. In order to do that, I had to take a demotion. I did it, but the tradeoff is seeing other people move forward with their career faster than I am. There’s no right answer; you have to do what’s good for you.”

Amber put it in a different perspective: “I don’t necessarily think of it as tradeoffs, but there are so many decisions that you have to make all the time that impact how you focus your energy.” As a career-oriented person in her 20s, she was unsure whether she wanted to add the role of “mom” to her identity.

Ultimately, Amber decided in her mid-30s to start a family and is incredibly grateful to now have three children. She also acknowledged the implications and challenges of being a parent, especially as a woman, that demand a lot of her mentally and physically. For example, she worked in a high-pressure, always-on consulting role, working until the night before having her first child. Immediately it was clear that lifestyle would no longer work for her. 

“I had to figure out how to say ‘no’ to certain things, or ‘not right now.’ Thinking through those decisions, I have to really prioritize what I can spend my time on now, what’s most important to me, and understand that even though I can’t do everything right now that I want to, there’s plenty of time to do those things.”

Experiences With Imposter Syndrome and Working Through It

Aubrey Blanche, Senior Director of Equitable Design, Product & People at CultureAmp, who moderated the discussion, shared the story Stop Telling Women They Have Imposter Syndrome. It details how “imposter syndrome took a fairly universal feeling of discomfort, second-guessing, and mild anxiety in the workplace and pathologized it, especially for women.”

To address imposter syndrome, we don’t need to “fix” women, but rather we need to focus on workplaces — making space for a variety of leadership styles and recognizing that diversity of backgrounds and perspectives is just as professional as the “Eurocentric, masculine and heteronormative” model we consider the norm. Another powerful way to deal with imposter syndrome is to shine light on it and speak it.

Megan reflected on her experience transitioning from Head of Operations to Chief of Staff: “When I first took on this new role, getting comfortable — with my voice, asking questions — took adjustment. I was feeling like, ‘Do I belong here?’ and there’s this amazing team of people who all told me the answer is, ‘Yes.’”

She also addressed the importance of pushing her boundaries, and understanding that there are layers to strengths and weaknesses: “There are things I’m really good at — those are in my comfort zone. And then there are other things that are a stretch for me, and other things that are kind of panic-inducing. Being conscious of that, and knowing that I’m building opportunities for myself where some things I’ll be great at and some things are gonna be really new — and I can’t expect the new things to feel the same way as the comfortable things, and I wouldn’t want them to — helps a lot. I also think about strengths and weaknesses. The things that are my strengths will also have a flip side that can be a weakness — being aware of that and working on that while remembering I have this weakness because I have this other strength.”

Iva often experienced imposter syndrome earlier in her work life, which influenced her to push things forward for people earlier in their careers as she advanced professionally. However, she realizes that as a woman, she risks being perceived as aggressive or abrasive, which can put a limit on her career growth: “There’s a lot of self-management to overcome the self-doubt and what I’m gonna call ‘internalized discrimination.’ It’s not necessarily that somebody will discriminate against me, but I’m expecting that they might because of what I’ve seen.”

This “internalized discrimination” often manifests in gender-based differences in how people approach job opportunities, as Iva observed: “Men will reach for more, and then learn the role and excel. Women will want to learn and get comfortable, and then want to reach for more. If a job posting has 10 bullets, a man goes, ‘OK, I check five of these. Good, I’ll apply.’ I’ve personally had to push women to apply to similar positions where they meet eight out of 10 requirements and think they’re not qualified. This is my plea: Please, ladies, if you want it, reach for it. At the worst, you’ll learn something about yourself, what they require for the role. Don’t negotiate against yourself!”

Intersectionality & Women Leaders Lifting as They Climb

Aubrey highlighted that Kimberlé Crenshaw coined the term “intersectionality” in 1989 to describe how sexism and racism combine to define and shape Black women’s experiences. As discussion around intersectionality has grown, it’s been used to understand different interlocking oppressions.

There’s no such thing as an intersectional person, but everyone has intersections that are unique and important — where we have advantages we can be allies; where we have disadvantages we can look to connect with our communities to understand the systemic barriers holding us back.

Connie looked back on how allies helped shape her career, and how as a senior leader she gets to return the favor. “We all have a specific set of privileges and disadvantages. This hits home for me because the allies I had helped me grow. I grew up in a blue-collar, food-insecure household. I was surrounded by folks who had jobs, not careers. I was the first one to go to college. I wasn’t polished — I learned you just do what it takes to get things done. We all come from different backgrounds, and it’s because of allies — and the proximity they gave me and what they saw in me — that helped me learn, grow and be successful in a complex environment like Cisco.” 

“My allyship practice shows up in two ways. One is more informal, and I think everyone can be an ally in this way, through day-to-day interactions in meetings or side conversations with others who I know can influence their career. I always create a safe space for everyone that I work and interact with for them to be themselves — that’s an important part of allyship. I also put others in a position to succeed and help them get what they want — inviting folks to a key meeting where they want to be involved or where they can be in a position to shine. More formally, my allyship is focused on giving back what was given to me. Participating in any forum like this, and doing other internal programs for mentorship and job shadowing so that I can grow my network and be an ally for many more people along the way.”

Advice for Work and Personal Life

The panelists each shared key words of wisdom:

Amber - “Listen to how you describe the things you’re doing. If you hear yourself often saying ‘should,’ this feeling of obligation, pay attention and ask yourself, ‘Is this really something I uniquely need to do?’ This saves me a lot from signing up to obligations that really aren’t serving me or helping me prioritize what I really need to do.”

Connie - “Live with intention and mindfulness in each moment. Just be present in that moment. Drive fierce prioritization, don’t try to do it all. From a career standpoint, ask yourself, ‘What are the two or three things that I need to prioritize in my job today, this week, this year?’ As you’re being mindful about your career, take the time to do the same for your personal life, because you need to put your mental and physical health first. If that’s not right, the rest doesn’t matter — and at the end of the day it’s you who gets to shape your life. If you don’t take the time to do it, no one else will do it for you.”

Iva - “Early in my career, I didn’t think about what I could achieve. I was just happy to have a seat at the table. Everything is on the table for you! You can set your mind to whatever you want to achieve, put your energy into it and plan around it. Temper that with time and understanding yourself and what matters to you. Ultimately you need to know what you want out of your life. Keep learning as you level up, and understand the boss at the end of all those levels is you. That’s who you have to understand and win against.”

Jackie - “Do not compare yourself to others. Nothing good ever comes out of that, and comparison is really like a self-imposed trap. It works great if you’re on top, but you’ll never be on top all the time, and that’s really going to ding your confidence. It’s useless and pointless — your path is your own, your values are your own. You know what you’re doing, and you’re doing it for yourself. You’re your own boss, so there’s really no need for you to compare yourself to others unless you want to feel bad. Don’t do that!”

Megan - “You’ll have to say no to some things — sometimes personal, sometimes work. Your ‘no’ can be an opportunity for someone else. It’s like, ‘No, I don’t have the capacity to work on that right now, but here’s an amazing person who I’m sponsoring who would be really excellent to work on that thing,’ or ‘Here’s an opportunity that’s not right for me right now, but here’s this other person.’ Taking the time to be really mindful about those things is a wonderful thing that you can do for yourself, because you’ll feel good — and a wonderful thing to do for the people around you, because you’ll be lifting them up.”

Come Build With Us

At Duo, we protect our customers so they can pursue their passions. We’re looking for enthusiastic, proactive people who are driven to help others, make the world a better place through technology, and cultivate their career path along the way. If you get a kick out of collaborating with inspiring teammates, creating and supporting products that really make a difference, we want you.

<![CDATA[Site Reliability Engineering Spotlight: Powering Our Platform to Support Our Customers]]> klittonruggiero@duo.com (Kathryn Litton) https://duo.com/blog/site-reliability-engineering-spotlight-powering-our-platform-to-support-our-customers https://duo.com/blog/site-reliability-engineering-spotlight-powering-our-platform-to-support-our-customers Product & Engineering

Duo Security is now part of the largest enterprise cybersecurity organization, Cisco Secure. We’re actively seeking both back-end and front-end developer and software engineering talent to help expand our reach even further. Duo’s Site Reliability Engineering (SRE) team in particular is experiencing an increase in demand, in direct proportion with both technical advancements and Cisco’s overall expansion of its cybersecurity investment.

Back in 2018, Cisco’s procurement teams made massive strides within the cybersecurity industry by way of multi-billion dollar purchase and acquisition agreements with cybersecurity companies like Duo Security and Umbrella. Today, modern security solutions like zero trust, Secure Access Service Edge and extended detection and response are evolving rapidly within Cisco Secure. As a result, there’s an imminent need for more front-end representation.

By bolstering consumer accessibility (for example, ensuring the websites are working as effectively as they should), SREs at Duo play a vital role in keeping the world safe. The SRE team is a diverse, collaborative work environment that empowers its engineers both inside and outside of the workplace. In this post, we’ll introduce you to some of our SREs.

Laura Garza, Deepak Bhaskaran and Sanket Gajjar from Duo’s Site Reliability Engineering team

Laura Garza is a nature-lover, wife, dog mom and SRE at Duo. She explains how her job at Duo has empowered her as a changemaker not just within the industry, but also as a woman. Even with a large enterprise overhead, she feels that Duo’s people-focused ethos has been anything but swallowed. Speaking to this feeling of empowerment within the company, Laura says her pride lies mainly in the fact that “Duo [and] Cisco Secure makes a difference; they ‘do good’ [for people].” 

Women who work in traditionally male-dominated industries often face unique roadblocks. While not exclusive to information security, underrepresented groups in engineering are often othered. They feel unwelcome, confront biases, and rarely see people like them in leadership. These issues surrounding equity, belonging and being heard often cannot be measured until the resulting discouragement drives away diverse talent. The resulting cost for companies is often loss of money, time, reputation and wasted potential.

Laura can attest to this. “Women in tech are often not taken as seriously,” she says. What’s different at Duo, however, is that workplace diversity is a priority. Laura says she’s never felt as heard, as supported, or as important as she does here:

“This is such a diverse culture here at Duo! I’ve never worked in such a diverse cultural environment. Representation matters here; I like [working with] people who look like me!” —Laura Garza, Site Reliability Engineer

“Duo-Cisco is a great place for immigrants,” Deepak Bhaskaran chimes in. “I’m still on a visa, and knowing that I have the same opportunities to grow as everyone else here has really put my mind at ease.” A father of two, an amateur woodworker and our Director of SRE, Deepak spoke to the enthusiasm and support he felt throughout his hiring process. In stark contrast from other organizations that may have avoided even considering an immigrant for the job, Duo offered Deepak a sense of belonging that ultimately empowered him to become a changemaker in the workplace:

“I'm glad [my manager] took a chance on me and was willing to do the additional paperwork required to hire me all those years ago. And over the years, I've been able to be an informal resource for all our hiring managers, in all things immigration related. We’d be at a loss if we shied away from hiring the best people for the job because of a lack of understanding of the complexities of the US immigration system.” —Deepak Bhaskaran, Director of Site Reliability Engineering

A diverse workforce is smarter and more profitable. While many companies fail to recognize this, Duo and Cisco are paving the way for other industry players to follow suit. Empowering underrepresented groups helps foster diversity of thought. When you bring together people with different thought patterns, ideas, problem-solving methods and mental perspectives, you make more innovative decisions, solve problems faster and boost team engagement.

Sanket Gajjar is an SRE and MBA student who works to empower people of color as they develop professionally, both internally at Duo and externally at his university. What Sanket loves most about being an SRE is the individualized support he feels both in his cultural pursuits and in solving workplace problems.

“We encourage individual contributors to work on their passion [while] solving complex business issues,” Sanket begins. “We support them in sharing issues and their recommendations in solving them. We align all these with business, customers and employees.” Laura adds that the workplace encouragement that Sanket described is one of Duo’s key selling points for prospective hires, mentioning that “tech is driven by individual contributors, which is attractive to engineers.”

Duo’s SREs not only have a voice within their teams but also, as Sanket, Laura and Deepak collectively agree, throughout the entire organization. “We have a positive feedback loop,” Sanket says, relaying that leaders on both Duo and Cisco sides of the house offer SRE team members a familial sense of transparency and support as they work. Laura says that it’s the communicative, collaborative culture, plus the amount of resources she now has at her disposal, that make post-acquisition Duo engineering teams even stronger.

Cisco’s enterprise overhead means that the sheer number of SaaS tools and application environments available to Duo SREs is immense. Laura and Sanket say that having access to every tool they could possibly need and the freedom to choose what works best makes their jobs easier. “We now have [more of a] democratic process with the Duo-Cisco merger [partly because] we have access to more resources under this corporate umbrella,” says Sanket. 

Autonomy as an SRE isn’t limited to tools, however. “We have internal mobility!” Sanket adds, as his colleagues nod in agreement. He provides a list to demonstrate just how many roles an individual contributor on the team could move into. Furthermore, he says:

“The culture is supportive in all possible ways one needs to grow professionally and personally. We have quarterly talent reviews, which are a forcing function for everyone to find opportunities to improve and develop. We have a dedicated education and training budget. We have [a] continuous learning culture with time and budget for it.” –Sanket Gajjar, Site Reliability Engineer

Continuous learning is something that Duo’s SREs can attest to on all fronts. Engineers like Sanket are encouraged to pursue MBA and other higher education programs outside of work. He spoke of how tuition reimbursements and a focus on work-life balance have facilitated his choice to go back to school. For Laura and Deepak, work-life balance at Duo also plays a vital role in their professional and personal journeys.

Laura says that she’s found her career within this SRE team to not only be immensely supportive of her hiking passion, but also offers her the time to simply relax. “I love to hike and be with nature on my time off,” she says. “My husband and our red setter are usually up for finding new trails and trees to hug!”

When Laura, her spouse and her canine companion aren’t seeking naturalist adventures, she spends her free time relaxing at home with them, sometimes knitting or reading, too. She adds that she’s taken to roller skating — a hobby that aids in her post-workday decompression, as well as speaks to the amount of time and energy she has to devote to her passions outside of work. 

Post-workday time and energy is also a priority for Deepak. “I am an amateur woodworker and tried a lot of different things before settling on scroll saw work and woodturning as my favorite things to do with wood,” he says when asked how he uses the free time Duo offers. However, he explains that as he pursues his SRE career and woodworking passions, at the end of the day he’s a father of two. Parents working outside of the home can attest to how some professional ventures can inadvertently eclipse their family life. But for Deepak, Duo has made fatherhood better than ever: “I have two young kids, and I love how present I'm able to be in their lives,” he says. “At Duo-Cisco, doing well at work and career growth has never come at the expense of time spent with my family.”

What many organizations fail to recognize is how much more effectively work can be done when people are happy. Duo’s secure access solutions work from all angles because our teams do. We empower people to bring their authentic identities and experiences to the workplace because we believe people do their best work when they can be themselves. Duo is an organization that has always taken this seriously, so we continue to prioritize our team members’ needs even after becoming part of Cisco. Through diversity, inclusion, individualism, access to resources – and so much more – SREs (and every other Duo employee) are as loved, supported and unique as our presence in the cybersecurity industry. 

Come Build With Us

Solving security challenges through our focus on simplicity and effectiveness is what inspires us every day. Want to make the world more secure? We’re seeking top talent for the SRE team and beyond.

<![CDATA[5 Actions to Comply with NCSC’s New BYOD Rules]]> amayle@duo.com (Andy Mayle) https://duo.com/blog/5-actions-to-comply-with-ncsc-new-byod-rules https://duo.com/blog/5-actions-to-comply-with-ncsc-new-byod-rules Industry News

We recently explored on the blog the National Cyber Security Centre’s (NCSC) newly revised Cyber Essentials scheme, and how its specific post-pandemic “Bring Your Own Device” policies have led some publications to label the change “BYOD 2.0.”

The NCSC has provided a lot of guidance regarding what it’s looking for from UK firms of all sizes and sectors. Because the changes are so vast — and because we like to share our own cybersecurity expertise with the market — in this blog we’re delving deeper into what you need to do to choose and implement the right solution, in the right way, using the five actions outlined by the NCSC as a starting point. 

1. Determine Your Objectives, User Needs and Risks

This action is all about asking a comprehensive list of BYOD readiness questions, including what business functions you need to achieve, what types of devices and platforms you intend to facilitate working from, and where BYOD devices will be used. Crucially at this stage, the NCSC also urges firms to take an honest view about just how long BYOD plans need to be in place, because “short-term solutions often start with the right intentions but can rapidly become long-term implementations that are not fit for purpose and difficult to remove.” 

Before we get to the NCSC’s second step, we want to provide additional guidance to ensure firms get the best possible start. It’s important for all firms to have an accurate understanding of the number of devices in their ecosystem. In our experience, the real number is very often double what they originally thought!

Once all devices are known, you must understand the inventory and identify the status and vulnerabilities of devices without being intrusive to your users. Firms should consider a solution that collects only security information about devices – the less personal data collected, the better. An “agentless” approach to determining devices’ security posture is the best way to do this. Combined with a solution that gives visibility of every device accessing systems and applications, it can give the IT admin a comprehensive, global view of all end-user devices from a single dashboard: managed devices, unmanaged devices, Windows, Mac, iOS, Android, ChromeOS and more.

2. Develop the Policy

Next, address questions that clarify and communicate responsibilities from both the organizational and employee perspectives. Identify what employees can or can’t do on their own devices, the services and data within those services that will be exposed to personal devices, and how much control you’re willing to grant/how much control you need. 

A key consideration here: Once the policy has been created and developed, firms need to enforce those policies with technical controls, which we will address further under Deployment Approaches. 

3. Understand Additional Costs and Implications

Here, the NCSC flags the additional costs and implications associated with a BYOD policy, including increased support costs, increased reliance on procedural controls, potential legal issues, and potential data loss. This action point then details how strong user authentication methods, risk-based authentication and access control are two of the most effective ways to curb the risk of this data loss taking place. You can learn more about this topic in Duo’s Two-Factor Authentication Evaluation Guide.

Another way you can manage additional costs is by taking advantage of a self-remediation function as part of a BYOD solution. For example, rather than giving one single button for a user to push to update their operating system, they receive a prompt to ensure their device is up-to-date. This has two advantages: by allowing users to take matters into their own hands, rather than relying on your helpdesk, you can reduce total cost of ownership; and this approach puts emphasis on individual security hygiene, which helps your whole team adopt a security mindset. 

4. Deployment Approaches

There are several approaches to BYOD, and in this action point the NCSC gives a comprehensive overview and assessment of the strengths and weaknesses of each, including: 

  • Web Browsers: Simple access to corporate data through a web browser. There is thorough guidance around this “Simple and versatile access option” on the NCSC website, but we would also add that if you follow this deployment method, you should also consider incorporating a trusted endpoints feature. This will help distinguish between unmanaged endpoints and managed endpoints that access browser-based applications, and allows firms to apply policies such as blocking access to various applications from systems that aren't managed.

  • Virtual Desktop Infrastructure (VDI)/Remote Desktop/Remote Apps: Users are provided an interactive view of a corporate desktop environment with a suite of applications defined and managed by the organization. 

  • Bootable OS: Bootable managed corporate environment.

  • Mobile Device Management (MDM): A user grants the enterprise a degree of control and management over the device and its settings.

  • Mobile Application Management (MAM): A user manages all aspects of the device except for work applications, which are held in a container on the device and managed by the organization.

  • Hybrid Approaches: Some vendors provide a hybrid of MDM and MAM. Typically, these have become a part of an MDM, Unified Endpoint Management or Endpoint Mobility Management suite of tools.

We would also add two more deployment approaches that are not included on the NCSC’s list: 

  • Web Browsers + Single Sign-On (SSO): Secure SSO to corporate defined applications through an SSO portal, providing access only to applications relevant to job roles and minimizing multiple user logins.

  • VPN-less Access: Secure peer-to-peer segmented access to corporate defined applications via reverse proxy controlled by policy.

5. Put Technical Controls in Place

The NCSC’s action points are rounded off with comprehensive advice to ensure whichever deployment approach you take is the right tool for the job. In support of the two additional deployment options we mentioned, we offer guidance to help ensure they’re put in place as effectively as possible.

If your company pursues the Web Browsers + SSO or VPN-less Access deployment approach, you should factor in the following control measures:

  • Strong authentication, at least MFA.

  • Provide access only to applications based on roles and privileges.

  • Control device security posture with policy and behavior based access controls. Track versions of operating systems, browsers and plug-ins, as well as information about tampered devices, encryption and malware protection. 

  • Block access to corporate applications on compromise detection.

However you deploy BYOD, there are several fundamental controls that you should implement as a baseline, like strong authentication (MFA), device posture control, least privilege role-based access to applications, and the ability to correctly identify trusted devices.
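To show how the baseline controls above fit together in practice, here is an added example (not Duo’s or the NCSC’s code) of a small access-decision function: it denies outright on a missing MFA step, a tampered device, an unauthorised role or an unmanaged endpoint reaching a managed-only application, and otherwise returns a self-remediation prompt for posture gaps the user can fix themselves. Every platform threshold, role, application name and sample device is a hypothetical value constructed for the example.

```python
"""BYOD access decision combining the baseline controls: MFA, device posture,
least-privilege role-based app access and trusted (managed) endpoints.
Added example, not Duo's or the NCSC's code; every threshold, role, app name
and sample device below is a hypothetical value constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Version = Tuple[int, ...]   # e.g. (10, 0, 19044); compared element-wise

@dataclass
class Device:
    platform: str            # "windows", "macos", "ios", "android", "chromeos"
    os_version: Version
    browser: str
    browser_version: Version
    disk_encrypted: bool
    malware_protection: bool
    tampered: bool           # jailbroken / rooted -> treated as compromised
    managed: bool            # enrolled with the organisation (trusted endpoint)

@dataclass
class AccessRequest:
    user: str
    role: str
    app: str
    mfa_completed: bool
    device: Device

@dataclass
class Decision:
    outcome: str                          # "allow", "deny" or "remediate"
    reasons: List[str] = field(default_factory=list)

# Hypothetical minimum versions (constructed for the example).
MIN_OS: Dict[str, Version] = {"windows": (10,), "macos": (12,), "ios": (15,),
                              "android": (12,), "chromeos": (100,)}
MIN_BROWSER: Dict[str, Version] = {"chrome": (100,), "firefox": (98,),
                                   "safari": (15,), "edge": (100,)}
# Hypothetical least-privilege mapping: role -> applications it may reach.
ROLE_APPS: Dict[str, set] = {
    "finance": {"expenses", "payroll", "mail"},
    "engineer": {"source-control", "ci", "mail"},
    "contractor": {"mail"},
}
# Hypothetical apps that unmanaged (personal) endpoints may never reach.
MANAGED_ONLY = {"payroll", "source-control"}

def evaluate(req: AccessRequest) -> Decision:
    """Hard failures deny outright; fixable posture gaps return a
    self-remediation prompt to the user instead of a helpdesk ticket."""
    d = req.device
    deny: List[str] = []
    remediate: List[str] = []

    if not req.mfa_completed:
        deny.append("mfa-required")
    if d.tampered:
        deny.append("device-tampered")                # compromise detection
    if d.platform not in MIN_OS or d.browser not in MIN_BROWSER:
        deny.append("unsupported-platform-or-browser")
    if req.app not in ROLE_APPS.get(req.role, set()):
        deny.append(f"role-{req.role}-not-authorised-for-{req.app}")
    if req.app in MANAGED_ONLY and not d.managed:
        deny.append("unmanaged-endpoint-blocked-for-app")

    # Posture gaps the user can fix: (10, 0, 19044) >= (10,) and (11, 6) < (12,).
    if d.platform in MIN_OS and d.os_version < MIN_OS[d.platform]:
        remediate.append("os-out-of-date")
    if d.browser in MIN_BROWSER and d.browser_version < MIN_BROWSER[d.browser]:
        remediate.append("browser-out-of-date")
    if not d.disk_encrypted:
        remediate.append("disk-encryption-disabled")
    if not d.malware_protection:
        remediate.append("malware-protection-disabled")

    if deny:
        return Decision("deny", deny)
    if remediate:
        return Decision("remediate", remediate)
    return Decision("allow")

def sample_requests() -> Dict[str, AccessRequest]:
    """Constructed requests covering the allow, deny and remediate paths."""
    managed_win = Device("windows", (10, 0, 19044), "chrome", (101, 0), True, True, False, True)
    personal_mac = Device("macos", (11, 6), "safari", (15, 1), True, True, False, False)
    rooted_android = Device("android", (12,), "chrome", (101, 0), False, False, True, False)
    return {
        "finance-payroll-managed": AccessRequest("alice", "finance", "payroll", True, managed_win),
        "finance-payroll-personal": AccessRequest("alice", "finance", "payroll", True, personal_mac),
        "engineer-mail-old-macos": AccessRequest("bob", "engineer", "mail", True, personal_mac),
        "contractor-payroll": AccessRequest("carol", "contractor", "payroll", True, managed_win),
        "rooted-no-mfa": AccessRequest("dave", "engineer", "mail", False, rooted_android),
    }
```

Running `evaluate` over `sample_requests()` shows the three outcomes side by side: the managed finance device is allowed into payroll, the same user on a personal Mac is denied for that app but would only be prompted to update macOS when reaching mail.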

If you would like more advice on how to comply with the NCSC Cyber Essentials scheme, or any more information on cybersecurity concerns, please contact us.

<![CDATA[Updating the Universal Prompt: Collaboration, Simplification and Democratizing Security]]> mkschmermund@duo.com (Mary Kate) https://duo.com/blog/updating-the-universal-prompt-collaboration-simplification-and-democratizing-security https://duo.com/blog/updating-the-universal-prompt-collaboration-simplification-and-democratizing-security Product & Engineering

Aaron McConnell, an Engineering Technical Lead at Duo, is driven by our mission to make security more accessible for everyone. The Duo Universal Prompt aims to do that by making multi-factor authentication as easy for users as it is effective. Every Duo team has been part of this innovative initiative meant to modernize technology and ensure more users can customize Duo to their needs. Aaron spoke about the technical side of this enterprise and how collaboration, proactive problem solving, and Duo’s culture contributed to this upgrade.

Duo Universal Prompt then and now

Question: What was the state of the Universal Prompt before the recent update? What problems did you want to solve or customer feedback did you want to address? 

Aaron McConnell: These conversations began years ago. We had a number of problems that we wanted to solve, and some customer problems as well. The old style of prompt didn’t work for a lot of customers because it was in an iFrame. It’s a kind of technology where you embed pieces of a web application inside a different web application, and that’s an area rife with security problems. A lot of internet browsers are getting restrictive about what you can do with it.

Customers also found the prompt more burdensome than we wanted. They wanted to customize it in various ways, in terms of visuals or language, that it wasn’t well-suited to do.

At Duo, we also wanted to improve the security and use the most up-to-date protocols and procedures. There were also new mechanisms that were becoming popular, like Open ID Connect (OIDC). We wanted to support these modern and standardized processes in our application because we had our own custom homegrown protocol that didn’t interact with anything else well. There were also concerns about vulnerabilities if customers didn’t keep their secret keys as secure as we wanted them to.

For all those reasons, we wanted to do a technical refresh of the prompt and provide the latest and most interoperable security mechanisms. At the same time, our Duo Mobile team wanted to do a visual and software refresh to update the look and feel of the application, make it more usable for our customers, and solve some of these security problems. 

Collaboration was key to the Universal Prompt update.

Question: How did collaboration play into Universal Prompt? 

Aaron McConnell: At one point, it involved basically every team at Duo working simultaneously on some aspect of it. Because we had our core team that owns the authentication piece of Duo, they were the front leaders on this. 

Our mobile teams got pulled in because their mobile application was getting refreshed and had to look consistent across everything. So that involved our design teams working together on: how is this going to look on desktop? On mobile? How’s it going to look embedded in another thing?

We’re Duo, we’re Cisco. Our security teams were heavily involved and asked, “How are we going to make sure this new way to authenticate is secure?” Our Product teams needed to make sure this is solving customer problems, that they’re going to be able to use it, and that it has the features our customers want.

Our teams that work with our Device Health application got involved because this new prompt needs to be able to check the security hygiene of devices, just like our old prompt did. My team got involved because we own the software we publish on our GitHub page so that customers can embed the prompt in their application. So, we needed to make sure that it worked well with being able to publish these Web SDK clients to customers to actually use this because if nobody can use it, that doesn’t do us any good.

Also, our site reliability engineers, who keep the website up and running, had to be sure this wasn’t causing too much traffic in one area causing outages. Our Customer Success team communicated to customers, “Hey, this is coming down the pike. This is going to change, it’s going to look like this. When do you want to turn it on? How’s it going to look? How’s it going to affect your users?”

There were challenges keeping everything going, but we did a really great job.

Question: How did you overcome unexpected challenges? 

Aaron McConnell: Big picture, we didn’t have a lot of setbacks because we had a lot of discussion and kept everybody in the loop and saw problems before they happened. Small picture, lots of day-to-day challenges, but that happens everywhere and to everyone and you get past it. 

“That’s why we do what we do: to solve day-to-day problems. We knew where we wanted to go, we validated what we were going to do. We saw the problems before they happened at the high level and got ahead of them and solved them.”

Question: What discoveries did you find most surprising?

Aaron McConnell: I was surprised with how little people wanted to have to deal with, with the prompt. Our Product Design team kept coming back and saying, “No, it’s got to be simpler.” And I was like, “Really? There’s not much left.” It’s at the point now where it’s basically one big button to log in, though you can add more if you need to. 

Another thing I found surprising was how many teams got involved. I would think of a team and be like, “Oh, they don’t really have anything to do with Universal Prompt.” But no, they did. For instance, our Data Science team got involved because we wanted to know how many people are using this new feature. And how many people are using this type of policy? What’s the breakdown of Mac users versus PC users? They helped us make decisions such as, if we know 90% of our users are using Push, we optimize the Prompt for the Push experience.

We had the market research and user validation going in ahead of time so that we didn’t get surprised. We got ahead by getting customers involved really early. 

Question: What else did you learn that will stick with you?

Aaron McConnell: I got to know more about that OIDC protocol than I ever wanted to before. So, I’m pretty sure I can deal with that for the rest of my life. It was also interesting seeing how the project was organized not with a top-down approach of, “This is how you’re going to do the thing,” but working out who had to be the leaders in an area. Everyone needed to be kept in the loop about what was happening and when it was happening, but they didn’t necessarily need to be the ones who called the shots.

For instance, Customer Success needed to know when things were happening so they could communicate with customers. When it was time to roll it out to customers, they stepped to the forefront and took a bit more control about how the actual rollout would happen to make sure it went successfully. That was a really impressive thing that I can take forward, of who is going to lead and be the driver at various parts of this feature rollout and who needs to be kept in the loop so that they can take charge later.

Question: At Duo we’re driven by values: being kinder than necessary; learning together; engineering the business; and building for the future. How did these values impact your work?

Aaron McConnell: Building for the future was fairly obvious. One of the main drivers for this whole project was to update the prompt experience to be more modern and forward-facing and get rid of some of these older mechanisms that weren’t working for us anymore.

“The main driver always was, ‘This needs to serve our customers better in the future. How are we going to get there?’. Learning together, we were constantly sharing our knowledge and our thoughts about how this was going, keeping everybody in the loop.”

Early on, engineers tried experimental stuff. Some groups would get together and say, “I’m going to try this approach and see if it’s going to work.” They would figure out what was good about it, what wasn’t good about it, what was going to work, what wasn’t going to work, and share that with the rest of us to help make decisions about which approach to go with technologically.

Engineering the business. This involved every team at Duo. We had to figure out mechanisms to keep people in the loop. How are they going to know when they have things to get done? How are they going to get feedback on how that went? So, we introduced new mechanisms to keep everybody on the same page.

Kinder than necessary. That’s how we do everything at Duo. We wanted to be kinder than necessary to our users by giving them a prompt experience they could actually use. But it flavors every interaction we have at Duo. If somebody was having a problem or made a mistake, they never got scolded for it. They never got negative feedback for trying something new because that’s not what we do at Duo. When people were having a tough time getting something to work, they got a lot of support from their team. But that’s not unique to this project — that happens on everything at Duo.

Question: What do you find most exciting about Universal Prompt?

Aaron McConnell: I like that we made it usable for our customers to integrate into their applications. I enjoy getting the tools to the people who take the product and work on the code, architecture and design of their applications to add Duo. With Universal Prompt, we’ve put out clients for it in a variety of languages. I’ve been involved in every single one of them. I hand-wrote one of them.

I am absolutely super happy that we finally got out of the iFrame, because that was causing all kinds of headaches for our customers and us. It was really cool getting to a more modern technology stack and more modern authentication processes in order to make it easier for people to integrate with us. 

Question: What’s next for Universal Prompt? 

Aaron McConnell: We have a couple big pushes going on right now. We’re moving away from U2F — a lot of browsers are dropping support for it because WebAuthn is more flexible and better supports a variety of use cases.

We’re also integrating Universal Prompt with our new Passwordless product. We need to think behind the scenes: Is there anything the Prompt needs to do that it’s not currently doing to support that use case? Where’s the future of passwordless going? Are there new mechanisms that we need to make sure we can support?

Some work just went out to improve the customization features so our customers who want to integrate it with their applications can have it look more natural to their users. We’re always adding language support and new internationalization and localization features to support more and more countries that want to use Duo.

Accessibility is another priority. We have somebody who’s constantly evaluating the accessibility of the Prompt for people who are blind, low-vision, deaf or hard of hearing. As new standards in accessibility come out, we make sure the Prompt addresses them. And we’re evaluating what else we need to do so customers can actually consume this. Are there additional computer languages that we need to support? Are there additional computer frameworks or browsers that we need to make sure this works in?

Question: What else would you like to share about Universal Prompt?

Aaron McConnell: We can make the coolest Prompt on the planet with the most functionality and the simplest and the easiest to use — but if no one actually uses it, it doesn’t do anybody any good. If there are folks who want to use Duo but can’t for some reason, we want to hear from you so that we can make it work for you. If you need the Duo client in a new computer language, we need to hear about that.

If you run a company and your users can’t use Duo, or the Prompt doesn’t work for you, we need to know that you need more functionality on the Prompt. That’s the most important message I want to get across about the Universal Prompt right now.

Duo’s mission is democratizing security. If you can’t use Duo, we have not democratized security. If it’s not accessible to you, we failed in our mission, so we need to know about that so that we can make it happen.

Come Build With Us

Solving security challenges through our focus on simplicity and effectiveness is what inspires us every day. Want to make the world more secure? We’re seeking top talent.

<![CDATA[How to Prevent Cyber Actors from Bypassing Two-Factor Authentication Implementation]]> ivablazi@duo.com (Iva Blazina) https://duo.com/blog/how-to-prevent-cyber-actors-from-bypassing-two-factor-authentication-implementation https://duo.com/blog/how-to-prevent-cyber-actors-from-bypassing-two-factor-authentication-implementation Industry News

On March 15, 2022, a US government flash bulletin was published describing how state-sponsored cyber actors were able to exploit certain authentication workflows in combination with the PrintNightmare vulnerability (CVE-2021-34527) to gain administrative access to Windows domain controllers. Once administrative access was established, the attacker was able to change two-factor authentication (2FA) configurations and eventually bypass 2FA to gain access to cloud storage services.

This scenario did not leverage or reveal a vulnerability in Duo software or infrastructure but made use of a combination of configurations in 2FA (in this case Duo 2FA) and Windows native authentication workflows. This scenario can be mitigated through a policy configuration in Duo’s Admin Panel (details in the Recommendations section below). Duo recommends reviewing your configuration to make sure it meets your current business and security needs.   

How Could a Potential Compromise Take Place? 

According to the US government agency’s bulletin, cyber actors were able to obtain access to primary credentials for users that did not have an enrolled 2FA device. The actors were then able to enroll their own 2FA device. Once enrolled, they used the newly enrolled authentication device to compromise a Windows system with Duo Authentication for Windows Logon installed. Once logged into Windows, threat actors exploited an unpatched PrintNightmare vulnerability (CVE-2021-34527) to gain administrative privileges and redirect 2FA calls away from Duo’s cloud service, effectively bypassing 2FA in order to gain access to the victim’s files in the cloud service. 

What Is the Impact of the Compromise? 

The impact of the reported incident was the threat actor gaining access to the victim’s cloud storage and email environment.  

Allowing 2FA self-enrollment for new and returning users is an industry standard. All major 2FA providers allow enrollment of unenrolled users by default without any additional measures. The reason for this is to ensure security while also reducing friction for IT support and end users.  

We recommend customers check their account status immediately. Duo Administrators can log in to the Duo Admin Panel and run the Duo Authentication Log report which will show them all authentications, including new device enrollments, for the previous 180 days.  

In addition, we encourage customers to develop strategies and systems to maintain ready access to Authentication Logs beyond 180 days. Customers can use a SIEM connector or our Admin API to constantly ingest Authentication Logs into third-party systems. A more manual but less technical mechanism would be to set a calendar reminder to export 180 days' worth of logs to CSV/JSON via the Admin Panel on a regular basis. 
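As an added example that is not Duo's own code, the triage below runs over a constructed Authentication Log export and surfaces the new device enrollments the post says to review: enrollments on accounts with no earlier successful authentication in the export (the unenrolled-account case in the bulletin) and enrollments from an IP the user has never authenticated from. The record layout (timestamp, event_type, user.name, access_device.ip, result) is assumed to follow the Admin API v2 authentication-log JSON.

```python
"""Triage a Duo Authentication Log export for suspicious 2FA enrollments.

Added example, not Duo's code. Field names assume the Admin API v2
authentication-log JSON layout; the records below are constructed.
"""
import json
from collections import defaultdict

# Constructed sample export: a routine login for "adoe", then an
# enrollment plus login for the previously unenrolled "jsmith", then a
# re-enrollment for "adoe" from the IP already seen for that user.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": 1646006400, "event_type": "authentication", "result": "success",
     "user": {"name": "adoe"}, "access_device": {"ip": "203.0.113.10"}},
    {"timestamp": 1647302400, "event_type": "enrollment", "result": "success",
     "user": {"name": "jsmith"}, "access_device": {"ip": "198.51.100.7"}},
    {"timestamp": 1647306000, "event_type": "authentication", "result": "success",
     "user": {"name": "jsmith"}, "access_device": {"ip": "198.51.100.7"}},
    {"timestamp": 1647388800, "event_type": "enrollment", "result": "success",
     "user": {"name": "adoe"}, "access_device": {"ip": "203.0.113.10"}},
])


def triage_enrollments(export_json):
    """Return the enrollment events that deserve a human look.

    An enrollment is flagged when the user has no earlier successful
    authentication in the export, or when the enrolling IP was never
    used by that user before. Records are processed in time order so
    that only history *before* the enrollment counts.
    """
    records = sorted(json.loads(export_json), key=lambda r: r["timestamp"])
    seen_ips = defaultdict(set)  # user -> IPs of prior successful logins
    flagged = []
    for rec in records:
        user = rec["user"]["name"]
        ip = rec.get("access_device", {}).get("ip")
        if rec["event_type"] == "enrollment":
            reasons = []
            if not seen_ips[user]:
                reasons.append("no prior authentication in export")
            elif ip not in seen_ips[user]:
                reasons.append("enrollment from IP never used by this user")
            if reasons:
                flagged.append({"user": user, "ip": ip,
                                "timestamp": rec["timestamp"],
                                "reasons": reasons})
        elif rec.get("result") == "success" and ip:
            seen_ips[user].add(ip)
    return flagged
```

The same function works on a JSON export pulled through the Admin API or a SIEM connector, as long as the window is long enough to contain the user's normal history.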

What Do You Need to Do to Prevent Being Compromised? 

The threat actor scenario took advantage of configurations that are industry-standard and have proven benefits for our customers and users. In that regard, there are several approaches to take when facing a situation like this. Below are several recommendations as well as links to the detailed steps on how to implement those recommendations in accordance with what works best for you and your users.

General Best Practices 

  • Require complex or strong primary user passwords 

  • Configure password lockout policies to thwart brute-force password attacks 

  • Ensure all your systems have up-to-date security patches 

  • Utilize file integrity monitoring and set alerts on any modification of files on the Domain Controller 

Specific Duo Recommendations 

<![CDATA[Duo Single Sign-On Now Supports Multiple Active Directory Forests]]> cmedfisch@duo.com (Colin Medfisch) https://duo.com/blog/duo-single-sign-on-now-supports-multiple-active-directory-forests https://duo.com/blog/duo-single-sign-on-now-supports-multiple-active-directory-forests Product & Engineering

We are happy to announce that Duo Single Sign-On (SSO) now supports multiple Active Directory (AD) forests, allowing users in multiple domains, with no Active Directory trust created between them, to connect to a shared set of applications.

There are plenty of reasons why an organization would have more than one domain in their environment: Mergers and acquisitions. Corporate rebranding. A growing number of applications taking advantage of multi-tenancy. Any of these scenarios — and many more — present accessibility and security challenges to IT, sometimes even adding up to domain consolidation projects that never get completed. Consequently, over the lifetime of these migrations, users often experience friction when logging into a shared set of essential business applications, like Microsoft 365 or Dropbox.  

When we started developing support for multiple ADs, we worked through multiple iterations to ensure a frictionless end-user experience.  

We know that organizations want their end users to be able to log into applications quickly and easily, with access that doesn’t require intricate knowledge of the complexities of the IT infrastructure powering their day-to-day work. That’s why we built our support for multiple ADs without requiring users to pick (or know) what authentication source they are coming from. Duo SSO will search for the username across all configured AD authentication sources, and once it finds them, will continue on through the rest of the passwordless or multi-factor authentication flows. 

“We’ve been using Duo SSO since it launched, but due to the complexity of our environment, we had to pick and choose who used SSO and who had a different experience. It’s great to finally be able to have all of our users on the modern login flow and for us to be able to apply policy to all users.” —Senior Architect, Manufacturing Organization

Adding further Active Directory Authentication Sources to Duo SSO is easy. IT admins simply need to have a Duo Authentication Proxy (or cluster of Authentication Proxies) with a minimum version of 5.5.1 for each unique AD forest.

Once that’s complete, it’s as simple as standing up your preview authentication source. After adding the source, verifying the permitted domain, and running the enrollment command, your new authentication source is ready to go. 

Duo provides a modern, automated SSO solution that helps organizations scale both their accessibility and security quickly and easily. Long gone are the days of standing up and maintaining multiple on-premises servers for each domain.  

Duo SSO is only getting better with time. Want to follow along? Subscribe to our release notes.