As identity-based attacks become more prevalent, the ability to fine-tune access at a granular level is not just an advantage — it's a necessity. Duo has been born at the forefront of this shift, offering SAML support since 2015 and OIDC since 2023, which has helped many of our customers secure applications with Duo’s best-in-class identity security controls. Now, we're refining our approach even further with the integration of OAuth Client Credentials, now Generally Available, to provide even more precise control mechanisms within our security suite.

Understanding OAuth Client Credentials

Before delving into how Duo Single Sign-On (SSO) leverages OAuth Client Credentials, let's clarify what this protocol entails. OAuth Client Credentials is a part of the OAuth 2.0 specification, which is a widely adopted industry standard for authorization. Unlike other OAuth 2.0 flows designed for end-user approval, the Client Credentials grant type is specifically tailored for server-to-server authentication, where no user interaction is involved.

In this flow, a client application can directly request an access token from the Authorization Server using its own credentials. Once the Authorization Server authenticates the client, it issues an access token. This token then grants the client application access to the protected resources hosted by the resource server. It's a streamlined process designed for efficiency and security, ideal for scenarios where applications must perform automated tasks without manual user intervention.

See the video at the blog post.

See the video at the blog post.

Secure segmentation by default

Duo SSO's implementation of OAuth Client Credentials is akin to a master key maker crafting unique keys for each room in a building. Just as a key maker can design a master key system with individual keys that provide access to specific areas while maintaining overall security, Duo SSO creates separate Authorization Servers for each OAuth client. This architecture allows for multiple clients to be associated with each Authorization Server, enabling secure segmentation by default — each client operates within its own compartmentalized space, much like rooms in a secure facility.

For applications that require broader access — like having passageways between rooms — we've developed Global Token Introspection. This feature is like installing viewports in doors, allowing one room to verify if a keyholder from another room should be granted access, all while keeping the doors locked and the integrity of each room intact. Global Token Introspection ensures that clients can check the validity of tokens from other Authorization Servers within the Duo SSO ecosystem, maintaining a secure boundary even as information is shared.

To enable Global Token Introspection and effectively manage the flow of access within your organization's infrastructure, we encourage you to reach out to Duo Support.

The integration of OAuth Client Credentials into Duo SSO's offerings shows Duo’s commitment to providing advanced, adaptable, and precise security solutions. It's a testament to our dedication to evolving with the needs of our customers and to our vision of a secure, controlled enterprise environment. As we continue to refine and expand our capabilities, we invite you to explore the benefits of this granular security approach and join us in our mission to safeguard the identity perimeter with unmatched precision.

Next steps

OAuth Client Credentials support in Duo SSO is available for customers on Essentials, Advantage and Premier today! Check out the documentation for how you can start protecting your applications. 

For more on what we’re doing to revolutionize Continuous Identity Security, follow along in our Release Notes. If you’re an Essentials customer or a prospect interested in learning more about the power of Duo and our recently announced Cisco Identity Intelligence, the best path forward is signing up for an Identity Security Assessment. This assessment is effectively a free trial of the new functionality and will showcase a variety of valuable features and use cases.

Here’s to the future of secure Identity with Duo!

Multi-factor authentication (MFA) has become a security staple, almost as ubiquitous in our daily lives as a morning cup of coffee. In the last year, more than 16 billion authentications have been handled by Duo. MFA is an important security tool to combat unauthorized account access. However, it is not foolproof. Traditional hardware-based MFA is high friction and imposes limitations that can be frustrating at best and increase risk surface at worst, such as through MFA fatigue and account recovery processes. We are excited to share with you a new Duo Technology Partner Badge, and Badge’s unique integration with Duo that provides the first-hardware independent roaming MFA.

Many Duo authentications are for securing virtual infrastructures like cloud environments, or remote access systems, workstation hopping and restricting unknown and out-of-date devices from accessing applications and networks. Requesting access multiple times a day is commonplace in the day-to-day workflow of users, including billions of frontline workers worldwide. Some MFA methods can disrupt operations, and the resulting employee workarounds significantly increase the opportunity for security breaches during the authentication process. Worse, when users are in device-not-present situations — like when a mobile phone required for an MFA push is lost, broken, or unavailable — the fallback is usually a phishable, high-friction account recovery process. Not only is this bad for the user experience, but it’s bad for security too, since account recovery is increasingly becoming the front door for attackers and phishing. We’ve seen this fallback to account recovery as an increasing vector for fraud, such as with recent high-profile attacks in healthcare and entertainment targeting large companies

Badge's novel, privacy-preserving authentication enables Duo users to authenticate passwordlessly from any device without requiring the user to have previously registered on that device. This eliminates the need for Duo users to fallback to account recovery or redirect to a phone or token each time they need to authenticate. Badge seamlessly enables enterprise authentication across applications from multiple devices, all from a single enrollment. Badge helps Duo strengthen its security posture with a seamless MFA experience that's both portable and resistant to phishing, while also enabling a truly passwordless user experience.

“Badge not only streamlines access across applications and devices but crucially reduces the risk of phishing attacks or credential exposure, making it an indispensable tool for maintaining the integrity of secure environments. Badge is excited to partner with Cisco Duo to bring this important security and user experience benefit to Duo users.” — Dr. Tina P. Srivastava, Co-Founder of Badge

Moving the trust anchor

MFA works by relying on a device or a token as the trust anchor, which means that users need to have their device or token with them — and in working order — at all times to authenticate. This reliance on specific hardware, called device dependency, is a pain for user experience and impacts security when users are forced into fallback authentication flows. With Badge, the device dependency is gone — people are their own roots of trust, rather than just a device or token.

Badge offers a cost-saving solution to help reduce friction and enable seamless, passwordless enrollment using verified credentials (VCs). Badge leverages the initial Identity Verification (IDV) enrollment, and from there the user can authenticate to access this credential anywhere, anytime, on any device. No need for repeat IDVs throughout the user lifetime journey. This saves money and user frustration.

In addition to simplifying the enrollment process, Duo can also operate as a certified passkey provider leveraging Badge, extending the passwordless capabilities of Duo. Unlike other passkey models, the Badge integration with Duo does not require users to cede trust of their key trees or login credentials to a centralized authority. Instead, Duo users leveraging the Badge passkey implementation benefit from a trust model where users can establish key provenance and maintain control over their authentication keys, enhancing security and privacy. Again, with Badge, users enroll once, and may access their passkeys on any device (including across Apple, Microsoft and Google ecosystems).

By addressing the dual challenges of security and user experience, while reducing costs to the enterprise, Duo and Badge are setting new standards for what’s possible in secure, efficient, and user-friendly identity and authentication solutions.

To learn more about Badge’s integration with Duo, check out our technology partners page or watch a short demo.

Want to learn more about Badge? Contact the Badge sales team today.

As MFA fatigue attacks continue to wreak havoc on organizations of all sizes, security teams are left with difficult choices about how best to secure their workforces. More stringent security requirements often come with a large user experience cost, which can frustrate employees and reduce productivity. Duo’s Risk-Based Authentication (RBA) helps solve this by adapting MFA  requirements based on the level of risk an individual login attempt poses to an organization. Our algorithm considers the user’s authentication history, their location, and device to assess whether the user appears to be who they say they are, or whether their login is anomalous enough to resemble a potential attack. Risky authentications are stepped-up, and users are required to authenticate with a more secure factor.

Organizations are sometimes hesitant to deploy policies that use artificial intelligence and machine learning because it is inherently difficult to predict what will happen. Will users get blocked? How many step-up authentications will a user have to do every week? Is the help desk going to be inundated with tickets? We heard these questions from our customers repeatedly, which is why we are thrilled to announce the launch of Risk-Based Authentication Preview Mode.

Now, Advantage and Premier customers can see the impact of Risk-Based Factor Selection before they turn on the policy. When Duo’s algorithm sees an authentication that would have been stepped-up with RBA, we will present a banner in the Authentication log to show administrators more information about why this authentication looked risky. The Preview Insights window will also show information about how many step-up authentications would have been required in the past 30 days and how many of those users would require assistance from the help desk (e.g., if the user does not have a more secure factor enrolled).

Our goal with these new features is to open the black box of RBA. AI is a powerful tool that can help us solve many different problems. But when it comes to security, we know how important it is to trust how access decisions are being made. We want to make sure customers feel confident that their users are protected against the most prevalent MFA attacks when they use Duo’s Risk-Based Authentication.

Preview Mode will be on by default for all Advantage and Premier customers and can easily be toggled off, should customers not wish to see banners with detection information. We hope this helps customers feel prepared to strengthen their authentication policy and enable Risk-Based Authentication.

Duo has a long history of protecting students across universities and higher education institutions. From personally identifiable information to federal grants and loans, students and schools are a regular target for attackers. Because Duo has such a large presence in the world of education, we can also spot trends in attack tactics and learn how to better secure your organization.

One threat pattern Duo has seen targeting higher education within the last year includes a mixture of MFA-targeted attacks including passcode phishing and MFA fatigue. If successful, the bad actor register malicious devices on the student’s account for continued access to the student’s account and the university’s VPN. Duo Data Scientist, Becca Lynch, wrote about these attacks in the blog, Identity Threat Trends for Higher Education.

Duo has continued monitoring and responding to these attacks, while working with many of the higher education targets to secure their environments. But Duo hasn’t stopped there, as we have a unique ability to respond and establish scalable, structured product enhancements to our threat detection and response capabilities.

How Duo can help

When users set up Duo mobile, Duo takes a device fingerprint of that phone that is stored securely in our database. A typical device might be linked to a small number of Duo accounts. For example, a user might use their personal cell phone to protect their school account and when they graduate, they use it at their new job to protect their corporate account.

However, it is extremely rare for one device to be paired with hundreds of accounts, and that’s what the attackers are doing. They’re pairing the same device to all user accounts they’ve breached. One device being used to authenticate the account of 27 students across 5 schools? That’s phishy.

With Duo’s new feature, we can now block those malicious devices from continuing to access Duo-protected applications and the Duo admin panel. In the Duo admin panel, the logs now present when a device is blocked and why. This can also trigger an email to any configured administrator to provide immediate and up-to-date alerts on what is going on in their environment.

Duo can help protect every organization, not just universities, from these threats through improved threat detection and response capabilities. But the importance of secure policies should not be ignored.

We encourage all Duo customers, especially schools and other educational institutions, to ensure that they set up their policies to better protect their users, students and faculty alike. That means using secure authentication factors, implementing risk-based authentication to respond to change in user context, and pairing authentication with device trust policies through Duo’s Trusted Endpoints. It also means using an observability tool, like Duo Trust Monitor, to provide a view of all user events, including registrations and authentications, across your environment.

If you are not a current Duo customer but are interested in learning more, sign-up for a free trial today.

When reading the title of this blog, you might be wondering to yourself why RADIUS is being highlighted as a subject — especially amidst all of the advancements of modern authentication we see taking place recently. The truth is, for as old as RADIUS is, it is still (to this day) a vital protocol used in virtually every network infrastructure. Although it has many functions within the network itself, the purpose of this article is to show how RADIUS can be used when protecting applications with Duo, the benefits/drawbacks of the protocol, and why it deserves our attention.

Also, customers who subscribe to Duo Care have access to a Customer Success Manager (CSM) and a Customer Solutions Engineer (CSE). This dynamic duo provides solution architecture consulting, best practices, and overall security strategy when it comes to using RADIUS in conjunction with Duo’s services — and can help you navigate the pros and cons of the protocol relative to your organization’s specific environment and end-user needs.

What is RADIUS?

First, let's level-set on what we are talking about. RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. It is commonly used for network access into VPNs, wireless access points, and other devices (more on this later). 

RADIUS itself is a protocol that defines a method for passing authentication information between the network service and the AAA server, but it doesn't define the actual authentication methods. Instead, it supports a variety of authentication protocols, including EAP, PAP, CHAP, and others. Here are the differences between some of these protocols:

1. Extensible Authentication Protocol (EAP)

• EAP is a framework that supports multiple authentication methods.

• It’s very flexible and can work with a range of authentication mechanisms, including certificates and public key infrastructure (PKI).

• EAP itself isn’t a specific authentication mechanism, but a way to encapsulate the authentication process.

• EAP can be used in conjunction with RADIUS to authenticate users in more secure and complex scenarios.

• It’s commonly used with wireless networks and Point-to-Point connections, but it’s also used for a specific VPN integration with Duo.

• The only officially supported Duo integration that makes use of EAP is NetMotion Mobility.

• Does the Duo Authentication Proxy support EAP or PEAP?

• Protected EAP (PEAP) allows for TLS inside of RADIUS. Note that this is different from RadSec, which is TLS encryption of RADIUS over TCP. 

2. Password Authentication Protocol (PAP)

• PAP is a simple authentication protocol where usernames and passwords are sent to the server as plain text.

• Credentials are not encrypted using this protocol, but they can be obfuscated by the use of a shared secret, which is required when using the Duo Authentication Proxy.

• Learn more about how Duo protects PAP authentication.

3. Challenge-Handshake Authentication Protocol (CHAP)

• CHAP is more secure than PAP as it uses a challenge-response mechanism where the server sends a challenge to the client, the client responds with a value obtained by using a one-way hash function and the server checks this value.

• The password itself is never actually sent over the network.

• Periodic challenges can be sent to ensure that the password hasn’t been compromised and that the connection is still being managed by the same client.

• The Duo Authentication Proxy does not support CHAP.

4. Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP

• MS-CHAP is a Microsoft version of CHAP that includes additional features, such as a different method for hashing and an additional authentication response designed to support Microsoft clients and servers.

• MS-CHAP v2 is an improvement over the original MS-CHAP and provides better security by using stronger cryptographic keys and a two-way authentication (mutual authentication).

• Does the Duo Authentication Proxy support MS-CHAPv2 or EAP-MSCHAPv2?

In practice, the choice of which authentication protocol to use with RADIUS depends on the required level of security, the capabilities of the client and server equipment, and the specific use case.

Anatomy of a RADIUS packet (with Duo MFA)

The flow of a RADIUS packet through the RADIUS protocol involves several steps and typically follows this sequence:

1. Access Request — The flow begins when a client device (known as a RADIUS client, usually a network access server or NAS) sends an Access-Request packet to a RADIUS server. This request includes credentials provided by the user, such as a username and password, along with other attributes like the IP address and port number. The application that Duo is protecting is acting as the RADIUS client device.

2. Processing the Request — Upon receiving the Access-Request, the RADIUS server processes the request by verifying the user's credentials against a user database, typically by way of the Duo Authentication Proxy. This might involve checking Active Directory (via LDAP) or another downstream RADIUS server, such as Microsoft NPS.

3. Challenges (Optional) — If additional information is required from the user (in the case of challenge-response authentication), the RADIUS server sends back an Access-Challenge packet to the RADIUS client. The client then prompts the user for additional information, which is sent back to the RADIUS server in another Access-Request packet. A typical example of this is when using the radius_server_challenege configuration of the Authentication Proxy.

4. Duo Multi-Factor Authentication — Once the Authentication Proxy receives a successful message from the user database (AD, NPS, etc.), it will send an HTTPS request to Duo’s cloud service to perform MFA. The results of that authentication will determine which RADIUS message is sent next.

5. Access-Accept or Access Reject — After processing the request, the RADIUS server will respond to the NAS with one of the following:

6. If Access-Accept — The user's credentials are valid, and the server provides authorization attributes that inform the NAS of any specific conditions for access. The user is permitted to access the application.

7. If Access-Reject — The user's credentials are not valid or the user is not authorized for access. No further attributes are needed or sent. The user is not permitted to access the application.

Fig. 1: Example network diagram of a RADIUS packet flow with Duo

We won’t delve into Accounting workflows since Duo does not support this part of the RADIUS protocol. When Duo MFA is invoked, record-keeping data is tracked in the Authentication Log.

• What do the RADIUS response codes generated by the Duo Authentication Proxy mean?

Throughout the entire process, RADIUS communication uses UDP as the transport protocol, with port 1812 being used by default. The RADIUS packets are also usually encrypted between the client and server to maintain security of sensitive information, such as passwords. It's important to note that RADIUS itself does not define encryption methods for the data payload; instead, it relies on a shared secret between the RADIUS client and server for obfuscating passwords and certain attributes. Learn how to protect the shared RADIUS secret and other passwords that reside on the Duo Authentication Proxy.

Is RADIUS still relevant?

RADIUS is typically viewed as a legacy network protocol since it cannot take advantage of modern security benefits that would normally be available when using WebAuthn, such as phishing-resistant MFA, enhanced device telemetry, biometrics, and Passwordless. We typically see RADIUS deployed (to this day) in a network appliance ecosystem because (along with TACACS+) it is one of the protocols of choice for logging into routers, switches, wireless access points, and VPNs. Robust identity platforms such as Cisco Identity Services Engine (ISE) can enhance the agility, automation, and visibility of the RADIUS protocol. Although it is recommended that end-user facing applications be migrated over to a modern authentication protocol such as browser-based SAML or OIDC (that leverage Single Sign-On), the need for RADIUS-based client/server authentication is still prevalent today. For example, consider the following points:

1. Widespread Adoption: RADIUS has been implemented in a wide range of network devices and services. Many vendors support RADIUS in their networking equipment, making it a de facto standard for network access control.

2. Centralized Authentication: RADIUS allows for centralized management of authentication credentials. This means that users can be authenticated across various network services and devices from a single point of control, which simplifies administration.

3. Support for Multiple Authentication Methods: RADIUS supports a variety of authentication methods, including PAP, CHAP, MS-CHAP, EAP, and more. This flexibility allows it to integrate with various types of user databases and authentication mechanisms, including modern multi-factor authentication (MFA) systems, such as Duo.

4. Interoperability: RADIUS works across different types of networks, including wired, wireless, and VPN connections. Its ability to function in diverse environments makes it a versatile tool for network administrators.

5. Scalability: It can handle a large number of authentication requests, making it suitable for organizations of all sizes, from small businesses to large enterprises and ISPs. Compared to LDAP, RADIUS has less overhead when processing requests via the Authentication Proxy.

6. Security: Although it has some limitations in terms of encryption, RADIUS does offer a level of security that is sufficient for many scenarios. The use of shared secrets and attribute obfuscation helps protect sensitive information as it travels across the network.

7. Compatibility With Legacy Systems: Many organizations have legacy systems and infrastructure that already integrate with RADIUS. Switching to a new system using SAML or OIDC may not be (yet) feasible for an organization or the application vendor, so RADIUS remains relevant for ensuring compatibility and protecting existing technology investments.

Should I use RADIUS with Duo?

Duo supports many named integrations via RADIUS as well as a generic integration that can be used to protect virtually any RADIUS-based application. When determining when to use RADIUS, you might be at the mercy of the application to only use RADIUS (and perhaps even a specific authentication protocol, such as MSCHAPv2). Or you might have the option to choose between RADIUS and another protocol such as LDAP or SAML when integrating with Duo. For example, Cisco ASA for AnyConnect has multiple integration options as seen in the ‘What are the differences between the various Cisco ASA configurations?’ knowledge base article.

To help you choose the best option for protecting your application with Duo, note some of the key differences between RADIUS and other protocols:

• RADIUS can send the IP address of the client (user) by way of an attribute, typically when using calling-station-id or NAS-IP-Address. However, not all RADIUS devices send the IP address by default or may be able to send the address at all. Check your RADIUS application’s documentation for details.

• LDAP cannot send the IP address of a client/user to Duo, so this makes RADIUS a better choice if you plan to use the IP address to make contextual decisions regarding your user’s location at the time of logon.

• Using web-based applications and authentication methods such as WebAuthn (via SAML or OIDC) are even better because they can obtain the IP address (and other system information) directly from the user’s browser via the User-Agent string.

• RADIUS supports Append Mode (concatenation), but only when using non-MS-CHAPv2 authentication protocols.

• RADIUS supports inline password reset with the Duo Authentication Proxy but only with MS-CHAPv2.

• As mentioned earlier, Cisco ISE can add more functionality to the RADIUS protocol. When ISE is integrated with Duo, you can easily add MFA to all RADIUS (and TACACS+) devices that use ISE as their downstream authentication server. See the solution overviews for Cisco ISE Auth API and Cisco ISE RADIUS. 

• RADIUS does not support phishing-resistant MFA methods such as Roaming Authenticators, Platform Authenticators, and Duo Passwordless as these all require use of the WebAuthn API. You can learn more about the WebAuthn specification.

Conclusion

No matter what authentication method or protocol you choose to integrate with Duo, there will always be differences in security, useability, and compatibility that should be carefully considered. RADIUS remains an integral part of most network ecosystems and has enough use today to warrant serious consideration. As applications move toward modern protocols such as OIDC and WebAuthn, we should see a reduction in overall RADIUS usage — but there will likely remain critical use cases to support for the foreseeable future.

Access-Accept!

Duo’s Self-Service Portal (SSP), which lets users manage their own authentication devices, saves time for both Duo users and admins. However, it can also be a target for cyberattacks. Often the first step for an attacker with stolen credentials is to try to fraudulently register an MFA device, giving persistent access to the user’s account.

In a recent blog, we discussed best practices for user enrollment, including how to prevent malicious device registration when users self-enroll. In this blog we’ll share best practices for Duo admins to continue reap the benefits of self-service after enrollment while keeping their user accounts secure.

Why use the Self-Service Portal?

What’s the risk?

Self-service device management presents a similar risk to new user self-enrollment: a bad actor with stolen user credentials can attempt to access the SSP and register their own device. Once they do so, they gain persistent access to the account.

Unlike new user enrollment workflows, the SSP is protected by MFA. However, actors may try to circumvent MFA using techniques such as passcode phishing or MFA fatigue attacks. If one of these techniques succeeds against the SSP, the actor's newly registered device lets them circumvent MFA protections for future logins to other applications.

How to protect the SSP

Protecting the SSP follows the same principles as any other resource. However, secure posture exists on a spectrum and often has tradeoffs with end-user friction. A critical resource like the SSP should lean toward the secure end of that spectrum. Fortunately, users should need to access the SSP infrequently, so lockdown access controls won’t be too much of a burden.

Duo by default overrides configuration settings that allow users to bypass MFA, such as remembered device and authorized network policies and user bypass status, for SSP access. We further recommend setting custom policies for the SSP to ensure a strong posture. Specifically:

• Restrict authentication methods to the most secure one accessible by your users, such as Verified Push or WebAuthn-based methods

• Deny access from anonymous networks and from countries not typically frequented by users

• Disallow the use of tampered devices

• Consider adopting security-enhancing features such as Trusted Endpoints and Risk-Based Authentication

In addition to these application policy settings, admins can elect global settings to guard against device registration attacks.

• Attackers may target inactive accounts for takeover; to prevent this, elect to delete inactive users after a period of time

• Turn on user notifications so that users can report suspicious device registration activity

• Monitor suspicious device registrations using Duo Trust Monitor

With some or all of these safeguards in place, the SSP can be an effective way for users to manage their devices.

In Social Engineering 101, we shared the story of John, the well-meaning employee who fell victim to a phishing attack. In this scenario, John was tricked into resetting his password by a bad actor pretending to be the IT team, which gave away access to his account. In that blog, we also discussed the many ways Duo protects John, from strong authentication methods to pairing authentication with device trust policies.

But what if the email never reached John, or the phishing link was blocked? That’s why most organizations do not rely on a single security solution but layer defenses around users and sensitive resources to ensure there isn’t a single point of failure. However, the disparate security solutions meant to protect against particular threats can lead to visibility and administration challenges for organizations.

That’s why Cisco protects users from the top attack vectors targeting organizations with the User Protection Suite, which includes Duo. The User Protection Suite defends all users, devices and access to applications to reduce gaps in the attack surface.

Now, let's rethink the story of John when he is protected by the suite.

In this new story, let's assume that email protection was not in place and the malicious email made it to John. When he clicked on the bad link, Cisco Secure Access would step in and block the user from accessing the malicious destination. Cisco sees 1 million malicious domains every hour, and all that data means we have a good idea when a website should be blocked. In this new scenario, we know John could only click the link on his managed laptop because Duo’s Trusted Endpoints would block email access on unknown or unmanaged devices.

We’ve now seen John’s credentials protected by Duo and his access protected by Secure Access. But now let’s consider if John never received the attacker’s email because Email Threat Defense recognized signs of malicious intent: there was an urgent request, from an unknown sender, with a malicious link. Email Threat Defense uses multiple AI detection engines to determine the difference between true threats and false positives. It would block the email from reaching the end user and quarantine the link to provide the organization’s administrators with the context to better understand the nature of the threats targeting their organization.

When protecting users against threats, we can never assume there is one silver bullet or singular solution. Attackers are constantly finding new ways to target users and get access to an organization’s resources and data. This is not a new story. However, when Cisco security solutions bring email, web, endpoint and authentication to work together to layer the defenses around the user, that makes our users, and organizations, safer.

To learn more about how the User Protection Suite can protect your organization today, see the Cisco User Protection Suite webpage and connect with an expert today.

Identity remains a key target of attackers. Breaches leveraging identity for initial access or even privilege escalation and lateral movement are on the rise. The increased complexity of modern identity systems only intensifies the challenge of securing the identity perimeter. Organizations are grappling with a stark reality: Without contextual insights into their multi-vendor identity ecosystems, they are often blind to gaps in their defenses.

As a part of Duo’s new Continuous Identity Security solution, our deep integration with Cisco Identity Intelligence is here to bridge these gaps and deliver a new standard of protection. In the current climate of diverse Identity Providers (IdPs), hybrid workforces, and a mix of managed and unmanaged devices, Duo and Cisco Identity Intelligence organize identity perimeter data and make it easier to defend and protect.

Here's the essence of the solution: Cisco Identity Intelligence amplifies the value of your identity and security tools, including industry standbys Microsoft Entra and Okta. By integrating data from various sources, including HR systems like Workday and customer relationship platforms like Salesforce, Cisco Identity Intelligence constructs a comprehensive identity landscape. With this enriched data, Cisco Identity Intelligence organizes identity-related activity, encompassing all accounts and devices across your IdPs. This panoramic view can then be leveraged by Duo to inform enforcement points, perform Identity Threat Detection & Response (ITDR), and proactively harden your Identity and Access Management (IAM) posture.

The advantages are clear and twofold. First, you receive actionable intelligence on IAM posture gaps, enabling proactive fortification against identity-based attacks. Second, access decisions are enriched with multi-vendor identity context.

Consider the practical implications: Cisco Identity Intelligence enables administrators to significantly enhance their organization’s identity posture through critical insights into dormant accounts, gaps and vulnerabilities in MFA deployment, admin activities, and more. By coupling these insights with Duo's robust access management capabilities, organizations can modify access experiences — stepping requirements up or down – based on identity enrichment. For example, if Cisco Identity Intelligence detects a compromised session — it can seamlessly pass that information to Duo to provide enforcement like stepping up authentication requirements or revoking a session.

A CISO from a leading healthcare company expressed the tangible benefits of the integrated solution: "Cisco Identity Intelligence provides us with precise insights into identity threats. We're able to identify and address MFA adoption rates and other identity vulnerabilities, allowing us to proactively strengthen our defenses in Duo."

“Cisco Identity Intelligence provides us with precise insights into identity threats. We’re able to identify and address MFA adoption rates and other identity vulnerabilities, allowing us to proactively strengthen our defenses in Duo.”

Next steps

The most exciting news is that Duo’s integration with Cisco Identity Intelligence is available in Public Preview to most customers today. For Duo Advantage and Premier customers, follow the documentation here to activate your integration today.

If you’re an Essentials customer or a prospect interested in learning more about the power of Duo + Cisco Identity Intelligence, the best path forward is signing up for an Identity Security Assessment. This assessment is effectively a free trial of the new functionality and will showcase a variety of valuable features and use cases.

This is just the beginning. The integration between Duo and Cisco Identity Intelligence will only improve over time — so stay tuned for product updates. Here’s to helping defend the identity perimeter!

“The best way to break in is through the front door.”

We’ve heard some version of this phrase many times over, whether it pertains to a bad actor physically breaking into a secured building or socially engineering an unsuspecting victim to provide access to protected information. The cybersecurity landscape is littered with front doors, while modern society’s reliance on digital technologies is only increasing. Inevitably, several times during the workday, employees need to enter their credentials to when they turn on or unlock their device with Windows Logon — the front door. The ability to safely access our computer plays a key role in developing trust in adopting these technologies which do more good than harm.

In the world of access management, we have seen wide deployment of multi-factor authentication (MFA) at the point of the Operating System (OS) to invoke the layer of something you know (i.e., a password) and something you have (i.e., a registered device). This move made it harder for bad actors to gain unauthorized access to the endpoint device and the data on it. Consequently, these adversaries have since adapted and continue to find creative ways to pass through the metaphorical front door of our machines. The latest trends notoriously involve a cocktail of push phishing, password spraying, stolen credentials and many other nasty ingredients.

To address the burden that these attacks place on ‘all those who want to protect their local logins’, Cisco Duo is thrilled to announce that Passwordless Authentication for Windows Logon (PWL OS Logon) is now in Private Preview!

See the video at the blog post.

Passwordless for Windows Logon is compatible with Duo Passport, a new capability that we announced at RSAC 2024. Together, the two capabilities deliver a true and secure single sign-on experience for the workforce right when they start their day by logging into a Windows device.

How does this improve the proverbial front door?

Cisco Duo’s approach to a passwordless experience at the OS enables a stronger, usable defense in variety of ways (in addition to not having to enter your password):

Stronger

Useable

Where won’t Passwordless for Windows logon work yet?

This version of Passwordless for Windows logon will not work in RDP (remote desktop) sessions. Given the crossing of the trust boundary, our research shows that a different approach will be needed in the future to assert the trust of the same user on the same device.
Passwordless Offline Mode is coming soon — it is in our roadmap, but not here yet! The current experience will default to the existing Windows Logon Offline mode.

How can I try Duo Passwordless for Windows logon?

For an opportunity to participate in the Private Preview this summer, please reach out to us here! And if you are interested in trying Duo, signup for a free 30-day trial.

Duo has long been the most loved company in security. But here’s the thing: That’s despite MFA being the most grumbled-about part of many end-users’ day. While our customers love us for our ease of use, flexibility and focus on security, a lot of end users think of Duo the way they think of floss, bike helmets and low-sodium foods. Secure authentication isn’t fun, but you put up with it as part of your day because you know it’s keeping you safer.

At Duo, we are constantly pushing the envelope — how can we deliver the security that our customers need, with less inconvenience for end users? Can we make secure access a positive experience for our end users? That’s why we’re so excited to bring to market Duo Passport — a new capability that drives secure, seamless access to all the permitted applications with just one interactive authentication.

Over the past decade, MFA adoption has increased across organizations of all sizes. This is a great thing and a huge achievement for the security teams. However, it’s led to an unfortunate side effect: lots of workers, through no fault of their own and without presenting any particular risk, end up authenticating again, and again and again throughout their day. It’s normal to use an email client, a VPN, a browser, and maybe a handful of other apps in your to-do list; so why do authentication vendors put up so many walls for you?

Duo Passport reduced end-user authentication by more than 65% in one customer, who tested it over several months.

Enter Duo Passport: A better way forward

When Duo Passport is enabled, a user’s authentication is remembered for a specified time period by Duo’s cloud services across all of their applications. It leverages device binding, facilitated by Duo Desktop, to deliver a Remembered Device experience, even as the end user moves across web applications and client-based applications. Unlike other solutions, Passport does not rely on just the cookie store in the browser, or each application’s settings, to deliver a seamless experience for end-users and minimize repeated authentication requests.

Duo meets the user wherever their day starts and works behind the scenes as they move through their tasks.

Here’s where Passport gets cool: it’s customizable to your environment and compatible with all other strong security features that Duo offers. Let’s look at some examples!

One of the customers in our private preview program is an enterprise electronics company. They protect Windows Logon in their environment, as well as hundreds of applications. Some of these applications are browser-based SaaS applications, and many of them have their own clients. By rolling out Passport to more than a thousand users in their trial, they’ve saved tens of thousands of authentications that their end users didn’t have to complete interactively, while resting assured that Duo was still enforcing security through these integrations. This customer plans to roll Passport out to more than 18,000 users, and had this to say:

“The experience with Duo Passport has been really good and the feedback from all 1300 pilot users has been extremely positive. In the past, our use of MFA has been very strict and this has eased up on the end user friction that we were inadvertently putting on users.”

In another example, let’s look at Cisco’s own implementation of Duo. Cisco has deployed Passwordless widely, uses Risk-Based Authentication, and enforces Trusted Endpoints as well as Device Posture using Duo Desktop. Passport works seamlessly with all of these features! Passport adoption here is well under way, with plans for a company-wide rollout.

“With Duo, we are able to strike the right balance between User Experience and Security. It is rare that these words are used together in one statement when it comes to security related enforcements. Our User Experience satisfaction score is increasing every quarter and at the same time our security team is happy with the enforcements we are able to implement.” — Sarabjeet Rana, Information Security Architect at Cisco

A great litmus test for any balance of security and end user experience is understanding how Managed Service Providers feel about it. We’ve had a great partnership throughout our preview program with several MSPs, which speaks to the improved end user experience that Passport delivers.

“Duo Passport is an essential step on our road to making secure access the default for our customers. We selected Duo as our partner because of their attention to ease of use and their expertise across platforms. We are accelerating our deployment of Duo Passport to maximize the strength of our customers’ defenses while we keep interruptions of their workflows to the minimum.” — JustWorks, a pure play MSP founded in 1996

Duo Passport is available today, to all Duo Advantage and Premier customers. You can enable it yourself now.

We’re really excited to get this in your hands and are already hard at work on what’s next. We’re bringing Passport to multi-user scenarios, which has been requested by all our healthcare customers in preview. And if you thought that we didn’t like too many authentications…just wait until we tell you about our thoughts on passwords and remember-me cookies!

User experience and security protocols have historically been at odds. To improve security outcomes, users are forced to jump through more hoops to gain access to sensitive resources. Duo is rethinking this paradigm with the launch of Session Trust’s continuous policy.

Challenge with sessions

When a user logs in to a new application, the website sends a cookie that is stored in the browser. This enables the website to remember you. Without these cookies, users would have to re-login with every click. Imagine if you had to enter your username and password for your account every time you added a new item to your shopping cart or clicked on a new webpage.

That's why sessions are so important. However, a lot can change over the course of a session. At the beginning, session trust is high because the application can verify it’s the right user accessing the right resources. But over time, that trust might degrade as users move locations, devices become infected with malware, or new signals show that the current user is not the same one that initially logged in. Despite changing risks, access today is binary: it’s granted once at the start of a session and never re-evaluated until hours, or even days, later when the session expires.

So how can we enable organizations to evaluate risk throughout the session and take action beyond the point of authentication? What other tools can we provide organizations beyond setting session length?

Introducing continuous policy with Session Trust

Session Trust now makes access safer by continuously evaluating device health policy over the entire lifecycle of the session. There are three parts to this new functionality — device posture heartbeats that are collected continuously, ongoing evaluation of posture against the organization’s policy and web session enforcement to terminate an incompliant session.

Whereas device health policy was previously evaluated once at the time of login, continuous policy now leverages Duo Desktop heartbeats to evaluate posture constantly. Once a change is detected, a heartbeat is sent to Duo. If the device no longer complies with policy, the Duo browser extension revokes the session by removing the login cookie, prompting users to remediate device issues and re-establish trust.

By protecting sessions throughout their lifecycle, administrators can confidently increase session time, knowing that sessions can be revoked the moment risk levels change. End users can stay logged in longer, and administrators no longer need to face the hard choice of frustrating end users or attackers.

Duo’s vision for Continuous Identity Security

The Session Trust continuous policy feature is an important milestone for Duo as we seek to achieve our goal of providing Continuous Identity Security for our users and organizations. We see a world where trust is neither binary nor permanent, where Duo works continuously so you don’t have to.

As we look to the future, we are working to expand the signals that Duo can collect and process—providing a more cohesive view of risk — and giving organizations more tools to better protect their users. Additionally, we are working to make Session Trust available for more application types, ensuring that every session maximizes user experience and security.

To learn more, sign up for a free trial of Duo or reach out to your sales rep to sign up for private preview today.

Cisco Duo plays pivotal role in safeguarding identities for organizations of all sizes and industries, providing a simple way to defend against identity-based attacks. However, challenges to zero trust security still exist; organizations must maintain strong security in mixed-IT environments while balancing increases in staffing, spending and agent fatigue.

In collaboration with Google Chrome Enterprise, Cisco Duo is excited to introduce the general availability of Duo's native Device Trust integration with Chrome Enterprise and ChromeOS to address these concerns, empowering organizations through agent-free device trust across all three major platforms: Windows, Mac and ChromeOS. Want to learn more? Check out the end-user demo!

Announcing Duo Device Trust Connector for Chrome Enterprise and Chrome OS

According to Duo’s 2024 Trusted Access Report, 62% of desktop authentications were made from Chrome. With many users already utilizing Chrome browser to get work done, Duo’s partnership with Chrome Enterprise strikes a balance of security and user experience.

With a Chrome Enterprise-managed browser, the browser itself provides device posture signals. Traditionally, establishing device trust often involved deploying and managing endpoint agents, a process that could slow down onboarding and add administrative overhead. Duo’s Device Trust integration with Chrome Enterprise eliminates this pain point with an out-of-the-box, cloud-delivered integration. Duo's integration with Chrome Enterprise provides attestation of the device identity using Duo Trusted Endpoints policy before enabling access. This is Duo’s second Chrome Enterprise Recommended solution and an updated solution of Google Verified Access.

“Traditionally, establishing device trust often involved deploying and managing endpoint agents, a process that could slow down onboarding and add administrative overhead. Duo’s Device Trust integration with Chrome Enterprise eliminates this pain point with an out-of-the-box, cloud-delivered integration.”

Let’s take a look at how it works!

How Duo’s Device Trust integration protects your organization

As enterprises continue to become more reliant on the browser, more sensitive data is being stored in the cloud. It is more important than ever to protect your user identities and ensure your resources are only being accessed by managed devices.

Advantages of Duo and Google Chrome Enterprise

• Agentless Deployment — Simplify deployment and reduce risks of transitional downtime through tested cloud delivery.

• Stronger Security — Verify device trust at every login attempt, and limit access to only known devices and browsers.

• Enhanced User Experience — Streamline user experience and boost productivity with an integration that secures access from any location.

• Wide OS Support — Deploy Duo Device Trust across Windows, MacOS and ChromeOS from a single Google Admin panel (Chrome Enterprise).

• Ease of Management — Less to manage in a centralized Duo dashboard, with granular policy adjustments for organizations of any size.

Duo Trusted Endpoints with DTC offers a powerful, agentless approach to device trust. Start customizing your zero trust strategy by enforcing device trust on your most sensitive application(s) or a particular group of users with Duo’s granular policies. Leverage Google Chrome Enterprise Core to effortlessly configure your devices, and manage access for your Windows, Mac and ChromeOS devices centrally through Duo's intuitive Admin Panel.

Read our documentation page to get started setting up Duo with DTC or check out the end-user demo. And to see additional ways Duo customers can secure their users across Google’s ecosystem, please visit our Cisco Duo + Google partner page.

Want to learn more about additional Cisco Security Chrome Enterprise Recommended solutions?

• Splunk’s Chrome Enterprise Recommended Chrome Security & Reporting connector provides additional security insights.

• Cisco Security for Chromebook — part of Cisco Umbrella and Cisco’s Security Service Edge (SSE) product family — provides DNS-layer security for the entire ChromeOS and secure web gateway (SWG) protection for the Chrome browser.

The security industry has diligently battled compromised credentials, evolving from passwords to multifactor authentication (MFA) to passwordless — our most secure and phishing-resistant method to date — and one that is fully supported in Duo. Despite these advancements, we still see many identity-based breaches year over year. Why?

For one, MFA coverage is still vastly incomplete, with weaker forms of MFA now easily bypassed by attackers. And second, organizations still face practical challenges deploying passwordless solutions. Despite their remarkable security value, our 2024 Trusted Access Report reveals that passwordless methods still account for less than 5% of authentications.

This means there are serious holes in our authentication armor today. To duct tape over these gaps, we’ve often demanded our users repeatedly prove their trustworthiness — a cumbersome and frustrating experience.

To simultaneously address the increase in identity-based attacks and ease the frustration of repeated authentication, Cisco Duo is proud to announce our new solution: Continuous Identity Security. Continuous Identity Security minimizes these gaps today in chaotic real-world environments with multiple identity providers (IdPs), hybrid workforces, unmanaged devices and legacy applications. With Continuous Identity Security, you can be safer while working towards a passwordless future.

“Continuous Identity Security minimizes these gaps today in chaotic, real-world environments with multiple identity providers (IdPs), hybrid workforces, unmanaged devices and legacy applications. With Continuous Identity Security, you can be safer while working towards a passwordless future.”

To deliver Continuous Identity Security, Duo has developed two new pieces of functionality: deep integration with Cisco Identity Intelligence and a seamless new access experience, Duo Passport.

Our integration with Cisco Identity Intelligence adds value on top of your identity and security investments like Microsoft Entra and Okta. It uses AI to analyze all identity-related activity across all accounts, all devices and IdPs to provide deep visibility into identity infrastructure and continuously inform Cisco Duo enforcement points.

The benefit is twofold. Organizations get a strong understanding of what’s happening in their identity environments, enabling them to improve posture by increasing MFA coverage, decreasing dormant accounts and controlling administrator privileges more concisely. Additionally, Duo access decisions are now enriched with identity data. For example, if an administrator takes a risky action or a dormant account attempts access after months, Duo can increase authentication requirements.  

If Cisco Identity Intelligence enhances security, Duo Passport dramatically enhances user experience. Passport takes the promise of traditional Single Sign-On (SSO) solutions (i.e. one login, many use cases) and expands it beyond SaaS apps to multiple browsers, operating systems and thick clients. Now, a user can login securely to their laptop and that trust will be seamlessly brokered to the web, but also to thick client logins like a VPN. The experience is seamless and secure for end users, drastically reducing the repeated authentication requests they face daily.  In fact, a preview customer reduced authentications by 66% in their environment.

“In fact, a preview customer reduced authentications by 66% in their environment.”

However, the expedited experience only persists in trusted scenarios. Duo will continuously assess the risk throughout the user’s session — before, during, and after login. In suspicious situations, Duo will dynamically increase authentication requirements, or even block a user.

With Continuous Identity Security, organizations can protect themselves against the sharp rise in identity-based attacks — all while maintaining a seamless access experience for their end users. Security is better because organizations now have deep visibility into identity environments and access decisions are enriched with both device and identity context. Yet, user experience is also improved because Passport and continuous analysis means trust can be shared between authentication checkpoints, reducing authentication frustration.

While the ultimate goal is a fully passwordless landscape, the journey there is complex. Duo offers a powerful new solution for today's security challenges. With Continuous Identity Security, we make a large step forward in our commitment to frustrating attackers while delighting users. If you’d like to learn more about Continuous Identity Security, register for our webinar, read more at our solution page, or just drop us a line.

If you’ve been wondering what the plan for Microsoft Custom Controls is, wait no more! We are excited to have partnered closely with Microsoft in the co-development of Microsoft Entra ID External Authentication Methods, now in Public Preview!

External Authentication Methods (EAM) enables frictionless integration of Duo’s full security feature set. We know our customers love using the power of Duo’s identity security solution together with Microsoft Entra ID (previously Azure AD) to make it easy to set-up SSO, deploy passwordless, or create and manage granular access policies and ensure that only trusted users and devices are given access to their applications. Duo is now a fully integrated MFA and advanced identity security provider within Entra ID.

Want to learn more about this integration? Check out our end-user demo!

“At Microsoft Security, we're always looking for ways to help our customers stay ahead of the curve when it comes to security. The integration of Entra ID External Authentication Methods with Duo is a prime example of this commitment, as it allows our customers to leverage the MFA solution they already have in place to protect against increasingly sophisticated phishing attacks.” — Natee Pretikul, Principal Product Management Lead, Microsoft Security

Benefits of Duo and Microsoft Entra ID EAM

Heterogenous infrastructure and mixed-vendor IT environment add complexity to managing policies, users, and devices. This can lead to confusing sign-in processes or security loopholes. Switching between multiple MFA providers can cause confusion for organizations and friction for their users. Duo’s new integration with Entra ID through EAM enables authentications through Duo to be recognized by Entra ID as a strong security factor that meets MFA requirements. Now, Duo works even more seamlessly across all Microsoft and non-Microsoft workflows, allowing customers to consolidate their identity security and MFA while delivering a consistent and frictionless experience to end users.

Duo and Microsoft for Managed Service Providers

“Duo and Microsoft EAM is a killer combination. Using them together allows Tigunia to have a single MFA system for all protected applications, while still satisfying the MFA requirement in Microsoft 365. Previously with Custom Controls, we would have to switch to MS Authenticator to perform DAP/GDAP operations or Verify Apps, but with EAM and Duo we can use a single system to require MFA for everything. The efficiency, user experience, and security gains of using EAM with Duo are incredible.” — Martin Twerski, Director of Internal Systems at Tignunia

Get started with Duo as a Microsoft Entra ID External Authentication Method

Microsoft Entra ID External Authentication Methods is available now in Public Preview, and you can dive in, begin testing and plan your migration from Custom Controls to EAM. Stay tuned, as we'll be providing further updates and support to assist customers in the transition to External Authentication Methods, like self-service password resets.

Without having to worry about transitional downtime risks, customers can experience seamless cloud delivery and set-up of Duo’s stronger access security solution. Start integrating Duo with Microsoft Entra ID External Authentication Methods for an even better security experience!

Read Microsoft’s announcement for more to learn more about this integration. And check out Duo’s technical documentation for guidance on making the switch.

Want to see what it looks like in action? Be sure to check out our EAM end-user demo!

Duo is a Microsoft Intelligent Security Association partner (MISA) and continues to strengthen our commitment to providing customers with best-in-class security experiences. See Duo on Azure Marketplace.

Enrolling users to use multi-factor authentication (MFA) is an essential security step for any organization. But user enrollment can be a logistical challenge and comes with security risks. In this blog we’ll discuss enrollment options and best security practices for Duo admins, whether they are rolling out MFA for the first time or maintaining enrollment for their users.

Enrollment basics

Enrollment is the process by which users are added to a Duo account and enabled to use MFA. To be enrolled, a username must exist in Duo (i.e., be visible under the Users page in the Duo Admin Panel) and the user must have registered at least one MFA device.

Enrollment methods

Administrators have several methods to choose from for enrolling users.

• In automatic enrollment, user information is uploaded in CSV format or synced from a directory service.

• In self-enrollment, users enroll themselves either from an enrollment email or inline as they attempt to access a Duo-protected application.

• In manual enrollment, admins enter information for users one at a time.

Automatic enrollment might seem easier for users, but they still must follow up to add their authentication devices. Even when a phone number is included with automatic enrollment, enabling SMS and phone call authentication out of the gate, we recommend that users add additional methods that are more secure against attacks.

To reduce helpdesk calls and encourage the use of secure authentication methods, Duo recommends that users be allowed to self-enroll and to manage their own devices after enrollment.

New User Policy

Prior to enrollment, users’ access to Duo-protected resources is governed by the New User Policy. Like all Duo policies, this can be set globally or for specific applications and user groups.

The New User Policy has three options. The default is “Require Enrollment,” which prompts users for inline enrollment the first time they try to gain access. “Allow access” exempts new users from MFA and should be used with caution. “Deny Access” provides the tightest security control but can lead to friction for new users. For example, admins should be careful not to deny access to email accounts where users are sent self-enrollment links.

Self-enrollment risks

Duo recommends enabling users to self-enroll when possible, but there are some risks. An attacker with stolen credentials may attempt to enroll on the legitimate user’s behalf, either by stealing an emailed self-enrollment link or by initiating inline self-enrollment when attempting to access a resource. They can then register their own device, gaining persistent access to the user’s account.

Admins must weigh these risks when choosing enrollment methods and setting New User Policy. On balance, self-enrollment still can be an effective option if admins follow best practices.

Secure enrollment best practices

Organizations’ primary goal with enrollment should be to get as many users using MFA as possible, as quickly as possible. However, they must also be careful not to leave the door open to bad actors. This section will outline best practices for keeping enrollment secure.

Practice #1: Eliminate bypass access

Enrolling users is no help if an organization’s resources do not require MFA by policy. Duo Admins can exempt applications, user groups, network addresses or locations from MFA and can place individual users in bypass status. These options are powerful tools when used appropriately but can leave resources vulnerable if organizations aren’t careful.

When users can bypass MFA and inline self-enrollment is enabled, they may never encounter the enrollment prompt and will remain unenrolled or partially enrolled indefinitely. These users’ accounts are “sitting ducks” for bad actors to steal credentials and initiate the enrollment prompt themselves.

To reduce bypass access, admins can review the access policies set in the Duo admin panel. They can also check their organization’s authentication logs to gain visibility into authentications in their environment that bypass MFA.

Practice #2: Resolve inactive and overprovisioned accounts

Inactive accounts are a risk to any organization, since bad actors can take over these accounts and use them to enroll with Duo and gain persistent access. Active accounts that are provisioned to access Duo-protected resources, but where users do not access the resources and have not enrolled with Duo, are similarly risky.

To address these risks, admins should look for user accounts with access to Duo-protected resources that are not enrolled with Duo. Tools like Cisco Identity Intelligence can help with this task by bringing together user information from multiple sources.

Practice #3: Monitor partial enrollment

Users who exist in Duo but who do not have any authentication devices registered are considered partially enrolled. Partial enrollment results when no phone number is provided during automatic or manual enrollment, or when a user fails to follow up from a self-enrollment email. Admins can also return a user to this state by deleting all their authentication devices.

Partially enrolled users are a problem because, depending on the New User Policy, they may be denied access to resources or may be at risk for self-enrollment attacks. They also consume a license and contribute to the organization’s costs.

Duo provides several tools for addressing partial enrollment. Admins can view these cases in the Admin Panel’s Users table under the heading “Not Enrolled” and can send out enrollment emails. Users who were sent an enrollment email (including through automatic enrollment) can be further reviewed in the Pending Enrollments table. As a safeguard against partially enrolled user accounts persisting indefinitely, admins can elect to lock out users who have not registered a device for a period of time after appearing in Duo.

Practice #4: Detect suspicious activity

Even the best security posture does not provide 100% protection against malicious actors. Organizations should monitor for suspicious device registrations and authentication activity, which could indicate access by a malicious actor.

Duo Trust Monitor, available on Duo’s Advantage and Premier editions, detects and notifies admins about suspicious activity in their accounts, including device registrations. Activity and authentication logs can also be imported into a third-party monitoring and detection tool using the Duo Admin API.

Conclusion

Duo’s policy and configuration options give administrators lots of ways to ensure that users are broadly enrolled in MFA across their organization. The choice of enrollment method and New User Policy ultimately come down to each organization’s individual needs. Regardless of which options they choose, admins can keep the enrollment process secure by following the best practices above.

To learn more about setting up your organization’s Duo account, check out our Liftoff Guide.

It is a well-known and established point that a password alone is not enough to secure an account. That’s where multi-factor authentication (MFA) comes in. Typically, a user confirms their identity using an application on their phone and accepts a push notification. But what if an attacker can just send that authentication request to their own personal phone? Now MFA can no longer stop the cybercriminal from gaining unlimited access.

This type of attack is known as Account Manipulation: Device Registration. This is when a bad actor gains access to a user’s account through compromised credentials and push bombing or phishing a one-time passcode to get past the MFA requirement. Then, the attacker enrolls a new device to bypass MFA and gain unlimited access to an organization’s resources and data.

Mike Moran, Duo data scientist, threat researcher, and co-contributor of this MITRE ATT&CK® technique wants customers to understand how important it is to be aware of and protect against this type of attack.

“An adversary attempting to or successfully registering their own MFA device has become much more common over the last few years, yet it is still an aspect of zero trust systems that is often overlooked. This reality highlights the need for security enhancements to the enrollment process that provide real-time detection and remediation while maintaining scalable usability.”

Protecting against fraudulent device registration requires fully understanding the device enrollment process within your organization and increasing your defenses against this specific action. In addition, it is important to continuously audit and monitor your environment to detect potentially risky registrations. With Duo, there are a few different approaches to harden your defenses. You can also check out this Duo help article that provides policy recommendations and directions for how to secure your accounts.

Proactive Protection:

• Self-Service Portal Authentication: To enroll a new device on your Duo account, set up the policies in the self-service portal to limit authentication to more secure factors, like WebAuthn or Verified Duo Push.

• Trusted Endpoints: Duo’s Trusted Endpoints feature allows an organization to block all unknown or unmanaged devices from accessing your organization’s resources, preventing the trusted user from getting fraudulent push or enrollment requests in the first place.

• Risk-Based Authentication: Risk-Based Authentication can detect patterns from attackers and step up the authentication requirements to more secure factors in unknown or risky situations.

Detection & Response:

• New Device User Notifications: Set up notifications so users are informed if a new device has been added to their account. If the user does not recognize the device or action, they can report the activity to the Duo administrator.

• Duo Trust Monitor: Duo Trust Monitor uses a combination of machine learning models and security heuristics to surface events that may be a risk or threat to your organization. For device registration events, we primarily use heuristics that are defined by threat researchers based on previously observed or theorized attacks against MFA systems. The product is currently being improved to surface registration events in real time, combine intelligence from multiple data sources when making an assessment, and more.

For more information, on best security practices to protect against identity-based attacks, check out Duo’s new eBook, Securing Organizations Against Identity-Based Threats.

At Duo, we know just how important the admin experience is. Without it, features don’t get used and customers don’t get their return on investment. It’s for this reason that we’re excited to release a new view of Duo policies designed specifically to solve customer complaints and help admins manage their policies.

Policy is at the heart of deploying and managing Duo. It’s how admins customize the security experience of users and manage risk during authentications. It’s how you block untrustworthy devices or require the latest operating system versions. However, it traditionally doesn’t let admins easily understand policies they have or quickly view the contents. Instead, customers have faced long scrolling, no built-in searching or sorting, and no high-level summaries.

We’re changing that.

What’s new?

The first thing you’ll notice when exploring this new view is how compact it is. Gone are the days of scrolling and scrolling. This new screen is designed to show about 5 policies, because 90% of customers have five or fewer policies. Want to know if you’ve got policies with the same name or applied in similar ways? It’s easy to see all in one screen.

What if you want to see a few details or a summary of that policy? It’s just a click away. Click on “rules” and you’ll see a drawer designed to highlight the most important information. You can see when a policy was created, when it was last modified, what rules are enabled and how it’s been applied.

See the video at the blog post.

Want to know which policies have been applied to an application or user group? Search is now built into the page. The days of command+f are gone. You can search and the list will filter to only show policies with matching results. The layout is designed to make it significantly easier to scan and see how any particular policy has been applied.

It’s not just visual changes that we’ve added. You now have the ability to duplicate a policy or bulk delete policies. We talked to users and saw admins painstakingly recreating complex policies from scratch only to discover typos days or months later. With duplication, admins can duplicate any policy (including global) as many times as they like.

See the video at the blog post.

The policy team is very excited to introduce this new view. It’s the first big change to this page in years and it’s just the beginning of new policy features in the works. 

Try it out

How can you experience this new view? Sign into the admin panel, head over to policies and click on the banner. And since we know change is hard, if you don’t like the new view, you can always switch back.

Negative Outcomes of Using Security Functionality From IT Tools Instead of Dedicated Security Controls

Vendor consolidation is gaining momentum in the IT space. CIO magazine reported that 95% of IT executives polled plan to consolidate software solutions due to “architecture consolidation” and “cost.” Hypothetically, consolidating vendors could seem appealing. After all, it could decrease spending and reduce silos in infrastructure, so what could go wrong?

When it comes to securing identities, the stakes are high; Cisco Talos reported in February that three of the top five MITRE ATT@CK techniques used in 2023 were identity-based. So, what really happens when you move to consolidate identity security from a best-of-breed identity security product like Duo to a bundled “identity management with security” solution?

Today, we’ll highlight key negative business outcomes to watch out for with the new software consolidation trend, and why Duo may be the best option for your organization’s identity security strategy.

Negative outcomes of migrating off best of breed

Bundled identity security licensing may have sticker price appeal, but customers find Duo more cost-effective to implement, maintain, and support. As stated in the Forrester Total Economic Impact™ of Cisco Duo blog, “customers saved $3.23 million net present value (NPV) and had a 159% ROI.”

On paper, the positive outcomes of decreased spending and reduced software infrastructure silos sound appealing. Still, if you decrease spending on the front end, and increase total cost of ownership, it could severely impact your return on investment.

In the long term, through complex deployment, ongoing maintenance, support, process changes and enablement, bundled identity solutions could severely reduce your return on investment and create negative outcomes for your identity security strategy.

Increased total cost of ownership

To move from a best-of-breed product like Duo to a bundled identity solution, the increase in cost of ownership begins with deployment and extends into ongoing life cycle management, support, and more.

Information technology and security leadership needs to be aware of the hidden costs and the burden of a “rip and replace” migration that impacts all users, administrators and contractors. This burden falls on your team's shoulders. Due to the impact of a project that touches the entire organization, this is the type of project with the potential impact of pushing back other projects. Your team must plan to disrupt the entire user population's access routines and prepare fellow directors and c-levels for their teams to experience disruptions and delays in response from support. Your attention must then turn to your admin teams as they secure, manage and support a new solution with a plan for an increase in support tickets and complications with advanced access policies, application gaps and other single-solution weaknesses.

Your super administrator accounts are now also a top attack vector and house both identity and security in one platform, so you need to make sure policy is as strict as possible for privileged access users and monitor abuse closely.

This also creates a lot of problems for your admins, analysts and help desk teams, as they’ll have to dedicate time to address testing and configuring new product technical prerequisites, access management policies, and new authentication configurations.

First, your team will need to test, configure, and deploy any new product technical prerequisites, access management policies, and change application configurations across your environment. Your team will then need to move any custom integrations — such as Duo software development kit (SDK) use cases, API use cases, and SIEM workflows —  and address any application, logging and policy gaps in the new solution. Your team will also need to update all existing administrator and user enablement while also informing, educating, and training administrators, users, and contractors on the new solutions. This includes policy, application configuration, troubleshooting tactics, log management, configuration documentation, diagrams and more while your organization grows comfortable with the new solution.

This brings me to user experience, which will be disrupted across the organization given the change in login experience. Users, contractors and partners will need to expect delays in help desk response time and support knoweldge of the new software. They’ll also need to take any new access management training and become familiar with new access management software. There will also be changes in experience, such as self-service device management policy limitations, mobile app experience and clear user messaging when logging in or remediating issues.

“User self-remediation helps Duo customers decrease help desk tickets by notifying and warning users of out-of-date software at login. It also enables users to update their own devices immediately.”

User self-remediation helps Duo customers decrease help desk tickets by notifying and warning users of out-of-date software at login. It also enables users to update their own devices immediately. If users do not remediate, you can enforce software policies across browsers and devices with access control policies. This allows organizations to lessen the help desk load by keeping devices up-to-date, healthy and able to meet corporate access requirements. Unlike other access policy engines, Duo manages software versions, so you don’t have to manually update.

Decreased security

Identity is the only perimeter left, and it’s a complex problem. It can be a game of whack-a-mole trying to plug every hole the identity journey creates. Identities are accessing both cloud and on-premises applications. They’re also working from anywhere, anytime, from any device, which creates an assortment of challenges that require strong, easy-to-use and deployable security. Without this kind of security, attackers simply find workarounds for existing security solutions and infiltrate.

CISA reported that “Weak Security Controls and Practices Routinely Exploited for Initial Access.” This means that advanced identity security access management policies are either being misconfigured or deliberately not configured, which allows attackers to attack gaps and weaknesses in access management policies. As highlighted by recent identity-based attacks, both scenarios are being exploited by attackers to the same effect.

Today's threat landscape requires the strongest levels of security on identities, applications and devices accessing sensitive, corporate applications. Artificial intelligence (AI) will continue to create more challenges as it continues to improve on impersonation and automatic attack generation.

With identity being the most attractive attack vector, your organization needs strong, easy-to-use and deployable identity security solutions to combat the evolving threat landscape. Bundled identity solutions have slower-to-deploy security tools with complex, strict technical prerequisites, security limitations, expensive licensing and reliance on expensive partner products to protect all workflows across identities, apps and devices. In addition, super admin account takeover attacks can have a higher impact, since identity management and access security are centralized under one login.

Once all identities, apps and devices are configured, inferior identity and device security policies and controls can lead to weak access requirements being put in place due to policy engine complexities and limitations. Reporting and logging tools typically lack security visibility and tailored usage insight, and it’s difficult to understand app, identities, and device activity over time across portals which makes it complicated to audit login issues and troubleshoot when issues arise.

Some upsold advanced security features, such as identity protection and risk-based authentication, are more reactive threat analysis tools than adaptive, real-time authentication security solutions that assess risk at the point of login and throughout the lifetime of the session. It’s also typically complex and/or expensive to protect workstations, legacy apps and servers such as SSH, RDP, RADIUS, and most do not have a software development kit or APIs like Duo.

How Duo is different

Easy to use

To begin with, Duo makes things simple for our customers:

• Simple for users to enroll, authenticate and remediate issues

• Simple for administrators to configure, deploy, protect and manage

• Simple for security operations analysts to review and analyze threat data

Scalable and flexible

Duo can adapt to your customers’ needs as your organization evolves:

• Grows with your business as your security needs change

• Offers a broad range of authentication methods for every type of identity

• Flexible, deploy-ready policy controls

Faster speed to security

Duo also provides what we refer to as “faster speed to security”:

• Duo is fast and makes it easy to deploy advanced identity security controls across any size organization

• Thanks to Duo’s self-service and user self-remediation features, end-users can resolve issues using Duo very quickly without contacting IT

• Identity security in-depth; as threats change, we enable customers to respond and block threats rapidly

Broadest coverage

Finally, Duo delivers the broadest coverage across identities, devices and applications:

• Supports all identity types (employees, contractors and partners)

• All types of devices (corporate-issued and managed and personal unmanaged devices, plus most operating systems including macOS, Windows, Linux, iOS and Android)

• Integrates with virtually any application, whether it’s off-the-shelf or custom-built, and hosted on-premises or in the cloud

Duo is just getting started

While the allure of bundled identity may be tempting, it's essential to carefully weigh the potential risks and costs associated with migrating from Duo to alternative solutions. By considering factors such as weaker security policies, deployment and training expenses, hidden costs and the value of familiarity and reliability, businesses can make informed decisions that prioritize their security and operational efficiency in the long run. In the complex maze of cybersecurity, often the best path forward is the one you're already on.

Where Duo is headed next

To learn more about where Duo is heading, please check out the Duo blog: Announcing Identity Intelligence With Duo, which highlights Duo’s available customer preview of identity threat detection and response (ITDR) and identity security posture management (ISPM) functionality and more exciting identity security innovations.

Stay tuned!

If you would like to chat more with a sales or partner specialist about identity security, feel free to contact us!

Duo Security has been a long-time supporter of the FIDO Alliance, starting in 2014 with our adoption of U2F. We remain active through 2024 in many of FIDO's working groups and continue to support the FIDO Alliance's mission of reducing the world's reliance on passwords through passkeys.

Two years ago, work began to assess Duo's commitment to this mission and consider we might more actively participate in its evolution. We are happy to announce the following changes to this strategic partnership.

First, Duo Security has successfully migrated our FIDO Alliance membership to Cisco. This will let us extend access to the FIDO Alliance to other Cisco teams like Webex.

Second, we realized that for Duo to effectively push for the improvements and changes that our customer's desire (or even require), we needed to increase Cisco's membership within the FIDO Alliance to gain a seat on the Board. The Board drives the direction of the FIDO Alliance. Additionally, as the FIDO Alliance shifts its strategy to focus on passkeys adoption guidance, we felt now was the time to leverage our extensive experience as a Relying Party and add our voice to underrepresented passkeys use cases.

“We are pleased to announce that the FIDO Alliance has approved Cisco’s application to join the Board… This will allow us at Duo Security and greater Cisco to push for the changes we and our customers desire within the FIDO Alliance.”

After months of discussing this idea with internal and external parties, a formal written application, and virtual interviews, we are pleased to announce that the FIDO Alliance has approved Cisco's application to join the Board. Matthew Miller will be Cisco's delegate on the FIDO Alliance Board with Chris Anderson serving as his alternative. This will allow us at Duo Security and greater Cisco to push for the changes we and our customers desire within the FIDO Alliance as well as continue our thought leadership within the identity and authentication industry.

“We enthusiastically welcome Cisco to our board of directors,” said Andrew Shikiar, executive director and CEO of the FIDO Alliance. “Cisco has been a longtime and valuable contributor to FIDO Alliance and its authentication specifications first through Duo Security and now formally as Cisco.”

Shikiar continued, “We look forward to Cisco’s expertise and direction as a relying party at the board level, which is critical now as FIDO technology has matured and we’ve shifted our focus to the usability of passkeys and enabling relying parties to implement them effectively.”

Here's to passkeys in 2024 and beyond!

In cybersecurity, the constant emergence of new vulnerabilities keeps organizations on their toes. A recent development is the discovery of the Silver SAML attack, a sophisticated vulnerability that targets Security Assertion Markup Language (SAML)-based authentication systems. Let's delve into what this means for organizations and how solutions like Duo SSO are designed to mitigate such risks.

What is the Silver SAML vulnerability?

Cybersecurity researchers have uncovered a new attack method known as Silver SAML. This technique can exploit SAML-based single sign-on (SSO) services, even when measures against similar Golden SAML attacks are in place. The vulnerability centers on the use of self-signed or externally generated certificates for signing SAML responses. If attackers obtain the private key of an externally generated certificate, they can forge SAML responses and impersonate any user, gaining unauthorized access to applications and services.

Duo SSO’s mitigation approach

Duo SSO has a security architecture that inherently mitigates this type of vulnerability. Unlike some identity providers that allow the use of externally generated certificates for SAML response signing, Duo SSO exclusively uses self-signed certificates. This design choice significantly reduces the risk associated with the Silver SAML attack in the following ways:

• Controlled Certificate Lifecycle: Self-signed certificates are generated and managed internally within the Duo SSO ecosystem. This control over the certificate lifecycle minimizes the risk of private keys being compromised.

• Integration Segmentation: Each Duo SSO integration has a dedicated signing key that is only ever stored in encrypted form and backed by a Hardware Security Module (HSM). The HSM provides an additional layer of protection by managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.

• No External Exposure: By not allowing externally generated certificates, Duo SSO ensures that the signing process is less susceptible to external threats. There's no risk of an attacker obtaining a private key from a certificate generated outside the protected environment.

• Regular Auditing and Monitoring: Duo SSO includes robust auditing and monitoring features that help detect and alert on any suspicious activities, including unauthorized changes to configurations that could indicate an attempted security breach.

• Best Practice Enforcement: Duo SSO encourages and enforces security best practices, such as strong authentication measures, which provide an additional layer of defense against various attack vectors, not just Silver SAML.

Remaining vigilant

While Duo SSO's approach to using self-signed certificates for SAML response signing effectively mitigates the specific risk presented by the Silver SAML attack, it's a stark reminder of the need for organizations to maintain constant vigilance. Cyber-based threats are constantly evolving, and defenses that are secure today may be challenged by the threats of tomorrow. To stay ahead of potential risks, it's crucial for organizations to target three essential processes:

• Implement comprehensive security strategies that go beyond reliance on a single mitigation technique. Remember, a multi-layered approach to security is essential in creating a resilient defense against a variety of threats.

• Stay up to date with the latest security advisories and updates. Keeping informed about new vulnerabilities and emerging attack vectors is the first step in a proactive defense.

• Educate users and IT teams on potential threats. Knowledge is power in cybersecurity. Regular training and awareness programs can empower users to recognize and respond to security incidents.

When thinking about a comprehensive security strategy, increased visibility and monitoring around the identity perimeter is indispensable. Solutions like Duo’s identity security capabilities powered by Cisco Identity Intelligence play a pivotal role in enhancing security posture. By offering continuous monitoring and advanced analytics, Duo equips organizations with the capabilities necessary to detect and respond to anomalous behavior and access patterns in real-time. This level of insight is critical for identifying and mitigating potential compromises before they escalate into more significant breaches.

With features such as endpoint visibility, anomaly detection, automated alerts, and dynamic policy enforcement, Duo serves as a steadfast guardian, safeguarding the identity perimeter. It's a robust layer of security that complements the inherent strengths of Duo SSO, creating a unified front against identity-based threats.

As we traverse the complexities of the security landscape, it's clear that the partnership with trusted and proactive security providers like Duo is more than a convenience—it's a strategic imperative. By leveraging advanced solutions like Duo’s identity security, organizations can achieve the heightened level of security vigilance required in today's digital age.

Conclusion

The Silver SAML vulnerability highlights a landscape where threats constantly evolve and demand agile and robust defenses. Duo SSO's use of self-signed certificates sets a strong defensive baseline against such threats. However, to truly stay ahead, organizations need to augment foundational security with advanced protections.

Duo’s identity security capabilities powered by Cisco Identity Intelligence offers this next level of defense, providing the necessary visibility and proactive monitoring to identify and thwart potential threats swiftly. By choosing Duo Advantage or Duo Premier plans, organizations gain access to these enhanced capabilities, reinforcing their security posture in the face of sophisticated attacks like Silver SAML.

Act now to fortify your organization's defenses. Duo SSO is available in all Duo editions, allowing you to securely protect your SAML, OIDC, and OAuth applications. Explore the Duo Advantage and Duo Premier plans to unlock the full potential of Cisco Identity Intelligence and ensure your organization's resilience against the ever-changing threat landscape.