Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With this interview series, we take a deeper dive into their insights and share bonus footage.

Today: Simon Sing – a science author and journalist who explores mathematics, cryptography, and cosmology – digs into the pre-computing history of passwords, the evolution of cryptography, and how they enabled today’s information revolution.

Why we encrypt

Chrysta: As a little bit of context for the audience, can you define a code and a cipher and what’s different between those two ideas or those two methods?

Simon: When we talk about secret communication, we use words like “encryption” and “encipher” and “encode,” and all of these things are kind of used interchangeably.

There are some technical definitions. So for example, a code is where one word is always replaced with a certain symbol, for example, and that’s always the case. One word, one symbol. And encipherment tends to mean that the word is jumbled up and it can be jumbled up in different ways on different occasions.

What human need drove the creation of codes and ciphers and secret communication?

As soon as people start writing things down, as soon as we have the invention of writing, we have the need to make sure that what we’re writing down can be secret, can be protected. So we might be writing down military plans, we might be writing down recipes for a pottery glaze, we might be writing down love letters. Whatever it is, we might not want prying eyes to know what we’re documenting.

In terms of the situations where these techniques would be used, was it always sort of a martial life or death situation, or was encryption used in more mundane scenarios as well?

When we think of encryption, we often think of military generals. Julius Caesar wrote a book, a little book on encryption and was quite familiar with how to use it. And we think of the second world war, we think of modern warfare and the information age and the information war. But also school kids like to keep their diaries encoded sometimes for very good reasons. So there are more mundane uses of encryption as well.

Early encryption: The Caesar and Vigènere Ciphers

Chrysta: One of the things that’s really interesting in your book is that you show this leapfrogging advancement, where code makers innovated new techniques, code breakers would develop their own techniques to try and reverse that method, and that kind of back and forth built more complex iterations on these basic techniques. What would you say some of the biggest or the earliest innovations in the development of codes and ciphers were?

Simon: The one we might all have used in school is to replace every letter with a symbol, okay? So “A” might be a diamond. “B” might be a cross, “C” might be a circle, okay? Every letter with a different symbol. And people used this for centuries. It was a very strong form of encryption.

And then people realized something called frequency analysis. Now, frequency analysis was first documented in Baghdad by a mathematician philosopher called Al-Kindi. And he wrote the first-ever document on code breaking. And what Al-Kindi said was that if a letter is very common — so in English “E” is very common, and let’s say we replace E with a triangle — well then, triangles are going to be very common. So the code breaker latches on to the frequency of triangles says, “Hey, triangles must be ‘E’s,” and then the next most common symbol will be “T” the next most common symbol will be “A” and so on. So by applying this frequency analysis, you can break what we call the simple substitution cipher.

So then you have this battle that the code maker wants to get ahead of the code breaker. So the code maker comes up with something a bit cleverer. So for example, what we can now do is if we have a letter like “E,” which accounts for 13% of all letters in English, we replace “E” with 13 different symbols, okay? So now all of these symbols that represent E appear only 1% of the time in the cipher text, as we call it. A rarer letter like “Q” might only be replaced by one symbol, a diamond, and that might appear only 1% of the time in the text. And so our distribution of frequencies is flat and therefore the code breaker has a much tougher problem.

Now, there are ways around that, and eventually code breakers figured out how to crack this more complicated cipher. And so the code makers had to do it all over again, they had to come up with an even better encryption system. So you have this constant battle between code makers cracking codes and coming up with even better code.

"So you have this constant battle between code makers, cracking codes and coming up with even better code." - Simon Singh

One of the earliest algorithms, or one that a lot of our viewers may be familiar with in some form is a Caesar cipher. Can you describe for us briefly what a Caesar cipher is and how it works?

A Caesar cipher is a type of simple substitution cipher, and we don’t just replace the letter A with any old symbol or any old letter, we replace A by shifting it down the alphabet. Now a classic Caesar cipher shifts by three places so A becomes B, C, D, A becomes D. B becomes C, D, E, B becomes E. And that’s all you do; you just shift every letter down three places.

Overall, this is not a great way to send secret messages because if I’m a code breaker, I’ve only got 25, 26 different shifts that I need to check.

And continuing from that, one of the next major leaps that we saw in an evolution of that approach was the Vigenère. Can you briefly describe how that cipher differed or what the advantage was that it provided?

See the video at the blog post.

Overall, this is not a great way to send secret messages. Because, if I’m a codebreaker, I’ve only got 25, 26 different shifts that I need to check. But you can make the Caesar cipher absolutely, brutally strong. You can transform it into something called the Vigenère cipher, invented by a French chap called Vigenère.

The way the Vigenère cipher works is you pick a code word. I’m going to pick the code word B-A-D. So you have your message, “Hello Fred” and above it you just write the word B-A-D over and over again. Now you can start encrypting.

To encrypt the H, well there’s a B above it and B is the second letter of the alphabet. So we shift H two places, the H becomes J. E has an A above it, so we only move the E by one place: E becomes F. The L? There’s a D above that, and that’s the fourth letter of the alphabet. L becomes P.

Now this is where it gets interesting. We’ve got another L. But this time, there’s not a D above the L, there’s a B and the B tells us to shift only two places. So the L becomes an N.

And that’s why the Vigenère cipher is so secure. You have the same letter being encrypted in different ways. It became known as le chiffrage indéchiffrable, the cipher that’s indecipherable. For decades, perhaps even centuries, it was unbroken.

Can you tell us a bit about who cracked the cipher and why?

Vigenère invents the Vigenère cipher in the 16th century. In fact, a couple of people had got there a little bit before him, but anyway, it was invented in the 16th century. In the Victorian era, the Vigenère cipher is eventually broken, and it was broken by Friedrich Kasiski, or at least that’s what we thought. It turns out that it was actually broken a decade earlier by a chap called Charles Babbage who’s famous today for being the kind of pioneer of mechanical computing, as well as many other things.

Mechanical encryption: Cracking the Enigma Cipher

Let’s talk about the pressures or the factors that drove the development of mechanical or proto computing approaches like Enigma. How did Enigma work and what made the Enigma codes harder to crack?

See the video at the blog post.

In the 20th century, we start having radio being used, particularly in warfare, particularly in the battlefield. The problem with radio is that anybody can tune into your radio frequency and hear what you are saying. So you then need to have a form of encryption that is rapid and secure, and that’s why you have the development of mechanical encryption devices, most famously of all the Enigma cipher machine.

Now, the reason why the Enigma cipher was considered so unbreakable is because it had so many what we call keys. The keys are the number of ways you can set up an encryption system.

So if we go back to the Caesar cipher, Caesar cipher is all about shifting and there are only really 25 ways you can shift the alphabet to get a different type of Caesar cipher.

With the Enigma machine, there are so many different ways to set up that machine. You can pick different rotors, different wheels to go into the machine. You can put them in different places, in different orders. You can orientate them in different ways. Each wheel kicks over the neighboring wheel when it does a full revolution, you can change that kick over point. There’s a plug board at the beginning, which allows you to swap letters around.

So if I type an A, it’s as if I typed in D. And when you have all of these possibilities, there are so many possible keys. I can’t remember the number of keys, frankly, but there are so many possible keys that it’s impractical for a code breaker to go away and check every possible permutation.

Ultimately, how did the Allies ultimately actually break Enigma?

The first people to break the Enigma — and this is a story that’s becoming better known now — were the Poles. Poland had the first people to realize that in the 20th century, you didn’t need linguists anymore, you needed mathematicians. You need people with a scientific mind to break a very scientific piece of equipment.

The Poles knew they were going to be invaded sooner or later. So they said, “We must try to do even the impossible. We must try and break the Enigma.” And they made some important breakthroughs and they managed to smuggle out those breakthroughs to London before the war started so that gave the British a huge head start.

People may have heard of Bletchley Park; this was the British code break center north of London. It was secluded, had good communication links. And during the course of the war, more and more code breakers gathered there at Bletchley Park to think of more and more ways to break the Enigma.

They broke the Enigma in several different ways, but let me just explain one of them. One of the quirks of the Enigma machine is that if you type in an A, it never encrypts A as A, it never encrypts a letter as itself. Now that seems completely fine because I don’t want to encrypt A as A, I’ve got 25 other letters that I can encrypt A into, okay? But nevertheless, it was an old quirk of the Enigma machine. No letter could be encrypted as itself.

One day, one of the codebreakers at Bletchley, a woman called Mavis Batey, was looking through some encrypted messages that had been intercepted. And she looked at this message, it was full of just gibberish. It seemed to be a random list of letters. But it wasn’t random because in the whole message, there wasn’t a single W. I don’t know how many characters there were, there may be 200, 300 characters. There should have been a dozen or so Ws, but there were no Ws at all. And Mavis thought to herself, “Well, look, the only way you can have an encrypted message which is devoid of Ws is if your input is entirely made of Ws. If you type W 300 times, your output will be everything except W.” And she’d crack the message, the message was just W 300 times.

Once she knew the input — all these Ws — and once she knew the output — the encrypted message she had in her hand — she could then work out the settings of the Enigma machine for that day. She and her colleagues could decipher all the other messages sent in that communications network that day. They gathered information about an impending attack on the British fleet in the Mediterranean, the British fleet was ready, and it led to the first allied victory in the Mediterranean.

You might wonder, why would somebody send a message of 300 Ws? Say I’ve got an unbreakable code and I’m sending my messages and you’ve got no hope of reading my messages, because I’ve got an unbreakable code. What you can do is what’s called traffic analysis, that means you can count the number of messages I’m sending each day. And if I send one on Monday, one on Tuesday, one on Wednesday and five on Thursday, then you know that maybe on Friday, something big is going to happen. So what I do to combat that is I send five messages every single day, and then my traffic is flat, and then you can’t gain any information. So the 300 Ws were probably sent as somebody’s effort to fulfill a quota for that day.

Modern encryption: Encrypting and decrypting without keys

The conversation so far has really brought us up to about World War II and the use of the Enigma machine. We now have most of a century of history between then and the present day. What would you say are sort of those landmark moments or evolution of cryptography between the end of the war, the postwar era and the present day?

See the video at the blog post.

Yeah, so one of the big changes in our lifetimes is that encryption used to be about governments and the military, and now encryption is about our everyday lives. It’s about encrypting our medical records, it’s about encrypting video streams, it’s about encryption of our bank details. And every day the devices we’re using are using encryption.

So it’s very, very much part of our day to day lives. It’s not just back in kind of Bletchley Park specialist government code breaking rooms or code making rooms. And I think the biggest change in our lifetimes again...or I would say one of the biggest changes in recent decades, is that if you imagine with Enigma, and this is Enigma, or in fact, any kind of code, I scramble up a message and I send it to you.

Now, you can only unscramble that message if I sent you the scrambling recipe, because if you know the scrambling recipe, you are going to know the unscrambling recipe. So before I sent you that message, I would’ve had to have given you that scrambling and unscrambling recipe, okay?

So with Enigma, for example, every month there was a sheet of paper and the sheet of paper had on every single day, had a list of instructions of how to scramble up using the Enigma for that day. Remember the Enigma has lots of settings and it would tell you the settings for that day. So the person sending the message would have actually the paper and the person receiving the message would have that piece of paper and dispatch riders on motorbikes would be riding over the Sahara delivering these bits of paper. New boats will be coming back into port to collect these bits of paper. And so nobody can have secure encryption unless they have access to this complicated and secure distribution network, okay?

Now that doesn’t work today. If I want to buy something online, I can’t get a dispatch rider to drive over to the online company and give them my scrambling recipe so that I can encrypt my credit card details, that doesn’t work. So the biggest revolution in the last few decades has been a form of encryption - in fact a couple forms of encryption - that mean that I can send you a secret message and I can scramble it up and even though we’ve never met, even though we’ve never exchanged any other information, you can still unscramble my message.

It sounds impossible. For centuries, for millennia, people thought it would be impossible, but it turns out you can do it. And that’s what’s enabled the revolution of online e-commerce and many of the other things that we live with today, there are only possible because of something called public key cryptography. Bottom line is I’ve never met you before in my life, I can send you a secret message and you can still read it. Okay, that’s the bottom line.

"Bottom line is, I've never met you before in my life, I can still send you a secret message and you can still read it." - Simon Singh

How does it work? Well, public key encryption involves some clever mathematics. It’s not the most complicated mathematics in the world and if you wanted to go in and Google it, you could probably try and figure it out and see how it works.

But I’ll give you an analogy, which is probably easier to explain in this kind of situation. I have a precious object that I want to send to you and I put the object in a box and I close the lid and I padlock the box and I send the box to you. Now, you can’t open it because I haven’t given you the key. Yeah, that’s our problem. That’s our key distribution problem.

But what you can do is you can put your padlock on the box and send it back to me. Now that just seems to make things worse. I’ve now got a box that’s doubly padlocked, but what I can now do is I can take my padlock off and send the box with your padlock on back to you. And now you can undo your padlock because it’s your padlock and you’ve had the key all the time, you can open the box and you can access the precious object, okay?

So at no time did we distribute a key, at no time was the box insecure or unsecured. And at the end of the day, you could access the precious object. So it is possible to send something in secret to somebody you’ve never met before, and the mathematical implementation of that kind of concept is what’s enabled the information revolution that we have today.

Want to learn more about the history of passwords and encryption?

Next in our extended interview series: Wolfgang Goerlich, advisory CISO at Cisco Secure, reflects on the history of passwords, the limitations of human memory and what we can learn from the eternal nature of security.

Our upcoming documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With its release, we’re taking a trip through time, from digging into the early days of passwords to imagining the passwordless potential that lies ahead.

Today: Our panel of experts share what excites them about a passwordless future, the technical milestones to get us there, and whether we’ll truly say goodbye to passwords.

The Passwordless Tipping Point

What is helping to move passwordless from more of an enterprise-level solution to something that an average person uses regularly?

As a senior software engineer on the Duo Single Sign-On platform at Cisco Secure, Christi Volny’s work plays an important role in getting to this point:

“If we look at the history of multi-factor authentication for cloud services, what we see as we’ve moved toward is more of a single sign-on model or social login being the new popular item. You’ll start to see that services that previously would’ve been difficult to implement passwordless or multi-factor or some other non username- and password-based authentication (on), they can now rely on third-party authenticators that can enable them to adopt passwordless multi-factor. So in the same way that switching to logging in with your Twitter or Google account allows you to introduce MFA into your login process, switching to services that provide passwordless single sign-on will also empower adoption for more services.”

How does passwordless play with legacy use cases?

Ted Kietzman, a product marketing manager with expertise in bringing passwordless to market, considers how something like virtual private networks fit into a passwordless paradigm: “Most people have logged onto a virtual private network for work. It’s a way that remote access has traditionally worked, and VPNs are now starting to support SAML, which is a protocol that federates the credentials. (...) So you could say, ‘Do we go back and do a lot of work on all these legacy use cases to make passwordless fit those? Or do we expect some of those use cases to start supporting modern protocols and we just optimize passwordless for the modern protocols?

I think you have to look to the future and try to engender adoption of the newer protocols, modern protocols, and really serve those well so it makes the experience really good. And in cases that are really fundamental, maybe you need to support legacy use cases here and there. You build backwards a little bit, but I would say as far as those gaps go, I’m hopeful that those gaps will be filled by those legacy applications or other use cases starting to support modern protocols versus building backwards into the gaps.”

What other milestones are helping evolve passwordless from aspirational to implementable?

Christi Volny emphasizes the importance of standardization, both technically and interpersonally, in helping enable wider adoption: “What started in 2008 as mobile transactions with your fingerprint later were ratified into specs such as FIDO and FIDO2. This gives device vendors, service providers, identity providers, a model to be able to communicate between one another. So rather than every vendor coming up with their own solution of how to perform passwordless, we now have tools like WebAuthn that standardized how you’re going to do passwordless authentication. These are the sort of controls and requirements that are put in place that say, ‘Yeah, I can trust this hardware token to be unbreakable or intractably hard to break into.’ I think like any other time, humans need to talk to other humans or systems to other systems. We need to develop a common framework and language to be able to communicate. And specifications are the ways that we do that in computer technology.”

Who will be most impacted by passwordless?

Nick Steele, Research Lead at Superlunar and co-chair of the WebAuthn Adoption Community Group shares why organizations will be affected first, followed by consumers:

“A lot of new technology seems to go this way. But organizations are already making use of WebAuthn, and there’s already a lot of use in the consumer space. If you use login.gov, which is one of the biggest login portals for the US government right now, they’ve actually begun to use WebAuthn for handling second factor authentication.

More and more consumer-side companies are making it available, because it doesn’t only help the user to have passwordless authentication. It also is compelling for your bank to have better authentications. It’s compelling for services where you losing money will erode trust or prevent you from using their service again. So it’s really a two-way street, right? It doesn’t just benefit the user to have no passwords. It benefits the organization that they’re doing business with to provide better security as well.”

Visions of a Passwordless Future

Wolfgang Goerlich, advisory CISO at Cisco Secure, is excited at the possibility of being the bearer of good news:

“As a security professional, very rarely have I been able to show up and say, ‘Hey, I’m going to make your life better.” Usually I show up and people scramble. Sometimes I hide under desks. It’s a little uncomfortable for them. It's a little uncomfortable for me. But with passwordless, we really are able to do more for them as we’re doing more for the security of the environment.

Now we have to do it in a way that is not just passwordless. It’s not just dropping the password but is also at the same time bolstering the entire authentication, building more trust in the entire authentication. What is glorious about all that is, it’s transparent and invisible to the end user. So we can do more, we can serve people better by the same time, increasing these security properties.”

Ted Kietzman eagerly awaits the passwordless login experience:

“I’m excited about not having to remember passwords anymore. (...) It’s a really annoying thing to feel like I have these passwords, and even me as a security professional, I reuse or add on a word. Maybe I know not to just add on one number at the end, so I’ll add on a phrase or something like that, but my memory only works so well, and I know I'm flawed that way. So not having to remember passwords, not having to have one for here and one for here and then rotate this one and I’ve forgotten and resetting them because I've forgotten. I'm really excited about that.”

Christi Volny imagines how passwordless will allow him to make a bigger impact as a system designer and developer:

“I’m interested in building a safer internet, and this is one of the easy wins that we can accomplish that through. As we know from [the Verizon 2022 Data Breach Investigations Report], over 80% of all computer breaches, passwords are responsible for in part. And so if we can attack that low-hanging fruit and replace it with something more robust, that’s a big win for all of us.”
Parting Ways with Passwords

Our experts agree that passwords aren’t going anywhere for now, but adoption will continue to grow and user experience among a hybrid environment will continue to improve:

Wolfgang Goerlich highlights that there’s a lot of infrastructure and use cases that still require passwords:

“In an ideal world, we say goodbye to passwords altogether. They don’t work. We’ve got six decades of proof of that. But along that way in six decades, we’ve built up a lot of systems, a lot of systems that have passwords, a lot of infrastructure. When organizations go through modernization, they don’t replace everything. There are use cases that will still need passwords into the near future — such as shared accounts, system accounts, service accounts — and so for a variety of reasons, a password is going to persist.

So in the next couple years, what we want to do is look for customer-facing, look for workforce-facing use cases, where we can replace that password, give them a better experience, and reduce the risk of those credentials being stolen while we maintain the hybrid environment into the future.”

Nick Steele reminds us passwordless isn’t necessary for every use case, and rather that passwords can come in handy:

“Local passwords are still fairly secure. And there’s a lot of use cases where having a shared key is actually pretty, pretty useful. I don’t see them going away really anytime soon, especially given the long tail of technology on the internet. But I definitely see more and more people and organizations getting comfortable with the adoption and inclusion of passwordless.”

Ted Kietzman has heard from plenty of customers who are eager to move beyond passwords but acknowledges we need better solutions first:

“The answer today is you can’t (get rid of passwords fully) because there are all these use cases that we don't have great solutions for. In order to get fully rid of passwords, we’re going to need solutions that help us register, transfer trust between devices, and make all of that happen without a password being used to bootstrap trust. Right now, in a lot of cases, you still need a password to bootstrap trust to create a new passwordless credential.

Once you have a new solution that says I can create a passwordless credential from scratch without this trust that was born out of having a password, that will be one key method that will get us to know passwords ever. Another one is if these legacy use cases start supporting modern protocols so that everything speaks SAML, or OIDC, or these cases where passwordless can be used really easily. Until those use cases move into this modern protocol era, or we have a really good solution for the bootstrapping of trust and transferring of trust in the passwordless world, passwords will still be around.”

A nurse goes to login to Epic but gets an error message instead that says the patient files are being held for ransom. A hacker accessed the network using a stolen credential and now equipment has stopped working and patient health is in jeopardy. Healthcare has coveted private medical records and data that is easy to monetize on the black market, making the industry one of the most targeted by hackers. Duo offers a trusted access solution that can help prevent healthcare industry ransomware attacks.

In this eBook “Healthcare Shifts in Cybersecurity” we will look into the security challenges and trends facing healthcare and make practical recommendations for keeping your healthcare workforce secure and productive.

In this guide you will learn:

• About how healthcare is adopting to new cybersecurity requirements

• About how healthcare’s hybrid model requires strong modern cybersecurity

• How adopting MFA technology can protect patient information and personal data  

• Why embracing passwordless technology via tokens and biometrics is more secure

• How to manage and track e-prescriptions for controlled substances via EPCS integration

• Why using single sign-on (SSO) for a consistent, powerful, hassle-free login experience

• How to create security resilience to bounce back faster and plan based on risk.

Learn more about how Duo protects thousands of healthcare organizations against malware at Duo.com or start your free trial.

Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With it's release, we’re taking a trip through time, from digging into the early days of passwords to imagining the passwordless potential that lies ahead.

Today: Our panel of experts share their password-related pain points, from the challenges of remembering and rotating them to unequal access to technology slowing passwordless adoption.

Problem 1: From Physical to Digital Space

Christi Volny, a senior software engineer on the Duo Single Sign-On platform at Cisco Secure: “The primary difference between password and passwordless authentication is that password authentication is based on the user remembering some secret. And then that’s something that they know, and that’s what grants them access to the system. As we’ve taken that system, we’ve brought it online and made it computerized, that doesn’t really keep up with the ability of computers to try to break into those systems.

Passwords rely on something that the user knows, and that worked really well in a physical space. So to be able to enter a room, knowing the passphrase to enter that. As soon as we digitize that, how users interact with these systems is through a computer. And so these are all machine-to-machine communications, ultimately. By enabling that, what we’ve done is allowed machines to be able to impersonate humans and try to crack passwords.

And they can do that much faster than ever previously done in history, which means that we’ve had to increase our password complexity, which pushes past the limits of what humans can actually remember, a meaningful passphrase.”

Problem 2: The Human Element

Passwords Are a Pain

Ted Kietzman, a product marketing manager with expertise in bringing passwordless to market, puts us in the average user’s shoes: “Passwords have a bunch of problems from a user perspective. They’re really annoying to remember; you have to keep them in your brain, which ends up being a pain. And over time, it’s been a requirement that they have to get more and more complex, or you have to rotate them more often, because as they've been seen as the security vulnerability, you have to lengthen them and rotate them. In both of those cases, they become harder to remember. And so from a user perspective, I have to remember a bunch, I have to rotate them, I have to keep making them longer, more complicated. All those things make it harder for me. And then I also just don’t like to type them. It's annoying for my fingers.”

People Create Predictable Passwords

Nick Steele, Research Lead at Superlunar and co-chair of the WebAuthn Adoption Community Group: “Humans are really bad at creating randomness. So when it comes to creating passwords and remembering passwords, they’re generally, if they’re made by humans, not very strong. And humans also tend to use heuristics and elements that they can reuse over and over. So even passwords that are created by humans that are slightly different, still tend to be pretty easy to crack.”

Wolfgang Goerlich, advisory CISO at Cisco Secure, adds: “We tell stories with our passwords. That means it's a loved one. That means it’s a pet. That means it’s a favorite hobby. You look at Ken Thompson’s early password, which was a chess move. We look at Eric Schmidt’s early password, which was his wife’s name. We create things that are easy for us to remember — and in doing so, those are things that are easy for adversaries to guess, and once they're out there, easy for criminals to use again and again, to log into other systems.”

Users Need Security Education

Jayson E. Street, a self-described “hacker-helper-human,” emphasizes the importance of making sure that people are informed about security hygiene and the potential risks of not following best practices: “We keep relying on technology to protect the users instead of teaching properly the users to protect the technology and then having the technology there as a failsafe and a safety net for when mistakes inevitably happen. [When you make] technology the bulwark of your protection from the user, it’s always going to fail because the user is never going to understand what they are in control of or what they’re in charge of.

A person who has a delivery van, they know exactly what the responsibilities are and what damages they can incur and job penalties they can incur if they are in an accident, if they operate the vehicle unsafely. But if you’re a person on a computer, you can operate the laptop or the device as unsafely as you want and there's really not that many repercussions that you're not really told exactly what the security controls are or your responsibilities on operating that equipment.”

Problem 3: Challenges Around Passwordless Methods

Remember, Passwordless Is More Than Removing the Password

Ted Kietzman: “One [myth about passwordless] would be that it just removes the password and doesn’t add anything else to it. That’s a problem with the name [...] passwordless is much more than just removing a password from the flow. It’s actually adding in that cryptographic key and the secondary factor of the biometric or pin.

Wolfgang Goerlich offers this analogy: “We are defining authentication by what it’s not. I like to compare this to the horseless carriage. A hundred years ago in my hometown of Detroit, what was high tech was a horseless carriage. It’s a carriage without a horse. That belies all the improvements in speed safety and the culture change that came with the automobile. In a similar way, if we only think of authentication as removing the password, we are going to miss out on a lot of the improvements that we can make in authentication. When we do adopt passwordless authentication, it cannot only be to remove the password, but it also has to be to add additional risk-based authentication mechanisms to increase overall security at the same time.”

Access to Equipment Is Not Created Equal

Jayson E. Street: “The biggest hurdle slowing the adoption of passwordless and adaptive authentication is predominantly access to the equipment. We still have a significant part of the world that doesn’t have access to smartphones. The idea of asking users to carry around a key fob that contains security tokens is still something that’s difficult and really only prevalent in the enterprise space.”

Rest Assured Your Biometrics and Credentials Are Secure

Wolfgang Goerlich: “Bruce Schneier once famously said that security has two parts. There’s the feeling of security and the reality of security. For passwordless to be successful, we have to address both. And there are some very real concerns about biometrics. There’s some very real concerns about people’s data. What I like about most passwordless technologies is that they keep that data in people’'s pockets. They keep that data in people’s hands. They don’t create conditions where the data can be shared out.”

Ted Kietzman agrees: “The authentication provider never needs to see your biometric. We don’t store any of them. And the reason for that is it’s performed locally at the device you're using as an authenticator.”

Nick Steele elaborates: “People always really assume that the biometrics that are being used to unlock their device or being used to log into their website via WebAuthn, or other passwordless services, they tend to think the biometrics are being sent elsewhere. And in the vast majority of cases, your biometrics are never sent anywhere. They’re only being used by the local authenticator to release a credential. The other big misconception with passwordless is that credentials can still be stolen, which is totally outside of biometrics. I feel like this it’s two separate things, right? Because if people think their biometrics can be stolen, then their biometrics can be used on multiple websites. This is really not how that kind of cryptography can work. And in a similar way, the credentials that you produce for passwordless services also also can’t be reproduced and reused across multiple sites.”

Next in our series on passwordless history: Our panel of experts share what excites them about a passwordless future, the technical milestones to get us there, and whether we’ll truly say goodbye to passwords.

Customer Data Experience Engineering Leader Amy Vazquez’s cybersecurity career path began with photography. From there, Vazquez has sought out companies whose professional values align with her own — including autonomy and psychological safety — particularly as a woman in technology.

Read on to learn Vazquez’s advice for identifying good company culture and how she’s grown as a leader. If you’re interested in learning more about our culture, check out our open opportunities.

How did you develop a passion for engineering?

Amy Vazquez: How I initially got into coding was I actually dropped out of college the first time around and had gotten into doing some photography with friends. This was a long time ago, so there was no social media and the web was still relatively new to most people. But we wanted to create a website for our photography and so I just went to a local college and took an evening class on web development. That was my first experience finding something creative that I could turn into a career that I enjoyed.

What do you like most about working at Cisco on Duo?

Amy Vazquez: For me, what separates Duo and Cisco is really the culture. There’s a really great alignment with some of my own professional values, such as autonomy. I like being able to determine what I do with my time and own my schedule, and to be able to make decisions. Part of it is being someone who likes to take initiative and carve out my own path.

It’s also a culture where it feels like a safe space. I think a lot of the teams have a pretty high degree of psychological safety and trust. Leaders are very intentional about growing the skills on their teams. I’ve seen quite a few people get promoted and have a lot of success in their roles. As a lifelong learner, I also love learning new things and being able to evolve and help others evolve in their careers as well.

What distinguishes your experience on this team, at this company, doing this work compared to other places that you've worked?

Amy Vazquez: What's really such a good fit for me with this team, and even a previous team that I worked with, is everybody is kind — and not just when it’s easy to do so. That really speaks to a shared value, that it’s just organic on the team.

Everybody is a helper and everyone’s very genuine in that desire to help other people out. Everyone is also a lifelong learner and excited to grow their skills. Folks have an idea of where they want to go, and we talk about those areas where folks might want more development. There also seems to be a lot of self-reflection going on.

I’m kind of stunned at my luck of joining a team like this. That’s a lot of who I am as well. I’m a helper. I like to be behind the scenes and support other people and watch other people have success, and help guide them towards that, whether I’m reflecting back to them their strengths and maybe skill gaps. Part of what distinguishes Duo as being different is creating a space for folks to grow their skills and realize their career aspirations.

How do you grow as a leader?

Amy Vazquez: For my career, I’ve always been focused on trying to do my job well. So initially it was coding and advancing with those skills. But as a leader, it’s studying that as a discipline, reading about it and trying to evolve those skills and figure out how to become the best leader for the team I’m leading.

It took me a long time to understand that being a high performer is great, and that can definitely get you far, but relationships are also super important. It’s not enough to just be good at what you do. You also need to – people always say “network,” and I don’t like that - but you have to build relationships. One thing I try to think of in the beginning of a project is, what relationships need to be in place for this work to be successful, or what relationships do we need to nurture?

How do you find a company with good culture?

For people whose identities are underrepresented in tech and cybersecurity, what advice do you have for entering the field?

Amy Vazquez: Everyone is different, so I’m not sure that I have advice that’s going to apply to everyone. But for folks who are underrepresented in tech and in the infosec industry, I think it’s important to learn to prioritize company values and culture. A company’s culture and values are going to affect your experience there. It’ll also impact what the company sees as valuable.

“What I’ve learned in my experience as a woman and someone who is neurodivergent is that an organization’s culture and values impact pretty much every aspect of how that company operates.” – Amy Vazquez

What I’ve learned in my experience as a woman and someone who is neurodivergent is that an organization’s culture and values impact pretty much every aspect of how that company operates. Gravitate towards those companies whose values align with your own professional values, or at least there’s some overlap there. You might not find alignment in all the things, but if you know what your professional values are and you know which ones are really important to you, try to find companies that share those values as well.

How do you find companies whose values align with your own as a woman in technology?

Amy Vazquez: Figure out what companies are actually seeking and celebrating differences in their teammates. At Cisco, I think the way that we grow and build our teams reflects our values of lifelong learning, and also seeking out and celebrating the diversity in our teams. When you really know yourself, and what type of environment and culture you can thrive in, that’s what you’re trying to find.

How do you determine your professional values and company culture needs?

Amy Vazquez: It’s definitely self-reflection and being able to look at your past experiences. Look at a past success and consider what else was going on there in that environment. How was I able to have this success?

You also learn by experience. Reflecting on past companies that you’ve worked for ask: What did you like about that company? What didn’t you like? What felt off? Was there something about the company or how it was run that gave you anxiety?

Pay attention to what your experiences are, and keep note of that. It’s kind of hard to sit down and examine what it was like working at those places over the last several years. It’s easier if you keep tabs on that from time to time as it’s happening.

Also, be as true to yourself as you can. I know that that’s not maybe an option for everybody 100%, but I think that’s where success comes from. It’s having an interest in your work. And for me, I like being around people who are good to work with and do good work.

Come join our team!

We’re seeing attacks on the identity layer rise to prominence amongst active cybersecurity threats in 2023. As the world of corporate IT has consolidated around access management, so too have attack techniques. Identity Threat Detection and Response (IDTR), a newly coined term from Gartner, aligns with the work that our algorithm research team focuses on.

Here at Duo, we’ve been very focused on these patterns as we work to secure our customers’ environments, meeting you where you’re at. We encourage you to follow best practices, including adopting FIDO2 wherever possible.

We also recognize that prevention is just one side of the coin, and that many security teams rely on strong detections to protect their environment. We know our customers have a lot of different environments and integrations, but all want to improve their defenses and visibility into the latest threats.

We’ve put together some discussions below about specific threats we’ve seen in the wild, along with some pseudo-code detectors that are environment-agnostic to use with your Duo logs and improve your security team’s operations.

1. Device Registration

This technique – which MITRE refers to as Account Manipulation: Device Registration (T1098.005) - is used by  attackers to gain persistence after gaining initial access via another technique like MFA Fatigue. Persistence is often a critical piece of an attack chain as malicious actors work towards impact, such as ransomware, data exfiltration, or other harmful activities.

At Duo, we’ve prioritized the development of features to help detect it in your environment.

Authentication device registration happens significantly less frequently than authentication events. It’s also a high-impact situation: The trust you extend to all future authentication events from that device is predicated on it being controlled by the legitimate user. Due to the elevated risk from these rare events, we’ve spoken with several security teams who err on the side of recall (seeing all events that might indicate this threat type) over precision (seeing only those events that are definitely this threat type). We’ve spoken with some customers who manually review every registration event, and others who find this impossible.

Depending on where you fall in this spectrum, you may want to combine some of these detectors, implement them selectively, or add conditions unique to your environment. If you’re interested in getting access to the robust set of detections that our research team has developed, look into Registration Threat Detection within Trust Monitor.

Detector Logic

If a phone number has not been previously used by the user, alert.

If a user registers an authentication device with a laptop or device they have not used before, alert.

Pseudocode

#Alerting rule for a phone number that has not been used previously by a user

Function unknownphonenumber(user, phone):

    if phone.number not in user.previous_numbers:

        alert_siem()

#Alerting rule for a user using a different device or laptop

Function userchangesdevice(user, device):

    if device.os not in user.previous_os:

        alert_siem(user, device.os)

    if device.browser not in user.previous_browser:

        alert_siem(user, device.browser)

Duo Logs

Retrieve Phones by User ID

Possible False Positive Causes

These two detections are relatively limited and based on the assumption that a user who upgrades their personal device will keep the same phone number and use the same computer to perform the registration that they’ve used previously. There are plenty of benign reasons to change one’s number or change phone platforms, all of which would produce false positives.

This month, we’re launching General Availability of Registration Threat Detection which takes a much broader and deeper look into known attacks, allowing us to create a much higher-fidelity alerting signal for this threat type.

2. Cookie Theft

The identity layer doesn’t exist in a vacuum - it works together with the endpoint, network, and cloud layers of your environment. We’ve seen examples in the wild of malware slipping past endpoint defenses and being used to target session cookies for exfiltration, allowing attackers to jump from a user’s endpoint to their cloud accounts. MITRE refers to these techniques as Steal Web Session Cookie (T1539).

If you’ve combined detectors from your XDR or MDM to use with your identity solutions, we’d love to talk with you.

Detector Logic

If an authentication cookie is used from an IP address that it was not issued to, alert.

Pseudocode

#Alerting rule for a remembered session changing IPs

def IPchangedwithin_session():

     for txid:

          if reason = ‘remembereddevice’ and ip not in historicuser_ips:

               alert_siem()

Duo Logs

Authentication Logs

Possible False Positive Causes

Unfortunately, there are a huge number of benign reasons that a user’s IP address might change within a session. Employees work in and out of the office, ISPs regularly rotate IP ranges, routers are reset. We’ve gotten significant customer feedback that naively ending sessions based on this signal alone is too noisy for our customers.

This is one of the reasons that we’ve implemented techniques like Wi-Fi Fingerprint in Risk-Based Authentication, which is very difficult for attackers to mimic and give Duo a strong signal that the user is in the same location they’ve authenticated from before.

3. MFA Fatigue

MITRE refers to this technique as Multi-Factor Authentication Request Generation (T1621). However, you may have heard these attacks referred to by a couple of different names: MFA fatigue, push fatigue, push harassment, push grief, etc.  

Whatever you call it, after primary credentials have been compromised, the attacker repeatedly prompts the legitimate account holder with authentication requests until they accept. We’ll focus on one way that this has presented itself in the wild, where an attacker is targeting one user in specific.

Detector Logic

If there are more than ten authentication attempt failures within ten minutes for a specific user, alert.

Pseudocode

#Alerting rule for a series of unsuccessful authentication attempts

def repeatedauthenticationfailures():

     for txid:

          if count(txidforuser) in range(timestamp, timestamp-10m) and result != success > 10:

               alert_siem()

Duo Logs

Authentication Logs

Possible False Positive Causes

We’ve documented a number of benign situations that can trip some of these more-naive detectors. Sometimes a user is unaware that one of their applications has reset itself and engaged some auto-authentication protocol, either because it’s in the background or because the user is away from their workstation.

This is why we’ve implemented a broad set of detections, as well as sophisticated tamping mechanisms, into Risk-Based Authentication to improve its accuracy, reducing false positives while improving performance against known attack patterns.

4. Account Takeover

Account takeover, which MITRE refers to as Valid Accounts: Cloud Accounts (T108.004), can be a catch-all. It's used for some types of attacks that don’t fit nicely into one of the other MITRE techniques, or where attribution can’t be confirmed, or when forensic investigation hasn’t established what happened yet.

In our context, it can help to look at behaviors that are sometimes consistent with malicious account access. One of the simpler detections you can apply without referring to external sources is alerts for when a user is accessing from a new location.

Detector Logic

If an authentication occurs from a location that the user has not authenticated from before, alert.

Pseudocode

#Alerting rule for novel location

def novel_location():

     for txid:

          if accessdevice:location not in historicuser_locations:

               alert_siem()

               historicuserlocations.append(‘location’)

Duo Logs

Authentication Logs

Possible False Positive Causes

Users routinely travel for legitimate reasons, and this is a very context-dependent detector. Some environments imply that a user should be in a static location or IP range, while others expect end users to regularly jump to new locations.

Going a step further, we’ve had geo-improbable detectors implemented at scale for several years, and we’ve learned a lot about ways to implement these detections better in Trust Monitor. Some of the false positive alerts are caused by end users jumping onto and off of a VPN, or between a Wi-Fi network and a cellular network. Some are caused by ISPs rotating through their IP address ranges. And others fall into an assortment of other benign, routine reasons.

5. Disabling or Modifying MFA

Attacks on administrative controls have been around as long as administrative controls. MITRE refers to techniques that modify (or even eliminate) MFA requirements as Modify Authentication Process: Multi-Factor Authentication (T1556.006). Many professionals find that protecting these controls, such as limiting access to specific networks, devices, and accounts, is useful in a defense-in-depth strategy. Monitoring and establishing detection and response rules to this threat vector can improve your standing.

Detector Logic

If a new administrator account is created, alert.

If a bypass code is created for an end user, alert.

If an authentication policy is changed, alert.

Pseudocode

#Alerting rule for new administrator account

def new_admin():

     for action in /admin/v1/logs/administrator:

          if action = admincreate or action = adminupdate:

               alert_siem()

#Alerting rule for bypass code creation

def new_bypass():

     for action in /admin/v1/logs/administrator:

          if action = bypass_create:

               alert_siem()

#Alerting rule for policy changes

def new_policy():

     for action in /admin/v1/logs/administrator:

          if action = policydelete or action = policyupdate:

               alert_siem()

Duo Logs

Administrator Logs

Possible False Positive Causes

There are a number of legitimate reasons that administrators need to modify authentication processes. Customers may prefer to audit some subsets of these actions due to their sensitivity.

Responding to these cyber threats

We’ve found that customers benefit from a variety of remediations. Some customers develop a specific ‘quarantine group’ within their environment, to which they can move users, which has limited or no access, while they investigate and remediate the situation. Others prefer to complete the entire remediation process out-of-band, directly through their directory.

We’d love to hear more about your experience and preferences as we work to improve your workflows.

Duo Logs

Modify User

Duo's work continues

If you’re interested in these attack types and detection, we want to work with you. Many of our offerings - including Trust Monitor, with its new Registration Threat Detection, and Risk-Based Authentication, which is generally available as of this month - are based on these kinds of detections. We continue the work to research the most high-impact threats in the identity world and bring you solutions that work for your environment.

These detectors just scratch the surface of identity threats, and we want to continue the conversation. Do you have thoughts on how to apply detections across your stack? Do you have concerns you want us to address? Want to talk about Identity Threat Detection and Response?

Please reach out via the feedback form to the product team with your thoughts, requests, or feedback.

If you’re a cybersecurity analyst, suspicious logins aren’t anything new. You see them all the time. Identifying suspicious logins probably feels something like playing Spot the Difference. For the uninitiated, Spot the Difference is a puzzle game that presents you with two similar images, one of which has been altered slightly, and challenges you to pick out the differences between the two. Finding the differences can be a real test of one’s patience and ability to concentrate on details.

This can be fun if you’re taking a brain break. It’s less fun if there’s a real threat you need to find. Why? Because searching through mountains of log data to find something different that could be a potential threat to your organization can be tedious and time-consuming. To illustrate the point, we’ll focus on a particular type of event that generates logs: user authentications (aka “logins”). Every time one of your employees logs into the network or an application, an auth log is created. Depending on the size of your organization this could result in thousands of new logs each day. There goes your break time.

If you prefer to spend your time on other pursuits, Duo Trust Monitor can help. Trust Monitor gives you back your break time by surfacing suspicious logins. And, we’re continuing to add new features like "Registration Threat Detection," which alerts administrators when a new enrollment event matches attack patterns seen in the wild.

Read on to learn more about this new feature, and about how Duo Trust Monitor can help you identify suspicious logins.

Identifying “different” authentications

Searching through auth logs to identify a login that looks suspicious is one thing. But how do you know if it’s truly different and poses a threat? To understand that, you need visibility into both normal and anomalous authentications. If you don’t know what a normal, or “expected,” login looks like, it’s hard to spot the difference between them. This requires creating a baseline authentication profile against which other logins are compared. Doing so will help you spot the difference(s) between the two and identify suspicious auths that could spell trouble.

But what happens if you don’t have the time to search through log data for atypical access attempts? Well, bad things possibly. One is account takeover using compromised credentials where the cybercriminal has stolen someone’s username and password. Based on responses in the IBM Security Cost of a Data Breach Report 2022, stolen or compromised credentials are the most common vector for a data breach, responsible for 19% of breaches with an average cost of US $4.5M.

Another is insider access abuse, or privilege misuse. Findings from the Verizon 2022 Data Breach Investigations Report indicate the attacker is typically an employee who uses their legitimate credentials to access a privileged account to steal data, often for financial gain. While this doesn’t paint a pretty picture, the signs for identifying anomalous logins that could lead to a data breach are there. You just need the right tool to surface them.

See the signs with Duo Trust Monitor

So, what are the signs to look for? Here are a few along with some questions to consider:

• The User – Is the person a current employee? Are they part of a group with privileged access?

• The Auth Location – Do we have employees working in this country?

• The Auth Time – Do we expect people to be accessing data or applications at 3:00am?

• The Device – Is the authentication from a Windows device but our employees use Macs?

• The Application – Does the user need access to this app to do their job?

Duo provides a tool to help you see the signs and “spot the difference” between authentication attempts. Duo Trust Monitor is an advanced anomaly detection feature that does all the work of searching for risky authentications for you. It ingests all the authentication logs in your environment and runs them through proprietary machine learning algorithms.

The algorithms set a baseline of normal user and device activity. Using this baseline, Trust Monitor compares future authentication attempts against it and highlights anomalous or risky login attempts in the form of a security event. With just a few clicks, administrators can create a Risk Profile for the organization that prioritizes and surfaces security events that match profile elements. For example, you may want to keep a closer eye on authentications related to certain Duo-protected apps, specific user groups or countries. Security events that deviate from the Risk Profile are given more weight and appear at the top of the Security Events board with a yellow shield designation that provides an explanation of the connection between the event and the Risk Profile.

Can I get some context here please?

I’ve touched a bit on the “What” and “How” of Trust Monitor and its ability to surface atypical logins, but let’s take a closer look at the “Why.” Why is a particular authentication considered anomalous? The answer has to do with context. While there are other risk analytics tools on the market, many focus on a single model like novelty which looks for a variable that’s new such as a new device or application that’s being accessed for the first time. This approach is simplistic and doesn’t offer much context into the access attempt. Basing a decision on just one model alone can lead to an increase in false positives.

Trust Monitor on the other hand takes a more holistic view of each authentication using contextual analysis. By analyzing historical login data across multiple models and variables, Trust Monitor is able to provide a much richer picture of the access attempt, enabling administrators to make a more informed decision as to whether it is legitimate or suspicious and requires action. Let’s take a look at some examples:

• Security Event: The VP of Sales is accessing the company’s CRM app at 4:00 a.m.

• Analysis: In this case Trust Monitor analyzes the application being accessed and the timestamp. Is it unusual for the VP of Sales to access customer information? No. Is the timing unexpected? Hopefully. A solution focused on Rarity would flag this event as risky.

• Security Event: Someone is requesting access to a sensitive app from a Windows device using an unusual multifactor authentication method (SMS).

• Analysis: Here we have three variables flagged. The organization uses macOS devices, not Windows. Also, the user has not accessed the app for six months and a push notification is their preferred authentication method, not an SMS text. These three together are a strong indication that this is a fraudulent authentication attempt.

• Security Event: A Marketing manager is traveling to an event in another country and needs to access email.

• Analysis: Without the right context, this access attempt could be marked as suspicious based on location, timestamp and a new device IP. However we know there is a big event happening overseas so it’s not unusual to see these three variables associated with this user and therefore we can dismiss the event.

The goal of any risk analytics tool is to surface potential threats so that organizations can step up or step down their security policies to shore up any gaps. By providing contextual analysis, Duo Trust Monitor helps you spot the difference between legitimate and fraudulent access attempts while limiting false positives. Trust Monitor is included in our Access and Beyond edition subscriptions. It’s also integrated into the Cisco SecureX ecosystem so that you can access Trust Monitor telemetry data from the SecureX dashboard for enhanced threat intelligence. And, if you already have a SIEM (Security Incident and Event Management) solution, you can export Trust Monitor security event data directly to your favorite SIEM via API.

What's new with Duo Trust Monitor?

Security events are very useful for highlighting suspicious logins that may pose a threat. Adding context around why an access attempt was denied (or allowed) makes Trust Monitor even more powerful.

But even powerful tools need to adapt as the cyberthreat landscape changes. A recent threat scenario we’ve been monitoring begins with an attacker stealing a user’s credentials and taking over the account. This is often referred to as initial access. Once the account has been compromised the attacker will use persistence techniques to maintain their presence without alerting the victim by interrupting their access. One technique used is to register a new authentication device in order to bypass multi-factor authentication (MFA). This fraudulent device registration typically goes undetected leaving the threat actor free to gain access to critical applications and data on the network. Given the large amount of legitimate registration activity that takes place in any given organization as employees replace their personal phones and change roles, monitoring for this kind of activity is challenging.

In response to this account manipulation via new device registration, we’ve enhanced Trust Monitor by adding a new feature called “Registration Threat Detection.” This feature uses the unique telemetry available when a new device is registered to alert administrators to enrollment events that fit attack patterns we’ve seen in the wild, while also reducing alert fatigue.

Duo has a large body of data including analysis of real-life attacks using this methodology. We’ve also partnered with outside data sources to improve our ability to detect these events with greater precision than most organizations are capable of using proprietary detection algorithms. The algorithms in Trust Monitor can detect certain MITRE attack techniques. For example:

• Registration Threat Detection in Trust Monitor aligns with T1098.005

• Trust Monitor authentication security events align with T1078.004

• Bypass code security alerts in Trust Monitor align with a subset of T1556.006

“New Device Registration” has been added as a category of security event within Trust Monitor, and we’ve made it available to all Duo Access and Beyond customers without any additional configuration requirements or cost.

Start flagging suspicious logins

If you’d like to try Trust Monitor and experience how Duo can help you spot the difference between legitimate and suspicious logins that could be potential threats, sign up for a free 30-day trial.

*This content has been updated after its original publication date in November 2022.

Duo Care sees our relationship with our with customers as true partnerships where we work with organizations to develop an ongoing security strategy. Executive business reviews (EBR) are a key part of that ongoing relationship, in addition to recurring meetings to discuss current projects, top-of-mind questions, or recent events.

You might recognize the term executive business review. You might have heard it called Health Check, Account Review, Quarterly Business Review, Report Card, or something else. Customer Success teams at different SaaS companies have called these meetings any number of things - but what do the meetings actually entail? And are they really worth your team’s time?

In this post, we will break down the WHAT / HOW, the WHO, the WHERE / WHEN, and the WHY of executive business reviews. We discuss how Duo Care approaches these EBR conversations and what we include/prepare, who typically attends an EBR, where/when Duo Care facilitates these meetings, and why we love them so much…plus why you should too!

What is an executive business review?

Each Customer Success Manager (CSM) and Customer Solutions Engineer (CSE) puts their own special twist on the EBR meetings, and the content is customized to the specifics of the individual organization. But the goal is always the same: To help organizations review the work they’ve done to date, analyze their data, and examine the Duo feature set available to them in order to make more informed security decisions.

If you ask any CSM or CSE team member what they really want to get out of an executive business review, the answer is a really great and productive conversation. We prepare some slides with the analyzed data, best practices or recommendations, and the product roadmap. But we always start the meetings off by saying that we don’t want it to just be a presentation, we want it to be a back-and-forth conversation.

Duo Care loves carving out this specific time to have a strategic planning session together - combining each organization's internal security priorities with the Duo feature set in order to make any adjustments and outline future plans and projects together.

Why does Duo Care enable EBRs?

The Customer Success Managers and Customer Solutions Engineers who make up the dedicated Duo Care teams are here to help organizations maximize their investment in Duo.

The Duo Care Premium Support Program was created because we really do care – about your Duo rollout, about your end-users’ experience, and about your continued satisfaction with Duo.

Duo Care works with many organizations who are just getting started with Duo - we are happy to help make an initial Duo multi-factor authentication (MFA) deployment smooth for both admins and end users - but what we really love about our jobs is getting to develop long term partnerships with our customers. EBRs are a large part of that.

Who will attend the executive business review?

Each EBR is different - especially since the make-up of organizations and their security priorities can be so different - but below are the most common attendees during these meetings.

Duo and Cisco Participants

Some organizations work with Duo individually while others work with both Duo and Cisco. The Duo Care team will always attend and lead the executive business review conversations. But depending on the customer’s contract structure and product usage, other members from Cisco may join as well.

• Customer Success Manager

  • CSMs are trusted advisors in areas like admin training, user enrollment plans, product updates, project requests and assist with strategic future planning.

  • The CSM & CSE will jointly lead the EBR after having analyzed the customer’s data and Duo set-up to provide an overview, health check, as well as any security posture recommendations. The CSM will also walk through a review of any previously outlined project goals or conduct an application inventory.

• Customer Solutions Engineer

  • CSEs are technical experts on the Duo product who offer consulting on architectural strategies, security policy development, and best practices.

  • The CSE & CSM will jointly lead the EBR conversation after having analyzed the customer’s data and Duo set-up to provide an overview and any security posture recommendations. The CSE will also provide a preview of the product roadmap.

• Account Executive (AE)

  • AEs are the sales contacts who help organizations choose Duo - as well as help true-up any license expansion or trial any features as part of an edition upgrade.

  • The AE joins the EBR conversation in case there are questions about features that are part of an edition upgrade or any questions about the contract/licenses.

• Optional: Account Manager (AM)

  • AMs are the main point of contact for all Cisco products and services - advising what might best fit a customer’s needs and assisting with overall strategy. 

  • The AM joins the executive business review conversation to provide any insight on how Duo fits into the larger Cisco world or discuss additional security strategy and suggestions. 

• Optional: Cybersecurity Sales Specialist (CSS)

  • CSS are technical experts on all Cisco products - coordinating any necessary troubleshooting or advising on the best way to configure in environments.

  • The CSS joins the EBR conversation in case there are any technical questions on how various Cisco products work together in a customer environment.

• Optional: Customer Success Executive

• Optional: Product Manager

Customer Participants

Every organization manages Duo a bit differently - especially depending on the size of the organization - so the makeup of attendees at each executive business review varies. Typically, it is a combination of whoever manages Duo most directly, whoever sets the security strategy, and executive leaders.

• Chief Information Security Officer (CISO)

• Director of Information Security

• IT Administrator

• Security Analyst

• Help Desk / User Support Specialist

• Endpoint Administrator

• Network Administrator

• IT Operations Manager

• Systems Architect

• Security Analyst

When and where will the executive business review happen?

In years past, Duo Care teams used to travel on-site to visit our partner customers in their offices and cities to deepen the relationship and have these EBR meetings in-person. Since the onset of the COVID-19 pandemic, Duo Care has been able to shift to having these strategic conversations virtually - thanks in no small part to our colleagues over at Webex.

Typically, these meetings will be scheduled for one hour. Duo Care knows that everyone has busy work schedules - especially in the world of security - so we want to make the most of everyone’s time and keep these meetings concise while still having impactful conversation.

If a customer is new to Duo, an EBR will likely happen a few months after the initial MFA deployment and will include a retrospective review of the initial phase of the project.

For customers who have worked with Duo for a while, these EBRs typically happen quarterly or twice a year, depending on how often the teams prefer to connect on these topics.

Why is an executive business review important?

As with everything - especially your security set-up - it is important to continually review and re-evaluate. The EBR meetings allow you that opportunity to do that with trusted advisors in the room to help you think through your environment and current protections, share best practices and lessons learned from other peer organizations, plus discuss what Duo features and policies might match your internal security priorities. While a Duo Care EBR is not a third-party audit or PEN testing evaluation, it is still a review of your Duo usage and security planning conversation.

Additionally, the EBR is a great way for Duo Care customers to learn about what the Duo product team is working on, get early access to features in active development or private beta programs, and generally plan for the future. While there are a number of ways to learn about recent releases (Duo Community Release Notes) or upcoming features (like all the posts here on the Duo Blog) you will get to see the product roadmap in its entirety during these meetings.

Lastly, while “alignment” can often be used as a corporate buzzword, it is actually an important value for the Duo Care team. We want to make sure that we clearly understand the security priorities of our customers so that we can work together towards those shared goals.

Schedule your EBR today!

So, there you have it … the WHAT / HOW, the WHO, the WHERE / WHEN, and the WHY of executive business reviews. We hope you leave reading this article understanding a bit more about why Duo Care loves these conversations.

If you have any questions, you can reach out to your Customer Success Manager by email to schedule your next EBR or reach out to your Account Executive if you are not currently partnering with a dedicated Duo Care team and want to learn more.

If you are brand new to Duo, please contact us to start the conversation!

It just takes on lackadaisical click by an employee to install malware that results in ransomware. Ransomware has gone up 150% since the pandemic, and the U.S. government has deemed ransomware a form of cyber terrorism. That’s why ransomware mitigation is so important, and MFA plays an important role in any ransomware prevention and response strategy.

In this post, we’ll talk about how ransomware attacks work and how you can use MFA to help interrupt an attack. And for more information on protecting against ransomware, be sure to check out our ebook: Protecting Against Ransomware: Zero Trust Security for a Modern Workforce.

What is ransomware?

Simply put, ransomware uses a variety of tactics to target victims predominately through malware infections, usually beginning with email phishing, a stolen password or a brute force attack. A ransomware attack can be achieved by encrypting files or folders, preventing system access to the hard drive, and manipulating the master boot record to interrupt the system’s boot process. Once the malware has been installed and spread, hackers can gain access to sensitive data and backup data, which they encrypt to hold the information hostage. Hackers can either move quickly during a ransomware attack or spend months poking around undetected to understand the network infrastructure before launching an attack.

The data hijack is meant to elicit fear and urgency from victims. Their information is inaccessible until payment (primarily in Bitcoin) can be made. Even then, companies may not get back all their data.

There are many ransomware variants, but for the most part, cryptoransomware dominates the field today. However, due to polymorphism (malware that constantly changes), there are many variants that can avoid detection.

Ransomware is big business run by professional crime organizations and cyber gangs

Bad actors have established ransomware-as-a-service (RaaS), a fully integrated out-of-the-box solution, allowing anyone to deploy a ransomware attack without knowing how to code. Just like Software-as-a-Service (SaaS) products, RaaS gives relatively cheap and easy access to these types of malicious programs for a fee smaller than the cost of creating your own. RaaS providers generally take a 20%-30% cut of the ransomware profit generated. There are now subscription and affiliate models to help complete successful attacks.

Mitigating ransomware attacks using MFA

Multi-factor authentication (MFA) is very effective at protecting credentials and limiting attackers’ access to company resources. Stealing credentials is the number-one way hackers can gain access to your systems and install ransomware. Protecting credentials is a top priority and MFA is a simple solution offering maximum protection

What’s more, more and more compliance regulations are requiring MFA to combat ransomware. The Department of Justice (DOJ), Cybersecurity and Infrastructure Security Agency (CISA) and Homeland Security are moving towards mandatory MFA.​ Electronic Prescriptions for Controlled Substances (EPCS), National Institute of Standards and Technology (NIST), Payment Card Industry Data Security Standards (PCI-DSS) 4.0 and the Federal Trade Commission (FTC) are requiring MFA.​

More regulations will require MFA in the future because it is a strong cybersecurity solution that works to mitigate the threat of ransomware attacks.​ It makes sense to get ahead of the upcoming regulations by implementing MFA now. MFA is also a mandatory requirement by insurers to qualify for cyber liability insurance.

Why Duo MFA is better MFA

Duo is easy to use and install, it scales up or down and it works with both on-prem and cloud applications. It's also vendor agnostic and you can deploy quickly to meet compliance regulations fast.

Additionally, here are three reasons why enterprises commonly choose Duo MFA:

1. Duo MFA offers flexible, strong authentication methods to establish trusted access

MFA requires:

• Something you have, like a device

• Something you know, like a password

• Something you are, like a biometric​

Duo MFA takes many forms, including Push, Verified Push, One-Time Password, Soft and Hard Tokens, Biometrics and Passwordless, SMS, Phone Calls, U2F and Wearables. This gives your workers flexible MFA options.

2. Duo offers opportunities to update your defenses beyond MFA

Verify users’ identities with secure and flexible multi-factor authentication methods.​ ​Then, deliver a consistent login experience with Duo's Free Single Sign-On, providing centralized access to both on-premises and cloud applications. ​​Finally, gain visibility into every device and maintain a detailed inventory of all devices that access corporate applications.

3. Duo is positioned to help mitigate ransomware attacks on multiple fronts

Preventing ransomware attacks requires overlapping security coverage. Luckily, Duo can help protect organizations from ransomware on three fronts:

• Preventing ransomware from getting an initial foothold in an environment

• Preventing or slowing down the spread of ransomware if it manages to infiltrate an organization

• Protecting critical assets and parts of the organization while an attacker still has a presence in the environment and until full remediation is achieved

Stop compromise before it starts with Duo MFA

Download our free ebook, Protecting Against Ransomware: Zero Trust Security for a Modern Workforce, today to learn more about how a zero-trust posture and Duo MFA can help lower your risk of ransomware attacks.

Want to try Duo for yourself? Sign up for a 30-day free trial!

In September 2022, we announced our public preview of Risk-Based Authentication: a set of adaptive policies that both improves security for the riskiest authentications and reduces end user friction for high-trust scenarios. Now, we are excited to announce the general availability of Risk-Based Authentication, a cornerstone of our Continuous Trusted Access offering.

What is Risk-Based Authentication?

Our Risk-Based Authentication policies address two core problems:

1. Attackers have figured out how to get around multi-factor authentication (MFA)

2. Users are tired of alerts, and their push fatigue can create security vulnerabilities

To address the ways in which attackers have evolved, we assess user and device telemetry to make decisions about which logins are most suspicious and present credible risk to an organization. Known attack patterns such as push spray, unrealistic travel, and push harassment flag only the highest risk authentications without causing undue friction for users.

When a high-risk login attempt is detected, Duo increases security by requiring a more secure factor, such as a FIDO2 authenticator or Verified Duo Push. The security properties of these factors confer additional confidence that the user is who they say they are, making the extra time and friction worth it.

These authentications are costly for users, however, and Risk-Based Authentication takes that into consideration. That’s why we focus on known attack patterns, rather than on the employee who decides to work from a new coffee shop. We leverage users’ individual authentication histories, typical behavior within an organization, and an exciting new signal called a Wi-Fi Fingerprint to make more sophisticated and better decisions about risk.

Until now, IP address has been the best we can do when it comes to user location. In a remote or hybrid work world, IP addresses have become increasingly noisy as users connect to VPN and work outside of the corporate network. With Wi-Fi Fingerprint, we can tamp down on false positives by using anonymized Wi-Fi network information to reasonably determine that the user is still sitting in their living room, not attempting to login from three states away. Wi-Fi Fingerprint protects user privacy while also reducing friction and saving them time.

To address user push fatigue, Risk-Based Authentication also builds on our Remembered Devices policy by removing the interactive component of low-risk authentications. When we recognize a user’s device and IP address, we allow the user to skip their authentication, though we log it and collect the telemetry in the Duo Admin Panel. In other words, the authentication becomes invisible to the user if the location and device context stays the same.

Unlike our regular Remembered Devices policy, once enabled, users do not have to opt-in to Risk-Based Remembered Devices. More time saved for end users!

What we learned from customers

During public preview, hundreds of customers tested both Risk-Based Factor Selection (our “step up authentication” policy) and Risk-Based Remembered Devices (our low friction policy). As one Duo administrator put it, Risk-Based Factor Selection helps him “stay one step ahead. MFA is not the silver bullet it used to be. Everyone’s using it. I need protection beyond regular MFA.” A hospital system told us that they calculated a 50% reduction in MFA requests once they enabled both policies. That is a huge amount of time saved for end users.

MFA is not the silver bullet it used to be. Everyone’s using it. I need protection beyond regular MFA.

Since the launch of public preview this fall, we have added two new detectors to our algorithm to monitor impossible travel between authentication attempts and risky attempts where the access and authentication device are in two different countries. We’ve also validated that Risk-Based Authentication step-ups are not too onerous for end users. On average, a step-up with a more secure factor is required about twice in every 1000 authentication attempts.

What is coming next?

We are thrilled to be launching Risk-Based Authentication today, and we continue to evolve our threat detection capabilities with many exciting enhancements planned for the coming months.

Continuous trusted access is all about assessing and responding to risk at different points in the user journey, from enrollment and beyond, and even within a user’s day. Risk-based Authentication will play a key role in continuously evaluating and adapting to a user’s behavior as they go about their workday. Specifically, we will work to detect new attack patterns, blocking the riskiest authentications in the case of a suspected first factor compromise, and responding to more threats at the network, rather than user level.

We are excited for you to try Risk-Based Authentication today! Sign up for a free, 30-day trial of Duo. And be sure to check out the other enhancements we’re making to the Cisco Security Cloud.

At Duo Security, we’re on a mission to secure user access to applications while lightening the load on IT teams. So today, we are announcing that Duo Single Sign-On (SSO) support for OpenID Connect is going to be generally available, so that organizations that require users to use these applications can seamlessly and securely do so.

Though it’s currently in public preview, once OIDC support is in general availability this spring, we will support three grant types: OIDC Authorization Code, OAuth 2.0 Client Credentials and Authorization Code with PKCE, and add more over time. You can also expect to see more out-of-the-box SAML 2.0 application integrations and on-demand, self-service password resets.

Configure SSO for OpenID Connect (OIDC) applications for seamless, secure access

With applications becoming commonplace in the workplace including cloud and mobile apps, validating the identity of users trying to access those apps is critically important. Many of the applications organization use today have been developed based on the Security Assertion Markup Language (SAML) v2.0 authentication standard, but OpenID Connect (OIDC) is also becoming popular because it is ideal for use with mobile apps and single-page web apps. 

Some of the applications we’ve seen customers protect so far include:

• AWS Verified Access

• Epic’s Haiku, Canto, and Rover mobile apps

• Grafana

• IBM Spectrum Virtualize

• IFS Cloud Datto

• Salesforce

• Datto

• Autotask

“It is great to see the Duo Single Sign-On product mature over just a short period of time to meet Enterprise-scale deployments,” says Sarabjeet Rana, Enterprise Security Architect, Cisco, “Our team started rolling out cloud-based Duo Single Sign-On in 2021 and so far, we have over 1,000 application integrations in Production. We are migrating about 3,000 applications from our legacy IAM solution to this modern Duo SSO platform enabling our users to enjoy Passwordless authentication and Zero Trust borderless access to the applications.”

We are migrating about 3,000 applications from our legacy IAM solution to this modern Duo SSO platform enabling our users to enjoy Passwordless authentication and Zero Trust borderless access to the applications.

“We are also very excited to use the Duo SSO OpenID Connect capability which allows us to secure more applications on modern Duo SSO along with existing SAML 2.0 support," says Ankit Mittal, Information Security Technical Leader, "The simple and intuitive UI allows us to modernize web apps within a few minutes." Sarabjeet adds, "Plus, the Passwordless future is upon us, and Duo SSO capabilities have brought us closer to realizing that future.”

Easily configure SAML 2.0 applications that your users depend on

IT teams continue to tell us that they want to easily onboard applications to Duo SSO. Hence, we are extending the library of applications available out-of-the-box. We have added SSO connectors for the following enterprise cloud applications, with more coming soon:

• Cisco Meraki Secure Client

• Cisco Umbrella End User Logins

• BambooHR

• Datadog

• Freshdesk

• ServiceNow

• Splunk

• Sumo Logic

Enable users to reset expired Active Directory passwords to lighten the burden on IT teams

Expand protection with Duo SSO, now supporting OpenID Connect

Enable your users to access apps securely and help IT teams save time and money with Duo SSO. Sign up for a free 30-day trial today!

And while you’re at it, check out some of the other updates we’re making at Cisco Secure, including updates to Duo's enterprise readiness features.

For Site Reliability Engineering (SRE) Manager Stacey Young, a passion for engineering sprouted early in life. With the support of a teacher who recognized Young’s promise, she’s paved her own path as an engineer and leader. Young’s commitment to empowering her team to grow while appreciating a workplace in which she can bring her full, authentic self to work matters most.

If you also value having your voice heard, learning, and collaboration, check out our open positions.

How did you become a site reliability engineer?

When did you first develop a passion for engineering?

Stacy Young: I’ve always liked mechanical things, putting things together, taking them apart. Seeing how things worked has always, always, always intrigued me. My sixth-grade teacher, Patricia Glorfield, decided that I was going to be her student before I got to sixth grade. I believe she was a chemist then a science teacher turned elementary school teacher. She looked for kids like me who were interested in the sciences in any way, and she pushed us to hone our skills, to learn new things, to dive into things that were a little different.

I was very mechanically minded, and she pushed that in me. We did science fairs and lots of projects above and beyond regular schoolwork. She pushed me to do things that were different for me and different for someone like me in my community.

It was a blast and I never got away from it. I never forgot her, and I don’t think I ever will. That was a big turning point in my life when the things that I liked made sense to someone other than me.

What brought to you Duo and Cisco Secure, and how have you found working here?

Stacy Young: In my technical career it’s always been fun to see how things worked, figure out how I can make them better and see how I can automate. I’m trained in databases and mostly been a Linux Unix system admin.

“The interview process was pretty awesome, and I never thought that that was a thing.” – Stacy Young

Coming in, the interview process was pretty awesome, and I never thought that that was a thing. I interviewed with several different engineering managers and a couple of directors, but I’d never been through an interview process like that. It was honest. I felt like what I should be showing was my whole self, my real self, not something contrived for this interview. That made my introduction to the company awesome.

What are your goals and what lights you up about your work?

Stacey Young: My goals and what I love about my work go hand in hand. I see myself in general as a helper, someone who can help or who would at least like to help others achieve their goals. That applies both up through my management structure and down through to my direct reports — I want to help.

I want to help my direct reports become the best versions of themselves. I want to help them achieve the goals that they have for themselves, whether that is talking about barbecuing a steak or setting up your desk at home. We talk about, "Hey, what classes would be relevant to the things that you want to learn, and how can they help you with work?"

I don’t see it as everything is work, work, work. We’re whole people and we have to address our whole selves. Any of the people that work with me know that a lot of my references are about my six grandkids. Their personalities literally span the spectrum so it’s easy to use that in talking about things that we do.

What makes good company culture?

What makes working on this team, at this company, and doing this work different from other places you’ve worked?

Stacey Young: One of the things that I’ve learned is that I as an individual can absolutely affect change. How I handle the changes that come to me, how I portray them to my team and how we go about addressing them are all things that can be changed by a single person. I’ve also learned how to push changes that we wanted to see.

“I didn’t think that I would be allowed to have a voice like this at this point in my career and this quickly after coming on board here.”- Stacey Young

I can see the individuals on my team growing. I can see myself and my peers growing, too, which is why it’s so exciting to be here. I can see that the ideas that I have and the discussions that I have with my peers, with my leadership, are making a difference. And not just on my team, but above as well; I never imagined that it would be as simple as having conversations. I didn’t think that I would be allowed to have a voice like this at this point in my career and this quickly after coming on board here.

What qualities do you look for when hiring for your team?

Stacey Young: A willingness to learn and to grow is imperative. You can’t move forward without it. You’re going to have some stumbling blocks and we all know that growth is two steps forward, one step back. And so knowing that, yeah, I’m going to stumble, I’m going to fall, I’m going to make mistakes, I’m going to misstep. I’m probably going to say some things that are plain and simply wrong or just taken wrong.

But I can learn. There’s no time where I can’t learn. I like the adage, “I never lose.” I'm either winning or growing and learning, but I don’t lose. If I can learn, if I can grow, then whatever mishap or mistake that I had or made, it’s just a growth opportunity. It’s just helping me to get better. So far, it’s working.

What advice do you have for people who want to enter this field?

Stacey Young: If we can keep an open mind about things that are different from us, different to what we’ve learned in the past, different to what we've experienced so far, we’ll go a lot farther. We will achieve things that we never imagined.

“I don’t like to limit myself to anything that’s going to exclude me from something else that might be really cool.” – Stacey Young

I’m like any other person. I’m an onion with tons and tons and tons of layers. I like keeping labels off of things as much as possible, because labels push us to close our minds. I don't like feeling boxed into a label. I can only do this thing or I’m an SRE manager. No, not really. I’m a manager in the SRE space, but I don’t like to limit myself to anything that’s going to exclude me from something else that might be really cool.

Interested in joining the Cisco team?

If you share a passion for innovating collaboratively, visit our open roles.

Last year, Duo Security announced the General Availability of the Duo Universal Prompt and many customers have happily upgraded to it from the Duo Traditional Prompt. For our customers who have not yet migrated, we would like you to be aware of a few key reasons that ONLY Universal Prompt provides Duo customers with better protection and improved user experience!

What is Duo Universal Prompt?

The Universal Prompt is Duo's next-generation authentication experience that delivers an easier, more secure, and more accessible authentication for every user. Universal Prompt is Duo's answer to modern security based on zero-trust principles. The Universal Prompt is inherently more secure, as it has updated web-based technology and allows for features that provide "step-up security" such as Verified Duo Push, silent push, Risk-Based Authentication, passwordless, and more.

Upgrading to Universal Prompts helps organizations:

• Modernize authentication – Universal Prompt paves the way for customers to modernize their infrastructure and benefit from the latest technologies. For example, updating corporate applications to use SAML (Security Assertion Markup Language) and WebAuth(the Web Authentication API) for authentication mitigates vulnerabilities posed by legacy protocols (RADIUS, LDAP) and weak authentication factors like one-time passcodes. This also helps organizations get started on a journey towards a passwordless future.

• Simplify secure access – The move to modernizing and strengthening your IT security infrastructure can be disruptive for end users, but Universal Prompt minimizes user friction with a simple authentication experience and intuitive web-based design.

• Strengthen security – Bad actors continue to develop more sophisticated means of social engineering attacks to bypass security controls. Universal Prompt minimizes the risks those attacks pose by enabling Duo customers to implement advanced security measures.

A few key reasons Duo Universal Prompt strengthens security

Our Self-Service Portal, Verified Duo Push, and Risk-Based Authentication functionality is ONLY available using the Duo Universal Prompt. We will also continue to rapidly deliver new functionality built specifically on the Universal Prompt.

1. Verified Duo Push  - Asking users to verify push requests and using number matching mitigates the risk of push harassment and MFA fatigue attacks.

2. Self Service Portal – Admins can securely enable the new Duo-hosted self-service portal and require strong authentication while empowering users to self-enroll and manage their authentication devices.

3. Risk-Based Authentication – Reduce user friction and improve security by analyzing risk signals and automatically step up authentication only when necessary.

The benefits of Verified Duo Push

Verified Duo Push makes MFA more secure by mitigating the risk of push harassment and MFA fatigue attacks by requiring additional input to complete authentication. These popular attacks involve bad actors with stolen credentials to an app or service repeatedly submit push verification requests until the confused and weary user unintentionally accepts thinking it was for a session renewal or something similar.

The new verification step included in Verified Duo Push - known generically as number matching - asks the user to enter a set of numbers displayed on their “authentication device” into the authentication prompt on their “access device” in addition to accepting this push. By doing so, the user is protected against inadvertently accepting a fraudulent push request with minimal additional friction. Admins can configure the length of the match code required, from 3-6 numbers, based on their security posture.

For more implementation information see Verified Duo Push documentation.

The benefits of Duo Self-Service Portal

The new cloud-hosted Self-Service Portal provides an optimal way for end users to manage their devices and complete enrollment. Users can add, edit, and remove secure authentication methods from the Universal Prompt while logging into protected applications.

After passing primary authentication, the “Manage Devices” option is shown at the bottom of the current authenticator list. Duo authentication with a previously added authentication method is needed to gain access.

Users can rename or remove existing devices with the “Edit” options, or use “Add a device” to register another authentication device.

The benefits of Duo Risk-Based Authentication

Duo Risk-Based Authentication dynamically challenges users with stronger authentication methods based on risk signals. It complements Verified Duo Push well, as Verified Duo Push is one of those strong authentication methods Risk-Based Authentication uses when it’s deemed necessary based on a risk signal.

Those signals include:

• Device trust, including whether key systems are up to date

• Location, like access from a prohibited country

• Known attack patterns, such as suspicious activity with unusual patterns like repeated failures that can indicate attacks

• Wi-Fi fingerprint, which detects when a user roams to another network

Security needs to be easy for users, otherwise they will resist it. Duo Risk-Based Authentication effectively manages trust by presenting users with the right authentication method at the right time for the right risk.

For more implementation information see Risk-Based Authentication documentation.

How can you upgrade your environment to the new Universal Prompt?

Most on-premises applications require administrators to install a software update with the necessary changes to support the Universal Prompt on their web application servers. This software update may be supplied by Duo or by our technology partners, depending on who developed the integration. Cloud-hosted software-as-a-service (SaaS) may require limited account changes.

For more implementation information see Universal Prompt update guide.

Get to know Duo Universal Prompt

Now is a great time to upgrade from Duo Traditional Prompt to Duo Universal Prompt. Your users will have a better experience behind a better, more efficient design, along with a variety of experience-focused features. Also, admins will be able to better protect their environments with the rich set of security functionality that Universal Prompt enables.

Why is Action Required? Effective March 30, 2024, Duo will no longer support the traditional Duo Prompt! Get your plans started ASAP to benefit from the new functionality only available with Duo Universal Prompt!

For more information on Duo Universal Prompt see how in may be utilized in the Duo Guide to Two-Factor Authentication or for specifics on its implementation check out the Duo Universal Prompt Update Guide.

TLS 1.0 and 1.1 were deprecated in Mar 2021 with IETF RFC 8996. Today, the baseline TLS version used by most enterprises and businesses is 1.2. Many organizations, particularly those in highly regulated verticals and government agencies, also have to meet their respective compliance requirements. These requirements – like HIPAA, PCI-DSS, etc. – mandate the use of TLS 1.2 as a minimum version to meet the latest security standards. The consequences of not meeting compliance requirements could be huge, ranging from hefty fines to significant legal consequences. 

There are also real security risks of using TLS 1.0 or 1.1 in any IT infrastructure or solutions. Well-known attacks like BEAST (Browser Exploit Against SSL/TLS), POODLE (Padding Oracle On Downgraded Legacy Encryption), etc. target insecure TLS versions, increasing organizational risks in exposing both their own and their users’ valuable data, potentially incurring major financial penalties and legal liabilities.  The ever-evolving hacker landscape also means new cyberattacks will continue to emerge for any businesses that are not moving forward with secure technologies like TLS 1.2 or 1.3. 

What is the impact?

TLS 1.0 and 1.1 and generally weak ciphers will no longer be supported by June 30, 2023 for all existing and new Duo customers.  

This can affect connection requests from: 

• Duo Windows applications

• Duo Unix on a Unix/Linux system with OpenSSL version 1.0.0 or earlier

• Duo SDKs used by custom applications

• Third-party SDKs that connect to Duo APIs

• Duo LDAPS application for SSL VPN

• Duo Mobile still in use on older versions of Android

Duo's supported cipher suite will change on June 30, 2023.

The cipher suite will change from:

Beginning June 30, 2023, supported cipher suites will change to the following:

Note: There are some operating systems that only support specific ciphers that may be considered weak by industry standards. We are planning to deprecate them in the future when this OS dependency is no longer an issue.

Australia region cipher suites will remain unchanged on June 30, 2023, and will continue to support only the following ciphers:

What action do you need to take?

Please follow our guide to updating Duo for TLS version 1.2 and plan for the migration as soon as possible, as otherwise it may cause service disruption on June 30, 2023. 

We understand that there will be situations when legacy systems may not be able to upgrade to higher TLS versions in the near future. We want to ensure that we’re preventing service disruption for customers that have legacy systems in place. In order to make this possible, we are providing a feedback form for customers in this situation and we  will work with you to ensure that there will be a viable solution moving forward.

Last year, Duo announced the General Availability of Remote Desktop Protocol (RDP) for the Duo Network Gateway (DNG), and today we are happy to share that we’ve now extended transmission control protocol (TCP) support to the Server Message Block (SMB) protocol. This capability is generally available for Duo Beyond customers.

This means that the DNG now enables users to access on-premises shares, without requiring a full VPN connection.

What is Duo Network Gateway?

For those unfamiliar with DNG, it is a remote access proxy security solution that enables organizations to provide zero-trust remote access to a broad variety of applications hosted on premises. It includes support for Web Applications over HTTP or HTTPs, Remote Desktops over RDP, Secure Shell (SSH) servers, and now file sharing over the Server Messaging Block. It also eliminates the need for full VPN and avoids exposing those applications directly to the internet.

DNG is part of the Duo Beyond edition and includes many other capabilities to protect customer environments based on zero trust principles. It begins with a device posture check by verifying the health of key operating system services. Then it verifies user identity with advanced multi-factor authentication (MFA). It continues monitoring trust and logging potential anomalies with machine-learning (ML) driven trust monitoring.

Why do I need DNG?

The SMB protocol is a network file sharing protocol integrated in Microsoft Windows operating systems. SMB is an application layer protocol that is transported over TCP/IP. Domain joined clients on the corporate networks who have established trust can connect seamlessly to shares on Windows servers using SMB. Untrusted remote users need a secure way to navigate the internet and corporate firewalls to establish trust and gain access.

How does DNG for SMB work?

1.  On the Client: The user selects the Network Drive (for example, Windows Explorer)

2.  On the Client: The Duo Connect Plugin intercepts the call and resolves the network domain name (for example, smb://SMBsharename.company.com/shared/Files)

3.  The Company CNAM record directs “SMBsharename” to a DNG-hosted FQDN (for example, dngxyz.duo.com)

4.  DNG returns a “Carrier” public IP address

5.  On the Client: The Duo Connect Plugin sets up a secure TLS tunnel to the DNG

6.  On the Client: The Duo Connect Plugin passes a SMB file request to DNG

7.  DNG proxies request username and password, then initiates authentication with Duo SSO or other supported Security Assertion Markup Language (SAML) providers

8.  Duo Cloud validates the user and responds with a SAML assertion

9.  DNG resolves the server on Company Network and relays Client SMG commands

10. On the Client: The user is presented with the file (or pertinent SMB file operation output)

Who is using DNG?

Duo Network Gateway has already helped hundreds of organizations across multiple industries, including technology and IT services, education, finance, healthcare. It offers their workforces consistent and secure access to corporate resources from any device and location, and customers are already benefiting from adopting this solution.

“If you want to get rid of the VPN management burden, use the Duo Network Gateway to give access to your web and desktop applications. Users – and their access – are managed in the Duo Admin platform. No more firewall, no more AAA or whatsoever complicated thing. Once you go for DNG, you never go back.” – Antony Gallez, Operations Manager at Cameo Global, a New Era Technology Company

Where is DNG going?

Try Duo for Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

Multi-Factor Authentication (MFA) is a security tool used by various organizations to protect user credentials, or the username and password. MFA has been recommended, or required, by governments and has grown in popularity as a measure to quickly add a layer of security, especially if credentials are compromised as part of a phishing attack.

However, MFA has been in the news recently as attackers are finding new and creative ways to get around it. On the one hand, this means that MFA is such a common practice that attackers have had to get creative. On the other hand, it means that simply enabling MFA is not enough and organizations must follow secure MFA practices. Some examples of these attacks include one-time-passcodes intercepted by bad actors (MITRE ID T1111), adversaries registering a fraudulent device to a trusted account (MITRE ID T1098.005), or push phishing attacks that rely on a trusted user to grant access to an attacker (MITRE ID T1621).

What can organizations do?

There are best practices organizations should follow in order to make sure that MFA in their environment is secure against these new threats. As a first step, organizations need to modernize their authentication, moving away from RADIUS or LDAP protocols and moving towards SAML. Additionally, it is important to adopt FIDO2 compliant authentication, such as passwordless or security keys, wherever possible.

For Duo customers, we also recommend moving all authentications to the new Universal Prompt. The Universal Prompt unlocks important security measures that Duo is releasing to strengthen organizations against the new threat landscape. 

New secure features

In addition to Duo’s new broader solutions, like Passwordless and Risk-Based Authentication, Duo has released a number of additional features that organizations can deploy today to better protect their users. These include the following updates:

• Self-Service Portal: Step up authentication requirements for users when they are enrolling new devices

• API for User Activity Logs: Stay on top of user device enrollment threats through Duo’s API solution

• Enrollment Threat Detection: Use machine-learning to surface new enrollment threats that need the security team’s attention

• Verified Duo Push: Require users to enter a code in the Duo mobile application to better protect against push phishing attacks

• Policy Defaults: Duo has established new policy defaults based on research that enhance organizations’ secure access without adding unnecessary friction.

How to get started

For all new Duo customers, the Liftoff Guide walks through best practices of how to deploy and manage Duo. To highlight the newly available features, Duo has added the companion guide, New Duo Feature Guide: Strengthening Your MFA. This guide can walk customers through these new features and how to deploy and manage them.

Not a Duo customer but interested in trying out these features? Sign up for a free trial today to get started.

Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With its release, we’re taking a trip through time, from digging into the early days of passwords to imagining the passwordless potential that lies ahead.

Today: The arms race between code makers and code breakers ushers in the computing era, digital passwords are introduced (and quickly broken), and encryption fixes the security loophole of storing passwords in plaintext.

It wouldn’t be long after WWII when the burgeoning development of computer systems grew large enough that MIT had to solve a new problem: With limited computing power available and more researchers needing access than the system could handle at once, how could they divvy up a schedule that allowed all users a guaranteed window of access? This culminated in the Compatible Time-Sharing System (or just CTSS), a researcher access scheduling system which assigned each user a unique password and limited the number of accounts that could access the system at once.

But, as can often happen when security for users conflicts with what users need to get done, this new system didn’t function as intended for very long. Almost as soon as it was implemented, researchers began to swap passwords to share their access windows. Before long, one researcher discovered that all passwords were stored in plaintext on the mainframe, giving them a master key for unlimited access.

Over the following decades, further refinements were added to try and shore up the effectiveness of password security. Pioneering researchers Ken Thompson and Robert Morris fixed the security loophole presented by storing passwords in plaintext with the introduction of “hashing.” This used an algorithm to scramble the password into what looked like random characters, but which could be decrypted by the system when needed and checked against what a user entered. You can think of the hashing algorithm here much like the Caesar and Vigenère ciphers we just talked about: if the encryption works as intended, only the system with the set of rules used to encode the secret password should be able to decrypt it.

But just like many codes and ciphers fell flat in the face of frequency analysis, anything that can be predictably hidden can eventually be predictably found. And similarly to how null or dummy characters would be added to an encoded message to throw off prying eyes, Thompson and Morris improved their method with “salting”, which would add these padded characters to an encrypted password. Cracking passwords now required someone looking to reverse it to have both the algorithm AND salting pattern used.

Despite the dawning awareness among the population at large to the idea of computer security through pop culture media like the “WarGames” film series, through much of the ’80s the techniques of password security appeared to have outpaced most techniques for compromising them. While computing power grew by leaps and bounds, the time required and number-crunching necessary to crack most passwords could measure into decades, even centuries long.

That changed in 1988, when what many consider the first computer virus to spread through the internet appeared in the form of the Morris Worm. In a twist worthy of Shakespeare, security pioneer Robert Morris’ own son, Cornell University graduate student Robert Morris Jr., developed the worm as a research project. But thanks to a minor quirk in coding, this project spread much further and did far more damage than he intended, knocking 6,000 networked systems around the world offline. The novelty and dramatic family aspect of the story grabbed the public’s attention, and the younger Morris became the first person charged under the Computer Fraud and Abuse Act passed five years earlier. What made the Morris Worm so sophisticated was its combined methods of using a “dictionary attack” of the then-most common 900 passwords, along with a method that tried to search out a system’s password file to crack it if that didn’t work.

Before the Morris Worm, the general attitude towards computer security was lax. As a tool primarily used by government, academic, and large corporate organizations, most systems were built to allow minimal friction for users that might slow their work. They often relyed on standard or default passwords that would allow users to log in regardless of the machine they sat down at. After Morris Jr’s conviction, that attitude quickly changed, and organizations like the Department of Defense began to quickly lock down systems with stronger measures like multi-factor authentication.

The late ’80s and ’90s sped down the road towards ubiquitous computing access, as more and more homes brought home powerful desktop PCs that would have cost thousands of dollars just a few years before. The introduction of home internet services like Prodigy, CompuServe, and America Online saw the profile of the average computer user expand from employees and researchers to… well, just about anybody.

With that seismic change, the security passwords provide and the encryption keeping those secrets safe went from important to vital:

See the video at the blog post.

Hearing all this, you might think that most password hacks look like they do in the media: a shadowy figure frantically types away while complex code scrolls past, as their nefarious software cracks someone’s password one character at a time.

But the truth is much more mundane, though no less concerning. In the last couple decades, the biggest driver of breached accounts have been either stealing user passwords through phishing and malware attacks, or finding re-used credentials available in the growing number of “password dumps” where MASSIVE quantities of previously-stolen passwords are bundled and shared with other attackers. Because most users repeat the same password for multiple accounts, this can often be as effective as finding an extra copy of someone’s house keys. And when we say “massive”, we mean it: the largest password dump to date, RockYou2021, included more than 8.4 BILLION passwords, which means there was more than one password for every human being on earth in this single release.

That brings us to today, where 2/3 of people in the US have experienced some form of data theft largely driven by compromised passwords, which are a factor in 85% of successful breaches. With numbers this daunting, what’s the good news? Are we doomed, or can we solve these password problems to help keep ourselves and our personal information safe?

To answer that, we’ll check in with our experts.

Next in our series on passwordless history: Our panel of experts share their password-related pain points, from the challenges of remembering and rotating them to unequal access to technology slowing passwordless adoption.

Determining the trustworthiness of company-owned devices is usually straightforward: We install a mobile device management (MDM) tool, then implement security policies that allow IT and SecOps teams to protect the device or remotely wipe the endpoint if it’s been compromised. But for organizations with a bring-your-own-device (BYOD) policy, improving security by establishing device trust is more challenging. What if it belongs to a contractor or seasonal worker we’ve hired? Or a partner we’re collaborating with on a project? On top of that, how do we handle our own employees’ personal devices?

In each case, the device needing access is not corporate owned and managed so we may not be allowed to, or the owner may not want us to, install the company’s management software on their device. While the contractor/employee needs access to apps and data on the network, we want that device to be in a healthy and trusted state before it’s granted access to our network. How do we balance providing unmanaged BYOD access with ensuring these endpoints are in a secure, healthy and trusted state?

Health as a component of device trust

For years it was assumed that once the user’s identity was verified, they were considered to be on the “inside.” Anyone on the inside was trusted and had access to everything the network had to offer. Little attention was given to the access device and its health status, however.

Eventually, cybercriminals figured out that if they could install malware on an endpoint there was a chance the infected device would pass undetected once the user’s identity was validated. It was like the early days of airport security where the passenger simply had to show a ticket and ID to pass through security. Once their identity was confirmed, it was assumed any luggage they had wasn’t carrying something illegal.

This “castle-and-moat” model led to some high-profile data breaches that cost the affected companies millions in financial and reputational damage. We now understand that trust in the user is no longer enough. Regardless of whether you’re securing unmanaged BYOD endpoints or company-issued managed devices, it’s essential to account for trust in the device used to access network applications. And a key component of that trust is the health of the device.

Duo device health as trusted

How does device trust help with BYOD security and trust?

Let’s go back for a minute to our contractors, seasonal workers, partners and employees with devices not under our management. While they may balk at installing management software, the Device Health app is a lightweight client app that is much less intrusive and controlling. Users can install the app quickly and easily without needing assistance from IT.

Once installed, the Device Health app collects unique device identifiers during authentication and compares them against a list of known devices stored by Duo. If those device identifiers are recognized, it means we trust that device. It’s part of the Duo Trusted Endpoints feature in Duo Beyond, which secures your sensitive applications by ensuring that only known devices can access Duo-protected services.

But here’s where it gets interesting for those non-managed devices. Organizations can use the DHA to extend trust to them as well.

In her blog, Shilpa Viswambharan discusses how a manual integration feature based on the Device Health app enables IT administrators to manage macOS, Windows and Linux endpoints that are not enrolled in a management system by adding them to their list of trusted devices. This includes contractor-owned, partner and employee personal devices. Once an unmanaged device is added to the list, it’s considered trusted just like devices enrolled in an MDM.

The feature offers other benefits that enable you to trust these devices beyond checking their health posture. For example, administrators can set a trust expiration date, perfect for short-term and seasonal hires. They can add devices individually or in groups using a CSV file. Information can be edited, descriptions can be added and devices can be removed altogether through the Duo Admin panel. Ultimately, administrators can use the Device Health app as a solution to accommodate BYOD in security policies instead of overruling or ignoring users’ aversion to conventional endpoint management software.

Is it time to trust unmanaged devices?

Device trust is a tricky concept. We know our full-time employees, contractors and partners need access to network resources using their devices. We’ve also seen firsthand the importance of establishing the health posture of any device before access is granted. But is it necessary for the device to have an MDM installed to be considered trusted?

Not too long ago we would have said yes. But now with Duo’s manual integration feature for Trusted Endpoints there’s an alternative. You can proclaim any unmanaged device to be trusted by adding it to your organization’s customized list of trusted devices. It’s all up to you.

To learn more about how Duo can help your organization establish trust in unmanaged devices, read “The Essential Guide to Device Trust in the Enterprise.”

With hybrid and fully remote work becoming more mainstream, more employees than ever are using both personal and corporate mobiles to access company data. This leaves security teams scrambling to implement best practices for mobile device security. Fortunately, Duo makes implementing mobile security policies simple.

In this post, we’ll talk about some impactful policies Duo Access and Beyond organizations can start enforcing today with minimal effort and high value to increase security posture. These policies are geared to protect your organization when access devices don't meet your security needs. We can help block those authentications and provide remediation steps that your users can use to make their devices much more secure before accessing your sensitive applications and data.

1. Require screen lock

Policies Available in: Duo Access and Duo Beyond

One of the more prevalent best practices for securing your mobile devices, whether it is a corporate device or a personal device, is to enable a screen lock in order to gain access to the device. However, we continue to see people not taking these steps to secure their devices either due to wanting more ease of use without having to enter a screen lock or some users forgetting or unknowingly skipping this step to secure their device. 

In previous years, we’ve seen research groups like Pew Research Center report that 28% of smartphone owners say they do not use a screen lock or other security features to access their device. In our own findings with a subset dataset, we found that 1 in 3 Android devices don't use passcodes on their lock screens, compared to 1 in 20 on Apple devices. Over the past two years, Duo has found that 5% of users do not have screenlock enabled and configured on their devices.

With the increase in development of more secure protocols and improved user experience with biometrics and pattern locks for devices is changing things. Consumers now have an avenue of a less scary and easy setup and usage regarding screen locks. Yet findings from Statista, a research company surveying 1,146 people globally, 1.6% or 18 people from this small group still have no screen lock enabled for their devices.

You can increase your security posture by enabling Screen Lock on your Duo Policy which will block these devices trying to access your applications until the user remediates their device by securing their device with a screen lock.

2. Shut out tampered devices

Policies Available in: Duo Access and Duo Beyond

People jailbreak their devices for different reasons, some legitimately due to research and development reasons and some due to ill intent.  Part of a bad actor's goal is to go through their attack undetected and unidentified. Having a jailbroken or rooted device helps bad actors conceal their identity and information about their device with false data. Regardless of the reason, once the device is jailbroken it means that the security model of the mobile device OS can no longer be acceptably trusted. 

Just like with screen lock, this is common with users around the world having a tampered device. It is difficult to determine an exact number of jailbroken devices. However, Pingdom reports a rough estimate of as many as 8.5% of all iOS devices are jailbroken. We know that jailbreaking iOS is also a very popular topic among users, as a subreddit for jailbreak consists of 658,000 members who provide tips and discussions on their jailbroken devices. 

For android devices, security experts from Verimatrix reported data that shows 36 out of every 1000 Android devices are rooted globally. That’s 3.6% Android devices being rooted but does not calculate all other types of tampered methods like code and memory tampering.

By enabling Tampered Devices policy, Duo can help verify if a device is jailbroken or rooted and prevent these devices from accessing your applications. Duo has developed a unique detection and algorithm to determine a jailbroken iOS device and also utilizes Google's SafetyNet device attestation to identify tampered-with Android devices.

3. Enable full-disk encryption

Policies Available in: Duo Access and Duo Beyond

Why should you care if mobile devices are full disk encrypted and why should you care if non-encrypted devices are accessing your applications? 

Data gets saved onto a device’s hard drive, whether automatically from apps or manually by a user. This means some of your organization's data could be stored on a device's hard drive. Leaving the device unencrypted opens the door for potential bad actors to gain access easily to that critical data if the device were to fall into the wrong hands. 

With the growing number of devices being used in organizations, there is now more risk as your critical data becomes more mobilized. More mobile devices lead to more security vulnerabilities occurring like lost or stolen devices which could go unreported. Verizon’s 2022 Data Breach Investigation reported that 82% of breaches involved the Human Element and there has been an increase in ransomware by 13% – more than in the last 5 years combined.

When a device has full-disk encryption enabled, it automatically encrypts the data on that hard drive to something that cannot be deciphered without the right authentication key. Instantly protecting the data on that device.

By turning on Full-Disk Encryption in your policy checks, you’re ensuring that only devices with full-disk encryption enabled are accessing your applications protecting your critical data.

More information on best practices for mobile device security

To review more policies to help protect your users, endpoints, and data even further please review our Duo Administration Policy & Control guide or read our series. 

Duo also provides dashboards that allow customers to monitor the status of mobile devices on their networks.

For interested customers who would like to continue the conversation with a trusted advisor, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.

Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is  established in a passwordless future. With its release, we’re taking a trip through time, from digging into the early days of passwords to imagining the passwordless potential that lies ahead.

Today: The pre-computing history of passwords — codes and ciphers, the arms race between code makers and code breakers, the Enigma machine, and more.

Today we use passwords to “unlock” access to our most important private information, but even 2,000 years ago people needed a secure way to “lock” and “unlock” secret messages between one another. Since we use more modern methods of encryption for securing information today, understanding at least a tiny bit of how these ancient methods work can help us understand how passwords work today. And we’ve brought an expert along to guide us on this trip through the past.

Simon Singh is the author of “The Code Book,” an international bestseller which takes a deep dive into the history and evolution of secret communication. For starters, we’re going to be using specific terminology that often gets tossed around interchangeably, so we asked Simon to share some working definitions.

“When we talk about secret communication,” Simon explains, “We use words like encryption and encipher and encode, and all of these things are kind of used interchangeably […] a code is where one word is always replaced with a certain symbol, for example, and that’s always the case. One word, one symbol. And encipherment tends to mean that the word is jumbled up and it can be jumbled up in different ways on different occasions." 

For an early example of basic encryption, we go back to Rome during the reign of Julius Caesar, who provided one of the best-known ways of keeping communications secret.

As Simon puts it: “A Caesar cipher is a type of simple substitution cipher, and we don’t just replace the letter A with any old symbol or any old letter, we replace A by shifting it down the alphabet. Now a classic Caesar cipher shifts by three places so A becomes B, C, D, A becomes D. And that’s all you do, you just shift every letter down three places.”

Believe it or not, you can still find examples of Caesar ciphers today. If you ever found a decoder ring in your cereal box as a kid, odds are good that it used this method or a slight variation of it. Of course, early ciphers often had a short shelf life, which is why what once protected the battle plans of Caesar has been relegated to a puzzle for children.

See the video at the blog post.

Vigenère's cipher was far more complex than Caesar’s cipher, but by adding more randomness and possibilities for each letter’s actual meaning, it’s exponentially harder for a codebreaker to puzzle out what the message means. As a result, Vigenère’s method resisted all attempts to crack it for a very long time.

"Vigenère invents the Vigenère cipher in the 16th century. […] In the Victorian era, the Vigenère cipher is eventually broken and it was broken by Friedrich Kasiski, or at least that's what we thought. It turns out that it was actually broken a decade earlier by a chap called Charles Babbage who's famous today for being the kind of pioneer of mechanical computing, as well as many other things.” - Simon Singh

Almost 300 years — not a bad record. Babbage’s historic contributions to the development of mechanical helped to usher in the beginning of the computing age. And the need for better codes and codebreaking helped bring it even closer, thanks to a historic development known as the Enigma cipher.

See the video at the blog post.

In fact, the number of possible combinations provided by the Enigma machine are so large, even if a persistent codebreaker checked one possibility every minute, it would take longer than the age of the universe to check every possibility.

The Enigma machine proved to be a tipping point in encryption, a culmination leaps forward in complexity to the point that humans needed mechanical and, later, digital computers to keep track of and compute the complex algorithms involved in making and breaking these new encryption methods.

For our next stop in the rise and fall of passwords, we need to head to college – MIT, to be specific.

Next in our series on passwordless history: the arms race between code makers and code breakers ushers in the computing era, digital passwords are introduced (and quickly broken), and encryption fixes the security loophole of storing passwords in plaintext.