<![CDATA[The Duo Blog]]> https://duo.com Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. Wed, 22 Oct 2025 14:50:26 +0000 en-us info@duosecurity.com (Amy Vazquez) Copyright 2025 3600 <![CDATA[Why Role-Based Access Control is Critical to Your Security Stack]]> aateya@cisco.com (Abdul Ateya) https://duo.com/blog/why-role-based-access-control-is-critical-to-your-security-stack https://duo.com/blog/why-role-based-access-control-is-critical-to-your-security-stack Industry Events Thu, 30 Oct 2025 00:00:00 +0000

Multi-tenant security can be complex, but it doesn’t have to be. We’re excited to announce that Role-Based Access Control (RBAC) for subaccounts has been rolled out to all Duo Managed Service Providers (MSPs) at each Duo edition, including a way to manage granular access in bulk. Duo RBAC makes your Admin Panel experience more secure—without compromising productivity. What does that mean? Let’s dive in.

RBAC is the practice of granting or restricting access to users based on their specific responsibilities. RBAC works by assigning permissions to roles and then assigning roles to users, allowing organizations to easily manage access to systems and resources.

Clients count on their MSPs to be secure. The focus on MSP security has heightened due to advanced cyber-attacks and even recent ransomware campaigns specifically targeting MSPs.

However, managing admin permissions in a multi-tenant structure can be complex, with stronger security often coming at the expense of ease of use.

To scale operations securely, role-based access helps MSPs and other multi-tenant accounts easily ensure proper access controls and reduce the potential for security incidents or unauthorized access to sensitive information.

There are two new RBAC additions to the Duo Admin Panel that work together to keep the engine moving smoothly:

  1. Subaccount Roles: Establish granular admin permissions and least-privilege access practices within your organization. Non-Owner admins can be assigned distinct roles at the parent (main) account and subaccount levels.

  2. Access Tags: Non-owner admins can be given access to specific subaccounts and denied access to others—without having to manage multiple logins. Manage account access with security, usability, and client privacy top-of-mind. Manage Access Tags using the new Access Tags page.

Let’s say that Kit, an IT administrator at Acme MSP, wants to ensure that Stef, Acme MSP’s helpdesk specialist, can properly support clients. Stef works with clients in the financial industry and needs the ability to view and modify their user information but should not be able to create or delete users. Stef should not be able to edit any other accounts that Acme MSP serves in other industries.

  • With access tags, all administrators with the tag “ACME Financial” can access any subaccounts associated with that tag, but admins without it cannot. Kit can add the “ACME Financial” tag to Stef’s admin profile to grant Stef access to client accounts with this tag.

  • With subaccount roles, Kit can assign Stef ‘Help Desk’ access to subaccounts but limited ‘Read Only’ access to the “Acme MSP” account. Stef now has ‘Help Desk’ access only to all “ACME Financial”-tagged subaccounts and no access to other tagged subaccounts.

Duo’s MSP RBAC allows Stef to do their job and Kit to deploy and manage at scale for multiple customers, all without compromising on the security efficacy of Acme MSP and their clients.

RBAC plays a crucial part in simplifying operations, strengthening security and driving productivity for MSPs and the customers they protect. With new subaccount roles and easy access tagging, Duo MSPs can easily onboard new clients with appropriate admin privileges, simplifying security management, increasing client trust, and speeding time to revenue.

Instead of needing to set up RBAC through dozens of pages and clicks, MSPs can use Duo’s Access Tags page to set up RBAC in one spot, as well as use the Admin API to modify subaccount roles.

“RBAC is a huge step to make my Duo experience easier.”

Beyond MSPs, Duo’s RBAC can benefit multi-tenant customers using Duo subaccounts, such as universities segmented by campus and enterprises segmented by department.

“I love it…Just a day after I got the email from Duo that this feature had launched, we had a situation… where utilizing the tags saved our day.”
- Duo MSP partner, EMEA

Duo’s MSP program helps you eliminate complexity and grow your business with industry-leading secure, scalable, and flexible access management.

The Duo MSP program makes it easy to:

  • Scale your business with pay-as-you-go pricing with no complex pricing tiers or minimums.

  • Manage all customers in one console with Duo RBAC.

  • Succeed with technical and marketing support from our team and access to an extensive documentation library and 50 NFR licenses.

Visit the Duo MSP page or reach out to msp@cisco.com to start your Duo MSP partnership today.

Duo offers a comprehensive identity and access management solution, with a user directory, SSO, phishing-resistant MFA, dynamic identity threat detection, strong, frictionless authentication, and device trust. With RBAC for subaccounts, administrators gain fine-grained control over ensuring the right people have the right administrative permissions, strengthening security, streamlining role assignments, and enabling scale with confidence.

Adopting Duo RBAC can lead to improved security hygiene, a more scalable admin experience, and improved client trust. The best part is – it doesn’t have to be all or nothing – start by protecting your most sensitive accounts today while you build your organization’s permissions structure over time.

Learn more about how Duo RBAC makes it easy to manage and grow with Duo’s leading access management solution:

]]>
<![CDATA[End-to-end phishing resistance: Stretch goal or short-term reality?]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/end-to-end-phishing-resistance-stretch-goal-or-short-term-reality https://duo.com/blog/end-to-end-phishing-resistance-stretch-goal-or-short-term-reality Industry News Tue, 28 Oct 2025 00:00:00 +0000

Basics is no longer cutting it. Free is not stacking up. Even with multi-factor authentication (MFA) patrolling security’s new identity-based perimeter, phishing attacks remain one of threat actors’ favorite tools and demand stronger protection in identity and access management (IAM). MFA may make it harder to simply log into enterprise environments using lost, leaked, bought, weak, or stolen user credentials, but it’s clearly not impossible either.

That’s because user training and even basic MFA are not enough to ensure phishing resistance against modern campaigns that use new techniques to subvert or sidestep authentication:

  • AI-led campaigns use large language model (LLM) tools like ChatGPT to craft convincing emails that look and sound like trusted entities

  • Adversary-in-the-Middle (AiTM) attacks bait users into clicking fraudulent links that take them to proxy servers controlled by the bad actors

  • New multi-stage MFA fatigue campaigns are designed to capitalize on repeated user authentications to bypass and exploit weaker forms of MFA

  • Gaps in protections reveal themselves as attackers target supply chain and third-party access permissions, remote desktop protocol (RDP), or legacy applications

And that’s not all. Modern phishing attacks like the ones listed above now stretch beyond authentication, threatening session cookies and bypassing traditional defenses, making comprehensive phishing resistance essential—even for trained help desk pros.

If all of that makes achieving end-to-end phishing resistance sound like a pipe dream, identity security leaders can take heart. In a new guide from Cisco Duo, you’ll learn what tools and strategies you can use to push your organization toward modern phishing resistance.

Ready to strengthen your organization's phishing resistance?

Download the free Guide to Building End-to-End Phishing Resistance now.

Let’s talk about what makes defending against modern phishing attacks so challenging.

There’s a lot more to consider when it comes to phish-proofing your organization, and new and existing regulations are not shy about pushing standards higher. To mitigate the risk from modern phishing attacks, regulators, zero trust guidelines, and cyber insurance companies now emphasize phishing-resistant MFA and robust identity security. Forward-looking regulations like Memorandum 22-09, from the Office of Management & Budget (OMB) in the US and the NIS2 directive in Europe now specifically prescribe “phishing-resistant MFA” as a best-practice strategy for safeguarding identity.

These evolving mandates concentrate on the strength of the factor, but IAM leaders already know their defenses must extend beyond the conventional app login. With more threat actors expecting to run into traditional SMS, and even push-based MFA, phishing-prevention strategies must illuminate exploitable blind spots throughout the entire identity lifecycle. That means starting at enrollment—where new, enthusiastic employees are susceptible to false HR emails—through critical points like help desk interactions, remote connections, and deprovisioning.

With headlines of AI-enabled deepfake and vishing (voice phishing), social engineering tactics grow trickier to detect. In many situations, organizations may revert to using passwords or basic security questions as a fallback option for verifying identity. Today’s identity security practices must rise to meet new challenges. For example, using an integrated identity verification service creates a more secure fallback option that equips help desk technicians to establish trust on the fly.

Many organizations use cookies to extend trust throughout a user’s entire working session. But if intruders can find a way to log in using active credentials, they can sometimes steal those “remember me” cookies to hijack active sessions and authenticate into other applications, or change or escalate privileges without triggering detection.

Attackers have become adept at stealing cookies through malicious JavaScript, infostealers like Redline and Emotet, or adversary-in-the-middle attacks. Once they have the session tokens, they can take over digital identities, bypassing passwords, MFA, and other security controls. Typical precautions like making sessions shorter and asking users to reauthenticate more often only add to productivity complaints and user frustration.

Security often comes at the cost of increased friction—especially challenging when end-users must interact with it several times a day for each of their applications. What if we removed the very thing that makes a session stealable? Duo’s patent-pending authentication without cookies paves the path for a dramatic reduction in user friction, delivers platform-agnostic protection (Windows and macOS) with no vendor lock-in or ecosystem limitations, and provides built-in hardware-backed phishing resistance.

Security only works if people use it, which they won’t do if MFA gets too complicated. Asking users to keep track of multiple passwords, rotations, authenticator apps, and physical tokens is a recipe for disaster and that new digital malady, MFA fatigue.

Overly complex controls also burden IT. According to the Cisco Duo 2025 State of Identity Security report, nearly 60% of security leaders cited token management as the biggest hurdle to phishing resistance. Most security and IAM leaders would like to make their MFA more phishing resistant but believe it might not warrant the time and effort.

Rolling out new methods of authentication (like biometrics and smart cards), buying and shipping hardware tokens to remote users, and fielding support calls all consume endless IT cycles that offset the value of IAM investments.

IAM strategies must overcome leaders’ top obstacles to deploying phishing-resistant MFA:

  • Cost and ongoing management of hardware tokens

  • Training and support

  • System compatibility

Resistance stems from operational burdens, not lack of demand. At the core of improving phishing resistance is making stronger security feasible to deploy for every user. After all, “if a security control isn’t deployable; it’s not usable. And if it’s not usable, it’s not protecting anyone.” For Duo, the breakthrough was adding the same proximity-based verification that hardware tokens provide on top of our familiar interfaces. No shipping hassle, no complex configurations, no added cost.

It’s not uncommon to hear of passwordless authentication as an option to go phishing resistant and improve user experience at the same time. The pitch to go password-free is typically accompanied by plenty of caveats and challenges, yet many organizations committed to strengthening their identity security are already moving forward—streamlining authentications with single sign-on, enforcing device hygiene standards, and leveraging risk-based authentication (RBA) to cut down on repeated logins.

With the past several years of innovation, regulators, cyber insurance companies, partners, and prospective customers are also headed towards passwordless, and for good reason: without credentials there’s nothing to phish. Even AI can’t steal passwords that no longer exist.

Is “complete passwordless” just another pipe dream? After all, complexities arise in the form of legacy applications, working with existing infrastructures, and initial directory enrollment. The new guide details how you can make the elimination of passwords—typically considered a ‘stretch goal’—a near-term reality (versus a “roadmap item”) at every stage of the identity lifecycle: enrollment, application and operating system logins, help desk support, and secure fallback.

  1. Securely verify and onboard new users

  2. Strengthen user authentication at every access point

  3. Prevent session stealing even after users log in with cookie-free protections

  4. Secure the "edge" cases like fallback, Help Desk calls, and deprovisioning

  5. Move towards eliminating passwords completely

Stronger security is achieved in phases. Implementing end-to-end phishing resistance with identity verification, session theft protection, and phishing-resistant MFA ensures your organization is protected now and in the future.

Duo makes it easy to get started on the journey to complete end-to-end phishing resistance without the high price tags and hidden costs. Download the guide now to learn how you can build seamless, reliable identity security and deliver a world-class end-user experience at the same time.

Get the free guide to achieving end-to-end phishing resistance today!

]]>
<![CDATA[Evolving to “Security-First” IAM — without starting from scratch]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/evolving-to-security-first-iam-without-starting-from-scratch https://duo.com/blog/evolving-to-security-first-iam-without-starting-from-scratch Product & Engineering Tue, 21 Oct 2025 00:00:00 +0000

“Comprehensive security should be built in or enabled by default” — a plea from Patrick Opet, CISO at JP Morgan Chase. In an open letter to their third-party providers, Opet points out an erosion of strong authentication and authorization practices as software providers prioritize speed of development over security.

Complexity is the reality for organizations of all sizes. With an ever-distributed supply chain and increasingly modern software demands, security controls expand to defend a new perimeter: identities, from trusted employees to partner external accounts to experimental AI agents. Change is hard and adds pressure on traditional systems that prevent organizations from moving forward with even the most obvious decisions, like taking a “security first” approach to identity and access management (IAM). It’s simply challenging to justify ripping out what’s in place and starting over.

Check out our latest guide to security-first IAM to see how Duo is restoring trust in identity.

Cisco Duo aims to eliminate the performance and compliance tradeoffs that drive up the cost and complexity of other solutions—like gaps in visibility and strong authentication coverage. Evolving to security-first IAM should be easy. With roots in both deep security research and exceptional user experience, Duo makes world-class identity security available by default, not as an add-on. To level-set, here’s what business and IT leaders can expect to gain and how they can jumpstart the process to putting security first.

Modern cybersecurity strategies know that identity is the new perimeter, but many traditional IAM solutions don’t adequately protect those identities with security until later. As a result, organizations are forced to seek incremental control layers to protect their core directory solution and stretch to cover their edge cases. Between additional budgets and deployment hours, that’s too late.

When companies treat security as an afterthought, adding important protections drives up the basic cost and complexity of IAM solutions exponentially with deployment, maintenance, and upgrades. Security-critical upgrades may slide to the back burner, or worse yet, never get done at all.

Security-minded organizations have rolled out multi-factor authentication (MFA) to validate and protect identities as users log into their desktops, single sign-on (SSO) portals, SaaS and online applications. That’s a great start but leaves business-critical legacy, custom and remote applications unprotected. Because converting those systems to work with other MFA solutions is a heavy lift, companies continue to—perhaps unknowingly—rely on incomplete protections.

Duo gives businesses an easy, affordable way to protect all applications for all users against sophisticated phishing attacks out of the box with industry-leading MFA and SSO included by default.

Even with SSO, threat actors continue to log—versus “hack”—their way into systems with leaked or stolen credentials. Duo gives organizations a reliable way to validate trust in devices as well as users.

From day one, Duo helps organizations control which devices get access to which resources in your environment whether managed or unmanaged. Duo Device Trust avoids risk by gathering health and security posture before allowing devices to connect to organizational resources. If an accessing device fails to meet health requirements, the request is blocked—and the user is prompted to self-remediate with step-by-step instructions. Enforce baseline device health at the access management level, extending protections without device-level agents.

Remote identity-based attacks have learned to take advantage of push-based MFA with repeated, annoying push-bombing. Proximity verification that confirms the device being used to log in is in the same physical location as the system being accessed acts as a strong defense against remote phishing attacks. But for many organizations, requiring hardware tokens.

Organizations can’t stop phishing attacks while still relying on passwords. Duo’s advanced, end-to-end phishing-resistance includes complete passwordless authentication—even for MFA enrollment, fallback, and on-the-fly help desk calls—to meet modern requirements and deadlines for protecting identities.

Putting security first means recognizing the reality that security teams want to step up protections but have too few dollars in the budget, and not enough hours in the day. Duo makes it easier to make security first a top priority by overcoming the main objections: that the pain of making a change outweighs the business benefits.

Nothing could be farther from the truth, and IAM teams can prove it by phasing in security-first IAM in three powerful use cases:

With the addition of powerful user directory capabilities and deployable end-to-end phishing-resistance, Duo creates “security-first” IAM that achieves forward-looking identity security at enrollment.

Duo offers the broadest possible MFA coverage with flexible options for every user, and no exceptions. Use Duo to quickly achieve 100% MFA, SSO, and device trust coverage and meet the needs of “edge” cases like first responders in healthcare and seasonal workers in retail. Duo works with legacy and custom applications adding visibility and protections that strengthen security and compliance quickly. With hundreds of integrations out-of-the-box, Duo delivers on speed to security that ensures your bases are covered for audits, compliance, and insurance.

Accelerate workforce consolidation during mergers and acquisitions (M&A) and other strategic initiatives using Duo’s IdP and routing rules capabilities to broker between them. Over time, Duo Directory streamlines the transition to a single identity provider (IdP) to centralize and unify operations or makes it easy and affordable to manage multiple directories seamlessly for as long as IT chooses.

A key part of Cisco’s broader cybersecurity solutions, Duo leverages Cisco Identity Intelligence (CII) to streamline detection, response, forensics and reporting on identity-led attacks. Identity security posture management (ISPM) is another key function that helps make self-auditing habits easier. Identity Posture Scoring in CII detects gaps across your entire identity ecosystem and provides prioritized, actionable recommendations to help you effortlessly identify and address gaps in your organization's identity security hygiene. For example, see your distribution of enabled MFA methods or pull a list of identities that are dormant, shared, or missing from HR systems. Take the ISPM product tour.

According to Verizon’s 2025 Data Breach Investigations Report, 30% of all breaches involve a third party. To minimize risks originating in your supply chain, manage vendor, customer and other third-party identities in a separate Duo Directory that comes with MFA and device trust out-of-the-box. A modern, secure storage for external identities, Duo gives admins visibility into whether devices are managed or unmanaged and applies the same security checks to third-party devices before allowing them to connect.

Solutions that demand full rip-and-replace fail to recognize the complex nature of identity in modern organizations. Hidden fees, from incremental feature upgrades to operational costs, add up for already-stretched IT teams.

Duo believes that securing IAM should not be an afterthought but a default. That translates into stronger protections against modern threats, better, faster performance with less friction for users, and an administrative experience built for IT teams to deploy, manage, and grow with ease.

See how Duo is restoring trust in identity with our latest guide to security-first IAM.

Try Duo for free with a 30-day free trial today.

]]>
<![CDATA[Take control of policies with User-Group Policy and Bulk Apply]]> anishaa@cisco.com (Anisha Agarwal) https://duo.com/blog/take-control-of-policies-with-user-group-policy-and-bulk-apply https://duo.com/blog/take-control-of-policies-with-user-group-policy-and-bulk-apply Product & Engineering Thu, 16 Oct 2025 00:00:00 +0000

Have you ever wished managing policies was … easier?

Maybe you’ve wanted to restrict access for a certain group of users across all applications—but found yourself stuck clicking through every single application to make it happen. Or maybe you wanted to pilot a new control with a small set of users — but the setup felt more like a marathon than a test run.

If either of those scenarios sounds familiar, we have some good news. We’re introducing two new capabilities designed to give you more flexibility and control while cutting down on repetitive work: User-Group Policy and Bulk Apply.

Until now, custom policies could only be applied at two levels: Application and Application-Group. That works, but sometimes the real question isn’t what application they are logging into—it’s who’s logging in at all.

With User-Group Policy, you can now apply policies directly to specific user groups—no matter which applications those users log into. That means:

  • Apply restrictions globally to specific user groups.

  • Pilot new security controls with small test groups before rolling out to everyone.

  • Simplify management when your policies map more naturally to people than to applications.

Here’s how it works:

  • Policies applied at the Application or Application-Group level will always take precedence.

  • User-Group policies apply underneath those layers, ensuring you can still set broad rules for specific user groups without undoing stricter application-level rules.

Think of it like adding new gear to a bike. You don’t have to relearn how to ride — you just get another option when you need it.

And remember: if you ever want to see which policies apply when a user logs into an application, use the Policy Calculator. It’s there to show you the final outcome so you can test and verify with confidence.

Creating policies is only half the story—the other half is rolling them out without spending your afternoon buried in app settings. That’s where Bulk Apply and Unassign come in.

With Bulk Apply and Unassign, you can:

  • Apply a policy to multiple applications, groups, or application-groups all at once.

  • Unassign a policy when one or more applications or groups no longer need it.

  • Save time and reduce errors that come from repetitive, click-heavy work.

With Bulk Apply, rolling out a policy is simple and clear—and you do it all right from the Policy page.

You’ll see exactly where you can apply a policy—whether to Applications, Application-Groups, or User-Groups—so there’s no guesswork. Selecting targets is quick, with search and filters to help you narrow things down.

If there are pre-existing policies, you can order policies to control which one applies first, giving you even more flexibility.

Before anything is applied, a clear summary gives you visibility into what will change. It’s designed to give you confidence and help prevent mistakes.

Once applied, tags on the Policy page show where and how the policy is deployed. And if you need to undo something, Unassign makes rolling it back just as easy.

Want the full, step-by-step breakdown? Check out our Policy documentation for all the details.

With User-Group Policy you get people-focused controls. With Bulk Apply you get the power to deploy those controls quickly and consistently. And with the Policy Calculator always available, you can preview exactly how those layers combine—so you never have to guess.

Both features are now Generally Available. Head to your Policy page and start using them today—or dive into the documentation for the full step-by-step guide.

]]>
<![CDATA[Why IAM should put security first]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/why-iam-should-put-security-first https://duo.com/blog/why-iam-should-put-security-first Industry News Tue, 14 Oct 2025 00:00:00 +0000

Several vendors talk about “identity-first security,” which is another way of saying, “identity is the new perimeter,” or that zero trust security starts with confirming someone’s identity before giving them access to your company’s resources. Spot-on advice.

But making identity a priority for security is only half the story. To propel a business forward, companies also must make security a priority for identity and access management. IAM emerged to do just what the name says: manage users’ access and privileges to make their lives easier and more productive. With most solutions, strong security controls get added later with a hefty upcharge. Security is literally an “afterthought.”

Duo turns this equation inside-out by making built-in security foundational to IAM, or “security-first IAM”—all with unmatched ease-of-use, proven speed to security, and at no added cost to properly protect the identity perimeter. Let’s break down what this means.

We’ve seen time and time again that, despite checking the box for “has MFA,” a majority of successful cyberattacks still involve valid credentials. Organizations and compliance firms alike play Whack-a-Mole, solving for unique use cases and crafty attack methods with an increasing list of disparate and expensive identity tools. On average, it takes IT teams five different tools to solve any given identity-related issue. A modern IAM solution is secure by default with top-notch security controls built into the architecture and base pricing.

An IAM solution should not only store identities, but it must also protect them. In addition to being a flexible user directory, the three foundational capabilities of security-first IAM are:

  • "MFA Everywhere" by default — World-class security starts with making sure you have MFA available and enabled everywhere, not just for some users or use cases but for every user and every use—cloud and SaaS services, legacy systems on-prem, remote or hybrid work, first responders, and third-party contractors connecting to your company’s resources.

  • Device trust out of the box — Most IAM solutions charge extra to add and manage device trust. In zero trust environments, we avoid risk by verifying every endpoint before granting access. Additional adaptive security policies block threats before they reach the network, stopping risky devices in their tracks to keep businesses safe. These policies should be easy to set up, manage, and adjust.

  • Building for phishing resistance — To address the weakest links in the identity lifecycle, IAM-driven phishing resistance begins from the minute you start onboarding users through their initial enrollment in MFA, fallback, and account recovery. Protect against remote phishing with proximity-based authentication. Additionally, the ability to start passwordless without added costs also promotes compliance with evolving mandates for phishing resistance and zero trust strategies.

Treating security like a “nice to have” leads to some obvious bad outcomes starting with greater odds of encountering a data breach. Compromised credentials and unauthorized or undetected access allow attackers to gain access to systems and escalate privileges or take over accounts. Well-known breaches like the attacks on Target, SolarWinds, and Colonial Pipeline all involved identity compromise as an initial access vector.

IAM failures can have a high blast radius that leads to excessive financial and reputational losses from operational downtime and service disruptions. And according to a 2024 Microsoft report, poorly managed identities and access controls still play a role in more than 90% of successful ransomware attacks. Subpar security also damages the bottom line through the high costs of reputational damage, regulatory audits and fines for non-compliance, and increased cyber insurance premiums.

Putting security first doesn’t mean user experience should take a backseat, either. To avoid dangerous workarounds or low enrollment, it’s important not to make accessing resources too complicated or to ask users to authenticate over and over once they’re logged in. Single sign-on (SSO) for as many applications as possible helps minimize logins, especially if the user doesn’t have to re-authenticate for their different browsers, thick clients, desktop apps, and VPN connection.

Historically, increased security often comes at the tradeoff of user friction and frustration. But really, balance is key. Modern IAM intelligently reduces the number and complexity of logins while accommodating users’ individual working styles. For example, once a user on a known, trusted device completes MFA, you can grant them longer session times before prompting the user to authenticate again.

Risk-based authentication dynamically steps up MFA when risk is detected based on known threat patterns, user and entity behavior analytics (UEBA), and continuous security research that keeps up with evolving attacks. Continuous evaluation of trust is important. It’s a cornerstone of improving security without impeding productivity. If everything looks good, why should users have to re-authenticate?

We’ve already outlined a few foundational tenets of security-first IAM:

  • Ensure MFA is truly everywhere and plug the often-overlooked holes in your security perimeter.

  • Establish and set policies based on device trust. Be able to block or step up MFA controls for unknown and under-secured endpoints.

  • Enable proximity-based, phishing-resistant authentication and start moving toward a fully passwordless future.

How do we get from where we are today to a vision of stronger security and frictionless productivity?

Does your current provider put identity or security first? If they lead with identity, do they look to “nickel and dime” you just to add basic security capabilities?

Can you trust the provider’s own security posture to protect your identity data? Has the company suffered breaches before? If so (it happens!), how did they handle the aftermath? Did they communicate effectively and take steps to better prevent future disasters?

The road to better security doesn’t have to be a rip-and-replace story. Choose an IAM solution that includes practical, forward-looking innovations like identity provider (IdP) brokering capabilities to streamline directory management and identity intelligence to self-assess your security posture.

Next week, we’ll outline an easy progression to start where you are and phase in security-first IAM without disrupting your current operations:

  • Find gaps in MFA coverage and enrollment

  • Identify unmanaged devices

  • Detect long gaps between user logins and review privileges

In the meantime, check out Duo's learning hub to read more about fundamental (or advanced) identity concepts, and see how Duo is restoring trust in identity with our latest guide to security-first IAM.

]]>
<![CDATA[Device bait and switch: A case of device replacement]]> tmishoe@cisco.com (Tess Mishoe) https://duo.com/blog/device-bait-switch-a-case-of-device-replacement https://duo.com/blog/device-bait-switch-a-case-of-device-replacement Product & Engineering Thu, 02 Oct 2025 00:00:00 +0000

Duo’s AI and Security Research team takes on security cases from customers, digging into telemetry data to find actionable anomalies that can be searched for, alerted on, and remediated, sometimes with AI and machine learning.

A user picks up their phone and sees a Duo Push they didn’t request. They think this is strange and deny the Push request. Their account is safe now but unbeknownst to them, the attacker will discover another avenue of attack and successfully compromise their account. In this blog, we’ll explore what happened in a peculiar case of SMS compromise.

Frequently, when the AI and Security Research Team receives a case, the customer requests to know more about how Duo products work or about follow-up actions and recommendations after an incident. In this case, a customer employee received a push to their mobile device, which they then denied. However, according to the customer, two successful authentication attempts followed, one of which used an SMS passcode.

The administrator requested that the user change their password and wanted to know how these authentications could have been successful after being denied by the user.

In the customer submission, a username was provided—this account was a service account that could have multiple devices tied to it. When service accounts are involved, the severity of the incident can go up drastically; there are increased permissions and therefore more opportunities for lateral movement into other accounts and systems. This case needed a closer eye to halt any further compromise.

Something notable occurred a month before the incident. According to logs, an administrator had unlocked the account after a few failed authentications, then added in a set of user authentication bypass policies.

When we looked back at the incident timeline, we saw that several new phone identifiers were created after the likely start of the incident. These new phone identifiers could be an attempt by an attacker to create a backup access method if their initial phone was removed from the account—an example of persistence.

Our first dive is to understand which devices authenticated to that account. Searching through phone models and versions, we learn that there are two associated devices with the same phone identifier. This is of note—two phone models associated with one identifier means that the account’s device was replaced in the self-service portal.

Finally, two separate locations with two different IPs were seen accessing the account, seemingly in tandem. This is where things get interesting...

Recall that our user reported that they denied the initial 2FA prompts received. Therefore, looking for prompts that received a ‘user denied’ response may lead to the action that caused the compromise. Sure enough, there were several denied responses from the primary phone tied to the account. But shortly after those denied responses were a set of successes...on a different phone key, from a different IP in a different state.

Looking back at this new phone key, it appears it was created and then left alone; no activity occurred using it for months after its creation. This device could be the initial access point used by the attacker, or it could've been added later if the attacker compromised the original device's phone number.

These IPs duel for about a day—a login was initiated from devices in one state, followed by the legitimate user’s denial. Finally, an authentication is initiated by the attacker and responded to by the dormant device on the account, likely controlled by the attacker—this granted the attacker access.
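The pattern described above (denials from the primary phone, then a success on a different, long-idle phone key from a different IP) can be turned into a log search. The following is an added example, not code from Duo or from the original post; the event field names, the `find_denied_then_success` helper, the 24-hour window and the 30-day dormancy threshold are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names are assumptions made for this example,
# not Duo's log schema; map them from whatever your log export provides.
EVENTS = [
    # Normal day: the legitimate phone approves a push.
    {"ts": "2025-03-01T09:00:00", "user": "svc-backup", "phone_key": "PH-A",
     "ip": "198.51.100.10", "factor": "push", "result": "success"},
    # Incident day: the legitimate phone denies pushes it did not request...
    {"ts": "2025-03-10T14:00:00", "user": "svc-backup", "phone_key": "PH-A",
     "ip": "198.51.100.10", "factor": "push", "result": "user_denied"},
    {"ts": "2025-03-10T14:05:00", "user": "svc-backup", "phone_key": "PH-A",
     "ip": "198.51.100.10", "factor": "push", "result": "user_denied"},
    # ...then a long-idle phone key on the same account succeeds from another IP.
    {"ts": "2025-03-10T14:20:00", "user": "svc-backup", "phone_key": "PH-B",
     "ip": "203.0.113.77", "factor": "push", "result": "success"},
    {"ts": "2025-03-10T14:40:00", "user": "svc-backup", "phone_key": "PH-B",
     "ip": "203.0.113.77", "factor": "sms", "result": "success"},
    # Benign: another user mis-taps deny, then approves on the same phone and IP.
    {"ts": "2025-03-10T15:00:00", "user": "alice", "phone_key": "PH-C",
     "ip": "192.0.2.5", "factor": "push", "result": "user_denied"},
    {"ts": "2025-03-10T15:01:00", "user": "alice", "phone_key": "PH-C",
     "ip": "192.0.2.5", "factor": "push", "result": "success"},
]

# Constructed device inventory: phone key -> creation time.
DEVICE_CREATED = {
    "PH-A": "2024-06-01T00:00:00",
    "PH-B": "2024-11-15T00:00:00",
    "PH-C": "2025-01-05T00:00:00",
}


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_denied_then_success(events, device_created,
                             window=timedelta(hours=24),
                             dormant_after=timedelta(days=30)):
    """Flag successes that follow a denial by the same user on a *different*
    phone key and a *different* IP within `window`. Each finding also records
    how long the succeeding phone key had been idle beforehand."""
    last_seen = {}       # phone_key -> time of its most recent event
    denials = {}         # user -> list of that user's denial events
    findings = []
    for ev in sorted(events, key=lambda e: _t(e["ts"])):
        now, user, key = _t(ev["ts"]), ev["user"], ev["phone_key"]
        if ev["result"] == "user_denied":
            denials.setdefault(user, []).append(ev)
        elif ev["result"] == "success":
            prior = [d for d in denials.get(user, [])
                     if now - _t(d["ts"]) <= window
                     and d["phone_key"] != key
                     and d["ip"] != ev["ip"]]
            if prior:
                # Idle time is measured from the key's last activity, or from
                # its creation if it has never been used.
                baseline = last_seen.get(key)
                if baseline is None and key in device_created:
                    baseline = _t(device_created[key])
                idle = (now - baseline) if baseline else None
                findings.append({
                    "user": user,
                    "success_ts": ev["ts"],
                    "success_phone_key": key,
                    "success_ip": ev["ip"],
                    "factor": ev["factor"],
                    "denied_phone_keys": sorted({d["phone_key"] for d in prior}),
                    "denials_in_window": len(prior),
                    "idle_days": idle.days if idle is not None else None,
                    "dormant_device": idle is not None and idle >= dormant_after,
                })
        last_seen[key] = now
    return findings


if __name__ == "__main__":
    for f in find_denied_then_success(EVENTS, DEVICE_CREATED):
        print(f)
```

A finding with `dormant_device` set is the higher-priority one to triage: it marks the first use of a phone key that sat unused since it was added to the account.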

After the attacker gained full access to the user’s Duo account, they took steps to fortify their position. By changing the user’s default phone identifier to their own phone and adding several more phone identifiers, the attacker takes hold of the account.

Thankfully, there wasn’t any lateral movement off of the account—none of the associated phone identifiers had attempted to access any other user account.

Some cleanup activity was seen after the authentications and phone changes above. An administrator removed one of the phones from the account but didn’t successfully remove the others. For this reason, the response to the customer included a recommendation to change the user password and remove all devices from the account—this should lock the attacker out for good.

Additionally, the user authentication bypasses were placed a month before the incident but never removed. When a Duo Bypass is put into place, the user is not required to use Duo two-factor authentication at log on and is not subject to any policy settings that restrict access.

While this bypass was still in place and didn’t have anything to do with the initial access to the account, it could have made the attacker’s takeover significantly easier if they had taken advantage of it.

We also recommended that the customer perform a regular audit of devices on Duo accounts and of bypasses placed on them and turn off lower-level factors (like SMS and phone calls) if feasible.

Today, attacks on phone numbers and misconfigurations have become far more common. The ‘SIM card swapping’ technique, in which attackers social engineer or bribe carriers into providing access to a phone number, is used in a lot of attacks of varying complexity (including by large-scale cybercriminal groups). Other attacks take advantage of user error, like those targeting common device vulnerabilities to find gaps in MFA.

Careful device management, including removal of stale/unused devices after a delay period, can remove the attack vector that becomes the downfall of your organization’s defenses.

]]>
<![CDATA[How MSPs can turn identity blind spots into growth opportunities]]> jaho2@cisco.com (Janet Ho) https://duo.com/blog/how-msps-can-turn-identity-blind-spots-into-growth-opportunities https://duo.com/blog/how-msps-can-turn-identity-blind-spots-into-growth-opportunities Product & Engineering Thu, 25 Sep 2025 00:00:00 +0000

Once the workday begins, most employees log into a wide range of tools. For the average knowledge worker, this can be as many as 11 different applications, nearly double that of 2019. These apps could span multiple identity providers, creating a fragmented identity ecosystem. For many companies, keeping track of who has access to what is almost impossible, and that lack of visibility leaves blind spots.

Cisco Talos threat intelligence found that, in 2024, 60% of all attacks were identity-based. Nearly half of those targeted Active Directory. Rather than beginning cybersecurity incidents with malware or by exploiting vulnerabilities, adversaries often look to simply log in.

This makes securing identity vital, but doing so can be messy. Organizations understand identity is a target but are less aware of how to take hold of the situation. Enter…the MSP opportunity.

Customers often look to MSPs to operationalize security through Identity and Access Management (IAM), streamlining onboarding, provisioning and deprovisioning, and managing workforce access day to day. Done well, IAM reduces friction, drives efficiency, and delivers measurable cost savings. It’s an essential foundation that is expected.

But IAM alone only locks the front door. MSPs can stand out by also offering advisory services that help customers prepare for tomorrow’s threats. This is where Cisco Identity Intelligence comes in. Identity Intelligence continuously analyzes identity activity across users, devices, and applications to spot risks and unusual behavior that IAM alone cannot see.

While IAM mainly covers the Identify and Protect functions, making sure the right keys go to the right people, Identity Intelligence extends coverage to Detect, Respond, and Recover. It acts like the surveillance system, spotting suspicious activity, alerting when someone tries the wrong door, and guiding recovery if a breach occurs. Together, IAM and Identity Intelligence provide a more complete approach to identity security that MSPs can deliver.

You can’t detect what you can’t see. Most organizations rely on multiple identity providers (IdPs), HR systems, and SaaS apps. Correlating that data becomes overwhelming, especially for MSPs managing many tenants. Manual investigations and siloed tools slow response times and create blind spots that attackers can exploit.

The first step is visibility. MSPs need a single source of truth to identify risks early, filter out the noise and act with confidence. Identity Intelligence gives MSPs that visibility. It answers questions like “Are you sure MFA is configured everywhere?” by pulling together users, apps and device data across environments. But visibility alone isn’t enough. Identities are a constant target. Continuous monitoring, posture scoring, and trust checks ensure protection stays current, threats are flagged, and risks are remediated before they escalate.

To operationalize this approach, MSPs can follow a proven identity security blueprint built around five widely recognized security functions:

  • Identify — Understand who your customer’s users are and what they have access to by building a user and device inventory. Use IAM to manage onboarding and provisioning and Identity Intelligence to get a holistic view.

  • Protect — Enforce strong access controls with IAM, and pair posture scoring from Identity Intelligence with Duo policies to secure endpoints, strengthen authentication, and maintain compliance at scale.

  • Detect — Monitor continuously for anomalies, such as multiple failed login attempts or unusual locations. Identity Intelligence applies cross-platform analytics to surface patterns and outliers quickly, giving MSPs an early warning system.

  • Respond — Use high fidelity insights to guide incident response. Identity Intelligence helps MSPs prioritize, escalate, and act quickly. With playbooks or SIEM/SOAR integrations, they can contain threats, adjust policies, and document every action.

  • Recover — Ensure customers bounce back quickly. MSPs can help organizations learn from incidents, close gaps, and harden policies. By reviewing Identity Intelligence insights alongside response playbooks, they guide recovery, demonstrate resilience, and build long-term trust.

Many organizations assume they know their identity environment, that is, until evidence shows otherwise. That’s why assessments matter. With Duo’s Identity Security Posture Management, MSPs can surface blind spots customers didn't realize they had such as dormant or “never logged into” accounts, weak MFA adoption, and devices slipping through compliance checks. The results come back in a clear, actionable report. For MSPs, these insights aren’t just findings; they are conversation starters that build trust, open the door to ongoing advisory services and create opportunities to expand your footprint.

Want to see it in action? Check out the interactive demo.

Ready to become a partner? Sign up here to uncover hidden risks, demonstrate immediate value and lay the foundation for long-term identity security partnerships.

]]>
<![CDATA[Expanding visibility for the rise of AI agents]]> ydotan@cisco.com (Didi Dotan) https://duo.com/blog/expanding-visibility-for-the-rise-of-ai-agents https://duo.com/blog/expanding-visibility-for-the-rise-of-ai-agents Industry News Wed, 24 Sep 2025 00:00:00 +0000

Imagine a world where your most tedious tasks are no longer “your” tasks. They vanish from your day-to-day life. No more manually copying data from a spreadsheet, pasting it into your CRM, and then toggling to another app to create a support ticket.

This is the promise of AI agents: a seamless, intelligent workforce that handles tedious tasks automatically, freeing up your team for more meaningful work. This future is arriving faster than we think, powered by technologies like Model Context Protocol (MCP) servers that act as bridges, allowing AI to securely interact with your company’s applications and data. The potential is immense.

The excitement around AI agents can obscure a simple truth. While we dream of revolutionary gains, the most immediate risks aren’t a rogue Skynet, but something far more mundane: lack of visibility and unmanaged permissions. This is where, as your friendly security advisor, I’d suggest we pause and take our vitamins. The agentic future will be incredible, but only if we build it on a foundation of trust and visibility.

While your security team diligently manages human identities, a new workforce is quietly materializing in the shadows. A marketer streamlining a campaign or a developer experimenting with a new tool can now spin up a powerful AI agent in minutes.

The problem? These agents are often built for speed, not security, creating a chaotic and unsupervised digital workforce. At Cisco Security, we’re seeing a pattern of significant risks emerge:

  1. A New Identity Blind Spot: Every one of these agents is a Non-Human Identity (NHI) that needs a “registered home.” It’s impossible to protect or secure what you can’t see, which is why, without a proper inventory of agents, security teams are left in the dark.

  2. Too Many Permissions: In the rush to innovate, many agents are built with hard-coded admin credentials, giving them—and by extension, their users—far more access than they need. It's the digital equivalent of giving a new intern a master key to every room in the building.

  3. Uncontrolled Activity: An AI agent has no hesitation. It will execute its programming at a machine-driven pace, potentially racking up enormous API costs from services like Salesforce or Snowflake before anyone even notices.

We wouldn't hire a human employee without an identity, a defined role, and clear access rules. The principles that govern human identity and access management (IAM) must be adapted for this new, non-human workforce. The first and most critical step is visibility.

This is why we’re enhancing Cisco Identity Intelligence to shine a light on this new shadow workforce. Our goal is to provide the foundational visibility needed to securely enable AI innovation. We help you:

  1. Discover Agents: We actively identify AI agents and MCP servers across your environment, turning unknown entities into a known inventory.

  2. Map Their Activities: We connect the dots between agents, the credentials they use, and the applications they access, creating a clear picture of your NHI landscape.

  3. Bridge the Gap to Governance: Once discovered, these NHIs can be brought into your identity governance and administration (IGA) program. This allows you to treat an agent like any other privileged identity—subject to access reviews and fine-grained controls.

The age of AI agents is here, and it will transform your business for the better. By prioritizing visibility, you can ensure this transformation is not only powerful but also secure. To learn more about our approach to agent visibility, check out Cisco Identity Intelligence or reach out to an identity expert.

]]>
<![CDATA[Smarter security operations with Cisco Identity Intelligence and Splunk]]> viveks2@cisco.com (Vivek Sharma) https://duo.com/blog/smarter-security-operations-with-cisco-identity-intelligence-and-splunk https://duo.com/blog/smarter-security-operations-with-cisco-identity-intelligence-and-splunk Product & Engineering Tue, 16 Sep 2025 00:00:00 +0000

Security Operations Centers (SOCs) rely heavily on Splunk for its powerful capabilities in collecting, indexing, and analyzing vast amounts of security data from diverse sources. Splunk excels in processing logs and security events, but achieving comprehensive correlation across today’s diverse and sometimes fragmented enterprise identity landscape has always been a difficult task. That’s why several new integrations bringing relevant and timely identity information into Splunk are true game changers for security teams.

A quick example of this type of identity enrichment is the new Cisco Duo Suspicious Activity analytic story in Splunk ESCU 5.10, with 14 Duo based detections for identifying risky admin behavior and insecure Duo policy settings.

However, the core theme of this blog is the power of a new integration between Cisco Identity Intelligence and Splunk. For the unfamiliar, Cisco Identity Intelligence is a multi-sourced, vendor-agnostic solution that works across your existing identity stack and brings together authentication and access insights. This integration is facilitated through the Cisco Security Cloud, enabling you to effectively mitigate posture and threat-based risks within diverse, multi-vendor identity environments. For Splunk customers, this means enhanced operational integrity, prioritized efforts based on severity, and granular user-specific insights that drive faster, more accurate security decisions.

Here’s how this integration accelerates your security operations:

  • Risk-Based Prioritization: This integration surfaces the most critical identity risks and anomalies, enabling security teams to focus on high-priority threats that pose the greatest risk to the organization, and highlighting the risks that may arise due to weak identity security posture.

  • Unified Identity Timeline: The data from Identity Intelligence provides you with a unified view in Splunk, highlighting event volume, user activity, and failures by check ID across multi-vendor identity environments. By correlating this data with other sources such as firewall logs and endpoint data, you can gain deeper insights and enriched context—enabling more effective detection, investigation, and response to sophisticated threats like lateral movement, privilege escalation, and insider misuse.

  • Seamless Workflow Integration: To enhance SOC efficiency, analysts are equipped with a streamlined workflow experience that boosts productivity. Security analysts can use Splunk Enterprise Security, Mission Control to create unified workflows based on insights from Cisco Identity Intelligence that provide the foundation to unify detection, investigation, and response to identity-based security risks.

This powerful combination transforms security operations from a reactive, fragmented approach into a proactive, context-rich defense. It empowers security teams to work smarter, not harder, by providing deep identity insights that enhance detection, investigation, and response—ultimately protecting your organization more effectively against today’s evolving threat landscape.

Cisco Identity Intelligence is available for Duo customers at both the Duo Advantage and Duo Premier tiers.

Want to learn more? Head to Splunkbase or check out the integration documentation.

]]>
<![CDATA[Adopt a security-first approach to identity with Duo Directory]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/adopt-security-first-approach-to-identity-with-duo-directory https://duo.com/blog/adopt-security-first-approach-to-identity-with-duo-directory Product & Engineering Thu, 11 Sep 2025 00:00:00 +0000

Year after year, the headlines tell the same story: Identity-based threats continue to plague organizations of every size. According to <insert effectively any industry report>, identity is at the center of the majority of breaches.

Why? Too often, it's because security infrastructure is built on a cracked foundation of identity systems that are too old, too inadequate—or just don’t prioritize security. Many organizations are running outdated identity tools that are inherently vulnerable, or they're working with vendors who treat robust security as an expensive, optional add-on rather than a core requirement. In today's threat landscape, you need a partner who knows how to defend against sophisticated attacks, not one who isn't paying attention.

For years, Duo has been synonymous with best-in-class multi-factor authentication (MFA) and seamless single sign-on (SSO). We're proud of the trust we've built helping organizations implement access controls like MFA. But the security landscape doesn't stand still, and neither do we. In response to the persistent rise of identity-based attacks, we've evolved to provide the foundational identity services your organization needs with the new Duo Directory.

Duo Directory enables organizations to use Duo for all core components of their identity strategy. As a modern, cloud-native service, the new directory functionality:

  • Syncs effortlessly with your existing identity systems

  • Ingests custom attributes on the fly

  • Automates user provisioning to necessary applications

And, of course, it gives Duo the last (satisfying to place) piece of the puzzle required to provide core IAM.

Crucially, this isn't just about adding a new component. When you build on Duo Directory, you instantly unlock the powerful and robust security controls Duo has developed over the years to effectively address identity-based attacks from the ground up.

We hear this question a lot, and it’s a fair one. Ripping out and replacing core identity infrastructure is a massive undertaking, and we would never ask you to do it overnight – or at all. That's why we designed Duo Directory for flexibility.

Duo Directory can be deployed standalone, acting as the primary identity directory for an organization - but it also easily integrates with other identity providers in a complementary fashion. When integrating with current identity infrastructure, Duo Directory can sit as a security layer unlocking advanced functionality like phishing-resistant MFA.

Unconvinced? Why not start by migrating some users who need tighter security controls, like system administrators or third-party contractors? This allows you to experience the security benefits in a controlled way.

Let’s address some reasons you may want to consider Duo IAM:

  1. If you're running on older infrastructure or freemium infrastructure with limited functionality, introducing Duo Directory offers the perfect opportunity to modernize with a cloud-native solution that provides flexibility, granularity, and simplicity in identity management.

  2. If you wish your current identity provider didn’t charge extra for security, Duo is the clear choice. We ensure robust security controls like strong MFA, Device Trust, and a path to Passwordless are not just available, but are foundational parts of the platform.

  3. If you want the most future-proofed defenses on the market today, Duo's security-first approach culminates in what every organization needs: end-to-end phishing resistance. It's the industry's leading defense against the most sophisticated identity threats, and it's at the core of Duo's IAM philosophy.

By building on Duo Directory, you're not just managing identities—you're securing them with a new foundation of trust.

Ready to put security first? Reach out to one of our identity experts.

]]>
<![CDATA[Untangling the identity web: Why a secure identity broker is your new best friend]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/secure-identity-broker-is-your-new-best-friend https://duo.com/blog/secure-identity-broker-is-your-new-best-friend Product & Engineering Tue, 09 Sep 2025 00:00:00 +0000

The digital world has exploded, and with it, the complexity of managing who accesses what. Today's workforce expands beyond just "employees"—it's a dynamic mix of contractors, partners, and even unique groups like alumni and retirement beneficiaries. Each has distinct access needs. Add to this the sprawl of identity providers (IdPs) and directories from mergers and acquisitions (M&A) or organic growth, and you're left with a tangled web of Active Directory, Okta, Entra ID, and more. It's like trying to conduct an orchestra where every section is playing from a different score.

This sprawling infrastructure creates a constant security headache. How do you set consistent, secure policies when identities are scattered across various systems, each with different security capabilities?

The result for many: Identity management leads to security gaps and administrative burnout. A recent survey even found that 73% of IT and security leaders feel security is an afterthought in identity infrastructure decisions, and 75% cite complexity as a key security challenge. Admins on the ground are no strangers to complexity—the average enterprise identity stack is now spread across nearly five separate systems, introducing friction and increasing the attack surface.

The challenge organizations face is that traditional identity and access management (IAM) vendors prioritize their own roadmap (not integration or orchestration) and never seem to make time for security features—relegating it to expensive add-ons for limited functionality. This trend leaves glaring security gaps in identity environments.

At Duo, we believe security and simplicity should be foundational. It’s why we recently announced our Duo IAM platform—the security-first approach to IAM. As a part of that offering, we developed Duo Directory, our cloud-native identity provider, and Routing Rules for Duo Single Sign-On (SSO). These innovations enable Duo to act as a powerful, secure orchestration layer atop your existing identity investments. Think of Duo as a uniting score across the orchestra. Now administrators, your conductors, can bring harmony to the identity symphony, ensuring every authentication is delivered to the right source, with the right security, at the right moment with the least amount of friction possible.

What is an identity broker?

An identity broker complements heterogeneous identity systems by implementing secure, consistent policy for any identity regardless of source system and target resource.

This "identity broker” layer is crucial because it ensures every identity, from every provider, is routed to the right place with the most effective security policy and controls in place.

Take, for example, securing contractors and third parties. Organizations often struggle to apply consistent security to these transient identities that require faster identity lifecycles and higher access scrutiny. With Duo as your identity broker, you can easily separate employee and contractor access:

  • Place contractor identities directly into Duo Directory using an easy external directory sync to pull attributes from your existing IdPs.

  • Enforce powerful controls like Risk-Based Authentication and phishing-resistant MFA on third parties and contractors to enhance security posture.

  • Your employees remain on their existing IdP, with the option to apply Duo's powerful security functionality for them if desired.

  • Routing Rules intelligently directs traffic: Contractors authenticate via Duo Directory, while employees are routed to their established source. This extends Duo's best-in-class security to all identities.

As another example, consider Mergers and Acquisitions (M&A). When two companies merge, you face distinct infrastructures and multiple IdPs. The complexity slows down integrations, delays onboarding and drives up operating costs. Routing Rules intelligently directs users based on email domain, network, or application. For example, acquired users accessing Workday might go to Okta to establish authentication, while existing employees use Active Directory. Duo ensures everyone gets the correct, secure experience.

In each of these cases, seamless access is coupled with robust security functionality.

This is security-first IAM in action: providing powerful controls like phishing-resistant MFA, Risk-Based Authentication, and Device Trust—but at the same time prioritizing simplicity and flexibility for administrators and end-users.

The identity landscape remains complex. But with Duo as your secure identity broker, you can finally make sense of the noise and untangle the mess. Our flexible, security-first approach ensures all identity types securely access corporate resources. It's time to bring harmony back to your identity infrastructure.

In the music mood? Watch all the ways Duo Directory can secure your environment in our on-demand webinar “Protecting Here, There, and Everywhere with Duo IAM” and see a cheeky way to put the “fun” in AI functionality.

Or, jump straight in and reach out to an identity expert.

]]>
<![CDATA[Research insights: 4 trends reshaping identity security in 2025]]> mcaulfie@cisco.com (Matt Caulfield) https://duo.com/blog/research-insights-4-trends-reshaping-identity-security-in-2025 https://duo.com/blog/research-insights-4-trends-reshaping-identity-security-in-2025 Product & Engineering Tue, 26 Aug 2025 00:00:00 +0000

At Duo, we know that managing who accesses what, from where, and on which device is not just a daily challenge—it’s a strategic imperative.

The security industry is facing an identity crisis. As AI-driven threats surge, security leaders are confronting alarming confidence gaps, fragmented visibility, and additional hurdles to adopt essential identity security measures.

To explore how companies are navigating this complex environment, we surveyed 650 IT and security leaders across North America and Europe. Our latest report, the 2025 State of Identity Security, reveals the urgent identity challenges cybersecurity professionals face today.

The findings expose a stark reality: While leaders acknowledge the vital role of identity security, glaring gaps in confidence and execution leave many organizations dangerously vulnerable.

Leaders face significant challenges as identity threats escalate and security gaps widen. Only a third (33%) of leaders are confident that their current identity provider (IdP) can prevent identity-based attacks. This lack of confidence is heightened by complex identity systems and concerns about limited visibility into potential weaknesses. A significant 94% of leaders believe that complexity in identity infrastructure decreases their overall security. Additionally, 75% of leaders admit they lack full insight into identity vulnerabilities across their organizations. Identity and tool sprawl also hinder unified security and visibility. On average, IT and security teams use five tools to resolve a single identity issue.

The consequences can be costly: Over half (51%) of organizations have suffered financial losses due to identity-related breaches. Recognizing the high stakes, companies are proactively responding to these risks. In fact, 82% of financial decision-makers have increased investments in identity security for 2025. This signals a clear commitment to strengthening defenses and closing critical gaps.

“94% of leaders believe that complexity in identity infrastructure decreases their overall security.”

The rise of artificial intelligence (AI) presents both new threats and a powerful impetus for change in identity security. AI-driven phishing is one of the top identity threats for 2025 according to 44% of leaders, alongside insider threats and supply chain attacks. Traditional defenses are no match for the sophistication of AI-powered attacks, especially when combined with complex supply chain networks and identity ecosystems.

“44% of leaders consider AI-driven phishing one of the top identity threats for 2025.”

However, AI is also modernizing identity systems. 85% of companies are adopting security-first identity practices to counter AI-driven threats. AI is a powerful catalyst, driving organizations to address long-standing gaps in their identity security strategies and to leverage data processing through AI as a tool.

Phishing remains a perennial issue, driving the need for stronger authentication and complete deployment of multi-factor authentication (MFA). While 87% of leaders believe phishing-resistant MFA is critical to their security strategies, only 30% are highly confident in their phishing controls.

Even foundational MFA defenses are not universally applied. The top causes of identity breaches include: weak or missing MFA (36%), coverage gaps (34%), and one-time passcode failures (29%). Cisco Talos’ recent Year in Review also listed missing, incomplete, or weak coverage of MFA as top vectors for identity-based attacks.

Further, only 19% of companies have deployed FIDO2 tokens, the gold standard in phishing-resistant MFA. Often, these hardware tokens are reserved for privileged users. The rest are held back by token management (57%), training needs (53%) and hardware cost (47%).

Upgrading to more secure authentication methods is top-of-mind. Sixty-one percent of leaders want to adopt passwordless access but expect deployment challenges.

“61% of leaders want their organizations to go passwordless.”

Amid identity sprawl, shadow IT, and irregular identity lifecycles, today’s unpredictable security landscape presents significant challenges—but companies also have valuable opportunities to strengthen their defenses and take proactive steps to address these issues.

Many IT leaders acknowledge that identity security is added after a compliance issue or breach, rather than built-in from the start. A significant 74% of IT leaders admit identity security is often an afterthought in infrastructure planning.

Treating security as an add-on can result in additional costs, complexity, and misalignment that decreases overall visibility. In response to tool sprawl and complexity, 79% of teams are actively exploring vendor consolidation to improve identity security visibility.

Only 52% of organizations believe they have fully integrated identity and device telemetry. Without real-time visibility into identity behaviors, security and IT teams can’t make consistent, informed decisions.

Further, a significant 86% of leaders expressed concern about inadequate controls for contractors and third-party access. This extended perimeter often lacks the robust oversight applied to internal users, with the added challenges of unmanaged devices and timely deprovisioning.

As organizations shift to a security-first IAM strategy, unified visibility is critical for bridging gaps across complex environments. 87% of leaders believe that having identity threat detection and response (ITDR) is crucial. Meanwhile, only 32% of IT teams have Identity Security Posture Management (ISPM) solutions deployed.

Organizations need identity solutions that prioritize security without compromising usability. Security-first IAM makes strong identity defenses the default.

Duo and Cisco Identity Intelligence help global teams make sense of the complex identity landscape by offering simplified security-first identity management, frictionless phishing-resistant MFA, and unified identity telemetry.

Get in front of identity security challenges and leap ahead in resilience and readiness. Download Cisco Duo’s report, the 2025 State of Identity Security: Challenges and Strategies from IT and Security Leaders, to dive deeper into the findings and actionable insights.

]]>
<![CDATA[Five ways to defend against AI-powered-identity threats with Duo]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/five-ways-to-defend-against-ai-powered-identity-threats-with-duo https://duo.com/blog/five-ways-to-defend-against-ai-powered-identity-threats-with-duo Product & Engineering Tue, 19 Aug 2025 00:00:00 +0000

  • How AI poses new threats to identity

  • How you can detect and respond to attacks on identity faster

  • How Duo helps defenders use AI to fight AI

Successful cybersecurity always comes down to time: Can your tools and defenders find and respond to threats before they impact your business? With more threat actors using artificial intelligence (AI) to amplify attacks, CISOs and identity and access management (IAM) leaders need multi-layered, AI-led strategies to stop AI-led threats.

A new ebook from the Cisco Duo team, Identity Security in the Age of AI, looks at the impact of AI on the identity threat landscape and outlines a 5-step plan for defending against modern risks.

We share some highlights from that discussion here, starting with an update on risk.

AI equips adversaries to launch high-scale phishing campaigns and other identity-based attacks faster than ever. It introduces new attack techniques as well as modern twists on the classics:

Powered by AI, phishing attacks have morphed from simple email scams to sophisticated multi-stage campaigns. AI equips threat actors to:

  • Automate and orchestrate rapid or multi-stage phishing campaigns

  • Create more convincing phishing campaigns

  • Target a broader audience

  • Increase the scale and sophistication of attacks

  • Resend exploits quickly and more frequently

Large language model (LLM) tools like ChatGPT and Microsoft Copilot help take phishing and social engineering to new heights. With a few simple prompts, AI tools like ChatGPT do the legwork of gathering information that can be used to impersonate or trick someone into revealing sensitive information, write convincing phishing emails with better spelling and grammar, and include deepfake videos impersonating trusted entities like CEOs, IT technicians, and vendors.

Modern campaigns combine email, social media, and mobile platforms to fool users and evade detection. LLMs help threat actors automate and scale campaigns, making it harder for defenders to detect threats before they progress to lateral movement, account takeover (ATO), or outbound attacks against your supply chain.

Emerging agentic AI tools like Computer-Using Agents (CUAs) interact with technology just like humans do—which spells the start of a whole new ballgame. AI agents might be used to take over the grunt work from human hackers and perpetrate attacks faster by:

  • Scanning systems for vulnerabilities

  • Deploying malware

  • Impersonating humans in chatbots

  • Harvesting credentials by logging keystrokes or scraping auto-filled passwords from browsers

  • Copying and sneaking sensitive data out through email

Security experts predict CUAs can accelerate and scale tried-and-true credential-stuffing attacks by entering massive volumes of username/password combinations instantaneously. Widespread adoption of CUAs will necessitate new defensive strategies like developing and investing in more discerning ways of authenticating and authorizing AI agents themselves.

While the potential for threat actors to wield AI against enterprises seems limitless, the same holds true for cyber defenses. The new ebook from Duo AI experts goes on to outline a plan for swinging the AI pendulum back onto defenders’ side.

As a foundational step, your IAM and security experts need 100% visibility into your identity security and attack surface so they can keep track of AI in your environment. Like the unauthorized use of cloud, using AI tools without going through the proper channels creates ‘shadow AI.’ Part of Cisco’s comprehensive AI Defense portfolio, the Cisco AI Access solution reduces risk from shadow AI by inspecting traffic to discover and manage applications, tools, and functionality with clear context around risk.

Once you establish visibility and define policies to regulate employees’ use of AI, start building up security at every critical attack vector, beginning with a proactive 5-step plan to bolster security for the age of AI:

Zero trust security journeys start with safeguarding identity, now seen as the modern perimeter of security. IAM effectively becomes the foundation, the new front line of defense.

ISPM takes a proactive approach to validating your company’s identity security—versus identity itself (that job belongs to MFA)—to find vulnerabilities and enhance defenses against identity-based attacks. ISPM tools proactively analyze data and ensure organizations have proper authentication and security policies in place. ISPM improves identity data hygiene to ensure authentication strategies like MFA and authorization policies like least-privilege access do not get bypassed.

Cisco Identity Intelligence assesses and generates an identity security score that reflects the maturity and strength of your organization’s identity security posture. Identity Intelligence also proposes ways to strengthen your defenses based on impact, priority, and risk. Learn more about ISPM.

Regulators, cyber insurance providers, would-be partners and customers increasingly make decisions about compliance, premium increases, and whether to work with your company based on your security posture. Recognizing the importance of identity, many industry, federal, and state data privacy regulations now specify phishing-resistant MFA.

What they don’t specify is how to go about it. But thanks in part to AI, end-to-end phishing prevention is now well within reach. Cisco Duo adds powerful capabilities like:

  • Proximity verification that uses Bluetooth Low Energy (BLE) to confirm the authentication device and system being accessed are in the same place—great added protection against remote and third-party attacks.

  • Complete passwordless that takes away the bait phishing attacks try to capture. Passwordless MFA replaces vulnerable credentials using a flexible mix of tokens, push notifications and biometrics to validate identity, even during MFA enrollment, Help Desk calls, and fallback.

  • Secure transfer of trust through Duo Passport with Session Theft Protection. Passport seamlessly completes multiple authentication sessions without asking users to log in repeatedly.

With AI finding new ways to confuse recognition scanners, companies need policies and tools to establish trust in the devices being used to interact with resources. That means extending trust to devices as well as people, including personal and third-party endpoints your IT department doesn’t control.

Duo’s Device Trust capabilities assess and validate the health of any device to make sure it has the right security controls in place and working, up to date and configured correctly. Learn more about Device Trust.

CISA recently highlighted the rise of attacks in which attackers contact an organization’s Help Desk requesting or demanding help to reset a password or MFA workflow. AI helps power these attacks with social engineering campaigns that enable threat actors to impersonate employees.

Companies can take several steps to prevent dedicated, responsive Help Desk technicians from complying with urgent requests to reset logins for adversaries impersonating executives and remote workers:

  • Monitor and update policies for resetting credentials

  • Train technicians to recognize Help Desk scams

  • Create contingency plans for verifying identity when users can't produce valid credentials or devices used to receive push notifications or complete MFA

Cisco Identity Intelligence helps IT build on-the-fly contingency plans by generating reliable data that can be used to verify identity—for example, which applications users accessed the day before and from where. Read more about preventing Help Desk attacks.

In addition to Identity Intelligence, the introduction of Duo Identity Verification powered by Persona helps organizations avoid social engineering threats and eliminate trade-offs between strong security and responsive service. A verifying user gets redirected to Persona and asked to provide a snapshot of their government-issued ID along with a selfie photograph. Persona conducts a variety of verification checks such as matching the selfie to the photo in the government-issued ID and performing liveness detection on the selfie to detect AI-powered deepfakes.

Identity Threat Detection & Response (ITDR) systems protect your identity management infrastructure by verifying admin credentials and detecting and blocking identity-based threats like phishing and account takeover. Cisco Identity Intelligence supports ITDR by correlating identity data from various sources and calculating trust level scores—complete with explanations—for individual users based on their activity. Identity Intelligence even recommends response actions that can be implemented manually or automated within existing workflows, like configuring a system to send an alert to SOC analysts upon detecting anomalies.

There’s no such thing as a “simple” login. Incorporating AI into your IAM practices can help security teams get to the bottom of login issues quickly and accurately. Cisco’s AI Assistant lets admins see the full trail of events in context. The tool facilitates investigation by bringing together logs, knowledge base articles and product documentation resources in one place, and one single conversation. Learn more about AI Assistant.

Cisco's proprietary machine learning (ML) models provide superior threat detection, safeguarding against data exposure and protecting against novel attack vectors. With full visibility and control over the traffic on your network, Duo helps identity security leaders uncover and block malicious use of AI without impeding productivity.

Flexible strategies, and the right solutions, equip organizations to fight AI with AI by:

  • Adapting continuously as AI tools evolve and pose new threats

  • Keeping security and user experience (UX) in balance with security-first IAM

  • Enabling end-to-end phishing resistance and identity threat detection and automated response at machine speed and scale

Download the full ebook to learn more about securing and fully leveraging your investments in AI.

If you’d like to go further, get in touch with a Duo identity security expert for a targeted assessment of your organization’s potential risk from AI and strategies tailored to keep time on your side.

]]>
<![CDATA[Cisco Duo and Chrome Enterprise: Solutions for modern identity]]> fireboat@cisco.com (Boat Agboatwalla) https://duo.com/blog/cisco-duo-chrome-enterprise-solutions-modern-identity https://duo.com/blog/cisco-duo-chrome-enterprise-solutions-modern-identity Product & Engineering Thu, 14 Aug 2025 00:00:00 +0000

Over the last five years, enterprise work models have continuously evolved, shifting from COVID-era work-from-home policies to return-to-office initiatives. During this period, over 215,000 global mergers and acquisitions have been announced, complicating identity management and security as no two environments are identical.

In the age of AI, humans are still the weakest link, especially when bulk lists of credentials cost only $10-$15 on the dark web, according to Talos’ 2024 Year in Review. Companies around the world are formalizing the future of work, and there is no time like the present to start securing your user identities with Cisco Duo and Google.

Aligned with Duo’s most recent announcement, we have collaborated with Google to release three new integrations to protect all enterprise identities in your environments.

With identity at the core of Universal Zero Trust Network Architecture, start protecting Google Cloud, Workspace, and Chrome Enterprise users with Duo Identity and Access Management (IAM), Duo’s security-first IAM solution. Whether an administrator is working within the Duo Admin Panel or the Google Admin console, you can reduce security risks caused by manual errors through bi-directional sync. With Duo Directory, you can easily sync users and attributes with external sources and then leverage our popular SSO and MFA capabilities to provide seamless access management. Create a more seamless login experience by utilizing Google’s or Duo’s Single Sign-on (SSO).

Building on our current Chrome Enterprise integration from RSA 2024 for managed devices, we are pleased to announce the expansion of support to include the additional context-aware signals for device trust:

  • Minimum OS Version

  • Screen Lock Password

  • Disk Encryption

  • Host Firewall

  • Chrome Browser Version

  • Device Enrollment Domain

Cisco Duo's new integration with the Chrome Enterprise browser empowers organizations using Duo as their identity provider to quickly and seamlessly manage Chrome profiles and apply consistent security policies across both managed and unmanaged devices. This makes it easy for enterprises to get critical security insights, apply granular browser controls and configure data loss prevention right in the browser already used by employees. Duo's additional integrations with Chrome Enterprise also enable organizations to leverage a wide range of signals and telemetry from Chrome to enforce device trust and deny access from devices, even those owned by partners or contractors, all without requiring the deployment of additional Duo agents or extensions. In collaboration with Chrome Enterprise, Duo is excited to announce Duo Single Sign-On for Chrome Enterprise.

Duo SSO functions as an OpenID Provider, authenticating your users with an existing on-premises Active Directory or SAML 2.0 IdP. It also prompts for multifactor or passwordless authentication before permitting access to resources protected by Chrome Enterprise.

To use these features, devices must be enrolled or have managed Chrome user accounts leveraging Chrome Enterprise Core, which unlocks cloud-based management and reporting for $0. Organizations looking for these features plus more advanced security and data protections can upgrade to Chrome Enterprise Premium.

For more information, check out this setup guide.

As the modern workplace continues to evolve, so do the challenges of securely managing access across diverse user groups, devices, and scenarios. Even on fully managed devices, enterprises might want end users to access their work resources only from corporate-managed profiles. With Duo and the Chrome Enterprise browser, you can easily encourage or require users to use their work profiles, not their personal profiles, when accessing work websites. With Duo and Chrome Enterprise, organizations can unlock a variety of new use cases, ensuring seamless and secure access for every identity.

  • BYOD & Unmanaged Devices: Duo and Chrome Enterprise make it easy to extend enterprise-grade security to Bring Your Own Device (BYOD) and unmanaged devices, giving employees the flexibility they want without compromising the safety of corporate resources.

  • Partners, Contractors, and Third-Party Identities: With Duo’s robust identity security platform and Chrome Enterprise Premium’s enhanced data leak protection, organizations can now secure third-party identities as effectively as they do their internal teams, extending and fostering collaboration without sacrificing security.

  • New Corporate Identities from Mergers & Acquisitions: Mergers and acquisitions bring a wave of new corporate identities, systems, and processes. Duo and Chrome Enterprise simplify the integration process, enabling fast and secure onboarding for new users while maintaining strict access control policies.

  • Disaster Recovery Scenarios: Unforeseen disruptions can be as simple as bad weather delaying the delivery of a managed device. With Duo’s adaptive access policies and Chrome Enterprise’s familiar browser interface, administrators have the flexibility to quickly adapt, ensuring that users can securely access corporate systems regardless of their location or device, even in the most challenging circumstances.

  • Contextual Access Control & Device Trust: Ensure only trusted, managed, and compliant devices running secure Chrome browsers can access sensitive SaaS applications.

  • Data Loss Prevention: Apply browser-level data security policies such as watermarking, screenshot protection, URL filtering, upload, download, copy-paste and print restrictions based on sensitivity of data to your Duo-protected SaaS apps.

  • Comprehensive Visibility: Gain real-time insights into user activity, device posture, and security events, enabling proactive threat management.

In conclusion, the collaboration between Cisco Duo and Google Chrome Enterprise significantly strengthens identity security for modern organizations. Our joint solutions address the complexities of evolving work models by providing robust protection and contextual access control across diverse user groups and devices to stay ahead of the curve, delivering the perfect balance of security, flexibility, and user experience. With enhanced visibility and data loss prevention capabilities, organizations can confidently manage access for employees, contractors, and other third parties, even during M&A transitions. Ultimately, this partnership empowers enterprises to secure their critical resources and embrace the future of work with greater confidence and resilience.

Get started by reading more about Duo’s new security-first IAM solution or start using Duo as an identity broker or secondary identity provider. Simplify enrollment with Duo’s Single Sign-on integration with Chrome Enterprise and stop phishing attacks with the Cisco Device Trust Connector.

Looking to learn more about additional Cisco Security + Chrome Enterprise Recommended solutions?

]]>
<![CDATA[The Total Economic Impact™ of Cisco Duo: 198% ROI and $4.4M NPV]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/total-economic-impact-of-cisco-duo https://duo.com/blog/total-economic-impact-of-cisco-duo Product & Engineering Tue, 12 Aug 2025 00:00:00 +0000

The smartest cybersecurity investments don’t just help businesses avoid losses, they increase productivity and satisfaction at the same time. To measure the value achieved through strong identity security, Cisco commissioned Forrester Consulting to conduct a Total Economic Impact™ (TEI) study for Cisco Duo.

Forrester consultants interviewed seven decision-makers about their experiences with Duo and the benefits, costs, risks, and flexibility of their investments. Following these sessions, Forrester aggregated the results and conducted an in-depth financial analysis for a composite global organization with annual revenues of $2.5B and 10k full-time employees (FTEs).

The resulting TEI study, published in July 2025, showed that the composite organization achieved substantial value over a three-year period by investing in Duo.

The bottom line? Duo represents a smart investment.

Forrester writes in the study: “A positive project NPV normally indicates that the investment should be made unless other projects have higher NPVs.” Duo’s 198% ROI and $4.4M net present value (NPV) point to a sound and rewarding investment.

The commissioned study conducted by Forrester Consulting on behalf of Cisco highlights the fact that Duo delivers transformative benefits on three critical fronts: stronger security, higher productivity, and greater operational efficiency.

Without a centralized identity and access management (IAM) solution, interviewees told Forrester their organizations struggled with security gaps, compliance challenges, and operational complexity. Some reported applying weak MFA processes for critical systems like VPNs, leaving users reliant on vulnerable passwords as their primary method of authentication.

Companies that do not have strong identity security face higher risk from phishing attacks, credential theft, and brute-force intrusions. A single compromised password could give adversaries access to multiple systems and pave the way for lateral movement leading to devastating breaches.

With its official expansion into the IAM market, Duo overcomes the limitations of traditional IAM solutions that emphasize business enablement over—and at the cost of—robust security. In the study, Forrester notes that Duo is:

A leading IAM solution that takes a security-first approach to address modern identity-based threats without compromising usability. It delivers comprehensive protection through security-first identity, end-to-end phishing resistance, and unified identity intelligence.

After investing to make Duo the cornerstone of their identity strategies, organizations strengthened security by closing visibility gaps and controlling who logs in from where using what devices.

The TEI calculated the overall value of Duo’s cyber risk reduction to the composite organization at $1.6 million, citing measurable improvements in breach prevention, identity security, and threat detection. The TEI notes that Duo combines user and device authentication to create layered protection against unauthorized access to resources that includes strong MFA, end-to-end phishing resistance, device verification, and unified identity intelligence. This layered approach helps the composite reduce the likelihood of unauthorized access leading to a breach and minimize breach-related costs such as legal fees, data recovery, and reputational damage if one did occur.

Duo improves security through:

  • Best-practice logins

  • Visibility across applications

  • Threat detection powered by machine learning

  • Disruption of the attack chain to block lateral movement toward sensitive systems

But while the “killer app” for multi-factor authentication (MFA) is still improving defenses against identity-led attacks, Duo’s ability to enhance productivity has even greater financial impact.

Interviewees told Forrester consultants that Duo reduces the time it takes to log in, simplifies access across all applications, and minimizes disruptions throughout the workday.

The CISO at a technology services company noted:

"[Prior to Duo,] it was not uncommon [to have] a dozen logins a day . . . If you were using a password manager, hopefully it [worked in] a couple of clicks. If you were not signed in to your password manager, at best you would have to hand-type out your password, [which would take] maybe 30 seconds, and then you would have differing degrees of MFA or login challenges."

With Duo helping to mitigate friction and streamline authentication, end-users save time and experience less frustration. Duo Passport and Session Theft Protection extend trust across multiple applications and throughout entire user sessions so employees don’t get interrupted while working to authenticate again.

The TEI calculated the accumulated three-year value of enhanced productivity achieved using Duo at $4.7 million, based on improved user experience (UX) saving full-time employees (FTEs) 137,500 hours per year. Instead of managing multiple logins, the study says Duo lets users “get to work faster and stay productive with fewer interruptions.”

Duo’s straightforward, user-friendly MFA simplifies onboarding and reduces login friction with a consistent, simplified experience across all clients, web-based apps, and browsers.

Drivers for adopting Duo include a variety of operational benefits, such as:

  • Streamlining identity operations to reduce complexity

  • Seamless integration with SaaS and on-premises applications and VPNs

  • Support for cloud and hybrid environments

  • Agility and scale as organizations expand

  • Out-of-the-box support for third-party tools

Without Duo, SecOps teams battled fragmented authentication systems with limited visibility. Disparate logs and platforms made anomaly detection and incident response (IR) even more challenging.

After investing, the TEI concludes:

Duo helps teams identify and address weak points in the authentication landscape and to scale and improve their security posture without overburdening internal teams. By offloading authentication and simplifying infrastructure, Duo enabled scalable protection with efficiencies for teams across security operations, IAM, and governance, risk, and compliance (GRC).

Highlights of Duo’s time-savings and workload reduction benefits include:

  • IR improvements worth $276K — The TEI calculates Duo saves IR teams more than 5,000 hours per year by automating identity risk assessments, reducing false positives, and creating actionable visibility. Focusing on real threats faster reduces authentication-related IR efforts by 50%.

  • IAM efficiency gains worth $205K — Duo simplifies provisioning and empowers IAM teams to scale securely while maintaining strong administrative oversight across the IAM lifecycle.

  • Cyber insurance premium reductions worth >$89K — Duo helps IAM leaders navigate complex compliance and cyber insurance requirements, streamlining workflows with audit-ready evidence for a 20% reduction in cyber insurance premiums.

  • Help desk optimization worth $28K — Duo reduces calls to the help desk to reset passwords and unlock accounts, a substantial time savings for the IT team.

Duo has definitely improved our efficiency in security administration. The enhanced visibility provided by Duo, especially when combined with Cisco Identity Intelligence, allows us to identify and address security gaps proactively. This has led to a significant reduction in false positives and faster investigation times, freeing up our security operations center (SOC) analysts to focus on more critical threats.

As security and IAM converge, Duo offers the industry’s only security-first IAM solution that makes organizations safer, stronger, and more agile and efficient:

Along with putting security first and delivering a world-class user experience, participants in the TEI highlighted the value of powerful innovations like passwordless, verified Duo Push, Duo Passport, and the ability of Duo Desktop to verify a user’s identity and the security posture of their device before granting access. Since then, Duo has evolved to include end-to-end phishing resistance capabilities for even stronger identity security:

  • Complete Passwordless Authentication including at initial onboarding and as a fallback

  • Proximity Verification designed to protect against adversary-in-the-middle attacks

  • Session Theft Protection that removes vulnerable “remember me” cookies from the authentication process, leaving nothing for cybercriminals to steal

  • Seamless Help Desk Verification enabling identity verification for help desks to guard against social engineering attacks

AI-led insights powered by Cisco Identity Intelligence (CII) help organizations unify IAM and security to build and maintain a fully secure identity infrastructure. Duo offers everything business and IT leaders need to manage and secure identity in one place and an achievable ROI of nearly 200%.

To learn more about potential return on investment your organization might achieve by deploying Duo, read the TEI study.

]]>
<![CDATA[Building social engineering resilience with Duo Identity Verification]]> landyn@cisco.com (Landy Naylor) https://duo.com/blog/building-social-engineering-resilience-with-duo-identity-verification https://duo.com/blog/building-social-engineering-resilience-with-duo-identity-verification Product & Engineering Thu, 31 Jul 2025 00:00:00 +0000

Organizations have put in a ton of work to ensure their data and resources are comprehensively protected with strong user authentication. In doing so, the goalpost has shifted, and attackers are now looking for another way in. According to Splunk, 98% of cyberattacks now rely on social engineering, the vast majority of which are directed towards compromising user identities.

Attacks commonly take place during vulnerable moments in workforce users’ lifecycles. These include:

  • Calling the helpdesk — Organizations that rely on authenticator possession and/or knowledge-based verification questions to aid end-users can be tricked into offering support to an attacker.

  • Initial enrollment/onboarding — Organizations often send an enrollment link or temporary credentials to a user when they are onboarding. With these processes, organizations can become victims of intercepted credentials and/or entirely fraudulently hired employees. With the large shift to remote work, this is particularly impactful.

  • Self-service — Many organizations offer self-service to provide a 24-hour way for end-users to self-remediate access issues. However, if phishing-resistant authenticators aren’t required for access, attackers could gain access and add their own authenticators for further access. Additionally, self-service is only effective at reducing load on the helpdesk if users have an authenticator to gain access to self-service in the first place.

These moments highlight the trade-off between ease-of-use and security. If organizations choose to be highly secure, they may also experience significantly increased IT costs and end-user friction. Choices made in an effort to operate in a highly secure manner could also have unintended consequences such as missing out on hiring top talent by requiring them to reside near an office.

Other consequences could be higher employee turnover due to the friction with the organization’s rigid security process for users to regain access. On the opposite end, many organizations are operating at the status quo and are therefore at risk of social engineering attacks. They may be aware of these risks but don’t have the proper tools to implement secure processes that can scale gracefully.

But what if your organization didn’t have to make that tradeoff? With the introduction of Duo Identity Verification, organizations can make these once-vulnerable moments resilient to social engineering attacks by ensuring the user who is attempting to gain access is who they say they are. We are giving customers the option to integrate with Persona to offer differentiated experiences that help provide this assurance at the helpdesk, during enrollment, and for self-service account recovery.

This solution allows end-users to quickly and easily verify their identity when contacting the helpdesk for assistance, whether it be identity and access management (IAM) related, or a call in to HR or payroll to update their direct deposit. This is a market-leading offering that integrates identity verification directly into Duo’s security-first IAM platform and is available via the Duo admin panel or Admin API. This functionality will be available to all customers in Beta starting in late July 2025.

This solution provides high identity assurance during user enrollment, making enrollment codes or email links useless should they happen to fall into the wrong hands. This allows the best of both worlds: the ability to use any of Duo’s flexible end-user self-enrollment methods, coupled with high assurance that the intended user is the one who completes it. This functionality is expected to be in Alpha soon, with a wider Beta release expected in late summer 2025.

As mentioned before, self-service is only valuable if it is secure. You also need a credential to access self-service in the first place. Duo plans to add the ability for users to use their identity to regain access to the self-service portal so that they can add or reactivate an authenticator and then independently get back to work. This further reduces an organization’s helpdesk costs while providing the user with autonomy to self-solve. This functionality is expected to be in Alpha by fall 2025, with a wider Beta release expected by the end of 2025.

So how does Duo Identity Verification work? The solution does require a separate Persona account and licensing, but Duo and Persona provide an integration that makes configuration of this solution as simple as possible!

Once everything is set up in Duo and Persona, this is how IDV works.

When the verifying user is redirected to Persona, they will be asked to provide a snapshot of their government-issued ID and take selfie photos. Persona will perform a variety of verification checks depending on how the organization has configured things. Among them are:

  • Various checks to the government ID, such as legitimacy, expiration date, and tampering

  • Various checks to the selfie including liveness detection, deepfake detection, and matching of the selfie to the photo in the government ID

  • Checks to see that the user in Duo matches the user who has undergone identity verification

Once the user successfully completes verification, the Duo admin will be informed of the result, or the user will be taken to the next step of the flow they originally entered. If your organization retains selfies within Persona, they can be used to enable an even faster selfie-only re-verification should the user verify themselves again later.

With these workflows now more resilient to social engineering, organizations can even more confidently support their users, near and far, and achieve deployable end-to-end phishing resistance.

Are you new to Duo? Sign up for a free trial today and learn more about Duo IAM!

Persona is a leading secure identity verification (IDV) platform trusted by organizations across industries. They empower companies to confirm user identities quickly and securely, so legitimate users can continue to do their important work with minimal interruption while stopping attackers in their tracks. Persona offers global support and has flexible options that can be catered to your organization’s unique needs. Learn more.

*Note: The features described above remain in varying stages of development and will be offered on a when-and-if-available basis. The delivery timeline is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.

]]>
<![CDATA[Duo Passport’s patent-pending defense against session hijacking]]> rhaidous@cisco.com (Ranine Haidous) https://duo.com/blog/duo-passports-patent-pending-defense-against-session-hijacking https://duo.com/blog/duo-passports-patent-pending-defense-against-session-hijacking Product & Engineering Wed, 30 Jul 2025 00:00:00 +0000

At Duo, we've been obsessed with a growing threat that keeps security teams up at night: Session hijacking. Recently, we announced a patent-pending breakthrough that marks a fundamental shift in how we think about authentication security. According to the 2024 IBM X-Force Threat Intelligence Index, use of stolen credentials to access valid accounts surged 71% over the previous year and represented 30% of all incidents X-Force responded to, tied with phishing as the top infection vectors. Duo Passport, with its built-in Session Token Theft Protection, directly addresses these escalating threats.

In 2024 alone, sixty percent of all Cisco Talos incident response cases involved identity as a key attack vector, with session theft emerging as an attacker’s favorite shortcut around even the most sophisticated MFA implementations. We're facing an "identity crisis" where attackers no longer need to hack in, they simply log in using stolen credentials. At Duo, we knew we had to do more than incrementally improve existing defenses.

Session token theft exploits a fundamental weakness in how web authentication has worked for decades. When users authenticate, applications issue session cookies to maintain their logged-in state. Attackers have become increasingly sophisticated at stealing these tokens through malicious JavaScript, infostealers like Redline and Emotet, or adversary-in-the-middle attacks. Once they have your session token, they essentially have your digital identity, which allows them to bypass passwords, MFA, and most security controls.

Existing solutions treat the symptoms while ignoring the core issue: session trust shouldn’t exist as a separate, portable entity (think cookies).

Duo Passport’s Session Token Theft Protection is a breakthrough in authentication security. It removes session cookies from the Duo authentication flow entirely, relying instead on the hardware security modules built into modern devices, like the Trusted Platform Module (TPM) 2.0 for Windows or the Secure Enclave for macOS. Although individual applications may still use their own session tokens after authentication, Duo Passport secures the critical foundation it controls, significantly reducing the risk of session hijacking. This enhanced protection is uniquely delivered while preserving Passport's premium user experience of seamless access without repetitive logins. Cisco successfully reduced weekly logins from 8 million to 450,000 by deploying Duo Passwordless, Risk-Based Authentication, and Duo Passport.
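The contrast drawn above, as an added Node.js sketch that is not Duo's code and does not reproduce Duo Passport's patent-pending mechanism: a bearer cookie is accepted from whoever holds it, while a session that must sign a fresh server nonce with a device-held key is not. The class names, the ECDSA P-256 choice, and the in-memory key standing in for a TPM or Secure Enclave key are assumptions.

```javascript
// Added illustration (not Duo code): bearer session cookie vs. a session
// bound to a device-held key. Generic proof-of-possession sketch only.
const crypto = require('crypto');

// Classic model: the cookie value alone proves the session.
class CookieServer {
  constructor() { this.sessions = new Map(); }
  login(user) {
    const token = crypto.randomBytes(32).toString('hex');
    this.sessions.set(token, user);
    return token; // delivered to the browser as a cookie
  }
  request(token) { return this.sessions.get(token) || null; }
}

// Stand-in for a TPM / Secure Enclave key. Real hardware never exports the
// private key; here it is an ordinary in-memory key (assumption).
class Device {
  constructor() {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(nonce) { return crypto.sign('sha256', nonce, this.privateKey); }
}

// Bound model: every request must carry a signature over a fresh nonce.
class BoundServer {
  constructor() { this.keys = new Map(); this.nonces = new Map(); }
  enroll(user, publicKeyPem) {
    this.keys.set(user, crypto.createPublicKey(publicKeyPem));
  }
  challenge(user) {
    const nonce = crypto.randomBytes(32);
    this.nonces.set(user, nonce);
    return nonce;
  }
  request(user, signature) {
    const nonce = this.nonces.get(user);
    const key = this.keys.get(user);
    this.nonces.delete(user); // each nonce is accepted once
    if (!nonce || !key) return null;
    try {
      return crypto.verify('sha256', nonce, key, signature) ? user : null;
    } catch (err) {
      return null; // malformed signature
    }
  }
}

function demo() {
  const out = {};

  // Bearer cookie: a copy of the value works from anywhere.
  const cookieServer = new CookieServer();
  const cookie = cookieServer.login('alice');
  out.cookieOwner = cookieServer.request(cookie);
  const copiedCookie = cookie; // same bytes, presented by another party
  out.cookieThief = cookieServer.request(copiedCookie);

  // Device-bound session: the enrolled device answers the challenge.
  const bound = new BoundServer();
  const laptop = new Device();
  bound.enroll('alice', laptop.publicKeyPem);
  const capturedSig = laptop.sign(bound.challenge('alice'));
  out.boundOwner = bound.request('alice', capturedSig);

  // A captured signature does not verify against the next nonce.
  bound.challenge('alice');
  out.boundReplay = bound.request('alice', capturedSig);

  // A signature made with some other device's key does not verify either.
  const otherDevice = new Device();
  out.boundOtherDevice =
    bound.request('alice', otherDevice.sign(bound.challenge('alice')));
  return out;
}

console.log(demo());
```

Nothing reusable crosses the wire in the bound model: the signature is only valid for one nonce, and producing the next one requires the key that stays on the device.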

Core benefits we're delivering:

  • Hardware-backed security that's phishing-resistant

  • Dramatic reduction in authentication friction

  • Platform-agnostic protection (Windows and macOS)

  • Simple deployment through existing Duo infrastructure

  • No vendor lock-in or ecosystem limitations

Duo Passport solves two seemingly opposing challenges: Reducing authentication fatigue while significantly strengthening security. Our customers often told us that constant MFA prompts wore down their users. Duo Passport streamlined this experience by allowing users to authenticate once and access multiple applications across browsers and desktop apps without interruption. Now, in addition to that, it includes built-in protection against session hijacking attacks. In fact, Cisco's own deployment of Duo Passport Session Theft Protection led to a remarkable 52% decrease in cookie-based authentications within 30 days, directly reducing the risk of session hijacking.

Looking at the competitive landscape, we see fundamental differences in approach. Microsoft's token protection works well…if you're all-in on Windows and their ecosystem. Okta focuses on adaptive MFA, which helps but doesn't address the root vulnerability. We've taken a different path: Platform-agnostic, hardware-backed protection that works across your entire enterprise environment.

Together with Cisco Identity Intelligence, Duo Passport creates a foundation for continuous identity verification that adapts to changing risk conditions. Your organization needs an identity infrastructure that grows stronger as attackers become more sophisticated, one that enhances user productivity while minimizing risk in an increasingly dangerous threat landscape. The real question isn't whether session theft attacks will target your organization; it's whether you'll be ready and protected when they do.

Duo Passport Session Theft Protection is currently in public preview. Read more on how Duo helps organizations secure end-to-end phishing resistance.

Start a free trial of Duo’s advanced identity security today.

]]>
<![CDATA[Combine Duo with NetScaler and thwart identity attacks? Yes, please!]]> claytonb@cisco.com (Clayton Ballreich) https://duo.com/blog/combine-duo-with-netscaler-and-thwart-identity-attacks-yes-please https://duo.com/blog/combine-duo-with-netscaler-and-thwart-identity-attacks-yes-please Product & Engineering Thu, 24 Jul 2025 00:00:00 +0000

Imagine you’re hanging out in front of the TV and your phone starts to ding. It’s a push notification for MFA, but you aren’t logging in. That’s worrisome. Now imagine it’s one of your workforce’s users in the recliner, and their attention is so divided, they hastily grab their phone and hit approve to silence it. Now a bad actor is in your environment. These are the types of attacks that are happening in the wild, and the types of real-world behaviors those in charge of security for their organizations face.

Customers using older Duo integrations with NetScaler are struggling to protect against modern-day identity attacks such as the one above. It’s time for something better. Guarding against increasingly sophisticated identity attacks is a must, but it often comes at the cost of usability. Certainly, no one wants to add complexity to NetScaler logins, or any application for that matter. What if easy implementation and a better user experience, all wrapped up in Duo’s most advanced capabilities that help protect against modern identity attacks, were available today? Well, we have great news for you. It is!

With a long existing partnership and integration, Duo has been protecting NetScaler logins with multi-factor authentication, device trust, and posture assessment for many years. Identity threats, growing in sophistication, convinced us it was time to step up our game. Duo laid the groundwork towards this in 2022 with the delivery of the Universal Prompt. Universal Prompt set out to build a platform that protects against modern attack techniques such as MFA phishing and session hijacking, all while improving the end user experience. Enter the Duo Web Integration for NetScaler complete with the Universal Prompt.

NetScaler, in striving to provide a very flexible solution, offers support for many authentication standards such as SAML, which Duo supports with Duo SSO. There are some great reasons why you’d want to use SSO; however, integrating through SAML requires additional elements to be deployed to preserve single sign-on capabilities throughout the Citrix stack. If it’s preferred to preserve the architecture without those additional components, using RADIUS for MFA was a good option. The RADIUS integration between Duo and NetScaler allowed consumers to keep primary authentication in place and use Duo as secondary authentication, while preserving Citrix’s single sign-on capabilities. Remember that whole need for enhanced security though? RADIUS wasn’t providing it.

Duo strived not just to match, but to beat the simplicity of our original NetScaler integration when setting out to modernize and provide better security. Enter, OAuth. If you’re not familiar with OAuth, you can learn more here. With OAuth, Duo can implement a more flexible, secure, simpler integration. Our partners at NetScaler agreed and we all set to task integrating using OAuth, again allowing primary authentication to remain untouched while making the second factor integration easier and more secure. I’d be remiss not to mention OAuth is the native mechanism for integrating the Duo Universal Prompt with many applications, not just NetScaler.

Use of this new integration provides all Duo customers an easier way to integrate and simplifies their deployment by removing the requirement to use the Duo Authentication Proxy and RADIUS integration. This results in NetScaler talking directly to the Duo cloud service and customers keeping their current benefits of device trust and industry leading MFA. This is just the tip of the iceberg. Phishing? Reduced with the use of Duo verified and proximity push. The real magic comes when customers utilize the Duo Advantage or Premier tiers. What does this provide? It opens a myriad of security controls which are critical in protecting users from today’s advanced identity attacks. Use of the Universal Prompt within Duo Advantage and Premier provides risk-based authentication, device health checks, user location controls and continuous identity protection with Cisco Identity Security. By combining identity visibility and protecting users from phishing, password spray attacks and so much more, NetScaler is turned into a force of identity protection just by integrating with Duo.

Plenty of customers have successfully used SAML to authenticate users into their Citrix environments. Using Duo as an IdP and the primary authentication source for NetScaler allows for additional benefits such as passwordless authentication or single sign-on with other applications. Should you have the appetite for or have already implemented Citrix infrastructure to support SAML with Citrix single sign-on, using Duo is a great option. If you have a different SAML IdP configured with Duo as the MFA, that’s another great way to protect your NetScaler users with the security benefits of Duo.

All existing customers can see immediate benefits by implementing the Duo Web Integration for NetScaler. For the ultimate in end user protection and defense from advanced identity attacks, customers can upgrade to Duo Advantage edition. For those who have not yet experienced Duo, start your trial today.

]]>
<![CDATA[SE Labs awards Cisco its AAA Rating in Universal ZTNA identity testing]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/se-labs-awards-cisco-its-aaa-rating-in-universal-ztna-identity-testing https://duo.com/blog/se-labs-awards-cisco-its-aaa-rating-in-universal-ztna-identity-testing Product & Engineering Tue, 22 Jul 2025 00:00:00 +0000

As security’s new front line of defense, user identities must be fully protected at all times. That’s why after rigorous, first-of-its-kind identity testing, SE Labs® awarded Universal Zero Trust Network Access (UZTNA) from Cisco its highest AAA rating for “Advanced Security IAM Protection.”

Universal ZTNA combines multiple products to deliver zero trust authentication and protection against identity-based attacks:

  • Cisco Duo

  • Cisco Secure Access

  • Cisco Identity Intelligence (CII)

The solution achieved 100% detection and 100% protection against cyber threats, identifying and blocking every attempt to compromise security defenses. The report reads:

UZTNA detected and responded to every malicious access attempt without relying on traditional exploit signatures or simple traffic heuristics. As such, the combined solution achieves the SE Labs AAA award.

“Hackers don’t always need exploits, but they do always need access,” SE Labs Founder and CEO Simon Edwards points out, noting modern attackers target identity to break into critical cloud environments like Microsoft 365.

SE Labs security experts subjected Universal ZTNA to a rigorous round of attacks that proved Duo and the other offerings could handle a range of common threat actor tactics. Testing took place in a real network environment, targeting a Microsoft 365 deployment with privileged and non-privileged accounts. Security experts played the role of attackers, probing for weaknesses and adapting to security controls to see how systems would respond.

SE Labs’ landmark analysis mimicked techniques used recently by prominent threat groups like Scattered Spider, APT29, and APT28. Testing featured 30 attacks across three attack vectors:

  • 12 attempts involved stolen credentials using valid, but compromised, usernames and passwords to gain access

  • 8 tried to bypass MFA using techniques like MFA fatigue and credential stuffing

  • 10 attacks attempted to hijack active user sessions without needing credentials or MFA

Variations ranged from attempting to log in from different geographic locations and devices at unusual hours to MFA flooding, a Scattered Spider go-to tactic, and using stolen session cookies to impersonate users and compromise assets without re-authenticating.

SE Labs recognizes that not all MFA is created equal. Edwards writes, “While many people think multi-factor authentication is a silver bullet. It isn’t.” Enter the “new Duo” with a comprehensive solution that combines:

MFA shuts down stolen credentials: Duo MFA routinely blocks attacks that attempt to leverage stolen credentials by requiring users to confirm their identity using additional factors like their mobile phone or thumbprint.

Proximity Verification prevents MFA bypass: Businesses roll out MFA to stop phishing, but hackers attempt to bypass it with phishing and ‘MFA fatigue’ attacks that flood authentication systems with repeat login requests. Duo Proximity Verification leverages the user’s mobile phone to confirm the authentication device is physically close to the device they’re asking to access (e.g., their laptop). It’s a simple, seamless, and highly secure approach to detect and intercept attempts to bypass MFA without requiring expensive hardware tokens or complex configurations.
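Alongside a preventive control like the one above, push flooding also leaves a recognizable pattern in authentication logs: a burst of denied or timed-out pushes for one user, sometimes ending in an approval. The following detection sketch is an added example, not code from Duo or SE Labs; the log format, field names, sample lines, window and threshold are all constructed assumptions.

```javascript
// Added illustration: flag MFA push flooding in authentication logs.
// The log format, field names and sample lines are constructed for this example.
const SAMPLE_LOG = [
  '2025-07-01T09:00:01Z user=bob factor=push result=approved ip=198.51.100.20',
  '2025-07-01T13:30:00Z user=bob factor=push result=denied ip=198.51.100.20',
  '2025-07-01T13:30:20Z user=bob factor=push result=approved ip=198.51.100.20',
  '2025-07-01T08:00:00Z user=carol factor=push result=timeout ip=192.0.2.44',
  '2025-07-01T08:40:00Z user=carol factor=push result=timeout ip=192.0.2.44',
  '2025-07-01T09:20:00Z user=carol factor=push result=timeout ip=192.0.2.44',
  '2025-07-01T10:00:00Z user=carol factor=push result=timeout ip=192.0.2.44',
  '2025-07-01T21:14:05Z user=alice factor=push result=denied ip=203.0.113.7',
  '2025-07-01T21:14:40Z user=alice factor=push result=timeout ip=203.0.113.7',
  '2025-07-01T21:15:10Z user=alice factor=push result=denied ip=203.0.113.7',
  '2025-07-01T21:15:45Z user=alice factor=push result=denied ip=203.0.113.7',
  '2025-07-01T21:16:02Z user=alice factor=push result=denied ip=203.0.113.7',
  '2025-07-01T21:16:20Z user=alice factor=push result=approved ip=203.0.113.7',
  '2025-07-01T21:17:00Z user=dave factor=passkey result=approved ip=192.0.2.9',
  'truncated line with no fields',
];

const LINE_RE = /^(\S+) user=(\S+) factor=(\S+) result=(\S+)/;

// Parse one line; return null for anything that does not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, user: m[2], factor: m[3], result: m[4] };
}

// Alert when a user accumulates `threshold` rejected pushes (denied or
// timed out) inside a sliding window, and record whether an approval
// followed while the burst was still in progress.
function detectPushFatigue(lines, { windowSec = 300, threshold = 4 } = {}) {
  const events = lines
    .map(parseLine)
    .filter((e) => e && e.factor === 'push')
    .sort((a, b) => a.ts - b.ts);
  const rejected = new Map(); // user -> timestamps of recent rejected pushes
  const open = new Map();     // user -> alert for the burst in progress
  const alerts = [];

  for (const e of events) {
    const q = rejected.get(e.user) || [];
    rejected.set(e.user, q);
    // Drop rejections that have aged out of the window.
    while (q.length && e.ts - q[0] > windowSec * 1000) q.shift();
    if (q.length === 0) open.delete(e.user);

    if (e.result === 'denied' || e.result === 'timeout') {
      q.push(e.ts);
      if (q.length >= threshold) {
        let alert = open.get(e.user);
        if (!alert) {
          alert = {
            user: e.user,
            firstSeen: new Date(q[0]).toISOString(),
            rejected: 0,
            approvedAfterBurst: false,
          };
          open.set(e.user, alert);
          alerts.push(alert);
        }
        alert.rejected = Math.max(alert.rejected, q.length);
      }
    } else if (e.result === 'approved') {
      // An approval right after a burst is the case worth escalating.
      const alert = open.get(e.user);
      if (alert) alert.approvedAfterBurst = true;
      q.length = 0;
      open.delete(e.user);
    }
  }
  return alerts;
}

console.log(detectPushFatigue(SAMPLE_LOG));
```

An alert with `approvedAfterBurst: true` is the one to triage first, since it means a prompt was accepted while the flood was still under way.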

Session Hijacking Prevention protects mid-session: As part of its enhanced end-to-end phishing resistance capabilities, Duo now includes session theft prevention to stop one of the three tactics employed by the SE Labs testing of UZTNA. The report describes session hijacking as:

An attack in which an attacker takes control of a user’s active session, often by stealing a session token or ID. Attackers may exploit insecure cookies, public Wi-Fi networks and browser vulnerabilities. Once hijacked, the attacker can impersonate the user, access sensitive data and perform unauthorized actions. This threat bypasses normal authentication and is hard to detect.

Threat actors attempt to steal “Remember Me” session cookies used to keep people authenticated during active sessions. Duo removes these cookies and applies patent-pending technology to prevent session hijacking behind the scenes. Duo secures entire user sessions — without inconveniencing people to authenticate again and again.

“Attackers today have choices in overcoming perimeter controls,” Edwards says. “Cisco UZTNA is to be congratulated for its flawless performance at rebuffing our attacks in what is now a very complex environment.”

The SE Labs writeup notes, “Data needs to be accessible, at high speeds, but using strong security. And this security needs to be managed simply. and other modern staples of strong security and a rewarding user experience.”

Along with easy-to-use MFA, Duo features options like single sign-on (SSO), a user directory with lifecycle management (Duo Directory), device trust, and complete passwordless to raise the bar on flexibility, simplicity, and user satisfaction.

“Zero Trust Network Access is key to protecting organizations today, and we’re delighted that our first-of-its-kind Universal ZTNA from Cisco has been awarded the top accolade from SE Labs,” says Raj Chopra, SVP, CPO Cisco Security. “This rigorous benchmark underscores how Cisco’s unique integration of identity security and SASE delivers a true universal Zero Trust solution, providing unmatched protection for the workforce against the diverse and sophisticated attacks organizations face today.”

For more details about the tests and findings, download the full report.

Discover how Cisco Universal ZTNA and Cisco Duo can transform your organization’s security posture. Visit the following resources to explore our innovative approach:

]]>
<![CDATA[Cisco Named a Customers’ Choice in Gartner Peer Insights™ 2025 Voice of the Customer for User Authentication]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/cisco-named-a-customers-choice-in-gartner-peer-insights-2025-voice-of-the-customer-for-user-authentication https://duo.com/blog/cisco-named-a-customers-choice-in-gartner-peer-insights-2025-voice-of-the-customer-for-user-authentication Industry Events Tue, 15 Jul 2025 00:00:00 +0000

97% of Customers Would Recommend Cisco Duo

Cisco has been recognized as a Customers’ Choice in the Gartner® Peer Insights™ 2025 Voice of the Customer for User Authentication report. Cisco appears in the upper-righthand quadrant which denotes a Customers’ Choice distinction and received a 97% Willingness to Recommend score based on 130 customer reviews submitted as of February 2025.

The 2025 Voice of the Customer for User Authentication ratings reflect reviews submitted by verified customers during the 18-month period ending February 28, 2025. Overall, 122 Cisco customers rated Duo 4.7 out of 5 for “Deployment Experience” and 126 customers rated Duo 4.7 out of 5 for “Product Capabilities.” Read the Voice of the Customer report.

Where traditional identity and access management (IAM) solutions claim “identity-first security,” Cisco takes a “security-first” approach to identity. A comprehensive IAM solution, Duo provides everything organizations need to secure and manage user identities from day one including:

  • Duo Directory

  • Phishing-resistant MFA

  • Single sign-on (SSO)

  • Passwordless authentication

  • Identity intelligence

Security-first IAM enables organizations to strengthen their security posture, minimize complexity, and modernize and scale their IAM environments. Duo verifies identity and validates trust—all while delivering a world-class experience for users and admins.

Gartner defines “peers” as “verified reviewers of a technology product or service, who not only rate the offering, but also provide valuable feedback to consider before making a purchase decision.” Cisco customers who reviewed Duo talked about the protection, simplicity, and support they gained:

  • Experience Enhanced Security with Duo's Multi-Factor Authentication

    “Implementing Duo within our organization has really helped us become more confident about the security of accessing our data. A few of the many strengths of implementing Duo within our organization are as follows: Duo provides us with a detailed track record of employees' access to the assigned applications. Again, the Duo cloud-based architecture has allowed us to easily scale the solution to meet our growing security needs as per the requirements. Last but not least, Duo Multi-Factor Authentication capabilities have secured our organization’s data from unauthorized access.”

  • Simplifying Security: MFA Services Made Easy with This Product

    "This product is the go-to for MFA services. It is simple to implement and configure, especially with the documentation base that is provided by Duo. Overall, Duo makes it easy to adhere to security requirements, while not interfering with a company's productivity."

  • Security Made Simple: Cisco Duo's Multi-factor Authentication

    “Cisco Duo has been a wonderful experience for me. It's really user-friendly, both from an admin perspective and as someone who uses it daily. Setting it up was surprisingly simple and the multi-factor authentication is solid and gives me peace of mind knowing our accounts are secure.”

  • Best User Authentication Solution

    “Duo makes user authentication easy when accessing sensitive business information or when accessing devices. The 2-factor authentication ensures that only permissible users get access. It has been a great tool for boosting data privacy in our business. I like that Duo is very fast yet ensures secure access. With proper authentication, access to data/apps/devices is easy.”

  • Cisco Duo: The Outstanding Multi-Factor Authentication Solution

    “After using various security solutions, Cisco Duo stands out as an exceptional multi-factor authentication (MFA) tool. It has features like fine-grained policies. Duo's overall performance and flexibility make it a good choice. It offers excellent reporting and monitoring features. As a user, the biggest benefit of Duo is its mobile app. Duo integrates well with a wide range of applications. Scalability is another advantage.”


We invite you to visit Gartner Peer Insights to read more Duo customer reviews or share your own Duo story. We’re proud to say that Cisco has received the most peer review ratings of any vendor in the User Authentication category with 720+ Duo reviews submitted as of June 2025. Visit the Gartner Peer Insights page for this market to learn more about the User Authentication market.

Last but not least, we thank our customers who took the time to submit reviews online. Your feedback helps us innovate to keep your company ahead of evolving threats and reward your invaluable trust in Duo.

Gartner, Voice of the Customer for User Authentication, Peer Contributors, 30 May 2025 

Gartner and Peer Insights™ are trademarks of Gartner, Inc. and/or its affiliates. All rights reserved. Gartner Peer Insights content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner or its affiliates. Gartner does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.

]]>