Where the Federal government goes, other parts of the private sector follow. So it was good to see that in response to last May’s Executive Order 14028, the Office of Management and Budget (OMB) released a memo Wednesday outlining a new strategy for moving the federal government toward a zero trust cybersecurity posture.

(Check out Lindsey O’Donnell-Welch’s coverage of the news in Decipher.)

What’s the Vision?

The vision being set forth by OMB is ambitious — but vital. Imagine a shift away from logging into a “network” to having security seamlessly built into the network, and multi-factor authentication and authorization continuously performed at the application level on the fly — without users typing passwords.

This will require a shift away from “perimeter-based networks” with validation done at the point of entry and exit towards intelligent, intuitive networks that are capable of assessing and addressing threats in real time.

What’s in the Strategy?

The memo requires agencies to adopt security strategies for five asset classes, including:

• Employees — governed by a single enterprise identity, and use phishing resistant multi-factor authentication solutions
• Devices — agencies maintain a complete inventory of devices, which are tracked and monitored, including use of endpoint detection and response devices
• Networks — encrypt all DNS, HTTP and email traffic, and provide isolation for federal assets. This includes the use of cloud based infrastructure
• Applications — tested internally and externally
• Data — categorized and tagged using cloud security services and enterprise logging capabilities

What’s Notable in the Memo?

The strategy places significant emphasis on what Duo Security, now part of Cisco Secure, calls “workforce zero trust” — the combination of users and devices, managed using multi-factor authentication and device health evaluations. This, in combination with network encryption, will lay a strong foundation against phishing and other common attack vectors.

The memo emphasizes the importance of including cloud-based platforms, applications and systems in the agency zero trust strategy. The move to a zero trust model allows for secure use of cloud, and OMB is requiring use of zero trust to facilitate the modernization of federal technologies.

Although not part of a typical zero trust strategy, the memo also requires agencies to leverage internal and external testing and scrutiny of federal systems, to ensure the health and efficacy of federal controls. Combined with a coordinated vulnerability disclosure program, overall these requirements will ensure federal assets are better protected, and that agency vulnerability findings can be shared with the broader public, as necessary.

The memo suggests that immutable (unchanging) workloads are more likely to occur when the principle of “least privilege” (of developers and other operational personnel) is in place. OMB is promoting “Modern software development lifecycle practices, including Continuous Integration/Continuous Deployment (CI/CD) and Infrastructure as Code (IaC)” in order to ensure immutability, particularly in cloud environments.

In addition to detailing the “what” of the strategy, OMB also details the “how.” The requirements suggest taking an iterative approach: “Agencies must identify at least one internal-facing FISMA Moderate application and make it fully operational and accessible over the public internet” and “without relying on a virtual private network (VPN) or other network tunnel.”

The OMB notes that an agency will need to “put in place minimum viable monitoring infrastructure, denial of service protections, and an enforced access-control policy. While implementing those elements, the agency should integrate this internet-facing system into an enterprise identity management system… Agencies will likely find it beneficial to gain confidence in their controls and processes by performing this shift first on a FISMA Low system before attempting to meet the requirement of doing so for a FISMA Moderate system.”

Piloting a new architecture using a low-risk system is a prudent way to implement a new strategy, but it suggests the agency strategies may take some time to deploy. 

What’s Next?

The OMB is to be applauded for encouraging collaborative efforts “to capture best practices, lessons learned, and additional agency guidance” across the agencies via OMB and the Cybersecurity and Infrastructure Security Agency (CISA) website, zerotrust.cyber.gov.

Agencies have 60 days to submit a plan to CISA and OMB, and 30 days to identify an agency lead for the effort.

Related Resources

• Duo’s Zero Trust Solutions for Government Workforces
• Duo FedRAMP Authorized Authentication: Duo Federal MFA and Duo Federal Access Editions
• Documentation: Guide to Duo’s Federal Editions
• Webinar: From MFA to Zero Trust: A Five Phase Journey to Securing the Federal Workforce
• Duo Blog: Advisory CISO Helen Patton's Observations on May 2021 Executive Order on Improving the Nation’s Cybersecurity

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

Not all multi-factor authentication (MFA) solutions are equal. There are some extra features on some and hidden costs in others. The total cost of ownership includes all direct and indirect costs of owning a product. For a two-factor authentication solution, that may include hidden costs, such as upfront, capital, licensing, support, maintenance, and operating costs. Don’t forget the many other unforeseen expenses like professional services and ongoing operation and administration costs that accumulate over time.

“With Duo, we were able to bring consistent security controls across all of our apps by streamlining to one MFA and SSO solution at a much lower total cost of ownership…. Our clients are able to easily self-enroll, deploy 2FA and SSO against their own applications, regardless of where they’re hosted, and Duo nearly halved our 2FA-related support workload.” —John Bryant, Chief Technology Officer, Options Technology Ltd.

How can you be sure you’re getting the best security return on your investment?

Upfront Costs

See if your vendor’s purchasing model requires that you pay per device, user or integration – this is important if your company plans to scale and add new applications or services in the future. Many hosted services provide a per-user license model, with a flat monthly or annual cost for each enrolled user. When investigating licensing costs, make sure to confirm whether licenses are named (locked to a single user ID) or transferable, whether there are add-on charges for additional devices or integrations configured, or delivery charges for different factor methods. Estimate and plan for how much it will cost to deploy multi-factor authentication to all of your apps and users. 

Administrative Software/Hardware Requirements 

Are these included in the software license? Additional management software is often required for some companies – without this, customers can’t deploy MFA. Does the service require the purchase and configuration of hardware within your environment? Confirm the initial and recurring costs for this equipment, and research the typical time and labor commitment necessary to set up these tools. For administrative access with tiered permissions based on license version, confirm all functionality you depend on is available or collect a complete list of necessary upcharges.

Authenticators 

Will you need to purchase hardware authentication devices? Physical tokens add inventory, management, and shipping costs to consider. For mobile authenticators, confirm if there is any per-device cost for soft tokens, or if an unlimited number of enrolled devices is permitted for each user license.

“You just feel like you’re constantly being nickeled and dimed with RSA. There’s the extra cost of re-upping the tokens on a three year interval, as well as add-ons and extra features. If you need to replace any of the broken tokens, you’re talking about another added cost. The whole program gets very, very expensive. We just weren’t comfortable with that at all.” —Security Analyst, Enterprise Retail Company

Vendor Consolidation

While network environments with a traditional perimeter defense model rely on a handful of key services to maintain visibility and enforce security standards, the growth of SaaS adoption has resulted in many piecemeal solutions to cover the expanded needs of securing cloud-based data and assets. Consider the hidden costs of complex integrations. A multi-functional MFA platform/portfolio player like Duo-Cisco helps you avoid these costs.

Secure access includes strong authentication through MFA to validate users, and may also include: 

• Endpoint management or mobile device management tools for defending against device compromise threats
• Single sign-on portals to centralize and simplify login workflows for users
• Log analysis tools to identify and escalate potential security threats
• Multiple dashboards to manage disparate services and cover unsupported applications, and more

Along with the redundant costs that can accrue from these overlapping services, each added tool increases complexity and the chances of human error or oversight. Finding a solution with comprehensive utility for secure access can reduce both initial and ongoing management labor costs.

Data Center Costs 

Do you have to purchase servers? Server hosting costs can add up: power, HVAC (heating, cooling and air conditioning), physical security, personnel, etc. A cloud-based solution will typically build these costs into the licensing model. 

High Availability Configuration 

Is this also included in your software license? Setting up duplicate instances of your software and connecting a load balancer with the primary instance, you can end up tripling your software costs. Deploying a redundant or disaster recovery configuration can also increase costs significantly. In fact, some vendors charge additional licensing fees for business continuity.

“The simple subscription-based pricing is easy to manage and we know exactly what we are getting.” —Wayne Keatts, Assistant Vice President & Information Security Officer Methodist Health System

Tip: Look for vendors with simple subscription models, priced per user, with flexible contract times.

Deployment Fees

Deployment & Configuration 

Find out if you can deploy the solution using your in-house resources, or if it will require professional services support and time to install, test and troubleshoot all necessary integrations. 

End-User Enrollment 

Estimate how long it will take each user to enroll, and if it requires any additional administrative training and helpdesk time. Discuss with your vendor the typical deployment timeframe expected with your use case, and seek feedback from peers to validate how this aligns with their experience. Look for an intuitive end user experience and simple enrollment process that doesn’t require extensive training. Keep in mind: token-based solutions are often more expensive to distribute and manage than they are to buy. 

Administrator Support 

To make it easy on your administrators, look for drop-in integrations for major apps, to cut time and resources needed for implementation. Also confirm the availability of general-purpose integrations for the most common authentication protocols to cover edge use cases, along with APIs to simplify integration for web applications. See if you can set up a pilot program for testing and user feedback – simple integrations should take no longer than 15 minutes. 

Patches, Maintenance & Upgrades

Annual maintenance can raise software and hardware costs, as customers must pay for ongoing upgrades, patches and support, and even search for new patches from the vendor and apply them. Look for a vendor that automatically installs software and updates the software for security and other critical updates, saving the cost of hiring a team. 

One of the perpetual benefits of SaaS and cloud-hosted services is that servers, maintenance and monitoring are covered by the provider’s network and security engineers, lightening the load for your team. Depending on your solution, you may have to manually upgrade to the latest version. 

You should also consider the frequency of updates c some vendors may only update a few times a year, which can leave you susceptible to new vulnerabilities and exploits. Choose a vendor that updates often, and ideally rolls out automatic updates without any assistance from your team.

Administrative Maintenance 

Consider the costs of employing full-time personnel to maintain your multi-factor solution. Does your provider maintain the solution in-house, or is it up to you to hire experts to manage it? Estimate how long it takes to complete routine administrative tasks. Is it easy to add new users, revoke credentials or replace tokens? Routine tasks, like managing users, should be simple. Sign up for a trial and take it for a test run before deploying it to all of your users. 

“Connectria Hosting reduced the number of help requests by more than 75% since deploying Duo.” —Steve Grzybinski, Director of Security and Compliance, Connectria Hosting

Support & Helpdesk 

Live support via email, chat and/or phone should also be included in your vendor’s service – but sometimes support costs extra. Consider how much time is required to support your end users and helpdesk staff, including troubleshooting time. 

Gartner estimates that password reset inquiries comprise anywhere between 30% to 50% of all helpdesk calls. And according to Forrester, 25% to 40% of all helpdesk calls are due to password problems or resets. Forrester Research determined that large organizations spend up to $1 million per year on staffing and infrastructure to handle password resets alone, with labor cost for a single password reset averaging $70.

If a solution requires extensive support from your IT or infrastructure teams, will you get charged for the time spent supporting your on-premises two-factor solution? Estimate that cost and factor it into your budget.

Token-related helpdesk tickets can account for 25% of the IT support workload. You should look for a provider that offers:

• Modern solutions with high value, upfront costs 
  
• Simple subscription model 
• Free authentication mobile app 
• No fees to add new apps or devices 
• No data center/server maintenance 
• High availability configuration 
• Automatic security and app updates 
• Administrative panel included 
• User self-service portal included 
• User, device and application access policies and controls
• Device health and posture assessments
• Device context from third-party security solutions
• Passwordless authentication 
• User behavior analytics 
• Single sign-on (SSO) and cloud support

Traditional solutions potentially have low upfront costs, but not much value. 

Lots of Hidden Costs: 

• Additional cost to add new apps or users 
• Administrative software/hardware 
• Authenticators – tokens, USB, etc.
• Data center and server maintenance 
• High availability configuration 
• Administrative support 
• Patches, maintenance and upgrades 
• Helpdesk support

Time to Value

Time to value, or speed to security, refers to the time spent implementing, deploying and adapting to the solution. Determine how long it takes before your company can start realizing the security benefits of a multi-factor authentication solution. This is particularly important after a recent breach or security incident.

Proof of Concept 

Setting up a two-factor authentication pilot program lets you test your solution across a small group of users, giving you the ability to gather valuable feedback on what works and what doesn’t before deploying it to your entire organization. 

Deployment 

• Implementation scenarios: Walk through likely implementation scenarios so you can estimate the time and costs associated with provisioning your user base. Cloud-based services provide the fastest deployment times since they don’t require hardware or software installation, while on-premises solutions tend to take more time and resources to get up and running. 
• Drop-in integrations: Most security professionals don’t have time to write their own integration code. Choose a vendor that supplies drop-in integrations for all major cloud apps, VPNs, Unix and MS remote access points. You’ll also want to look for a vendor that enables you to automate functionality and export logs in real time. Also, to save on single sign-on (SSO) integration time, check that your multi-factor solution supports the Security Assertion Markup Language (SAML) authentication standard that delegates authentication from a service provider or application to an identity provider. 

Onboarding & Training Users 

• Optimize efficiencies: A vendor’s enrollment process is often a major time sink for IT administrators. Make sure you walk through the entire process to identify any potential issues. For enterprises, bulk enrollment may be a more time-efficient way to sign up a large number of users. To support your cloud apps, ensuring your two-factor solution lets you quickly provision new users for cloud apps by using existing on-premises credentials. 
• Empower users: See if the solution requires hardware or software for each user, or time-consuming user training. Token deployment can require a dedicated resource, but easy self-enrollment eliminates the need to manually provision tokens. With a mobile cloud-based solution, users can quickly download the app themselves onto their devices. A solution that allows your users to download, enroll and manage their own authentication devices using only a web browser can also save your deployment team’s time.

Cloud-based services deploy faster because they don’t require hardware or software installation.

Required Resources

Consider the time, personnel and other resources required to integrate your applications, manage users and devices and maintain/monitor your solution. Ask your provider what they cover and where you need to fill in the gaps.

Application Support

Some multi-factor authentication solutions require more time and personnel to integrate with your applications, whether on-premises or cloud-based. Check that they provide extensive documentation, as well as APIs and SDKs so you can easily implement the solution into every application that your organization relies on. 

User & Device Management 

Like any good security tool, your multi-factor authentication solution should give administrators the power they need to support users and devices with minimal hassle. Look for a solution with a centralized administrative dashboard for a consolidated view of your multi-factor deployments. 

Your solution should also enable admins to:  

• Easily generate bypass codes for users that forget or lose their phones 
• Add and revoke credentials as needed, without the need to provision and manage physical tokens. 

Ask your provider if they offer a self-service portal that allows users to manage their own accounts, add or delete devices, and perform other simple tasks. 

Maintenance

Make sure that your solution requires minimal ongoing maintenance and management for lower operating costs. Cloud-hosted solutions are ideal since the vendor handles infrastructure, upgrades and maintenance. Can you use your existing staff to deploy and maintain this solution, or will you need to hire more personnel or contractors to do the job? Ask your vendor if monitoring or logging is included in the solution. 

A solution that requires many additional resources to adapt and scale may not be worth the cost and time. Evaluate whether your solution allows you to easily add new applications or change security policies as your company needs evolve. 

Can your staff deploy and maintain the solution, or will you need to hire more personnel or contractors?

High-Availability Architecture for Duo

Duo has maintained uptime of greater than 99.99%, with a hard service level guarantee backed by SLA. Duo’s servers are hosted across independent PCI DSS, ISO 27001-certified, and SSAE 16-audited service providers with strong physical security. We provide a high-availability service split across multiple geographic regions, providers and power grids for seamless failover, and our multiple offsite backups of customer data are encrypted.

This is important because if an outage occurs on the vendor side, there are business costs assumed with that, for example employees are unable to access critical work resources. 

Administrator

Deployment Costs

Traditional MFA solutions require physical equipment that must be purchased, racked, configured and integrated with existing IT equipment. Additionally, there are costs associated with purchasing and managing hard or soft tokens.

Duo is cloud-based and comes with hundreds of out-of-the-box integrations, making deployment quick and easy. Duo supports VPNs, RDP, Microsoft OWA and cloud apps such as Salesforce, Box and Office 365.

Ongoing Costs

To keep your security solution free of vulnerabilities, MFA patches need to be installed on a timely basis. Traditional solutions require in-house IT support, which can be time and resource-consuming.

Duo doesn’t require any IT support. New updates are pushed every two weeks to ensure your MFA is updated to protect against new threats. Duo also allows your users to self-enroll and manage their own devices, effectively reducing IT helpdesk requests.

End Users

Deployment Costs

Traditional MFA solutions require a significant amount of administrator time to roll out tokens, educate and train users to use tokens.

With Duo, users enroll themselves when they sign into applications. Users can use their smartphone for authentication. IT needs fewer resources to deploy MFA solutions to users.

Ongoing Costs

Traditional 2FA solutions use SMS and soft or hard tokens to authenticate users, which requires users to manually type OTP codes into browsers.

Duo’s mobile app sends push notifications to users’ phones, allowing them to log in quickly by tapping an Approve button — increasing productivity and security

Duo has an upfront value without hidden fees in the future. Duo is more than MFA. Duo MFA, Duo Device Trust, Duo Network Gateway (DNG) and Duo Trust Monitor combine into one trusted access solution and can secure remote access to on-premises infrastructure and prevent breaches from easily getting access in the first place.

Device Trust checks the health of a device, managed or unmanaged, before granting access to the network and can block untrustworthy devices.

The Duo Network Gateway allows your users to access your on-premises websites, web applications, and SSH servers without having to worry about managing VPN credentials, while also adding login security with the Duo Prompt and Duo SSO. 

Trust Monitor is machine learning software that continuously monitors your authentications looking for anomalies and flags them with an alert when found. 

Choosing vendors is always a bit of a challenge. Knowing upfront what you're buying and any restrictions makes it easier to make an informed decision. At Duo, we provide not only upfront MFA, but also extra strong security, with more security features to protect your credentials and authentications, and we grow with you.

“Duo provides fast deployment without complicated applications to roll-out or educate end users to use.” —Sean McElroy, Chief Technology Officer Alkami Technology, Inc.

Last fall, we shared the exciting news that customers would soon be able to customize the look and feel of the Duo Prompt as part of the Universal Prompt project. Now, one year later, we are excited to announce the General Availability of custom branding for Universal Prompt, Duo Single Sign-On and Duo Passwordless. The best part? We’ve made it super simple to set up, and we’ve taken the guesswork out of how the new experience will look to your end users.

An Improved Settings Page

Branding lives on our Settings page in the Duo Admin Panel. You can now select an accent color and background image or color in addition to your logo. We’ve also expanded our image dimensions to accommodate horizontal logos in addition to squares. 

Mirroring the look and feel of your organization when they hit the Duo prompt or SSO login is key to making users feel like they are in the right place. Our side-by-side branding editor compares what the prompt currently looks like to users against the new look and feel, so you can be sure your logo, color and background are just right before pushing any changes out to end users. 

See the video at the blog post.

You can continue editing your branded Duo experience as long as you like. We know that there might be multiple stakeholders who want to approve the updated Duo branding before it goes live, so we’ve included options to save drafts and preview the branding with a select set of users. If you choose to test with some users, you can select individual Duo users and only they will see your draft branding for Universal Prompt. You can rest easy that you won’t accidentally change the whole Duo experience for your organization without ample warning for your users.

Publishing Is as Easy as 1-2-3

Once you are ready, simply click “Publish to everyone,” and your branding will be live. You’ll notice that what was once your Draft branding has now become your Current branding. As soon as you start a new draft, you’ll see it appear to the right of the current branding.

Help Users Help Themselves

There are all sorts of reasons an end user might have trouble with 2FA. Maybe they got a new phone or left a device at home. We want to ensure they can get to their applications as quickly as possible. Coming soon, you’ll be able to provide localized help text to let users know which Slack channel to pop into or who to email so that they can quickly get the help they need.

Salesforce is putting new policies in place next month to better protect their customers and keep their data secure. Starting February 1, the leading customer relationship management company will require all customers to use multi-factor authentication (MFA) — and Duo is among the top solutions they recommend.

“On their own, usernames and passwords no longer provide sufficient protection against cyberattacks. ... With threats like phishing attacks, credential stuffing, and account takeovers on the rise, MFA is one of the most effective ways to prevent unauthorized account access.” —Salesforce Multi-Factor Authentication FAQ

So what exactly counts as MFA? While some companies use SMS or email to share a one-time passcode to log in, this simple two-factor authentication (2FA) method will not satisfy the new requirements. VPNs, password managers and trusted devices, (all great security measures) will not count towards compliance either. Salesforce is very explicit about what is and is not MFA and has provided an MFA Requirement Checker to ensure your company has satisfied the requirement.

For companies that do not comply, there are significant consequences, including legal liability for cyberattacks and potentially blocking access to Salesforce in the future. However, Salesforce is providing multiple options to make sure all organizations have the support and resources they need to take action. 

One potential solution is the Salesforce Authenticator app. This free app works on all Salesforce products and is an option to ensure all organizations have access to MFA. While the Authenticator app is a good backup, Salesforce recommends using MFA delivered via third-party single sign-on (SSO). Fortunately, Duo’s SSO and Duo’s MFA solutions can easily address these concerns.

“If your company is already using an MFA solution like Duo™, we recommend integrating your Salesforce products with that system instead of enabling a Salesforce product's MFA functionality. Integrating with an existing solution may reduce your timeline and costs for implementing MFA. And it can minimize friction and change management needs because your users are already familiar with your existing system.” —Salesforce

With Duo, you can protect unlimited applications in addition to Salesforce and make it easy for your employees to securely access their accounts. Duo also offers flexible authentication options that you can implement based on your unique users and needs. Additionally, it can take a few hours (or often even less!) to deploy across your workforce, making it the ideal solution for security teams that are concerned about the February 1 deadline sneaking up on them. 

Ultimately, Salesforce is hoping that this new policy is not just another security box that the company has to check, but part of a long-term strategic vision. “Our goal in requiring MFA is to give you the incentives and tools to prioritize strengthening the security of your Salesforce environments. We encourage you to work with your Security and IT teams to align the MFA requirement with your company’s overall security objectives.”

To learn more about how Duo can help you comply with the new requirement, read about our Top 5 Considerations When Enabling MFA for Tableau Online and Other Salesforce Products. To get started right away, sign up for a free 30-day trial.

It’s a new ending to a familiar story of frustration for users trying to access internal company resources. 

The Remote Desktop Protocol (RDP) feature for the Duo Network Gateway prompts users to authenticate only when necessary, instead of first having them try and fail, forcing them to try again after logging into the company’s virtual private network (VPN).

Now that this friction-reducing feature is in public preview, we wanted to share some inside perspective on how it works and what informed our design.

A Familiar Story

We are all very familiar with the current state of remote access with a VPN:

• Try to access internal company website
• Fail to access internal company website
• Wonder why it’s failing for a moment
• Log in to the VPN
• Try to access internal company website again and hopefully succeed

The Duo Network Gateway (DNG), a VPN-less remote access proxy gateway, elegantly solves this problem for websites, streamlining the end user’s experience:

• Try to access internal company website
• Get prompted for authentication with your identity provider (IdP)
• Get prompted for multi-factor authentication (MFA) with Duo
• Proceed to internal company website

End users are only re-prompted to authenticate if their session expires or is terminated by an administrator.

A User-Centered Flow

We love this flow: Users do the thing they want to do, and they might get prompted to authenticate if necessary. We don’t love this flow: Users do the thing they want to do, but, if it fails, they have to think about what to do next. 

For SSH connections, the DNG and DuoConnect (our lightweight client for remote access) can leverage the SSH client’s “ProxyCommand” capability, which allows administrators to modify SSH configurations and specify that certain connections should be using DuoConnect with some specific arguments.

With the DNG, connecting to an SSH server is as simple and frictionless as accessing a web server: after initiating the SSH connection the user will be asked to authenticate through a web page if needed. Otherwise, the DNG stays out of the way.

Unfortunately, other protocols — and RDP in particular — don’t have a comparable “proxy” option to specify a relay and a host (like SSH), and they don’t carry enough information to allow DuoConnect and the DNG to infer the destination and state of authentication for an incoming request (like HTTP(s)/web).

We’ve worked hard to replicate this seamless experience for RDP connections. With the new architecture, if a user (for example, Sally) wants to connect to their desktop (for example, sallys-desktop.example.local), which is inside the corporate network, they simply open their RDP client and connect to sallys-desktop.rdp.example.com. If they need to authenticate, a browser will pop up and ask them to do so. Otherwise, the connection is seamless. Notice that the hostnames used to connect here are different, which we’ll explain in the next few paragraphs.

How it Works

The DNG uses two components to make this work: relays and subdomains.

Similar to SSH relays, RDP relays serve as a point to relay traffic to the internal network and a point of authentication. You can protect multiple RDP servers behind one RDP relay, and the relay would have its own hostname (for example, rdp-relay.example.com).

Due to the absence of a “proxy” configuration, we rely on a subdomain being delegated to the DNG. You configure the DNG with an external/internal pair of subdomains, where the external subdomain is delegated by your main domain to the DNG, and the internal subdomain is one that is resolvable within the corporate network.

For instance, if the company name is “Example, Inc.” and it owns example.com, the domain administrator can delegate rdp.example.com to the DNG (via public DNS), and configure the DNG subdomains configuration to make rdp.example.com correspond to example.local. 

When Sally attempts to connect to sallys-desktop.rdp.example.com, the DNG will receive the request, correlate it with the existing relay configuration and Subdomains configuration, assign a random temporary IP address to the name sallys-desktop.rdp.example.com, and send it back to the RDP client.

The user’s machine initiating a connection to RDP Server. Actual request path may differ.

When the temporary IP assignment is received, the connection is internally routed to the installed DuoConnect. Upon receiving the connection, DuoConnect will contact the configured DNG to start the authentication process (if necessary) and tunnel the connection through the RDP Relay at rdp-relay.example.com.

If you’ve purchased Duo Beyond, you can participate in the public preview of RDP support for the Duo Network Gateway.

The holiday season is critical for the retail industry in the U.S., which has increasingly been facing cybersecurity challenges. Earlier this year, the Biden Administration’s Executive Order on Improving the Nation’s Cybersecurity aimed at improving efforts to “identify, deter, protect against, detect, and respond to these actions and actors.”

American consumers lost $56 billion to identity theft last year with an average of 49 million consumer victims, according to a CNBC News report. The 2021 Identity Fraud Study by Javelin Strategy & Research reports the identity fraud resulted from stolen personally identifiable information (PII) and data breaches. Retailers have to protect consumer PII and stay compliant to PCI DSS, GDPR, CPPA and more. The breaches could easily be prevented by leveraging a zero trust security posture and implementing multi-factor authentication (MFA). 

The 2021 Executive Order from the White House in conjunction with the Federal Trade Commission outlined MFA as a security requirement for all federal contracts to apply to manufacturers of retail Internet of Things (IoT) devices and software. This indicates that the software systems retailers use will soon follow stricter cybersecurity hygiene practices detailed in the Executive Order. PCI DSS already requires MFA as a standard to protect PII of consumers for multi-layered protection.

“A secure authentication experience is a foundational security control for any organization. It is also the control that every employee, contractor and partner sees. Using continuous trusted access policies to manage authentication means their systems and data is protected.” —Helen Patton, Advisory CISO, Duo

Breaches don’t just impact retail consumers — retail and corporate employees also suffer consequences. Retail is critical to the U.S. economy; it added $3.9 trillion to the annual gross domestic product in 2021 and is the largest private-sector employer. With 52 million Americans working in retail, one in four U.S. jobs are in the industry, according to the National Retail Federation. As a result, there are many opportunities for bad actors to benefit from hacking campaigns that rely on the human element.

The federal government has recognized that adopting a zero trust approach, including strong MFA and device trust, is the best way to thwart ransomware and cyber attacks. With the directive including guidance for creating a consumer label law for software and mandatory reporting of breaches, there is a strong possibility that today’s guidance will become tomorrow’s regulations. MFA requires multiple factors in order to establish trusted access, including something you have (a device), something you know (a password) and something you are (a biometric). It’s virtually impossible for a hacker to have a combination of all three factors. By providing this additional layer of security, MFA can be 99.9% effective in preventing account compromise.

Retail has been hit hard over the years, from the famous Target breach to the Home Depot malware attack and TJ Maxx’s credit card breach. Retail stores have been struggling as more shoppers go online, and the pandemic knocked many out of the playing field altogether. Resources for security are not top-of-mind, but focusing on online orders and getting workers remote access is. As shoppers are starting to spend more and return to retail, security needs to be front and center not only to meet the requirements of the Executive Order, but also most compliance laws and cyber liability insurance requirements. 

Duo is more than just MFA. Our trusted access platform monitors and prevents unauthorized devices from logging into your applications and continuously monitors with adaptive access, giving permission to those who need it and blocking those who don’t. Security can be complicated, but Duo makes it easy to roll out and install for employees at all levels of access. Even if a breach occurs, Duo can contain it by preventing lateral movement to other critical applications and data. Retailers can focus on running their business and let Duo’s strong protection do the rest. 

Further Reading About Securing Retail

• Duo’s Retail Industry Solutions
• How Sonic Automotive Reduced Risk of Breach and Improved Productivity With Duo
• How Threadless Simplified MFA and Met PCI DSS Compliance With Duo
• Why an Enterprise Retail Company Upgraded from Traditional 2FA to Duo

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

Passwordless is a sea change in authentication. We’ve spent the last 60 years relying on shared secrets to access digital resources and moving away from that is no small task. However, the transition will be worth the effort. Passwordless authentication provides the rare opportunity to increase our access security drastically while simultaneously improving the user experience — a compelling prospect!

However, as someone researching this new technology, you might be overwhelmed with all of the buzz — asking questions like “How do I even get started?” or “Does everything have to change?!” 

We’re excited to announce a public preview for Duo Passwordless using our Duo Single Sign-On solution — with a core focus on making this new technology as easy as possible to adopt in your organization. 

See the video at the blog post.

We adhered to a few simple principles as we developed the product. It needed to: 

• work for any user, on any device 
• integrate with existing infrastructure
• and minimize setup time for both admins and end users.

Therefore, we’ve built out our feature set with each of these themes in mind. 

To enable any user on any device, we’ve made sure that our passwordless solution supports platform biometrics on Mac, Windows, iOS, and Android. For users that don’t have access to a device with built-in biometrics, we’ve added support for FIDO2 security keys that can verify users. Users can also enroll multiple passwordless authenticators. By offering several passwordless device options, we’re hoping to make it easy for users to get up and running with this new technology. 

In order to flexibly fit into existing infrastructure, we’re offering several set-up options. We recommend using Duo SSO. It’s a cloud-delivered SSO solution that includes all of our deep security features. And for customers leveraging an existing SSO solution, we’ve built easy integrations so that you can use our passwordless functionality in those cases as well. 

Finally, and this is key to our offering, we’ve made things easy to set up and use. For administrators, configuring passwordless authentication in their Duo environment takes minutes instead of hours. Administrators can also set policy around which applications and user groups should get passwordless as an option, making it simple to phase the roll out of the new authentication method. On the end user side, we’ve made enrollment simple, with intelligent prompts that suggest available passwordless options while providing important information about biometric security and privacy.

For those of you intrigued by passwordless authentication, and who’d like to learn more before diving in, our Administrator’s Guide to Passwordless provides an incredibly in-depth look at this new technology. Start there, and come back!

Why Did We Start With SSO? 

When thinking about how to implement passwordless technology, you really have two problems to grapple with. The first is an integration problem — how do I insert passwordless technology into my user flows? The second is an authentication problem — what technology do I use to verify identities without relying on a password? 

Both of these are hard problems! The integration problem however, aligns with an overall push towards consolidating application access to single sign-on technologies that has been years in the making. When you evaluate authentication use cases in your environment, there’s a decision to be made. You can integrate a passwordless solution directly into older applications or you can upgrade that application to support SAML. 

For Duo, most customers we spoke with are already embarking on projects to move away from legacy authentication types for a variety of reasons. Passwordless is simply another incentive to move that RADIUS-based VPN to SAML. Our goal is to help you go passwordless with the broadest amount of use cases possible and starting with SSO first lets you do that!

We definitely recognize there are some legacy use cases that aren’t going away anytime soon (like that vendor-owned software that hasn’t updated in 10 years that’s definitely not adding SAML support anytime soon). Thankfully, Duo can already help you provide MFA for all sorts of integrations, and we plan to help you support these with passwordless authentication in the long-run as we continue to evolve the product. 

What’s Next? 

We’re pretty excited about the future of biometrics for authentication. In user research we’ve conducted, we’ve found users are pretty excited too! It’s common for end users to be well acclimated to biometrics from consumer use cases and in research we’ve done, more than 70% of users tell us they’re interested in using biometrics in the workplace as well. 

We’ve also heard from customers however, that there are plenty of use cases where you might not be ready for biometrics yet. Older hardware, regulatory compliance, or simple end user preference means having a variety of authentication options is critical. As such, we’re working hard to enable Duo Mobile as a passwordless authenticator as a next step before we make the product generally available.  

How Do I Sign Up?

Passwordless authentication is rolling out as an early-access preview to customers over the next week; the feature will be available in MFA, Access, and Beyond editions. It will show up in your Duo Admin Panel under Single Sign-On > Passwordless. Note, however, there are some restrictions on the public preview. Initially, Duo Passwordless will roll out to customers on our U.S. and Ireland deployments. If outside of those regions, Duo Passwordless will deploy on a rolling basis as we approach General Availability. 

To get started with passwordless authentication in your environment, check out our passwordless documentation.

We’re excited to be a part of this authentication revolution and help folks on their journey to a passwordless future. Please reach out to sales@duo.com with questions, comments, and feedback.

Learn More About Duo’s Passwordless Solution

See the video at the blog post.

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

The “great supply chain disruption” is causing chaos around the world for everyone from farmers to automakers to consumers. What is less appreciated is that supply chain changes can pose new challenges not just for logistics, but for IT security as well.  

New ways of working can increase the resilience of an organization, but they require additional levels of disclosure and uberrimae fides — utmost good faith — between security teams, and not just a tick-box approach.

For the last few years, one of the main topics in the cybersecurity world has been the dissolving perimeter, which increasingly places resources and assets outside our immediate sphere of control. Critical applications are now held within other computers in the cloud or accessed by remote users on their personal devices.

The response has been an evolution in security, where checks and balances are performed by a variety of controls that authenticate the user, their devices and the data stores at the point of access.

One key area that affects an organization’s security posture is its business relationships with third-party suppliers who provide the parts and content to produce an organization’s products.

In simple terms, there are two main strategies: relying on a small group of critical specialist suppliers or on multiple suppliers. The latter reduces the risk of a single point of failure to production, as if one supplier fails then an alternative can be used to ensure production resilience. Alternatively, an organization may adopt a strategy to focus on a close relationship to reduce costs or simply because there are limited suppliers producing that particular item. Disruption to this element of the supply chain may impact the resilience of the organization severely.

This risk will ebb and flow as the nature of the supply chain changes. For example, when faced with volatile changes in shipping rates, some firms have decided to onshore production to new partners. With closer technology dependencies between organizations and suppliers, security teams need to be able to react swiftly to these changes.

Meanwhile, how we view these third-party relationships from a security perspective should also change to match the business strategic need. The further along the chain and the further away from the organization, the more difficult it is to understand the risk posed with the third parties. As one CISO said to me, “With immediate suppliers you can learn how to trust; beyond them you need to learn how to pray.”

How IT Teams Can Respond

A typical approach involves third-party assessments in which the status of controls is requested. This is generally designed to make sure that core frameworks such as NIST, ISO 27001, or CIS are followed. These assessments can be time consuming for all concerned.

The next step should be a more proactive approach with joint activities to ensure that there is alignment and understanding between the security teams in the supply chain. One of the characteristics is the willingness to collaborate. Greater communication, backed up contractually if necessary, is needed. These CISO-to-CISO conversations may feel awkward, but they are necessary, the authors of a recent McKinsey.com article stressed.

In fact, more than just conversations are needed. Already CISOs often chat offline. However, more concrete steps might be necessary with key suppliers. These might include:

• Running joint exercises to understand when, where and how incidents may occur.
• Joint penetration testing with shared results to identify potential issues.
• Creating response plans so that coordination activities can be implemented instantly.
• Developing close links between security operations centers so that any potential attack is identified amongst the teams.
• Setting up communications links between teams looking at intelligence feeds so that they can compare notes and alerts.

It can be argued that these approaches may occur through industry bodies already, but a more proactive stance will require more specific actions with key third parties and not just audits and assessment.

This change in thinking also requires gaining buy-in from the business colleagues who may be reluctant to share sensitive information.

The risks and the mitigation need to be clearly communicated along with the business benefit of increased resilience. Within the governance model executives will need to be briefed on the systemic risk of third parties from the security aspect, and an evaluation of third-party risk should be promoted as part of board responsibility.

So, while supply chain disruptions present new IT challenges and risks, those risks are not insurmountable with thoughtful, strategic cooperation within organizations and between partners.

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

One of our core tenets at Duo is to help organizations provide workforce users with a seamless authentication experience while reducing the administrative burden on IT and helpdesk teams. We continue to enhance our secure access capabilities while centering an easy, effective user experience. 

Active Directory is the most popular authentication source connected to Duo Single Sign-On (SSO), accounting for almost 80% of all Duo SSO setups. Today, we’re excited to announce a new feature that will make that setup even better: expired password resets!

Let’s take a step back and look at how applications, of all sorts, have handled authentication for as long as we can remember. Most commonly, these applications communicate directly with Active Directory over Lightweight Directory Access Protocol (LDAP). With that authentication flow in place, and with a handful of Microsoft prerequisites, many applications added the ability for users to reset their expired password through the site or client so that users could access their application without needing to take up crucial helpdesk time. 

Over time, customers are increasingly moving toward a federated authentication workflow where their applications no longer communicate directly to Active Directory and instead communicate to a third-party identity provider. This often means that all of the benefits of native in-line password reset is lost and that users are often blocked. With our new Expired Password Resets feature in Duo SSO, we want to provide the easiest experience for users and let them quickly reset their expired password, log into their application, and get on with their day.

In the 90 days leading up to this release, more than 60,000 users have been blocked due to expired passwords among customers running updated versions of our Duo Authentication Proxy. 

Expired password resets with Duo SSO allow users to reset their expired Active Directory passwords while authenticating through Duo SSO. After a user attempts to log into Duo SSO, they’ll be informed that their password has expired and may change their password after completing multi-factor authentication (MFA).

Once the user successfully completes MFA they’ll be prompted with a page similar to this, which will show them your Active Directory password requirements:

They’ll be asked to type in their currently Active Directory password, followed by a new password that would be typed in twice.

To use Expired Password Resets for Duo SSO, make sure that the following settings are set for your SSO Active Directory Authentication Source: 

• Must be using LDAPS or STARTTLS
• Cannot be using the Global Catalog
• Must be running Duo Authentication Proxy version 5.5.0 or higher

That’s it! If you already meet the requirements above, you’re one radio button away from giving your users a more streamlined authentication experience!

Learn about Duo SSO Active Directory Expired Password Resets, and read the guides for Duo SSO and Expired Password Resets that can be shared with your users.

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

The Windows Remote Desktop Protocol (RDP) is often used for working remotely and providing IT support. Nearly 4.5 million RDP servers are exposed to the internet alone. The protocol is also, unfortunately, a common cyberattack vector. In 2020, attacks against Windows RDP grew by an incredible 768%! Additionally, the rapid shift to work from home resulted in thousands of RDP users and RDP-enabled machines connecting from outside the traditional network perimeter, thereby increasing the risk of cyber threats and data exposure. 

As a result of the ever-growing threat that RDP presents, it becomes crucial to ensure secure connections to hosts that are being accessed via RDP. Strong multi-factor authentication (MFA) is a fantastic step forward with features like device posture assessments and access control. Given the threats surrounding a machine that is accessible via RDP through the internet, we can instead place those machines behind a front-end, such as the Duo Network Gateway (DNG), without foregoing the streamlined end user experience people have grown accustomed to. 

End users do not have to launch a VPN client as the traditional extra step when gating access to RDP hosts. Instead, they simply launch their RDP client of choice and connect to the resources they require. During the initial connection to an RDP resource, the default Web browser launches to perform primary authentication against the organization’s SAML 2.0 Identity Provider and then MFA is performed with Duo. After this in-line authentication, the secure RDP connection is established, and the end user is ready to go. 

Public Preview Available Now 

Duo has been testing out RDP with Duo Network Gateway, and during the private preview we received positive feedback. One administrator stated that they “upgraded Duo Network Gateway and everything is working as expected. Client side is super easy.” We’re eager to hear your feedback to inform our next steps.

Today, we’re happy to share that RDP protocol support for Duo Network Gateway is in public preview for Duo Beyond customers. The DNG will allow users to securely and easily access on-premises applications and desktops via RDP, without requiring a VPN connection. 

Adding RDP support to the Duo Network Gateway has been a highly requested capability among Duo customers, so we’re especially excited to bring this to the market. Better yet, we’ve developed an architecture for the Duo Network Gateway that allows for protecting RDP today and more Transmission Control Protocol (TCP) services over time. In the coming months, as we continue to learn from our customers about the applications that they are most interested in protecting with the Duo Network Gateway, we will support additional protocols. 

If you’ve purchased Duo Beyond, you can participate in the public preview of RDP support for the Duo Network Gateway. For more information, reach out to your Duo contact.

One of the worst outcomes of a lack of a strong zero trust security foundation is a ransomware attack. The modernization of ransomware, coupled with Ransomware-as-a-Service (RaaS), has made it incredibly easy for attackers to launch a ransomware attack, which becomes an incredibly difficult problem to solve. Human error underlies the success of most attacks. In our guide, Protecting Against Ransomware: Zero Trust Security for a Modern Workforce, we walk you through the anatomy of an attack and how you can protect your organization. 

Officially classified as cyber terrorism, we’ve now seen large-scale ransomware attacks on everything from government, to healthcare, to supply chains, education and financial institutions. The reality is that ransomware is not going away any time soon, and the best offense is a good defense — and the best defense begins with trusted access based on zero trust principles. 

Companies that have not strengthened their security posture for this change or fortified their internal security education create an easy way in for bad actors. Gartner reports that 57% of breaches involve employee/third-party negligence. According to ZDNet, Remote Desktop Protocol (RDP) is the number one exploit that threat actors leverage to gain access to Windows computers and install ransomware and other malware, followed by email phishing and VPN bug exploits. 

The good news is that Gartner reports 90% of ransomware is preventable. Multi-factor authentication (MFA) is the key to preventing password credentials from being stolen and unwanted access from being granted, and the first step to achieving a zero trust framework.

In this guide you will learn:

• Why remote work has colluded with the increase of ransomware attacks
• A step-by-step look at how ransomware attacks work
• The history and rise of ransomware gangs
• How ransomware has matured into a full-fledged business
• How to adopt zero trust principles through trusted access and MFA as protection against ransomware

Zero trust assumes a breach will happen. The modern workforce is more mobile than ever before. Users and devices can connect from anywhere — so companies must protect them everywhere. A zero trust security model establishes trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application.

Download the guide Protecting Against Ransomware: Zero Trust Security for a Modern Workforce, and learn how zero trust can help stop ransomware before it ever starts. 

Why You Need Single Sign-On (SSO)

Today’s workforce leverages many applications. The average employee has access to 35 unique apps, while some organizations manage hundreds. Organizations of all sizes must manage multiple usernames and passwords due to the widespread usage of Software as a Service (SaaS) applications. This can be frustrating for employees and taxing on Information Technology (IT) teams. 

According to a recent global survey Duo conducted of IT professionals and end users spanning thousands of respondents, 51% of end users forget or reset a password every week, 57% respondents noted that they reuse passwords across multiple sites, and 78% of respondents create new passwords by adding a number or symbol to the end of an old password. Each of these password-related challenges can exacerbate the security risk of compromised credentials which play a role in the majority of breaches, according to the Verizon Data Breach Investigations Report.

SSO can help users and IT teams work more efficiently. It not only reduces the burden placed on the end user to create and manage multiple passwords, but also alleviates the hassle of remembering and resetting passwords for all the apps being accessed for work. Essentially, SSO reduces password fatigue.

Users only need one set of credentials, such as their corporate email and password, to log in the first time (during a session) to the SSO portal and subsequently gain access to internal applications as policy permits. Security admins can create flexible security policies for any app. Plus, helpdesk teams can significantly reduce time spent helping users reset passwords as often, or at all, for many apps. This saves IT departments time and money and allows them to focus on other high-priority business initiatives. 

5 Things To Look For in a SSO Solution

There are five key factors you should consider when researching and evaluating single sign-on solutions:

Security Focused 

In addition to enabling an easy login experience for users, SSO serves as a key point for enforcing security policies. The security administrator should be able to build and enforce application access policies based on user group, location and device trust (whether the device is managed or unmanaged, certain security features enabled or disabled, etc.) from a simple, intuitive administrative dashboard. The administrator should also be able to generate reports and analytics of anomalous user behavior. Furthermore, the SSO application dashboard for end users should be protected with multi-factor authentication (MFA) to reduce risks of phishing and other identity attacks that could compromise credentials.

Fast and Easy to Deploy, Administer and Manage

SSO must be fast and easy to deploy so that organizations can rapidly and constantly reap the benefits of user productivity and cost savings. Because users no longer have to manage multiple passwords and get help resetting them, the help desk should save time or at least be contacted less frequently. As a result, SSO can also contribute to lower help desk costs. If the solution is easy to administer and manage whenever new applications are onboarded, and if there are self-service options such as Active Directory (AD) password reset, it saves time and reduces administrative burden.

Works with Various Identity Providers and Applications

The SSO service should integrate with any Identity Provider (IdP) that the organization has invested across their user base, such as Microsoft, Okta and Ping. Organizations are very unlikely to switch their IdP just to adopt SSO. As such, SSO should work seamlessly with any existing IdP.

Many organizations also have environments with more than one independent user directory (also known as a forest). This can be for a variety of reasons, including the result of a merger or

acquisition. The SSO solution should support multiple untrusted forests so that organizations can deploy SSO to all users while improving the security posture.

Because the modern workforce relies on many different web applications (e.g., Microsoft 365, Google Workspace, Workday, Box, Salesforce, etc.), homegrown and customer apps, on-premise apps and virtual desktops, the SSO should work with them either through native integration or a custom configuration by the administrator. In particular, Security Assertion Markup Language (SAML) is one of the most widely adopted protocols used to perform federated SSO from the IdP to the application service provider. It’s optimal that your SSO solution supports any application that follows the SAML version 2.0 standard and others such as OpenID Connect.

Provides the Best User Experience and Customization

SSO should be easy to use. There should be a centralized application dashboard (web-based portal) with icons and names of the applications that users can simply navigate — no time wasted trying to remember or search for individual web site links. Also, SSO should integrate with remote access solutions for simplified, secure access to sensitive internal applications.

End users (employees, contractors, and vendors) expect that any time they interact with their company’s website, internal apps and services, and web portals, each entity’s look and feel will be familiar and trustworthy. Therefore, the SSO solution should allow the administrator to customize the SSO login page and application dashboard that users see.

Builds Toward the Future 

The SSO solution must also keep pace as new cyber threats emerge and adversary tactics evolve. When migrating applications to SSO, you should expect to see continuous improvements in support and capabilities. SaaS offerings are meant to be easy and seamlessly provide more value to any application already integrated through granular access policies, adaptive authentication, or a truly passwordless experience.

Simple, Secure Single Sign-on from Duo

In 2015, Duo launched an on-premises SSO solution, Duo Access Gateway, used by thousands of organizations to enable secure access to on-premises and cloud-based applications. In 2020, we launched Duo Single Sign-On (SSO), a cloud-hosted SAML identity provider (IdP) that provides users with an easy and consistent login experience for any and every application (on-premises or cloud-based). Duo SSO is easy to set up and manage and enables users to log in to a single, MFA-protected dashboard, Duo Central, to gain access to all their apps. Furthermore, Duo SSO integrates seamlessly with Duo Network Gateway, a VPN-less solution for zero-trust access to on-premise internal applications. Duo SSO is used by thousands of large and small organizations globally. Learn more about Duo Single Sign-On.

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

One challenge for IT departments across organizations has remained the same for decades: “How do we balance security and productivity while allowing our employees access to corporate resources?”

Due to cloud adoption, Bring Your Own Device (BYOD) and remote work, this challenge has only increased in complexity. IT departments strive to provide employees the best possible access experience to boost productivity. At the same time, security professionals want to ensure that sufficient access security controls are in place to safeguard corporate data. 

To maintain security while minimizing user friction, IT administrators should consider three key factors: 

1. Making authentication more intuitive and accessible for all users
2. Reducing the number of times users need to authenticate based on trust signals
3. Decreasing the time and effort it takes for users to enroll and authenticate

Duo’s multi-factor authentication has the reputation of being as easy to use as it is effective. But in the world of technology, change is the only constant. New web frameworks and evolving UX standards have created room for improvement. And Duo is marching ahead with its mission to democratize security by making it easy and effective for organizations of all sizes to secure workforce access. 

A Radically Simple New Look and Feel

The new Universal Prompt radically simplifies the authentication experience by displaying a modern and clean UI. The prompt minimizes user friction when performing multi-factor authentication. To facilitate a faster, easier and smoother secure authentication, the new UI displays only the most relevant and imperative information to users. Along with the new authentication prompt, we’ve improved the user enrollment experience, creating a more intuitive new self-service portal experience.

“80% of users say the new authentication experience with Universal Prompt is faster and easier.” —Duo UX Research Team

And that’s not all — accompanying this new prompt experience is the new Duo mobile app to enhance end-to-end authentication workflows. Check out what’s new in the redesigned mobile app.

See the video at the blog post.

Duo’s new authentication with the Universal Prompt is currently available as public preview for all paying customers. We currently have more than 2,200 customers who have enabled the new prompt experience and processed more than 6.5 million authentications in the last month alone.

Then and now: Duo Universal Prompt at a glance

Why Upgrade to the New Authentication Experience?

Streamlined Authentication

Consider the number of times a user has to interact with a security tool such as MFA. This security becomes an annoyance and impedes productivity as the frequency of user interaction increases. Yes we are aware of “MFA Fatigue.” Now, imagine if you could perform a strong authentication that's resilient against phishing and man-in-the-middle attacks with minimal user interaction, once a day and you can get on with your work? 

That’s the experience the Universal Prompt delivers. The prompt now remembers the last used authentication method, and if the authentication method used was Duo Push the prompt then automatically sends a push notification to the user's registered device. These enhancements reduce the number of actions needed to perform multi-factor authentication and users can verify their identity in one seamless workflow.

Informed by Modern Protocols

WebAuthn, a FIDO2 standard, has emerged as the new benchmark for modern strong authentication. Duo already supports WebAuthn as an authentication method for browser-based applications. With the new MFA prompt, Duo extends that support to a wider variety of browsers and even thick client applications that support modern authentication.  

In addition, OIDC has been gaining popularity as an open standard, decentralized authentication protocol. We’ve introduced new WebSDK (v4) and authentication APIs that add support for the OIDC authentication standard that developers love. Adopting the OIDC standard for application integration enhances the overall security of MFA deployments.

Driven by Inclusivity

With a strong focus on human-centered design principles, Duo Universal Prompt delivers an inclusive authentication experience that minimizes friction for all users. The Universal Prompt is easy to read, with big action buttons and the ability to be controlled by voice or other assistive technologies. The prompt respects user settings (moving images, animations) and provides an improved color contrast. Through these features, Duo helps organizations comply with accessibility requirements by meeting the Web Content Accessibility Guidelines (WCAG) 2.1 standards at the AA level. Learn more about Duo’s commitment to accessibility.

Security Your Way

Organizations today have global workforces. The IT departments for these organizations need to ensure that employees get a consistent authentication experience among all regional language needs and accessibility requirements.

Universal Prompt also enables global organizations to deliver an on-brand experience for user authentication by allowing IT administrators to incorporate elements such as company logos, primary color, and custom background and customizable text into the prompt. This not only adds a layer of user-centric approach to security by allowing users to authenticate with greater confidence but also makes it easier to spot phishing attempts that lack consistency with the company’s visual brand. The prompt also allows organizations to localize in regional languages.

“As we onboard 50+ SaaS applications, we’re finding the Universal Prompt simplifies authentication options, while providing a consistent user experience across all SSO enabled applications. The screen pop notifying users to check their phone for push notification is helpful. The refreshed prompt is easy to follow, especially when users use multiple devices for secondary authentication.” —Kevin Rice, Senior Enterprise Architect, Kearney

So what are you waiting for? Browse the Universal Prompt Playbook to see how you can enable the new experience for your users now.

Getting K-12 schools online during a pandemic was difficult enough. To make it even harder, schools are dealing with rising volumes of cyberattacks. These incidents come from all directions: criminals targeting schools to make money from stolen personal information and compromised emails; insiders looking to disrupt classes and online meetings; and opportunistic attacks that take advantage of unprotected systems.

What’s the Current Threat Landscape?

The number of publicly disclosed cybersecurity incidents affecting K-12 school systems rose by 18% in 2020 over the previous year, according to The State of K-12 Cybersecurity: 2020 Year in Review report by the K-12 Cybersecurity Resource Center and the K12 Security Information Exchange.

The top kinds of attacks were:

• 45% Denial of Service
• 36% Data Breach/Leak (75% of these involved vendors and other partners)
• 12% Ransomware, increasing in severity over previous years (including extortion)

K-12 schools also saw an increase in disruptive cyberattacks (most of which were conducted by those with legitimate access) which did not meet the definition of a breach, but nonetheless caused concern:

• Class invasions (Interrupting online class sessions)
• Meeting invasions (Interrupting online board meetings)
• Email invasions (For example, using email to bulk-share disturbing images)

These incidents are alarming, disruptive and costly. Some ways that they impact schools and their communities include:

• Disruption of teaching and other school activities
• Financial loss due to business email compromise
• Cost of ransomware payments, and related recovery activities
• Data theft of students and employees, leading to credit card fraud and identity theft
• Exposure of children to disturbing content

Why are K-12 Schools a Target?

K-12 schools are resource limited, particularly for up-to-date technology and security solutions. They rely on a small number of IT staff who wear multiple hats, often with limited security experience. These teams support large personal data repositories, including historical student records and personally identifiable information. Organization charts and contact information are often publicly available, which can be used to create realistic phishing campaigns and spear-phishing attacks. Not surprisingly, larger, urban/suburban and/or wealthier school systems are more at risk, as they manage more students, employees and devices. Smaller schools may also receive random attacks, but they’re less likely to report an incident.

Financial Resources for School Administrators

Funding specifically for cybersecurity is available for K-12, like CARES Act grants and other pandemic-related sources.

Additionally, there are several bills advancing through the U.S. federal government, including:

• President Biden recently enacted what is believed to be the first K-12 cybersecurity-focused law, the K-12 Cybersecurity Act (S. 1917). As GovTrack details, “This bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to study the cybersecurity risks facing elementary and secondary schools and develop recommendations that include cybersecurity guidelines designed to assist schools in facing those risks. The use of such recommendations shall be voluntary.”
• State and Local Government Cybersecurity Improvement Act - To provide dedicated funding for the national infrastructure investment program and the capital investment grant program, and for other purposes.
  
• Build America Act of 2021 (Infrastructure) - To provide dedicated funding for the national infrastructure investment program and the capital investment grant program, and for other purposes.

How Can Zero Trust Security Help K-12?

Applying a zero trust philosophy to K-12 supports remote learning and working, protects data and systems, and allows for faster incident response.

• A zero trust architecture starts with having a multi-factor authentication (MFA) solution to ensure the person logging into a school system is a known, authorized user. Teachers and administrators can have a stronger authentication method while authentication methods for students can be age appropriate – and can be used to educate students on secure computing practices. Using MFA minimizes the impact of phishing attempts to steal and use credentials and can restrict a non-authorized user from accessing classroom and meeting online sessions.

• Using device trust applications or mobile management solutions as a second step toward a zero trust architecture ensures that devices used to access school systems use current software versions and are current in security patches and other security controls. This allows for the flexibility of using personal devices without sacrificing privacy, meaning that faculty, staff and students can manage the health of their own devices without significant IT or helpdesk support requirements, and reduce the likelihood of compromise due to outdated software and operating systems.

• By applying continuous trusted access policies which monitor user/device behaviors, schools comply with emerging compliance requirements while also allowing for faster detection of malware and other threats. A faster response leads to a lower impact when systems are compromised.

While the pandemic interrupted a lot of K-12 activities, it didn’t stand in the way of cyber threats impacting schools. Administrators now recognize the need to ensure systems, information and their communities are protected from ransomware, denial of service attacks and other threats. Zero trust architecture – focused on users and devices – is a place to start this work.

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

Passwordless authentication is one of the biggest trends in security this year. From the largest of software providers to the smallest of startups, everyone is adding their voice to the chorus of passwordless converts. And we’ll admit, Duo is a convert as well. We truly believe that passwordless authentication will be a sea change that simultaneously enables stronger security while making it easier for users to login. That’s why we’ve committed to making the transition as easy as possible from a world filled with passwords to one with far fewer “password123”s.

However, headlines about passwordless typically read like this: “Company X Wants to Eliminate the Password” or “The Time for Passwordless Authentication Is Now.” The problem with these articles is that the pitch of passwordless is the easy part. These headlines basically state, “Horses are slower than cars” or “The time for the car is now.” While definitely true, it’s not particularly helpful in assessing whether a car is right for me as an individual. Whether a car is valuable depends on a few things: Do I travel over great distances or do I live in a city? Can I afford to pay for the car and the ongoing gas consumption? How do I choose which car is right for me?

As such, it’s high time that we start to get specific in describing current environments and how folks in those specific places can begin their passwordless journey. For example, let’s take higher education as a sector. To address whether a headline like “The Time for Passwordless Is Now” applies to higher education, begin with the lens of security. We know that higher education definitely has its fair share of security concerns. From the protection of research and intellectual property to the safeguarding of student data and financial information, the job of securing a university environment is a serious one. Hackers leveraging stolen credentials can target student loan dollars via student disbursement fraud, or administrators tasked with dispensing cash to vendors, speakers, or entertainers. 

Given the risks to a university associated with password weakness and credential theft, it’s fair to say that higher education environments fall firmly into the “would benefit from the technology” category when thinking about whether passwordless is a fit.

However, is the new technology valuable enough to make the transition from the status quo? Many universities have been successful in their adoption of multi-factor authentication and zero trust principles. So why move from MFA to passwordless? 

Naturally, at Duo we believe in the power of multi-factor authentication. It’s the simplest yet most potent control to put in place to improve security posture. By placing MFA protection in front of critical infrastructure and applications, IT and security professionals not only take great steps in preventing hacks and breaches, but can also see a drastic reduction in cyber liability insurance premiums. 

Over time, we’ve seen firsthand the ire of students frustrated by login processes. Though we’ve worked very hard to make the MFA experience as seamless as possible, there are certain academic use cases where accepting a second factor might be inconvenient, like in an exam setting where phones are not allowed. 

In many cases, passwordless authentication can help alleviate frustration with login experiences:

“Friction around the login process is one of the greatest sources of stress for students. Passwordless is a great way to improve their experience while simultaneously improving the security posture of the institution.” —Helen Patton, Advisory CISO, Duo / Former CISO, Ohio State University

Passwordless implementations often take advantage of advances in hardware technology to simplify authentication. For example, most passwordless solutions can leverage platform biometrics, like TouchID on a Mac or Windows Hello on a Windows device, to securely log on without a password. Don’t worry, passwordless still counts as MFA, with possession of the device being one factor and the biometric being the second. If a student could securely authenticate with a single gesture, without the need for a second device, wouldn’t that address both the security concerns addressed by MFA, but also provide the ease of use that students desire? We hope so.

But wait, you may now be asking yourself, how prevalent are biometrics among my student population? And are these students ready to start authenticating with biometrics like a fingerprint instead of a password? The answer may surprise you. In a recent survey conducted by Duo, spanning thousands of consumers aged 16-24, the results showed that 90% of respondents own at least one device with biometrics enabled. Furthermore, 70% of respondents said they’d feel comfortable using their fingerprint as a mechanism to login.

Given the growing prevalence of both biometric-enabled devices and comfort with their use, passwordless seems like a good fit for the higher education environment. However, the question now becomes how to implement this new technology. Does the university IT team take it on themselves to build an internal passwordless authentication solution? It’s possible. Stanford University has touted their Cardinal Key mechanism as a solution to the password problem. However, for many universities, taking on a homegrown passwordless project may be akin to building a car from scratch in the garage. This is a car that must start and must drive consistently.

Another consideration is the passwordless journey. Passwordless may be a great fit for the student population at a university, but professors and administrators will have different use cases or expectations. Perhaps they just got used to the idea of push-based multi-factor authentication and don’t want to transition to a new form of authentication, or maybe the prevalence of usable biometrics is lower on their set of devices.

In situations like these, it may be worthwhile to start a passwordless journey with a certain set of users while maintaining the security of MFA with others. Advisory CISO Helen Patton suggests, “Choosing a population that will not only embrace passwordless, but also help the rest of the institution see the benefits of it, is a great way to start on the passwordless journey.” Taking this approach, there’s no backward security motion as the environment progresses to passwordless. 

Duo is looking to help solve this use case. Our passwordless solution makes it easy to roll out passwordless to particular sets of users at a time, while maintaining the security of MFA for everyone else. We agree with the headline “Passwordless Is Here to Stay,” but we also know that highlighting particular use cases and sectors where implementation makes the most sense is key to passwordless adoption. After reviewing the specific needs of higher education, we find that colleges and universities are a great fit for exploring and benefitting from the passwordless future.

Related Reading

• EdTech Magazine: Higher Ed's New Approach to Pandemic Cybersecurity
• Google Blog: A Simpler and Safer Future — Without Passwords
• Secplicity: Security in Higher Ed - Trust, Student Experience, and Multi-Factor Authentication
• TechCrunch: How Startups Can Go Passwordless, Thanks to Zero Trust
• TechCrunch: Yubico’s New Hardware Key Features a Fingerprint Reader for Passwordless Logins
• Stanford University’s Cardinal Key

Duo’s Passwordless Authentication Resources

• Explore our Administrator's Guide to Passwordless blog series
• Learn more about our passwordless authentication solution
• Read our white paper, Passwordless: The Future of Authentication
• Watch our webinar, How Duo is Making Passwordless Progress Easier
• Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
• Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Recently, while co-hosting a webinar that kicked off Cybersecurity Awareness Month, a panelist commented that cybersecurity and privacy are team sports on a campus, much like our athletic teams. We need to work with many different teammates on campus — risk management, legal, compliance and institutional review boards, to name a few — to effectively manage cybersecurity risk across our communities. We’re used to competing with each other on the field or in research and then collaborating on pretty much everything else. 

One area where campuses have been collaborating recently are changes around cyber liability insurance for higher education, an opportunity for campus cybersecurity teams to combine forces with their risk management team. These groups are having lots of discussion around the fact that many campuses are required to use multi-factor authentication (MFA) for their cyber liability insurance.

In a recent Duo blog post, we gave an overview of cyber liability insurance. As part of National Cybersecurity Awareness Month and “Do Your Part. #BeCyberSmart,” with this post we’ll dig deeper on cyber liability insurance, MFA, and other cybersecurity trends impacting MFA usage in higher education to help campuses manage this aspect of cyber risk for their communities.

Cyber Liability Insurance Invests in MFA

Multi-factor authentication has been around longer than most current college students have been alive, but when it comes to strong authentication modern MFA changed the game. The use of phishing to take over user accounts as a first step to gain access to a campus for a ransomware attack has been making the headlines. MFA is core to implementing a zero trust stance to protect your campus. Many campuses have reported after deploying MFA extensively across their campuses that account compromises due to phishing have reduced significantly. Cyber insurance providers seem to have also noticed this from their ransomware incident response engagements for insurance claims, and in response they’re starting to require that their customers use MFA. They see the investment in MFA as critical to a campus cybersecurity program and managing risk for a campus. 

We’ve heard from campuses that haven’t widely implemented MFA yet that their cyber liability insurance providers are now requiring it. Some campuses have reported significant price increases in their cyber insurance premiums if they don’t check the MFA box, and some are even reporting that they couldn’t get insurance without checking that box. This puts them in an obvious bind, trying to figure out solutions in a short time period to meet their complex requirements across all of their integrations, different campus communities and significant budget constraints. 

Higher education campuses in the U.S. can leverage the NET+ Duo Security program, designed by Internet2 and Duo to make MFA more affordable with pricing based on the populations that campuses most frequently want to protect as part of their ransomware planning: faculty, staff and students. Campuses have integrated Duo into their SSO systems, applications, cloud services and even workstation security. Having this level of protection in place won’t stop all ransomware attacks, but some of the device security functionality can be used to assess where additional attention is needed for endpoint security to prevent ransomware attacks. This is part of protecting your campus and driving down information security risk for your campuses, but it also helps protect your faculty, staff, researchers and students from loss of productivity when a problem arises. 

“We have found at ODU that the addition of 2-factor authentication with Duo has been one of the key foundations of our information security program for managing risks and in raising assurance, along with endpoint protection, SIEM and an advanced firewall.” —Doug Streit, Executive Director & CISO, Old Dominion University

In addition, EDUCAUSE provides resources for higher education to help address other aspects of cyber liability insurance on campus.

Other Cybersecurity Trends Impacting MFA Usage on Campus

While cyber liability insurance and ransomware have been in the news, other developments in higher education over the last year have also been driving campuses to fine-tune their Duo deployments. We talked about expanding MFA deployments in the Multi-factor Authentication Deployment in Higher Education blog post from 2019, and little did we know the pandemic would come.

Duo explored the overall state of authentication in The 2021 State of the Auth report, and we’re seeing a significant rise in overall 2FA usage as well as adoption in the workplace  in higher education as well.

One of the biggest ongoing impacts from the pandemic has been moving everything online in higher education, where many campuses now need to protect resources they had previously made available only on-site. Some have moved computer labs online to make the software necessary for students to use in their classes available via remote desktops, which then required MFA to login to the systems. With helpdesks now virtual, campuses have reported liking the Help Desk Push functionality for remote identity proofing. It allows helpdesk teams to aid users without requesting sensitive information, and it helps protect privacy for the community.

As part of protecting accounts and campus resources, campuses started researching device security for laptops, smartphones, etc more and wanting to be able to use device security as part of risk-based authentication to secure access. This resulted in a Security Devices, Data, and Policy NET+ webinar, in which David Allen from Pacific Lutheran University and Duo discussed how to achieve this. Protecting access discussions have been active in the research community with the National Institutes of Health (NIH) deadline in September to implement MFA for all users accessing their electronic Research Administration. There are even some campuses that are deploying passwordless solutions, but more to come on that in the future. 

Conclusion

With what we’ve learned as a community over the last couple years, we’re well positioned to address just about any cybersecurity issue. Ransomware and cyber liability insurance will continue to pose challenges for the research and education community, but we have options to help manage this risk collectively. If you have any questions about the NET+ Duo Security program or how it can help your campus, please reach out to me. I’m happy to go over the program, community resources like a community call on the Duo Universal Prompt, and NET+ Duo community calls for you to get engaged with your peers or our campus to sign-up for the program. 

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

The remote work revolution is driving authentication toward a future that’s more efficient, effective and user-friendly. User experience is more important than ever, access security is expanding, and existing security workflows are becoming more streamlined.

In the 2021 Duo Trusted Access Report: The Road to a Passwordless Future, we examine how enterprises are leveraging lower-friction methods like biometrics and Webauthn to move away from passwords while protecting the hybrid workforce.

For this report, our researchers analyzed data from more than 36 million devices, more than 400 thousand unique applications and roughly 800 million monthly authentications from across our customer base, spanning North America, Western Europe and Asia-Pacific.

The data shows that organizations across all industries are increasingly enabling their workforces to work from home now, and potentially for an extended period of time, and they’re implementing the appropriate controls to ensure secure access to applications.

“Trusted access blends the topics of security, compliance and privacy in a way that affects all of us on a daily basis. Evolving this trusted access is a top priority for our digital future.”
—Wendy Nather, Head of Advisory CISOs, Duo

Five Key Findings

Here are five top trends from the 2021 Duo Trusted Access Report. Get the full report to explore all of the data.

Passwordless Adoption Rising: Users Move Toward Lower Friction Second Factors
Our data shows a fivefold increase in Webauthn usage since April 2019.  

Biometrics Press Forward
More than 71% of customer mobile phones have biometrics enabled, and total mobile phones with biometrics rose 12%.

Locations Blocked
Roughly 74% of Duo customers who implement device-based policies restrict access from China and Russia. 

Push Preferred
Duo Push is the most popular authentication method, accounting for 30% of all authentications.

Cloud Usage Floats On
Among enterprises, June 2020 through May 2021 saw more than a 65% increase in average daily authentications to cloud applications over the average from that same period from June 2019 through May 2020.

Summary

Hybrid work and hybrid business models are now the standard operating procedure for how we take care of business. As organizations quickly accommodated hybrid work at a massive scale in 2020, they realized productivity could happen in this environment, and in response many organizations have indicated that they’ll continue using this approach for the foreseeable future.

However, this rapid expansion presented new security challenges, key among them ensuring that employees can work securely and without introducing new risk to the business. The need to secure users and devices and their access to applications is central to an effective remote access strategy.

We need to provide support for businesses to improve their visibility, get a better understanding of policy management, and place more emphasis on automation to help security teams optimize their impact with the resources available to them. Strategies like zero trust and a passwordless approach help improve security while reducing risk, and by having a stronger focus on user experience they allow for greater democratization of security.

Try Duo For Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce from anywhere, on any device.

Customer trust is essential for businesses to succeed, which Salesforce is putting into practice with a future requirement for all customers to enable multi-factor authentication (MFA). Beginning February 1, 2022, Salesforce customers will be contractually required to use MFA when accessing Tableau Online (and many other Salesforce products).

What Does This Announcement Mean for Salesforce Customers?

With this announcement, Salesforce has recognized the importance and value of MFA when establishing and verifying trust every time a customer accesses their broad portfolio of cloud-based services. 

How Does Salesforce Recommend Customers Get Started to Enable MFA?

Salesforce’s announcement is very clear about what customers can do today to enable MFA as quickly as possible. According to the Salesforce Multi-Factor Authentication FAQ, “MFA is one of the simplest, most effective ways to prevent unauthorized account access and safeguard your data and your customers’ data. We’re requiring customers to implement MFA to help mitigate the risks stemming from threats like phishing attacks, credential stuffing, and compromised devices.”

Customers who already authenticate their users via single sign-on (SSO), or who want to move to SSO, can enable MFA for their SSO identity provider when accessing their Tableau Online sites. Additionally, TableauID with MFA is available for customers who do not use SSO or have admins or other site users hosted by TableauID.

“Deploying Duo is the easiest and fastest way to comply with the Salesforce MFA requirement to protect access to Tableau and other cloud-based applications.”

What Is the Most Efficient Way to Meet Compliance With This Requirement? 

Because the runway is rather short, time is of the essence. We recommend following these five tips to accelerate the rollout of MFA for Tableau (as well as any of your other applications):

1. Prioritize interoperability and ease of integration. Chances are, Tableau is just the first of several cloud-based applications you may want to protect with MFA. For example, you may have on-premises apps that could also benefit from MFA. Legacy MFA solutions traditionally fail to integrate across disparate applications in an on-premises and cloud environment, causing inconsistencies and user confusion. 
   
   Duo MFA protects apps wherever they are — on-premises or in the cloud.
   
   
2. Meet your users where they are, securely. Remote work has led to a rise in the usage of bring your own device (BYOD) and unmanaged devices, which increases the risk of compromised devices. And legacy MFA products often can’t accommodate broad sets of users located outside of the corporate network — including remote workers, third-party vendors, contractors and more. These limitations impact business resiliency and often lead to users bypassing any security controls that get in the way of their work. 
   
   Duo Device Trust protects access to apps from unmanaged devices as well as managed devices.
   
   
3. Avoid the need for additional form factors. Traditional MFA solutions require additional security tokens and hardware that don't support all use cases (offline, no cell service, etc.), which results in decreased user adoption and gaps in your organization’s security posture. 
   
   Duo Push does not require additional tokens or hardware, and it works within your existing ecosystem (especially the device you carry in your pocket). 
   
   
4. Make it easy for admins to roll out MFA quickly and for users to adopt quickly. Older MFA solutions often require extensive admin management to enroll users, manage authentication devices, and remediate lost or stolen devices. Because Duo MFA is Duo-hosted and delivered from the cloud, there’s no need to spin up servers. Automated sign-up options, such as user self-enrollment and Active Directory sync, allow for scalable user provisioning. Duo MFA easily integrates with thousands of applications, services and identity providers. With the easiest multi-factor authentication, users can tap a button to approve Duo Push, a push notification on their phones to verify their identity.
   
   Duo combines the best of both worlds: easy for admins and users; secure and scalable for businesses.
   
   
5. Consider a consolidated approach with a long-term view. This is a great time to evaluate long-term projects and requirements, such as ensuring support for new applications being onboarded, enabling SSO, and tightening access policies with a centralized access management tool. Duo is more than a leader in the MFA market — we also offer functionality that goes beyond authentication to protect and secure access to your business’ critical applications. For example, Duo Access edition enables our customers to verify device trust before gaining access to their applications, and empowers users to remediate device issues on their own. Plus, Duo SSO can ease the transition to MFA by providing a place for users to log in once to access all the apps they need to get business done.
   
   Duo simplifies trusted access by consolidating MFA, SSO, device trust and deep visibility into a single solution. With Duo’s Passwordless Authentication capabilities, it’s even easier to protect access to the apps that drive your business.

Deploying Duo is easy and fast to deploy. Whether you’re interested in protecting access to Salesforce, Tableau Online or other applications, each of our editions satisfies the MFA requirement. 

Resources

• Salesforce Multi-Factor Authentication FAQ
• Multi-Factor Authentication and Tableau Online
• Cisco - A Duo Customer Story: How Cisco onboarded more than 100,000 users with Duo MFA

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

The Promise of Passwordless

If you've been following the evolution of passwordless, you've likely read countless blog posts and whitepapers pondering the promise of this technology. The pitch is relatively simple: passwords are insecure and inconvenient, so let’s get rid of them. We shouldn’t necessarily trivialize this promise. Passwords are insecure. They provide a time-tested avenue for bad actors to compromise and gain unauthorized access. As the Verizon Data Breach perennially points out, compromised credentials play a role in the majority of breaches. Passwords are also inconvenient. Password length, complexity, and rotation requirements have only gotten more stringent in the past ten years - leading to headaches for end users and help desks alike.

Before continuing on, it should be noted that all passwordless is not the same. “Getting rid of the password” could be as simple as removing the password field and asking for username only — which is obviously highly insecure. While secure passwordless technology removes the password, it does so by replacing it with stronger factors like device identity or biometrics. If you’re interested in learning more about the technical ins and outs of passwordless, Duo’s own Jeremy Erickson has written an extensive Administrator’s Guide to Passwordless — a great resource for those looking to dive into passwordless in all its glory.

IT Administrators and End Users Are Intrigued by Passwordless

However, let’s return to the problem at hand. Just because industry thought leaders and security vendors agree on a premise (like the value of passwordless), that doesn’t mean IT decision makers or workforce end users feel ready or willing to transition to a new technology. To get to the bottom of this, Duo conducted a global survey of both IT professionals and end users to gauge their attitudes when it comes to passwords and a potential transition to passwordless. The survey covered ten countries worldwide and had thousands of respondents. The findings were quite interesting. 

See the video at the blog post.

To start, end users are largely in agreement that passwords are inconvenient. Fifty-one percent of respondents noted that they forget and reset a password at least once a week. Furthermore, they may not always practice the most secure habits. Fifty-seven percent of respondents noted that they reuse passwords across multiple sites, and 78% of respondents create new passwords by adding a number or symbol to the end of an old password. 

Perhaps more interestingly, users seem more ready for a passwordless future than you might expect. Sixty-nine percent of respondents noted that they felt comfortable using their fingerprint in place of a password to log on. Additionally, 78% of end users already use at least one device in their daily lives with biometrics enabled.

See the video at the blog post.

When it comes to IT decision makers, they too are officially tired of passwords. The IT respondents spent an average of an hour and 15 minutes each week dealing with password resets and issues. Nearly half of (46%) also noted compromised credentials were a top security priority for them.

It also turns out that IT decision makers eagerly await a passwordless future. Fifty-two percent of respondents are actively considering implementing passwordless in their environments today.

Chief Concerns: Deployment and End User Training

These findings clearly indicate that end users and IT decision makers are intrigued by the potential of passwordless. However, that doesn’t mean making passwordless a reality is a slam dunk. The survey also illuminated some serious concerns about transitioning away from passwords. 

End users did express anxiety around their biometrics being stored and housed by private companies. It’s also true that, while 78% of end users have a device with a biometric enabled, it may not be one they can use for authentication at work — and there are still about a quarter of folks who wouldn't be able to use a biometric-based passwordless solution at all. 

IT decision makers worry about the deployment of passwordless. Yes, there are potential benefits — but many have already encountered issues with passwordless authenticators integrating into their environments. Passwordless solutions that work for certain applications or devices, but not their entire environment, also posed challenges.

Passwordless Priorities at Duo

At Duo, we understand the promise and potential of passwordless to improve security and offer end users a streamlined experience. However, we’re also taking to heart the concerns of end users and IT decision makers as we develop our passwordless solution. We’re not positing that every company can go fully passwordless tomorrow — that would be a huge oversimplification — but we have prioritized making it easy to take the first step. 

First, we’ve ensured that our passwordless authentication is easy to set up and deploy. If passwordless is difficult or frustrating to enable, people won’t do it. It’s more than easy enough to continue with the status quo. Unless the passwordless path is relatively simple to start down and walk along, people won’t take it. At Duo, we’ve made sure that testing, deploying and maintaining passwordless in any environment is as easy as possible.

Second, we want to make it accessible for end users to understand and use. While folks may hate the idea of passwords, they’re definitely used to them. To make sure there’s minimal friction for end users, Duo will support many device types as passwordless authenticators. In addition, the enrollment process will provide easy-to-follow instructions as well as relevant information about the security and privacy properties of our passwordless solution. For example, to address concerns about companies storing fingerprints, we inform users that Duo will never store or keep a copy of their biometric. This way, end users feel comfortable making the transition to passwordless.

With each passing month, the promise of passwordless is becoming a reality. However, it’s important to remember that even though security professionals, IT administrators, and end users feel ready for passwordless, it’s our responsibility to make it easy to fulfill its promise. To learn more about Duo’s approach, explore our Passwordless solution page.

Duo’s Passwordless Authentication Resources

• Explore our Administrator's Guide to Passwordless blog series
• Learn more about our passwordless authentication solution
• Read our white paper, Passwordless: The Future of Authentication
• Watch our webinar, How Duo is Making Passwordless Progress Easier
• Watch a Threatwise TV video that discusses and demos Duo passwordless authentication
• Read a Cisco blog by Product Marketing Manager Ted Kietzman explaining why passwordless is just one part of a holistic security strategy

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.

Sarah McLachlan, a sage of our time, once opined, “I will remember you. Will you remember me?” and for the longest time Duo for Windows Logon replied, “No.” Today, weep not for the memories of what was, but rejoice because the answer will soon be, “Yes.”

We’re pleased to announce the general availability of Trusted Sessions for Windows laptops and desktops. Trusted Sessions brings the “Remember Me” feature from our browser prompt to Windows Logon, allowing you to trust your local logins with Duo and reduce the amount of times needed to MFA in the future, saving you lots of time, energy and defenestration of Windows endpoints.

Consider the use case that New Hampshire Ball Bearing, Inc. is looking to solve. The IT Security team of this specialized manufacturing producer uses Duo to comply with the DFARS regulation and enforce corporate security policies. They wanted to ensure that security policies do not create user friction and negatively impact productivity. With Duo’s Trusted Sessions feature, the team reduced multi-factor authentication (MFA) fatigue without compromising on security.

"We protect local device logon with Duo’s MFA to comply with DFARS, and our corporate security policy mandates inactivity screen lock of 5 minutes. This scenario increased user frustration, especially at a time when employees are unable to use FaceID to unlock their MFA device due to mask wearing. Duo’s trusted sessions feature for Windows Logon has greatly reduced our end user hesitancy during MFA deployment while increasing voluntary adoption rates. The majority of our users recognized and enabled the trusted sessions feature organically with no notification or instruction from IT. Now our user base finds Duo unobtrusive and we're able to comply with our MFA mandate without push back from users." —Clayton Girouard, Sr. Systems Engineer - Information Technology, New Hampshire Ball Bearing, Inc. (NHBB)

Enable Trusted Sessions in Just a Couple of Clicks

Reducing user friction has never been so easy for administrators. They can easily enable trusted sessions from the admin console under the “Remembered devices” policy section. 

“Remember Me” for Windows Logon

With the Remember Devices for Windows Logon policy enabled, the user will be offered a “Remember Me for X Time ” checkbox during login. When users check this box, they will not be challenged for secondary authentication when they log in again from that device for a set period of time unless something changes. Policy is available for a minimum of one hour with a maximum of 90 days, allowing you to find the optimal time frame to meet the security considerations for you and your organization. 

One of the core challenges in our research was that logging into an endpoint requires different security properties than logging into a web application. As a result, we had to develop a way to proactively revoke trust when we could no longer assert the user and the device were in a state where it was appropriate to continue trust.

To achieve this, we looked at three properties:

1. The operating session state. When invoking Duo, we determine whether the authentication attempt is an unlock or a new session. If it’s a new session, Duo will require MFA, and a subsequent unlock will honor the time duration set for “Remember Me.”
2. Network location. At each authentication attempt, Duo will snapshot and compare the network state of the user's device to determine whether it moved off of your network. If it has, we'll prompt for MFA.
3. User’s choice. Trusted Sessions give users the choice to end their remembered sessions early by clicking cancel while logging into a trusted session.

See the video at the blog post.

Now, a reality check. Duo is going to default to secure, so if there’s uncertainty about network location we’re going to prompt again. The idea is to streamline MFA attempts, not completely eliminate them. Additionally, we’re not delivering this feature for RDP sessions today. Our research highlighted the need for a robust way to assert the same user on the same device with trust, returning back to the same RDP session. That opened the door to a new round of research that was beyond our scope and would have seriously delayed delivery. And finally, Offline MFA sessions will not be remembered, because Duo cannot assert certain things about the device. We must assume it’s outside of normal administrative control and can’t be assumed to be in a trustworthy state. 

“Remember Me” Is Available Now to All Duo Customers

Trusted Sessions for Windows is available as part of all Duo product editions (Duo MFA, Duo Access and Duo Beyond) at no extra cost. Administrators decide which groups of users can use “Remember Me” and for how long.

For more information about Duo’s Windows login capability, read our documentation.

Try Duo for Free

Want to test it out before you buy? Try Duo for free using our 30-day trial and get used to being secure from anywhere at any time.