The Duo Blog (https://duo.com/)
Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and the security health of their devices before they connect to the apps you want them to access.
Mon, 10 May 2021 00:00:00 -0400, en-us, info@duosecurity.com (Amy Vazquez), Copyright 2021

Incremental Deliverables From a Quality Perspective
Daniel New (dnew@duosecurity.com), Industry News, Mon, 10 May 2021 00:00:00 -0400
https://duo.com/blog/incremental-deliverables-from-a-quality-perspective

The Journey to Testing Improvements

Pass or fail. That is the world most people in the software quality domain live in. Things are either broken or not. Sometimes they are in between those states, but they almost always lean one way or the other: broken, or not broken and simply misunderstood. So testing by nature has a bias towards a binary perspective. 

At Duo we have a very healthy testing culture where the testing process is shared, agreed upon, and executed by the Engineering department as a whole. This healthy environment pushes most testing projects into the realm of improving the testing process rather than its execution. This can prove challenging because testing in general has that binary component to it (remember pass or fail?). However, using Duo's engineering principles, we worked to improve the quality of our Windows integration through incremental changes. 

I hope that after reading this example you will take to heart the challenge: when looking to improve quality, the temptation to deliver perfect testing must not inhibit the delivery of better testing. In many ways this project (like countless others in quality) was quite the journey, and every journey has a beginning, so let’s look at the start.

What Was Our Destination?

To improve testing we really needed to know two things to get started: what was the current state of testing, and what was the future state of testing that we desired? During our project to improve the testing of our Windows integration, we analyzed the existing testing, which was, as expected, very good. The product had a healthy amount of automated tests that covered several key features. There were also plenty of thorough manual tests that covered the remaining set of features for this product. In addition, there were scripts to create environments and resources to test all of the Windows operating systems that Duo supported with this integration. 

There were of course a few key areas that we identified as needing improvement. We needed to convert approximately 67 manual tests to automated tests to reduce testing time and increase the speed of release for new features. We also needed to consolidate the automated test execution: initially, running the automated tests required multiple manual actions. 

Ultimately we needed to get these tests executing more often in our continuous integration (CI) pipeline. If we only focused on the ultimate goal of having these tests executing in our pipeline, I don’t think we would have been able to accomplish that in any sort of reasonable timeline. Instead we decided to do it the Duo way.

How Did We Get There?

One of the principles of Duo’s engineering culture is “Don’t let perfect get in the way of the good.” 

This principle is based on concepts similar to the idea of Minimum Viable Product (read more about that here). If we focused solely on delivering the ultimate goal of automated test execution in our CI pipeline we would have done just the opposite of that. It was tempting too because we knew what passing (or accomplished) looked like. 

From the quality perspective we had to create stages of passing in order not to be caught in the snare of a waterfall delivery that waited for the ultimate goal to be achieved. First things first, we wanted to get automated test coverage to a better spot. 

Prioritizing Existing Manual Tests

Collaborating with the Local Authentication Engineering team we prioritized existing manual tests based on the following criteria: risk for bug introduction, ease of automation, and execution time for manual version of the test. 

Let’s look at each of these briefly.

Risk of bug introduction: simply put, let’s make sure we test our potential vulnerabilities early and often. Areas of the integration that could fail and lead to false or unprotected authentication were prioritized. By automating these tests we are able to efficiently and consistently test the major purpose of the integration, namely the authentication portion. 

Ease of automation: automating some features can be more difficult than others. Rather than tackling the hardest problems first, we decided to focus on easy wins, but only after vetting them through the risk of bug introduction assessment. This allowed us to make an impact early and build momentum and product knowledge as we moved forward to tackle the more difficult test scenarios. 

Execution time for the manual version of the test: the final factor we considered as we worked to convert existing manual tests to automated tests was the execution time of the manual test. One of the goals of converting these tests from manual to automated was to free up our development teams and engineers to focus more on feature work. One of the challenges our engineers were facing was extensive test setup and execution time for manual tests. Thankfully our engineers had been diligent in recording execution time for some of the lengthier manual tests, so we had data to reference when determining which tests were the longest. 

With all of these factors in consideration we began working to replace existing manual tests with automated tests. As the need arose, we also wrote automated tests to cover new features that were currently being developed. In all, with this strategy and a ton of collaborative effort, we were able to convert 62% of manual tests to automated tests when compared to a previous release test plan.

Staying the Path

Once we reached our first stage of passing (getting our test automation coverage up), we moved on to improving test execution. Without the plan to incrementally improve testing, the temptation would have been to move directly to the endgame of folding these tests into our existing CI pipeline. However, that would have let perfect get in the way of good. 

So instead we shored up the test execution by running our tests in all of our supported environments and tackling any flakiness or errors in the existing tests. This involved improving older tests by finding new ways to interact with the application. We also performed massive refactors to better utilize the Pytest library (the testing tool we were primarily using) to reduce code duplication and make our tests easier to run and clearer about what they were doing. 

After we were able to get our tests passing and stable within our existing environments, we moved forward with consolidating the scripts that actually ran the tests. We worked to ensure that our tests could be launched from a central location with a single script and trigger execution on all of our supported environments. We leveraged an existing PowerShell script to organize, execute, and report our tests. The idea was that once we implemented these tests in our CI pipeline, we could have a fair amount of confidence in their reporting and execution. Consolidation of test execution also laid the groundwork for independent test execution on each environment we supported testing on, once these tests ultimately made it into the CI pipeline. 

Reaching the Destination… for Now

With all these improvements in place the final goal was in sight. Now came the task of getting these tests running in our CI pipeline. Thankfully, another core principle in Duo’s engineering department is collaboration. We were able to partner with our Build and Tools team to identify and set up all of the necessary infrastructure to connect our pipelines to the environments we were testing in. We also leaned heavily on our Cloud Security team to advise and support us in making sure that our soon-to-be-integrated tests were integrated in the most secure way. Both of these teams provided insight and expertise that helped make this project possible. Finally, we collaborated with the Local Authentication engineering team (the people who build and test features for the integration regularly) to gain insight into how often these tests should run. 

It was agreed that running a subset of tests that could identify critical failures early in the development process would be helpful. So we set up a scheduled pipeline job to run the tests every weekday morning and have results reported at the beginning of the day. We were able to store these results in a long-term database to maintain a historical record and use that data to identify testing trends in the future. 

The last leg of our journey to testing improvement was the information hand-off. Over the course of two weeks we collected information, documented processes, and presented findings to our Local Authentication Team in order to better prepare them to handle the maintenance and further improvements of their testing. 

Bumps in the Road

No project would be complete without some lessons learned, and most journeys have a few detours. One of the many lessons we learned during this project was to lean on expertise, particularly when it came to our CI pipeline. Thankfully we have wonderful teams (the Build and Tools team and the Cloud Security team) that were able to assist us with setting up and securing the integration of our automated tests into the existing CI pipeline. Involving these experts earlier would have been to our advantage. 

Another major lesson we learned was that your first idea, and at times your second and third idea, may not be the best idea. When implementing the test execution changes we tried three different approaches before we were able to get tests executing stably with a single script. However, we didn’t just throw away what we had built in the first two attempts. We used those failures and challenges as learning moments and built on the issues found with both of those implementations. 

What allowed us to be successful in this automated transformation was doing things the Duo way, highlighted by two core principles: collaborate often and don’t let the perfect get in the way of the good. Those two guiding principles helped us push back against a pass/fail mentality and ultimately helped us deliver incremental improvements that added value along the way. 

Collaboration and iteration helped us bring in the right voices and insights to guide our project and helped us know how to parcel out the work needed in order to be successful. 

For your next testing overhaul or major feature change, don’t think about the project as a point A to point B journey, but rather as a journey with multiple signposts along the way and tons of helpful guides to assist you in getting there. Or, to put it simply, do it the Duo way. 

To learn more about the Duo approach to quality, check out our blog on Quality Metrics, or if you would like to implement the Duo approach firsthand, apply for the open position on our Platform Quality Engineering Team here. And if you want to learn more about the Windows integration we were testing, check out the documentation here.

Try Duo For Free

See how easy it is to get started with Duo and secure your workforce, from anywhere and on any device with our free 30-day trial.


Cisco Secure Democratizes Extension Security for Firefox and Edge
Jacob Rickerd (jrickerd@duo.com), Duo Labs, Wed, 05 May 2021 08:55:00 -0400
https://duo.com/blog/cisco-secure-democratizes-extension-security-for-firefox-and-edge

Two years ago, we released CRXcavator (pronounced crux-cavator), a free tool that examines the security hygiene and risks of Chrome extensions, looking at criteria such as permissions and security policy, and empowers users to make informed decisions about the extensions they use. Originally released as a Duo Labs project, CRXcavator is now provided by the same team within Cisco Secure.

Over the last two years, CRXcavator has helped make the browser ecosystem safer and more transparent by providing developers, users, and organizations with consistent and consumable information regarding potential extension security risks. Security teams at organizations such as Lyft and Datadog have adopted the tool as part of their security strategies; researchers have used CRXcavator to help Google uncover and take down hundreds of malicious extensions; and hundreds of thousands of security-conscious users have utilized the tool in their personal and professional lives to improve their security posture. 

After democratizing extension security for Chrome, we are thrilled to announce a major update to CRXcavator that adds support for Mozilla Firefox and the beta version of the Microsoft Edge Add-ons site. This addition greatly expands the scope and accessibility of the tool and more thoroughly secures users. CRXcavator will now continuously scan the Firefox add-on and Edge extension stores as it does for Chrome, generating and updating CRXcavator reports for all extensions, as well as scanning newly added ones as they become available. 

This enables the tool to provide up-to-date security assessments with a potential risk score, alerting the user to possible red flags and risks that extensions may introduce. We’ve also updated the user interface to ensure consistency across reports. 

Why Extension Security? 

Browser extensions have an incredible amount of access to user data and, if not properly accounted for, can quickly become a security blindspot. Earlier this year, a browser extension used by millions of users was removed from the Chrome Web Store for containing malware. “The Great Suspender,” as it was named, had been recently sold by its old maintainer to an unknown third party with malicious intent; the new maintainers added potentially malicious code and a new permission. 

This prompted Chrome to ask users to accept the new permission, which alerted the community and ultimately pressured the new maintainer to revert the change. The extension stayed under the new maintainer’s control until Google blocked and removed it from the Chrome Web Store in January. The downfall of this once-trustworthy extension and the risks it was able to introduce in a short amount of time demonstrate that browser extension security is an important issue in today’s evolving threat landscape, and that users and organizations must remain vigilant. 

We launched CRXcavator with this exact problem in mind. However, Chrome isn’t the only browser that allows extensions to access large amounts of user data. The Great Suspender was available on Microsoft Edge alongside Chrome, and in January 2020 Firefox was found to have potentially malicious add-ons.

State of the Web Stores 

Back when we first launched, we scanned 120,463 Chrome extensions to see what unsafe practices might be exposing organizations to risk. This number has since increased to 165,365 Chrome extensions and apps. 

Chrome Ups and Downs 

Since we last compiled our metrics on the Chrome Web Store in 2019, Chrome has taken steps to improve the security of its extensions and encourage safer practices among creators. 

There have been a few particularly noteworthy changes that signal a positive shift in Chrome extension safety. We’ve scanned around 42,000 new Chrome extensions over the past two years and found that overall, a smaller percentage of scanned extensions read your data on any site and your cookies compared to 2019. Additionally, a larger percentage provide users with a privacy policy and a support site to contact.

However, some areas did not improve. A significantly larger percentage of extensions use third-party JavaScript libraries with publicly known vulnerabilities as detected by RetireJS, and a slightly larger percentage both have publicly known vulnerabilities and can read your data from any site, as shown in the chart below. Although this may seem like a significant increase, it may just be a consequence of RetireJS finding new vulnerabilities in existing extensions over time, and not a dramatic shift in the number of developers adding outdated third-party libraries to their extensions. 

Firefox & Edge 

In addition to scanning 162,704 extensions for Chrome, we’ve scanned 20,520 Firefox Add-Ons and 4,373 Edge Extensions for similar problems. It is important to note that the Microsoft Edge add-on site is still in beta at the time of this report and we expect that Edge extensions will continue to evolve in ways that include management of extension security risks. Edge currently has a much smaller population of available extensions compared to Chrome and Firefox. This must be taken into consideration when comparing Edge with Chrome and Firefox as it is too early to identify comparable trends and it is more likely that actions taken by developers or Microsoft, such as waves of new extensions or removal of extensions due to abuse, will have an outsized effect on the overall percentages. 

Like Chrome, a majority of Firefox extensions have no privacy policy. However, of the Edge extensions scanned, ~80% do have a privacy policy. Edge has far fewer extensions compared to Firefox and Chrome, and many of them are from well-known developers who are more likely to have a privacy policy. We will see if this continues to hold true as the Edge ecosystem expands and more small developers are added. 

While Edge beats Chrome and Firefox in extensions having privacy policies, a higher percentage of them contain known third-party vulnerabilities — twenty percentage points more than Chrome and more than twice as high a percentage as Firefox, which does the best of the three browsers in this category. It’s also interesting to note that of the Edge extensions that can read your data on any site, 82% of them also contain third-party vulnerabilities; this stands in comparison to Chrome where about two-thirds of the extensions that read all data contain vulnerabilities and Firefox where less than half do. 

Knowing and comparing these numbers can help users stay alert as they decide how they approach the use of extensions with their preferred browsers. 

New Look, Same CRXcavator 

In addition to adding support for Firefox and Edge extensions, we’ve made some changes to the UX. We’ve redesigned the style of various elements to modernize the look and feel and to improve thematic consistency, focusing many of the changes around enabling analysis of extensions for the Firefox and Edge browsers in addition to Chrome. 

We’ve also overhauled multiple pages, most notably the extension report. The report now presents the same data in fewer sections, making better use of available space and shortening the overall size of the report page, improving the experience on both desktop and mobile. Users can also more clearly see the extent to which various sources of risk in the extension contribute to the overall potential risk score.

These reports will mostly display the same or corresponding data that CRXcavator’s Chrome extension pages do, although each store provides information differently. For example, Firefox and Edge do not provide permission warning data via their APIs as Chrome does, so we’ve redesigned and updated our UI to make reports across browsers more consistent, comparable, and accessible.

Users will be able to view Firefox and Edge extension reports, but will not be able to add extensions to their group’s explicit allow list; CRXcavator Gatherer, our browser extension on the Chrome Web Store that gathers the inventory of extensions installed across an organization, is not currently available on Firefox or Edge but may be added in the future based on demand.  

What Does the Future Hold? 

We look forward to seeing Google, Mozilla, and Microsoft continue to make strides towards securing their browser extension stores and encouraging better extension safety standards. We’ve spoken in the past about Google’s Manifest V3. Edge, which is based on Chromium, automatically inherits this standard, and Firefox is implementing their own version of Manifest V3. All of these new Manifest versions include provisions to prevent extensions from incorporating remotely hosted code which could be used to evade malware detection. 

Additionally, Google has implemented a new privacy requirement for their extensions. As of 2021, extension developers are required to list the type of data they collect from users. This information is displayed on the Chrome Web Store for users to see when deciding whether to install an extension. To help their users make more informed decisions when evaluating extensions, Firefox has published a great resource that guides people through the questions they should ask when deciding to install an extension. 

As Chrome works toward transparency in browser extension security and other browsers take their own steps to secure their web stores, CRXcavator will continue compiling this information and staying up-to-date to ensure that users have the most detailed information possible to make informed decisions about their browser’s extension security.  

While big strides have been made in browser extension security since CRXcavator was first developed in 2019, users must continue to audit their extensions and keep an eye on privacy concerns and policies to avoid potential security breaches and keep their data secure. We’re always looking for ways to improve CRXcavator for individual users and organizations, and we’ll continue to update CRXcavator as the needs of browser extension security and our users evolve. 

The 2021 Two-Factor Evaluation Guide Is Here!
Desdemona Bandini (dbandini@duo.com), Industry News, Tue, 04 May 2021 08:30:00 -0400
https://duo.com/blog/the-2021-two-factor-evaluation-guide-is-here

When it is time to evaluate 2FA (two-factor authentication) providers, there are some key questions to ask your vendors to determine which solution is best for your needs.

Two-factor authentication (2FA) is the simplest, most effective way to make sure users really are who they say they are. But, not every two-factor solution is the same. Some vendors only provide the bare minimum needed to meet compliance requirements – and some carry lots of hidden costs for deployment, operation and maintenance. Plus, many traditional solutions are clunky, error-prone and require extensive user training and support – costing your employees time and productivity. How can you tell which solution is the right one for you?

We have created this easy-to-follow Two-Factor Authentication Evaluation Guide, updated for 2021, to help you navigate the pros and cons of choosing the right solution for your company. 

In this guide we evaluate:

  • Security - Does your solution reduce risks, and can it provide visibility into your environment?
  • Strategic Business Initiatives - Does your solution support cloud, mobile and BYOD initiatives? And can it fulfill compliance?
  • Total Cost of Ownership (TCO) - Does your solution provide more upfront value, or more hidden costs?
  • Resources Required - What kind of resources will it take to deploy and provision your users?

Learn which key questions to ask before deciding on a 2FA solution. 

In our refreshed Two-Factor Authentication Evaluation Guide you’ll also get:

  • An overview of the hidden costs of some two-factor solutions and how to determine your return on investment (ROI)
  • What to look for to ensure your solution can protect against the risk of a data breach
  • A list of resources needed to deploy, provision and integrate your solution
  • An overview of the different strategic business initiatives, and how your solution fits into them
  • An overview of how to use a comprehensive set of criteria to customize your evaluation to your organization’s needs

When you are ready to find the right 2FA solution for your company, be sure to read this guide to gain clarity and understanding into how to evaluate solutions against your needs. Read our free Two-Factor Authentication Evaluation Guide today.


Why Duo Security Is a Great Place To Work
Seema Kathuria (skathuria@duosecurity.com), Industry News, Tue, 04 May 2021 07:30:00 -0400
https://duo.com/blog/why-duo-security-is-a-great-place-to-work

Do you know Duo Security? Although I had heard of them and remember seeing their booth at RSA and Black Hat events over the years, I wasn’t aware of what they had been doing in addition to two-factor authentication until I was hired. When I shared that I work at Duo with some of my friends at Facebook, Workday, Autodesk, etc., they said they know and use Duo’s mobile app and like it! Just the word “Duo” helped them make a positive association.

Duo’s Unique Culture and Values

I learned more about Duo when I started my new job here. No matter what your role is at Duo, employees are respected and appreciated for contributing ideas and driving improvement. Much of the company culture is rooted in its values. 

Be Kinder Than Necessary

Duo is a company that’s for and about people. Duo believes that empathy and kindness are the secret sauce for building awesome teams. We strive to make our team members feel valued, positioned to succeed, and able to be their authentic selves at work. 

Duo invests in and encourages employees to grow and learn. Duo hires for talent and curiosity rather than just skill. Duo might hire a person and provide them ample resources and opportunities to learn so they can do their best and succeed. When it comes to the people, my immediate team is diverse and varied in terms of their backgrounds and experiences.

Duo rewards employees for going the extra mile. On a regular basis, we give kudos to each other through chat. We begin team meetings with appreciations, where team members can give thanks to others in an open forum. This sets a great tone for the rest of the meeting! I think every company should do this. 

Duo believes in a healthy work-life balance. For example, Duo gives all employees extra paid time off every so often to switch off from work and come back more energized. We try not to chat or communicate after hours, and take timezones into consideration when scheduling meetings. 

Engineering the Business

Engineering the business is about providing our customers the tools they need to address their security challenges. By building diverse teams we are able to look at problems from a well-rounded view and uncover unexpected solutions.

For example, during a Duo Hack Day we brought team members from multiple disciplines (engineering, sales, marketing, customer success, and others) and from other countries together virtually for a fixed 8-hour period to creatively solve problems that matter to our customers. It was an amazing experience of collaborative ideation and problem solving aimed at improving the user experience. The collaboration helped us knock out important projects in a short period of time.

Learn Together

Duo wants every team member to feel empowered to offer their biggest and best contributions. To achieve that and reach our fullest potential as a company, Duo believes it is essential that we avoid silo mentality and leverage the sum of our parts. That means sharing our knowledge widely, holding space for dissenting opinions, and amplifying voices that push us to our learning edges. 

When I share ideas, my manager and peers listen with the intent to understand; they consider my points of view and respond in a pleasant manner even if they have a different perspective and feedback for me to improve and learn. This encourages me to never stop sharing my ideas and to approach each interaction as an opportunity to learn, rather than trying to “prove a point” or defend myself.

Build for the Future

Building for the future is about being thoughtful. For our customers, that means addressing today’s security issues while also anticipating the challenges that people will face in years to come — and continuing to uphold our values of building simple, people-centered solutions, and offering straightforward thought leadership. 

Duo recognized early on that end users are nearly constantly using their mobile device for a variety of operations and built the mobile app with this in mind. Over time, utilizing customer research and feedback, Duo has extended its product portfolio to include additional capabilities such as cloud Single Sign-On, Secure Remote Access, and Device Trust, continuing to innovate and delight customers.

Onboarding Remotely 

With the myriad of resources available to employees, I saw that onboarding remotely was possible and not burdensome. Using Webex video calls and chat, I easily and quickly received help and connected to the corporate network and applications on day one, despite being in a different place and time zone from the IT team.

Each new hire attends the Duo Culture Belonging & Employee Training with the founders. I really enjoyed learning about the company, including Duo’s early days by Dug Song and Jon Oberheide and subsequent growth as a security SaaS company up to its acquisition by Cisco in 2018. I learned why customers trust and love Duo products. 

Duo’s mission has always been to democratize security: to make it usable for any person and company. This is such a human-centric mission and one that we can all agree is worth working hard for.

I am delighted to work at Duo where I get to collaborate with multiple teams, learn about the secure access market landscape, and drive customer awareness and adoption of Duo solutions.

We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!


How To Achieve Device Visibility & Control With Ease
Jonathan Hogue (jhogue@duosecurity.com), Industry News, Thu, 29 Apr 2021 08:30:00 -0400
https://duo.com/blog/how-to-achieve-device-visibility-and-control-with-ease

Duo introduced the Device Health App in November 2019 with the goal of closing the secure access management gap between user identities and endpoints.

Duo Device Health App gives organizations more visibility and control over which desktop and laptop devices are able to access corporate applications based on the security posture of the device. Compliance with corporate device health policy can be enforced each time the user attempts to authenticate.

If the device is compliant the user is allowed through. If not, the health app guides the user through the actions needed to become compliant. For example, if disk encryption is required but not turned on, the app will walk the user through the steps needed to enable FileVault or BitLocker encryption.

We Incorporated Customer Feedback for Enhanced Ease-of-Use

Multiple customers partnered with us as we designed and built the app, giving feedback and helpful suggestions at every step of the way. Over the last year and a half, we have continued to receive customer feedback and act on it. We are pleased to announce the general availability of three new capabilities that make the Device Health app easier to deploy in customers’ environments and more end-user friendly.

1. Gain Visibility in a Frictionless Manner With Reporting Mode

Reporting mode offers a frictionless way to get a sense for the overall security posture of your fleet of desktops and laptops. When deployed in this mode, the Device Health app will simply collect health data and report it back at each authentication when the application is installed on the access device. If the user decides not to install the app, the authentication will proceed without prompting the user for installation or blocking the user’s access.

Simply deploy the app using a system management tool and get immediate visibility.

For example, you might be fairly sure that disk encryption is enabled on all of your users’ devices, but by deploying the Device Health app in reporting mode first you can confirm that without the risk of blocking anyone. Once the reports show that your devices are compliant with company standards, you can switch to enforcing the device-based access policy with confidence and without impact to user productivity or the IT helpdesk.

Visit our documentation page to understand the various Device Health Application policy options.

2. Improve Productivity & Usability By Hiding a Health Check Row

Hide a health check row and reporting mode pair well together, just like peanut butter and chocolate.

Hide a health check row lets you hide one or more of the rows on the home screen of the Device Health app by using your system management tool to modify Windows registry keys or push out a plist file on macOS. Users then only see what they can remediate and won’t get stuck trying to fix a problem that they cannot fix.

Let’s say you’ve deployed the Device Health app in reporting mode to all of your desktops and laptops, and one of your users notices that BitLocker isn’t enabled. The app will guide the user through the steps needed to enable it, but what if the user doesn’t have permission to make changes to BitLocker settings? It’s very common for users to not have administrative privileges, and in this case the user would be stuck.

The Endpoints and Authentication Log reports will still show that BitLocker isn’t enabled on that device, so administrators who have the permissions to do so can turn it on.

Check out this article for detailed instructions on how to hide a health check row.

3. Get Granular Control Using Operating System Specific Device Health Policies

Many organizations today have a mix of Windows and macOS devices in their IT environment. To ensure appropriate levels of trust across these platforms, administrators must be able to enforce granular health policies based on the operating system (OS) of the device. For example, you might want to require the firewall to be turned on for systems running macOS but not for Windows devices. Now, with the Device Health app, administrators can enforce distinct policies for macOS and Windows devices using OS-specific device health policies.
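The three capabilities above (reporting mode, hidden rows, OS-specific policies) are easiest to reason about as one policy evaluation that runs at each authentication. The following is an added illustrative model, not the Device Health app's own code: the check names, the policy layout, the mode names and the sample fleet are assumptions chosen to mirror the post's examples (firewall required on macOS only, BitLocker row hidden on Windows where users lack the rights to fix it). The `rollout` helper shows the practitioner's check that reporting mode exists for: how many devices would be blocked if the same policy were switched to enforce.

```python
"""Illustrative model of evaluating a device health policy at authentication time.
Added example, not the Duo Device Health app's own code: check names, policy layout,
mode names and the sample reports are all assumptions mirroring the blog post."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HealthReport:
    """What the app reports back for one device (constructed sample shape)."""
    os: str                   # "windows" or "macos"
    checks: Dict[str, bool]   # check name -> passed?


@dataclass
class Policy:
    mode: str                                   # "reporting" or "enforce"
    required: Dict[str, List[str]]              # per-OS checks that must pass
    hidden_rows: Dict[str, List[str]] = field(default_factory=dict)  # per-OS rows hidden from users


@dataclass
class Decision:
    allow: bool
    reason: str
    user_remediation: List[str]   # failing rows the user is shown and can fix
    admin_findings: List[str]     # every failing check, for the Endpoints/Auth Log reports


def evaluate(policy: Policy, report: Optional[HealthReport]) -> Decision:
    """Decide allow/deny for one authentication attempt."""
    if report is None:  # app not installed: nothing was reported
        if policy.mode == "reporting":
            return Decision(True, "no report; reporting mode never blocks", [], ["app_not_installed"])
        return Decision(False, "Device Health app required", ["install_device_health_app"], ["app_not_installed"])

    os_key = report.os.lower()
    required = policy.required.get(os_key, [])          # OS-specific rule set
    hidden = set(policy.hidden_rows.get(os_key, []))
    failing = [c for c in required if not report.checks.get(c, False)]
    # Users only see rows they are allowed to remediate; admins still see everything.
    visible = [c for c in failing if c not in hidden]

    if not failing:
        return Decision(True, "compliant", [], [])
    if policy.mode == "reporting":
        return Decision(True, "non-compliant, but reporting mode only records it", visible, failing)
    return Decision(False, "non-compliant: " + ", ".join(failing), visible, failing)


# Sample policy mirroring the post: firewall required on macOS only, BitLocker row hidden
# on Windows because users there lack the rights to change it (assumed names).
SAMPLE_POLICY = Policy(
    mode="reporting",
    required={"windows": ["disk_encryption"], "macos": ["disk_encryption", "firewall"]},
    hidden_rows={"windows": ["disk_encryption"]},
)


def rollout(policy: Policy, reports: List[Optional[HealthReport]]) -> Dict[str, int]:
    """Summarize a fleet: how many devices would be blocked if this policy were enforced."""
    enforced = Policy("enforce", policy.required, policy.hidden_rows)
    blocked = sum(1 for r in reports if not evaluate(enforced, r).allow)
    return {"devices": len(reports), "would_block": blocked}


if __name__ == "__main__":
    fleet = [  # constructed sample fleet
        HealthReport("windows", {"disk_encryption": False}),
        HealthReport("macos", {"disk_encryption": True, "firewall": False}),
        HealthReport("macos", {"disk_encryption": True, "firewall": True}),
        None,  # a laptop where the app was never installed
    ]
    for r in fleet:
        print(evaluate(SAMPLE_POLICY, r))
    print(rollout(SAMPLE_POLICY, fleet))  # what enforce mode would do, before you flip it
```

Note that in reporting mode every decision is `allow=True`, yet `admin_findings` still carries the failures, which is exactly the data you want in the Endpoints report before turning enforcement on; the hidden BitLocker row is absent from `user_remediation` but never from `admin_findings`.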

At Duo, we work closely with our customers to gather feedback and develop features that solve real world problems. The recently added capabilities make it easier for customers to establish device trust by making it simple to adopt and deploy Device Health app, while minimizing user friction and impact to productivity. We are eager to hear from you on how these additional controls help you improve your security program.

<![CDATA[Zero-Knowledge, Zero Trust for All With Keeper Security and Duo]]> gleishman@duosecurity.com (Ginger Leishman) https://duo.com/blog/zero-knowledge-zero-trust-for-all-with-keeper-security-and-duo https://duo.com/blog/zero-knowledge-zero-trust-for-all-with-keeper-security-and-duo Industry News Wed, 21 Apr 2021 08:30:00 -0400

Passwords are a problem. We are fatigued by many things in our lives, from juggling work-life balance, to constant video calls as we transitioned to working remotely, to struggling to maintain all the passwords for all the applications we use to do our work. According to Keeper Security’s Workplace Password Malpractice Report, 57% of employees admitted to writing their passwords on sticky notes. With so many applications and passwords to manage, it is easy to understand why an employee might not practice good password hygiene, leaving their accounts more exposed to phishing and credential reuse attacks.

The Password Problem

We are all likely aware that we should create a unique password for each application or account we have: 12 characters or more, special characters included, never reused, and free of personal information and dates. These are best practices, but when the mental tax and the time investment needed to manage and update these passwords are both so high, employees (and even IT administrators) are going to be lax and break the rules.

The Ponemon Institute recently published a study of the security behaviors of individuals and IT professionals. Spoiler alert: the IT professionals surveyed were more likely to reuse passwords across workplace accounts. The study showed that 39% of individuals were likely to reuse passwords at work, compared with 50% of IT professionals. When you consider that IT professionals have access to the crown jewels within an organization's network, it is clear that a better way to manage passwords is needed.

The Password Solution

Enter the solution: an encrypted enterprise password management and security platform that creates strong passwords, stores them so that none ever has to be reused, and manages logins to all the applications employees use at work. Keeper Security is well known for a password management solution that supports Duo’s multi-factor authentication, bringing strong authentication to the information stored within. With an eye on removing still more of the friction workers encounter with passwords and password resets, organizations can now extend their Duo SSO to include access to Keeper Security with the new Keeper SSO Connect Cloud™.

"SSO provides great convenience for enterprise employees to access a handful of cloud applications with a single login. However, this leaves large security gaps for protecting the thousands of websites and services that employees use, in addition to other confidential information that needs to be protected in an encrypted vault." — Craig Lurey, Keeper Co-Founder and CTO.

Duo SSO and Keeper SSO Connect Cloud are both easy to set up because neither requires an on-premises installation, yet together they can protect hybrid environments. Duo SSO provides users with an easy and consistent login experience for any application, whether it’s on-premises or cloud-based. An organization can use Duo’s zero trust access to verify the identity of the user and the security posture of their device, and apply access policies each time an access request is made, ensuring only trusted users and devices reach the sensitive password information stored within Keeper.

"Keeper is the only enterprise password management solution that uses zero-knowledge encryption while at the same time providing a seamless login experience with any SAML 2.0 compatible identity provider, like Duo. Unlike other solutions, Keeper's integration does not require the user to type in a master password to access their vault. Keeper's security model ensures that the enterprise is in complete control of their encryption keys." — Craig Lurey, Keeper Co-Founder and CTO.

As the world continues to move to the cloud and embrace remote work, adopting a zero trust security framework becomes urgent. Breaking away from passwords and embracing the stronger security model of zero trust (never trust, always verify each time an access request is made) protects organizations and their users from potential breaches.

Click here to learn more about how Keeper SSO Connect works with Duo to protect your organization.

<![CDATA[Security Outcomes Study: A Look at What Works and What Doesn’t]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/security-outcomes-study-a-look-at-what-works-and-what-doesnt https://duo.com/blog/security-outcomes-study-a-look-at-what-works-and-what-doesnt Industry News Tue, 20 Apr 2021 08:30:00 -0400

Cisco Secure’s Security Outcomes Study is sure to intrigue you. Cisco contracted the survey research firm YouGov to field a fully anonymous (source and respondent) survey that ran during the middle of 2020. We surveyed over 4,800 active IT, security, and privacy professionals from 25 countries. The Cyentia Institute conducted an independent analysis of the survey data on behalf of Cisco Secure and generated all results presented in this study.

In this survey report respondents answer some big questions, like:

  • Is there evidence that security practices actually do affect program-level outcomes?
  • What is the strongest correlation of them all?
  • What about the second strongest correlation?
  • Can you achieve overall program success?
  • If you want a strong security culture embraced by all, how do you achieve it?
  • Do you want to avoid future incidents and losses?
  • Which security practices are most difficult to implement?
  • Where are programs most successful? Where do they struggle the most?
  • Which function of the NIST Cybersecurity Framework contributes most to success?
  • How did organizations minimize the impact of COVID-19 on operations?
  • Where are we going with security program outcomes?

“This is not a marketing report to toss in your swag bag and ignore; this is a report to cuddle up with and read over and over again. In fact, this report will change how we think about running infosec programs.” — Wendy Nather, Head of Advisory CISOs, Duo Security at Cisco

There’s no shortage of security industry reports out there vying for your attention, and we made this one to provide some actionable, data-driven insights to help you build a more successful security program.

Intrigued yet? Download Cisco’s Security Outcomes Study and see the results today.

<![CDATA[Duo Security Named a 2021 Gartner Peer Insights Customers’ Choice for Access Management]]> dgainer@duosecurity.com (Darcie Gainer) https://duo.com/blog/duo-security-named-a-2021-gartner-peer-insights-customers-choice-for-access-management https://duo.com/blog/duo-security-named-a-2021-gartner-peer-insights-customers-choice-for-access-management Industry News Thu, 15 Apr 2021 00:00:00 -0400

Customer feedback is integral to how we innovate and develop our products. That laser focus on the customer is what we believe helped Duo Security to become the most loved company in security.

On that note, we’re excited to announce that Duo has been recognized as a Customers’ Choice in the April 2021 Gartner Peer Insights ‘Voice of the Customer’: Access Management. We’re honored by this distinction. As of April 15th 2021, Duo Security has an overall rating of 4.8 out of 5 based on 86 reviews in the Access Management market. 

The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings. To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate.

Here are some excerpts from customers who helped us earn this distinction:

  • "Duo Security has been a very valuable and trusted solution for our company from day one. The ease of deployment of what traditionally required very complicated technical configuration makes Duo stand out and worth every penny." - Senior Network Architect, Media Industry
  • "Implementation was the smoothest of any vendor that we've brought on board. The resources for training users, helpdesk and administrators of the system are outstanding. From our users perspective ‘It just works!’" - Senior IT Security Analyst, Healthcare Industry
  • "Enabled us to accurately and easily control access to internal applications based on device trust. Well featured platform including MFA." - Systems Engineer, Energy & Utilities Industry

Read more reviews for Duo Security here.

Everyone at Duo is deeply proud to be honored as a Gartner Peer Insights Customers’ Choice for Access Management. To learn more about this distinction or to read the reviews written about our products by the IT professionals who use them, please see the Access Management page on Gartner Peer Insights.

To all of our customers who submitted reviews, thank you! You help shape our products and our customer journey, and we look forward to building on the experience that helped recognize us as a Gartner Peer Insights Customers’ Choice!

If you have a Duo Security story to share, we encourage you to join the Gartner Peer Insights crowd and weigh in.

*Gartner, Gartner Peer Insights ‘Voice of the Customer’: Access Management, Peer Contributors, 13 April 2021
The GARTNER PEER INSIGHTS CUSTOMERS’ CHOICE badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliates.

<![CDATA[How Cisco Rolled Out Zero Trust With Duo to 100,000+ Users]]> acubas@duosecurity.com (Ashley Cubas) https://duo.com/blog/how-cisco-rolled-out-zero-trust-with-duo-to-100-000-users https://duo.com/blog/how-cisco-rolled-out-zero-trust-with-duo-to-100-000-users Industry News Wed, 14 Apr 2021 08:30:00 -0400

There’s nothing like being a part of a team that has a goal of rolling out zero trust to 100,000 users in less than six months. If you’re thinking to yourself...that’s fast! You are 100% correct! It was very fast, incredibly efficient, and highly effective. 

Cisco IT recently rolled out a significant security upgrade for their workforce. With the help of Duo Security, Cisco users can now access resources more seamlessly and efficiently. I am half of a Duo Care team that helped Cisco IT achieve its ambitious goal. Duo Care is a premium service many of our customers have today. Customers are assigned a Customer Success Manager (that’s me!) and a Customer Solutions Engineer who are there to help with our customer’s deployments and ongoing iterations of their security stacks. We gleefully get to be in the room where it happens. 

The 100,000+ User Rollout of Duo to Cisco

What is impressive about this rollout is not only the scale but Cisco’s ability to anticipate their users’ needs. They did so well that fewer than 1% of users contacted the help desk. When an enterprise organization rolls out a security stack to 100,000+ users and 120,000+ devices within a span of 5 months, there are a lot of lessons to be learned.

#1 - Have a plan and know the challenges you’re trying to overcome 

  • Cisco had a clear vision, which allowed everyone on the project to understand the mission. At a high level, they wanted to protect worldwide access, expand access to users securely, secure all users and devices, and have a consistent experience for users.

#2 - Executive buy in is key! 

  • Anytime Cisco needed to move fast, they had air cover from the top to push through what was needed to get the job done. 

#3 - Keep your end user in mind

  • As security grows more sophisticated, the end user experience should improve: fewer passwords, fewer authentication prompts, fewer barriers to getting work done, all while increasing security.

#4 - Don’t go at it alone - we are here to help!

  • When Duo says we want to democratize security, we don’t just mean making MFA (multi-factor authentication) easy. Our portfolio has grown, matured, and gone through the test of a Cisco-wide rollout. We want to make all of our solutions easy.

Lastly, and I think this is something many folks already know, zero trust is a journey. And it’s not a one size fits all. Duo is constantly pushing ourselves to innovate ahead of the curve. 

If you’re interested in learning more about how Duo can help your organization with its zero trust initiatives, please contact your Duo Care team or our support team at support@duo.com.

<![CDATA[Duo Care's Premium Customer Care Provides Extra Layers of Support]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/duo-care-premium-customer-care-provides-extra-layers-of-support https://duo.com/blog/duo-care-premium-customer-care-provides-extra-layers-of-support Industry News Mon, 12 Apr 2021 08:30:00 -0400

The Duo Care premium support program was created because we really do care — about your Duo rollout, about your end-users' experience, and about your continued satisfaction with us as a trusted partner. With Duo Care, you'll work with a team of Duo experts who will guide you through the life of your subscription, to help you maximize the value of your Duo investment as your organization and business needs evolve. Duo Care also gives you access to extended support services, so you can get the assistance you need, whenever you need it.

What’s Included With Duo Care

Customized Expertise 

Our team of dedicated Customer Success experts learns your business’ unique needs. We help you navigate complex deployments and add business value. With Duo Care you’ll receive strategic planning and deployment advice, periodic business reviews and health check-ups to keep you current. You’ll also get a first look at Duo’s product roadmap and more.

Duo Provides You With Dedicated Support Advisors

You'll be paired with two dedicated support advisors: a Customer Success Manager (CSM) and a Customer Solutions Engineer (CSE). Your CSM will serve as your strategic point of contact — a trusted advisor in areas like administrator training, security policy development, user enrollment plans, product updates, project requests and future planning. Your CSE works in tandem with your CSM and is a technical expert who offers consulting, architectural strategies and best practices as you deploy or expand your coverage with Duo.

Ensure Smooth Deployments 

Roll out your Duo deployment with our custom tools and launch kit, security policy recommendations and user enrollment planning. Duo Care includes training and education to ensure success.

Take A Look At What Duo Care Comes With

Support Services

  • 24x7 Phone Availability
  • Priority Ticket SLA 
  • 99.95% Uptime 
  • VIP Support Line 
  • And more!

Technical Expertise 

  • User Enrollment Strategy & Planning
  • Security Policy Planning
  • Solution Architecture Consultation
  • Technical Integration and Deployment Consultation
  • And more!

Planning Leadership

  • Helpdesk Enablement
  • End User Communication Planning
  • Serve as a Strategic Advisor
  • Periodic Business and Product Roadmap Reviews
  • Priority Access to Betas
  • And more!

How Can I Get Duo Care?

Duo Care is available through our sales team. Contact a representative today to get more information on how Duo Care’s premium support features can help you. Contact our sales team.

<![CDATA[Duo Network Gateway – Reduce VPN Dependency Using Zero Trust]]> lgreer@duosecurity.com (Landon Greer) https://duo.com/blog/duo-network-gateway-reducing-vpn-reliance https://duo.com/blog/duo-network-gateway-reducing-vpn-reliance Industry News Wed, 07 Apr 2021 08:30:00 -0400

It’s Friday, you just got paid and you’re getting ready to take off for the weekend but you want to check your pay stub to verify your taxes so you hit your employee records portal. Those wonderful words of ‘Denied Access’ appear in your browser; you need to connect to the corporate VPN to access your pay stub.

If you are like me, you sigh, and put your machine to sleep because the workflow for your VPN requires far too much effort for something that should be a simple and quick process. If you do find yourself having the motivation to continue further on your journey of checking that pay stub, you first load up the crusty VPN client.

From here you copy and paste your username and password out of your password manager, because the client uses an embedded browser that can’t integrate with your password manager; then you perform 2FA manually, because that same embedded browser can’t use your YubiKey. After all of that you are finally logged in, but wait, there is an alert that you have to read about the VPN endpoint changing in the next 3 months. You are finally connected to the corporate network through the painfully slow data pipe that is shared by a multitude of your coworkers.

Phew, finally time to actually perform the task you set out to originally; checking your pay stub. You hit the employee portal and you are finally able to verify that your taxes are correct, health insurance looks accurate and all checks out but what a process that seemingly small task turned into.

What is the Duo Network Gateway?

The Duo Network Gateway (DNG) enables organizations to provide zero trust remote access to web applications, web pages and SSH servers without the requirement of a VPN or exposing those applications to the internet directly.

This empowers any end user to access their applications from any device, on any network, and adds granular policy controls that ensure only the users who need access have it, while also checking the hygiene of the device making the connection.

How To Use Duo Network Gateway

The Duo Network Gateway can turn the employee pay stub story from above into a single process, all from within the comfort of your web browser. An end user hits the employee payment portal directly, just like they would hit Office 365 or Salesforce, is greeted with a request for primary authentication and then 2FA, and they are in.

No need for a clunky client or for copying and pasting sensitive information onto the machine’s clipboard, and users can use any of their preferred 2FA devices along the way. The end user gets to enjoy a much simpler experience of hitting the resource they want to access without jumping through hoops to do so.

The organization gets the added security of the zero trust architecture that the Duo Network Gateway inherently provides; checking the user, the hygiene of the access device, the hygiene of the 2FA device, etc. for every application the end user needs to hit that day.

The organization can choose to allow the end user to check a “Remember Me” box if they wish as well to provide an even more seamless experience. An end user can authenticate once in the morning, hit that checkbox to be remembered for the acceptable duration that the organization sets, and the end user is free to use anything they need to access without requiring the authentication steps they already performed.

This is the power of the Duo Network Gateway.
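The “Remember Me” flow described above is worth seeing in code, because the security of it rests on three details: the remembered session must be unforgeable, it must expire at the lifetime the organization set, and it must be bound to the browser or device that completed 2FA so a stolen cookie replayed from elsewhere is useless. The block below is an added illustration of that pattern, not the Duo Network Gateway's implementation: the token format (HMAC-signed JSON), the device binding by an assumed browser fingerprint string, and the signing key are all assumptions. Note that a remembered session only skips the re-prompt; per-request policy on the device still applies in a zero trust gateway.

```python
"""Illustrative 'Remember Me' session for a zero trust web gateway. After primary
authentication and 2FA succeed, the gateway issues a signed, expiring token bound to
the browser/device; later requests to any protected app are proxied without
re-prompting until the organization-configured lifetime ends. Added example, not the
Duo Network Gateway's code: token format, device binding and the key are assumptions."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed key for the example; a real gateway keeps this in managed secret storage.
SIGNING_KEY = b"constructed-gateway-signing-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(user: str, device_id: str, lifetime_s: int, now: Optional[float] = None) -> str:
    """Mint a remembered session once primary auth + 2FA have succeeded."""
    now = time.time() if now is None else now
    payload = {"sub": user, "dev": device_id, "iat": int(now), "exp": int(now) + lifetime_s}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_session(token: str, device_id: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is authentic, unexpired and bound to this device."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time compare
            return None
        payload = json.loads(_unb64(body))
        if payload["exp"] <= now:          # organization-set lifetime has elapsed
            return None
        if payload["dev"] != device_id:    # cookie replayed from a different device
            return None
        return payload
    except (ValueError, KeyError, TypeError):   # malformed token of any kind
        return None


def gate(token: Optional[str], device_id: str, app: str, now: Optional[float] = None) -> str:
    """What the gateway does with one request for `app` arriving from this device."""
    session = verify_session(token, device_id, now) if token else None
    if session is None:
        return "redirect_to_login"   # primary auth, then 2FA, then a fresh session
    return f"proxy:{app}:{session['sub']}"


if __name__ == "__main__":
    morning = 1_700_000_000.0  # constructed timestamp
    tok = issue_session("alice", "browser-fp-1", lifetime_s=8 * 3600, now=morning)
    print(gate(tok, "browser-fp-1", "payroll", now=morning + 60))          # proxied
    print(gate(tok, "browser-fp-1", "expenses", now=morning + 3600))       # still no re-prompt
    print(gate(tok, "browser-fp-2", "payroll", now=morning + 60))          # other device: login
    print(gate(tok, "browser-fp-1", "payroll", now=morning + 9 * 3600))    # expired: login
```

The `hmac.compare_digest` call and the try/except around parsing are the two places a hand-rolled session check most often goes wrong: a plain `==` on the signature leaks timing, and an unguarded decode lets a malformed cookie turn into a 500 instead of a redirect to login.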

Evaluating Use Cases For Duo Network Gateway

The Duo Network Gateway can provide an excellent end user experience while potentially leveling up the security of an organization in the process. The Duo Network Gateway, like any other technology, is not a silver bullet for all of the organization's use cases. The Duo Network Gateway provides zero trust access to an application or server but does not inspect every connection that an end user may be making that day. 

Let’s say that an end user needs to order lunch for a meeting today, does the organization need to know that a connection to the Panera Bread website was performed? Probably not. Does the organization need to protect the portal used for expensing the meal for the meeting? Absolutely. This is where one benefit of the Duo Network Gateway shines — protecting the organization without being creepy to the end user. 

Another example may be the requirement for an end user to utilize Microsoft's Remote Desktop Protocol, RDP, to access a Windows machine in the datacenter. The Duo Network Gateway will support this use case in the near future; but if you need this protection today, check out the Duo Authentication for Windows Logon and RDP application. 

Looking Ahead - The Future Of Duo Network Gateway

The Duo Network Gateway is a powerful tool that organizations can use to give end users the flexibility of cloud-based access to applications hosted on-premises, whether inside the physical office or in a cloud environment that is locked down to the physical office’s public IP. Today the DNG supports HTTP/S and SSH.

This leaves a gap, and Duo has been working on covering this gap. The Duo Network Gateway team has plans to support much more with RDP being the first protocol in the line up. With that in mind, what other protocols can you see the DNG being used for that it doesn’t support today?

  • Let us know your thoughts in this survey.


We talked about the Duo Network Gateway a lot just now. We talked about what the DNG is and what the DNG isn’t. We covered the seamless end user experience that the DNG can provide, and we delved into the additional security that an organization gains via the inherent zero trust architecture of the DNG. If you would like to give the DNG a try within your organization or in your personal homelab environment, check out the free 30-day Duo Trial.

<![CDATA[RSA Conference 2021: Resilience]]> noelle@duo.com (Noelle Skrzynski Hardie) https://duo.com/blog/rsa-conference-2021-resilience https://duo.com/blog/rsa-conference-2021-resilience Industry News Mon, 05 Apr 2021 08:30:00 -0400

With everything that’s happened in the last year, we’ve all learned some valuable lessons about dealing with change head on. That’s why the theme for this year’s RSA Conference 2021 is so fitting: resilience. We’re all navigating new waters, and this conference is no different.

For the first time ever, the conference will be hosted virtually, so you’ll attend sessions and keynotes digitally, and experience the vendor expo booths away from the crowd and in your own home. Regardless of the changes, the conference is still one of Duo’s favorite events, and we’re excited to attend!

So let’s get together from Monday, May 17 to Thursday, May 20 to catch up with our peers, dive into the latest trends and solutions, and learn best practices for dealing with present and future challenges.

As a proud sponsor of this event, we encourage you to register using the Duo code 54SDUOCIS for a free Digital Expo Pass!

Find Duo at the Cisco virtual booth in the Digital Expo, or attend one of our sessions below:

From Zero to Hero – How Cisco Deployed Zero Trust in Five Months

Brad Arkin, Chief Security & Trust Officer at Cisco, will present this talk on Tuesday, May 18 at 10:50 a.m. PT.

Brad draws on a wealth of security experience, including his former position as Chief Security Officer at Adobe, where he successfully rolled out Zero Trust. In this talk, Brad will discuss how Cisco’s Zero Trust rollout was not only a logistical challenge with 100,000 global users and a complex mix of cloud and on-premises applications, but also a huge shift in how the company itself thought about networks, perimeters, and security (including reducing its own VPN usage). Brad will talk about how Cisco faced its past and drove into the future — in less than five months’ time. Join Brad to learn how he plans, influences, communicates and delivers on the promise of Zero Trust.

Brad Arkin leads Cisco’s Security and Trust Organization, whose core mission is to ensure Cisco meets its security and privacy obligations to our customers, regulators, employees, and stakeholders. Before joining Cisco, Arkin was Chief Security Officer at Adobe and has held management positions at @Stake and Cigital. 

Secure Access Service Edge (SASE) Model

Getting Started with SASE: Connect, Control and Converge with Confidence 

Digital business transformation and the shift to a distributed workforce are driving networking and security to the cloud. The secure access service edge (SASE) model consolidates networking and security functions into a single integrated service. 

Join Meghan Diaz, Director, Cisco Cloud Security on Monday, May 17 at 10:35 a.m. PT as she shares the pitfalls to avoid when starting your transformation to SASE. 

Meg Diaz is the leader of the Cisco Cloud Security product marketing organization at Cisco, where she is responsible for the go-to-market strategy and execution across multiple products. Diaz has experience in network, endpoint, cloud, and data security. Prior to OpenDNS, she worked at RSA, the Security Division of EMC in various roles.

How To Make a Successful Security Program

What (Actually, Measurable) Makes a Security Program More Successful?

What makes a successful security program? Ask three infosec pros and you’ll get three different answers. Presented by Duo Head of Advisory CISOs Wendy Nather, and Partner and Co-Founder at the Cyentia Institute, Wade Baker, this keynote explores the survey answers of 4,800 infosec professionals evaluating security program performance. 

Join Wendy and Wade on Thursday, May 20 at 8:00 a.m. PT for insights into how security teams can enable business, manage risk and operate efficiently. 

Other Hot Happenings

Make sure to keep a spot in your schedule for these other Duo and Cisco sessions:

Special Highlights: Passwordless, SSO, and Device Trust

We’ve been thinking ahead to a simpler, more secure future. Our future could be unhindered by a pesky little thing we call the password. Many organizations see the benefits of a passwordless experience for their users, and Duo can help you get there. Duo recently announced our new passwordless authentication solution, so visit the Cisco booth to get a sneak peek at what that will look like.

Part of the journey to a simpler, more secure future includes simple, secure single sign-on (SSO). With Duo’s SSO, you can provide easy access to your many platforms and programs in one place, protected by Duo’s strong MFA. See for yourself how Duo enables a streamlined login experience by checking out a demo at the booth.

Lastly, Duo is excited to share how we’re simplifying Device Trust. Duo provides visibility into every device on your network, enforces health checks at every login attempt, provides powerful reporting capabilities, and allows you to set granular access controls. Dive into the demo Duo dashboard for a closer look, and stop by the booth for answers to any questions you have.

<![CDATA[Duo's Passwordless Authentication is Coming!]]> wgoerlich@duosecurity.com (J. Wolfgang Goerlich) https://duo.com/blog/duos-passwordless-authentication-is-coming https://duo.com/blog/duos-passwordless-authentication-is-coming Industry News Tue, 30 Mar 2021 10:10:00 -0400

And lo! Passwords have been with us since the early days. When the number of computers on the internet could be counted with two hands, there was the password. When we dialed up for the first time, we used a password. We had a password for Geocities and MySpace. The mainframe came and went, the floppy disk came and went. The password might even outlast the corporate data center. It’s still with us.

Lo was the first word sent across the internet. Sadly, not in the “lo and behold” sense. The message was the starting characters of login. From the earliest of days, we’ve been beholden to the password.

Today we leave that legacy behind. 

What’s Coming 

I’m excited to share that Cisco is announcing Duo’s passwordless authentication. It replaces the password with security keys and platform biometrics such as Apple FaceID and TouchID, and Windows Hello. Built on Cisco’s industry-leading zero trust platform, securing access for any user, from any device, to any application, the solution will provide one easy login to all the organization’s cloud applications. 

Duo passwordless authentication will be available for public preview beginning summer 2021. 

Passwordless Emerges

A rule of technological innovation is that we leap forward when standards, infrastructure, and critical mass adoption come together. The FIDO Alliance’s FIDO2 specification, built upon the Web Authentication (WebAuthn) standard, laid the foundation for passwordless authentication. The ubiquity of the smartphone has led to improvements and prevalence of biometrics. In fact, many of us get into our phones and computers today without a password, thanks to biometrics securely stored on and validated by the device itself.

Workforces are ready for passwordless authentication. According to the 2020 Duo Trusted Access Report, 80% of mobile devices used for work have biometrics configured, up 12% over the past five years. 

Passwordless has arrived. It’s no longer a question of when, but a question of what’s next.

Duo Security’s Passwordless Authentication

Security leaders are turning to passwordless to improve the user experience for the workforce. It has to be simple. Duo became the most loved company in security because of our relentless pursuit of simplicity. 

We make security painless, so security professionals can focus on what's important. Shifting from password multi-factor authentication to passwordless authentication builds upon Duo’s strengths in user-friendly authentication.

The journey to passwordless authentication will be taken in steps and stages. Like the cloud transformation before it, transitioning authentication faces the realities and complexities of the modern organization. 

The approach must be standards-based, interoperable, and identity-agnostic. Duo continues to contribute to and collaborate with FIDO and the World Wide Web Consortium (W3C) working group in championing WebAuthn’s ratification as an official web standard and its adoption across platforms. 

The promise of passwordless is both improved usability and improved security. While relieving people from the complexity and error-prone nature of maintaining too many passwords, we also must enforce strong security access policies. Building upon the instrumentation provided by Duo’s zero trust platform, we can increase trust in authentication by transparently verifying and validating every connection to every application. 

Passwordless authentication will be more than simply removing the password. It will be increasing trust and control across every authentication.

Duo’s Passwordless Authentication Resources

See the video at the blog post.

Try Duo For Free

See how easy it is to get started with Duo and secure your workforce, from anywhere and on any device with our free 30-day trial.

<![CDATA[Secure Access to Your Google Chrome Enterprise With Duo]]> gumapathy@duosecurity.com (Ganesh Umapathy) https://duo.com/blog/secure-access-to-your-google-chrome-enterprise-with-duo https://duo.com/blog/secure-access-to-your-google-chrome-enterprise-with-duo Industry News Mon, 29 Mar 2021 08:30:00 -0400

In 2020, according to a report by IDC, Chrome OS became the second most popular choice of operating system in terms of number of devices sold. The news of this impressive growth comes on the heels of the 10th anniversary of Chrome OS. Congratulations to the Chrome Enterprise team. Duo Security is proud to be on this journey as a Chrome Enterprise Recommended partner!

What is Chrome Enterprise Recommended?

Chrome Enterprise Recommended is Google’s partner program for third-party solutions on Chrome OS. Chrome Enterprise Recommended partners have worked with Google to extend their product’s functionality, quality, security and end user experience.

A 2-Step Integrated Solution For Customers

Organizations that use Chrome OS devices can quickly and easily secure workforce access with Duo. Duo’s out-of-box integrations with Google allow enterprises to secure user and device access to corporate resources in two simple steps:

Step 1: Implement Single Sign-on & MFA 

Duo Single Sign-On (SSO), our cloud-hosted SSO product, layers Duo's strong authentication and flexible policy engine on top of Google Workspace (formerly G Suite) logins using the Security Assertion Markup Language (SAML) 2.0 authentication standard. Duo SSO acts as an identity provider (IdP), authenticating your users using existing on-premises Active Directory (AD) or any SAML 2.0 IdP and prompting for two-factor authentication before permitting access to Google Workspace. 

Configure Duo SSO for your Google Workspace by following these simple instructions.

Step 2: Verify Device Trust for Chrome OS Devices 

Duo’s integration with Google’s Verified Access (GVA) service enables access-time checks to ensure the device is indeed managed by the customer’s Google tenant. 

Follow these simple instructions to help you set things up.

“Duo Beyond has enabled us to push our zero trust strategy faster, allowing us to utilize client systems (ChromeOS to be specific) that were difficult and costly to support, making it very low effort to bring new services online and granting granular access controls.” — Mike Johnson, former CISO at Lyft.

We can’t wait to get you started and see how this additional control helps you up your security.

Try Duo For Free

See how easy it is to get started with Duo and secure your workforce, from anywhere and on any device with our free 30-day trial.

<![CDATA[(VIDEO) Getting Started With Duo - Step 5: Adding Users]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/video-getting-started-with-duo-step-5-adding-users https://duo.com/blog/video-getting-started-with-duo-step-5-adding-users Industry News Fri, 26 Mar 2021 08:30:00 -0400

At Duo, we combine security expertise with a user-centered philosophy to provide two-factor authentication, endpoint remediation and secure single sign-on tools for the modern era. It’s so simple and effective, you get the freedom to focus on your mission and leave protecting it to us.

Duo is built on the promise of doing the right thing for our customers and each other. This promise is as central to our business as the product itself. Our four guiding principles are the heart of the sensibility: Easy, Effective, Trustworthy, Enduring. 

Welcome to our 5-part video series on getting started with Duo! 

We have created myriad resources that make it easy to get started with Duo. Here are five easy steps to get you on your way. We covered differentiating user authentication methods, Duo enrollment and self-remediation, the Duo admin dashboard and Device Insight, and how to set up an application so far. Next we will discuss Step 5: Adding Users.

Step 5: Adding Users

See the video at the blog post.

Duo provides several enrollment methods to add users to the system. 

Self-enrollment allows users to add themselves to Duo and walks them through setting up a device for two-factor authentication. Larger organizations may prefer one of the automatic enrollment options, like synchronizing users from an external Microsoft directory. Administrators can create individual Duo users at any time (manual enrollment).

Users — and their phones, tablets, or hardware tokens — must be enrolled into Duo before they can start using the system. Enrolling may include the optional step of activating the user for Duo Mobile, which allows your users to generate passcodes from the Duo Mobile app or use one-tap authentication with Duo Push. In order to use Duo Push, users will need to install the Duo Mobile app on their devices and then add their Duo account to the app. This process will only take the user a few minutes.

There are three methods of user enrollment: automatic enrollment, self-enrollment, and manual enrollment. The automatic enrollment and self-enrollment methods save you the time and effort of manually adding your Duo users. To learn more visit our knowledge base, support and our Duo community resources. 

Trial Tips

If you are considering a trial first, take a look at our Advisory CISO Wolfgang Goerlich's blog, "Trials and Transformations: Test Driving Multi-Factor Authentication and Zero Trust Solutions." In it Wolfgang breaks down how to get the most out of your free Duo trial. 

Try Duo For Free

See how easy it is to get started with Duo and secure your workforce, from anywhere and on any device with our free 30-day trial.

<![CDATA[Duo Celebrates Women's History Month]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/duo-celebrates-womens-history-month https://duo.com/blog/duo-celebrates-womens-history-month Industry News Wed, 24 Mar 2021 08:30:00 -0400

A Women's History Celebration

March 1st kicked off the celebration of one half of the population, women! Women have come a long way, baby, and we aren't finished yet. There are new glass ceilings to break, and equality is still not exactly equal, but throughout history there have been significant contributions by women.

Our Instagram is heating up for Women's History Month (WHM) with hot stories featuring women all month long. Check out this video on women in tech.

Women in Tech 

See the video at the blog post.

How Did Women's History Month Begin?

Since the dawn of time, women have been working hard for a fair shake. Leaders, pioneers, homemakers, trailblazers -- women were essential to the birth of this nation and are essential to lead us into its future. The first recorded observance was a "Women's Day" organized by the Socialist Party of America in New York City on February 28, 1909. The United Nations began to recognize International Women's Day on March 8, 1975. 

The first celebrations took place in Sonoma County, California, in 1978. President Jimmy Carter issued a national proclamation declaring the week of March 8 National Women's History Week. Then in 1987, the National Women's History Project successfully petitioned Congress to designate the month of March 1987 as Women's History Month. Each March carries a theme, and the theme for 2021 is "Valiant Women of the Vote: Refusing to Be Silenced."

At Duo we value women. If you have ever met any women of Duo you will see this is true. To all the ladies, we celebrate and honor your achievements!

We're hiring! If your passion is collaborating with inspiring teammates, and creating and supporting products that make a difference, we want to hear from you. Check out our open positions!

<![CDATA[Celebrazione! AgID Certification To Provide Cloud Services in Italy]]> amayle@duosecurity.com (Andy Mayle) https://duo.com/blog/celebrazione-agid-certification-to-provide-cloud-services-in-italy https://duo.com/blog/celebrazione-agid-certification-to-provide-cloud-services-in-italy Industry News Mon, 22 Mar 2021 08:27:00 -0400

As mentioned in our recent ISO 27000 series certification blog, achieving this global standard for information security has given us the opportunity to pursue more region-specific certifications. We are proud to announce that Duo has achieved the first of many of these with AgID (Agency for Digital Italy) certification for Italian Public Administration!

To achieve certification, Duo’s application was audited by AgID, which verified that the services provided comply with the requirements laid down in the eIDAS (electronic identification and trust services) regulation and in national law, and duly granted Duo qualified status.

What is the Agency for Digital Italy (AgID)?

AgID is the Italian supervisory body that certifies qualified trust service providers. AgID is also the national body responsible for establishing, maintaining and publishing national trusted lists.

Why Is AgID Certification Important to Duo and Our Customers?

Only Cloud Service Providers (CSPs) which meet the requirements laid down by AgID can be included in the Marketplace Cloud, a digital platform with a catalogue of cloud services available for the Italian Public Administration. 

With this valuable certification, Italian Public Administrations can be confident that Duo not only provides the highest possible standards of security for our customers, but also maintains its own quality and standards to the same high level.

Working with Trusted Partners

Duo’s dedication and commitment to meeting the specific compliance requirements across all regions supported by Duo is confirmed by this certification that shows we provide the highest levels of security, performance, availability and transparency for our customers all over the world.

“All the CISOs I speak with are constantly modernizing their security systems to keep pace with demands for organizational change and data privacy. Many of these CISOs are working with partners, such as Duo, to deliver SaaS-based solutions. It is important for them to trust their partner. Having a recognized certification, with all the investment that it requires, is increasingly in demand. It provides the CISO with a level of confidence, reduces third-party risk and confirms they are working with a Trusted Partner.” — Richard Archdeacon, Advisory CISO, Duo

Try Duo For Free

See how easy it is to get started with Duo and secure your workforce, from anywhere and on any device with our free 30-day trial.

<![CDATA[(VIDEO) Getting Started With Duo - Step 4: Setting Up an Application]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/video-getting-started-with-duo-step-4-setting-up-an-application https://duo.com/blog/video-getting-started-with-duo-step-4-setting-up-an-application Industry News Fri, 19 Mar 2021 08:30:00 -0400

Welcome to our 5-part video series on getting started with Duo! 

We have created myriad resources that make it easy to get started with Duo. Here are five easy steps to get you on your way. We covered differentiating user authentication methods, Duo enrollment and self-remediation, and the Duo admin dashboard and Device Insight so far. Next we will discuss Step 4: Setting Up an Application.

Secure every application from anywhere with Duo. An application binds Duo's two-factor authentication system to one or more of your services or platforms, such as a local network, VPN (virtual private network), CMS (content management system), email system, or hardware device. You can protect as many applications as you need, and administer each independently.

Step 4: Setting Up an Application

See the video at the blog post.

Getting Started

To give Duo a try, just follow these steps:

  1. Visit the Duo account signup page and enter your information to create an account.
  2. Check your inbox for a signup confirmation email from Duo. Click the Verify Email link in the message to continue setting up your account.
  3. Follow the steps on-screen to set a password for your Duo administrator account. Your admin username is the email address you used to sign up for Duo.
  4. Install Duo Mobile on your Android or Apple smartphone and scan the barcode shown on-screen to activate Duo Push two-factor authentication for your Duo administrator account. If you don't have an Android or Apple smartphone, click the link below the barcode to skip to the next step.
  5. Set a backup phone number for your Duo administrator account. We'll automatically suggest the same phone number you entered when signing up for Duo. We recommend using a mobile phone that can receive text messages as the backup.
  6. Use your new administrator account to log into the Duo Admin Panel. If you activated Duo Push during account setup, click the Duo Push button to receive a two-factor authentication request from Duo Mobile. If you didn't activate a smartphone for Duo Push, you can send a passcode to your phone via SMS by clicking Text Me. Enter the passcode you receive in the passcode field on the Duo login page.
  7. Once you've logged in as a Duo admin, decide which service, system, or appliance you want to protect with Duo. The Applications page lists all resources that are linked to and protected by your Duo service. Then, use our documentation to configure the Duo application on your service, system, or appliance.
  8. Enroll your users in Duo. We provide several methods for enrollment, such as importing from an Active Directory domain. Some applications also support self-enrollment by users when they access the protected service.

Trial Tips

If you are considering a trial first, take a look at our Advisory CISO Wolfgang Goerlich's blog, "Trials and Transformations: Test Driving Multi-Factor Authentication and Zero Trust Solutions." In it Wolfgang breaks down how to get the most out of your free Duo trial. 

Try Duo For Free

See how easy it is to get started with Duo and secure your workforce, from anywhere and on any device with our free 30-day trial.

<![CDATA[Plaintext Podcast Ep. 5 Featuring Bugcrowd Founder Casey Ellis]]> gattaca@duo.com (Dave Lewis) https://duo.com/blog/plaintext-podcast-ep-5-featuring-bugcrowd-founder-casey-ellis https://duo.com/blog/plaintext-podcast-ep-5-featuring-bugcrowd-founder-casey-ellis Industry News Wed, 17 Mar 2021 08:30:00 -0400

Welcome back to the Plaintext Podcast with your host Dave Lewis, Global Advisory CISO for Duo Security, now part of Cisco.

In this first episode of 2021, Dave chats with Casey Ellis, founder of Bugcrowd.

See the video at the blog post.

The pair discuss how Casey got started in security, how the security market is changing and the pandemic-driven boom in remote work. They also chat about their shared love of music (and playing in bands) and how playing in a band shares similarities with a career in infosec.

If you have suggestions as to who you’d like to see join me on the show, send me an email at hacker @ duo dot com.

Like what you hear? Be sure to check out previous episodes of Plaintext Podcast. You can also read a transcript of this episode.

Try Duo For Free

With our free 30-day trial you can see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

<![CDATA[Passwordless Authentication, This is the Way]]> gattaca@duo.com (Dave Lewis) https://duo.com/blog/passwordless-authentication-this-is-the-way https://duo.com/blog/passwordless-authentication-this-is-the-way Industry News Mon, 15 Mar 2021 08:30:00 -0400

Security leaders the world over tend to share many, if not all, of the same issues in their respective organizations: having to deal with patching, firewalls, network zone segmentation and accumulated security debt. The issues repeat in every industry vertical with alarming consistency. Often security leaders find themselves as a lone figure trying to navigate the corporate world with a dedication to their mission that they carry in the face of overwhelming odds. This is the way. 

As security practitioners we have a fiduciary responsibility to protect the users, devices and applications that, in conjunction with the intellectual property, comprise the workplace, workforce and workload of the organization. That includes the data that the organization collects and utilizes in the course of its business activities. Securing the company is a constantly evolving goal, and the attackers have an unfortunate predisposition to move the goalposts. 

Passwords are a great example of a security control that has outlived its useful life. I often draw the analogy with the house key. Sure, you can use it to lock your front door, but if someone of a nefarious nature managed to find that key, there is nothing to say who should or should not be coming through the front door. Therein lies the rub. Thankfully there are technologies that can alleviate the stress of trying to manage the myriad threats that are arrayed before us. 

The Progression to Passwordless Authentication

Let’s look at the natural progression of life. We’re born into this world, we crawl, then we learn to walk and ultimately to run. As with security there is a growth element to improve as we grow and mature as an industry. The criminal attackers in the past would compromise websites to gain credibility amongst their peer groups. Now we jump forward to the present day and we see that the criminal element has rolled that skill set into a massive monetary enterprise in its own right. 

Now when we apply the concept of a forward progress cycle to the defender side of the equation, we can look at passwords as an example. Moving ahead, we can get people to learn to use a password manager. This will help to better secure end-user credentials in a way that helps manage the risk of static passwords being stored in an insecure fashion. The next step is the move into multi-factor authentication (MFA). From push technology to biometric authentication and others, we have options available to us.

But, what about the future? A couple of years ago the World Wide Web Consortium published the WebAuthn standard. This was the first real stake in the ground for the future of passwordless authentication.

What Passwordless Authentication Is Not

There has been a lot of confusion in the market as to what is and what isn’t passwordless. As an example, I have seen a case where one vendor was positioning QR codes as being passwordless. This is about as accurate as calling a username and password two-factor authentication. It’s incumbent upon the industry to be sure not to muddy the waters. 

To put a finer point on it, passwordless authentication is a method in which a user can log in to a system without the need to enter a password. WebAuthn is one of the core components of the FIDO2 project. Simply put: we have a website, a web browser as the client and a WebAuthn compatible authenticator. This is built on open standards and will help to shape the future of how we handle authentication.
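To make the three-party picture above concrete, here is an added example (not Duo's code and not part of the original post) showing what the website, in WebAuthn terms the relying party, checks when the browser hands it an assertion from the authenticator. The relying party id `example.com`, the origin `https://example.com` and the sample challenge and assertion bytes are all assumed or constructed for this illustration. The signature check over the returned `signed_payload` needs an ECDSA library and is deliberately left out; every other check uses only the standard library.

```python
# Added example (not Duo's code): the relying-party side of a WebAuthn
# assertion, standard library only. RP_ID and EXPECTED_ORIGIN are assumed.
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                      # assumed relying party identifier
EXPECTED_ORIGIN = "https://example.com"    # the only origin this RP accepts


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url as used inside clientDataJSON."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & 0x01),   # UP bit: someone touched the key
        "user_verified": bool(flags & 0x04),  # UV bit: PIN or biometric checked
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, stored_sign_count: int,
                     require_user_verification: bool = True) -> dict:
    """Run the checks an RP performs before verifying the signature.

    Returns the failed checks plus the exact bytes the authenticator signed
    (authData || SHA-256(clientDataJSON)); verifying that payload against the
    credential's stored public key is left to a crypto library.
    """
    errors = []
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        errors.append("type")
    # Challenge binding: only the challenge this RP just issued is accepted,
    # so a captured assertion cannot be replayed later.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        errors.append("challenge")
    # Origin binding: the browser fills in the origin, so an assertion made on
    # a look-alike site is rejected here without the user having to notice.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        errors.append("origin")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(RP_ID.encode("ascii")).digest():
        errors.append("rpIdHash")
    if not parsed["user_present"]:
        errors.append("userPresent")
    if require_user_verification and not parsed["user_verified"]:
        errors.append("userVerified")
    # A counter that fails to increase is the spec's signal of a cloned key.
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= stored_sign_count:
        errors.append("signCount")
    signed_payload = auth_data + hashlib.sha256(client_data_json).digest()
    return {"ok": not errors, "errors": errors,
            "signed_payload": signed_payload,
            "new_sign_count": parsed["sign_count"]}


def build_sample_assertion(challenge: bytes, origin: str, flags: int,
                           sign_count: int) -> dict:
    """Construct the two client-side artefacts (constructed test data)."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode("utf-8")
    auth_data = (hashlib.sha256(RP_ID.encode("ascii")).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return {"client_data_json": client_data_json, "auth_data": auth_data}


if __name__ == "__main__":
    challenge = bytes(range(32))               # constructed RP challenge
    good = build_sample_assertion(challenge, EXPECTED_ORIGIN, 0x05, 11)
    print(verify_assertion(good["client_data_json"], good["auth_data"],
                           challenge, 10)["ok"])
    other = build_sample_assertion(challenge, "https://login.example.net", 0x05, 11)
    print(verify_assertion(other["client_data_json"], other["auth_data"],
                           challenge, 10)["errors"])
```

The origin and rpIdHash checks are what make the scheme phishing-resistant: the user never types anything that can be relayed elsewhere, and the browser, not the user, attests where the login happened. The counter check is the cheap defence against a cloned authenticator, which is why the stored count should be updated on every successful login.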

As with any security journey we learn lessons along the road. We improve our defenses and work to stay on mission. Be sure to watch this space for more on passwordless authentication over the coming weeks. The passwordless future provides us a new hope to secure our systems. This is the way. 

Try Duo For Free

Start our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.