As an online service processing credit card transactions, onPeak is subject to PCI DSS compliance requirements for protecting its customers’ information. Their primary goal is to keep this data secure using a simple and effective two-factor authentication solution.
They needed to replace their existing clunky and old-school two-factor solution, PhoneFactor, which was acquired by Microsoft while they were using it. “It just wasn’t a feel-good purchase for us to go and hand over even more money to Microsoft,” said Perry Straw, onPeak’s Director of Infrastructure and Security.
While initial research brought them to RSA, they found that RSA’s two-factor solution involved an expensive upfront commitment with required hardware. onPeak was looking for a solution that could use their users’ smartphones with already-existing technology.
Cloud-based 2FA: No hardware, low cost of entry
Because Duo is a cloud-based service, onPeak was able to easily test out the solution without much of a commitment: there was no hardware to buy and install. They needed something easy and painless that would also be adopted quickly by their remote IT team, which worked odd hours.
They chose Duo Security for the ease of integration with their existing VPN technology, which they were able to research and review with the help of Duo’s white papers and documentation that outlined the steps for several different implementation scenarios.
Duo Security’s pricing model was also a deciding factor. With a very low cost of entry, Duo’s two-factor provided a cost-effective solution that enabled onPeak to use the Duo Mobile smartphone app.
onPeak integrated two-factor authentication with their Cisco ASA VPN and LDAPS infrastructure, leveraging Duo’s Active Directory Sync app to allow for AD authentication. The main goal was to protect their IT workforce, composed of systems, developers, QA and product teams that regularly accessed their networks to write code.
Faster push notifications, advanced administration capabilities
Although they initially started with Duo Security’s phone callback authentication method, Perry eventually switched his entire IT team over to the smartphone app, using push notifications, which proved to be much faster. Plus, the push app shows the originating IP address, as well as a geoIP lookup, in order to ensure the user’s identity.
As an administrator, Perry liked that two-factor authentication was a requirement for all administrators who logged into the admin panel. He also leverages Duo Security’s web administration interface to view transaction logs. If a user reports that their VPN or two-factor isn’t working, he can log into the interface, pull up access logs and check out the problem.
Positive pre-sales experience with engineering
Shortly after signing up with Duo, Perry got a call from an engineer to help him through the integration. He had his questions about the technical requirements for onPeak’s Cisco implementation answered as a Duo engineer walked him through the entire process.
“It was one of those few occurrences where it was a positive pre-sales experience with engineering,” said Perry. “Getting those answers immediately really saved me a lot of time implementing in my environment.”
Security, regardless of compliance requirements
“In this day and age, you always hear about data breaches. No one wants to wind up on a headline somewhere with their customers’ data sitting out on the Internet,” said Perry. “Even if you aren’t required to meet PCI or HIPAA compliance, if you’re a small company and need two-factor, Duo Security’s the way to go.”