Get the security features your business needs with a variety of plans at several price points.

Desktop and mobile access protection with basic reporting and secure single sign-on.

All Duo Small/Medium Business features, plus adaptive access policies, greater device visibility, plus advanced device insights and remote access solutions.

FedRamp authorized, end-to-end FIPS compliant, streamlined solutions.

Meet compliance objectives with our friction-free MFA.

Duo provides secure access to any application with a broad range of capabilities.

Verify the identities of all users with MFA.

Provide secure access to on-premise applications.

Ensure all devices meet security standards.

Provide secure access to any app from a single dashboard.

Block or grant access based on users' role, location, and more.

Duo provides secure access for a variety of industries, projects, and companies.

Whether you're considering a big-picture security strategy like zero trust, or you want to address a specific threat like phishing attacks, Duo has you covered.

A zero trust model establishes trust in users and devices through authentication and continuous monitoring.

Duo's comprehensive access security sets the stage for user-friendly, password-free multi-factor authentication.

Secure your workforce against phishing attacks with strong multi-factor authentication, device trust and more.

Duo’s dynamic solution detects and responds to potential threat signals to secure trusted users and frustrate attackers.

Duo delivers peace of mind with strong security and increased productivity at an unmatched value.

Reduce friction and automate processes so that end-users and administrators can focus their time on moving your business forward.

Duo continues to pioneer MFA-approaches that keep your business a step ahead of the next threat.

Our Risk-Based Authentication reduces the burden placed on users so they can verify their identity quickly and get back to the task at hand.

Close the gap on your security perimeter and bring every user and every device under one secure roof.

Duo provides secure access for a variety of industries, projects, and companies.

Click through our instant demos to explore Duo features.

Duo Security is part of Cisco Secure — find out how we make global security resilience easier than ever!

Duo Product Security Advisory

Advisory ID: DUO-PSA-2018-002
Publication Date: 2018-05-23
Revision Date: 2018-05-23
Status: Confirmed, Fixed
Document Revision: 1

Overview

Duo has identified and fixed an issue with the Duo administrative panel. This issue could have allowed for a second-factor bypass of administrative logins. This issue was completely service-side and immediately resolved upon discovery of the flaw.

Description

A Duo Security employee identified a bypass condition for administrative logins by submitting specially crafted passcodes as a second factor of authentication. This issue was only applicable to administrative logins.

Impact

An administrative login for an account could have had its second factor bypassed if an attacker first acquired a valid set of primary authentication credentials. Duo Security has no knowledge of this issue being abused. Duo Security was able to remediate this issue within three hours of initial discovery by a Duo employee.

Affected Product(s)

Duo’s Administrative Panel

Solution

This issue was resolved internally through an immediate security fix applied to our cloud service deployments for all customers. No action was required by customers to have this fix applied to their account.

Duo Security conducted thorough log analysis and, from the available log data, found zero indicators that this issue had been used to attack customer accounts. However, customers may additionally choose to review their own accounts for suspicious activity by reviewing the Administrator Actions log in the administrative panel.

Vulnerability Metrics

Vulnerability Class: CWE-287: Improper Authentication
Remotely Exploitable: [Yes]
Authentication Required: [Partial]
Severity: [Medium]
CVSSv2 Overall Score: 5.7
CVSSv2 Group Scores: Base: 6.5, Temporal: 5.7
CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C

Timeline

2018-05-17

15:00 ET - Duo identifies a second-factor bypass in the Duo administrative panel.
16:35 ET - Duo verifies a fix for the root cause of the issue and begins a roll-out of the fix.
17:35 ET - All Duo customer deployments have received the remediation for this issue.

2018-05-21

Internal log analysis is conducted, and identifies no indications that this issue had been exploited.

2018-05-23

PSA is distributed to potentially impacted customers to provide awareness of this resolved issue.

References

==========

CWE-287: Improper Authentication - https://cwe.mitre.org/data/definitions/287.html

Credits/Contact

===============

If you have questions regarding this issue, please contact us at:

support@duosecurity.com, referencing "DUO-PSA-2018-002" in the subject
our phone line at +1(844)386.6748. International customers can find our toll-free numbers here: https://duo.com/about/contact.