Skip navigation

The 2020 Duo Trusted Access Report

A Remote Access Playbook

There's no denying it — remote work is the star of the corporate security show right now. It's more important than ever for organizations to provide their employees with secure access to the tools they need to be productive.

Get The Full Report


Although it feels very of-the-moment, remote work has been on the rise for years now. That said, the recent and rapid expansion of work-from-home culture presents new security challenges. How can employees access all their applications without exposing mission critical information to unnecessary risk? How can organizations allow employees to use their devices on unsecured networks, and ensure that users keep their operating systems and software up to date? There's a lot to think about. 

At Duo, it's our job to make application access more secure for organizations of all sizes, and while every organization's remote access strategy will be slightly different, there are a few fundamental factors to consider — key plays to have in your remote access playbook, so to speak. 

In this report, we'll look at what companies are doing to secure remote work and discuss what makes a good remote access strategy. 

Did you know?

Almost 78% of survey respondents were working from home at least 60% of the time, per a CSO Online study in March 2020.

Pandemic impact report: Security leaders weigh in, CSO Online


The core considerations for a good remote access strategy generally fall into three categories. We'll look at each in depth.


In this report, our security research team analyzed data from over 26 million devices, more than 500,000 unique applications and roughly 700 million authentications from across our customer base, spanning North America, Western Europe, and Asia Pacific.

A diagram illustrating 26 million devices, 700 million authentications per month, and 500,000+ unique applications.

Report Highlights

An antenna with a checkmark on top.

72% increase in multi-factor authentications from remote tech

A crossed-out smartphone.

85% increase in use of policy to disallow SMS authentications

A finger hovering over a circle that displays the text 4x.

iOS devices were 4x more likely than Android to receive and install updates within 30 days

Total devices with biometrics enabled increased 64%

The average number of daily authentications to cloud apps increased 40%


As the workforce becomes more distributed, protections against credential theft are becoming both more stringent and more granular. This year, we saw 85% more customers disallowing less secure methods of multi-factor authentication — looking at you, SMS! — and the most-used authentication method, by a large margin, is Duo Push with almost 69% of total authentications.

Multi-Factor Authentication Methods by Industry

See how your industry's most common authentication methods compare to those in other fields.

0255075100Duo PushDuo Mobile PasscodeHardware TokenSMS PasscodeRemembered Device67%10%3%2%3%Financial ServicesHealthcareEducationRetailTechnology

Looks Like You Have Javascript Disabled

This content is animated. To view it, please enable Javascript in your browser (you’ll be glad you did, trust us!).

Photo of Dave Lewis, Duo Advisory CISO at Cisco.
Industries vary the type and scope of their authentication methods based on their risk appetites. As a result, we see some industries, like Media & Entertainment, Financial Services and Technology, leading the charge with stronger authentication regimens, such as Duo Push technology. — Dave Lewis - Global Advisory CISO, Duo Security at Cisco

More About Users

In the full 2020 Duo Trusted Access Report, we'll explore:

  • More Authentication Data. How are users authenticating, in addition to the methods shown here? Have those trends changed over time?
  • Biometric Use. How many users have biometric authentication enabled, and what does that mean for remote work?
  • And More. Get the Full Report


With an increasingly remote workforce, companies can't solely rely on corporate networks or recognized devices to provide security protections. Instead, thoughtful security policies allow users to access applications on the devices they have available, whether they're corporate-managed or not. 

Policies are being used to help companies adapt to changing circumstances and security threats — over the past year, we've seen companies allow login attempts from certain countries but not others. Last year, a Chrome vulnerability prompted an uptick in browser limitation policies. 

Most Common Policy Types

See how companies use security policies to allow application access only from devices they can trust.

Location Restricted30%Invalid Device23%Out of Date15%No Screen Lock10%Anonymous IP6%010203040

Looks Like You Have Javascript Disabled

This content is animated. To view it, please enable Javascript in your browser (you’ll be glad you did, trust us!).

Blocking High-Risk Locations

For security professionals, "work from anywhere" means "protect everywhere." In many cases, authentications can be monitored using measures like device health restrictions and tight policies for critical applications. However, it's sometimes necessary to block all access attempts coming from specified locations.

Heat maps show us that, of companies who block access based on location, Russia is blocked most frequently, followed closely by China. North Korea, Iran, and Afghanistan round out the top five.

Top 5Restricted Locations:1. RUSSIA2. CHINA3. NORTH KOREA4. IRAN5. AFGHANISTAN

Looks Like You Have Javascript Disabled

This content is animated. To view it, please enable Javascript in your browser (you’ll be glad you did, trust us!).

More About Devices

Get the full 2020 Duo Trusted Access Report to learn more about:

  • Update Enforcement. Which industries are requiring device and OS updates, and how stringent are they?
  • Browser Use. Which browsers are companies allowing, and which do users rely on most frequently?
  • And More. Get the Full Report


Unsurprisingly, our data shows that remote access and cloud applications are becoming more popular year over year (between June 2019 - June 2020). But the implications of this trend go far beyond user convenience and market availability. Cloud applications are easy to protect with a security layer, like Duo's Multi-Factor Authentication, reducing time-to-security for new vendors, and bringing users the productivity tools they need to work effectively in a remote setting. 

Remote access technologies, like VPN and RDP, further secure sensitive data and are still an essential part of most work-from-home strategies — in fact, they're by far our most commonly accessed application type, claiming almost 37% of total authentications.

Application Insights

See key trends in the types of applications companies are protecting.


of authentications are to remote access technologies.


increase in authentications to VPN and RDP applications.


growth in cloud app adoption among enterprise companies.


of authentications are to on-premises applications.

Photo of Dave Lewis, Duo Advisory CISO at Cisco.

Because they don't have the internal resources to go cloud-first, small and medium-sized companies tend to leverage on-premises solutions to run the day-to-day operations of their business. Relying on older, tried-and-true ways of deploying technology isn’t a bad thing, but it does present itself as a limiting factor for future growth. — Dave Lewis - Global Advisory CISO, Duo at Cisco

More About Applications

Get the full 2020 Duo Trusted Access Report to learn more about:

  • Application Access by Industry. Which industries are leading the charge in remote access applications?
  • Application Trends by Market Segment. How much has cloud app usage changed over the past year? How much has on-prem app usage decreased?
  • And More. Get the Full Report

The 2020 Duo Trusted Access Report

In this report, you'll learn:

  • Which regions and industries have adapted to a remote-first workplace, and how
  • What policies and procedures companies are using to mitigate changing security risks
  • How companies are securing access to applications from anywhere in the world
  • How device health measures are being used to secure remote access
  • And much more!