<![CDATA[The Duo Blog]]> Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. en-us info@duosecurity.com (Amy Vazquez) Copyright 2024 3600 <![CDATA[Legacy Authentication Protocols: Why RADIUS Is (Still) Important]]> pdackiew@cisco.com (Paul Dackiewicz) https://duo.com/blog/why-radius-is-still-important https://duo.com/blog/why-radius-is-still-important Industry News

When reading the title of this blog, you might be wondering to yourself why RADIUS is being highlighted as a subject — especially amidst all of the advancements of modern authentication we see taking place recently. The truth is, for as old as RADIUS is, it is still (to this day) a vital protocol used in virtually every network infrastructure. Although it has many functions within the network itself, the purpose of this article is to show how RADIUS can be used when protecting applications with Duo, the benefits/drawbacks of the protocol, and why it deserves our attention.

Also, customers who subscribe to Duo Care have access to a Customer Success Manager (CSM) and a Customer Solutions Engineer (CSE). This dynamic duo provides solution architecture consulting, best practices, and overall security strategy when it comes to using RADIUS in conjunction with Duo’s services — and can help you navigate the pros and cons of the protocol relative to your organization’s specific environment and end-user needs.

What is RADIUS?

First, let's level-set on what we are talking about. RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. It is commonly used for network access into VPNs, wireless access points, and other devices (more on this later). 

RADIUS itself is a protocol that defines a method for passing authentication information between the network service and the AAA server, but it doesn't define the actual authentication methods. Instead, it supports a variety of authentication protocols, including EAP, PAP, CHAP, and others. Here are the differences between some of these protocols:

1. Extensible Authentication Protocol (EAP)

  • EAP is a framework that supports multiple authentication methods.

  • It’s very flexible and can work with a range of authentication mechanisms, including certificates and public key infrastructure (PKI).

  • EAP itself isn’t a specific authentication mechanism, but a way to encapsulate the authentication process.

  • EAP can be used in conjunction with RADIUS to authenticate users in more secure and complex scenarios.

  • It’s commonly used with wireless networks and Point-to-Point connections, but it’s also used for a specific VPN integration with Duo.

  • The only officially supported Duo integration that makes use of EAP is NetMotion Mobility.

  • Does the Duo Authentication Proxy support EAP or PEAP?

2. Password Authentication Protocol (PAP)

  • PAP is a simple authentication protocol where usernames and passwords are sent to the server as plain text.

  • Credentials are not encrypted by the protocol itself. RADIUS hides only the User-Password attribute, by XORing it with an MD5 stream derived from the shared secret and the per-request Request Authenticator (RFC 2865), which is why a shared secret is required when using the Duo Authentication Proxy. This keeps the password out of plain view but is not strong encryption, so the network path between the RADIUS client and the proxy should be a trusted one.

  • Learn more about how Duo protects PAP authentication.

3. Challenge-Handshake Authentication Protocol (CHAP)

  • CHAP is more secure than PAP because it uses a challenge-response mechanism: the server sends a random challenge to the client, the client responds with a one-way hash (MD5, per RFC 1994) of the challenge and the password, and the server checks that value.

  • The password itself is never sent over the network. The trade-off is that the server must hold the cleartext password to recompute the hash, so CHAP cannot be verified against a directory that only lets you test a password by binding with it.

  • Periodic re-challenges confirm that the same peer still holds the secret and limit the window in which a hijacked connection can be used.

  • The Duo Authentication Proxy does not support CHAP.

4. Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)

  • MS-CHAP is a Microsoft version of CHAP that includes additional features, such as a different method for hashing and an additional authentication response designed to support Microsoft clients and servers.

  • MS-CHAP v2 is an improvement over the original MS-CHAP and provides better security by using stronger cryptographic keys and two-way (mutual) authentication. Its strength is still limited: the client response is computed with DES from the NT password hash, and a captured handshake can be attacked offline, so MS-CHAPv2 should be carried inside a protected tunnel (for example PEAP or EAP-TTLS) rather than over bare RADIUS.

  • Does the Duo Authentication Proxy support MS-CHAPv2 or EAP-MSCHAPv2?

In practice, the choice of which authentication protocol to use with RADIUS depends on the required level of security, the capabilities of the client and server equipment, and the specific use case.

Anatomy of a RADIUS packet (with Duo MFA)

The flow of a RADIUS packet through the RADIUS protocol involves several steps and typically follows this sequence:

  1. Access-Request — The flow begins when a client device (known as a RADIUS client, usually a network access server or NAS) sends an Access-Request packet to a RADIUS server. This request includes credentials provided by the user, such as a username and password, along with other attributes such as NAS-IP-Address and NAS-Port. The application that Duo is protecting is acting as the RADIUS client device.

  2. Processing the Request — Upon receiving the Access-Request, the RADIUS server processes the request by verifying the user's credentials against a user database, typically by way of the Duo Authentication Proxy. This might involve checking Active Directory (via LDAP) or another downstream RADIUS server, such as Microsoft NPS.

  3. Challenges (Optional) — If additional information is required from the user (in the case of challenge-response authentication), the RADIUS server sends back an Access-Challenge packet to the RADIUS client. The client then prompts the user for additional information, which is sent back to the RADIUS server in another Access-Request packet that echoes the State attribute from the challenge. A typical example of this is the radius_server_challenge configuration of the Authentication Proxy.

  4. Duo Multi-Factor Authentication — Once the Authentication Proxy receives a successful message from the user database (AD, NPS, etc.), it will send an HTTPS request to Duo’s cloud service to perform MFA. The results of that authentication will determine which RADIUS message is sent next.

  5. Access-Accept or Access-Reject — After processing the request, the RADIUS server will respond to the NAS with one of the following:

    • Access-Accept — The user's credentials are valid, and the server provides authorization attributes that inform the NAS of any specific conditions for access. The user is permitted to access the application.

    • Access-Reject — The user's credentials are not valid or the user is not authorized for access. No further attributes are needed or sent. The user is not permitted to access the application.

Fig. 1: Example network diagram of a RADIUS packet flow with Duo

We won’t delve into Accounting workflows since Duo does not support this part of the RADIUS protocol. When Duo MFA is invoked, record-keeping data is tracked in the Authentication Log.

Throughout the entire process, RADIUS communication uses UDP as the transport protocol, with port 1812 being used by default (some older equipment still uses 1645). RADIUS packets are not encrypted. The protocol hides only the User-Password attribute, by XORing it with an MD5 stream derived from the shared secret and the per-request Request Authenticator (RFC 2865); every other attribute, including the User-Name, travels in cleartext, and the Response Authenticator that protects replies is likewise an MD5 over the packet and the secret. Treat the shared secret as a credential: make it long and random, use a distinct secret per RADIUS client where the proxy allows it, and keep RADIUS traffic on a trusted network segment or inside a tunnel such as IPsec or RADIUS over TLS (RadSec, RFC 6614). Learn how to protect the shared RADIUS secret and other passwords that reside on the Duo Authentication Proxy.
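To make the packet anatomy above concrete, here is an added example (it is not Duo's code and not taken from the Authentication Proxy) that builds an Access-Request with the RFC 2865 User-Password hiding described in the PAP section, answers it with an Access-Challenge and then an Access-Accept, and verifies the Response Authenticator on the client side so that a reply forged without the shared secret, or replayed for a different request, is rejected. The username, passcode, NAS address and State value are constructed for illustration.

```python
"""RADIUS Access-Request / Access-Challenge / Access-Accept per RFC 2865 (added example)."""
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, REPLY_MESSAGE, STATE = 1, 2, 4, 5, 18, 24
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type, value):
    """Type | Length (counts these two bytes too) | Value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attrs(data):
    """Parse the attribute list into [(type, value), ...], rejecting bad lengths."""
    attrs = []
    while data:
        if len(data) < 2:
            raise ValueError("truncated attribute")
        attr_type, length = struct.unpack("!BB", data[:2])
        if length < 2 or length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[2:length]))
        data = data[length:]
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first block is keyed by the Request
    Authenticator. This is secret-keyed obfuscation, not authenticated encryption."""
    padded = password.ljust(-(-len(password) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password (what the server or proxy does); strips NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def build_access_request(username, password, secret, identifier, state=None, request_auth=None):
    """What the NAS (the Duo-protected application) sends. A fresh random
    Request Authenticator per request is what makes each hidden password unique."""
    request_auth = request_auth or os.urandom(16)
    attrs = [
        encode_attr(USER_NAME, username),
        encode_attr(USER_PASSWORD, hide_password(password, secret, request_auth)),
        encode_attr(NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),  # constructed NAS address
        encode_attr(NAS_PORT, struct.pack("!I", 0)),
    ]
    if state is not None:  # echo the server's State when answering an Access-Challenge
        attrs.append(encode_attr(STATE, state))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, request_auth, body, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_response(code, request, secret, attrs=()):
    """What the RADIUS server sends back (Accept, Reject or Challenge)."""
    auth = response_authenticator(code, request[1], request[4:20], b"".join(attrs), secret)
    return build_packet(code, request[1], auth, attrs)


def verify_response(response, request, secret):
    """Return the Code if `response` is a genuine reply to `request`, else None.
    Checks the Length field, that the Identifier matches the outstanding request,
    and the Response Authenticator (constant-time compare)."""
    if len(response) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    expected = response_authenticator(code, identifier, request[4:20], response[20:], secret)
    return code if hmac.compare_digest(expected, response[4:20]) else None


def challenge_flow(secret, username=b"alice", password=b"hunter2", passcode=b"123456"):
    """Walk the flow described above: primary credentials, a challenge for a second
    factor, a follow-up request echoing State, then Accept. Returns the codes seen."""
    req1 = build_access_request(username, password, secret, identifier=1)
    chal = build_response(ACCESS_CHALLENGE, req1, secret, [
        encode_attr(REPLY_MESSAGE, b"Enter a Duo passcode"), encode_attr(STATE, b"session-42")])
    seen = [verify_response(chal, req1, secret)]
    state = dict(decode_attrs(chal[20:]))[STATE]
    req2 = build_access_request(username, passcode, secret, identifier=2, state=state)
    seen.append(verify_response(build_response(ACCESS_ACCEPT, req2, secret), req2, secret))
    return seen


if __name__ == "__main__":
    print(challenge_flow(b"long-random-shared-secret"))  # [11, 2]
```

The point to take from `verify_response` is that the Response Authenticator and the shared secret are the only things standing between the NAS and a spoofed Access-Accept, which is why the secret deserves the same handling as any other credential and why the UDP path should not cross untrusted networks.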

Is RADIUS still relevant?

RADIUS is typically viewed as a legacy network protocol since it cannot take advantage of modern security benefits that would normally be available when using WebAuthn, such as phishing-resistant MFA, enhanced device telemetry, biometrics, and Passwordless. We typically see RADIUS deployed (to this day) in a network appliance ecosystem because (along with TACACS+) it is one of the protocols of choice for logging into routers, switches, wireless access points, and VPNs. Robust identity platforms such as Cisco Identity Services Engine (ISE) can enhance the agility, automation, and visibility of the RADIUS protocol. Although it is recommended that end-user facing applications be migrated over to a modern authentication protocol such as browser-based SAML or OIDC (that leverage Single Sign-On), the need for RADIUS-based client/server authentication is still prevalent today. For example, consider the following points:

  1. Widespread Adoption: RADIUS has been implemented in a wide range of network devices and services. Many vendors support RADIUS in their networking equipment, making it a de facto standard for network access control.

  2. Centralized Authentication: RADIUS allows for centralized management of authentication credentials. This means that users can be authenticated across various network services and devices from a single point of control, which simplifies administration.

  3. Support for Multiple Authentication Methods: RADIUS supports a variety of authentication methods, including PAP, CHAP, MS-CHAP, EAP, and more. This flexibility allows it to integrate with various types of user databases and authentication mechanisms, including modern multi-factor authentication (MFA) systems, such as Duo.

  4. Interoperability: RADIUS works across different types of networks, including wired, wireless, and VPN connections. Its ability to function in diverse environments makes it a versatile tool for network administrators.

  5. Scalability: It can handle a large number of authentication requests, making it suitable for organizations of all sizes, from small businesses to large enterprises and ISPs. Compared to LDAP, RADIUS has less overhead when processing requests via the Authentication Proxy.

  6. Security: Although it has some limitations in terms of encryption, RADIUS does offer a level of security that is sufficient for many scenarios. The use of shared secrets and attribute obfuscation helps protect sensitive information as it travels across the network.

  7. Compatibility With Legacy Systems: Many organizations have legacy systems and infrastructure that already integrate with RADIUS. Switching to a new system using SAML or OIDC may not be (yet) feasible for an organization or the application vendor, so RADIUS remains relevant for ensuring compatibility and protecting existing technology investments.

Should I use RADIUS with Duo?

Duo supports many named integrations via RADIUS as well as a generic integration that can be used to protect virtually any RADIUS-based application. When determining when to use RADIUS, you might be at the mercy of the application to only use RADIUS (and perhaps even a specific authentication protocol, such as MSCHAPv2). Or you might have the option to choose between RADIUS and another protocol such as LDAP or SAML when integrating with Duo. For example, Cisco ASA for AnyConnect has multiple integration options as seen in the ‘What are the differences between the various Cisco ASA configurations?’ knowledge base article.

To help you choose the best option for protecting your application with Duo, note some of the key differences between RADIUS and other protocols:

Conclusion

No matter what authentication method or protocol you choose to integrate with Duo, there will always be differences in security, usability, and compatibility that should be carefully considered. RADIUS remains an integral part of most network ecosystems and has enough use today to warrant serious consideration. As applications move toward modern protocols such as OIDC and WebAuthn, we should see a reduction in overall RADIUS usage, but there will likely remain critical use cases to support for the foreseeable future.

Access-Accept!

]]>
<![CDATA[Device Security Beyond Enrollment: Securing the Self-Service Portal]]> pschafer@cisco.com (Phillip Schafer) https://duo.com/blog/device-security-beyond-enrollment-securing-self-service-portal https://duo.com/blog/device-security-beyond-enrollment-securing-self-service-portal Product & Engineering

Duo’s Self-Service Portal (SSP), which lets users manage their own authentication devices, saves time for both Duo users and admins. However, it can also be a target for cyberattacks. Often the first step for an attacker with stolen credentials is to try to fraudulently register an MFA device, giving persistent access to the user’s account.

In a recent blog, we discussed best practices for user enrollment, including how to prevent malicious device registration when users self-enroll. In this blog we’ll share best practices for Duo admins to continue to reap the benefits of self-service after enrollment while keeping their user accounts secure.

Why use the Self-Service Portal?

What’s the risk?

Self-service device management presents a similar risk to new user self-enrollment: a bad actor with stolen user credentials can attempt to access the SSP and register their own device. Once they do so, they gain persistent access to the account.

Unlike new user enrollment workflows, the SSP is protected by MFA. However, actors may try to circumvent MFA using techniques such as passcode phishing or MFA fatigue attacks. If one of these techniques succeeds against the SSP, the actor's newly registered device lets them circumvent MFA protections for future logins to other applications.

How to protect the SSP

Protecting the SSP follows the same principles as any other resource. However, secure posture exists on a spectrum and often has tradeoffs with end-user friction. A critical resource like the SSP should lean toward the secure end of that spectrum. Fortunately, users should need to access the SSP infrequently, so locked-down access controls won’t be too much of a burden.

Duo by default overrides configuration settings that allow users to bypass MFA, such as remembered device and authorized network policies and user bypass status, for SSP access. We further recommend setting custom policies for the SSP to ensure a strong posture. Specifically:

In addition to these application policy settings, admins can elect global settings to guard against device registration attacks.

With some or all of these safeguards in place, the SSP can be an effective way for users to manage their devices.

]]>
<![CDATA[Social Engineering 201: How the User Protection Suite Safeguards Organizations]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/social-engineering-201-how-user-protection-suite-safeguards-organizations https://duo.com/blog/social-engineering-201-how-user-protection-suite-safeguards-organizations Product & Engineering

In Social Engineering 101, we shared the story of John, the well-meaning employee who fell victim to a phishing attack. In this scenario, John was tricked into resetting his password by a bad actor pretending to be the IT team, which gave away access to his account. In that blog, we also discussed the many ways Duo protects John, from strong authentication methods to pairing authentication with device trust policies.

But what if the email never reached John, or the phishing link was blocked? That’s why most organizations do not rely on a single security solution but layer defenses around users and sensitive resources to ensure there isn’t a single point of failure. However, the disparate security solutions meant to protect against particular threats can lead to visibility and administration challenges for organizations.

That’s why Cisco protects users from the top attack vectors targeting organizations with the User Protection Suite, which includes Duo. The User Protection Suite defends all users, devices and access to applications to reduce gaps in the attack surface.

Now, let's rethink the story of John when he is protected by the suite.

In this new story, let's assume that email protection was not in place and the malicious email made it to John. When he clicked on the bad link, Cisco Secure Access would step in and block the user from accessing the malicious destination. Cisco sees 1 million malicious domains every hour, and all that data means we have a good idea when a website should be blocked. In this new scenario, we know John could only click the link on his managed laptop because Duo’s Trusted Endpoints would block email access on unknown or unmanaged devices.

We’ve now seen John’s credentials protected by Duo and his access protected by Secure Access. But now let’s consider if John never received the attacker’s email because Email Threat Defense recognized signs of malicious intent: there was an urgent request, from an unknown sender, with a malicious link. Email Threat Defense uses multiple AI detection engines to determine the difference between true threats and false positives. It would block the email from reaching the end user and quarantine the link to provide the organization’s administrators with the context to better understand the nature of the threats targeting their organization.

When protecting users against threats, we can never assume there is one silver bullet or singular solution. Attackers are constantly finding new ways to target users and get access to an organization’s resources and data. This is not a new story. However, when Cisco security solutions bring email, web, endpoint and authentication to work together to layer the defenses around the user, that makes our users, and organizations, safer.

To learn more about how the User Protection Suite can protect your organization today, see the Cisco User Protection Suite webpage and connect with an expert today.

]]>
<![CDATA[Enhancing Duo With Cross-Platform Identity Data]]> kara@duo.com (Ben Myers) https://duo.com/blog/enhancing-duo-with-cross-platform-identity-data https://duo.com/blog/enhancing-duo-with-cross-platform-identity-data Product & Engineering

Identity remains a key target of attackers. Breaches leveraging identity for initial access or even privilege escalation and lateral movement are on the rise. The increased complexity of modern identity systems only intensifies the challenge of securing the identity perimeter. Organizations are grappling with a stark reality: Without contextual insights into their multi-vendor identity ecosystems, they are often blind to gaps in their defenses.

As a part of Duo’s new Continuous Identity Security solution, our deep integration with Cisco Identity Intelligence is here to bridge these gaps and deliver a new standard of protection. In the current climate of diverse Identity Providers (IdPs), hybrid workforces, and a mix of managed and unmanaged devices, Duo and Cisco Identity Intelligence organize identity perimeter data and make it easier to defend and protect.

Here's the essence of the solution: Cisco Identity Intelligence amplifies the value of your identity and security tools, including industry standbys Microsoft Entra and Okta. By integrating data from various sources, including HR systems like Workday and customer relationship platforms like Salesforce, Cisco Identity Intelligence constructs a comprehensive identity landscape. With this enriched data, Cisco Identity Intelligence organizes identity-related activity, encompassing all accounts and devices across your IdPs. This panoramic view can then be leveraged by Duo to inform enforcement points, perform Identity Threat Detection & Response (ITDR), and proactively harden your Identity and Access Management (IAM) posture.

The advantages are clear and twofold. First, you receive actionable intelligence on IAM posture gaps, enabling proactive fortification against identity-based attacks. Second, access decisions are enriched with multi-vendor identity context.

Consider the practical implications: Cisco Identity Intelligence enables administrators to significantly enhance their organization’s identity posture through critical insights into dormant accounts, gaps and vulnerabilities in MFA deployment, admin activities, and more. By coupling these insights with Duo's robust access management capabilities, organizations can modify access experiences — stepping requirements up or down – based on identity enrichment. For example, if Cisco Identity Intelligence detects a compromised session — it can seamlessly pass that information to Duo to provide enforcement like stepping up authentication requirements or revoking a session.

A CISO from a leading healthcare company expressed the tangible benefits of the integrated solution: "Cisco Identity Intelligence provides us with precise insights into identity threats. We're able to identify and address MFA adoption rates and other identity vulnerabilities, allowing us to proactively strengthen our defenses in Duo."


Next steps

The most exciting news is that Duo’s integration with Cisco Identity Intelligence is available in Public Preview to most customers today. For Duo Advantage and Premier customers, follow the documentation here to activate your integration today.

If you’re an Essentials customer or a prospect interested in learning more about the power of Duo + Cisco Identity Intelligence, the best path forward is signing up for an Identity Security Assessment. This assessment is effectively a free trial of the new functionality and will showcase a variety of valuable features and use cases.

This is just the beginning. The integration between Duo and Cisco Identity Intelligence will only improve over time — so stay tuned for product updates. Here’s to helping defend the identity perimeter!

]]>
<![CDATA[The Front Door Just Got a Lot Harder to Break Into: Announcing Passwordless Authentication for Windows Logon]]> kehankin@cisco.com (Kevin Hankins) https://duo.com/blog/announcing-passwordless-authentication-for-windows-logon https://duo.com/blog/announcing-passwordless-authentication-for-windows-logon Product & Engineering

“The best way to break in is through the front door.”

We’ve heard some version of this phrase many times over, whether it pertains to a bad actor physically breaking into a secured building or socially engineering an unsuspecting victim to provide access to protected information. The cybersecurity landscape is littered with front doors, while modern society’s reliance on digital technologies is only increasing. Inevitably, several times during the workday, employees need to enter their credentials when they turn on or unlock their device with Windows Logon, the front door. The ability to safely access our computer plays a key role in developing trust in adopting these technologies, which do more good than harm.

In the world of access management, we have seen wide deployment of multi-factor authentication (MFA) at the point of the Operating System (OS) to invoke the layer of something you know (i.e., a password) and something you have (i.e., a registered device). This move made it harder for bad actors to gain unauthorized access to the endpoint device and the data on it. Consequently, these adversaries have since adapted and continue to find creative ways to pass through the metaphorical front door of our machines. The latest trends notoriously involve a cocktail of push phishing, password spraying, stolen credentials and many other nasty ingredients.

To address the burden that these attacks place on ‘all those who want to protect their local logins’, Cisco Duo is thrilled to announce that Passwordless Authentication for Windows Logon (PWL OS Logon) is now in Private Preview!


Passwordless for Windows Logon is compatible with Duo Passport, a new capability that we announced at RSAC 2024. Together, the two capabilities deliver a true and secure single sign-on experience for the workforce right when they start their day by logging into a Windows device.

How does this improve the proverbial front door?

Cisco Duo’s approach to a passwordless experience at the OS enables a stronger, usable defense in a variety of ways (in addition to not having to enter your password):

Stronger

Usable

Where won’t Passwordless for Windows logon work yet?

This version of Passwordless for Windows logon will not work in RDP (remote desktop) sessions. Given the crossing of the trust boundary, our research shows that a different approach will be needed in the future to assert the trust of the same user on the same device.
Passwordless Offline Mode is coming soon — it is in our roadmap, but not here yet! The current experience will default to the existing Windows Logon Offline mode.

How can I try Duo Passwordless for Windows logon?

For an opportunity to participate in the Private Preview this summer, please reach out to us here! And if you are interested in trying Duo, sign up for a free 30-day trial.

]]>
<![CDATA[Dive in With Duo Passport: A Secure, Seamless Future]]> jduggan@duo.com (Joe Duggan) https://duo.com/blog/dive-in-with-duo-passport-secure-seamless-future https://duo.com/blog/dive-in-with-duo-passport-secure-seamless-future Product & Engineering

Duo has long been the most loved company in security. But here’s the thing: That’s despite MFA being the most grumbled-about part of many end-users’ day. While our customers love us for our ease of use, flexibility and focus on security, a lot of end users think of Duo the way they think of floss, bike helmets and low-sodium foods. Secure authentication isn’t fun, but you put up with it as part of your day because you know it’s keeping you safer.

At Duo, we are constantly pushing the envelope — how can we deliver the security that our customers need, with less inconvenience for end users? Can we make secure access a positive experience for our end users? That’s why we’re so excited to bring to market Duo Passport — a new capability that drives secure, seamless access to all the permitted applications with just one interactive authentication.

Over the past decade, MFA adoption has increased across organizations of all sizes. This is a great thing and a huge achievement for the security teams. However, it’s led to an unfortunate side effect: lots of workers, through no fault of their own and without presenting any particular risk, end up authenticating again, and again and again throughout their day. It’s normal to use an email client, a VPN, a browser, and maybe a handful of other apps in your to-do list; so why do authentication vendors put up so many walls for you?

Duo Passport reduced end-user authentication by more than 65% in one customer, who tested it over several months.

Enter Duo Passport: A better way forward

When Duo Passport is enabled, a user’s authentication is remembered for a specified time period by Duo’s cloud services across all of their applications. It leverages device binding, facilitated by Duo Desktop, to deliver a Remembered Device experience, even as the end user moves across web applications and client-based applications. Unlike other solutions, Passport does not rely on just the cookie store in the browser, or each application’s settings, to deliver a seamless experience for end-users and minimize repeated authentication requests.

Duo meets the user wherever their day starts and works behind the scenes as they move through their tasks.

Here’s where Passport gets cool: it’s customizable to your environment and compatible with all other strong security features that Duo offers. Let’s look at some examples!

One of the customers in our private preview program is an enterprise electronics company. They protect Windows Logon in their environment, as well as hundreds of applications. Some of these applications are browser-based SaaS applications, and many of them have their own clients. By rolling out Passport to more than a thousand users in their trial, they’ve saved tens of thousands of authentications that their end users didn’t have to complete interactively, while resting assured that Duo was still enforcing security through these integrations. This customer plans to roll Passport out to more than 18,000 users, and had this to say:

“The experience with Duo Passport has been really good and the feedback from all 1300 pilot users has been extremely positive. In the past, our use of MFA has been very strict and this has eased up on the end user friction that we were inadvertently putting on users.”

In another example, let’s look at Cisco’s own implementation of Duo. Cisco has deployed Passwordless widely, uses Risk-Based Authentication, and enforces Trusted Endpoints as well as Device Posture using Duo Desktop. Passport works seamlessly with all of these features! Passport adoption here is well under way, with plans for a company-wide rollout.

“With Duo, we are able to strike the right balance between User Experience and Security. It is rare that these words are used together in one statement when it comes to security related enforcements. Our User Experience satisfaction score is increasing every quarter and at the same time our security team is happy with the enforcements we are able to implement.” — Sarabjeet Rana, Information Security Architect at Cisco

A great litmus test for any balance of security and end user experience is understanding how Managed Service Providers feel about it. We’ve had a great partnership throughout our preview program with several MSPs, which speaks to the improved end user experience that Passport delivers.

“Duo Passport is an essential step on our road to making secure access the default for our customers. We selected Duo as our partner because of their attention to ease of use and their expertise across platforms. We are accelerating our deployment of Duo Passport to maximize the strength of our customers’ defenses while we keep interruptions of their workflows to the minimum.” — JustWorks, a pure play MSP founded in 1996

Duo Passport is available today, to all Duo Advantage and Premier customers. You can enable it yourself now.

We’re really excited to get this in your hands and are already hard at work on what’s next. We’re bringing Passport to multi-user scenarios, which has been requested by all our healthcare customers in preview. And if you thought that we didn’t like too many authentications…just wait until we tell you about our thoughts on passwords and remember-me cookies!

]]>
<![CDATA[Duo’s New Session Trust Solution Provides Continuous Policy]]> jgolden@duo.com (Jennifer Golden) rayluo@cisco.com (Raymond Luo) https://duo.com/blog/duos-new-session-trust-solution-provides-continuous-policy https://duo.com/blog/duos-new-session-trust-solution-provides-continuous-policy Product & Engineering

User experience and security protocols have historically been at odds. To improve security outcomes, users are forced to jump through more hoops to gain access to sensitive resources. Duo is rethinking this paradigm with the launch of Session Trust’s continuous policy.

Challenge with sessions

When a user logs in to a new application, the website sends a cookie that is stored in the browser. This enables the website to remember you. Without these cookies, users would have to re-login with every click. Imagine if you had to enter your username and password for your account every time you added a new item to your shopping cart or clicked on a new webpage.

That's why sessions are so important. However, a lot can change over the course of a session. At the beginning, session trust is high because the application can verify it’s the right user accessing the right resources. But over time, that trust might degrade as users move locations, devices become infected with malware, or new signals show that the current user is not the same one that initially logged in. Despite changing risks, access today is binary: it’s granted once at the start of a session and never re-evaluated until hours, or even days, later when the session expires.

So how can we enable organizations to evaluate risk throughout the session and take action beyond the point of authentication? What other tools can we provide organizations beyond setting session length?

Introducing continuous policy with Session Trust

Session Trust now makes access safer by continuously evaluating device health policy over the entire lifecycle of the session. There are three parts to this new functionality — device posture heartbeats that are collected continuously, ongoing evaluation of posture against the organization’s policy, and web session enforcement to terminate a non-compliant session.

Whereas device health policy was previously evaluated once at the time of login, continuous policy now leverages Duo Desktop heartbeats to evaluate posture constantly. Once a change is detected, a heartbeat is sent to Duo. If the device no longer complies with policy, the Duo browser extension revokes the session by removing the login cookie, prompting users to remediate device issues and re-establish trust.

By protecting sessions throughout their lifecycle, administrators can confidently increase session time, knowing that sessions can be revoked the moment risk levels change. End users can stay logged in longer, and administrators no longer need to face the hard choice of frustrating end users or attackers.

Duo’s vision for Continuous Identity Security

The Session Trust continuous policy feature is an important milestone for Duo as we seek to achieve our goal of providing Continuous Identity Security for our users and organizations. We see a world where trust is neither binary nor permanent, where Duo works continuously so you don’t have to.

As we look to the future, we are working to expand the signals that Duo can collect and process — providing a more cohesive view of risk — and giving organizations more tools to better protect their users. Additionally, we are working to make Session Trust available for more application types, ensuring that every session maximizes user experience and security.

To learn more, sign up for a free trial of Duo or reach out to your sales rep to sign up for private preview today.

]]>
<![CDATA[Cisco Duo Announces Agentless Native Integration With Google Chrome Enterprise]]> jekwok@cisco.com (Jennifer Kwok) https://duo.com/blog/cisco-duo-announces-agentless-native-integration-with-google-chrome-enterprise https://duo.com/blog/cisco-duo-announces-agentless-native-integration-with-google-chrome-enterprise Product & Engineering

Cisco Duo plays a pivotal role in safeguarding identities for organizations of all sizes and industries, providing a simple way to defend against identity-based attacks. However, challenges to zero trust security still exist; organizations must maintain strong security in mixed-IT environments while balancing increases in staffing, spending and agent fatigue.

In collaboration with Google Chrome Enterprise, Cisco Duo is excited to introduce the general availability of Duo's native Device Trust integration with Chrome Enterprise and ChromeOS to address these concerns, empowering organizations through agent-free device trust across all three major platforms: Windows, Mac and ChromeOS.

Announcing Duo Device Trust Connector for Chrome Enterprise and Chrome OS

According to Duo’s 2024 Trusted Access Report, 62% of desktop authentications were made from Chrome. With many users already utilizing Chrome browser to get work done, Duo’s partnership with Chrome Enterprise strikes a balance of security and user experience.

With a Chrome Enterprise-managed browser, the browser itself provides device posture signals. Traditionally, establishing device trust often involved deploying and managing endpoint agents, a process that could slow down onboarding and add administrative overhead. Duo’s Device Trust integration with Chrome Enterprise eliminates this pain point with an out-of-the-box, cloud-delivered integration. Duo's integration with Chrome Enterprise provides attestation of the device identity using Duo Trusted Endpoints policy before enabling access. This is Duo’s second Chrome Enterprise Recommended solution and an updated solution of Google Verified Access.


Let’s take a look at how it works!

How Duo’s Device Trust integration protects your organization

As enterprises continue to become more reliant on the browser, more sensitive data is being stored in the cloud. It is more important than ever to protect your user identities and ensure your resources are only being accessed by managed devices.

Advantages of Duo and Google Chrome Enterprise

  • Agentless Deployment — Simplify deployment and reduce risks of transitional downtime through tested cloud delivery.

  • Stronger Security — Verify device trust at every login attempt, and limit access to only known devices and browsers.

  • Enhanced User Experience — Streamline user experience and boost productivity with an integration that secures access from any location.

  • Wide OS Support — Deploy Duo Device Trust across Windows, MacOS and ChromeOS from a single Google Admin panel (Chrome Enterprise).

  • Ease of Management — Less to manage in a centralized Duo dashboard, with granular policy adjustments for organizations of any size.

Duo Trusted Endpoints with DTC offers a powerful, agentless approach to device trust. Start customizing your zero trust strategy by enforcing device trust on your most sensitive application(s) or a particular group of users with Duo’s granular policies. Leverage Google Chrome Enterprise Core to effortlessly configure your devices, and manage access for your Windows, Mac and ChromeOS devices centrally through Duo's intuitive Admin Panel.

Read our documentation page to get started setting up Duo with DTC. And to see additional ways Duo customers can secure their users across Google’s ecosystem, please visit our Cisco Duo + Google partner page.

Want to learn more about additional Cisco Security Chrome Enterprise Recommended solutions?

]]>
<![CDATA[Authentication Alone Is Failing: Introducing Continuous Identity Security]]> ivablazi@duo.com (Iva Blazina) https://duo.com/blog/introducing-continuous-identity-security https://duo.com/blog/introducing-continuous-identity-security Product & Engineering

The security industry has diligently battled compromised credentials, evolving from passwords to multifactor authentication (MFA) to passwordless — our most secure and phishing-resistant method to date — and one that is fully supported in Duo. Despite these advancements, we still see many identity-based breaches year over year. Why?

For one, MFA coverage is still vastly incomplete, with weaker forms of MFA now easily bypassed by attackers. And second, organizations still face practical challenges deploying passwordless solutions. Despite their remarkable security value, our 2024 Trusted Access Report reveals that passwordless methods still account for less than 5% of authentications.

This means there are serious holes in our authentication armor today. To duct tape over these gaps, we’ve often demanded our users repeatedly prove their trustworthiness — a cumbersome and frustrating experience.

To simultaneously address the increase in identity-based attacks and ease the frustration of repeated authentication, Cisco Duo is proud to announce our new solution: Continuous Identity Security. Continuous Identity Security minimizes these gaps today in chaotic real-world environments with multiple identity providers (IdPs), hybrid workforces, unmanaged devices and legacy applications. With Continuous Identity Security, you can be safer while working towards a passwordless future.


To deliver Continuous Identity Security, Duo has developed two new pieces of functionality: deep integration with Cisco Identity Intelligence and a seamless new access experience, Duo Passport.

Our integration with Cisco Identity Intelligence adds value on top of your identity and security investments like Microsoft Entra and Okta. It uses AI to analyze all identity-related activity across all accounts, all devices and IdPs to provide deep visibility into identity infrastructure and continuously inform Cisco Duo enforcement points.

The benefit is twofold. Organizations get a strong understanding of what’s happening in their identity environments, enabling them to improve posture by increasing MFA coverage, decreasing dormant accounts and controlling administrator privileges more concisely. Additionally, Duo access decisions are now enriched with identity data. For example, if an administrator takes a risky action or a dormant account attempts access after months, Duo can increase authentication requirements.  

If Cisco Identity Intelligence enhances security, Duo Passport dramatically enhances user experience. Passport takes the promise of traditional Single Sign-On (SSO) solutions (i.e. one login, many use cases) and expands it beyond SaaS apps to multiple browsers, operating systems and thick clients. Now, a user can log in securely to their laptop and that trust will be seamlessly brokered to the web, but also to thick client logins like a VPN. The experience is seamless and secure for end users, drastically reducing the repeated authentication requests they face daily. In fact, a preview customer reduced authentications by 66% in their environment.


However, the expedited experience only persists in trusted scenarios. Duo will continuously assess the risk throughout the user’s session — before, during, and after login. In suspicious situations, Duo will dynamically increase authentication requirements, or even block a user.

With Continuous Identity Security, organizations can protect themselves against the sharp rise in identity-based attacks — all while maintaining a seamless access experience for their end users. Security is better because organizations now have deep visibility into identity environments and access decisions are enriched with both device and identity context. Yet, user experience is also improved because Passport and continuous analysis means trust can be shared between authentication checkpoints, reducing authentication frustration.

While the ultimate goal is a fully passwordless landscape, the journey there is complex. Duo offers a powerful new solution for today's security challenges. With Continuous Identity Security, we make a large step forward in our commitment to frustrating attackers while delighting users. If you’d like to learn more about Continuous Identity Security, register for our webinar, read more at our solution page, or just drop us a line.

]]>
<![CDATA[Duo Continues to Enhance Partnership With Microsoft on New Entra ID External Authentication Methods]]> gleishman@duo.com (Ginger Leishman) kyang@duo.com (Katherine Yang) https://duo.com/blog/duo-continues-to-enhance-partnership-with-microsoft-on-new-entra-id-external-authentication-methods https://duo.com/blog/duo-continues-to-enhance-partnership-with-microsoft-on-new-entra-id-external-authentication-methods Product & Engineering

If you’ve been wondering what the plan for Microsoft Custom Controls is, wait no more! We are excited to have partnered closely with Microsoft in the co-development of Microsoft Entra ID External Authentication Methods, now in Public Preview!

External Authentication Methods (EAM) enables frictionless integration of Duo’s full security feature set. We know our customers love using the power of Duo’s identity security solution together with Microsoft Entra ID (previously Azure AD) to make it easy to set up SSO, deploy passwordless, or create and manage granular access policies and ensure that only trusted users and devices are given access to their applications. Duo is now a fully integrated MFA and advanced identity security provider within Entra ID.

“At Microsoft Security, we're always looking for ways to help our customers stay ahead of the curve when it comes to security. The integration of Entra ID External Authentication Methods with Duo is a prime example of this commitment, as it allows our customers to leverage the MFA solution they already have in place to protect against increasingly sophisticated phishing attacks.” — Natee Pretikul, Principal Product Management Lead, Microsoft Security

Benefits of Duo and Microsoft Entra ID EAM

Heterogeneous infrastructure and mixed-vendor IT environments add complexity to managing policies, users, and devices. This can lead to confusing sign-in processes or security loopholes. Switching between multiple MFA providers can cause confusion for organizations and friction for their users. Duo’s new integration with Entra ID through EAM enables authentications through Duo to be recognized by Entra ID as a strong security factor that meets MFA requirements. Now, Duo works even more seamlessly across all Microsoft and non-Microsoft workflows, allowing customers to consolidate their identity security and MFA while delivering a consistent and frictionless experience to end users.

Duo and Microsoft for Managed Service Providers

“Duo and Microsoft EAM is a killer combination. Using them together allows Tigunia to have a single MFA system for all protected applications, while still satisfying the MFA requirement in Microsoft 365. Previously with Custom Controls, we would have to switch to MS Authenticator to perform DAP/GDAP operations or Verify Apps, but with EAM and Duo we can use a single system to require MFA for everything. The efficiency, user experience, and security gains of using EAM with Duo are incredible.” — Martin Twerski, Director of Internal Systems at Tigunia

Get started with Duo as a Microsoft Entra ID External Authentication Method

Microsoft Entra ID External Authentication Methods is available now in Public Preview, and you can dive in, begin testing and plan your migration from Custom Controls to EAM. Stay tuned, as we'll be providing further updates and support to assist customers in the transition to External Authentication Methods, like self-service password resets.

Without having to worry about transitional downtime risks, customers can experience seamless cloud delivery and setup of Duo’s stronger access security solution. Start integrating Duo with Microsoft Entra ID External Authentication Methods for an even better security experience!

Read Microsoft’s announcement to learn more about this integration. And check out Duo’s technical documentation for guidance on making the switch.

Are you attending the RSA Conference next week? Experience a demo at Cisco’s RSA Conference booth in the North Hall.


Duo is a Microsoft Intelligent Security Association (MISA) partner and continues to strengthen our commitment to providing customers with best-in-class security experiences. See Duo on Azure Marketplace.

]]>
<![CDATA[Best Practices for Enrolling Users in MFA]]> pschafer@cisco.com (Phillip Schafer) https://duo.com/blog/best-practices-for-enrolling-users-in-mfa https://duo.com/blog/best-practices-for-enrolling-users-in-mfa Industry News

Enrolling users to use multi-factor authentication (MFA) is an essential security step for any organization. But user enrollment can be a logistical challenge and comes with security risks. In this blog we’ll discuss enrollment options and best security practices for Duo admins, whether they are rolling out MFA for the first time or maintaining enrollment for their users.

Enrollment basics

Enrollment is the process by which users are added to a Duo account and enabled to use MFA. To be enrolled, a username must exist in Duo (i.e., be visible under the Users page in the Duo Admin Panel) and the user must have registered at least one MFA device.

Enrollment methods

Administrators have several methods to choose from for enrolling users.

  • In automatic enrollment, user information is uploaded in CSV format or synced from a directory service.

  • In self-enrollment, users enroll themselves either from an enrollment email or inline as they attempt to access a Duo-protected application.

  • In manual enrollment, admins enter information for users one at a time.

Automatic enrollment might seem easier for users, but they still must follow up to add their authentication devices. Even when a phone number is included with automatic enrollment, enabling SMS and phone call authentication out of the gate, we recommend that users add additional methods that are more secure against attacks.

To reduce helpdesk calls and encourage the use of secure authentication methods, Duo recommends that users be allowed to self-enroll and to manage their own devices after enrollment.

New User Policy

Prior to enrollment, users’ access to Duo-protected resources is governed by the New User Policy. Like all Duo policies, this can be set globally or for specific applications and user groups.

The New User Policy has three options. The default is “Require Enrollment,” which prompts users for inline enrollment the first time they try to gain access. “Allow access” exempts new users from MFA and should be used with caution. “Deny Access” provides the tightest security control but can lead to friction for new users. For example, admins should be careful not to deny access to email accounts where users are sent self-enrollment links.

Self-enrollment risks

Duo recommends enabling users to self-enroll when possible, but there are some risks. An attacker with stolen credentials may attempt to enroll on the legitimate user’s behalf, either by stealing an emailed self-enrollment link or by initiating inline self-enrollment when attempting to access a resource. They can then register their own device, gaining persistent access to the user’s account.

Admins must weigh these risks when choosing enrollment methods and setting New User Policy. On balance, self-enrollment still can be an effective option if admins follow best practices.

Secure enrollment best practices

Organizations’ primary goal with enrollment should be to get as many users using MFA as possible, as quickly as possible. However, they must also be careful not to leave the door open to bad actors. This section will outline best practices for keeping enrollment secure.

Practice #1: Eliminate bypass access

Enrolling users is no help if an organization’s resources do not require MFA by policy. Duo Admins can exempt applications, user groups, network addresses or locations from MFA and can place individual users in bypass status. These options are powerful tools when used appropriately but can leave resources vulnerable if organizations aren’t careful.

When users can bypass MFA and inline self-enrollment is enabled, they may never encounter the enrollment prompt and will remain unenrolled or partially enrolled indefinitely. These users’ accounts are “sitting ducks” for bad actors to steal credentials and initiate the enrollment prompt themselves.

To reduce bypass access, admins can review the access policies set in the Duo admin panel. They can also check their organization’s authentication logs to gain visibility into authentications in their environment that bypass MFA.

Practice #2: Resolve inactive and overprovisioned accounts

Inactive accounts are a risk to any organization, since bad actors can take over these accounts and use them to enroll with Duo and gain persistent access. Active accounts that are provisioned to access Duo-protected resources, but where users do not access the resources and have not enrolled with Duo, are similarly risky.

To address these risks, admins should look for user accounts with access to Duo-protected resources that are not enrolled with Duo. Tools like Cisco Identity Intelligence can help with this task by bringing together user information from multiple sources.

Practice #3: Monitor partial enrollment

Users who exist in Duo but who do not have any authentication devices registered are considered partially enrolled. Partial enrollment results when no phone number is provided during automatic or manual enrollment, or when a user fails to follow up from a self-enrollment email. Admins can also return a user to this state by deleting all their authentication devices.

Partially enrolled users are a problem because, depending on the New User Policy, they may be denied access to resources or may be at risk for self-enrollment attacks. They also consume a license and contribute to the organization’s costs.

Duo provides several tools for addressing partial enrollment. Admins can view these cases in the Admin Panel’s Users table under the heading “Not Enrolled” and can send out enrollment emails. Users who were sent an enrollment email (including through automatic enrollment) can be further reviewed in the Pending Enrollments table. As a safeguard against partially enrolled user accounts persisting indefinitely, admins can elect to lock out users who have not registered a device for a period of time after appearing in Duo.

Practice #4: Detect suspicious activity

Even the best security posture does not provide 100% protection against malicious actors. Organizations should monitor for suspicious device registrations and authentication activity, which could indicate access by a malicious actor.

Duo Trust Monitor, available on Duo’s Advantage and Premier editions, detects and notifies admins about suspicious activity in their accounts, including device registrations. Activity and authentication logs can also be imported into a third-party monitoring and detection tool using the Duo Admin API.
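One way to run the four practices above against exported data, as an added example that is not Duo’s own code: the records below are constructed to resemble Duo Admin API authentication-log and user responses, and the field names and “reason” values are assumptions drawn from my reading of the public Admin API documentation, to be verified against the current docs before use.

```python
"""Offline triage of Duo enrollment data, following the four practices above.

Added example, not Duo's own code. The records are constructed to resemble
what the Duo Admin API returns for authentication logs
(GET /admin/v2/logs/authentication) and users (GET /admin/v1/users); field
names and "reason" values are assumed from the public Admin API docs.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _epoch(days_ago: int) -> int:
    """Epoch seconds for NOW minus days_ago (the API reports last_login this way)."""
    return int((NOW - timedelta(days=days_ago)).timestamp())


# Authentication-log "reason" values meaning the MFA step was skipped by policy
# rather than satisfied by the user (assumed Admin API values).
BYPASS_REASONS = {"bypass_user", "trusted_network", "trusted_location",
                  "allow_unenrolled_user"}

# Constructed sample authentication-log entries, trimmed to the relevant fields.
SAMPLE_AUTHLOGS = [
    {"user": {"name": "alice"}, "application": {"name": "VPN"},
     "result": "success", "reason": "user_approved", "factor": "duo_push"},
    {"user": {"name": "bob"}, "application": {"name": "Email"},
     "result": "success", "reason": "bypass_user", "factor": "not_available"},
    {"user": {"name": "carol"}, "application": {"name": "Email"},
     "result": "success", "reason": "allow_unenrolled_user",
     "factor": "not_available"},
    {"user": {"name": "dave"}, "application": {"name": "VPN"},
     "result": "denied", "reason": "user_denied", "factor": "duo_push"},
]

# Constructed sample user records. The device lists are what enrollment
# registers; a user with none of them is only partially enrolled.
SAMPLE_USERS = [
    {"username": "alice", "status": "active", "last_login": _epoch(1),
     "phones": [{"type": "Mobile"}], "tokens": [], "webauthncredentials": []},
    {"username": "bob", "status": "bypass", "last_login": _epoch(3),
     "phones": [], "tokens": [], "webauthncredentials": []},
    {"username": "carol", "status": "active", "last_login": None,
     "phones": [], "tokens": [], "webauthncredentials": []},
    {"username": "erin", "status": "active", "last_login": _epoch(120),
     "phones": [], "tokens": [{"type": "h6"}], "webauthncredentials": []},
    {"username": "frank", "status": "active", "last_login": None,
     "phones": [], "tokens": [], "webauthncredentials": []},
]


def mfa_bypass_events(authlogs):
    """Practice #1: successful authentications in which policy skipped MFA."""
    return [e for e in authlogs
            if e.get("result") == "success" and e.get("reason") in BYPASS_REASONS]


def bypass_status_users(users):
    """Practice #1: users an administrator has placed in bypass status."""
    return sorted(u["username"] for u in users if u.get("status") == "bypass")


def inactive_users(users, max_idle_days=90, now=NOW):
    """Practice #2: users who never logged in or whose last login is stale."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for u in users:
        ts = u.get("last_login")
        if ts is None or datetime.fromtimestamp(ts, tz=timezone.utc) < cutoff:
            stale.append(u["username"])
    return sorted(stale)


def partially_enrolled(users):
    """Practice #3: users present in Duo with no registered authentication device."""
    return sorted(u["username"] for u in users
                  if not (u.get("phones") or u.get("tokens")
                          or u.get("webauthncredentials")))


def sitting_ducks(authlogs, users):
    """Partially enrolled users who also reach resources without MFA, so a
    stolen password alone would let someone else finish their enrollment."""
    no_mfa = set(bypass_status_users(users))
    no_mfa.update(e["user"]["name"] for e in mfa_bypass_events(authlogs))
    return sorted(set(partially_enrolled(users)) & no_mfa)


def triage(authlogs, users, now=NOW):
    """Summarise every check in one report dictionary for review or alerting."""
    return {
        "mfa_bypass_events": [(e["user"]["name"], e["application"]["name"],
                               e["reason"]) for e in mfa_bypass_events(authlogs)],
        "bypass_status": bypass_status_users(users),
        "inactive": inactive_users(users, now=now),
        "partially_enrolled": partially_enrolled(users),
        "sitting_ducks": sitting_ducks(authlogs, users),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUTHLOGS, SAMPLE_USERS).items():
        print(f"{key}: {value}")
```

Against real exports, feed the `authlogs` array and the paginated user list into `triage` and route the `sitting_ducks` entries to the helpdesk first, since those are the accounts an attacker could enroll a device on without ever seeing an MFA prompt.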

Conclusion

Duo’s policy and configuration options give administrators lots of ways to ensure that users are broadly enrolled in MFA across their organization. The choice of enrollment method and New User Policy ultimately comes down to each organization’s individual needs. Regardless of which options they choose, admins can keep the enrollment process secure by following the best practices above.

To learn more about setting up your organization’s Duo account, check out our Liftoff Guide.

]]>
<![CDATA[Duo vs. Fraudulent Device Registration]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/duo-vs-fraudulent-device-registration https://duo.com/blog/duo-vs-fraudulent-device-registration Industry News

It is a well-known and established point that a password alone is not enough to secure an account. That’s where multi-factor authentication (MFA) comes in. Typically, a user confirms their identity using an application on their phone and accepts a push notification. But what if an attacker can just send that authentication request to their own personal phone? Now MFA can no longer stop the cybercriminal from gaining unlimited access.

This type of attack is known as Account Manipulation: Device Registration. This is when a bad actor gains access to a user’s account through compromised credentials and push bombing or phishing a one-time passcode to get past the MFA requirement. Then, the attacker enrolls a new device to bypass MFA and gain unlimited access to an organization’s resources and data.

Mike Moran, Duo data scientist, threat researcher, and co-contributor of this MITRE ATT&CK® technique wants customers to understand how important it is to be aware of and protect against this type of attack.

“An adversary attempting to or successfully registering their own MFA device has become much more common over the last few years, yet it is still an aspect of zero trust systems that is often overlooked. This reality highlights the need for security enhancements to the enrollment process that provide real-time detection and remediation while maintaining scalable usability.”

Protecting against fraudulent device registration requires fully understanding the device enrollment process within your organization and increasing your defenses against this specific action. In addition, it is important to continuously audit and monitor your environment to detect potentially risky registrations. With Duo, there are a few different approaches to harden your defenses. You can also check out this Duo help article that provides policy recommendations and directions for how to secure your accounts.

Proactive Protection:

  • Self-Service Portal Authentication: To enroll a new device on your Duo account, set up the policies in the self-service portal to limit authentication to more secure factors, like WebAuthn or Verified Duo Push.

  • Trusted Endpoints: Duo’s Trusted Endpoints feature allows an organization to block all unknown or unmanaged devices from accessing your organization’s resources, preventing the trusted user from getting fraudulent push or enrollment requests in the first place.

  • Risk-Based Authentication: Risk-Based Authentication can detect patterns from attackers and step up the authentication requirements to more secure factors in unknown or risky situations.

Detection & Response:

  • New Device User Notifications: Set up notifications so users are informed if a new device has been added to their account. If the user does not recognize the device or action, they can report the activity to the Duo administrator.

  • Duo Trust Monitor: Duo Trust Monitor uses a combination of machine learning models and security heuristics to surface events that may be a risk or threat to your organization. For device registration events, we primarily use heuristics that are defined by threat researchers based on previously observed or theorized attacks against MFA systems. The product is currently being improved to surface registration events in real time, combine intelligence from multiple data sources when making an assessment, and more.

For more information on best security practices to protect against identity-based attacks, check out Duo’s new eBook, Securing Organizations Against Identity-Based Threats.

]]>
<![CDATA[Enhanced Duo Policy Management]]> aneuhoff@duo.com (Andrea Neuhoff) https://duo.com/blog/enhanced-duo-policy-management https://duo.com/blog/enhanced-duo-policy-management Product & Engineering

At Duo, we know just how important the admin experience is. Without it, features don’t get used and customers don’t get their return on investment. It’s for this reason that we’re excited to release a new view of Duo policies designed specifically to solve customer complaints and help admins manage their policies.

Policy is at the heart of deploying and managing Duo. It’s how admins customize the security experience of users and manage risk during authentications. It’s how you block untrustworthy devices or require the latest operating system versions. However, it traditionally doesn’t let admins easily understand policies they have or quickly view the contents. Instead, customers have faced long scrolling, no built-in searching or sorting, and no high-level summaries.

We’re changing that.

What’s new?

The first thing you’ll notice when exploring this new view is how compact it is. Gone are the days of scrolling and scrolling. This new screen is designed to show about 5 policies, because 90% of customers have five or fewer policies. Want to know if you’ve got policies with the same name or applied in similar ways? It’s easy to see all in one screen.

What if you want to see a few details or a summary of that policy? It’s just a click away. Click on “rules” and you’ll see a drawer designed to highlight the most important information. You can see when a policy was created, when it was last modified, what rules are enabled and how it’s been applied.

See the video at the blog post.

Want to know which policies have been applied to an application or user group? Search is now built into the page. The days of command+f are gone. You can search and the list will filter to only show policies with matching results. The layout is designed to make it significantly easier to scan and see how any particular policy has been applied.

It’s not just visual changes that we’ve added. You now have the ability to duplicate a policy or bulk delete policies. We talked to users and saw admins painstakingly recreating complex policies from scratch only to discover typos days or months later. With duplication, admins can duplicate any policy (including global) as many times as they like.

See the video at the blog post.

The policy team is very excited to introduce this new view. It’s the first big change to this page in years and it’s just the beginning of new policy features in the works. 

Try it out

How can you experience this new view? Sign into the admin panel, head over to policies and click on the banner. And since we know change is hard, if you don’t like the new view, you can always switch back.

]]>
<![CDATA[The Argument for Security Being a Priority, Not a Feature]]> mrotar@cisco.com (Mike Rotar) https://duo.com/blog/the-argument-for-security-being-priority-not-feature https://duo.com/blog/the-argument-for-security-being-priority-not-feature Product & Engineering

Negative Outcomes of Using Security Functionality From IT Tools Instead of Dedicated Security Controls

Vendor consolidation is gaining momentum in the IT space. CIO magazine reported that 95% of IT executives polled plan to consolidate software solutions due to “architecture consolidation” and “cost.” Hypothetically, consolidating vendors could seem appealing. After all, it could decrease spending and reduce silos in infrastructure, so what could go wrong?

When it comes to securing identities, the stakes are high; Cisco Talos reported in February that three of the top five MITRE ATT&CK techniques used in 2023 were identity-based. So, what really happens when you move to consolidate identity security from a best-of-breed identity security product like Duo to a bundled “identity management with security” solution?

Today, we’ll highlight key negative business outcomes to watch out for with the new software consolidation trend, and why Duo may be the best option for your organization’s identity security strategy.

Negative outcomes of migrating off best of breed

Bundled identity security licensing may have sticker price appeal, but customers find Duo more cost-effective to implement, maintain, and support. As stated in the Forrester Total Economic Impact™ of Cisco Duo blog, “customers saved $3.23 million net present value (NPV) and had a 159% ROI.”

On paper, the positive outcomes of decreased spending and reduced software infrastructure silos sound appealing. Still, if you decrease spending on the front end, and increase total cost of ownership, it could severely impact your return on investment.

In the long term, through complex deployment, ongoing maintenance, support, process changes and enablement, bundled identity solutions could severely reduce your return on investment and create negative outcomes for your identity security strategy.

Increased total cost of ownership

To move from a best-of-breed product like Duo to a bundled identity solution, the increase in cost of ownership begins with deployment and extends into ongoing life cycle management, support, and more.

Information technology and security leadership needs to be aware of the hidden costs and the burden of a “rip and replace” migration that impacts all users, administrators and contractors. This burden falls on your team's shoulders. Because a project of this kind touches the entire organization, it has the potential to push back other projects. Your team must plan to disrupt the entire user population's access routines and prepare fellow directors and C-levels for their teams to experience disruptions and delays in response from support. Your attention must then turn to your admin teams as they secure, manage and support a new solution, with a plan for an increase in support tickets and complications with advanced access policies, application gaps and other single-solution weaknesses.

Your super administrator accounts are now also a top attack vector and house both identity and security in one platform, so you need to make sure policy is as strict as possible for privileged access users and monitor abuse closely.

This also creates a lot of problems for your admins, analysts and help desk teams, as they’ll have to dedicate time to address testing and configuring new product technical prerequisites, access management policies, and new authentication configurations.

First, your team will need to test, configure, and deploy any new product technical prerequisites, access management policies, and change application configurations across your environment. Your team will then need to move any custom integrations — such as Duo software development kit (SDK) use cases, API use cases, and SIEM workflows — and address any application, logging and policy gaps in the new solution. Your team will also need to update all existing administrator and user enablement while also informing, educating, and training administrators, users, and contractors on the new solutions. This includes policy, application configuration, troubleshooting tactics, log management, configuration documentation, diagrams and more while your organization grows comfortable with the new solution.

This brings me to user experience, which will be disrupted across the organization given the change in login experience. Users, contractors and partners will need to expect delays in help desk response time and support knowledge of the new software. They’ll also need to take any new access management training and become familiar with new access management software. There will also be changes in experience, such as self-service device management policy limitations, mobile app experience and clear user messaging when logging in or remediating issues.

User self-remediation helps Duo customers decrease help desk tickets by notifying and warning users of out-of-date software at login. It also enables users to update their own devices immediately. If users do not remediate, you can enforce software policies across browsers and devices with access control policies. This allows organizations to lessen the help desk load by keeping devices up-to-date, healthy and able to meet corporate access requirements. Unlike other access policy engines, Duo manages software versions, so you don’t have to manually update.

Decreased security

Identity is the only perimeter left, and it’s a complex problem. It can be a game of whack-a-mole trying to plug every hole the identity journey creates. Identities are accessing both cloud and on-premises applications. They’re also working from anywhere, anytime, from any device, which creates an assortment of challenges that require strong, easy-to-use and deployable security. Without this kind of security, attackers simply find workarounds for existing security solutions and infiltrate.

CISA reported that “Weak Security Controls and Practices Routinely Exploited for Initial Access.” This means that advanced identity security access management policies are either being misconfigured or deliberately not configured, which allows attackers to exploit gaps and weaknesses in access management policies. As highlighted by recent identity-based attacks, both scenarios are being exploited by attackers to the same effect.

Today's threat landscape requires the strongest levels of security on identities, applications and devices accessing sensitive, corporate applications. Artificial intelligence (AI) will continue to create more challenges as it continues to improve on impersonation and automatic attack generation.

With identity being the most attractive attack vector, your organization needs strong, easy-to-use and deployable identity security solutions to combat the evolving threat landscape. Bundled identity solutions have slower-to-deploy security tools with complex, strict technical prerequisites, security limitations, expensive licensing and reliance on expensive partner products to protect all workflows across identities, apps and devices. In addition, super admin account takeover attacks can have a higher impact, since identity management and access security are centralized under one login.

Once all identities, apps and devices are configured, inferior identity and device security policies and controls can lead to weak access requirements being put in place due to policy engine complexities and limitations. Reporting and logging tools typically lack security visibility and tailored usage insight, and it’s difficult to understand app, identity, and device activity over time across portals, which makes it complicated to audit login issues and troubleshoot when issues arise.

Some upsold advanced security features, such as identity protection and risk-based authentication, are more reactive threat analysis tools than adaptive, real-time authentication security solutions that assess risk at the point of login and throughout the lifetime of the session. It’s also typically complex and/or expensive to protect workstations, legacy apps and servers such as SSH, RDP, RADIUS, and most do not have a software development kit or APIs like Duo.

How Duo is different

Easy to use

To begin with, Duo makes things simple for our customers:

  • Simple for users to enroll, authenticate and remediate issues

  • Simple for administrators to configure, deploy, protect and manage

  • Simple for security operations analysts to review and analyze threat data

Scalable and flexible

Duo can adapt to your customers’ needs as your organization evolves:

  • Grows with your business as your security needs change

  • Offers a broad range of authentication methods for every type of identity

  • Flexible, deploy-ready policy controls

Faster speed to security

Duo also provides what we refer to as “faster speed to security”:

  • Duo is fast and makes it easy to deploy advanced identity security controls across any size organization

  • Thanks to Duo’s self-service and user self-remediation features, end-users can resolve issues using Duo very quickly without contacting IT

  • Identity security in-depth; as threats change, we enable customers to respond and block threats rapidly

Broadest coverage

Finally, Duo delivers the broadest coverage across identities, devices and applications:

  • Supports all identity types (employees, contractors and partners)

  • All types of devices (corporate-issued and managed and personal unmanaged devices, plus most operating systems including macOS, Windows, Linux, iOS and Android)

  • Integrates with virtually any application, whether it’s off-the-shelf or custom-built, and hosted on-premises or in the cloud

Duo is just getting started

While the allure of bundled identity may be tempting, it's essential to carefully weigh the potential risks and costs associated with migrating from Duo to alternative solutions. By considering factors such as weaker security policies, deployment and training expenses, hidden costs and the value of familiarity and reliability, businesses can make informed decisions that prioritize their security and operational efficiency in the long run. In the complex maze of cybersecurity, often the best path forward is the one you're already on.

Where Duo is headed next

To learn more about where Duo is heading, please check out the Duo blog: Announcing Identity Intelligence With Duo, which highlights Duo’s available customer preview of identity threat detection and response (ITDR) and identity security posture management (ISPM) functionality and more exciting identity security innovations.

Stay tuned!

If you would like to chat more with a sales or partner specialist about identity security, feel free to contact us!

]]>
<![CDATA[Cisco Joins the FIDO Alliance Board]]> mmiller@duo.com (Matthew Miller) https://duo.com/blog/cisco-joins-fido-alliance-board https://duo.com/blog/cisco-joins-fido-alliance-board Industry News

Duo Security has been a long-time supporter of the FIDO Alliance, starting in 2014 with our adoption of U2F. We remain active through 2024 in many of FIDO's working groups and continue to support the FIDO Alliance's mission of reducing the world's reliance on passwords through passkeys.

Two years ago, work began to assess Duo's commitment to this mission and consider how we might more actively participate in its evolution. We are happy to announce the following changes to this strategic partnership.

First, Duo Security has successfully migrated our FIDO Alliance membership to Cisco. This will let us extend access to the FIDO Alliance to other Cisco teams like Webex.

Second, we realized that for Duo to effectively push for the improvements and changes that our customers desire (or even require), we needed to increase Cisco's membership within the FIDO Alliance to gain a seat on the Board. The Board drives the direction of the FIDO Alliance. Additionally, as the FIDO Alliance shifts its strategy to focus on passkeys adoption guidance, we felt now was the time to leverage our extensive experience as a Relying Party and add our voice to underrepresented passkeys use cases.

After months of discussing this idea with internal and external parties, a formal written application, and virtual interviews, we are pleased to announce that the FIDO Alliance has approved Cisco's application to join the Board. Matthew Miller will be Cisco's delegate on the FIDO Alliance Board with Chris Anderson serving as his alternate. This will allow us at Duo Security and greater Cisco to push for the changes we and our customers desire within the FIDO Alliance as well as continue our thought leadership within the identity and authentication industry.

“We enthusiastically welcome Cisco to our board of directors,” said Andrew Shikiar, executive director and CEO of the FIDO Alliance. “Cisco has been a longtime and valuable contributor to FIDO Alliance and its authentication specifications first through Duo Security and now formally as Cisco.”

Shikiar continued, “We look forward to Cisco’s expertise and direction as a relying party at the board level, which is critical now as FIDO technology has matured and we’ve shifted our focus to the usability of passkeys and enabling relying parties to implement them effectively.”

Here's to passkeys in 2024 and beyond!

]]>
<![CDATA[Understanding the Silver SAML Vulnerability & How Duo SSO Can Help]]> cmedfisch@duo.com (Colin Medfisch) https://duo.com/blog/understanding-silver-saml-vulnerability-how-duo-sso-can-help https://duo.com/blog/understanding-silver-saml-vulnerability-how-duo-sso-can-help Industry News

In cybersecurity, the constant emergence of new vulnerabilities keeps organizations on their toes. A recent development is the discovery of the Silver SAML attack, a sophisticated vulnerability that targets Security Assertion Markup Language (SAML)-based authentication systems. Let's delve into what this means for organizations and how solutions like Duo SSO are designed to mitigate such risks.

What is the Silver SAML vulnerability?

Cybersecurity researchers have uncovered a new attack method known as Silver SAML. This technique can exploit SAML-based single sign-on (SSO) services, even when measures against similar Golden SAML attacks are in place. The vulnerability centers on the use of self-signed or externally generated certificates for signing SAML responses. If attackers obtain the private key of an externally generated certificate, they can forge SAML responses and impersonate any user, gaining unauthorized access to applications and services.

Duo SSO’s mitigation approach

Duo SSO has a security architecture that inherently mitigates this type of vulnerability. Unlike some identity providers that allow the use of externally generated certificates for SAML response signing, Duo SSO exclusively uses self-signed certificates. This design choice significantly reduces the risk associated with the Silver SAML attack in the following ways:

  • Controlled Certificate Lifecycle: Self-signed certificates are generated and managed internally within the Duo SSO ecosystem. This control over the certificate lifecycle minimizes the risk of private keys being compromised.

  • Integration Segmentation: Each Duo SSO integration has a dedicated signing key that is only ever stored in encrypted form and backed by a Hardware Security Module (HSM). The HSM provides an additional layer of protection by managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.

  • No External Exposure: By not allowing externally generated certificates, Duo SSO ensures that the signing process is less susceptible to external threats. There's no risk of an attacker obtaining a private key from a certificate generated outside the protected environment.

  • Regular Auditing and Monitoring: Duo SSO includes robust auditing and monitoring features that help detect and alert on any suspicious activities, including unauthorized changes to configurations that could indicate an attempted security breach.

  • Best Practice Enforcement: Duo SSO encourages and enforces security best practices, such as strong authentication measures, which provide an additional layer of defense against various attack vectors, not just Silver SAML.

Remaining vigilant

While Duo SSO's approach to using self-signed certificates for SAML response signing effectively mitigates the specific risk presented by the Silver SAML attack, it's a stark reminder of the need for organizations to maintain constant vigilance. Cyber-based threats are constantly evolving, and defenses that are secure today may be challenged by the threats of tomorrow. To stay ahead of potential risks, it's crucial for organizations to target three essential processes:

  • Implement comprehensive security strategies that go beyond reliance on a single mitigation technique. Remember, a multi-layered approach to security is essential in creating a resilient defense against a variety of threats.

  • Stay up to date with the latest security advisories and updates. Keeping informed about new vulnerabilities and emerging attack vectors is the first step in a proactive defense.

  • Educate users and IT teams on potential threats. Knowledge is power in cybersecurity. Regular training and awareness programs can empower users to recognize and respond to security incidents.

When thinking about a comprehensive security strategy, increased visibility and monitoring around the identity perimeter is indispensable. Solutions like Duo’s identity security capabilities powered by Cisco Identity Intelligence play a pivotal role in enhancing security posture. By offering continuous monitoring and advanced analytics, Duo equips organizations with the capabilities necessary to detect and respond to anomalous behavior and access patterns in real-time. This level of insight is critical for identifying and mitigating potential compromises before they escalate into more significant breaches.

With features such as endpoint visibility, anomaly detection, automated alerts, and dynamic policy enforcement, Duo serves as a steadfast guardian, safeguarding the identity perimeter. It's a robust layer of security that complements the inherent strengths of Duo SSO, creating a unified front against identity-based threats.

As we traverse the complexities of the security landscape, it's clear that the partnership with trusted and proactive security providers like Duo is more than a convenience—it's a strategic imperative. By leveraging advanced solutions like Duo’s identity security, organizations can achieve the heightened level of security vigilance required in today's digital age.

Conclusion

The Silver SAML vulnerability highlights a landscape where threats constantly evolve and demand agile and robust defenses. Duo SSO's use of self-signed certificates sets a strong defensive baseline against such threats. However, to truly stay ahead, organizations need to augment foundational security with advanced protections.

Duo’s identity security capabilities powered by Cisco Identity Intelligence offer this next level of defense, providing the necessary visibility and proactive monitoring to identify and thwart potential threats swiftly. By choosing Duo Advantage or Duo Premier plans, organizations gain access to these enhanced capabilities, reinforcing their security posture in the face of sophisticated attacks like Silver SAML.

Act now to fortify your organization's defenses. Duo SSO is available in all Duo editions, allowing you to securely protect your SAML, OIDC, and OAuth applications. Explore the Duo Advantage and Duo Premier plans to unlock the full potential of Cisco Identity Intelligence and ensure your organization's resilience against the ever-changing threat landscape.

]]>
<![CDATA[Remote Desktop Threats & Remediations]]> beccalyn@cisco.com (Becca Lynch) https://duo.com/blog/remote-desktop-threats-remediations https://duo.com/blog/remote-desktop-threats-remediations Industry News

Remote Desktop Protocol (RDP) enables much of today’s hybrid workforce, allowing employees to remotely access desktop computers regardless of their location. Like any remote access tool, however, it is susceptible to security threats, including brute force attacks.

Attackers can gain unauthorized access to an RDP connection via several brute force methods, the most common of which is credential spraying. In this attack method, a small number of commonly used passwords are tried over many user accounts in succession. Many free and open-source tools, including NLBrute, Crowbar and Hydra, currently exist to allow attackers to automate these efforts over many user accounts at once. Once access is gained, even to a single user account, the results can be devastating. Malicious actors can potentially access any files on the desktop, install and operate malware, exfiltrate user and customer data, and access other devices on the same network. Research by Sophos estimates that 95% of all attacks in the first half of 2023 involved RDP access and emphasizes taking steps to further secure RDP applications.

While securing RDP applications with multi-factor authentication (MFA) is an essential first step, we have seen a recent uptick in large-scale RDP attacks that can successfully subvert traditional MFA depending on the account policies and configuration. We will detail how these attacks appear in Cisco Duo authentication data, as well as outline simple and practical steps that you as an administrator can take to configure Duo to prevent this type of attack from infiltrating your environment.

Identifying RDP Brute Force attacks in MFA logs

As part of ongoing threat hunting efforts in collaboration with Cisco Talos Intelligence Group, we on Duo’s Security Data Science team sought to identify IP addresses that were responsible for RDP attack attempts on Duo customers. Over authentication data from 2023, we analyzed any IPs meeting the conditions of at least 100 authentication attempts to RDP applications over at least 3 organizations deploying Duo, with at least a 70% rate of failure. After vetting these IP addresses with the assistance of Talos, we identified 52 IP addresses confirmed or highly likely to be associated with RDP brute force attack patterns.

Observed behavior from one such IP can be seen below, with the vertical axis representing individual customers. With this visualization, we can see the attackers crawling customer environments, sending repeated failed attempts to a group of customer networks. All attempts shown here are failures. (Note that this is only a sample of the impacted customers).

The individual IPs and their corresponding active protocols varied widely, as we observed using Censys Search. Of the 25 hosts with active protocols at the time of our hunting efforts, 15 were running file-sharing protocols such as SMB and FTP, indicating file exfiltration as a possible primary goal of these attacks. The remaining active hosts were running a variety of VPN protocols, including OpenVPN, IKE (IPSec), and PPTP, likely in an attempt to obfuscate the true source of the attacks.

Most hosts belonged to cloud hosting providers, the most common being the Panamanian provider “Flyservers”. A small number of hosts appeared to be residential or commercial hosts that had been captured by the attackers and used to send malicious requests.

Duo has since added all IPs suspected of RDP brute force attacks to our global block list, preventing them from any further access to our service across all Duo customers. As it is trivial, however, for attackers to rotate IP addresses, we will outline ways in which long term prevention can be achieved through improved security posture and policy configurations.

Prevention

Deny unenrolled users

Among the roughly 80,000 attempts from these RDP brute force networks, only 2% of authentications were successful. Many of these successes were potentially preventable via policy configurations within the Duo Admin Panel. The first of these relates to the way that new users enroll in Duo, particularly the ability to allow unenrolled users (those without any user account in Duo) to bypass MFA upon initial access. Of the successful accesses by the attackers in this case, 53% were to user accounts which had this MFA bypass policy configured. By contrast, over half of all malicious attempts were stopped via denying access to users not enrolled in Duo.

If possible, we recommend the following prevention measures to reduce the attack surface area.

Good

Enable monitoring on authentication logs to be notified when access to an application occurs as a result of allowing unenrolled users, particularly upon access to RDP applications. Repeated successes from a single IP address with no further user enrollment following the authentication may indicate an RDP attack and that user credentials have been compromised.

Better

Deny unenrolled users access to RDP applications by setting a per-application policy. Unenrolled users can still be allowed to enroll via other applications you have configured, just not through RDP applications for which access can be easily automated by attackers.

Best

Deny all access to unenrolled users and enroll users in Duo MFA via either automatic enrollment or a manual user import.

User lockout mechanisms

For users enrolled in MFA, there is still a risk of RDP account access by an attacker. The most common attack patterns seen against enrolled users were push harassment (in which a single user is sent many push attempts in the hopes that they will eventually accept) and push spraying (in which push attempts are sent across many users). A visual example of this is shown below, in which a user was repeatedly sent push requests from an RDP attack IP until they accepted.

One way of preventing a malicious actor from sending repeated pushes to a user is by enabling a lockout threshold in the Duo Admin Panel. Roughly 11% of recent RDP brute force attempts from the IPs analyzed were prevented by user lockout mechanisms, the majority of which had a threshold of 10 repeated failures before locking out a user. Ten is the default number of failures before a user’s account is locked out; however, a more aggressive threshold can be customized in your Duo Admin Panel.

For increased visibility, administrators can configure Duo to notify them in the instance that a user is locked out, to further monitor suspicious activity. If this occurs, and users cannot account for the repeated failures, this may indicate user credential compromise.
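The hunting criteria described earlier (at least 100 attempts to RDP applications, across at least 3 organizations, with at least a 70% failure rate) and the push harassment pattern described in this section, applied to constructed log records as an added Python example that is not Duo's code. The log schema, the TEST-NET addresses and the user names are assumptions made for illustration; the 10-failure lockout threshold is the default the post cites.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    """One authentication attempt. Constructed schema for this example;
    Duo's real authentication log carries many more fields."""
    ip: str        # source address of the attempt
    org: str       # customer / organization the attempt targeted
    app_type: str  # "rdp", "vpn", "web", ...
    user: str
    factor: str    # "push", "passcode", or "none" for an unenrolled-user bypass
    result: str    # "success" or "failure"


# Thresholds from the post: >=100 RDP attempts over >=3 organizations, >=70% failures.
MIN_ATTEMPTS = 100
MIN_ORGS = 3
MIN_FAILURE_RATE = 0.70
DEFAULT_LOCKOUT = 10  # Duo's default failed-attempt lockout threshold per the post


def find_rdp_bruteforce_ips(events, min_attempts=MIN_ATTEMPTS,
                            min_orgs=MIN_ORGS, min_failure_rate=MIN_FAILURE_RATE):
    """Return {ip: summary} for source IPs matching the cross-customer RDP pattern."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "orgs": set()})
    for e in events:
        if e.app_type != "rdp":  # the rule only considers RDP applications
            continue
        s = stats[e.ip]
        s["attempts"] += 1
        s["orgs"].add(e.org)
        if e.result != "success":
            s["failures"] += 1
    flagged = {}
    for ip, s in stats.items():
        rate = s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["orgs"]) >= min_orgs
                and rate >= min_failure_rate):
            flagged[ip] = {"attempts": s["attempts"], "orgs": len(s["orgs"]),
                           "failure_rate": round(rate, 2)}
    return flagged


def find_push_harassment(events, lockout=DEFAULT_LOCKOUT):
    """Flag (ip, user) pairs whose failed pushes from one IP reach the lockout
    threshold, and record whether the user eventually accepted a push. A flagged
    pair with accepted=True is the post's figure: pushes repeated until approval."""
    pushes = defaultdict(lambda: {"failed": 0, "accepted": False})
    for e in events:
        if e.factor != "push":
            continue
        p = pushes[(e.ip, e.user)]
        if e.result == "success":
            p["accepted"] = True
        else:
            p["failed"] += 1
    return {key: dict(p) for key, p in pushes.items() if p["failed"] >= lockout}


def build_sample_events():
    """Constructed log records using TEST-NET addresses; not real Duo data."""
    ev = []

    def add(n, ip, org, app, user, factor, result):
        ev.extend(AuthEvent(ip, org, app, user, factor, result) for _ in range(n))

    # Crawler: 100 failures spread over four customers, plus 10 successes
    # against unenrolled users who were allowed to bypass MFA.
    for org in ("org-a", "org-b", "org-c", "org-d"):
        add(25, "203.0.113.10", org, "rdp", "svc@" + org, "none", "failure")
    add(10, "203.0.113.10", "org-b", "rdp", "new.hire@org-b", "none", "success")
    # Push harassment: alice receives 12 pushes from the crawler, then accepts one.
    add(12, "203.0.113.10", "org-a", "rdp", "alice@org-a", "push", "failure")
    add(1, "203.0.113.10", "org-a", "rdp", "alice@org-a", "push", "success")
    # High failure volume but only one customer: below the organization threshold.
    add(150, "198.51.100.7", "org-a", "rdp", "bob@org-a", "passcode", "failure")
    # Many customers but too few attempts overall.
    for org in ("org-a", "org-b", "org-c", "org-d", "org-e"):
        add(10, "192.0.2.20", org, "rdp", "x@" + org, "passcode", "failure")
    # Non-RDP traffic is outside this rule's scope.
    add(200, "203.0.113.99", "org-c", "vpn", "y@org-c", "passcode", "failure")
    # Busy legitimate gateway: high volume across customers, mostly successes.
    for org in ("org-a", "org-b", "org-c"):
        add(40, "192.0.2.50", org, "rdp", "z@" + org, "push", "success")
    add(5, "192.0.2.50", "org-a", "rdp", "z@org-a", "push", "failure")
    return ev


if __name__ == "__main__":
    sample = build_sample_events()
    for ip, summary in find_rdp_bruteforce_ips(sample).items():
        print(f"RDP brute-force candidate {ip}: {summary}")
    for (ip, user), info in find_push_harassment(sample).items():
        print(f"Push harassment of {user} from {ip}: {info}")
```

Only the crawler address is flagged by the volume rule; the single-customer, low-volume, non-RDP and mostly-successful sources all fall outside the thresholds, and the push rule surfaces the user who approved after a run of harassing pushes.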

User location restriction

To prevent malicious requests from reaching users in the first place, admins should configure Duo to block requests from countries that they do not expect to see traffic from. The IPs studied in these attacks originated from countries including Iran, Russia, Hong Kong, the Netherlands, Ukraine, Estonia, Romania, Pakistan and Nicaragua, all of which accounted for less than 1% of the benign traffic of the impacted customers. If it is conducive to your organization’s setup, consider denying access or limiting available authentication factors for requests that originate somewhere other than your organization’s expected locations.

Users that live in countries atypical to the majority of an organization’s users or who may need occasional access from a country that is otherwise blocked can be added to a user group with a specific policy exemption if necessary.

Summary

Basic MFA is a necessary first step in securing RDP applications. Without proper configuration, however, it’s still possible for attackers to subvert security measures and gain access to critical data and infrastructure. While attacks are constantly evolving, taking essential steps such as blocking unenrolled access and enabling user lockout functionality on RDP applications can help to prevent users from receiving malicious requests.

]]>
<![CDATA[New Duo E-Book, Attack Vectors Decoded: Securing Organizations Against Identity-Based Threats]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/new-duo-e-book-attack-vectors-decoded https://duo.com/blog/new-duo-e-book-attack-vectors-decoded Industry News

Identity-based cyberattacks are a challenge across all organizations, regardless of size, industry or technology. And every time organizations put up a new defense, cybercriminals seem to find their way around it. This becomes a constant cycle of organizations introducing new protections and attackers finding ways to exploit them.

Recently, attackers have targeted multi-factor authentication (MFA). MFA is a common second line of defense against compromised passwords. Even if an attacker has access to a username and password, they still need access to the second authentication factor to break into the organization.

However, attackers are finding ways around MFA. They can take advantage of the less secure methods of authentication, like one-time passcodes, and socially engineer a user to hand over codes or intercept them before they reach the end user. They can engage in MFA fatigue attacks where a trusted user might absentmindedly accept a push request because they’re so used to doing it or might accept the push requests to get the endless notifications to stop.

While attackers are finding new and creative ways to victimize users, organizations can deploy many tools to protect against these types of attacks. In Duo’s new eBook Attack Vectors Decoded: Securing Organizations Against Identity-Based Threats, we summarize the top attack vectors targeting users and what organizations can do to fortify their defenses.

So, what can organizations do to better protect themselves? Some of the solutions are easy policy changes that organizations can turn on immediately, like Duo’s Risk-Based Authentication (RBA). RBA analyzes risk signals at the point of login and can remove barriers for trusted users, while requiring more secure factors when new risk is identified (like multiple denied push requests being sent to the same user).

Other solutions are more of a journey, like rolling out passwordless across your organization. Passwordless login removes the “something you know” (e.g., the password) from the login process and instead uses “something you are” (e.g., a biometric) and “something you have” (e.g., a device). A user accesses an application with an asymmetric key pair: the application holds the public key, while the matching private key is secured on the device (so it cannot be stolen). While passwordless offers a phishing-proof solution, there are requirements to deployment, like ensuring all users have access to a biometric on their device or a security key.

And finally, organizations can combine a risk-based and phishing-proof authentication approach with device trust policies, like Duo’s Trusted Endpoints. Trusted Endpoints enables an organization to only let in managed or known devices so fraudulent MFA requests on an unknown device never even reach the end user.

To learn more about the current identity-focused attacks and how you can better protect your organization today and in the future, be sure to read Attack Vectors Decoded: Securing Organizations Against Identity-Based Threats today.

If you’re interested in a deeper dive into this topic, also check out our new Duo labs piece that provides detailed, research-backed insight into identity threats and how to protect against them.

]]>
<![CDATA[The Strengths and Weaknesses of MFA Methods Against Cyber Attacks: Part 3]]> pschafer@cisco.com (Phillip Schafer) https://duo.com/blog/strengths-weaknesses-of-mfa-methods-against-cyberattacks-part-3 https://duo.com/blog/strengths-weaknesses-of-mfa-methods-against-cyberattacks-part-3 Industry News

The choice of authentication methods plays a key role in defending against identity threats. In the first two blogs of this three-part series, we discussed the MFA methods available to users and their strengths and weaknesses in defending against five types of cyber attack. In this blog, we’ll discuss how end-users and administrators can select the best methods to keep themselves and their organizations secure.

The importance of user experience

Authentication methods’ technical properties in addressing cyber-threats are part of the security picture, but not the whole picture. The convenience of the end-user experience also plays an important role.

A frictionless user experience can help ensure that MFA is widely adopted within an organization, and that once it is adopted, users comply with best practices. Users that are frustrated by the authentication experience are more likely to fall prey to MFA fatigue attacks, or to seek workarounds that avoid the need to authenticate at all.

When setting MFA policies for their organization, administrators must consider the human element, which plays a role in 74% of breaches.

Budget considerations

Cost is another factor influencing which authentication methods organizations should adopt. Methods that leverage users’ existing devices, for instance, offer cost advantages over methods requiring specialized hardware such as tokens and security keys. Conversely, adopting platform authenticators may require costly upgrades to enterprise hardware and software to support biometrics.

Administrative and service costs must also be considered. Telephony-based methods require the purchasing of telephony credits, while the personnel costs of deployment and helpdesk support for some authentication methods can be significant.

Organizations must weigh the total cost of ownership of MFA against the considerable, but uncertain, cost of a breach.

What authentication methods are right for you?

To decide which methods to use, organizations must balance security, user experience, and budget considerations to meet their unique needs. To conclude this blog series, we’ll discuss each method in turn and why you may choose to adopt it.

WebAuthn-based authentication

WebAuthn-based authentication is a clear winner for threat protection, with strong defenses against a variety of threats including phishing and AiTM (adversary-in-the-middle) attacks. WebAuthn-based methods also offer superior user experiences using biometrics and passwordless authentication.

Despite these advantages, organizations often face challenges when adopting WebAuthn. Legacy software often must be upgraded to support this relatively new protocol, while upgrading employee endpoints to support biometrics or purchasing and distributing security keys can incur significant costs. Organizations must also incentivize users to register WebAuthn-based devices and train them to adapt to new authentication workflows.

The journey to WebAuthn, passkeys, and passwordless can be well worth it, and organizations can learn from the success stories of their peers.

Push-based authentication

Push-based authentication provides a good balance between security and user experience. It protects against many threats while allowing users to authenticate conveniently using their own phones. While it does not defend against AiTM threats as WebAuthn does, this gap can be addressed by other measures, such as adopting device trust policies.

Security against MFA fatigue attacks can be enhanced for push-based methods by enabling numeric code matching (e.g., Verified Duo Push). However, this security comes with additional user friction. Organizations that want the security benefits of code matching but with minimal friction can try a policy like Duo Risk Based Authentication, in which codes are required only for suspicious authentications.

Token-based authentication

Token-based authentication provides a third-tier option for threat protection behind WebAuthn-based and push-based methods. Passcode phishing and physical compromise are concerns for tokens but may partially be addressed by end-user training. Tokens remain popular for organizations where users cannot use their own phones to authenticate or where offline access is needed.

Telephony-based authentication

Telephony-based authentication is widely used due to its administrative convenience, since end-users can use their own phones without any specialized hardware or software. Hardware cost savings may be offset, however, by telephony costs. Telephony-based methods are also less secure than other methods, with SIM swapping adding a distinctive threat vector alongside common physical and social engineering concerns. Despite these drawbacks, telephony is an effective way for some organizations to ensure that MFA is widely adopted.

Conclusion

No matter what your authentication needs, Duo provides a variety of options to choose from. Duo’s adaptive access policies make it easy for administrators to customize settings by user group and application type, so that every authentication is as secure and frictionless as possible. End-users may further select from the methods allowed by their organizations to best suit their needs and preferences.

To learn more about authentication with Duo, sign up for a free trial today.

]]>
<![CDATA[Strengths and Weaknesses of MFA Methods Against Cyber Attacks: Part 2]]> pschafer@cisco.com (Phillip Schafer) https://duo.com/blog/strengths-weaknesses-of-mfa-methods-against-cyberattacks-part-2 https://duo.com/blog/strengths-weaknesses-of-mfa-methods-against-cyberattacks-part-2 Industry News

The choice of which authentication methods to use is individual to every organization, but it must be informed by a clear understanding of how these methods defend against common identity threats.

In the first part of this three-part blog series, we discussed the various methods available to MFA users. In this part, we’ll evaluate each method’s effectiveness in defending against five common types of cyber-attack. The table below summarizes the findings.

How MFA methods stand up to threats

Threat type #1: Physical compromise

Many authentication methods use device possession as a factor (i.e., evidence of a user’s identity), making physical security a concern. Devices can be stolen or temporarily accessed by an attacker to subvert MFA.

Varied protection: WebAuthn-based authentication, push-based authentication, token-based authentication

When used by WebAuthn-based authenticators, biometric user verification provides a strong layer of defense against physical compromise. However, some security keys do not support biometrics, while many authenticators fall back to passwords or passcodes when biometrics fail.

Physical security for push-based authentication relies on the access protections of the user’s phone. For best security, administrators should require that users implement screen lock on their devices when authenticating with Duo Mobile. They can additionally require biometric verification every time that a user approves a push.

Physical security of token-based authentication depends on the device. Some software tokens, like Duo Mobile, can be configured to require screen lock. However, many hardware tokens do not provide any protection. Furthermore, attackers with even temporary access to an HOTP device may memorize or write down a passcode and use it later. Users must take care to safeguard devices attached to keyrings and in other vulnerable locations.

Weak protection: telephony-based authentication

SMS passcodes and phone call authentication are vulnerable to physical compromise because text messages and phone calls can often be received without unlocking a phone. While users can elect secure screen lock settings, administrators cannot easily require them to do so.

Threat type #2: Logical compromise

Attackers may sometimes take virtual possession of authenticators without gaining physical access to a device. For example, by gaining access to a cryptographic key or taking possession of a phone number, they may be able to emulate the behavior of an authentication device.

Strong protection: WebAuthn-based authentication, push-based authentication, token-based authentication

While key theft is possible for these methods, most devices provide strong protections. WebAuthn-based authenticators use private keys that are not shared publicly and that can be stored securely on tamper-resistant hardware protected with strong encryption. Platform credentials (passkeys) that are synced using services like iCloud Keychain are encrypted in transit.

Duo’s push-based authentication uses private keys that are stored in encrypted form and never leave the device. Default Duo policy further prevents exfiltration of keys from Duo Mobile by requiring that user devices are not rooted or jailbroken.

Token-based authenticators use a secret key, called a seed, to generate passcodes. These seeds are encrypted when stored on both the device and on Duo servers.

Weak protection: telephony-based authentication

SIM swapping is a common technique that allows attackers to subvert telephony protections without physically stealing a phone. An attacker calls the phone carrier posing as the legitimate user and has the user’s phone number transferred to their own device. Then, they can authenticate via SMS passcode or phone call.

Threat type #3: Phishing and MFA fatigue

Phishing attacks and MFA fatigue attacks are related threats in which a user is given a fraudulent prompt to authenticate. In phishing, the attacker directs the user to a fake website with a login prompt that collects their password and/or single-use passcode. In an MFA fatigue attack, also known as push phishing or push harassment, the attacker uses stolen credentials to send the user repeated push requests in hopes that the user will inadvertently approve one.

Strong protection: WebAuthn-based authentication

WebAuthn-based authentication is sometimes referred to as “phish-proof” because it eliminates the need for shared codes, removing the risk that those codes could be intercepted. The browser also tells the authenticator what site the user is on, so credentials can only be used on the site they were created for. Authentications are verified locally on the login device, so the attacker cannot enlist the user’s help remotely in their authentication attempt via an MFA fatigue attack.

Varied protection: push-based authentication

Push-based authentication is vulnerable to MFA fatigue attacks, but this threat can be mitigated through the use of numeric code matching, as in Verified Duo Push. Because the numeric code must be entered by the user, there is no risk of the attacker phishing the code (though other forms of social engineering are possible; see below). Admins can require that codes be entered for all push-based authentications, or they can use an approach like Duo Risk Based Authentication in which only risky authentications require the code.

Weak protection: token-based authentication, telephony-based authentication

Token-based and SMS passcode methods are vulnerable to passcode phishing, though the risk can be partially mitigated by adopting TOTP-based rather than HOTP-based tokens. Phone call authentication is vulnerable to MFA fatigue attacks.
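The difference between HOTP and TOTP passcodes noted here (and in the physical-compromise discussion of HOTP devices under threat type #1) comes down to what validates a captured code. This added example, which is not Duo's code, implements both RFC algorithms with a constructed seed and shows that a captured HOTP code stays valid until a later counter is consumed, while a captured TOTP code dies with its time step:

```python
import hashlib
import hmac
import struct

# Added example (not Duo's code): why a phished TOTP code is worth less to an
# attacker than a phished HOTP code. The seed below is constructed.
SEED = b"constructed-seed-not-a-real-secret"
STEP = 30        # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6

def hotp(seed: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(seed: bytes, at: int) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(seed, at // STEP)

class HotpServer:
    """Server-side HOTP state: accepts the next unused counter within a look-ahead window."""
    def __init__(self, seed: bytes, window: int = 20):
        self.seed, self.counter, self.window = seed, 0, window
    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1          # this and all earlier counters are now burned
                return True
        return False

def totp_valid(seed: bytes, code: str, at: int, skew_steps: int = 1) -> bool:
    """Accept the current step plus or minus skew_steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(seed, at + d * STEP), code)
               for d in range(-skew_steps, skew_steps + 1))

def replay_outcomes() -> dict:
    """Codes captured by a phishing page at t0 and submitted by the attacker later."""
    t0 = 1_700_000_000
    server = HotpServer(SEED)
    phished_hotp = hotp(SEED, 3)              # user's token was at counter 3
    phished_totp = totp(SEED, t0)
    return {
        "hotp_after_1h": server.verify(phished_hotp),                # True: never consumed
        "totp_after_1h": totp_valid(SEED, phished_totp, t0 + 3600),  # False: step expired
        "totp_within_step": totp_valid(SEED, phished_totp, t0 + 10), # True: must be used fast
    }
```

Once the legitimate user has authenticated with a later counter, the HOTP server's look-ahead window moves past the captured code, which is why the page calls the mitigation partial rather than complete.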

Threat type #4: Social engineering

Social engineering is a class of techniques in which the attacker manipulates the legitimate user into aiding them in the attack. While phishing and MFA fatigue may be considered examples of social engineering, they are not the only ways that user behavior can be manipulated. For example, attackers will sometimes pose as fellow employees or IT team members to convince users to follow directions. Social engineering is often preceded by reconnaissance on professional social networks to make the engagements more personal and believable.

Varied protection: WebAuthn-based authentication, push-based authentication

While WebAuthn-based authentication is typically considered a strong protection against social engineering, the recent trend on many operating systems toward synced passkeys has opened the door to passkey sharing attacks. If a legitimate user is convinced to share their passkey, then the attacker can use the passkey on their own system. Biometric requirements do not mitigate this threat because once a passkey is stolen, it may be used by the attacker with their own biometric. Fortunately, many platforms implement additional measures to secure passkeys, such as requiring that sharing happens between devices in physical proximity.

Use of a numeric code with push-based authentication helps guard against MFA fatigue and passcode phishing attacks, but it does not close the door to other types of social engineering. An attacker can attempt to log in using a stolen password, then send the numeric code to the legitimate user and convince them to enter the code and confirm the push.

Weak protection: token-based authentication, telephony-based authentication

Token-based and telephony methods are subject to a wide array of social engineering techniques in which users are convinced to share a physical device, transfer a phone number, or enter a code.

Threat type #5: Adversary in the Middle

Adversary in the Middle (AiTM) is a sophisticated attack in which the attacker establishes a proxy server between the legitimate user and their login destination, allowing the attacker to steal credentials and cookies during an authentication attempt. Because the login is proxied to the legitimate destination, the user may be unaware that the attack is happening, while the adversary gains full access to the account.

Strong protection: WebAuthn-based authentication

WebAuthn-based authenticators protect uniquely against AiTM attacks. WebAuthn verifies the identity of the login site (e.g. duosecurity.com) and therefore will not work via a proxy connection. This property, known as origin binding, contributes to WebAuthn’s status as a “gold standard for MFA.”
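The origin binding described here, and the "credentials can only be used on the site they were created for" point under threat type #3, rest on two relying-party checks: the origin the browser records in clientDataJSON and the rpIdHash the authenticator places in authenticatorData. This added example (not Duo's code; the RP ID, origins and challenge are constructed) implements those checks and shows why an assertion relayed through a proxy on another domain fails, even though the challenge itself was forwarded intact:

```python
import base64
import hashlib
import json

# Added example (not Duo's code): the relying-party checks that give WebAuthn
# its origin binding. RP ID, origins and challenge below are constructed.
RP_ID = "duosecurity.com"                     # RP ID the credential was registered under
EXPECTED_ORIGIN = "https://duosecurity.com"   # the only origin this RP accepts

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Build the data a browser and authenticator would produce. The browser,
    not the web page, fills in clientData.origin and derives rpIdHash."""
    client_data = {"type": "webauthn.get",
                   "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
                   "origin": origin}
    flags = b"\x05"                            # UP (0x01) | UV (0x04)
    sign_count = (1).to_bytes(4, "big")
    return {"clientDataJSON": json.dumps(client_data).encode(),
            "authenticatorData": hashlib.sha256(rp_id.encode()).digest() + flags + sign_count}

def verify_origin_binding(assertion: dict, challenge: bytes) -> tuple:
    """Checks from the WebAuthn assertion-verification procedure that bind the
    credential to the site. Signature verification is a separate, later step."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != challenge:
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin %r is not %r" % (cd.get("origin"), EXPECTED_ORIGIN)
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

if __name__ == "__main__":
    chal = b"constructed-challenge-0123456789"
    # Direct login: browser reports the real origin.
    print(verify_origin_binding(make_assertion(EXPECTED_ORIGIN, RP_ID, chal), chal))
    # AiTM proxy (constructed domain): the browser reports the proxy's origin and
    # derives rpIdHash from it, so the relayed assertion is rejected.
    proxy = "login.attacker-proxy.example"
    print(verify_origin_binding(make_assertion("https://" + proxy, proxy, chal), chal))
```

In practice the failure happens even earlier on the client side, since the authenticator holds no credential scoped to the proxy's RP ID; the server-side checks are the backstop that makes the property hold regardless of the client.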

Weak protection: push-based authentication, token-based authentication, telephony-based authentication

All these methods are vulnerable to AiTM attacks. Even when second-factor authentication is out-of-band with the login, as in a push, the delivery of the session cookie can still be intercepted by the proxy.

What’s next

Understanding the threats affecting MFA is important, but the choice of authentication methods also depends on factors like cost and ease of use. In the next blog in this series, we’ll discuss how organizations can choose the methods that best suit their needs.

]]>