The Duo Blog
Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access.
Managing editor: Amy Vazquez (info@duosecurity.com). Copyright 2022.

10 Reasons Universal Prompt Strengthens Security and Improves User Experience
Matthew Brooks (matbroo2@cisco.com), Product & Engineering
https://duo.com/blog/reasons-universal-prompt-strengthens-security-improves-user-experience

Earlier this year, Duo Security announced the General Availability of the Duo Universal Prompt, and many customers have happily upgraded to it from the Duo Traditional Prompt. For our customers who have not yet migrated, we would like you to be aware of these 10 reasons Universal Prompt gives Duo customers heightened security and a better user experience!

Screenshots: from the Traditional Prompt to the Universal Prompt.

What is the Duo Universal Prompt?

The Universal Prompt is Duo's next-generation authentication experience that delivers an easier, more secure, and more accessible authentication experience for every user.

Upgrading to Universal Prompt helps organizations:

  • Modernize authentication – Universal Prompt paves the way for customers to modernize their infrastructure and benefit from the latest technologies. For example, updating corporate applications to use SAML and WebAuthn for authentication mitigates the vulnerabilities posed by legacy protocols (RADIUS, LDAP) and weak authentication factors such as one-time passcodes. This also helps organizations get started on a journey towards a passwordless future.

  • Strengthen security – Bad actors continue to develop more sophisticated social engineering attacks to bypass security controls. Universal Prompt minimizes the risks they pose by enabling Duo customers to implement advanced security measures, such as Verified Duo Push and Risk-Based Authentication.

  • Simplify secure access – The move to modernizing and strengthening your IT security infrastructure can be disruptive for end users, but Universal Prompt minimizes user friction with a simple authentication experience, intuitive web-based design, and self-service empowerment.

10 reasons to move to Duo Universal Prompt

All the following great functionality is ONLY available using the Duo Universal Prompt, and we will continue to rapidly deliver new functionality that will be built on Universal Prompt only.

  1. Verified Duo Push – Asks users to verify push requests in order to mitigate the risk of push harassment attacks

  2. Risk-Based Authentication – This reduces user friction and improves security by analyzing risk signals and automatically stepping-up authentication only when necessary

  3. Built-In Security – Universal Prompt uses OpenID Connect and moves away from iFrames, which eliminates the need for the additional security configuration (allowed hostnames) that is recommended with the Traditional Prompt

  4. Self-Service Portal – Admins can securely enable the new Duo hosted Self-service portal by enforcing policies and requiring strong authentication, empowering users to self-enroll and manage their authentication devices

  5. Improved User Experience – Universal Prompt is a major redesign with new styling and workflow-based authentication experience

  6. Localization – Includes support for 15 languages, with more to come

  7. Customization and Branding – Allows admins to give users a familiar and trusted experience

  8. Chromebook – Supports WebAuthn flows for Chromebook logins

  9. Accessibility – Makes strong authentication inclusive and easy for every user. Universal Prompt is designed and tested to meet Web Content Accessibility Guidelines (WCAG) 2.1 at the AA level

  10. Last-Used Authentication Method – Duo recalls the last-used auth method which gives users one less decision to make and expedites the login workflow

How can you update your environment to the new Universal Prompt?

Most on-premises applications require administrators to install a software update with the necessary changes to support the Universal Prompt on their web application servers. This software update may be supplied by Duo or by our technology partners, depending on who developed the integration. Cloud-hosted software as a service (SaaS) may require limited account changes. Read more in the Universal Prompt Update Guide.

Try out the Universal Prompt now!

Now is a great time to upgrade from Duo Traditional Prompt to Duo Universal Prompt. Your users will have a much better experience behind a better, more efficient design, along with a variety of experience-focused features.

Also, admins will be able to better secure their environments with the rich set of security functionality that Universal Prompt enables. Get your plans started ASAP to benefit from the new functionality only available with Universal Prompt!

Get to know Duo Universal Prompt

For more information on Duo Universal Prompt, see how it may be utilized in the Duo Guide to Two-Factor Authentication, or for specifics on its implementation see the documentation in the Duo Universal Prompt Update Guide.

The Updated FTC Safeguards Rule Signals New Cybersecurity Changes
Desdemona Bandini (dbandini@duo.com), Industry News
https://duo.com/blog/updated-ftc-safeguards-rule-signals-new-cybersecurity-changes

On October 27, 2021 the Federal Trade Commission (FTC) announced changes to the FTC Safeguards Rule in order to protect consumer data. The new cybersecurity rules were published on December 9, 2021 and will require compliance by December 9, 2022.

Does the FTC Safeguards Rule affect you?

If you are not sure what the new security requirements are or if they affect your business or organization, don’t worry – we put together a webinar to help answer those questions. Watch Cisco Duo CISO Advisor, Wolfgang Goerlich and Duo Product Marketing Manager, Desdemona Bandini as they discuss the implications of the ruling, how it will affect businesses and what you need to do to stay compliant.

Watch the FTC Safeguards Rule Webinar.

The definition of financial institutions includes non-financial institutions.

The important thing to note is the new and expanded rules have updated security requirements for financial and non-financial institutions that do transactions that use personal consumer data. These institutions must take steps to secure that data. This includes those companies taking measures to ensure their affiliates and service providers also safeguard consumer data in their care. Some of the new required security measures include:

Multi-factor authentication is now required by the FTC

The most significant changes in this amendment include the expansion of the term “financial institution” and new technology requirements. Specifically, the rule calls out multi-factor authentication (MFA) as a mandatory requirement (regardless of company size) by December of 2022.

This means that, in addition to a username and password, users with access to consumer data will need another factor, such as a token, biometric, or application that can verify the user’s identity.

While these changes can seem confusing to navigate and intimidating to implement, Duo has extensive experience partnering with industries that have complex security requirements, including healthcare, education, and, of course, finance. Duo’s MFA solution can quickly and efficiently ensure your company’s compliance while also protecting your customer data.

Quickly meet compliance deadlines

As a cloud-based solution, Duo easily integrates with your infrastructure and can be rolled out enterprise-wide. This includes out-of-box integrations for more than 200 applications and support for secure access to cloud-based, on-premises and custom applications, VPNs, servers and more.

Applications can be set up in minutes, and Duo is often deployed in weeks, not months or years. Duo also scales to meet companies at their security needs, providing offline MFA, compliance-friendly reporting and logs, and the ability to add users and devices at any time.

Duo helps customers across industries comply with regulations to ensure their security strategy is in line with all relevant requirements.

Ease of use

The login process with Duo is designed to be simple for all users, without compromising productivity. Flexible authentication methods such as push notifications, tokens, biometrics and more allow users to choose the best fit for their workflow.

Duo’s push solution allows employees to authenticate quickly and easily with one tap on an app using their smartphones, making security frictionless. MFA can pair with your existing single sign-on (SSO) or Duo's SSO to create a consistent login experience across all applications and sync with directories to ensure policies stay current even as users change.

Frustrate hackers, not users

Duo helps protect every device and every application, allowing your users to continue working with the tools they love, anywhere, anytime.

When a user attempts to access a protected application or resource, Duo examines the device’s health and security posture, and only permits access when all requirements are met. It works with both bring-your-own (BYOD) devices and managed devices.

Duo gives you the policies and control you need to limit access based on endpoint or user risk, without interrupting employees’ ability to use the tools they need to get their job done.

Try Duo for free!

Start our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

The Meaning Behind the Cisco Recruitment Process
Mary Kate (mkschmermund@duo.com), Industry News
https://duo.com/blog/meaning-behind-cisco-recruitment-process

Felicia Miller was given a second chance at life. That’s one of the reasons she takes her job as a recruiter at Cisco Secure focused on Duo Security positions so seriously. It’s also why she finds advocating for candidates so meaningful, particularly at a company that values kindness and inclusivity.

A resident of Las Vegas with extensive agency and in-house recruitment experience, Miller is driven by passion—whether in the arts or in the candidates she feels honored to guide.

“Vegas is a never-ending opportunity to see people showcasing their passion. I think that’s where my desire to see it in candidates may come from,” Miller said.

Miller shared what candidates can expect through the recruitment process, how she combats imposter syndrome, and how Cisco’s culture continues to surprise and energize her.

What aspects of your journey allow you to thrive at work?

Felicia Miller: When you are out there working a full-time job and then suffer a medical trauma, like a brain tumor, that puts a halt to your work. You realize that work isn’t everything, but it’s a huge part of who you are. You want to make sure that the company that you work for aligns with your values and needs.

When I was contacted about this opening, there were a few things I was looking for in a job. Since this position is my return to the workforce after a silent disability diagnosis and a brain surgery, I needed a remote job so that I didn’t have to drive while taking neurological medication and a job where I could organize my office to accommodate my medical needs.

I loved the idea of immersing back in the world of tech, which actually doubles as physical therapy for my brain. This job allows me to continually be learning. I feel extremely fortunate to have found this opportunity.

What are you most excited to share with candidates about working here?

Felicia Miller: When you look at what I have to offer candidates, it’s the dream assignment for a tech recruiter. Security has never been more important.

Seeing the effort that the engineering teams take to get products to market as soon as possible, to make the world safer in light of cybersecurity threats, the pandemic requirements where we have people working remotely. I am in awe of what these individuals do. So when I’m sharing with a candidate how exciting this opportunity can be for them, it comes from a very real and a very personal place.

I get to offer candidates meaningful assignments doing meaningful work in a culture that appreciates and supports them. Our benefit package is second to none. It addresses the complete individual, providing time for the personal care that we all need.

Being able to talk with hiring managers and understand their needs and sitting in on interview debriefs and seeing how much hiring managers put into the interview process and bringing a new employee on, I feel honored to be part of that.

What can candidates expect from Cisco’s recruitment process?

Felicia Miller: I hate job searching. Most people hate job searching or interviewing, so if you can do that for the least amount of time, that’s what you want to try to do.

When I talk with my candidates, I try to understand where are you looking to go, what went right in your last position and what do you want to work on as you move into the next step of your career? We want to provide candidates with all of the information that they can possibly have up front so they understand how this role could fit into their career path.

As someone who is immersed in the technical industry on a daily basis, I can see trends that are happening and have been changing and offer advice and an outlook. I like being that conduit to give information so people feel more empowered.

I feel like I have a responsibility now. I’ve been given a second chance, and that’s why I take my recruiting efforts and my job so seriously. I want to make sure that I leave this world better than I found it. I take everything seriously that I do, and I am excited. I hope that shines through and that candidates see that throughout the interview process.

What do you look for in potential candidates?

Felicia Miller: Usually when I am talking with a candidate, I’m not really looking to qualify them technically. I’m looking for thoughtful responses, a confidence for what they know and specifics on what they would like to learn. Definitely the ability to accept criticism, a desire to make things better for everyone, a genuine passion for their work and a respect for the work of others.

I want to understand that candidate’s desired career path and how Cisco fits into that. I’m listening and thinking about whether this is a person with whom I could collaborate and learn from.

What energizes you about working here?

Felicia Miller: Something I feel really good about is in the last year we have had an increase in new hire diversity. We’re reaching a lot of underrepresented populations by sharing our opportunities and seeing the type of skill brought to the table.


I’ve worked in recruitment for more years than I want to share and I’ve been doing that without a degree. I come from a background of on the job work experience more than formalized education. I was intimidated about that, but you have to look for resources to supplement your education. I have been able to find those within Cisco.

When I first came here and saw the difference being made and how we’re encouraged to give back, when I hear the stances Cisco takes, these things make me proud of where I work. When you are told that you may not be able to continue working or living, that’s a big, huge thing. To be able to work with individuals that are as passionate about their coworkers as they are about the products that they’re creating, this is a dream come true for me.

I thought that Duo’s motto of being kinder than necessary was a lovely tagline. I had no idea how much it would apply to my candidates and to myself. It’s infectious and has impacted how I recruit.

How do you advocate for candidates, especially candidates from communities that are underrepresented in tech?

Felicia Miller: It’s consistency in candidate experience. It’s really not something that you have to do differently for anyone of any population. It’s making sure that the candidate has the information they need to know about the opportunity and the team that they’re interviewing with. I also make sure that the candidate understands what is expected in every step of the interview process so they can focus on what they’re looking to bring to that interview.

When a hiring manager makes the decision to hire, I’m the one who socializes that offer to the candidate. When I call to do that, I work with them to establish a start date that works for their schedule. They may need two weeks’ notice for their current employer. They may need a two week vacation between jobs. We want to make sure that we take the whole candidate into consideration when we’re setting those start dates and not just our timeline.

If necessary, I will field questions regarding background check or immigration service timelines. Basically, I try to make the transition from candidate to being ready to be onboarded as a new employee as easy as possible. This is a new environment for that employee. We want to make sure that candidates feel confident and secure in finding the resources they need to be successful.

How do you combat imposter syndrome?

Felicia Miller: Stay true to what you know. If you genuinely come with the best intentions, if you listen more than you talk, if you are approaching something and giving the best that you can, if you accept and take blame for what you miss and then try to correct that, that is the best way to fight against imposter syndrome.

It’s easy for all of us to feel that imposter syndrome, but by knowing what you know and knowing what you want to learn, it’s easier to have the confidence to stand in the industry.

If you find something that you love, move forward on it. If you find a project that really appeals to you, move forward on it. If you find someone in the community that you feel you can learn from, step out and ask them for a 30-minute chat. You will learn so much and feel more confident in what you do know.

What has contributed to your sense of belonging at Duo?

Felicia Miller: I remember the first time I heard about DJ Graffiti. We had a virtual winter holiday party and it was going to be DJ’ed by DJ Graffiti. I rolled my eyes. I was like, "How can this go? We’re working remotely."

Well, I’ve never felt more included than I did listening to his 90s R&B, watching the live stream and seeing people talk back and forth. From the very beginning, life at Cisco has been an inclusive family affair.

Join us!

If you want to love where you work, check out our open positions!

Trying to Find a Balance: Introducing Risk-Based Authentication
Joshua Terry (joshterr@cisco.com), Product & Engineering
https://duo.com/blog/introducing-risk-based-authentication

As we move through life, we are constantly seeking balance.

As a father, I balance keeping my children safe, with helping them grow through challenging experiences. As an employee, I balance my responsibilities to my team with the demands of parenting and community engagement, all while saving some energy for mountain biking. As a human, I balance my goals with the constraints of finite resources and time. Looking at ecology, sociology or economics we see similar patterns of competing forces finding moments of equilibrium before facing disruption.

Cybersecurity is no exception. As a security professional, you work tirelessly to balance dozens of competing priorities in an organization. Employees want to get their jobs done without hassle. Executives need immediate access to important files from the other side of the world. Independent contractors won’t install your company software on their personal devices. All of these demands make your goals of implementing the most secure protocols, procedures and technology much more challenging. These challenges make it hard to follow the most secure practices: employing the most secure authentication methods, requiring constant re-authentication and only allowing access from corporate devices.

For brief moments you might strike the right balance, only to be disrupted by new and emerging threats, changing user behavior, and a complex IT environment.

To help you find that balance, we are excited to introduce Duo Risk-Based Authentication which automatically looks for known threats, anomalies or insecure behavior and mitigates risk at the point of authentication. Risk-Based Authentication, a cornerstone of Continuous Trusted Access, gives you the confidence to balance the needs of your workforce while ensuring better security at the point of authentication.

How does it work?

Risk-Based Authentication assesses user and device telemetry to identify known threat patterns and high-risk anomalies. Duo focuses specifically on account takeover, looking for:

  • Push harassment or fatigue

  • Location anomalies

  • Compromised passwords

  • Fraudulent device enrollment

When Duo detects something suspicious, the authentication automatically steps up to a Verified Duo Push or more secure factor to ensure the user is who they say they are. After the user re-establishes trust, they can return to their normal, lower-friction authentication method.

We enhanced Duo Remembered Devices as well to account for changes in risk: when we recognize the device a user is on, we use a securely generated device token to authenticate.

For example, imagine a corporate employee logs in to an application from the office. A Duo Remembered Devices policy would issue a remembered device token that allows them seamless access. Next, say they decide to work from a nearby coffee shop: Duo will automatically detect that something has changed and require the user to re-authenticate. If we see that this was an anomalous location, we would go further and require a Verified Duo Push. Once these challenges are successfully completed, we are able to baseline this behavior and ensure only high-risk authentications from this user are stepped up going forward.

In summary, these tools make every authentication more secure and give you the confidence to make access for your workforce more seamless.
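The step-up logic described above, as an added illustration that is not Duo's own code: the signal names, the push-fatigue threshold, the token construction and the office-to-coffee-shop walkthrough are all assumptions made for the example. The remembered-device token is an HMAC bound to the user, device and network it was issued on, so a change of context invalidates it rather than silently carrying trust to a new location; an anomalous location (or any other risk signal) forces a verified push, after which the location is folded into the user's baseline.

```python
"""Risk-based step-up decision with a context-bound remembered-device token.
Added illustration only; every name and threshold here is an assumption."""
from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed server-side key; a real deployment keeps this in a KMS/HSM.
TOKEN_KEY = b"constructed-demo-key-not-for-production"
PUSH_FATIGUE_THRESHOLD = 3  # denied pushes per hour before we call it harassment (assumed)

def mint_device_token(user: str, device_id: str, network: str) -> str:
    """Remembered-device token tied to user, device AND the network it was issued on."""
    msg = f"{user}|{device_id}|{network}".encode()
    return hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()

def token_valid(token: str, user: str, device_id: str, network: str) -> bool:
    """Constant-time check that the presented token matches the current context."""
    expected = mint_device_token(user, device_id, network)
    return hmac.compare_digest(token, expected)

@dataclass
class Signals:
    """Telemetry gathered at the point of authentication (constructed fields)."""
    network: str                        # e.g. "office-lan", "coffee-shop-wifi"
    location: str                       # coarse location label
    denied_pushes_last_hour: int = 0    # push harassment / fatigue indicator
    password_compromised: bool = False  # password seen in a breach feed
    new_device_enrolled: bool = False   # enrollment happened in this session

@dataclass
class Baseline:
    """Per-user behaviour baseline that grows as step-ups succeed."""
    known_locations: set = field(default_factory=set)

def assess(user, device_id, signals, baseline, token=None):
    """Return (required_factor, reasons).
    'remembered' = no prompt, 'push' = ordinary push, 'verified_push' = step-up."""
    reasons = []
    if signals.denied_pushes_last_hour >= PUSH_FATIGUE_THRESHOLD:
        reasons.append("push_fatigue")
    if signals.location not in baseline.known_locations:
        reasons.append("location_anomaly")
    if signals.password_compromised:
        reasons.append("compromised_password")
    if signals.new_device_enrolled:
        reasons.append("new_device_enrollment")
    if reasons:
        return "verified_push", reasons
    if token and token_valid(token, user, device_id, signals.network):
        return "remembered", []
    return "push", ["context_changed" if token else "no_remembered_device"]

def record_success(baseline, signals):
    """After a step-up succeeds, fold the context into the baseline so only
    genuinely high-risk authentications are stepped up going forward."""
    baseline.known_locations.add(signals.location)

def walkthrough():
    """The office -> coffee shop scenario from the post, as the sequence of decisions."""
    user, device = "alice", "laptop-01"
    base = Baseline(known_locations={"hq-city"})
    office = Signals(network="office-lan", location="hq-city")
    cafe = Signals(network="coffee-shop-wifi", location="cafe-district")
    steps = [assess(user, device, office, base)[0]]            # no token yet: push
    token = mint_device_token(user, device, office.network)     # remembered on success
    steps.append(assess(user, device, office, base, token)[0])  # same context: remembered
    steps.append(assess(user, device, cafe, base, token)[0])    # new location: verified push
    record_success(base, cafe)                                  # baseline the new location
    token = mint_device_token(user, device, cafe.network)
    steps.append(assess(user, device, cafe, base, token)[0])    # now routine: remembered
    return steps

if __name__ == "__main__":
    print(walkthrough())
```

The `walkthrough()` call returns the four decisions in order (push, remembered, verified push, remembered). A token issued at the office but presented from home still falls back to an ordinary push, which is the "something has changed" case that is not also anomalous.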

Where do we go from here?

This is just the first step in our journey toward Continuous Trusted Access. As we move forward, we are committed to bringing our customers more tools to achieve balance, with:

  • Improved detection capabilities that respond to the latest threats around identity and account

  • Going beyond the point of login to ensure device and user trust throughout application sessions

  • Passwordless authentication to remove the weakest points in your authentication flow and ensure security using the most advanced security protocols

Duo’s MacLogon Release Enhances MacOS Security With Offline and M1 Support
Matthew Brooks (matbroo2@cisco.com), Product & Engineering
https://duo.com/blog/duo-maclogon-enhances-macos-security-with-offline-m1-support

MacOS is a popular computer operating system used on Apple computers. Like any personal computing device, it requires local authentication to log in. Apple provides username and password login for primary authentication and Cisco Duo provides secondary factors to strengthen the macOS authentication process. Now Duo has extended support for secondary authentication when the macOS endpoint is offline and added support for the popular M1 line of macOS hardware.

MacOS and MFA

MacOS is the second most used desktop/laptop operating system at ~15% of the worldwide market and it is estimated to have as much as 30% share among developers. Among other benefits, Mac enthusiast communities, such as at universities, often claim it provides a better user interface and, with a closed ecosystem, has fewer security vulnerabilities. Those communities look to vendors like Duo to provide multi-factor authentication (MFA) to mitigate the risk of bad actors breaching their macOS security systems.

Prior Duo support for MacOS

Until now Duo could be implemented in macOS environments easily, like most Duo products – we are good at both admin and user experience! Admins push a plugin, containing the keys and hostname needed to securely connect to Duo Cloud, to macOS user endpoints. Within the cloud console admins could create a variety of granular policies to manage authentication according to their security strategy.

New Duo support for MacOS

Duo can still be implemented on macOS in the same way to provide secondary authentication, but now admins have the option of allowing offline access, including specific constraints around its use such as how many login attempts are allowed until a user is back online. So, now when users are traveling, at a remote location without Wi-Fi, or just taking a break from social media, they can still log in to their macOS endpoint with Duo providing second-factor authentication.

How it works online

After admins go through the Duo installation process on macOS endpoints, they have a plugin running with hooks into the local authentication process. Then, after the macOS security process validates a local username and password, it prompts Duo to perform secondary authentication for that username.

The user may be assigned a specific method like Push or be allowed to select a method. Once they proceed with a method, Duo validates the user and confirms or denies them access to the macOS endpoint.

How it works offline

When macOS users are offline the initial process is similar, but once the Duo authentication process recognizes it cannot reach Duo Cloud it initiates offline login. On the first such login it offers the user the option to enroll in offline login.

The user will be asked to select a:

  • Duo Mobile Passcode - A 6-digit numeric string is provided in the Duo mobile app for the user to enter in order to validate secondary authentication on the macOS device

Duo admins are given other configuration options to manage the offline authentication experience, such as the maximum offline login attempts allowed.

Once Duo re-establishes communication with Duo Cloud it uploads details of offline activity to populate corresponding logs, dashboards, and reports. It also reestablishes the online secondary authentication requirement moving forward.

Duo support for Apple M1 series


Cisco Duo is a cornerstone for multi-factor authentication in the security industry. Duo supports leading authentication methods including verified Push, OTP (One Time Password) Hardware Token, Duo Mobile, and SMS Passcodes. At the same time macOS users and admins delight in the easiness of the experience.

Now Duo’s macOS security offline login functionality extends that great MFA protection to users when they are traveling. Admins can rest assured that once users are back online, their access details are seamlessly synchronized with Duo cloud.

Try Duo for free!

Start our free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

What is MFA? Educating Users About the Authentication Product
Kathryn Litton (klittonruggiero@duo.com), Industry News
https://duo.com/blog/what-is-mfa-educating-users-about-authentication-product

Cisco Secure Access by Duo is a leading provider of multi-factor authentication (MFA) for the global workforce – but what does that mean? This month, Duo Security unveiled an important educational asset, our What is MFA explainer page, to help users understand exactly what MFA means and how it can help secure the global workforce.

Multi-Factor Authentication (MFA) is the practice of adding multiple (two or more) identity verification dimensions at login. MFA differs from its two-dimensional counterpart, 2FA, which only involves adding a single verification method. This distinction is important to note because many organizations seek a second factor option without realizing that they could boost their access security even further with multiple factors.

Secure Your Network Like You Secure Your Home

When a homeowner locks their front door with a key, they’re adding one layer of protection to their home security. Similarly, our application passwords work as layer one in data access security.

When that same homeowner installs a deadbolt lock, they’re doing the same thing 2FA does for access security: adding a second layer of protection.

The safest and most secure homes, however, might also have a key code lock on their door, or a guard dog, or a security alarm system, or motion-activated cameras. These additional third, fourth, fifth (and beyond) layers of security are like MFA in that they build off of those first two layers to provide in-depth, multi-faceted security.

Discover MFA with Cisco Secure Access by Duo

Duo Security is a secure access provider that offers both authentication methods (MFA and 2FA) with autonomous and flexible integration options. Our scalable software and network technology is user-focused, meaning that a workforce protected by Duo MFA or 2FA is given the opportunity to choose how many and which additional factor tools work best for them. We invite you to explore “What is MFA” and our MFA Product Page to discover why you should invest in additional verification factors, how MFA works, and what MFA methods you can choose from to help make your workforce safer than ever before.

Healthy Device? Check With the Duo Device Health App Before Granting Access
Scott Grebe (sgrebe@duo.com), Product & Engineering
https://duo.com/blog/healthy-device-check-with-the-duo-device-health-app-before-granting-access

We’re taught from an early age that good health is important to our well-being. Eat the right foods, exercise and get at least eight hours of sleep. But what about preventive care? Most of us aren’t great about getting regular check-ups. In an ideal world we’d get an assessment of our “personal health posture” before we walk in the front door of our home. After all, no one wants to bring home a cold to family and friends.

We can apply this concept to the work environment. The corporate network is our home, other devices we interact with are our family members and friends, and resources such as applications and data are the stuff we need access to like the refrigerator and television. And that cold we want to avoid getting and passing around? That’s malware. If we bring malware into our network, it can lead to all sorts of problems – data breaches, denial of service attacks and account take-overs to name a few.

Much like the modern family, today’s workforce is a bit more blended. Many organizations have employees, contractors and partners who need network access. Some work in the corporate office while others are remote. There are corporate-owned devices, personal devices (BYOD), even shared devices. You wouldn’t let someone into your home if they were sick, so why let these devices on your network without first checking their health?

Establish device trust with health checks

Verifying user identity before granting access to a network application is the first step in a well-designed security strategy. But it’s no longer enough. There have been too many cases where a verified employee/contractor/partner brought a malware-riddled device onto the network with disastrous results.

Beyond establishing user trust, organizations also need to verify the health of every device before allowing access. But what makes a device “healthy”? Here are some checks to consider when creating your access security policy:

  • Is the device running the latest OS version including patches?

  • Is the browser up to date?

  • If there are plug-ins, are they the latest version?

  • Is a system password in place?

  • Does the device have an encrypted drive?

  • Is the host firewall enabled?

  • Is the device running an endpoint security agent?

  • Is it a corporate-issued managed device or an unmanaged BYO device?

Verify device security posture with the Duo Device Health app

As the number of connected devices continues to grow, so does the pressure on security and IT teams to ensure these devices have a healthy security posture. One tool that can help is the Duo Device Health Application. A lightweight client application for macOS and Windows, the Device Health application provides the controls organizations need to create custom access policies that allow or block connections to applications based on device health. It’s part of a more extensive Duo Trusted Endpoints policy that also considers whether a device is managed or unmanaged.

The good news is the Device Health application includes guided remediation that enables users to address the issue and bring the device under compliance quickly and easily. Once that happens, access is granted. Not only is your end-user happy, there’s also no Help Desk ticket to bog down your IT team.

More ways to check device health

In addition to the list above, the Device Health application enables administrators to combine a Device Health application policy with other Duo policies to check the status of browsers and plug-ins. For example, organizations may hesitate to allow access from devices that aren’t running the latest version of Google Chrome.

The same goes for devices using plug-ins. Outdated browsers and plug-ins are well-known attack vectors, so keeping them current is critical. Again though, the Device Health application’s self-remediation feature makes it easy to update to the latest version with step-by-step instructions.

Duo Beyond edition customers have additional device health check options at their disposal. The Device Health application can check to see if an endpoint security agent is running on the device. Duo supports many of the leading endpoint security solutions.

For organizations that want even tighter control, the Device Health application reports unique device identifiers to verify whether devices are enrolled in your endpoint management solution. While a device may pass the required health checks, IT may want to distinguish between devices managed by your organization and those that are not before deciding whether or not to grant access.

What’s new with Duo Device Health?

I’ve written a lot about the importance of good device health. Creating and enforcing strong security policies when it comes to allowing or blocking access to your applications will help keep your network protected from cybercriminals.

If you’d like to try the Device Health application and experience how Duo can simplify access for your workforce, sign up for a free 30-day trial.

<![CDATA[Does Apple’s Recent Security Flaw Make You Feel Vulnerable? Enter Duo Device Trust]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/does-apples-recent-security-flaw-make-you-feel-vulnerable-enter-duo-device-trust https://duo.com/blog/does-apples-recent-security-flaw-make-you-feel-vulnerable-enter-duo-device-trust Industry News

Recently, several Apple security vulnerabilities made headlines. These vulnerabilities affected certain Apple products running versions of its iOS, iPadOS and macOS Monterey operating systems and Safari browser. Apple disclosed the vulnerability and moved quickly to address the flaw with updates for each, a pretty straightforward process. But for organizations with users that have devices affected by the vulnerability, knowing there is a “fix” available is just the beginning.

When it comes to software and system vulnerabilities, no news is typically good news. However, when a new vulnerability is discovered, it’s time to spring into action. Quickly. Unpatched software can be exploited and lead to serious threats such as data breaches and ransomware attacks. Unfortunately, there are a lot of vulnerabilities out there. According to the National Vulnerability Database (NVD) more than 8,000 vulnerabilities were published in the first quarter of 2022.

So for security teams, having a resource like Duo Device Trust can make all the difference.

Time to remediation is critical

In an ideal world, everyone in your organization will install the new update before the cybercriminals can take advantage of the security flaw. Getting users to update to the latest operating system or browser version that closes the vulnerability, however, can be challenging. Employees are busy at their jobs, they don’t read the update memo or maybe they’ll just get to it later.

Whatever the reason, time to remediation is critical. In its 2022 Vulnerability Statistics Report, Edgescan revealed that the mean time to remediate critical-risk vulnerabilities is almost 58 days. In the case of the Apple security flaw, that would be 58 days during which hackers can exploit these vulnerabilities to seize control over their victims’ devices. And once they have that control, accessing the company network is simple.

Having visibility into the health posture of devices before they access your network resources is a good idea to help address vulnerabilities. A healthy device is one that meets your security requirements such as running the latest OS version. Along with that, you want to enforce an access policy that reflects the need to update the OS or browser version before granting access to applications and resources on your network.

Take control by enforcing device trust

Duo Device Trust can help you address these needs by giving you the controls to block risky devices and allow access only to healthy devices. For macOS and Windows laptops and desktops, the Duo Device Health application collects information from each endpoint at the time of authentication and checks it against your access policy. When a new vulnerability is discovered, you can update your existing policy to block access until a device has been updated to the desired OS release. When Apple announced the security vulnerability, teams using the Duo Device Health app had the option to restrict Apple devices from accessing resources until updates were installed.

Similar to the Device Health application, the Duo Mobile application has a Security Checkup feature that assesses the security hygiene of mobile devices running iOS or Android. Among the device attributes it looks for is whether the operating system is up to date. Refining your policy to require devices to have the latest OS version installed and running is simple. To balance security with ease of use, both solutions offer guided remediation to help users address the issue and quickly bring the device under compliance before access is granted.
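As an added example, not Duo's code, the following policy evaluator works through the checks listed in the earlier post (OS and browser version floors, system password, disk encryption, host firewall, endpoint agent, managed versus unmanaged) and returns an allow/block decision with guided-remediation steps; `tighten_min_os` shows the move described above of raising the OS floor once a vendor fix ships, so devices that passed yesterday are blocked until they update. Field names, the policy shape and all sample versions and identifiers are assumptions constructed for this example.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'12.3.1' -> (12, 3, 1), so versions compare numerically rather than as strings.
    A non-numeric component (a build tag, say) counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


@dataclass
class DeviceReport:
    """Posture attributes a health agent could collect at authentication time.
    The field set is an assumption for this example, modelled on the checks in the post."""
    platform: str                          # "macos" or "windows"
    os_version: str
    browser: str                           # e.g. "chrome"
    browser_version: str
    password_set: bool
    disk_encrypted: bool
    firewall_enabled: bool
    endpoint_agent_running: bool
    management_id: Optional[str] = None    # id reported to the endpoint manager, None if unknown


@dataclass
class AccessPolicy:
    min_os: Dict[str, str]                 # platform -> minimum OS version allowed
    min_browser: Dict[str, str]            # browser -> minimum version allowed
    require_password: bool = True
    require_encryption: bool = True
    require_firewall: bool = True
    require_endpoint_agent: bool = False
    require_managed: bool = False
    managed_device_ids: Set[str] = field(default_factory=set)  # ids enrolled in management


@dataclass
class Decision:
    allowed: bool
    remediation: List[str]                 # guided-remediation steps shown when blocked


def evaluate(report: DeviceReport, policy: AccessPolicy) -> Decision:
    """Compare one posture report against the policy; every failed check adds a step."""
    steps: List[str] = []

    min_os = policy.min_os.get(report.platform)
    if min_os is None:
        steps.append(f"Platform '{report.platform}' is not permitted by policy")
    elif parse_version(report.os_version) < parse_version(min_os):
        steps.append(f"Update {report.platform} from {report.os_version} to {min_os} or later")

    min_browser = policy.min_browser.get(report.browser)
    if min_browser is not None and parse_version(report.browser_version) < parse_version(min_browser):
        steps.append(f"Update {report.browser} from {report.browser_version} to {min_browser} or later")

    if policy.require_password and not report.password_set:
        steps.append("Set a system password or screen lock")
    if policy.require_encryption and not report.disk_encrypted:
        steps.append("Enable full-disk encryption")
    if policy.require_firewall and not report.firewall_enabled:
        steps.append("Enable the host firewall")
    if policy.require_endpoint_agent and not report.endpoint_agent_running:
        steps.append("Start or install the endpoint security agent")

    # Management is not something the user can self-remediate: the device's reported
    # identifier is looked up in the set of identifiers enrolled in the management tool.
    if policy.require_managed and report.management_id not in policy.managed_device_ids:
        steps.append("Use a corporate-managed device for this application")

    return Decision(allowed=not steps, remediation=steps)


def tighten_min_os(policy: AccessPolicy, platform: str, new_min: str) -> AccessPolicy:
    """Copy of the policy with a raised OS floor, e.g. after a vendor ships a security update.
    Nothing else changes; devices below the new floor are blocked until they update."""
    return replace(policy, min_os={**policy.min_os, platform: new_min})


# Constructed sample data for the demonstration (not real devices or versions from the post).
SAMPLE_POLICY = AccessPolicy(
    min_os={"macos": "12.2", "windows": "10.0.19044"},
    min_browser={"chrome": "99"},
    managed_device_ids={"mgmt-0001"},
)
STRICT_POLICY = replace(SAMPLE_POLICY, require_managed=True, require_endpoint_agent=True)
SAMPLE_DEVICE = DeviceReport(
    platform="macos", os_version="12.2.1", browser="chrome", browser_version="99.0.4844",
    password_set=True, disk_encrypted=True, firewall_enabled=True,
    endpoint_agent_running=False, management_id="mgmt-0001",
)
UNMANAGED_DEVICE = replace(SAMPLE_DEVICE, management_id=None, firewall_enabled=False)


if __name__ == "__main__":
    print(evaluate(SAMPLE_DEVICE, SAMPLE_POLICY))
    print(evaluate(SAMPLE_DEVICE, tighten_min_os(SAMPLE_POLICY, "macos", "12.3.1")))
    print(evaluate(UNMANAGED_DEVICE, STRICT_POLICY))
```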

Granular visibility with Duo Device Insight

Keeping track of each device’s health posture can be daunting. How many are running the latest OS or browser? What about devices running older versions that are now out of compliance with your new access policy? Which devices can I trust? There’s a lot to digest.

With Duo Device Insight that granular information is available in the Duo Administrator dashboard. Device Insight tracks versions of operating systems, browsers, and plugins on the devices accessing your protected resources and provides a summary view on the Device Insight overview page. You can easily see how many access devices are up to date and those that are out of date throughout your organization.

Whether the next security vulnerability comes from Apple or somewhere else, the time to prepare is now. Make sure the devices accessing your applications and resources are up to date and healthy. Duo has the tools you need to gain granular insight and adjust your access policies to keep your organization secure.

<![CDATA[Learning Together: Celebrating Duo’s Culture on Hack Day]]> mkschmermund@duo.com (Mary Kate) https://duo.com/blog/learning-together-celebrating-duo-culture-on-hack-day https://duo.com/blog/learning-together-celebrating-duo-culture-on-hack-day Product & Engineering

When Engineering Manager Ian Beals joined Duo Security, he was eager to participate in the activities that make Duo culture unique. One such tradition is Duo Hack Day (DHD), a semiannual event in which employees from all over the organization collaborate on projects that contribute to Duo and honor one of Duo’s core values: learning together.

Duo Dictionary + Chrome Extension = Accessible Information

A key piece of onboarding at Duo is learning through the Duo Wiki, an extensive collection of articles and links highlighting the company’s history, programs, products and culture. The Wiki contains the Duo Dictionary, which defines terms and acronyms specific to Duo as well as the broader cybersecurity space.

See the video at the blog post.

Beals relied on these resources when learning the ins and outs of his new company and decided that creating a Chrome extension for the Duo Dictionary could benefit new employees like himself and others who wanted a refresher, especially as new terms are added and definitions evolve.

“A Chrome extension seemed like the perfect way to harness all of the Duo Dictionary terms and plug them directly into places where people use them,” Beals said.

Beals spearheaded the project for his first DHD, collaborating remotely with people from different teams and creating an internal tool for Duo team members. The Duo Blog got to see the Chrome extension in action and learn the inner workings of Beals’ process and passion for collaboration and innovation.

How a creative outlet creates a useful resource

Question: What was your process of DHD?

Ian Beals: On Hack Day, I was able to leverage the experiences that other people have and collaborate. We worked on the Chrome extension, like any other DHD project, from sunup to sundown almost. We did a few rounds of vetting the idea and thinking about it from the user standpoint. Users include both people who are new to the company and people who have been around but still don’t quite know all of the acronyms, all the terms.

Then, we set out to define the user experience, what it should look like when someone is interacting with it. Next, we came up with a couple proof of concepts and ultimately landed with the idea and took it from there.

Q: How did you gather the data to include in the extension?

Beals: The Chrome extension itself is actually pulling from an already established knowledge base, the Duo Dictionary. We just indexed it and then used it where needed. So, starting off with, we got the content from the Duo Dictionary on the Duo Wiki. We had to make a few minor adjustments so it’s a little more uniform and easier to parse.

We went through a few different iterations of parsing through the HTML, live, by way of screen share. The way that we thought of it is that the Duo Dictionary is the best source because it is used and updated frequently.

Q: What does the Chrome extension do?

Beals: When brand new to Duo, we say familiarize yourself with the Wiki as part of our onboarding process. As you are reading and getting all of this content, you may find a word that is associated with our common Duo Dictionary. You can directly look that content up with the extension so that you don’t lose the context as you’re reading.

For instance, if I see Universal 2-Factor (U2F), I just highlight U2F and then right click on the highlighted words themselves. There’s a pop-up that says U2F and grabs the definition and some of the other content and displays it on the page where I’m actually consuming the content initially. I don’t have to navigate anywhere else. I don’t have to keep a tab open and search through the tab.

Q: How does participating in DHD contribute to your work?

Beals: I have been a part of places that have done hack days before, but at Duo, it being scheduled is immensely powerful. That sends the signal that this matters to us. It’s companywide; it’s a part of who we are, our identity, to say that we will innovate and we want to hold this event twice a year.

It’s really important to me to be given the space of saying you can make something that’s very in tune with the product or you can make something that helps everyone, or you can find something that you believe in and go work on it and then tell everyone about it. It serves many purposes. For me, Duo Hack Day is a creative outlet.

Q: What is your hope for the Duo Dictionary Chrome extension moving forward?

Beals: I had the idea and built the extension with my DHD team because it’s a need that I had. A lot of times I assume if I have a question, a lot of people probably also have this question, or if I have this problem that I’m looking to solve, there might also be other people who have that problem to solve.

I really hope that people find the Chrome extension useful. As known as the Duo Dictionary is, I also want to make sure that people have it in the back of their mind to say, “We have a new term. We developed a new product. I’m going to update the dictionary.” So, the secondary motivation is that people will take the time to update the Wiki so that everyone can benefit from it.

If employees are interested in the project, I would love to see more momentum on it and gladly join in. Right now, the code is accessible for developers to pick it up and run with it.

Q: Why do you think engineers would like working at Duo?

Beals: Duo has a reputation for making great products that solve important security needs. At Duo, we approach product development based on customer research and focus on design that is easy-to-use. Those are traits that engineers look for. It gives us a sense of building products and features that will actually be used. That’s key to feeling ownership and long-lasting job satisfaction.

Q: What advice do you have for people who want to work at Duo?

Beals: Show up curious and have a passion for security. Engineers who want to learn more, share what they know and help solve security related problems will do well at Duo.

Come innovate with us!

If you’re energized by collaborative innovation and learning together, check out Duo's open roles.

<![CDATA[Three Best Practices Every Security Leader Should Consider When Using Duo]]> adonis1@cisco.com (Adonis Gutierrez) https://duo.com/blog/three-best-practices-every-security-leader-should-consider-when-using-duo https://duo.com/blog/three-best-practices-every-security-leader-should-consider-when-using-duo Industry News

As cybersecurity leaders have been stepping up efforts to secure all users and applications with multi-factor authentication (MFA), Duo Security is highlighting security best practices that can help deter against malicious attacks. With vulnerabilities such as PrintNightmare (CVE-2021-34527), which have been reported by the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA), it’s important to consider and reference a defense-in-depth security strategy to protect against ongoing security threats.

In this article, the Duo Care team breaks down three best practices that existing Duo customers and new customers who are planning their MFA rollout should follow:

1. User Auditing

Have your team create a user audit of unenrolled users in Duo and create a plan for enrollment. Why do this? Making sure all users have a valid MFA device is crucial to secure Duo deployment. It deters malicious actors from attempting to enroll an MFA device if a user’s password is compromised.

2. Out-of-Band MFA Enrollment

Create an enrollment flow for MFA where the user’s password is not used to complete enrollment into MFA. With any MFA workflow, it is important to have confidence and trust in whoever is enrolling. Some organizations do not have confidence in user passwords and may not consider them fully trusted.

By securing and safeguarding your initial user enrollment workflow through an out-of-band enrollment process which does not use passwords, you will improve your overall security posture and can deter malicious actors from attempting to enroll into an MFA as a user.

3. Duo Policy Hardening

Utilize Duo Policy to deny access to unenrolled users. It’s important where possible to block any MFA enrollment through an externally accessible application, as these applications are accessible through the internet and can be an attack vector. Instead, rely on your out-of-band MFA enrollment process.

We provide additional, actionable steps for following these best practices in our guide for securing a Duo enrollment.

Duo Care helps ensure your MFA rollout goes smoothly

The three best practices discussed above can help ensure your organization properly builds extra layers of security. They also deter malicious actors from accessing your resources. Duo will continue to educate customers and safeguard organizations against potential attacks.

For interested customers who would like to continue the conversation with a trusted advisor, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.

You can also read our guide on preventing cyber actors from bypassing two-factor authentication.

<![CDATA[Verified Duo Push Makes MFA More Secure]]> joshterr@cisco.com (Joshua Terry) https://duo.com/blog/verified-duo-push-makes-mfa-more-secure https://duo.com/blog/verified-duo-push-makes-mfa-more-secure Product & Engineering

As a security-focused organization, Duo Security is committed to giving our customers the best available tools to address their security concerns. So we listened when customers pointed out the weaknesses in the Duo Push – the notification Duo Mobile users approve when they want to log into protected accounts. We’re excited to announce the early access release of the Verified Duo Push, which will increase the security of our push-based multi-factor authentication (MFA) solution. This, in turn, will help improve the resilience of your network against bad actors looking to exploit push harassment or push fatigue.

Access security is evolving

While some customers begin to move toward passwordless to improve their security posture, not all organizations have the infrastructure or resources to make that change. Alongside modern phishing-resistant authentication methods, we need to ensure that organizations continue to have the best security around push-based MFA.

Working with our customers, we have identified that push-based authentication can be vulnerable to:

  • Push Harassment – Multiple successive push notifications to bother a user into accepting a push for a fraudulent login attempt

  • Push Fatigue – Constant MFA means users pay less attention to the details of their login, causing a user to mindlessly accept a push login

User training, device trust, and adaptive policies all help, but Duo is committed to offering more for customers.

Introducing Verified Duo Push

As a first step, we are excited to bring our customers Verified Duo Push in early access, which stops these attacks by asking users to enter a verification code from the access device into the Duo mobile app during the push login process. By using a verification code, we ensure only verified users are able to log in and prevent someone absent-mindedly accepting a push they did not request.

For example, imagine a key employee is vacationing and notices their phone has a Duo push. Ordinarily they would ignore it, but this time they deny it. They receive a second notification and assume it's simply their VPN (Virtual Private Network) at home reconnecting and accept the push.

With a standard push-based MFA solution, the bad actor now has access to the company network. However, with Verified Duo Push that same attack is immediately stopped because the bad actor is unable to complete the transaction -- they cannot enter the unique code in the Duo app, and the employee is encouraged to alert their IT team with a fraud report.
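As an added example, not Duo's code and a simplified model of the mechanism rather than Duo's implementation, here is the server side of a code-verified push: the verification code is rendered only on the access device and is never carried in the push itself, and the server checks it with a constant-time comparison, a short expiry, an attempt limit and single use. `vacation_scenario` plays through the example above. Transaction states, constants and function names are assumptions made for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

CODE_LENGTH = 6          # digits shown on the access device
TXN_TTL_SECONDS = 60     # a push that is not answered promptly cannot be approved later
MAX_ATTEMPTS = 3         # wrong codes before the transaction is locked and flagged


@dataclass
class PushTransaction:
    username: str
    code: str            # only ever displayed on the access device that started the login
    created: float
    attempts: int = 0
    state: str = "pending"   # pending | approved | denied | fraud_reported | expired | locked


def wrong_code(code: str) -> str:
    """A code guaranteed to differ from `code`; stands in for a guess in the demonstration."""
    return str((int(code) + 1) % 10 ** CODE_LENGTH).zfill(CODE_LENGTH)


class VerifiedPushServer:
    """Server side of a code-verified push login (simplified model for this example)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                      # injectable so expiry can be tested offline
        self._txns: Dict[str, PushTransaction] = {}

    def start_login(self, username: str) -> Tuple[str, str]:
        """Login path on the access device. The txn_id goes to the phone in the push; the
        code is rendered only on the access device's screen for the user to read off."""
        txn_id = secrets.token_urlsafe(16)
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._txns[txn_id] = PushTransaction(username, code, self._clock())
        return txn_id, code

    def push_payload(self, txn_id: str) -> Dict[str, str]:
        """Contents of the push notification: the code is deliberately absent, so tapping
        Approve alone proves nothing; the approver must also be looking at the access device."""
        txn = self._txns[txn_id]
        return {"txn_id": txn_id, "username": txn.username}

    def approve(self, txn_id: str, entered_code: str) -> str:
        """Called by the phone app when the user taps Approve and types the code."""
        txn = self._txns.get(txn_id)
        if txn is None:
            return "unknown"
        if txn.state != "pending":
            return txn.state                     # terminal states never change
        if self._clock() - txn.created > TXN_TTL_SECONDS:
            txn.state = "expired"
            return txn.state
        txn.attempts += 1
        if hmac.compare_digest(txn.code, entered_code):   # constant-time comparison
            txn.state = "approved"
        elif txn.attempts >= MAX_ATTEMPTS:
            txn.state = "locked"                 # repeated wrong codes: surface to IT as a fraud signal
        return txn.state

    def deny(self, txn_id: str, report_fraud: bool = False) -> str:
        """Called when the user taps Deny; the fraud flag is what the IT team should alert on."""
        txn = self._txns.get(txn_id)
        if txn is None:
            return "unknown"
        if txn.state == "pending":
            txn.state = "fraud_reported" if report_fraud else "denied"
        return txn.state

    def consume(self, txn_id: str) -> bool:
        """Login path finishes the session: an approved transaction is usable exactly once."""
        txn = self._txns.get(txn_id)
        if txn is None or txn.state != "approved":
            return False
        del self._txns[txn_id]
        return True


def vacation_scenario(server: VerifiedPushServer) -> Dict[str, object]:
    """The post's example: someone holding the employee's password starts a login, the
    employee's phone gets the push, and on the second push the employee approves it
    thinking it is their home VPN reconnecting."""
    txn_id, _code = server.start_login("employee")       # code is on the *login* screen, not the phone
    first = server.deny(txn_id)                          # first push: the employee denies it
    txn_id2, code2 = server.start_login("employee")      # second attempt, second push
    # The employee approves but has no code to enter; whatever they type does not match.
    second = server.approve(txn_id2, wrong_code(code2))
    return {"first_push": first, "second_push": second,
            "attacker_logged_in": server.consume(txn_id2)}


if __name__ == "__main__":
    print(vacation_scenario(VerifiedPushServer()))
```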

By deploying this new authentication method as part of Duo’s adaptive policies you can harden your device enrollment process, secure sensitive applications, and protect your organization against the latest techniques from adversaries.

We aren’t stopping there

We are excited to bring our customers more secure authentications with the following roadmap investments landing right around the corner:

  • Risk-Based Authentication – Dynamically assesses the authentication for push harassment and other threat patterns enhanced with anomaly detectors to automatically step up the authentication to the most secure methods including Verified Duo Push

  • Passwordless Push – By using a “known device” cookie, passwordless push ensures that only authorized devices authenticate while providing simple and easy passwordless authentication powered by Duo Mobile

  • Device Enrollment Threat Detection and Response – Analyze, surface and quarantine risky device enrollments to ensure only valid devices can be used to authenticate

<![CDATA[Why We Comply: Breaking Down the Learning Curve in K-12 Cybersecurity Compliance]]> klittonruggiero@duo.com (Kathryn Litton) https://duo.com/blog/breaking-down-learning-curve-in-k-12-cybersecurity-compliance https://duo.com/blog/breaking-down-learning-curve-in-k-12-cybersecurity-compliance Industry News

It’s never been more important to protect our children against cybercrimes. A Sophos survey of school IT professionals around the U.S. estimated that 44% of educational institutions were targeted by ransomware attacks in 2020 — more data breaches than we’d ever seen in prior years. The numbers have only climbed since.

Thankfully, the government is responding with new laws and cybersecurity compliance revisions in hopes to educate, fund and bolster data security initiatives in K-12.

While this is all great news, legal verbiage can be tricky to decipher and it’s easy to get lost in an influx of new information. It can also be challenging for school leaders to break down what new laws mean and what they can do to support pre-existing academic compliance mandates to help secure student data. However, adding two-factor or multi-factor authentication (MFA) cybersecurity may be a good place to start.

What is the K-12 Cybersecurity Act?

The toolkits take a holistic approach to cybersecurity, taking into account school size, online presence and access to funding when developing a strategy against threats like ransomware. Some key takeaways from this literature are:

  • School administrators should implement access control standards so that each user only has access to the applications they need to use.

  • All students, faculty, staff and parents should use secure authentication tools like MFA to verify their identity before accessing sensitive school data.

  • School networks should be secured for both on-premises and remote access through use of a virtual private network (VPN), secure shell (SSH) servers or another secure network product like Duo Network Gateway (DNG).

  • Districts should insure their data by investing in cyber liability protection (more on this later!).

With all appropriate data security measures in place, schools can help protect their student body and their families, the district’s dedicated staff and even the country as a whole from bad actors. Additionally, these protections can even help satisfy other compliance mandates like Family Educational Rights and Privacy Act (FERPA).

Does FERPA protect student data online?

Prior to the signing of the K-12 Cybersecurity Act, districts were held to three main regulatory compliance mandates that also sought to protect school data from malicious access. As a parent, educator, administrator or CISO in the education sector, you’re likely familiar with:

  • Family Educational Rights and Privacy Act of 1974 (FERPA), which requires that student and school data be kept private and confidential

  • Health Insurance Portability and Accountability Act (HIPAA), which requires that health records be kept private and confidential

  • Freedom of Information Act (FOIA), which requires that all records are available and accessible

FERPA is pretty much a catch-all privacy act for schools. Its mandates supersede those of both HIPAA and FOIA, which means that, in a K-12 school district, protecting student health records, transcripts and personal identifying information is required by law. The only student data that’s excluded from FERPA is directory information like a child’s name and home phone number.

Does FERPA require MFA?

In the modern classroom, MFA is required. To comprehensively satisfy FERPA guidelines, any school that handles data online must invest in a two-factor or multi-factor authentication product.

While MFA is not named in its documentation, it in fact does satisfy FERPA’s rigid authentication requirements in the context of digital data. This law requires that schools identify and authenticate all parties before granting access to the data it covers, which is exactly what MFA satisfies in online data management.

To protect data stored online covered under FERPA, schools must purchase an MFA product that is able to work in all school applications, including custom applications. Some MFA products, like Duo MFA, offer the whole package with an unparalleled user experience, which eliminates unnecessary added steps for busy educators and IT administrators.

Do K-12 schools need cyber liability insurance?

Per CISA’s recommendations, K-12 schools are now strongly encouraged to enroll in cyber liability insurance. In the event of a school data breach or ransomware attack, a good cyber liability insurance policy will cover data recovery costs, plus any expenses incurred by notifying and helping the individual victims. In any school district, a cyberattack can result in lots of unexpected expenses without this added layer of financial protection.

When considering cyber liability insurance for K-12, the importance of a solid MFA solution comes back into play. Most providers require MFA and access control software integrations as a baseline for coverage eligibility.

Why are K-12 data security attacks on the rise, and what can we do?

Today, school districts have many resources at their disposal to keep our children safe from cyberattacks. The challenge that remains lies in finding the right cybersecurity products, securing the right data protection strategies and obtaining adequate funding to accomplish their unique cybersecurity goals. Tools like The K-12 Cybersecurity eXchange (K12 SIX) K-12 Cyber Incident Map demonstrate the sheer magnitude of online threats in U.S. schools. 

In 2020, educators in over 150 pandemic-afflicted nations were forced to display incredible resilience as they navigated an unexpected, rapid shift to remote work. To adapt to unprecedented change, they had no choice but to pioneer educational software-as-a-service (SaaS) tools, adjust curriculum coursework and whip up creative solutions. As if educational IT professionals weren’t already inundated with help desk tickets before the remote learning shift, they now have to carry this learning curve burden for their entire district.

Two years later, the online learning tools employed during the pandemic are now permanent fixtures in classrooms – and schools are still struggling to understand exactly how to secure them. Furthermore, educational budget constraints still pose a challenge for many districts, leaving major gaps in their security strategy.

Fortunately, there are endpoint security solutions out there that can solve these challenges without restricting staff or draining the school budget. These solutions should adequately check MFA boxes and also offer VPN protection for onsite learning and robust remote access solutions for remote learning. Duo’s flexible, effective, user-friendly and easy-to-deploy security products are built for use cases like schools. Products like ours even support lower total cost of ownership (TCO) in the education industry.

Want to learn more?

Check out these additional resources our team has put together:

<![CDATA[How Zero Trust Protects Retailers From Malware]]> dbandini@duo.com (Desdemona Bandini) https://duo.com/blog/how-zero-trust-protects-retailers-from-malware https://duo.com/blog/how-zero-trust-protects-retailers-from-malware Industry News

The retail industry is important to protect. Some of the biggest retailers have been breached in recent years, costing millions of dollars in lawsuits and brand degradation. They were not prepared with the basic requirements of good cybersecurity hygiene outlined in the PCI DSS (Payment Card Industry Data Security Standard), the White House Executive Order and the new National Security Memorandum, which all recommend multi-factor authentication.

Learn how criminals break into a retail organization’s systems and how to harden your security posture. Phishing and other point-of-sale hacking methods like brute force, stolen credentials and offline hacking give them access to customer credit card numbers, but they don’t have to.

In this guide you will learn:

  • How adapting a zero trust stance can protect you before and during an attack

  • About new risks to the retail industry presented by cloud, mobile and Bring Your Own Device (BYOD)

  • Business and compliance drivers for strengthening authentication security

  • How outdated security solutions can no longer effectively protect retailers and consumers alike

  • How implementing a modern multi-factor authentication solution can work to protect the new IT model

Retailers need to ensure corporate and boots on the ground employees can access applications in the cloud or through legacy systems safely. They need extra protection from third-party vendors and contractors that may be breached.

Ready to protect your retail company?

Download the guide Retail Cybersecurity: The Journey to Zero Trust and learn how zero trust can help stop malware from accessing retail corporate and consumer data.

<![CDATA[NYDFS Cybersecurity Regulation Updates Address MFA Hurdles in the Finance Industry]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/nyfds-cybersecurity-regulation-updates-address-mfa-hurdles-in-finance-industry https://duo.com/blog/nyfds-cybersecurity-regulation-updates-address-mfa-hurdles-in-finance-industry Industry News

In 2017, New York Department of Financial Services (NYDFS) passed cybersecurity regulation 23 NYCRR 500, requiring all financial services companies to implement multi-factor authentication (MFA). Since its creation, the Cybersecurity Framework has continued to offer updates and guidance on best security practices.

In 2021, the NYDFS cybersecurity department explicitly called out MFA weaknesses as one of the most common gaps exploited at financial services companies. During the NYDFS cybersecurity investigation from January 2020 to July 2021, they found that more than 18.3 million consumers were impacted by cyber incidents from inadequate use of MFA. These failures arise from a variety of sources, including the absence of MFA or problems with how it is currently used.

Common problems with MFA according to NYDFS cybersecurity research findings

In order to close the exploited gaps, organizations need to evaluate their current MFA solution and ensure that it’s actually protecting from vulnerabilities, and not just checking a box for compliance purposes. 

According to the NYDFS cybersecurity regulations, there are common MFA violations that have occurred across financial service organizations.

  • Legacy Systems: Legacy technology, or technology that is outdated and does not require MFA, can provide an open door to an attacker. When a company migrates to a modern system, all unneeded legacy systems must be decommissioned, or, if still in use, protected with an MFA solution.

  • Remote Access Application Coverage: Many companies rely on a virtual private network (VPN) to access sensitive company information. However, it is common to allow exceptions to VPN use to access email or other applications. MFA must be enabled for remote access of all applications, even if employees don’t have to go through a VPN to get there.

  • No MFA for Third Parties: Third parties, just like employees, should follow the same security protocols, especially if they have access to sensitive information. Any individual, regardless of employment status, is a potential target if they lack secure access controls.

  • Slow & Ineffective MFA Deployment: Once a company has an MFA solution, then that solution needs to be rolled out across the organization. If a user is never required to set up MFA, those individuals can be a source of vulnerability.

  • Poor Exceptions Management: Exceptions to MFA can open up doors to hackers, especially if C-suite executives, with access to highly sensitive information, are not required to follow the same security protocols. Exceptions should be rare, and if allowed, be tracked and managed.

The solution? Duo

To summarize, if an organization is not purposeful about its use of MFA, it can leave open a lot of back doors and vulnerabilities for an attacker to exploit. One of the main reasons that MFA is not used to the best of its ability is that it can be time consuming and burdensome both for the security and IT teams that manage it and for the users who have friction added to their workflow.

With Duo, security is made easy so organizations do not fall into the same common pitfalls highlighted in the updated MFA guidance published alongside the NYDFS cybersecurity regulations. Here’s how Duo can help:

  • Ease of Use: Duo’s MFA solution allows users to select from multiple authentication methods, including Duo Push. With one tap, users are able to quickly and easily log in to their account. Similarly, the Duo Admin Panel makes it easy for IT and security administrators to manage their users and ensure the correct access policies are in place.

  • Quick Deployment: Customers have deployed Duo in a range of manners, from a phased deployment to rolling out Duo over a weekend. Duo’s self-service options enable users to quickly secure their accounts and can reduce the number of help desk tickets, enabling IT to spend more time on higher-priority tasks.

  • Broad Coverage: Duo’s vast set of integrations enables the solution to work with a wide range of applications and systems, including legacy and on-prem technology. Duo works with companies in a wide range of industries that use various tools and was built to work for all customers, regardless of the level of complexity.

  • Third Party Coverage: Regardless of employment status, all workers from full-time employees to contractors who need IT system access can use Duo to ensure secure login. Duo’s coverage enables visibility across the workforce to make sure all sensitive information is protected.

<![CDATA[Unpacking Zero Trust: Buzzword or Game Changer?]]> sylai@cisco.com (Sydney Lai) https://duo.com/blog/unpacking-zero-trust-buzzword-or-game-changer https://duo.com/blog/unpacking-zero-trust-buzzword-or-game-changer Industry News

This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.

To most college students, Duo Mobile is a huge pain! I have to log in to my account AND authenticate on my phone? Is this really necessary? In the past, my answer to this loaded question would have been no. However, becoming a Duonaut and joining our Product Marketing Management (PMM) team has completely transformed my mindset on the importance of Duo and cybersecurity as a whole.

For example, security is just like exercise! You may not like it very much in the moment, but it enables you to stay healthy and strong. Throughout my journey as a PMM intern, I’ve had the opportunity to learn all about security.

In particular, I’ve been unpacking zero trust – one of security’s hottest topics at the moment. Just like Duo to college students, zero trust is a controversial concept that is seen by some as a marketing ploy vendors use. However, I’ve learned that it can provide tremendous value to those who choose to implement it.

What is zero trust?

Hearing the term “zero trust” for the first time threw me for a loop. For me, it wasn’t an intuitive concept that I was able to grasp right away. This is the case for many people.

In a nutshell, zero trust is a strategic approach to security that centers on the concept of eliminating trust from an organization’s environment. To break it down further, there are three pillars of zero trust:

  1. Never assume trust

  2. Always verify

  3. Apply least privileged access

Now that business needs and attacks are evolving rapidly, implementing a zero-trust security approach has become more relevant than ever.

For instance, organizations can achieve capabilities like improved remote and return-to-office worker productivity through zero trust. Given that we’ve passed the peak of the pandemic, it’s no surprise that 36.2% of respondents from a pulse survey that we conducted chose this as their top expected outcome from adopting a zero-trust strategy. With this in mind, I assumed that everyone would be clamoring for a taste of it.

The top expected outcomes after adopting a zero-trust strategy

The controversy surrounding zero trust

Although many organizations have already jumped on the zero-trust bandwagon, there are still many skeptics. This was a key finding from my research on what people are saying about zero trust.

I learned that the confusion regarding zero trust fueled skepticism. One source of confusion stems from pinpointing what zero trust is. Since it’s a complex concept, it means different things to different people. People see it as segmentation, or ZTNA, or endpoint security, or firewall, or identity.

Another source of confusion is learning how to achieve mature implementation of zero trust. Remember, it’s a security architecture or concept, not a product you can buy, so organizations find it difficult to get started.

In other words, zero trust can be compared to the Star Wars franchise: there are some people who haven’t seen a single movie and, at the same time, diehard fans that can’t come to a consensus on which movie to start on.

And the cherry on top? A deep dive into Reddit (shoutout to r/cybersecurity) demonstrated that skeptics believe that vendors have ruined zero trust.

Comments from r/cybersecurity about zero trust

To sum it up, they believe that zero trust has been turned into a buzzword, insinuating that it’s all bark and no bite.

However, I argue otherwise. Moving towards a zero-trust strategy can be a game changer for organizations, because it enables them to strike the right balance between security and usability. With a “frustrate attackers, not users” philosophy, zero trust can empower individuals of an organization to play an integral role in maintaining security without friction. All in all, worker productivity can be improved as problems that arise from traditional security models are avoided.

A fresh take on zero trust messaging

We can reduce skepticism by refreshing messaging. First, it’s imperative that we address anyone who’s confused about zero trust by answering the following questions:

  • Who should be implementing zero trust?

  • What is zero trust?

  • When should an organization implement zero trust?

  • Why should an organization implement zero trust?

  • How should an organization implement zero trust?

Answering these questions can help limit confusion while alleviating concerns that zero trust is an evil scheme for vendors to gain profit. We want to help organizations secure their business in a manner that’s forward-thinking and user-friendly at the same time.

Next, we need to ensure that our messaging is concise and straightforward. Being repetitive and long-winded can lead to our audience losing interest in our messaging (I felt this way when scrolling through a few vendors’ messaging). Furthermore, condensing messaging means that it will be easier for our audience to digest information. Knowing that zero trust is confusing to many, this should help consumers understand it faster and better.

Navigating zero trust as a PMM intern

To learn and understand zero trust on a deep level, I did a lot of reading and spent hours discussing with the other two-thirds of what we like to call our team – the Zero Trust Trinity. As veteran PMMs and cybersecurity experts, my teammates not only broke down the technical side of zero trust for me, but also shed light on how I could do the same for a general audience.

The Zero Trust Trinity: Megha Mehta, Sandy Hawke, and Sydney Lai (me)

With their guidance and wisdom, I’ve had the opportunity to create messaging to educate people about zero trust by writing copy for ad banners and creating decks that support our sales processes. At the beginning of my internship, I was devoted to learning all about zero trust, and now I can finally play a part in educating others – a full circle moment for me.

Overall, my journey as a PMM intern at Duo Security has been a roller coaster ride. There are ups and downs, but the thrill never ends. Learning about zero trust was and continues to be challenging for me, and it’s something that I welcome with open arms. Knowing that I can apply my knowledge and make a positive impact is what I love about being part of Duo. There may still be Duo and zero trust skeptics out there, but (hopefully) the work that I and other PMMs do will change their minds.

<![CDATA[My Journey at Duo With No Previous Cybersecurity Experience]]> aslu@cisco.com (Ashley Lu) https://duo.com/blog/my-journey-at-duo-with-no-cybersecurity-experience https://duo.com/blog/my-journey-at-duo-with-no-cybersecurity-experience Industry News

This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.


Opening my offer letter for the Product Marketing Management (PMM) intern position at Duo Security, I was overjoyed and shocked. Although it was my dream position at a company that I loved, a lingering anxiousness about my lack of technical knowledge made me second guess if I was the right fit for the role.

However, after a lot of reflection and talking with my current manager, it was clear to me that even though it would be challenging, I wanted to take advantage of the opportunity to gain technical and industry knowledge while also pushing myself out of my comfort zone.

Challenges working in cybersecurity

Identifying my cross-applicable skills

Although I did not have prior knowledge about cybersecurity, I was still able to bring value to the team because of the skills I had gained from my previous experiences. Some skills, including analytics, research, and strategy, were transferable to this internship.


In one of my past internships, I performed many market segmentation analyses to understand market shares in different demographics. At Duo, I was tasked with a similar project. I needed to analyze win/loss data across industries, competitors, and regions. Both experiences required me to perform segmentation and find common trends.


During my time at Duo, I needed to perform market research on small-to-medium sized business (SMB) customers and industry research on the manufacturing sector. Having prior experience with both market and industry research helped me understand what information to look for.


I had prior experience in social media, branding, and sales strategy. Similarly, at Duo, I was challenged to recommend messaging and marketing strategies based on my analysis of SMB customers.

Why choosing Duo was worth it

Working at Duo not only meant that I got to learn about an industry completely out of my comfort zone, but also, I had the opportunity to work in different environments, take ownership of my projects and develop new skills.

Work anywhere & everywhere

Due to the remote work policy, Duo allowed me flexibility in where I wanted to work. So I moved to NYC with my friends for the summer. I was able to work from anywhere I wanted including cute coffee shops, fancy malls, the NYC Cisco office, and my tiny, crowded apartment.

The interns gather in the NYC Cisco Office

It gave me a glimpse of what hybrid work looked like in a big city. For someone like me who has only lived in the suburbs of Michigan it was exciting and new. I fell in love with the chaotic energy of NYC and enjoyed the flexibility in choosing where I wanted to work every day.

Project autonomy

Throughout the internship, I liked that I had a lot of autonomy in what direction I wanted to take each project. My manager and mentor guided me and provided feedback but trusted me to make decisions and conclusions based on my analysis.

Professional development

Lastly, Duo gave all the interns a professional development budget and with it I was able to receive Pragmatic Institute training on Product Management and Marketing. The training was insightful because it taught me about tech marketing, which was different from the traditional marketing classes I took in college.

I learned that in tech marketing, we should not focus on our products, but on the problems we can solve for our customers. It changed my whole perspective on product marketing and how I was framing my projects.

<![CDATA[3 Tools Product Designers Can Use to Organize Their Work]]> ashyang@cisco.com (Ashley Yang) https://duo.com/blog/3-tools-product-designers-can-use-to-organize-their-work https://duo.com/blog/3-tools-product-designers-can-use-to-organize-their-work Industry News

This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.

One of Duo Security’s core values is “Building for the future,” which can feel like a big goal to work towards. Because designing products in the security space is complex, the first (and ongoing) step I take to work towards this value is staying organized. There are several tools the Duo design team uses to organize ideas, meetings, and decisions.

As a product design intern at Duo, I mainly use three types of tools — document space, whiteboard, and calendar — to accomplish my tasks:

Tool #1: Document Space

Product design includes a lot of documentation, and tools that keep track of documents in one place help with keeping things in order. My app of choice is Notion, but other options (like Coda, Google Drive, Microsoft OneDrive, Dropbox, etc.) can work just as well.

My biggest consideration when choosing where to keep documents was how accessible the tool is for me and the people I work with. I went with Notion since most people on the Duo design team were already using it, and I was familiar with the tool and its capabilities. Each team uses Notion in the way that works best for them — here’s how I use it!

This is what my Notion space looks like!

The Duo Design Notion Workspace is divided into different teams. Under my design team, I created my own space. The space I use the most often within this Notion page is my own Kanban board. I use a Kanban board since it makes it easy to see all my documents and tasks in one page. I organize everything by the status of each task I have to complete.

A recreation of my Kanban board, included in the template.

If you’re looking for a starting point for your internship or project organization, you can duplicate this template and customize it to fit your own needs! Some pages that could be helpful to add:

  • 1:1 notes with your manager

  • Your internship goals and progress

  • Research folder

  • Personal notes

You can also easily edit it to fit a larger team’s needs by adding Assignments to assign people to tasks, and tags to help differentiate between different projects.

Tool #2: Digital Whiteboard

Designing for security means dealing with lots of complexity. Using FigJam (or any other whiteboarding tool, like Mural or Miro) is a great way to gather all your ideas before tidying them up.

The FigJam iPad app lets you sketch loose and quick wireframes at a low-fidelity level to help get your ideas out quickly. Sketching with pen and paper and inserting sketches into the file later works just as well. After sketching and ideating, dividing the file into sections helps with organizing the different ideas that came up.

The structure of my FigJam board.

One benefit of having a digital whiteboard is that it facilitates conversations between you and your collaborators. My mentor and I used FigJam to do a design jam session using the pen, sticky note, and timer capabilities, which helped us flesh out and discuss ideas easily.

We worked directly in an existing file, but there are also pre-made templates that can help with brainstorming, user journey mapping, and any other purpose you might need.

Tool #3: Calendar

Your digital calendar can be a great tool to organize your time. I set a recurring, tentative “Focus time” event in my calendar at the beginning of my internship. This signals to collaborators to select other times to book meetings. This worked well for me — I booked out every Wednesday for focus time, which often gave me the entire day each week to do heads-down work!

At the beginning of the day, I sometimes schedule events within those blocks to work on specific tasks to help me stay on task and keep track of the time I allot to each project. Having the calendar open helps me mentally prepare for the things I am aiming to accomplish for the week.

Blocking off tentative focus times to work on projects.

I previously just used my digital calendar to keep track of meetings with other people, but adding my own personal “events” to work on specific tasks made those meetings more productive — it helped me to finish necessary items in time to prepare to discuss them with other people.

Moving Forward

When I first started my intern project, setting up my document space, digital whiteboards, and calendar helped me gather all the things I needed to do my best during my product design internship. I hope that using or remixing some of these tools and templates helps you too!

<![CDATA[Duo Is Top Rated by TrustRadius in 2022]]> klittonruggiero@duo.com (Kathryn Litton) https://duo.com/blog/duo-is-top-rated-by-trust-radius-2022 https://duo.com/blog/duo-is-top-rated-by-trust-radius-2022 Industry News

Duo Security is honored to be a 2022 Top Rated by TrustRadius cybersecurity product in the Authentication, Cloud Computing Security and Single Sign-On categories. With an outstanding user interface and experience, a wide range of use cases and an extensive scope of deployment, Duo’s multi-factor authentication (MFA) cybersecurity product suite is beloved by its users and by the thousands of companies it protects, from the retail industry to the financial services sector – even academia and K-12.

What is a TrustRadius Award?

Since 2020, Cisco Secure Access by Duo has earned impressive marks from TrustRadius’ buyer intent software platform, which distributes its awards with the intention of helping organizations compare and verify the quality of software products.

What makes earning a TrustRadius accolade impressive for Duo?

Unlike some awards that rely solely on the breadth of public relations (PR) campaigns and media pitches, Top Rated by TrustRadius awards are determined exclusively by verified consumer reviews. The organization states that “there is no paid placement or analyst opinion.”

For Cisco Secure Access by Duo, this means that our customers have had outstanding things to say about Duo as an authentication MFA and two-factor authentication (2FA) provider. They’ve also praised its cloud computing capabilities and ease-of-use as a single sign-on (SSO) vendor.

Duo Security is named Best of Authentication in 2022

One of the most trusted sources for business to business (B2B) software insights, TrustRadius has also collected additional data on the Duo authentication app’s customer experience. Our impressive scores have subsequently earned us three additional Best of Authentication 2022 awards including Best of Feature Set, Best of Relationship and Best Value for Price.

TrustRadius’ “Best of” awards, much like the Top Rated awards, are based entirely on verified client reviews. There are three specific categories, all of which are areas of recognition for Duo this year:

Best of Feature Set 2022

With scores based on the product’s comprehensiveness, Best of Feature Set awards are given to companies with the most extensive and autonomous feature suites. A customer will give high scores to a product with a wide range of features and applicable use cases for said features.

“Cisco Secure Access stacks up well with competitors like PingID; the user interface is simple and easy to use. This solution is very scalable and could be utilized by organizations of any size.” - Dustin Howey, Digital Marketing Consultant at DH Marketing in a TrustRadius review of Cisco Secure Access by Duo

Best Value for Price 2022

Best Value for Price awards are given to companies that rank high in consumer scoring of a product’s initial investment price, deployment and training costs and, ultimately, return on investment (ROI).

"We will have a smaller attack surface which will provide us the ability to better spend our budget on directed improvements instead of having to cast a wide net." - Sean Muller, IT Security Manager at Paraco Gas Corporation in a TrustRadius Review of Cisco Secure Access by Duo

Best of Relationship 2022

Best of Relationship is an award for products that maintain excellent consumer ratings in “Would Buy Again,” “Implementation Expectations,” and “Sales and Marketing Promises,” which speaks to both the integrity of the brand and its ability to deliver on its claims and its self-service capabilities.

"Duo Security helps me sleep better as I worry less about an external attacker gaining unauthorized access to my network." - Jeff Robinson, Chief Technology Officer/Director of IS at Hattiesburg Clinic in a TrustRadius Review of Cisco Secure Access by Duo

Duo Security Wins at TrustRadius

TrustRadius awards speak volumes about both customer satisfaction and the overall quality of a product. Duo Security is honored to have earned Top Rated, Best of Feature Set, Best Value for Price and Best of Relationship in 2022 and seeks to continually achieve these ratings in years to come.

Discover Duo’s numerical scores, real customer reviews and satisfaction ratings on TrustRadius.

<![CDATA[Introduction to the New World of Tech as a Helpdesk Intern]]> sumsaeed@cisco.com (Summer Saeed) https://duo.com/blog/introduction-to-tech-as-a-helpdesk-intern https://duo.com/blog/introduction-to-tech-as-a-helpdesk-intern Industry News

This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.


The “Work-from-Home” era began in March of 2020, but where was I when everything shut down? I was a mere junior in high school. The main worries of prior graduating classes were the SAT and college applications. However, most of them never had to think about when they would be allowed to go back to school. What was initially advertised as a “2-week vacation” turned into a 2-year (plus) social desert.

I would like to think that is the reason I was afraid to start this job as an intern at tech company Duo Security, along with a hint of imposter syndrome from being young. Do not get me wrong, there were some perks to being remote – like being able to talk to college recruiters thousands of miles away, but there was also a fair share of challenges that required a heavy amount of adjustment.

This “new normal” for everyone else was in fact my only normal. So, there was only one option – adapt or get left behind.

That’s what brought me to Duo in the first place, what sustained me during the mostly remote interview process, and what empowered me while working mostly from home. It’s also what allowed me to develop my skills as a Helpdesk intern, helping to keep our remote employees at their most productive regardless of where they’re located.

My Endpoint journey

In my first year of high school, I started programming the basics like HTML and JavaScript. Before I took that mandatory class, I was so intimidated because I could barely navigate my own computer back then, let alone start programming on one. Much to my surprise, I instantly clicked with everything programming. My middle school self would not believe that I could now solve the computer problems of others when I could not solve my own basic issues before.

I decided in high school that I wanted to major in Computer Science. When I got to college, I was a bit lost. I continued my Computer Science curriculum, but all I could think of was “I do not want to be sitting at a desk coding and debugging all day.” I thought I would lose my mind. (By the way, that is not what I do now, and my faith has since been restored).

But, during that short, but necessary, period, I started exploring my options. So here I am – with a Double Major in Computer Science and Anthropology. Two fascinating subjects that have absolutely no correlation whatsoever.

The moral of that story is I learned a lot more about myself along the way. I was always such a straight-path person: “I need this done by the time I am 25, and this has to be completed by the time I turn 42.” I thought what I wanted in life would guide me, but in my case, it was what I did not want that led to true self-realization. There was always one goal to get to, but I never really knew what it was. Now, I realize the goal is not actually the goal, it is how much I learn and gain from my journey to the Endpoint.

How I became an intern for a tech company

Towards the end of my first year of college, I knew I needed a summer job. I was planning to become a barista, my dream job as a coffee and coffee shop lover. Clearly, that did not happen.

I got an unexpected email from a program called the Michigan Future Founders Fund, which has an internship program for minorities. They partner with tech start-ups to provide qualified interns for the companies, determined to help both the interns and companies grow at a rapid pace.

To be honest, I did not think I would get anywhere with it. Before I became a finalist, I saw all the other choices these companies had: juniors and seniors with much more experience and relevance. I still applied with the mindset of “what is the worst that could happen?” since I did not want to get my hopes up. I had just been declined for an internship at my school's (University of Michigan) IT department and accepted that an internship after my first year just might not happen. Even when I became a finalist, and Duo requested an interview with me, I retained little hope.

After the interview, I felt more at ease. My current mentor – IT Project Manager, Jenna – is the one that interviewed me first, and it was very reassuring. Prior to my interview, I heard about horrid technical interviews, and everything being so serious. In my experience at Duo, though, we just had a pleasant conversation talking about the company and my background.

I was offered a second interview, much to my surprise, with my current manager, which seemed even more intimidating at the time. Once again, my worries faded away after the meeting. The tech world is often portrayed to be a scary place, filled with serious people with no social skills. Yet, at Duo, I have seen nothing but the opposite. I have visited the office a few times and even weaseled my way into some friendly office war shenanigans once or twice.

About a month passed after the interview, and I lost all hope. As a first-generation student, I did not know what the timeline of a new job in my field looked like. There was no one I knew, especially in my family, that could give me sound advice. But on my last day on Campus, I received the offer email.

Manning the help desk

The day I was onboarded was the first day I met other members of my team. I currently have the formal title of “IT Support Analyst Intern,” and the Helpdesk team is definitely the best. I can absolutely say that with no personal bias at all.

My most prominent daily contribution goes towards the #helpme channel in Slack, where people send their IT issues and questions instead of filing tickets. As necessary, more intensive issues can lead to ticket creation. Some can be completed with a simple answer, but others can take a few hours of back-and-forth conversation.

Identifying the problem can be the trickiest part at times. I never feel stuck because I can always ask my team questions, which I ask a lot of. The most rewarding part of my job is knowing that I made someone’s day a little easier or solved a problem for them – especially by unblocking them and allowing them to get back to work and be their most productive. As an estimate, I help around 6-7 people a day through the channel.

When requests are more difficult or contain confidential information, a ticket can be filed. We use software called Zendesk, where tickets are assigned to a Helpdesk Agent and the requester and agent can communicate about the issue. Tickets can be filed for many things, big or small, all the way from simple tasks like additional access and password resets to more daunting ones like device management and laptop refreshes.

Provisioning laptop refreshes has also been a significant part of my internship. I work on sending out, filing, and setting up more powerful laptops for engineers in need of an upgrade.

Why my fears were washed away

The best parts of my internship include the amount of knowledge I continue to gain and the interactions I have with my team, which are directly correlated. I thought an internship would be like those you see in movies, where interns do errands and run around to get coffee, likely modified due to Covid.

I was extremely mistaken, once again. My team welcomed me with open arms. Almost every one of them taught me something new, whatever seemed to be their “specialty,” even though all members can do it all. Being taught that way helped me form bonds with my team that I am very thankful for.

One of the first things that was said to me when I started was “Please ask questions.” I took that as a challenge apparently. Even now, towards the end of my internship, I constantly ask questions every day and not once have I felt deterred to ask them.

The hands-on approach I was able to take from the very beginning could never be replaced by lectures, textbooks, or watching others. However, I did learn a lot from watching, especially at the beginning when I had no idea what I was doing. I continue to learn every day, and I am certain that will happen until the end of my time here.

As an intern, I was surprised when I received the same access as other members of the Helpdesk team, after a lot of training, of course. I did not realize how essential it was to have all of it until I started helping. Helpdesk problems can be all over the board, and being able to solve problems on my own, with support if needed, was a huge advantage for my learning process.

The most challenging part of the internship was the training at the beginning, which took most of my time for a week or two. The IT training was interesting and relevant for day-to-day use. Then there was a lot of more general company training required for all employees. My manager wanted me to “hit the ground running,” which I feel like I did after the IT training. There were more difficult and prominent problems to handle for other members of my team when I joined, so I was able to jump right into helping people, in an attempt to relieve them from some of the load.

Of course, I still asked a lot of questions, even ones just for clarification. That time played a prominent role in the comfort I have with solving issues now. For many questions, I was able to search for similar problems and their solutions from the past, which allowed me to form a game plan for the unfamiliar problems I face every day.

Lessons from the Helpdesk

Walking into a big internship like this was an eye-opening experience after one year of college. It has cemented my interests in computer science, while giving me peace of mind for my future. I am forever grateful to my department for designing this internship to be so interactive and growth focused.

This experience has been nothing but refreshing and meaningful to me. I would intern at Duo a thousand more times if I could, and there would still be more to learn and gain from it.

Overcoming Imposter Syndrome in Tech
By Lily Hu (lilyh@cisco.com), Industry News
https://duo.com/blog/overcoming-imposter-syndrome-in-tech

This article is part of a series of posts produced by the Duo interns, highlighting their experiences and the projects they worked on this summer. And be sure to check out our open internship positions.

You’re doing amazing. Thanks, you too.

It shouldn’t be that hard to accept a compliment. But it’s always been easier for me to deflect the attention back to the person complimenting me. Rather than appreciating my accomplishments, I quickly move on wondering “what’s next?”

I struggle with the feeling of inadequacy, not doing enough, or the need to do even more. And after reaching out to others, I learn that this feeling of imposter syndrome is all too prevalent in the lives of others working in tech.

From their stories, I learned that there are many ways one can experience imposter syndrome. And just as everyone has different experiences, their approaches toward imposter syndrome are equally as personal and unique.

In this blog, I’d like to share with you two different approaches I have learned through the stories of Nick Zolfo and Subha Madaka. The first account describes Nick's introspective approach, and the second Subha's collective approach.

The first step in combatting imposter syndrome? Acknowledgement

“It’s a self-love thing. My inability to self-love bled into me not acknowledging the great things I was doing and own them… that they came from me,” Nick Zolfo, design thinking coach at Cisco Secure, explains.

For Nick, his struggles are rooted in his core life experiences. It’s an issue that he believes to be deeply grounded in who he is and will always be there. To combat this, Nick makes the commitment to bettering himself.

“To know what you want and to go after that, is the greatest thing that I have done for myself and can offer up to other people. That is the crucial point I had to say for myself. I spent too long not doing something but was aware. I was upset that nothing was changing. Recognize, you are the one that needs to take control.”

Nick brought up a key point: I have to care enough about myself to advocate for what I want. This is the baseline. You must care about your own well-being for any change. Care about yourself and take action.

“It’s always worth exploring what imposter syndrome means to you. Identify what is tactile. Identify what are the inputs.”

For Nick, meditation helped him explore his space. Taking a moment to pause and reflect to identify the cause before tackling the problem is one strategy in identifying where to begin. But maybe you need a little more help in navigating those complex thoughts and feelings.

Remember, we are in this together

First, I must make a correction, and I encourage you to do the same. Instead of saying “imposter syndrome,” let’s call it an imposter phenomenon.

Subha Madaka’s story began when she first started her career as a software engineer.

“When I was growing up in India, the traditional path for girls was always to get a certain level of education and either get married or find a job. I had wanted to come to the United States to do a master’s.”

Subha Madaka is grateful for her loving family and supportive parents. But her bold decision to move to a new country and begin an untraditional path on her own was a daunting life decision that led her to question herself.

“There are days when I ask myself ‘am I where I need to be today’ or ‘do I deserve to be here?’ But I look back to the decision that I made and believe in the people who trusted in me. I believe in them enough to say ‘yes.’”

But working in America wasn’t always so easy. Coming from a traditional background, Subha was shy and introverted. The imposter phenomenon became more of an occurrence in her life as she went from an engineer to a manager. Lacking the experience and mentoring network, Subha would often question her management abilities.

“At Duo, I work with a really great group of people. It’s like everywhere you turn you meet somebody who you are going to look at and be in awe. And you wonder, ‘how can I be like that,’” she says. “It’s a good problem to have but many times it brings up thoughts like, ‘oh my gosh, there’s so much I need to learn. Do I really belong here?’”

It’s a common sentiment I hear in tech, and one I strongly felt when I started my internship as well.

“What can we do about this?” I ask.

“Invest time in building relationships at the beginning of your time here at Duo as those relationships will serve as the foundation,” Subha responds. “It’s not one of those things where you can find a great way to overcome. Instead, it’s about finding the tools to prop each other up and acknowledging its existence.”

That’s one thing I came to love about working here at Duo. In short, Duo encourages an authentic and collaborative culture where you know you can be supported. We are a community that values psychological safety. We are a community you can rely on when you have challenges. Product designer Sierre Wolfkostin writes about this when she explores Duo’s recipe for great culture.

We are all in this together so let’s ask ourselves, “how can we build each other up?”

Your own story

While Nick and Subha’s experiences are different from my own, it was relieving to hear that there were people I could reach out to and have this sensitive conversation with. And for me, having those conversations helps tremendously in embracing my imposter phenomenon.

As my internship comes to an end, I can say more confidently than before that this is the place for me. Duo Security was my first tech job and corporate experience. I had felt that there was so much I did not know and, likewise, so much I needed to learn to be on par with everyone. I was afraid of making mistakes because I wanted to prove that I wasn’t a hiring mistake.

But I took Nick Zolfo’s advice. I began with acknowledging that yes, I am going through an imposter phenomenon. And because I care enough about myself, I wanted to make a change starting with recognizing that I am deserving of good things.

I also took Subha Madaka’s advice. I wanted to build personal connections with others and have the conversation to better understand the imposter phenomenon within the team.

Due to the word count, I am unable to share their stories, but I’d like to thank Milly Yeh, Chisulo Mukabe, Camille Kapoor, Alice Shih, and everyone who has opened up to me with their stories of what the imposter phenomenon is to them. By opening up to my team, I not only received the support I never knew I needed, but also grew more confident in my work.

There’s a lot to talk about and learn from. And for the time being, I will commit to bettering myself – reminding myself and others in awkward times of compliments to think...

Yes, I can be amazing. Thank you.