The Duo Blog: Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and the security health of their devices before they connect to the apps you want them to access. Contact: info@duosecurity.com (Amy Vazquez). Copyright 2023.

Duo Single Sign-On (SSO) Support for OpenID Connect Soon in GA, Enabling More Secure Access
Seema Kathuria (skathuria@duo.com) and Colin Medfisch (cmedfisch@duo.com) | Product & Engineering
https://duo.com/blog/duo-sso-support-openid-connect-in-ga-enabling-secure-access

At Duo Security, we’re on a mission to secure user access to applications while lightening the load on IT teams. So today, we are announcing that Duo Single Sign-On (SSO) support for OpenID Connect is going to be generally available, so that organizations that require users to use these applications can seamlessly and securely do so.

OIDC support is currently in public preview. Once it reaches general availability this spring, we will support three grant types, OIDC Authorization Code, OAuth 2.0 Client Credentials, and Authorization Code with PKCE, and will add more over time. You can also expect to see more out-of-the-box SAML 2.0 application integrations and on-demand, self-service password resets.

Configure SSO for OpenID Connect (OIDC) applications for seamless, secure access

As cloud and mobile applications become commonplace in the workplace, validating the identity of users trying to access those apps is critically important. Many of the applications organizations use today have been developed against the Security Assertion Markup Language (SAML) 2.0 authentication standard, but OpenID Connect (OIDC) is also becoming popular because it is well suited to mobile apps and single-page web apps.

Some of the applications we’ve seen customers protect so far include:

  • AWS Verified Access

  • Epic’s Haiku, Canto, and Rover mobile apps

  • Grafana

  • IBM Spectrum Virtualize

  • IFS Cloud Datto

  • Salesforce

  • Datto

  • Autotask

“It is great to see the Duo Single Sign-On product mature over just a short period of time to meet Enterprise-scale deployments,” says Sarabjeet Rana, Enterprise Security Architect, Cisco. “Our team started rolling out cloud-based Duo Single Sign-On in 2021 and so far, we have over 1,000 application integrations in Production. We are migrating about 3,000 applications from our legacy IAM solution to this modern Duo SSO platform enabling our users to enjoy Passwordless authentication and Zero Trust borderless access to the applications.”


“We are also very excited to use the Duo SSO OpenID Connect capability which allows us to secure more applications on modern Duo SSO along with existing SAML 2.0 support,” Sarabjeet continues. “The simple and intuitive UI allows us to modernize web apps within a few minutes. Plus, the Passwordless future is upon us and Duo SSO capabilities have brought us closer to realizing that future.”

Easily configure SAML 2.0 applications that your users depend on

IT teams continue to tell us that they want to easily onboard applications to Duo SSO. Hence, we are extending the library of applications available out-of-the-box. We have added SSO connectors for the following enterprise cloud applications, with more coming soon:

  • Cisco Meraki Secure Client

  • Cisco Umbrella End User Logins

  • BambooHR

  • Datadog

  • Freshdesk

  • ServiceNow

  • Splunk

  • Sumo Logic

Enable users to reset expired Active Directory passwords to lighten the burden on IT teams

Expand protection with Duo SSO, now supporting OpenID Connect

Enable your users to access apps securely and help IT teams save time and money with Duo SSO. Sign up for a free 30-day trial today.

And while you’re at it, check out some of the other updates we’re making at Cisco Secure.

How to Become a Site Reliability Engineer: Never Stop Growing
Mary Kate (mkschmermund@duo.com) | Industry News
https://duo.com/blog/how-to-become-site-reliability-engineer-never-stop-growing

For Site Reliability Engineering (SRE) Manager Stacey Young, a passion for engineering sprouted early in life. With the support of a teacher who recognized Young’s promise, she’s paved her own path as an engineer and leader. Young’s commitment to empowering her team to grow while appreciating a workplace in which she can bring her full, authentic self to work matters most.

If you also value having your voice heard, learning, and collaboration, check out our open positions.

How did you become a site reliability engineer?

When did you first develop a passion for engineering?

Stacey Young: I’ve always liked mechanical things, putting things together, taking them apart. Seeing how things worked has always, always, always intrigued me. My sixth-grade teacher, Patricia Glorfield, decided that I was going to be her student before I got to sixth grade. I believe she was a chemist, then a science teacher turned elementary school teacher. She looked for kids like me who were interested in the sciences in any way, and she pushed us to hone our skills, to learn new things, to dive into things that were a little different.

I was very mechanically minded, and she pushed that in me. We did science fairs and lots of projects above and beyond regular schoolwork. She pushed me to do things that were different for me and different for someone like me in my community.

It was a blast and I never got away from it. I never forgot her, and I don’t think I ever will. That was a big turning point in my life when the things that I liked made sense to someone other than me.

What brought you to Duo and Cisco Secure, and how have you found working here?

Stacey Young: In my technical career it’s always been fun to see how things worked, figure out how I can make them better and see how I can automate. I’m trained in databases and have mostly been a Linux/Unix system admin.


Coming in, the interview process was pretty awesome, and I never thought that that was a thing. I interviewed with several different engineering managers and a couple of directors, but I’d never been through an interview process like that. It was honest. I felt like what I should be showing was my whole self, my real self, not something contrived for this interview. That made my introduction to the company awesome.

What are your goals and what lights you up about your work?

Stacey Young: My goals and what I love about my work go hand in hand. I see myself in general as a helper, someone who can help or who would at least like to help others achieve their goals. That applies both up through my management structure and down through to my direct reports — I want to help.

I want to help my direct reports become the best versions of themselves. I want to help them achieve the goals that they have for themselves, whether that is talking about barbecuing a steak or setting up your desk at home. We talk about, "Hey, what classes would be relevant to the things that you want to learn, and how can they help you with work?"

I don’t see it as everything is work, work, work. We’re whole people and we have to address our whole selves. Any of the people that work with me know that a lot of my references are about my six grandkids. Their personalities literally span the spectrum so it’s easy to use that in talking about things that we do.

What makes good company culture?

What makes working on this team, at this company, and doing this work different from other places you’ve worked?

Stacey Young: One of the things that I’ve learned is that I as an individual can absolutely affect change. How I handle the changes that come to me, how I portray them to my team and how we go about addressing them are all things that can be changed by a single person. I’ve also learned how to push changes that we wanted to see.


I can see the individuals on my team growing. I can see myself and my peers growing, too, which is why it’s so exciting to be here. I can see that the ideas that I have and the discussions that I have with my peers, with my leadership, are making a difference. And not just on my team, but above as well; I never imagined that it would be as simple as having conversations. I didn’t think that I would be allowed to have a voice like this at this point in my career and this quickly after coming on board here.

What qualities do you look for when hiring for your team?

Stacey Young: A willingness to learn and to grow is imperative. You can’t move forward without it. You’re going to have some stumbling blocks and we all know that growth is two steps forward, one step back. And so knowing that, yeah, I’m going to stumble, I’m going to fall, I’m going to make mistakes, I’m going to misstep. I’m probably going to say some things that are plain and simply wrong or just taken wrong.

But I can learn. There’s no time where I can’t learn. I like the adage, “I never lose.” I'm either winning or growing and learning, but I don’t lose. If I can learn, if I can grow, then whatever mishap or mistake that I had or made, it’s just a growth opportunity. It’s just helping me to get better. So far, it’s working.

What advice do you have for people who want to enter this field?

Stacey Young: If we can keep an open mind about things that are different from us, different to what we’ve learned in the past, different to what we've experienced so far, we’ll go a lot farther. We will achieve things that we never imagined.


I’m like any other person. I’m an onion with tons and tons and tons of layers. I like keeping labels off of things as much as possible, because labels push us to close our minds. I don't like feeling boxed into a label. I can only do this thing or I’m an SRE manager. No, not really. I’m a manager in the SRE space, but I don’t like to limit myself to anything that’s going to exclude me from something else that might be really cool.

Interested in joining the Cisco team?

If you share a passion for innovating collaboratively, visit our open roles.

ACTION REQUIRED: Upgrade to Universal Prompt Now for Better Protection & User Experience
Matthew Brooks (matbroo2@cisco.com) | Product & Engineering
https://duo.com/blog/upgrade-to-universal-prompt-for-better-protection-user-experience

Last year, Duo Security announced the General Availability of the Duo Universal Prompt and many customers have happily upgraded to it from the Duo Traditional Prompt. For our customers who have not yet migrated, we would like you to be aware of a few key reasons that ONLY Universal Prompt provides Duo customers with better protection and improved user experience!

What is Duo Universal Prompt?

The Universal Prompt is Duo's next-generation authentication experience that delivers an easier, more secure, and more accessible authentication for every user. Universal Prompt is Duo's answer to modern security based on zero-trust principles. The Universal Prompt is inherently more secure, as it has updated web-based technology and allows for features that provide "step-up security" such as Verified Duo Push, silent push, Risk-Based Authentication, passwordless, and more.

Upgrading to Universal Prompts helps organizations:

  • Modernize authentication – Universal Prompt paves the way for customers to modernize their infrastructure and benefit from the latest technologies. For example, updating corporate applications to use SAML (Security Assertion Markup Language) and WebAuthn (the Web Authentication API) for authentication mitigates vulnerabilities posed by legacy protocols (RADIUS, LDAP) and weak authentication factors like one-time passcodes. This also helps organizations get started on a journey towards a passwordless future.

  • Simplify secure access – The move to modernizing and strengthening your IT security infrastructure can be disruptive for end users, but Universal Prompt minimizes user friction with a simple authentication experience and intuitive web-based design.

  • Strengthen security – Bad actors continue to develop more sophisticated means of social engineering attacks to bypass security controls. Universal Prompt minimizes the risks those attacks pose by enabling Duo customers to implement advanced security measures.

A few key reasons Duo Universal Prompt strengthens security

Our Self-Service Portal, Verified Duo Push, and Risk-Based Authentication functionality is ONLY available using the Duo Universal Prompt. We will also continue to rapidly deliver new functionality built specifically on the Universal Prompt.

  1. Verified Duo Push – Asking users to verify push requests and using number matching mitigates the risk of push harassment and MFA fatigue attacks.

  2. Self Service Portal – Admins can securely enable the new Duo-hosted self-service portal and require strong authentication while empowering users to self-enroll and manage their authentication devices.

  3. Risk-Based Authentication – Reduce user friction and improve security by analyzing risk signals and automatically stepping up authentication only when necessary.

The benefits of Verified Duo Push

Verified Duo Push makes MFA more secure by mitigating the risk of push harassment and MFA fatigue attacks, because it requires additional input to complete authentication. In these popular attacks, bad actors holding stolen credentials to an app or service repeatedly submit push verification requests until the confused and weary user unintentionally accepts one, thinking it was for a session renewal or something similar.

The new verification step included in Verified Duo Push, known generically as number matching, asks the user to enter a set of numbers displayed on their “authentication device” into the authentication prompt on their “access device” in addition to accepting the push. By doing so, the user is protected against inadvertently accepting a fraudulent push request with minimal additional friction. Admins can configure the length of the match code required, from 3 to 6 digits, based on their security posture.

For more implementation information see Verified Duo Push documentation.

The benefits of Duo Self-Service Portal

The new cloud-hosted Self-Service Portal provides an optimal way for end users to manage their devices and complete enrollment. Users can add, edit, and remove secure authentication methods from the Universal Prompt while logging into protected applications.

After passing primary authentication, the “Manage Devices” option is shown at the bottom of the current authenticator list. Duo authentication with a previously added authentication method is needed to gain access.

Users can rename or remove existing devices with the “Edit” options, or use “Add a device” to register another authentication device.

The benefits of Duo Risk-Based Authentication

Duo Risk-Based Authentication dynamically challenges users with stronger authentication methods based on risk signals. It complements Verified Duo Push well, as Verified Duo Push is one of those strong authentication methods Risk-Based Authentication uses when it’s deemed necessary based on a risk signal.

Those signals include:

  • Device trust, including whether key systems are up to date

  • Location, like access from a prohibited country

  • Known attack patterns, such as suspicious activity with unusual patterns like repeated failures that can indicate attacks

  • Wi-Fi fingerprint, which detects when a user roams to another network

Security needs to be easy for users, otherwise they will resist it. Duo Risk-Based Authentication effectively manages trust by presenting users with the right authentication method at the right time for the right risk.

For more implementation information see Risk-Based Authentication documentation.

How can you upgrade your environment to the new Universal Prompt?

Most on-premises applications require administrators to install a software update with the necessary changes to support the Universal Prompt on their web application servers. This software update may be supplied by Duo or by our technology partners, depending on who developed the integration. Cloud-hosted software-as-a-service (SaaS) may require limited account changes.

For more implementation information see Universal Prompt update guide.

Get to know Duo Universal Prompt

Now is a great time to upgrade from Duo Traditional Prompt to Duo Universal Prompt. Your users will have a better experience behind a better, more efficient design, along with a variety of experience-focused features. Also, admins will be able to better protect their environments with the rich set of security functionality that Universal Prompt enables.

Why is Action Required? Effective March 30, 2024, Duo will no longer support the traditional Duo Prompt! Get your plans started ASAP to benefit from the new functionality only available with Duo Universal Prompt!

For more information on Duo Universal Prompt, see how it may be used in the Duo Guide to Two-Factor Authentication, or for specifics on its implementation check out the Duo Universal Prompt Update Guide.

Weak Cipher, TLS 1.0, and TLS 1.1 Deprecation with Duo MFA
David Luk (daluk@cisco.com) | Industry News
https://duo.com/blog/weak-cipher-tls-1-0-1-1-deprecation-with-duo-mfa

TLS 1.0 and 1.1 were deprecated in March 2021 by IETF RFC 8996. Today, the baseline TLS version used by most enterprises and businesses is 1.2. Many organizations, particularly those in highly regulated verticals and government agencies, also have to meet their respective compliance requirements. These requirements – like HIPAA, PCI-DSS, etc. – mandate TLS 1.2 as the minimum version to meet the latest security standards. The consequences of not meeting compliance requirements could be huge, ranging from hefty fines to significant legal consequences.

There are also real security risks in using TLS 1.0 or 1.1 in any IT infrastructure or solution. Well-known attacks like BEAST (Browser Exploit Against SSL/TLS), POODLE (Padding Oracle On Downgraded Legacy Encryption), etc. target insecure TLS versions, increasing organizational risk of exposing both their own and their users’ valuable data and potentially incurring major financial penalties and legal liabilities. The ever-evolving threat landscape also means new cyberattacks will continue to emerge against any businesses that are not moving forward with secure technologies like TLS 1.2 or 1.3.

Even with TLS 1.2, it has been proven that the use of weaker ciphers has exposed unnecessary vulnerabilities to hackers (see FREAK).

To protect Duo Security customers and users from violating compliance and to properly protect their data, we are deprecating these insecure technologies from our solution offerings in 2023.

Duo is here to help you

For customers starting their zero-trust network access (ZTNA) journey with Duo multi-factor authentication (MFA), TLS 1.0 and 1.1 and some generally weak ciphers will no longer be supported by the end of January 2023.

For existing customers, Duo will remove support for TLS 1.0 and 1.1 and weak ciphers for those using our MFA solution starting June 30, 2023*. Any MFA client code – whether it is 3rd party applications, custom installers, Windows Login/Mac Login integrations, etc. – that has embedded Duo code will be updated to use TLS 1.2 or 1.3.

Weak ciphers (e.g. those using Cipher Block Chaining or CBC) that previously were available to encrypt the TLS 1.2 traffic will also be deprecated, ensuring that only industry-recognized strong ciphers can be used.
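To check a client or server configuration against the policy described in this post (TLS 1.2 or 1.3 only, no CBC-mode or otherwise weak cipher suites), here is an added Python example; it is not Duo's code, and the cipher-suite names and the OpenSSL cipher string it uses are chosen for the example.

```python
import ssl

# Policy from the post: TLS 1.2 or 1.3 only, and no CBC-mode (or otherwise
# weak) cipher suites. Suite names may be spelled the IANA way
# ("TLS_RSA_WITH_AES_128_CBC_SHA") or the OpenSSL way
# ("ECDHE-RSA-AES256-GCM-SHA384"); both are handled below.
WEAK_MARKERS = {
    "CBC": "CBC mode (padding-oracle attacks such as POODLE)",
    "RC4": "RC4 stream cipher",
    "3DES": "Triple DES",
    "DES": "DES",
    "NULL": "no encryption",
    "EXPORT": "export-grade key sizes (FREAK)",
    "MD5": "MD5 MAC",
}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")

# Constructed sample of suites an older client might still offer.
SAMPLE_LEGACY_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_AES_128_GCM_SHA256",
]


def classify_cipher_suite(name: str):
    """Return (verdict, reason) for one cipher-suite name.

    IANA names spell out the mode ("..._CBC_SHA"); OpenSSL names omit it,
    so a non-AEAD OpenSSL name (no GCM/CCM/CHACHA20) is treated as CBC.
    """
    tokens = name.upper().replace("-", "_").split("_")
    for marker, reason in WEAK_MARKERS.items():
        if marker in tokens:
            return "weak", reason
    if not any(m in tokens for m in AEAD_MARKERS):
        return "weak", "non-AEAD suite (CBC in OpenSSL naming)"
    return "strong", "AEAD suite"


def audit_cipher_suites(names):
    """Return the (name, reason) pairs the policy rejects."""
    rejected = []
    for n in names:
        verdict, reason = classify_cipher_suite(n)
        if verdict == "weak":
            rejected.append((n, reason))
    return rejected


def tls_version_allowed(version: str) -> bool:
    """True only for versions that remain supported after the deprecation."""
    return version in ("TLSv1.2", "TLSv1.3")


def make_policy_client_context() -> ssl.SSLContext:
    """Client context that can only negotiate TLS 1.2/1.3 with AEAD suites.

    The cipher string uses OpenSSL keywords (ECDHE, DHE, AESGCM, CHACHA20,
    aNULL, MD5). TLS 1.3 suites are AEAD-only and are not affected by it.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def context_violations(ctx: ssl.SSLContext):
    """List (name, reason) pairs for anything the context still allows that
    the policy forbids; an empty list means the context is compliant."""
    enabled = [c["name"] for c in ctx.get_ciphers()]
    problems = audit_cipher_suites(enabled)
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(("minimum_version", "TLS 1.0/1.1 still enabled"))
    return problems


if __name__ == "__main__":
    for suite, why in audit_cipher_suites(SAMPLE_LEGACY_SUITES):
        print(f"reject {suite}: {why}")
    print("policy context violations:",
          context_violations(make_policy_client_context()))
```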

What action do you need to take?

At this time, there is no immediate action required by customers due to this TLS 1.0 and 1.1 deprecation. Duo will send out direct customer communication to describe the exact transition path in the first half of 2023. Please follow our instructions in these communications and plan for the migration as soon as possible, as you may otherwise experience service disruption after June 30, 2023.

We also understand that there will be situations where legacy systems may not be able to upgrade to higher TLS versions in the near future. We are providing a feedback form and will continue to work with you to ensure that there will be a viable solution moving forward.



*NOTE: Many Duo solutions (e.g. SSO) already only support TLS 1.2 and above today. The deprecation of TLS 1.0/1.1 from the MFA path will mean that all Duo solutions will support TLS 1.2 or 1.3 only.

Announcing General Availability of Server Message Block Protocol Support for Duo Network Gateway
Matthew Brooks (matbroo2@cisco.com) | Product & Engineering
https://duo.com/blog/announcing-ga-smb-support-for-duo-network-gateway

Last year, Duo announced the General Availability of Remote Desktop Protocol (RDP) for the Duo Network Gateway (DNG), and today we are happy to share that we’ve now extended transmission control protocol (TCP) support to the Server Message Block (SMB) protocol. This capability is generally available for Duo Beyond customers.

This means that the DNG now enables users to access on-premises shares, without requiring a full VPN connection.

What is Duo Network Gateway?

For those unfamiliar with DNG, it is a remote access proxy security solution that enables organizations to provide zero-trust remote access to a broad variety of applications hosted on premises. It includes support for web applications over HTTP or HTTPS, remote desktops over RDP, Secure Shell (SSH) servers, and now file sharing over Server Message Block (SMB). It also eliminates the need for a full VPN and avoids exposing those applications directly to the internet.

DNG is part of the Duo Beyond edition and includes many other capabilities to protect customer environments based on zero trust principles. It begins with a device posture check by verifying the health of key operating system services. Then it verifies user identity with advanced multi-factor authentication (MFA). It continues monitoring trust and logging potential anomalies with machine-learning (ML) driven trust monitoring.

Why do I need DNG?

The SMB protocol is a network file sharing protocol integrated into Microsoft Windows operating systems. SMB is an application layer protocol that is transported over TCP/IP. Domain-joined clients on the corporate network that have established trust can connect seamlessly to shares on Windows servers using SMB. Untrusted remote users need a secure way to traverse the internet and corporate firewalls to establish trust and gain access.

How does DNG for SMB work?

1.  On the Client: The user selects the Network Drive (for example, Windows Explorer)

2.  On the Client: The Duo Connect Plugin intercepts the call and resolves the network domain name (for example, smb://SMBsharename.company.com/shared/Files)

3.  The company CNAME record directs “SMBsharename” to a DNG-hosted FQDN (for example, dngxyz.duo.com)

4.  DNG returns a “Carrier” public IP address

5.  On the Client: The Duo Connect Plugin sets up a secure TLS tunnel to the DNG

6.  On the Client: The Duo Connect Plugin passes an SMB file request to DNG

7.  DNG proxies the request for username and password, then initiates authentication with Duo SSO or other supported Security Assertion Markup Language (SAML) providers

8.  Duo Cloud validates the user and responds with a SAML assertion

9.  DNG resolves the server on the company network and relays the client’s SMB commands

10. On the Client: The user is presented with the file (or pertinent SMB file operation output)

Who is using DNG?

Duo Network Gateway has already helped hundreds of organizations across multiple industries, including technology and IT services, education, finance, and healthcare. It offers their workforces consistent and secure access to corporate resources from any device and location, and customers are already benefiting from adopting this solution.

“If you want to get rid of the VPN management burden, use the Duo Network Gateway to give access to your web and desktop applications. Users – and their access – are managed in the Duo Admin platform. No more firewall, no more AAA or whatsoever complicated thing. Once you go for DNG, you never go back.” – Antony Gallez, Operations Manager at Cameo Global, a New Era Technology Company

Where is DNG going?

Try Duo for Free

With our free 30-day trial, see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.

New Duo Feature Guide: Strengthening Your Multi-Factor Authentication
Jennifer Golden (jgolden@duo.com) | Product & Engineering
https://duo.com/blog/new-duo-feature-guide-strengthening-your-multi-factor-authentication

Multi-Factor Authentication (MFA) is a security tool used by various organizations to protect user credentials, or the username and password. MFA has been recommended, or required, by governments and has grown in popularity as a measure to quickly add a layer of security, especially if credentials are compromised as part of a phishing attack.

However, MFA has been in the news recently as attackers are finding new and creative ways to get around it. On the one hand, this means that MFA is such a common practice that attackers have had to get creative. On the other hand, it means that simply enabling MFA is not enough and organizations must follow secure MFA practices. Some examples of these attacks include one-time-passcodes intercepted by bad actors (MITRE ID T1111), adversaries registering a fraudulent device to a trusted account (MITRE ID T1098.005), or push phishing attacks that rely on a trusted user to grant access to an attacker (MITRE ID T1621).

What can organizations do?

There are best practices organizations should follow in order to make sure that MFA in their environment is secure against these new threats. As a first step, organizations need to modernize their authentication, moving away from RADIUS or LDAP protocols and moving towards SAML. Additionally, it is important to adopt FIDO2 compliant authentication, such as passwordless or security keys, wherever possible.

For Duo customers, we also recommend moving all authentications to the new Universal Prompt. The Universal Prompt unlocks important security measures that Duo is releasing to strengthen organizations against the new threat landscape. 

New secure features

In addition to Duo’s new broader solutions, like Passwordless and Risk-Based Authentication, Duo has released a number of additional features that organizations can deploy today to better protect their users. These include the following updates:

  • Self-Service Portal: Step up authentication requirements for users when they are enrolling new devices

  • API for User Activity Logs: Stay on top of user device enrollment threats through Duo’s API solution

  • Enrollment Threat Detection: Use machine-learning to surface new enrollment threats that need the security team’s attention

  • Verified Duo Push: Require users to enter a code in the Duo mobile application to better protect against push phishing attacks

  • Policy Defaults: Duo has established new policy defaults based on research that enhance organizations’ secure access without adding unnecessary friction.

How to get started

For all new Duo customers, the Liftoff Guide walks through best practices of how to deploy and manage Duo. To highlight the newly available features, Duo has added the companion guide, New Duo Feature Guide: Strengthening Your MFA. This guide can walk customers through these new features and how to deploy and manage them.

Not a Duo customer but interested in trying out these features? Sign up for a free trial today to get started.

The Life and Death of Passwords: Computing Era
Chrysta Cherrie (ccherrie@duo.com) | Industry News
https://duo.com/blog/life-death-passwords-computing-era

Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With its release, we’re taking a trip through time, from digging into the early days of passwords to imagining the passwordless potential that lies ahead.

Today: The arms race between code makers and code breakers ushers in the computing era, digital passwords are introduced (and quickly broken), and encryption fixes the security loophole of storing passwords in plaintext.


It wouldn’t be long after WWII when the burgeoning development of computer systems grew large enough that MIT had to solve a new problem: With limited computing power available and more researchers needing access than the system could handle at once, how could they divvy up a schedule that allowed all users a guaranteed window of access? This culminated in the Compatible Time-Sharing System (or just CTSS), a researcher access scheduling system which assigned each user a unique password and limited the number of accounts that could access the system at once.

But, as can often happen when security for users conflicts with what users need to get done, this new system didn’t function as intended for very long. Almost as soon as it was implemented, researchers began to swap passwords to share their access windows. Before long, one researcher discovered that all passwords were stored in plaintext on the mainframe, giving them a master key for unlimited access.

Over the following decades, further refinements were added to try and shore up the effectiveness of password security. Pioneering researchers Ken Thompson and Robert Morris fixed the security loophole presented by storing passwords in plaintext with the introduction of “hashing.” This used an algorithm to scramble the password into what looked like random characters, but which could be decrypted by the system when needed and checked against what a user entered. You can think of the hashing algorithm here much like the Caesar and Vigenère ciphers we just talked about: if the encryption works as intended, only the system with the set of rules used to encode the secret password should be able to decrypt it.

But just like many codes and ciphers fell flat in the face of frequency analysis, anything that can be predictably hidden can eventually be predictably found. And similarly to how null or dummy characters would be added to an encoded message to throw off prying eyes, Thompson and Morris improved their method with “salting”, which would add these padded characters to an encrypted password. Cracking passwords now required someone looking to reverse it to have both the algorithm AND salting pattern used.
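The modern form of the idea described above, a per-user random salt combined with a slow key-derivation function (PBKDF2 here, rather than the original Unix crypt scheme), as an added Python example that is not from the documentary or from Duo; the user names, passwords and common-password list are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample users; two share a weak password on purpose.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "password123",
    "carol": "correct horse battery",
}

# Constructed stand-in for a list of the most common passwords.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty"]

ROUNDS = 100_000  # PBKDF2 iterations: deliberately slow to hash


def plain_hash(password: str) -> str:
    """Unsalted hash: the same password always yields the same digest,
    so equal passwords are visible in the store and a table of digests
    of common passwords can be precomputed once and reused everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None,
                  rounds: int = ROUNDS) -> Tuple[str, str]:
    """Return (salt_hex, digest_hex). The salt is random per user and is
    stored beside the digest; it is not secret, its job is to make every
    record unique so no precomputed table applies."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex(), digest.hex()


def verify(password: str, record: Tuple[str, str],
           rounds: int = ROUNDS) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = record
    _, candidate = salted_record(password, bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(candidate, digest_hex)


def common_password_table(common: List[str]) -> Dict[str, str]:
    """Unsalted digests of common passwords, keyed by digest."""
    return {plain_hash(p): p for p in common}


def exposed_unsalted(store: Dict[str, str], table: Dict[str, str]):
    """Users whose stored unsalted digest appears in the table."""
    return {u: table[d] for u, d in store.items() if d in table}


def exposed_salted(store: Dict[str, Tuple[str, str]], table: Dict[str, str]):
    """Same lookup against salted records: the table was built without each
    user's salt, so it never matches even for the weakest password."""
    return {u: table[d] for u, (_, d) in store.items() if d in table}


def demo() -> dict:
    table = common_password_table(COMMON_PASSWORDS)
    plain_store = {u: plain_hash(p) for u, p in SAMPLE_USERS.items()}
    salted_store = {u: salted_record(p) for u, p in SAMPLE_USERS.items()}
    return {
        "unsalted_collision": plain_store["alice"] == plain_store["bob"],
        "salted_collision": salted_store["alice"][1] == salted_store["bob"][1],
        "unsalted_hits": sorted(exposed_unsalted(plain_store, table)),
        "salted_hits": sorted(exposed_salted(salted_store, table)),
        "verify_ok": verify("password123", salted_store["alice"]),
        "verify_wrong": verify("password124", salted_store["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```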

Despite the dawning awareness among the population at large to the idea of computer security through pop culture media like the “WarGames” film series, through much of the ’80s the techniques of password security appeared to have outpaced most techniques for compromising them. While computing power grew by leaps and bounds, the time required and number-crunching necessary to crack most passwords could measure into decades, even centuries long.

That changed in 1988, when what many consider the first computer virus to spread through the internet appeared in the form of the Morris Worm. In a twist worthy of Shakespeare, security pioneer Robert Morris’ own son, Cornell University graduate student Robert Morris Jr., developed the worm as a research project. But thanks to a minor quirk in coding, this project spread much further and did far more damage than he intended, knocking 6,000 networked systems around the world offline. The novelty and dramatic family aspect of the story grabbed the public’s attention, and the younger Morris became the first person charged under the Computer Fraud and Abuse Act passed five years earlier. What made the Morris Worm so sophisticated was its combined methods of using a “dictionary attack” of the then-most common 900 passwords, along with a method that tried to search out a system’s password file to crack it if that didn’t work.

Before the Morris Worm, the general attitude towards computer security was lax. As a tool primarily used by government, academic, and large corporate organizations, most systems were built to allow minimal friction for users that might slow their work. They often relied on standard or default passwords that would allow users to log in regardless of the machine they sat down at. After Morris Jr’s conviction, that attitude quickly changed, and organizations like the Department of Defense began to quickly lock down systems with stronger measures like multi-factor authentication.

The late ’80s and ’90s sped down the road towards ubiquitous computing access, as more and more homes brought home powerful desktop PCs that would have cost thousands of dollars just a few years before. The introduction of home internet services like Prodigy, CompuServe, and America Online saw the profile of the average computer user expand from employees and researchers to… well, just about anybody.

With that seismic change, the security passwords provide and the encryption keeping those secrets safe went from important to vital:

See the video at the blog post.

Hearing all this, you might think that most password hacks look like they do in the media: a shadowy figure frantically types away while complex code scrolls past, as their nefarious software cracks someone’s password one character at a time.

But the truth is much more mundane, though no less concerning. In the last couple of decades, the biggest drivers of breached accounts have been either the theft of user passwords through phishing and malware attacks, or the discovery of re-used credentials in the growing number of “password dumps” where MASSIVE quantities of previously-stolen passwords are bundled and shared with other attackers. Because most users repeat the same password for multiple accounts, this can often be as effective as finding an extra copy of someone’s house keys. And when we say “massive”, we mean it: the largest password dump to date, RockYou2021, included more than 8.4 BILLION passwords, which means there was more than one password for every human being on earth in this single release.
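The salted-hash scheme described earlier in this post and the password-dump problem described just above, as an added example that is not part of the original post or Duo's product code. It uses PBKDF2-HMAC-SHA256 from the Python standard library as the hashing algorithm (the post does not name one; this is an assumption), stores a random per-user salt beside the digest, and refuses to register any password found in a tiny constructed stand-in for a leaked-password list. Verification re-derives the digest from the candidate password and compares it in constant time; the stored value is never reversed.

```python
"""Salted password hashing plus a breached-password check (added example)."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a password dump; a real deployment would check
# against a far larger corpus, ideally via a privacy-preserving lookup.
BREACHED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}

ITERATIONS = 200_000   # work factor: slows every guess, for attacker and defender alike
SALT_BYTES = 16        # 128-bit random salt per stored password


def is_breached(password: str) -> bool:
    """True if the password appears in the known-dump set."""
    return password in BREACHED_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record of the form 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt is generated unless one is supplied; a caller supplies
    one only to demonstrate that the salt changes the digest.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def register(password: str) -> str:
    """Registration policy: refuse breached passwords, otherwise store a salted hash."""
    if is_breached(password):
        raise ValueError("password appears in a known password dump; choose another")
    return hash_password(password)


def same_password_different_salts(password: str) -> bool:
    """Why salting matters: identical passwords produce different stored digests,
    so a precomputed table of unsalted hashes is useless against them."""
    a = hash_password(password, salt=b"\x00" * SALT_BYTES)
    b = hash_password(password, salt=b"\x01" * SALT_BYTES)
    return a.split("$")[3] != b.split("$")[3]


if __name__ == "__main__":
    record = register("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("verify wrong:", verify_password("Tr0ub4dor&3", record))
    print("salts differ:", same_password_different_salts("hunter2"))
```

The record format (algorithm, iteration count, salt, digest in one string) lets the iteration count be raised later without breaking existing records, since each record carries the parameters needed to verify it.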

That brings us to today, where 2/3 of people in the US have experienced some form of data theft largely driven by compromised passwords, which are a factor in 85% of successful breaches. With numbers this daunting, what’s the good news? Are we doomed, or can we solve these password problems to help keep ourselves and our personal information safe?

To answer that, we’ll check in with our experts.


Next in our series on passwordless history: Our panel of experts share their password-related pain points, from the challenges of remembering and rotating them to unequal access to technology slowing passwordless adoption.

Extend Your BYOD Security Policy and Start Trusting Unmanaged Devices with Duo Device Trust
By Scott Grebe (sgrebe@duo.com). Product & Engineering. https://duo.com/blog/extend-your-byod-security-policy-with-duo-device-trust

Determining the trustworthiness of company-owned devices is usually straightforward: We install a mobile device management (MDM) tool, then implement security policies that allow IT and SecOps teams to protect the device or remotely wipe the endpoint if it’s been compromised. But for organizations with a bring-your-own-device (BYOD) policy, improving security by establishing device trust is more challenging. What if it belongs to a contractor or seasonal worker we’ve hired? Or a partner we’re collaborating with on a project? On top of that, how do we handle our own employees’ personal devices?

In each case, the device needing access is not corporate owned and managed so we may not be allowed to, or the owner may not want us to, install the company’s management software on their device. While the contractor/employee needs access to apps and data on the network, we want that device to be in a healthy and trusted state before it’s granted access to our network. How do we balance providing unmanaged BYOD access with ensuring these endpoints are in a secure, healthy and trusted state?

Health as a component of device trust

For years it was assumed that once the user’s identity was verified, they were considered to be on the “inside.” Anyone on the inside was trusted and had access to everything the network had to offer. Little attention was given to the access device and its health status, however.

Eventually, cybercriminals figured out that if they could install malware on an endpoint there was a chance the infected device would pass undetected once the user’s identity was validated. It was like the early days of airport security where the passenger simply had to show a ticket and ID to pass through security. Once their identity was confirmed, it was assumed any luggage they had wasn’t carrying something illegal.

This “castle-and-moat” model led to some high-profile data breaches that cost the affected companies millions in financial and reputational damage. We now understand that trust in the user is no longer enough. Regardless of whether you’re securing unmanaged BYOD endpoints or company-issued managed devices, it’s essential to account for trust in the device used to access network applications. And a key component of that trust is the health of the device.

Duo device health as trusted

How does device trust help with BYOD security and trust?

Let’s go back for a minute to our contractors, seasonal workers, partners and employees with devices not under our management. While they may balk at installing management software, the Device Health app is a lightweight client app that is much less intrusive and controlling. Users can install the app quickly and easily without needing assistance from IT.

Once installed, the Device Health app collects unique device identifiers during authentication and compares them against a list of known devices stored by Duo. If those device identifiers are recognized, it means we trust that device. It’s part of the Duo Trusted Endpoints feature in Duo Beyond, which secures your sensitive applications by ensuring that only known devices can access Duo-protected services.

But here’s where it gets interesting for those non-managed devices. Organizations can use the Device Health app (DHA) to extend trust to them as well.

In her blog, Shilpa Viswambharan discusses how a manual integration feature based on the Device Health app enables IT administrators to manage macOS, Windows and Linux endpoints that are not enrolled in a management system by adding them to their list of trusted devices. This includes contractor-owned, partner and employee personal devices. Once an unmanaged device is added to the list, it’s considered trusted just like devices enrolled in an MDM.

The feature offers other benefits that enable you to trust these devices beyond checking their health posture. For example, administrators can set a trust expiration date, perfect for short-term and seasonal hires. They can add devices individually or in groups using a CSV file. Information can be edited, descriptions can be added and devices can be removed altogether through the Duo Admin panel. Ultimately, administrators can use the Device Health app as a solution to accommodate BYOD in security policies instead of overruling or ignoring users’ aversion to conventional endpoint management software.

Is it time to trust unmanaged devices?

Device trust is a tricky concept. We know our full-time employees, contractors and partners need access to network resources using their devices. We’ve also seen firsthand the importance of establishing the health posture of any device before access is granted. But is it necessary for the device to have an MDM installed to be considered trusted?

Not too long ago we would have said yes. But now with Duo’s manual integration feature for Trusted Endpoints there’s an alternative. You can proclaim any unmanaged device to be trusted by adding it to your organization’s customized list of trusted devices. It’s all up to you.

To learn more about how Duo can help your organization establish trust in unmanaged devices, read “The Essential Guide to Device Trust in the Enterprise.”

3 Best Practices for Improving Mobile Device Security on Your Network
By Derrick Sison (dwakanda@cisco.com). Industry News. https://duo.com/blog/best-practices-for-mobile-device-security

With hybrid and fully remote work becoming more mainstream, more employees than ever are using both personal and corporate mobiles to access company data. This leaves security teams scrambling to implement best practices for mobile device security. Fortunately, Duo makes implementing mobile security policies simple.

In this post, we’ll talk about some impactful policies Duo Access and Beyond organizations can start enforcing today with minimal effort and high value to increase security posture. These policies are geared to protect your organization when access devices don't meet your security needs. We can help block those authentications and provide remediation steps that your users can use to make their devices much more secure before accessing your sensitive applications and data.

1. Require screen lock

Policies Available in: Duo Access and Duo Beyond

One of the more prevalent best practices for securing mobile devices, whether corporate or personal, is to require a screen lock to gain access to the device. However, we continue to see people skip this step, either because they want the ease of use of not entering a screen lock, or because they forget or unknowingly skip the step when setting up their device.

In previous years, we’ve seen research groups like Pew Research Center report that 28% of smartphone owners say they do not use a screen lock or other security features to access their device. In our own findings with a subset dataset, we found that 1 in 3 Android devices don't use passcodes on their lock screens, compared to 1 in 20 on Apple devices. Over the past two years, Duo has found that 5% of users do not have a screen lock enabled and configured on their devices.

The development of more secure protocols and the improved user experience of biometrics and pattern locks are changing things: consumers now have a less intimidating and easier way to set up and use screen locks. Yet in findings from Statista, a research company surveying 1,146 people globally, 1.6% (18 people from this small group) still had no screen lock enabled on their devices.

You can increase your security posture by enabling the Screen Lock check in your Duo policy, which blocks these devices from accessing your applications until the user remediates the device by securing it with a screen lock.

2. Shut out tampered devices

Policies Available in: Duo Access and Duo Beyond

People jailbreak their devices for different reasons, some legitimately for research and development and some with ill intent. Part of a bad actor's goal is to carry out their attack undetected and unidentified, and a jailbroken or rooted device helps them conceal their identity and report false information about the device. Regardless of the reason, once a device is jailbroken the security model of the mobile device OS can no longer be acceptably trusted.

As with screen lock, tampered devices are common among users around the world. It is difficult to determine an exact number of jailbroken devices; however, Pingdom reports a rough estimate that as many as 8.5% of all iOS devices are jailbroken. Jailbreaking iOS is also a popular topic among users: a jailbreak subreddit has 658,000 members who share tips and discussions about their jailbroken devices.

For Android devices, security experts from Verimatrix reported data showing that 36 out of every 1,000 Android devices are rooted globally. That is 3.6% of Android devices rooted, and the figure does not account for other tampering methods such as code and memory tampering.

By enabling the Tampered Devices policy, Duo can verify whether a device is jailbroken or rooted and prevent such devices from accessing your applications. Duo has developed its own detection algorithm to identify jailbroken iOS devices and also uses Google's SafetyNet device attestation to identify tampered-with Android devices.

3. Enable full-disk encryption

Policies Available in: Duo Access and Duo Beyond

Why should you care whether mobile devices are full-disk encrypted, and why should you care if non-encrypted devices are accessing your applications?

Data gets saved onto a device’s hard drive, whether automatically by apps or manually by a user. This means some of your organization's data could be stored on a device's hard drive. Leaving the device unencrypted makes it easy for a bad actor to reach that critical data if the device falls into the wrong hands.

With the growing number of devices being used in organizations, there is now more risk as your critical data becomes more mobile. More mobile devices lead to more security exposures, such as lost or stolen devices that may go unreported. Verizon’s 2022 Data Breach Investigations Report found that 82% of breaches involved the human element and that ransomware increased by 13% – more than in the last 5 years combined.

When a device has full-disk encryption enabled, it automatically encrypts the data on its hard drive into a form that cannot be deciphered without the right authentication key, protecting the data on that device immediately.

By turning on the Full-Disk Encryption check in your policy, you ensure that only devices with full-disk encryption enabled can access your applications, protecting your critical data.
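The two ideas from the posts above, a trusted-device list with per-device expiry (as in the BYOD post's Trusted Endpoints manual integration) and the three mobile posture checks (screen lock, tampered device, full-disk encryption), combined into one access decision. This is an added example and not Duo's implementation; it makes no claim about how Duo evaluates policy internally. The CSV columns, the `DevicePosture` fields and every device record below are constructed sample data, and the remediation messages are illustrative.

```python
"""Device-trust decision: known-device list with expiry plus posture checks (added example)."""
import csv
import io
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed CSV in the shape an administrator might upload:
# identifier, free-text description, optional trust expiry (blank = no expiry).
TRUSTED_DEVICES_CSV = """device_id,description,trust_expires
a1b2c3,Contractor laptop (macOS),2024-03-31
d4e5f6,Partner engineer workstation,
7890ab,Seasonal hire tablet,2023-12-31
"""


@dataclass
class DevicePosture:
    """What a health agent reports about the device at authentication time (constructed)."""
    device_id: str
    screen_lock: bool
    tampered: bool          # jailbroken or rooted
    disk_encrypted: bool


@dataclass
class Policy:
    """Which checks an administrator has switched on."""
    require_screen_lock: bool = True
    block_tampered: bool = True
    require_disk_encryption: bool = True
    require_known_device: bool = False   # Trusted-Endpoints-style allowlist check


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)   # remediation hints shown to the user


def load_trusted_devices(csv_text: str) -> Dict[str, Optional[date]]:
    """Parse the uploaded CSV into {device_id: expiry date or None}."""
    trusted: Dict[str, Optional[date]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        expiry = row["trust_expires"].strip()
        trusted[row["device_id"].strip()] = date.fromisoformat(expiry) if expiry else None
    return trusted


def is_known_device(device_id: str, trusted: Dict[str, Optional[date]], today_iso: str) -> bool:
    """A device is known if it is listed and its trust has not expired on `today_iso`."""
    if device_id not in trusted:
        return False
    expiry = trusted[device_id]
    return expiry is None or date.fromisoformat(today_iso) <= expiry


def evaluate(posture: DevicePosture, policy: Policy,
             trusted: Dict[str, Optional[date]], today_iso: str) -> Decision:
    """Apply every enabled check and collect a remediation reason for each failure.

    All failures are reported at once so the user can fix everything in one pass
    instead of discovering the next problem after each retry.
    """
    reasons: List[str] = []
    if policy.require_known_device and not is_known_device(posture.device_id, trusted, today_iso):
        reasons.append("device is not on the trusted-device list, or its trust has expired; "
                       "ask an administrator to add or renew it")
    if policy.block_tampered and posture.tampered:
        reasons.append("device is jailbroken or rooted; its OS security model cannot be trusted")
    if policy.require_screen_lock and not posture.screen_lock:
        reasons.append("enable a screen lock (PIN, pattern or biometric) and retry")
    if policy.require_disk_encryption and not posture.disk_encrypted:
        reasons.append("enable full-disk encryption in the device settings and retry")
    return Decision(allow=not reasons, reasons=reasons)


if __name__ == "__main__":
    trusted = load_trusted_devices(TRUSTED_DEVICES_CSV)
    policy = Policy(require_known_device=True)
    healthy = DevicePosture("a1b2c3", screen_lock=True, tampered=False, disk_encrypted=True)
    print(evaluate(healthy, policy, trusted, "2024-01-15"))   # allowed
    print(evaluate(healthy, policy, trusted, "2024-04-01"))   # denied: trust expired
    unknown = DevicePosture("ffffff", screen_lock=False, tampered=True, disk_encrypted=False)
    print(evaluate(unknown, policy, trusted, "2024-01-15"))   # denied with three reasons
```

Keeping the allowlist check and the posture checks in one `evaluate` call makes the trust model explicit: a device that is on the list but jailbroken is still denied, and an unlisted device that is otherwise healthy is denied only when the administrator has opted into the known-device requirement.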

More information on best practices for mobile device security

To explore more policies that help protect your users, endpoints, and data even further, please see our Duo Administration Policy & Control guide or read our series.

Duo also provides dashboards that allow customers to monitor the status of mobile devices on their networks.

For interested customers who would like to continue the conversation with a trusted advisor, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.

The Life and Death of Passwords: Pre-Computing History
By Chrysta Cherrie (ccherrie@duo.com). Industry News. https://duo.com/blog/life-death-passwords-pre-computing-history

Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With its release, we’re taking a trip through time, from digging into the early days of passwords to imagining the passwordless potential that lies ahead.

Today: The pre-computing history of passwords — codes and ciphers, the arms race between code makers and code breakers, the Enigma machine, and more.


Today we use passwords to “unlock” access to our most important private information, but even 2,000 years ago people needed a secure way to “lock” and “unlock” secret messages between one another. Although we use more modern methods of encryption for securing information today, understanding at least a tiny bit of how these ancient methods work can help us understand how passwords work today. And we’ve brought an expert along to guide us on this trip through the past.

Simon Singh is the author of “The Code Book,” an international bestseller which takes a deep dive into the history and evolution of secret communication. For starters, we’re going to be using specific terminology that often gets tossed around interchangeably, so we asked Simon to share some working definitions.

“When we talk about secret communication,” Simon explains, “We use words like encryption and encipher and encode, and all of these things are kind of used interchangeably […] a code is where one word is always replaced with a certain symbol, for example, and that’s always the case. One word, one symbol. And encipherment tends to mean that the word is jumbled up and it can be jumbled up in different ways on different occasions." 

For an early example of basic encryption, we go back to Rome during the reign of Julius Caesar, who provided one of the best-known ways of keeping communications secret.

As Simon puts it: “A Caesar cipher is a type of simple substitution cipher, and we don’t just replace the letter A with any old symbol or any old letter, we replace A by shifting it down the alphabet. Now a classic Caesar cipher shifts by three places so A becomes B, C, D, A becomes D. And that’s all you do, you just shift every letter down three places.”

Believe it or not, you can still find examples of Caesar ciphers today. If you ever found a decoder ring in your cereal box as a kid, odds are good that it used this method or a slight variation of it. Of course, early ciphers often had a short shelf life, which is why what once protected the battle plans of Caesar has been relegated to a puzzle for children.

See the video at the blog post.

Vigenère’s cipher was far more complex than Caesar’s cipher, and by adding more randomness and possibilities for each letter’s actual meaning, it’s exponentially harder for a codebreaker to puzzle out what the message means. As a result, Vigenère’s method resisted all attempts to crack it for a very long time.
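The two ciphers described above in working form, as an added example that is not part of the original post or of Simon Singh's book: the shift-by-three Caesar substitution, the keyword-driven Vigenère cipher, and a frequency-analysis step that recovers an unknown Caesar shift by comparing letter counts with typical English frequencies. The English frequency table and the sample sentence are assumptions constructed for the demonstration; the point it makes is why a single fixed substitution falls to frequency analysis while Vigenère's per-position shifts flatten the letter statistics.

```python
"""Caesar and Vigenère ciphers, and frequency analysis of a Caesar shift (added example)."""
from string import ascii_uppercase as ALPHABET

# Approximate relative frequency of each letter A..Z in English text, in percent
# (a commonly quoted table; treated here as an assumption).
ENGLISH_FREQ = [
    8.2, 1.5, 2.8, 4.3, 12.7, 2.2, 2.0, 6.1, 7.0, 0.15, 0.77, 4.0, 2.4,
    6.7, 7.5, 1.9, 0.095, 6.0, 6.3, 9.1, 2.8, 0.98, 2.4, 0.15, 2.0, 0.074,
]

# Constructed sample plaintext, long enough for letter statistics to be meaningful.
SAMPLE_PLAINTEXT = ("IT WAS THE BEST OF TIMES IT WAS THE WORST OF TIMES "
                    "IT WAS THE AGE OF WISDOM IT WAS THE AGE OF FOOLISHNESS")


def caesar(text: str, shift: int) -> str:
    """Shift every letter `shift` places down the alphabet; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Vigenère: each letter is Caesar-shifted by the key letter at its position.

    The same plaintext letter therefore gets different shifts at different
    positions, which is what defeats single-alphabet frequency analysis.
    """
    shifts = [ALPHABET.index(k) for k in key.upper() if k in ALPHABET]
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            s = shifts[i % len(shifts)]
            out.append(ALPHABET[(ALPHABET.index(ch) + (-s if decrypt else s)) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def chi_squared(text: str) -> float:
    """Distance between the letter distribution of `text` and English (lower = closer)."""
    letters = [c for c in text.upper() if c in ALPHABET]
    n = len(letters) or 1
    counts = [letters.count(a) for a in ALPHABET]
    total = 0.0
    for i in range(26):
        expected = n * ENGLISH_FREQ[i] / 100
        total += (counts[i] - expected) ** 2 / expected
    return total


def recover_caesar_shift(ciphertext: str) -> int:
    """Try all 26 shifts and return the one whose decryption looks most like English."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))


if __name__ == "__main__":
    print(caesar("ATTACK AT DAWN", 3))                  # DWWDFN DW GDZQ
    print(vigenere("ATTACK AT DAWN", "LEMON"))          # LXFOPV EF RNHR
    secret = caesar(SAMPLE_PLAINTEXT, 7)
    print("recovered shift:", recover_caesar_shift(secret))
    # The Vigenère ciphertext scores poorly under every single shift,
    # which is why the method resisted this kind of attack for so long.
    poly = vigenere(SAMPLE_PLAINTEXT, "LEMON")
    print("best single-shift score, Caesar:", round(min(chi_squared(caesar(secret, -s)) for s in range(26)), 1))
    print("best single-shift score, Vigenère:", round(min(chi_squared(caesar(poly, -s)) for s in range(26)), 1))
```

The recovery step only needs the ciphertext and a table of expected letter frequencies, which is exactly the "predictably hidden, predictably found" weakness of a fixed substitution; the Vigenère output, by contrast, has no single shift under which its letter counts resemble English.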

"Vigenère invents the Vigenère cipher in the 16th century. […] In the Victorian era, the Vigenère cipher is eventually broken and it was broken by Friedrich Kasiski, or at least that's what we thought. It turns out that it was actually broken a decade earlier by a chap called Charles Babbage who's famous today for being the kind of pioneer of mechanical computing, as well as many other things.” - Simon Singh

Almost 300 years — not a bad record. Babbage’s historic contributions to the development of mechanical computing helped to usher in the beginning of the computing age. And the need for better codes and codebreaking helped bring it even closer, thanks to a historic development known as the Enigma cipher.

See the video at the blog post.

In fact, the number of possible combinations provided by the Enigma machine is so large that even if a persistent codebreaker checked one possibility every minute, it would take longer than the age of the universe to check every possibility.

The Enigma machine proved to be a tipping point in encryption, a culmination of leaps forward in complexity to the point that humans needed mechanical and, later, digital computers to keep track of and compute the complex algorithms involved in making and breaking these new encryption methods.

For our next stop in the rise and fall of passwords, we need to head to college – MIT, to be specific.


Next in our series on passwordless history: the arms race between code makers and code breakers ushers in the computing era, digital passwords are introduced (and quickly broken), and encryption fixes the security loophole of storing passwords in plaintext.

It Started With a Sticker: What Site Reliability Engineering for Duo Looks Like
By Mary Kate (mkschmermund@duo.com). Industry News. https://duo.com/blog/what-site-reliability-engineering-for-duo-looks-like

Blake Ellingham is a site reliability engineering (SRE) manager who has worked on Duo for the past five years. Starting in Austin, Ellingham’s commitment to building connections with managers and colleagues, and to understanding the evolving business needs once Duo was acquired by Cisco, led him to grow engineering teams in London and soon in Sydney.

What prompted Ellingham to pursue a career with Duo and go on these adventures? A sticker. Read on to learn about Ellingham’s journey and what site reliability engineering is like at Cisco. If you’re ready for a new adventure, check out our open roles.

What is site reliability engineering?

In your current role, what are your typical responsibilities and goals?

Ellingham: What SRE means for us is we run all of our services in the cloud and SRE helps us scale our hardware to accommodate any load from our customers, and we do that by writing software. So we write software that scales hardware, ultimately for the purpose of serving our customers, and we ensure that we do so securely and cost effectively.

Typically my day-to-day is ensuring that the team’s set up for success. I also do a lot of recruiting and have hired many people since I joined engineering management. I facilitate career planning and development conversations and manage people’s promotions. I also do performance management and make sure that our teams are doing well and achieving our goals. I’m technical myself, so I jump into the weeds sometimes. I like getting my hands dirty in code and code review.

What about this SRE experience has been unique for you?

Ellingham: Before this position, I had never worked for a company that was doing something as important as cybersecurity. Within Cisco, we are protecting very, very important organizations that really need our site to be up, everyone from hospitals to education to large companies. We protect all these organizations and they expect our product to be up and they expect it to be secured. That’s where we step in as SREs to ensure that those two things are true.

I loved the fast pace and being able to solve problems within the startup world, but I had never experienced what mission critical software used by thousands of customers feels like. It’s not a good feeling when we go down, our customers aren’t super happy, and they shouldn’t be. It’s a really important product that we support. So that’s been really interesting, and obviously it comes with some pressure, but I think at the same time we do a really good job of supporting one another, so you never feel like it’s all on your shoulders, you always have teammates to rely on. Our mission’s really awesome, and it’s not like we’re just helping the big guy either, we have customers ranging from nonprofits to multinational corporations to governments.

Transitions as a company and as a team member, post-acquisition

What do you like most about working here?

Ellingham: I joined about 10 months before the Cisco acquisition, so I got to see a little bit of Duo as a private company and then all the acquisition process into fully integrating into Cisco. That was a great experience and ultimately solidified my desire to be here longer term. To see the professionalism and how it was such an atmosphere of wanting to amplify what we were doing at Duo, it was really cool to see, so Cisco’s acquisition process was really excellent.

My favorite thing about our culture is the individuals I work with. We have a really unique team that is very kind and very welcoming. I’ve had a series of awesome managers that support me well and a series of awesome team members who, together, we get to work on really cool things.

How have you been supported in transitioning to new roles?

Ellingham: I’ve had awesome advocates and managers throughout my entire time here that have allowed me to explore interests and be okay with taking risks. Ultimately, they took a risk on me to manage a team. Before Duo I was in a startup environment where I guess you could say I was a manager, but at the same time I was kind of doing everything. So I didn’t have any professional experience managing people, at least not in a large corporate environment.

But I realized pretty early on that I like that type of work. I liked learning about the business fundamentals, what we were going for as a product organization, and how we were going to sell the product. So, I found engineering management to be a really interconnected role that suited my interests and voiced that I wanted to pursue it. Management was super gracious to give me a try at it, and then invest in me. I’ve gotten to experience larger scale responsibilities, including starting the team in the U.K. and management’s been able to support me through all of that, so it’s been really fun.

From the Heart of Texas, Across the Pond, and Down Under

What prompted you to relocate from Austin to London?

Ellingham: I love sharing this story. After my startup started to lose traction and it was time to close down the business, I interviewed at a couple of places, and Duo was one of them. I came into the Austin office for my interview and saw a sticker. It was a map in the shape of the U.K. in our Duo green with a heart on London.

I thought it was really cool that they have an office in the U.K. and that it’d be really fun to work there. So, when my wife and I were deciding what company I should work for, it was actually on a pros and cons list for Duo and I chose Duo.

Working in my role for the first year was great. In my second year, I started having conversations with engineering leadership about the business and that there was an ongoing issue in that engineers located in the U.S. were responsible for our global footprint of customers.

That distribution could involve engineers waking up in the middle of the night to debug something with a customer that’s in Europe. So that wasn’t very fun, and we wanted to give our engineers the experience of being able to rest and not worry about hours beyond the core U.S. business hours. So the main purpose of my relocating and building out a team was to see if we could solve that issue. I put together a proposal, had it accepted, and worked with my manager to initiate the relocation to the U.K.

How has Cisco supported your relocation?

Ellingham: At Cisco, we have a full team dedicated to employee mobility, so it was actually really simple when it came to getting together the logistics of internationally relocating me. We had a ton of support from the international team and really it was a matter of making sure that we had the approvals in place. They took care of everything and I just provided information and support to that team, and then they took care of all the logistics. My manager also helped a ton at the time, and it was a really smooth process.

Ready to take the leap?

What advice do you have for others who are interested in moving to a new region or trying a new role?

Ellingham: I would say two things. The first is: Develop great relationships such that you can go to your manager, your manager’s boss, whomever, and understand where there are opportunities. If I look back at my story, having the relationship I had with leadership was really important so that I could fully understand if there was even a need to satisfy this huge personal desire I had. Relationships are really important.

The second thing is: Understand where the business is going and try to figure out how what you’re aiming to do aligns with that. In my story, that was seeing that we were increasing our international footprint for our customers — but we weren’t increasing our international footprint for our engineers, and I knew that would create some tension that we could step into and solve.

What did you find most rewarding and most challenging about relocating?

Ellingham: One really cool thing that you get when relocating is a new set of perspectives. You start to understand what other cultures are thinking through. I found that to be really, really enlightening, and we’ll get a new set of cultures in Australia, which will be really fun.

On the personal side, I love the process of experiencing somewhere new and starting to build community somewhere new. It can also be challenging. A fair warning is that it can feel lonely sometimes. You’re maybe far away from friends or family, but at the same time, the reward of making lifelong friends abroad is really, really fun. So, I would recommend it if you’re ready for the challenge.

If you’re interested in doing meaningful and impactful work like site reliability engineering, check out our open positions.

Retail and Hospitality Trending Holiday Cyber Threats
By Desdemona Bandini (dbandini@duo.com). Industry News. https://duo.com/blog/retail-hospitality-trending-holiday-cyber-threats

As the weather cools down and consumers prepare for the winter holiday season by shopping for loved ones or traveling to see them, malicious threat actors are standing by ready to ramp up their activities. The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) just released the 2022 Holiday Season Cyber Threat Trends report that reveals the most prevalent malware tools leveraged by cyber criminals this year, with phishing and fraud dominating the list.

In this post, we break down some of the threats facing retail security teams. And in our ebook, Retail Cybersecurity: The Journey to Zero Trust, we share ways that Duo can help retailers improve their security posture.

The state of security in retail and hospitality

RH-ISAC reports “organizations are seeing an increase in the prevalence of credential harvesting attempts, especially leveraging social engineering tactics.” The report found that QakBot, Agent Tesla, Dridex and Emotet are the most likely malware tools to be used by bad actors.

The top five primary cyber threats the report predicted for this holiday season include:

  1. Phishing and credential harvesting

  2. Account takeovers (ATO)

  3. Bots (scalpers and resellers)

  4. Gift and loyalty fraud

  5. Return fraud

The good news is that there is a simple, elegant and modern solution to the top threats this season. Businesses can prevent phishing and credential harvesting by investing in multi-factor authentication (MFA) as the first step to adopting a zero-trust stance (grant no access until trust is established and verified by multiple factors).

Retail and hospitality organizations may want to take cyber security a step further. Single sign-on (SSO) fortifies MFA by creating fewer passwords and a single dashboard for users to log into to reach all of their applications in one place. Couple MFA with Single Sign-On and reduce the human error element that plagues 82% of data breaches according to the Verizon Data Breach Investigations Report. Add a passwordless authentication factor like a biometric and block attempts at access.

Bolster your cybersecurity stance

This holiday season, retail and hospitality industries are expected to get hit even harder than past seasons by criminal attempts. As criminal rings become more sophisticated in how they target company employees through socially engineered phishing attempts, organizations can take a proactive approach that prevents attacks before they happen by utilizing MFA and SSO to protect employees during this busiest time of year and beyond, to keep private consumer data safe.

Get started by downloading our ebook, Retail Cybersecurity: The Journey to Zero Trust, today.

<![CDATA[IT Cyber Hygiene: Why It’s Important, and Duo’s Role in Securing Everyday Access]]> jhopler@cisco.com (Joe Hopler) https://duo.com/blog/it-cyber-hygiene-why-its-important-duo-role-securing-access https://duo.com/blog/it-cyber-hygiene-why-its-important-duo-role-securing-access Industry News

In today’s environment, you cannot go too long without learning about the latest company breach, social media hack, or vulnerability compromise. What likely ensues in the fallout is a mass of compromised user credentials, negative brand impact and significant financial consequences. These events have become almost commonplace, like talking about the weather. But it doesn’t have to be this way, or the impact can at least be minimized. Cyber hygiene – or cybersecurity hygiene – can help organizations secure their most critical data and mitigate security compromise.

What is cyber hygiene?

Cybersecurity hygiene is a set of habitual practices for ensuring the safe handling of critical data and for securing networks. To maintain high-level safeguards against bad actors, organizations and individuals must perform these practices regularly to maintain the health and security of users, devices, networks, and data.

Cybersecurity best practices include:

  • Awareness of what is on your network; identify critical and sensitive data

  • Access control; limit or control who can access which types of information, including privileged access control

  • Implement security configuration settings

  • Patch/update applications, software, devices, and operating systems (OS) on a routine, scheduled basis

  • Train awareness of phishing and spear-phishing campaigns

How can Duo Care help?

Duo Care takes a holistic approach, incorporating elements of foundational security best practices into Duo’s zero-trust security journey.

A dedicated Duo Care team helps to:

  1. Validate user identities – Ensure users are who they say they are at every access attempt, then regularly reaffirm their trustworthiness

  2. Establish device trust – See every device used to access your applications and continuously verify both device health and security posture

  3. Set adaptive policies – Assign granular and contextual access policies, limiting exposure of your information to as few users and devices as possible

  4. Secure access for every user – Provide appropriate permissions for every user accessing any application, any time, and from anywhere

  5. Secure access for every application – Reduce the risk of credential theft by enabling users to securely access their applications with a single username and password

Incorporating security best practices with a focus on cybersecurity hygiene and the support of a dedicated Duo Care Team provides the following advantages:

Implementation of cybersecurity best practices

This promotes an improved cybersecurity posture for the workforce and workplace, while simultaneously mitigating data breaches and other security incidents. Securing sensitive data also protects it from theft or attack.

Faster deployment

A team of trusted advisors equipped with knowledge of best practices and resources helps you deploy cybersecurity solutions across your enterprise faster.

Higher ROI

With the built-in expertise of a Duo Care team in navigating diverse and complex IT environments, organizations can maximize feature adoption and overcome challenges with speed and precision. Combined with the extended support hours, you’ll maximize your investment in Duo.

Instant access to experts

Change happens. IT infrastructures evolve. Duo Care addresses your needs as they change. You can also engage your Duo Care team at any time for guidance on changes that impact your existing Duo deployment.

VIP service

With Duo Care, you will be partnered with a team of experts, receive enhanced support hours, dedicated support lines, improved SLAs, early access to new features, and priority access to Duo events.

It’s time to start practicing cyber hygiene

While cyber threats are always evolving, deploying comprehensive security practices based upon sound cybersecurity hygiene – coupled with Duo Care support – helps mitigate risk, increases trust and drives improved security posture for your organization.

Want to learn more about what Duo can do for your enterprise? Sign up for a free trial today!

<![CDATA[To Cover or Not to Cover: The Cyber Liability Insurance Quandary Facing Small- and Medium-Sized Businesses]]> rosies@cisco.com (Rosie Samuels) https://duo.com/blog/cyber-liability-insurance-quandary-facing-small-medium-businesses https://duo.com/blog/cyber-liability-insurance-quandary-facing-small-medium-businesses Industry News

Much has been published about how the demand — and subsequent cost — for cyber liability insurance has skyrocketed in line with increasing incidents of cyberattacks. Some recent research has suggested that some businesses, particularly small to medium-sized ones, are terminating their policies altogether due to budget constraints. But what are the risks with this approach?

Here, we provide guidance for firms that have already, or are currently considering, taking the ‘no cover’ path.

The state of cyber liability insurance

The topic of cyber liability insurance is full of datapoints, statistics and graphs, all showing upward trajectories. Whether it is the number of global incidents and overall cyberattacks, the amount of insurance claims, the pricing of cyber insurance products, or the general rise in firms applying for policies, the only way is up.

However, one statistic that has come to light recently is around a proportion of the companies who are discontinuing their current level of cover. In fact, according to Spiceworks, ‘due to budget constraints, about 30% of small and medium-sized businesses (SMBs) discontinued their cyber insurance contracts in 2021’.

This is doubtless a symptom of the soaring costs of cyber liability insurance cover, twinned with an increasingly precarious economic landscape that is hitting SMBs in particular. Tech Wire Asia reports that premiums could reach anywhere between US$500 million and US$1 billion by 2025. And while budgets are being stretched every which way, the short- and long-term knock-on costs of defending against and recovering from potential cyberattacks can far outweigh preventative up-front costs.

Of course, insurance cover is not the only measure that can be taken. Ideally those firms that have discontinued their policies are barricaded well enough to weather potential cyber storms through their own procedures, policies, and people in place. However, research suggests otherwise. Security Magazine reports less than 10% of companies with fewer than 50 employees have dedicated financial resources for cybersecurity.

There are of course some measures that SMBs in particular can, and really should, employ to protect themselves:

1. MFA is a necessity, not a luxury

There is a good reason that nearly every cyber liability insurance carrier requires multi-factor authentication (MFA) and why, according to wholesale specialty insurance distributors CRC Group, clients without MFA risk non-renewal or a retention hike of 100% or more. MFA has proven to be a strong preventative strategy against stolen credentials and brute-force attacks.

But MFA should not only be viewed as a prerequisite for obtaining cyber liability insurance. By verifying your users’ identities before they access your network, two-factor authentication protects your applications and data against unauthorized access, something that makes sense whether you take or leave cyber liability insurance cover. In this day and age, MFA should be looked at as a cost of doing business, not an optional extra.

Questions to ask when selecting an MFA solution should be:

  • Can the solution protect against unauthorized access and provide visibility of users and devices in your environment?

  • Is the solution compatible with remote work and cloud applications?

  • Does your solution work with modern and legacy systems?

For more on how to evaluate MFA solutions, check out our evaluation guide.

2. Think like an insurer

If the decision has been made not to apply for a policy or renew an existing one, but cyber security is still a concern for the business, it's worth going over the same questions that an insurer may ask and having a robust answer ready and a plan in place to mitigate potential risks.

Earlier this year, we held a webinar with CyberCube, a provider of data-driven cyber risk analytics for the insurance industry, in which its former head of cyber intelligence Darren Thomson shared insight into the topics insurers are prioritizing. One of the key areas he zoomed in on was why organizations should be doubling down on protecting themselves from ransomware attacks.

He states that five or six years ago, ransomware attacks demanded an average of $500 and targeted consumers rather than enterprises, whereas ransom demands can now sometimes reach tens of millions of dollars. “That has driven insurers to harden the market and to be in a situation where they really want to understand what the risk of ransomware is to their potential client before they underwrite a policy.”

"That has driven insurers to harden the market and to be in a situation where they really want to understand what the risk of ransomware is to their potential client before they underwrite a policy." - Darren Thomson, Head of Cyber Intelligence for CyberCube

Thomson outlined how the best practices of five years ago still tend to be the best practices now, advising firms to: “go through traditional means to mitigate the ransomware risk. What are you doing about backups? How are you protecting your endpoints? Are all of your network ports closed?”

As outlined in our ebook Protecting Against Ransomware: Zero Trust Security for a Modern Workforce, zero trust is a security model built on the principle of “never trust, always verify.” It can help organizations proactively implement best practices known to protect against cyberattacks, including ransomware, whether or not there is a cyber liability insurance policy in place.

3. Ensuring minimal rough patches

Another key area of investigation for insurers when deciding how much to charge for coverage is how exposed firms are to software exploits when patches are not rolled out when needed. This is because unpatched vulnerabilities are the most consistent and primary ransomware attack vectors. So making sure this is managed effectively, even if a company does not apply for or renew cover, also makes business sense.

But ensuring all systems, computers, applications, and software within your firm are as current as possible is difficult to manage, especially considering the amount of technical debt held at many firms. Findings from McKinsey estimate that technical debt amounts to 20 to 40 percent of the value of firms’ entire technology estate before depreciation, and 60 percent of the CIOs McKinsey surveyed felt their organization’s tech debt had risen perceptibly over the past three years.

The best way to defend your organization in these cases is to install a system that warns you when your software is out of date, requires software updates before allowing access, and even blocks access from devices that don't meet your organization's requirements.

Next steps for small- and medium-sized businesses

If firms employ the three areas mentioned above, they will be well armed to protect themselves from a good amount of threats facing SMBs today. This proactive defense is especially crucial if a firm has decided to opt out of cyber liability insurance cover. In the long run, a solid cyber security practice could also bring premiums down, ensuring a ‘belt and braces’ approach for the company.

For more on this take a look at our guide: How Cyber Insurance Can Be a Lifeline in Today’s Evolving Threat Landscape.

<![CDATA[WebAuthn, Passwordless and FIDO2 Explained: Fundamental Components of a Passwordless Architecture]]> jefyeo@cisco.com (Jeff Yeo) https://duo.com/blog/webauthn-passwordless-fido2-explained-componens-passwordless-architecture https://duo.com/blog/webauthn-passwordless-fido2-explained-componens-passwordless-architecture Industry News

When someone is told that passwords are going away in favor of a new, “password-less” authentication method, a healthy dose of skepticism is not unwarranted. After all, years of memorizing increasingly complex combinations of lower- and upper-case letters, numbers, and special characters have conditioned users to believe the fancier their password, the less likely they are to get breached.

While this isn’t entirely wrong, passwords are difficult to remember and rarely secure. Experts in the fields of data protection and information security now look towards new technologies to make system access much more secure.

Passwordless authentication refers to a system that does not require the use of passwords at all. A current IT security trend, the password is replaced by much more secure factors in passwordless authentication, allowing for smoother usability without compromising on the additional benefits of having multiple factors.

In this article, we will go in-depth on the basic building blocks of passwordless technology: WebAuthn, FIDO, CTAP, FIDO2, and how it all comes together for the user.

What is WebAuthn?

The Web Authentication API (WebAuthn) is a specification developed by the World Wide Web Consortium (W3C) and the FIDO Alliance, with participation from an international array of major technology companies – including Cisco Secure through Duo Security – actively contributing to WebAuthn development.

The WebAuthn API allows servers to register and authenticate users using public key cryptography instead of a password. When built into browsers and platforms, it creates a private-public keypair (known as a credential), enabling passwordless authentication by connecting applications with strong biometric authenticators like Windows Hello or Apple’s Touch ID.

In summary, WebAuthn is a:

  1. Browser API for Passwordless Authentication

  2. Strong Authentication using Public Key Cryptography (which makes a credential)

  3. Specification developed by the W3C and the FIDO Alliance

What is the FIDO Alliance?

The FIDO Alliance, an open industry association consisting of members from across the global tech world, works to develop technical specifications for non-password-based authentication. Its specifications are based on public key cryptography, the same technology used in WebAuthn. The Alliance additionally certifies that solution providers are interoperable and meet the established specifications—denoted as FIDO® Certified.

In the case of passwordless, we focus on CTAP1 and CTAP2 specifications.

What is the difference between CTAP1 and CTAP2?

Established by the FIDO Alliance, Client to Authenticator Protocol (CTAP) is a specification that describes how an application (such as a browser) and operating system communicate with a compliant authentication device via USB, NFC, or Bluetooth Low Energy (BLE).

  • CTAP1 focuses on universal second-factor enablement

  • CTAP2 focuses on communication between applications (browsers, operating systems, etc.) and external authenticators. It is a key standard for FIDO2-certified passwordless authentication.

CTAP1 and CTAP2 are fairly interoperable, with most WebAuthn authenticators able to support both.

What is FIDO2?

FIDO2 is a standard that uses modern authentication technology to enable strong passwordless authentication. A joint project of the FIDO Alliance and the W3C, FIDO2 combines the Client to Authenticator Protocol (CTAP) with the Web Authentication API (WebAuthn).

What are some examples of FIDO2 authentication methods?

  1. Biometric-capable devices and platform authenticators: These are built-in authenticators that require a biometric, PIN, or passcode. Examples include Apple’s Touch ID and Face ID, Windows Hello, or Android fingerprint and face recognition.

  2. Roaming authenticators or security keys: FIDO2-capable hardware tokens use USB, NFC, or BLE to communicate user verification via biometric or PIN.

In short: FIDO2 Framework = WebAuthn + CTAP2, and there are a few options for FIDO2-specific authentication methods. Passwordless authenticators can also come in the form of mobile applications, like Duo Mobile.

So how do all the pieces — hardware and software — come together to make passwordless secure?

How does passwordless authentication work?

The most significant difference between password-based authentication and key-based passwordless authentication is that no shared secret is used to verify the user’s identity when gaining access to a system. Multiple factors are still at play without users having to remember a complex string of characters, namely the inherence factor (something you are - biometrics) and the possession factor (something you have - a registered device). Stronger factors significantly improve the user experience and mitigate the risk of phishing, stolen credentials, and man-in-the-middle (MiTM) attacks.

A keypair (the aforementioned “credential”) is generated during passwordless authentication. This keypair is always made up of a private and public key. In essence, the public key serves as a (public) lock that can only be opened with the private key. The combination of key and lock is unique per application, which greatly increases data security. A generated credential only works for the application or website it was created for, decreasing risk of being phished through fraudulent sites.

To generate the key pair of private key and public lock, users must use either an “external authenticator” (e.g., a security key) or an “internal authenticator” (e.g., a fingerprint reader). When a user logs into a system, the private key is kept by the user, while the public key (or public lock) is sent to the system. The public key is used to decrypt the private key by the system to which the user wishes to log in.

If the encryption and decryption sequence is successful – when the private key fits into the public lock – the user is also the owner of the private key.

Registering a Security Key or Biometric

For users to use security keys or biometrics, they must first register their devices with the Duo Cloud Service or another remote server. A challenge is returned with the relying party ID, and in the third step the system checks TLS and generates the public and private key pair. Once the credential is created, the signed challenge, with the credential ID generated by the key/biometric system, is sent back to Duo or the remote server along with the public key. Finally, in the fifth step, the information is verified and saved along with the public key.

Authentication Flow

The authentication flow when users log in to a web application is simple, and it is what makes passwordless a worthwhile investment. Using a web browser, the user accesses the application server. The server sends a request to the user’s device, and in step 3 a challenge signed with the private key is sent to the server. The signature is verified with the public key stored on the remote server or at Duo. Access is denied or granted based on the outcome of this cryptographic exchange.

Start your passwordless journey today

While there are several ways to start your journey to a passwordless future, I hope that this article has helped you understand the fundamental building blocks of a passwordless architecture.

For more technical explainers, read our Administrator's Guide to Passwordless series or learn more about Duo's passwordless solution today.

<![CDATA[Insert Tokens to Play! OpenID Connect (OIDC) Support in Duo SSO Is Now in Early Access]]> skathuria@duo.com (Seema Kathuria) cmedfisch@duo.com (Colin Medfisch) https://duo.com/blog/openid-connect-oidc-support-in-duo-sso-now-early-access https://duo.com/blog/openid-connect-oidc-support-in-duo-sso-now-early-access Product & Engineering

We are in an ever-changing world where tens, hundreds, sometimes even tens of thousands of applications are being used to keep your business moving forward. We see this here at Duo and Cisco every single day! As organizations work tirelessly to adopt these new business-critical applications, the identity and security industries are doing the same to ensure that end users have secure, frictionless access to all of them.

Today, we are excited to announce the Early Access release of Duo’s Single Sign-On (SSO) support for OIDC.

To date, Duo SSO has only supported SAML 2.0 web applications. Supporting OIDC allows us to protect more of the applications that our customers are adopting as we all move towards a mobile-first world and integrate stronger, modern authentication methods (e.g. biometrics).

What is OIDC?

OpenID Connect is a modern authentication protocol that lets application and website developers authenticate users without storing and managing other people’s passwords, which is both difficult and risky. Another benefit of OIDC is that end users find it easy to sign up and register on websites, thereby reducing website abandonment. Organizations that adopt, and developers that build, third-party OIDC apps want to give users (B2C, B2B) single sign-on access to them.

OIDC is an identity layer that works on top of the open OAuth 2.0 protocol, adding authentication to what has historically been used for authorization purposes. OAuth 2.0 offers a variety of grant types that support distinct sets of use cases, both on their own and often in combination with one another. The most common OAuth grant types include:

  • Authorization code

  • Authorization code with proof key for code exchange (PKCE)

  • Client credentials

  • Device code

  • Hybrid

  • Refresh tokens

What can you protect today?

We have been on a journey to help various organizations in different industries (healthcare, IT, manufacturing) protect several OIDC-based applications. We could not have done this without the amazing partnership of these Active Development Program customers. Here is one of our customers sharing their experience.

“OIDC has been phenomenal. It’s made everyone’s lives easier. Every time I click the button I am filled with joy.” – Iain McMullen, Director of Technology, Birmingham Consulting

In the Early Access release of Duo SSO support for OIDC, we will support two grant types: OIDC Authorization Code and OAuth 2.0 Client Credentials – with more coming before our Generally Available release. Organizations that use either or both grant types can participate in the Early Access release starting later this week!

Applications tested so far include Epic’s Haiku, Canto, and Rover mobile applications, Salesforce, IBM Spectrum Virtualize, IFS Cloud, Datto, and AWS Verified Access.

“We are very pleased that Duo SSO now supports OpenID Connect which allows us to secure more applications that our employees access on a regular basis. We use Duo SSO for securing access to Microsoft 365, Cisco AnyConnect VPN, and IFS Aurena, our ERP system. We will continue to integrate Duo in more applications and plan to expand usage to 50x more users over the next few months. We are glad we chose Duo for securing access to modern apps that our hybrid workforce depends on.” – Carlos Cortes, Business Systems Administrator, ASO Worldwide

How do I sign up?

OIDC and OAuth 2.0 support will start rolling out over the next week and be available to all customers using Duo Single Sign-On. To enable it, select Generic OIDC Relying Party or OAuth 2.0 Client Credentials from the Protect an Application list in the Duo Admin Panel.

We look forward to seeing what you protect with this new capability and invite you to share learnings and feedback with us. And if you want to learn more, check out our Duo + AWS Solution Brief.

<![CDATA[Amazon + Duo Continue to Provide Zero-Trust Access in the Cloud]]> gleishman@duo.com (Ginger Leishman) https://duo.com/blog/amazon-duo-continue-to-provide-zero-trust-access-in-the-cloud https://duo.com/blog/amazon-duo-continue-to-provide-zero-trust-access-in-the-cloud Product & Engineering

It is a truth universally acknowledged, that a single organization in possession of a good many applications, end users, and devices, must be in want of secure zero-trust access.

Adding to that complexity, we still have many organizations using the old method of a VPN to check a user’s identity before providing access to all applications, regardless of who the user is, what device they are using and what permissions they SHOULD have based on their role. VPNs weren’t designed to serve the increasingly remote workforce of today. They weren’t built with application-specific security controls, nor for the enormous scale (users and sessions) required today. This is especially true in sectors where employees are increasingly dependent on highly available, secure connectivity from anywhere, such as IT, education, and healthcare.

VPNs traditionally lack the modern security features needed to protect the workforce and data in our hybrid reality. Let us not forget that, besides not providing secure trusted access, VPNs also slow down productivity. It can take minutes for a user to connect to the network. Sometimes you even have to restart your laptop, and the fear of losing all your open tabs is real.

How do we then get around these challenges to provide secure access AND a great user experience?

Duo SSO + AWS Verified Access

About Duo SSO = Log in once, work everywhere

Single sign-on (SSO) from Duo provides users with an easy and consistent login experience for any and every application, whether in the cloud or on-premises. Cloud-based SSO is hosted by Duo, which makes it easy to set up and manage. It also features:

  • User-friendly dashboard to manage all access policies and applications

  • Customizable granular access policies per application, enforcing security rules based on criteria like user, device health, location, and more

  • Vendor agnostic: works across cloud platforms and all applications, whether cloud-based or on-prem

  • Built with modern security standards: SAML and OIDC

About AWS Verified Access

AWS Verified Access delivers secure access to private, corporate applications in AWS, without a VPN. Through continuous evaluation for each access request in real-time, AWS Verified Access evaluates contextual security signals like identity, device security status, and location and then grants access based on the configured security policy for each application. Built on zero-trust principles, AWS Verified Access enables the networking team to create, configure, and manage a fine-grained set of policies for private application access in AWS.

Admins can use Duo SSO and AWS Verified Access together to protect applications, users and data while removing password fatigue. Employees will have one place to log in that supports multiple multi-factor options, including biometrics, security keys, and passwordless. Duo integrates with AWS Verified Access to check the user’s identity, location, device security posture and more before sending the user through AWS Verified Access to the organization's private applications on AWS. The integration builds on zero-trust principles, ensuring only the right user at the right time has the right amount of access.

Both Duo SSO and AWS Verified Access are cloud-delivered services, making it very easy to set up and begin testing immediately.

Top use cases for Duo Single Sign-On (SSO) + AWS Verified Access

"Organizations are calling for security simplification and integration. With Cisco providing the data and signals needed for trust assessment with every authentication, AWS Verified Access can provide the consolidated, lightweight, secure access without needing an additional VPN. It’s ‘zero trust’ applied to the cloud environment from two strong security partners." - Wendy Nather, Head of Advisory CISOs, Cisco

Secure distributed users

No matter where a user is located, their access to private applications in AWS is based on zero-trust principles. Using AWS Verified Access, IT administrators can define policies and onboard new applications within minutes. AWS Verified Access integrates with Duo SSO to provide a single access dashboard with security contextual data like identity, location, and device security status that gives it the ability to set appropriate controls for granting application access. Go VPN-less!

Seamless user experience

Provide a simple and friendly access experience for users. Prevent password fatigue, as AWS Verified Access and private applications sit behind Duo SSO. Log in once for all applications, making the experience easy and consistent no matter which application users need to access.

Accelerate time to troubleshoot

AWS Verified Access evaluates each access request and logs all the requested data, including security signal input, using the information to authorize or deny requests. This provides visibility to the networking team into private application access requests, thereby enabling the team to quickly gather data and intelligence to direct a faster response.

Excited to learn more or get started with Duo SSO and AWS Verified Access? Here are a few resources:

<![CDATA[6 Networking Tips for Building Connections at the Start of Your Career]]> emsames@cisco.com (Emily Samar) https://duo.com/blog/networking-tips-building-connections-start-of-career https://duo.com/blog/networking-tips-building-connections-start-of-career Industry News

Whether you are someone who has access to a wide variety of professional resources or you are a first-generation college student, networking plays a large role in career success. This article addresses the importance of networking and shares tips for how early-in-career talent can build a professional network as you seek out your first, second, or third internship.

The importance of networking

Building a strong network can give you insight into industry trends, employment opportunities, and professional development resources. Networking can also elevate your career by helping you make lasting connections.

“It's 100% about who you know,” said Brandan Montgomery, program manager on the Cisco Secure Employee Experience Learning & Development team. One of the advantages of networking is building relationships that help you stand out and land a role that aligns with your career goals and interests. The relationships you build through networking can influence your career, creating opportunities for you to learn and assess your current competencies, providing a benchmark for where you can grow professionally.

Leveraging your professional network can also open many doors to help you get ahead in the application process.

6 tips for networking

While networking can help get your foot in the door, networking is a privilege and privilege comes in different shapes and sizes. For some, your network starts at birth. For others, your network may come to fruition in high school, college, or later in your career. For those who don’t have access to a wide network, getting creative and thinking outside the box can help you discover ways to build professional connections.

For those who are currently enrolled in a university or bootcamp, explore the professional services these institutions have to offer.

Actions you can take when exploring academic and professional services include:

  1. Visit your university’s academic resource center and talk with your academic advisor.

  2. Utilize your university’s career development office and meet with a career counselor.

  3. Ask your professors to connect you with folks who graduated from your current program.

  4. Become friends with your classmates! If you have a network, offer to make professional connections. If you are interested in building your network, connect with your peers and don’t be afraid to ask for help.

  5. Attend career fairs and hiring events that your school facilitates.

  6. Join an academic fraternity, sorority, club, or group.

Networking in your community

Another area to explore networking is through your community! Getting involved in your community is a great way to build connections personally and professionally.

  • Visit your community resource center or chamber of commerce to see what opportunities are available locally

  • Create a Meetup account; Meetup uses your personal and professional interests to help you explore opportunities to connect with like-minded individuals and discover company-sponsored events in your area

  • Research non-profit organizations that support early-in-career talent development. Below are a few examples of nonprofits Cisco Secure has partnered with and/or recommends:

    • Toastmasters, a nonprofit organization that coaches people on public speaking and leadership skills, is a great example of community offerings to explore in your region

    • Students Rising Above breaks down barriers for low-income and first-generation students; their work supports and invests in students from junior year in high school through college graduation, as well as into the workforce

    • Code2College does important work to increase the number of high school students from diverse backgrounds entering STEM education and careers

    • Technovation supports young women as they work in teams to code mobile apps that address real-world problems. Along the way, they develop collaboration, problem-solving and leadership skills

Making the connection

“Don’t be shy, shoot your shot,” said Veronica Toscano, Chief of Staff to the Chief Privacy Officer and Privacy Specialist at Cisco.

Following Toscano’s point, take bold steps to make connections. One quick and easy way to create your network is by using LinkedIn. LinkedIn can help you discover industry leaders in your desired field and connect you to people who inspire you.

Before reaching out, create a short introductory script. This script can include a bit about yourself, how you found the person you’re contacting and why you’re contacting them. The why can include requesting an informational interview for you to learn about their role, company or their journey. The why can also ask for recommendations on reading materials and information to help you grow in your career. Whatever your why is, make sure to include it.

If you decide to connect in person or virtually, make sure to come with questions and talking points so you can make the best use of both parties' time. It says a lot about a person when they come prepared to a meeting. By putting your best foot forward, the person you’re connecting with can see you shine.

Bonus networking tip: Once your meeting is over, send a note thanking your new connection for their time and reflecting on a piece of information they shared with you that you plan on implementing. This demonstrates professionalism and good manners.

Maintaining your network

Maintaining your network doesn’t mean you have to reach out daily. An easy way to maintain your network is by checking in, asking follow-up questions and sharing updates on any major events that occurred since last you spoke. Another way is to share articles, learnings, and growth opportunities you’ve experienced that you think would excite your contacts.

Finally, if you and your new connection are working together to get a job within a certain company, share your hiring results! Your wins are their wins, and I can assure you that they will want to hear about your accomplishments.

Closing thoughts

At the end of the day, you are the only one who can take the steps to achieve your networking goals. The tips in this article will help you get started on building your professional network and provide resources to help you take action. By getting started and expanding your network, your future options multiply. Internships are another great way to build a professional network.

If you value growth and a hands-on learning experience, check out Duo's internship program!

Announcing the General Availability of Verified Duo Push
By Hannah Mullman (hmullman@duo.com), Product & Engineering
https://duo.com/blog/announcing-general-availability-duo-verified-push

As attackers have figured out ways to get around traditional multi-factor authentication (MFA), Duo has continued to evolve to prevent fraudulent access and protect the workforce. Every day, users are inundated with notifications on their phones, and it can be difficult to appropriately respond to each buzz or alert. Some attack patterns, like push harassment, rely on the assumption that if you bother an end user enough times, they will eventually relent and accept the request.

In response to MFA fatigue and push-phishing attacks, we announced the Public Preview of Verified Duo Push in August of this year. Now, we are thrilled to announce the general availability of Verified Duo Push to all MFA, Access, and Beyond edition customers.

Making MFA More Secure

Verified Duo Push strengthens MFA security by adding friction to the authentication process. With a normal push request, an end user might absentmindedly click ‘Approve,’ but a Verified Duo Push requires the user to input a numeric code in order for the authentication to be successful. If the request is from a bad actor, the extra steps the user has to take mean they have more time to realize they should deny the request and mark it as fraud. The user also will not have the unique code, which creates another barrier to access if the request is not valid.

Lessons from Public Preview

During public preview, we learned a lot from the hundreds of customers who participated, and we have used that feedback to continue to evolve the user experience. Our initial implementation of Verified Duo Push required users to input a 6-digit code to make it difficult for attackers to randomly guess the code correctly. However, customers wanted the option to customize the code length. With our GA release, Verified Duo Push can be configured to be between 3 and 6 digits long, depending on the preferred balance of security and end user experience.
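To make the trade-off in the two paragraphs above concrete, here is a toy server-side model of code-matching push verification. It is an added example, not Duo's implementation: the request ids, the 60-second lifetime, the single-decision rule and the `report_fraud` call are all assumptions made for the illustration. The code is shown on the login screen and typed into the approver app; the server accepts exactly one decision per push, compares in constant time, and rejects codes outside the 3 to 6 digit range. `guess_success_probability` shows why a shorter code is weaker: one blind guess succeeds 1 time in 1,000 at 3 digits but 1 time in 1,000,000 at 6.

```python
"""Toy number-matching push verification (added example, not Duo's code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DIGITS = "0123456789"


@dataclass
class PushRequest:
    request_id: str
    code: str              # digits shown on the login screen, typed into the approver app
    created_at: float
    ttl_seconds: float = 60.0   # assumed lifetime of a pending push
    state: str = "pending"      # pending | approved | denied | fraud | expired


class VerifiedPushServer:
    def __init__(self, code_length: int = 6):
        # 3 to 6 digits is the configurable range described in the post.
        if not 3 <= code_length <= 6:
            raise ValueError("code_length must be between 3 and 6")
        self.code_length = code_length
        self._requests: Dict[str, PushRequest] = {}

    def create_push(self, now: Optional[float] = None) -> Tuple[str, str]:
        """Start a push; returns (request_id, code). The code is what the login page displays."""
        now = time.time() if now is None else now
        code = "".join(secrets.choice(DIGITS) for _ in range(self.code_length))
        req = PushRequest(secrets.token_hex(8), code, now)
        self._requests[req.request_id] = req
        return req.request_id, code

    def verify(self, request_id: str, submitted: str, now: Optional[float] = None) -> str:
        """Apply the approver's answer. Exactly one decision is accepted per push."""
        now = time.time() if now is None else now
        req = self._requests.get(request_id)
        if req is None:
            return "unknown"
        if req.state != "pending":
            return req.state                      # already resolved: no retries
        if now - req.created_at > req.ttl_seconds:
            req.state = "expired"
            return req.state
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(req.code.encode(), submitted.encode()):
            req.state = "approved"
        else:
            req.state = "denied"                  # a wrong code consumes the push
        return req.state

    def report_fraud(self, request_id: str) -> str:
        """The approver flags a push they did not initiate; it can never be approved afterwards."""
        req = self._requests.get(request_id)
        if req is None:
            return "unknown"
        req.state = "fraud"
        return req.state


def guess_success_probability(code_length: int, guesses: int = 1) -> float:
    """Chance that an attacker who does not see the login screen guesses the code."""
    return min(1.0, guesses / 10 ** code_length)


if __name__ == "__main__":
    server = VerifiedPushServer(code_length=4)
    request_id, code = server.create_push()
    print("login page shows", code)
    print("approver enters it:", server.verify(request_id, code))
    for n in (3, 4, 5, 6):
        print(f"{n} digits: one blind guess succeeds with p = {guess_success_probability(n)}")
```

Because a wrong answer resolves the push instead of allowing another try, an attacker who triggers the push cannot iterate through the code space; they would have to trigger a fresh push for each guess, which is exactly the repeated-prompt behaviour the user is being trained to report as fraud.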

Verified Duo Push helps strengthen the initial promise of MFA, even in light of new and emerging push attacks. Duo already supports FIDO2 authenticators, which offer the strongest protection against MFA-based attacks. But we know that rolling this out across an organization is a journey, and Verified Duo Push can help along the way. This is highlighted by a recent CISA Fact Sheet that recommended implementing a solution like Verified Duo Push to make MFA more secure.

However, some organizations might struggle to get organizational buy-in to add friction for every login. As an alternative approach, Duo’s new Risk-Based Authentication solution only steps up to the more secure method when risk signals in the environment indicate there are potential threats. Whether security teams enable Verified Duo Push for all users or only through a risk-based approach, organizations can make the decision based on their risk appetite and needs.

As we continue to add to our Risk-Based Authentication policy stack, we know that Verified Duo Push will continue to play a big role in keeping users and organizations safe. Verified Duo Push is one step in customers’ security journey and Duo will continue to work towards the balance of protecting customers and providing a good user experience.

3 Lessons From Gartner Peer Insight’s Hybrid Work Survey
By Jennifer Golden (jgolden@duo.com), Industry News
https://duo.com/blog/lessons-from-gartner-peer-insight-hybrid-work-survey

Gartner Peer Insights and Cisco surveyed 100 network, IT, and security experts who evaluate or purchase cybersecurity and identity management tools to understand what they value and prioritize in today’s evolving threat landscape. One trend from this survey is clear: Hybrid work is here to stay. That means security leaders must continue to find better ways to secure access to corporate resources, without stopping employees from doing their jobs.

So, what can we learn from these survey results? Here are the 3 key challenges that security experts must navigate:

1. Managing a larger attack surface

Hybrid work means that employees are still logging in from the corporate network, but they are also logging in at home, on various devices, and from changing locations. When companies had to manage one corporate device in one location, it was easier to differentiate between risky and normal user behavior. However, as the attack surface and the number of potential risk signals have both increased, it has become difficult for security teams to manage these new risks.

One approach companies can take to improve their security posture is to put controls in place to prevent bad actors from gaining access. This includes using multi-factor authentication to protect user accounts, using device trust policies to assess device health and control access across managed and unmanaged devices, and setting up remote access policies to protect applications, regardless of user location.

2. Balancing risk signals and privacy

Organizations can evaluate risk in the environment by tracking contextual signals to determine if there is any anomalous activity. However, analyzing risky behavior can sometimes lead to violating individuals’ privacy if those signals are too intrusive.

In Duo’s new Risk-Based Authentication solution, we have developed a new risk signal, called Wi-Fi Fingerprint, to evaluate changes in location without invading the user’s privacy. Wi-Fi Fingerprint evaluates location by turning the Wi-Fi network information into a new data point that also anonymizes the user location. Duo can then compare current and past Wi-Fi Fingerprint data points to determine the risk level, without ever knowing the user’s specific location to begin with.
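The principle described above, comparing anonymized network data points rather than locations, can be illustrated with a keyed hash. The following is an added example and is not Duo's Wi-Fi Fingerprint implementation: it assumes the raw input is the set of visible network identifiers (BSSIDs, a constructed choice), that each one is replaced by an HMAC under a per-user secret so the server can test tokens for equality but cannot recover the network or compare across users, and it goes beyond the post by scoring partial overlap with previously seen sets (a Jaccard similarity with an assumed 0.5 threshold) instead of exact matches only. All network identifiers and the user key below are constructed sample values.

```python
"""Keyed network fingerprint illustration (added example, not Duo's Wi-Fi Fingerprint code)."""
import hashlib
import hmac
from typing import FrozenSet, Iterable, List

# Constructed sample data: in a real system the key is random per user and kept server-side.
USER_KEY = b"constructed-per-user-secret-for-demo"
OFFICE_NETWORKS = ["AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02", "AA:BB:CC:DD:EE:03"]
HOME_NETWORKS = ["11:22:33:44:55:66"]


def network_tokens(visible_networks: Iterable[str], user_key: bytes) -> FrozenSet[str]:
    """Replace each visible network identifier with a per-user keyed hash.

    The resulting tokens can be compared for equality, but without the key nobody
    can map a token back to a network, and the same network yields different tokens
    for different users, so tokens cannot be joined across accounts.
    """
    tokens = set()
    for net in visible_networks:
        canon = net.strip().lower().encode()            # normalise before hashing
        digest = hmac.new(user_key, canon, hashlib.sha256).hexdigest()
        tokens.add(digest[:16])                          # truncated for storage; assumption
    return frozenset(tokens)


def overlap(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Jaccard similarity of two token sets; 0.0 when there is no evidence at all."""
    union = a | b
    if not union:
        return 0.0
    return len(a & b) / len(union)


def assess_location(history: List[FrozenSet[str]], current: FrozenSet[str],
                    threshold: float = 0.5) -> str:
    """'familiar' if the current token set resembles any previously seen one, else 'unfamiliar'.

    The threshold is an assumption: visible networks fluctuate, so a partial match
    from the same place should not look like a new location.
    """
    best = max((overlap(past, current) for past in history), default=0.0)
    return "familiar" if best >= threshold else "unfamiliar"


if __name__ == "__main__":
    history = [network_tokens(OFFICE_NETWORKS, USER_KEY),
               network_tokens(HOME_NETWORKS, USER_KEY)]
    print("stored tokens:", sorted(history[0]))       # no BSSID is visible to the server
    print("office again:", assess_location(history, network_tokens(OFFICE_NETWORKS, USER_KEY)))
    print("somewhere new:", assess_location(history, network_tokens(["DE:AD:BE:EF:00:01"], USER_KEY)))
```

What the server keeps is only the token sets, so a breach of the history store reveals neither where the user was nor which users were in the same place; the risk decision still works because equality of tokens under the same key is preserved.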

3. Making it easy for trusted users

Ultimately, security teams want to make it difficult for bad actors to gain access, but don’t want to get in the way of trusted users doing their jobs. However, if a company cannot differentiate between a low-risk and a high-risk scenario, then it cannot make it easier for trusted users to log in. Duo’s new Risk-Based Remembered Devices policy allows users to automatically gain access to corporate resources when risk is low, and revokes that trust and requires re-authentication if there is a change in behavior.

This allows security teams to feel confident about allowing their users to have longer sessions, and authenticate less frequently, without sacrificing security.

Want to learn more about securing hybrid work?

It is clear that the nature of work is rapidly changing. Security teams face a variety of new challenges as they seek to defend a larger attack surface against an evolving threat landscape. Duo is here to partner with organizations to help them achieve their security goals, without preventing trusted users from doing their job.

To learn more, check out the Gartner Peer Insights Survey Results.