<![CDATA[The Duo Blog]]> Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. en-us info@duosecurity.com (Amy Vazquez) Copyright 2024 3600 <![CDATA[Watching the Watchmen: Securing Identity Administrators]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/watching-the-watchmen-securing-identity-administrators https://duo.com/blog/watching-the-watchmen-securing-identity-administrators Industry News

Administrators of identity tools hold the skeleton keys to the kingdom now that identity is the new perimeter. To be clear, all administrator accounts — regardless of use case — represent accounts with elevated levels of power and access and should be a focus of heightened security controls. However, in recent months, administrators of identity infrastructure and tooling have come under specific attack.

Therefore, understanding who your identity administrators are, what they do, and how to monitor their activities is crucial for maintaining a secure environment. In this blog, we will explore the importance of securing identity admins, highlight the risks of poorly managed admin accounts and provide best practices to mitigate these risks.

What is an identity administrator?

Identity administrator accounts have elevated permissions to deploy, configure, and modify relevant identity systems. In many enterprises, this includes administrators for tools like on-premises and cloud directories, single sign-on (SSO) solutions and multi-factor authentication (MFA) providers.

These administrators are essential for configuring key workflows for identity and access management (IAM) within organizations. For example, they often define and configure the lifecycle of employee identity accounts, provision application access for user groups, set access policies for these groups, and determine authentication requirements for various policies. Identity admins play a large role in defining and setting access policy and requirements, making these accounts attractive targets for cyber attackers.

The risks of poorly managed administrator accounts

Poorly managed identity administrator accounts can lead to significant security risks. Excessive privileges, lack of visibility, and undetected anomalous activity can all contribute to security breaches. To illustrate the risk, let’s use the notable example of the Scattered Spider attacker group, which has been known to exploit administrator accounts to gain control of identity systems.

Case study: Scattered Spider

Scattered Spider is the name of an attacker group associated with several major identity-based breaches. Their techniques have been outlined in this helpful briefing from CISA. They famously use a variety of social engineering techniques (e.g., calling the help desk and asking for password and MFA resets) to gain initial access to environments.

Once they obtain initial compromise of a user's account, Scattered Spider threat actors register their own MFA tokens to establish persistence. This is where they begin targeting identity administrator accounts and performing administrative actions. They will change the access policy so that it no longer requires MFA, or even go so far as to create and link new identity provider instances.

For example, they have been documented adding a federated identity provider to the victim's SSO tenant and activating automatic account linking, enabling them to sign into any account using a matching SSO account attribute. This allows them to perform privilege escalation and maintain access even when passwords are changed.

The key takeaway is that gaining administrative control of identity systems can have devastating consequences. However, with the right tools and practices, organizations can detect and respond to such activities early, reducing the potential impact.

Monitoring identity administrators with Cisco Identity Intelligence

Cisco Identity Intelligence offers powerful capabilities to evaluate and monitor administrator accounts and activities. By providing necessary visibility into the number of identity admins and their interactions with the environment, Cisco Identity Intelligence helps ensure proper use of privileges and alerts on anomalous activity.

Key features of Cisco Identity Intelligence for Administrator Security

Dashboards:

  • Administrators per source

  • Administrator logins

Checks:

  • Admin filter on weak or no MFA

  • Admin activity anomaly

  • Admin role assigned to user

  • Login to admin console

  • Admin impersonation

  • New IdP created

These features enable organizations to detect and respond to risky admin activity, reducing the likelihood of security breaches.

Best practices for securing identity administrators

To enhance the security of identity admins, organizations should implement the following best practices:

1. Limit the number of admins

Restrict the number of admin accounts to the minimum needed to function effectively. This reduces the attack surface and makes it easier to monitor and manage these accounts.

2. Limit privileges and access

Grant admin accounts only the privileges and access necessary for their roles. Implement the principle of least privilege to minimize the potential impact of a compromised account.

3. Enforce strong multi-factor authentication (MFA)

Require strong forms of MFA for admin access. When we say strong MFA, we mean disabling weaker forms of MFA like SMS and requiring phishing-resistant MFA via passwordless or combining traditional MFA with a trusted device requirement.

4. Implement monitoring and detection

Continuously monitor admin accounts and implement detection logic for high-risk activity. Use tools like Cisco Identity Intelligence to gain visibility into admin activities and detect risky activity.

5. Establish a response workflow

Develop and implement a response workflow for various levels of administrator risk. This ensures that your security team can quickly and effectively respond to potential threats.

Keep an eye on your identity watchmen

If we revisit the case of Scattered Spider after having implemented these controls, the picture is much rosier. It’s unfair and unwise to say that all breaches would be prevented or detected. But by proactively limiting the attack surface and putting in place detection logic to alert on strange admin activity (e.g., creating a new tenant or connecting a new SSO), organizations will be much better off.

To assess the security of your identity administrator accounts, consider asking the following questions of your own environment:

  1. How many identity administrators do you have in your environment?

  2. Is strong MFA required for all identity administrators in every case?

  3. Do you have good visibility into normal admin activity?

  4. How do you detect anomalous admin activity?

  5. What is the response workflow when risky admin activity is detected?

If you’re interested to learn more about building a robust Identity Security program to handle identity admin security and much more, check out our ebook: Building an Identity Security Program. Talk with someone about how Cisco Identity Intelligence and Duo can help bolster your organization’s identity defenses by contacting us.

]]>
<![CDATA[Turning Microsoft’s MFA Requirement for Azure Into an Epic Security Win With Duo]]> canderson@duo.com (Chris Anderson) https://duo.com/blog/turning-microsoft-mfa-requirement-for-azure-into-epic-security-win-with-duo https://duo.com/blog/turning-microsoft-mfa-requirement-for-azure-into-epic-security-win-with-duo Industry News

We are less than two months away. Are you ready?

Microsoft has announced that, starting next month, it will begin rolling out mandatory multi-factor authentication (MFA) sign-in for Azure (also known as Microsoft Entra ID) resources.

It is no secret that identity-based breaches are on the rise, so we applaud Microsoft for taking the first step towards better protecting Azure resources! As Microsoft points out in their announcement, MFA “can block more than 99.2% of account compromise attacks.”


Not only do we applaud them, but at Duo we have been partnering with Microsoft for years to provide seamless integrations that make any Microsoft deployment more secure. Most recently, Duo became the first approved vendor in Microsoft’s new External Authentication Methods framework.

To illustrate the depth of our integration, you can satisfy Microsoft’s mandatory MFA requirement through any one of the following Duo configurations:

  1. Duo Single Sign-On for Microsoft 365 supports Microsoft’s mandate out of the box

  2. Duo two-factor authentication for Microsoft Entra ID External Authentication Methods (EAM) supports Microsoft’s mandate out of the box

  3. If you are using Duo with Active Directory Federated Service (AD FS), you will need to ensure you are sending the Authentication Methods Reference (AMR) in the AD FS custom claim to support Microsoft's mandate

However, while MFA has been shown to help stop attacks, authentication alone is not the answer. The security industry has diligently battled compromised credentials. We have evolved from passwords to multi-factor authentication (MFA) to phishing-resistant passwordless — our most secure form of authentication to date. Duo has been at the forefront of passwordless development and fully supports passwordless authentication as a component of an identity security program.

Despite these advancements, we still see many identity-based breaches year over year. This is why we released Continuous Identity Security earlier this year. Continuous Identity Security is built on the premise that we need to enhance our traditional access management controls. It combines Duo’s current authentication capabilities like MFA, Passwordless and SSO with powerful security insights into identity and device risk. It also provides mechanisms to maintain and revoke trust based on these insights.

For example, Continuous Identity Security includes an Identity Intelligence layer that provides visibility and context into identities across multiple data sources such as Entra ID, Duo, Okta, Workday, Google and Salesforce. This context can be used to proactively improve identity security posture by doing things like finding and removing dormant accounts. But it can also be used to inform an identity threat detection & response (ITDR) practice that seamlessly responds to identity threats.

In addition to Identity Intelligence, Continuous Identity Security includes functionality like Duo Passport which securely brokers trust across disparate authentication scenarios, reducing the number of times a user is asked to log in. Just like SSO before it, Duo Passport eases the burden of performing authentication on an end user, making them much less susceptible to frustration-based attacks like Push Bombing.

With Continuous Identity Security, not only can you satisfy Microsoft’s mandatory MFA requirement, but you are able to protect yourself against the sharp rise in identity-based attacks — all while maintaining a seamless access experience for your end users. Security is better because you now have deep visibility across all your identity environments, enabling ISPM and ITDR. Yet user experience is also improved, because Passport and continuous analysis mean trust can be shared between authentication checkpoints, reducing authentication frustration.

If you’re interested to learn more about how Duo and Microsoft can help secure your organization, check out this eBook that highlights how we work together to enable Zero Trust.

If you’d like to learn more about how to implement Continuous Identity Security at your company, you can read more on our product page or reach out to sales for a quick discussion.

]]>
<![CDATA[Uncovering & Remediating Dormant Account Risk]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/uncovering-remediating-dormant-account-risk https://duo.com/blog/uncovering-remediating-dormant-account-risk Industry News

The importance of gaining visibility into identity data

Over the last two years, the security of an organization's identity ecosystem has become paramount. Before diving into the specifics of dormant accounts, it's important to take a step back and discuss a prerequisite: gaining cross-platform visibility into identity and access management data. This visibility is the cornerstone of any robust identity security program.

You cannot protect what you can't see. Identifying what to protect is the first step in an organization’s identity security program. To achieve this, building an accurate user inventory is necessary. If you don’t trust us, the Center for Internet Security (CIS) also recommends maintaining an accurate inventory of devices and users to ensure that only authorized users have access to the system. Without an accurate user inventory, it becomes difficult to identify and mitigate security risks.

Challenges facing organizations trying to gain identity visibility

However, organizations often face several challenges when trying to gain visibility into their identity ecosystem. To start, identity providers store data in different formats with varied attributes and schemas, making it hard to map and reconcile data between systems, especially HR directories and identity providers. Additionally, data quality varies, with HR directories often having more accurate and up-to-date data compared to cloud-based identity providers. This creates inconsistencies when forming a unified view of user identities. And finally, individual users often have multiple accounts (Gmail, Yahoo, etc.) with access to company data. These accounts should be linked to a singular corporate entity.

By leveraging Cisco Identity Intelligence, organizations can easily overcome these challenges to gain powerful visibility into their identity ecosystem. One of the key functions of Cisco Identity Intelligence is creating an identity graph that is a mapping of accounts and access within an organization.

Visibility unlocks identity security posture management (ISPM)

Once an organization gains visibility, they can start getting proactive by implementing an identity security posture management (ISPM) initiative. But what exactly is ISPM?

Identity security posture management (ISPM) is the idea that an organization has a certain level of posture when it comes to the defense of the identity environment. This posture is affected by different levels of security hygiene and control in place both for individual users and for the organization more broadly. ISPM involves continuously monitoring and analyzing identities, access rights and authentication processes across your entire ecosystem to inform the current identity security posture. This gives you insights into your identity risk profile and guidance on how to remove that risk.

To get concrete, here are some examples of use cases or insights that would fall under the category of ISPM:

  • Uncover dormant or inactive accounts

  • Ensure widespread coverage and proper usage of strong MFA

  • Evaluate administrator accounts for risky activity

  • Monitor guest, contractor or service accounts for proper use

Deep dive into dealing with dormant accounts

So, what are dormant or inactive accounts? The definition can vary from organization to organization, but this usually refers to a licensed and provisioned account that has not performed any activity for an extended period of time.

Why are dormant accounts a risk?

Dormant accounts pose a significant security risk. The Cybersecurity and Infrastructure Security Agency (CISA) recently highlighted that attackers are now targeting these accounts as an initial entry point into organizational environments. According to a CISA report: "Attackers have also targeted dormant accounts belonging to users who no longer work at a victim organization but whose accounts remain on the system."

The report also highlights that attackers can time their activities to align with a breach or incident at the company. For example, it is often the case that during an incident, employees across an organization are forced to do a password reset. CISA noted that attackers have “also been observed logging into inactive accounts and following instructions to reset the password. This has allowed the actor to regain access following incident response eviction activities."

In either case, dormant accounts are providing a viable entry point for attackers looking to gain access into company environments.

How Cisco Identity Intelligence helps identify dormant accounts

After ingesting data from identity data sources, Cisco Identity Intelligence analyzes the data and offers a variety of checks that highlight potentially inactive or dormant account risks. These checks can be used individually or in combination to zero in on dormant accounts and abnormal activity associated with dormant accounts. To illustrate how Cisco Identity Intelligence does this, here are some of the checks that run inside the tool:

  • Inactive Users: Detects users who are enabled (Active status) and who have not successfully authenticated for more than 30 days.

  • Inactive Account Probing: Detects users with a sudden spike in failed login attempts after a long period of inactivity, which may be an account takeover attempt.

  • Never Logged In: Detects accounts that were created but never successfully logged in. These accounts appeal to attackers, as they may be able to register their own MFA factors.

  • Access from Dormant Account: Adversaries often target dormant accounts that belong to users who no longer work at a victim organization, but whose accounts still have access to the system.

  • Unused Application for a User: Detects applications unused by a user. Users will fail this check if they have not used an application within 30 days.
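The first four checks in the list above, reimplemented in Python over a constructed directory and authentication log, as an added example that is not Cisco Identity Intelligence code. The 30-day inactivity threshold is the one the checks state; treating five or more failed logins within 24 hours as a "spike" is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INACTIVE_DAYS = 30                  # threshold stated by the Inactive Users check
PROBE_MIN_FAILURES = 5              # assumed: failures that count as a "spike" (not on the page)
PROBE_WINDOW = timedelta(hours=24)  # assumed: window in which the spike must land


@dataclass(frozen=True)
class User:
    name: str
    enabled: bool


@dataclass(frozen=True)
class AuthEvent:
    user: str
    when: datetime
    success: bool


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def _successes_by_user(events):
    """Sorted timestamps of successful authentications, per user."""
    out = defaultdict(list)
    for e in events:
        if e.success:
            out[e.user].append(e.when)
    for times in out.values():
        times.sort()
    return out


def inactive_users(users, events, now, days=INACTIVE_DAYS):
    """Inactive Users: enabled accounts whose last successful login is older than `days`."""
    last = {u: t[-1] for u, t in _successes_by_user(events).items()}
    cutoff = now - timedelta(days=days)
    return {u.name for u in users if u.enabled and u.name in last and last[u.name] < cutoff}


def never_logged_in(users, events):
    """Never Logged In: enabled accounts with no successful authentication at all."""
    seen = _successes_by_user(events)
    return {u.name for u in users if u.enabled and u.name not in seen}


def inactive_account_probing(users, events, now, days=INACTIVE_DAYS,
                             min_failures=PROBE_MIN_FAILURES, window=PROBE_WINDOW):
    """Inactive Account Probing: dormant or never-used accounts that suddenly collect failures."""
    last = {u: t[-1] for u, t in _successes_by_user(events).items()}
    dormant_cutoff = now - timedelta(days=days)
    recent_failures = defaultdict(int)
    for e in events:
        if not e.success and e.when >= now - window:
            recent_failures[e.user] += 1
    return {u.name for u in users
            if (u.name not in last or last[u.name] < dormant_cutoff)
            and recent_failures[u.name] >= min_failures}


def access_from_dormant_account(events, days=INACTIVE_DAYS):
    """Access from Dormant Account: a success that follows a gap longer than `days`."""
    hits = []
    for user, times in _successes_by_user(events).items():
        for prev, cur in zip(times, times[1:]):
            if cur - prev > timedelta(days=days):
                hits.append((user, cur))
    return sorted(hits)


# Constructed sample directory and authentication log; not real data.
USERS = [User("alice", True), User("bob", True), User("carol", True),
         User("dave", False), User("erin", True), User("frank", True)]
NOW = _ts("2024-06-30T12:00:00")
EVENTS = [
    AuthEvent("alice", _ts("2024-06-29T08:00:00"), True),
    AuthEvent("alice", _ts("2024-06-30T08:01:00"), False),  # a single typo, not a spike
    AuthEvent("alice", _ts("2024-06-30T08:02:00"), True),
    AuthEvent("bob",   _ts("2024-04-01T09:00:00"), True),   # then silent for ~90 days
    AuthEvent("dave",  _ts("2024-01-10T09:00:00"), True),   # disabled account, not flagged
    AuthEvent("erin",  _ts("2024-03-01T09:00:00"), True),   # dormant, then probed below
    *[AuthEvent("erin", _ts("2024-06-29T23:00:00") + timedelta(minutes=i), False)
      for i in range(6)],
    AuthEvent("frank", _ts("2024-02-01T09:00:00"), True),
    AuthEvent("frank", _ts("2024-06-28T09:00:00"), True),   # reappears after 148 days
]


def run_all(users=USERS, events=EVENTS, now=NOW):
    """Run every check against the sample data and return the flagged account names."""
    return {
        "inactive_users": inactive_users(users, events, now),
        "never_logged_in": never_logged_in(users, events),
        "inactive_account_probing": inactive_account_probing(users, events, now),
        "access_from_dormant_account": {u for u, _ in access_from_dormant_account(events)},
    }
```

Running `run_all()` flags bob and erin as inactive, carol as never logged in, erin as probed, and frank's June login as access from a dormant account; the disabled account dave is ignored throughout.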

Once the dormant accounts have been identified, it’s straightforward to limit or cut off access where necessary.

What is the benefit of remediating dormant or inactive accounts?

Security Benefit: Standing entitlements that are not needed or not used on a regular basis give attackers a dormant account they may be able to use to gain access to sensitive systems and data. Removing these entry points makes the attack surface smaller and harder for attackers to penetrate.

Economic Benefit: Dormant accounts may consume licenses that no one uses. By remediating dormant accounts, the organization can reclaim these unused licenses and save money.

Interested in learning more?

By addressing the risk of dormant accounts, organizations can significantly enhance their security posture and reduce unnecessary costs. With Cisco Identity Intelligence, gaining visibility and managing identity security has never been easier.

Be sure to download our free ebook — Building an Identity Security Program — to learn more about building and maintaining an identity security program that actually works.

To learn more about how Duo can help you on your ISPM journey, check out our Duo and Cisco Identity Intelligence page. Or, start a free trial of Duo to try out this functionality for yourself.

]]>
<![CDATA[Now Available: Duo Federal Edition Integration With Microsoft Entra ID]]> harsheik@cisco.com (Haroon Sheikh) https://duo.com/blog/duo-federal-integration-with-microsoft-entra-id https://duo.com/blog/duo-federal-integration-with-microsoft-entra-id Product & Engineering

In the June D292 Duo D-release, the Duo Federal edition integration with Microsoft Entra ID Conditional Access policies became available.

This Duo integration with Microsoft Entra ID (formerly Azure Active Directory) Conditional Access policies adds 2FA to Entra ID logons, offers inline user enrollment and supports a variety of authentication methods — such as Duo Push, Verified Duo Push, passkeys and security keys in the Universal Prompt. 

Microsoft Entra ID Conditional Access allows you to set policies that evaluate Entra ID users' access attempts to applications and grant access only when the request satisfies specified requirements, e.g. user group membership, geolocation of the access device, or successful multi-factor authentication.

Duo’s custom control for Microsoft Entra ID Conditional Access provides strong secondary authentication for Entra ID logons, and Duo’s granular access policies and controls complement and extend the access controls in Entra ID. It is important to note that this integration only works with Commercial Entra ID tenants and does not work for Entra ID GCC or GCC-High.

This is one of the first major updates to the Duo Federal edition since its FedRAMP authorization.

Duo Federal MFA & Duo Federal Access

Both the Duo Federal MFA and Duo Federal Access editions will be undergoing an upcoming update to the edition names similar to what the Duo Commercial edition had back in May 2023. These changes align with the Cisco Security Portfolio and reflect our comprehensive solutions and rich feature-set.

For the Duo Federal editions, Duo MFA will be renamed to Duo Essentials and Duo Access will be renamed to Duo Advantage. Regardless of the name change, they will continue to be federally compliant and FedRAMP authorized. Learn more about Duo’s Federal editions.

These Duo Federal editions support Authentication Assurance Level 2 (AAL2) with Duo Push or Duo Mobile Passcode for both Android and iOS devices by default out-of-the-box with no additional configuration required. Duo also supports AAL3 authenticators such as FIPS YubiKey from Yubico.

Duo Care Premium Support available for Duo Federal

The Duo Care premium support program is available for our customers utilizing the Duo Federal editions.

This offering provides a dedicated team of Customer Success experts that will ensure your deployment is smooth and work with you through the lifecycle of your subscription to make sure you are maximizing the value of your Duo investment as your organization and business needs evolve.

In addition to the team of dedicated trusted advisors that serve as your strategic point of contact and technical experts, the Duo Care premium support program also includes extended support services such as 24x7 phone availability, priority ticket SLA, a VIP support line and more!

Download the Duo Care Information Sheet.

Get started with a free trial of Duo’s Federal Editions

Duo Federal MFA and Duo Federal Access editions are listed on FedRAMP Marketplace, and can be purchased via DHS’ CDM or by visiting our Federal editions page. If you would like to get started with a free trial of Duo’s Federal MFA and Federal Access editions, sign up through our Federal editions page and we’ll reach out to get you started!

]]>
<![CDATA[TOTP vs. HOTP: Which Option Provides Better Passcode Protection]]> dwakanda@cisco.com (Derrick Sison) https://duo.com/blog/totp-vs-hotp https://duo.com/blog/totp-vs-hotp Product & Engineering

OTP (one-time password) technology dates to the early 1980s, when it was introduced as an authentication mechanism built on a cryptographic hash function. Fast forward to today: the core idea is unchanged, and many companies have since patented their own systems for generating and delivering OTP codes. A technology that has been around this long attracts attackers who try to compromise it in diverse ways. In recent years, we have seen attackers continue to try to compromise MFA by circumventing it or by going through it with phishing attacks.

While we still recommend security keys or Duo Push with Verified Push over other authentication methods when feasible, we recognize that certain organizations, their environments, and where they are on their security journey still require the ease and flexibility of OTP passcodes. We want to meet you where you are and, in doing so, provide you with the most secure option possible. In this case, that is TOTP.

What is HOTP, what is TOTP & what is the big difference?

There are two options when it comes to OTP: Hash-based Message Authentication Code (HMAC) based One-Time Password, or HOTP for short, and Time-based One-Time Password, or TOTP for short. HOTP uses an event-based algorithm: each code is derived from an event counter, and the code is invalidated once a user uses it. TOTP uses a time-based algorithm: each code is derived from a time counter and is invalidated once its time-to-use countdown hits zero. Duo now has both options available for users, with our recommendation to move strictly to TOTP once your organization can (we will discuss how to achieve this below).

Why use TOTP instead of HOTP?

Given how each option operates, HOTP is more susceptible to successful compromise if an attacker can phish and harvest these codes from a user. Combine this with a compromised primary credential, and the attacker can take their time to plan out an attack or even use it for monetary gain. TOTP can impede and stop these types of attacks even if a previous OTP code was harvested or phished from a user: the TOTP code is invalidated after 30 seconds even if the user never used the code to begin with.
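To make the difference between the two algorithms concrete, here is an added example (not code from the post or from Duo) implementing RFC 4226 HOTP and RFC 6238 TOTP in Python with a server-side verifier for each, and modelling the scenario above: an attacker harvests one code that the user never submits and tries it an hour later. The secret is the RFC test-vector key, the timestamp is constructed, and the five-step HOTP look-ahead window is an assumption.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter replaced by floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server side of HOTP: a moving counter plus a small look-ahead window for resync."""

    def __init__(self, secret: bytes, look_ahead: int = 5):  # look_ahead is an assumption
        self.secret = secret
        self.counter = 0
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consume: this and every earlier counter are now invalid
                return True
        return False


class TotpVerifier:
    """Server side of TOTP: only the code for the current step is accepted, and a step is
    accepted at most once so a code cannot be replayed inside its own window."""

    def __init__(self, secret: bytes, step: int = 30):
        self.secret = secret
        self.step = step
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        if current <= self.last_accepted_step:
            return False  # a code for this step has already been used
        if hmac.compare_digest(totp(self.secret, now, self.step), code):
            self.last_accepted_step = current
            return True
        return False


def harvested_code_demo() -> dict:
    """An attacker harvests the user's next code; the user never submits it."""
    secret = b"12345678901234567890"  # constructed demo seed (RFC test-vector key), not a real seed
    t0 = 1_699_999_980               # constructed timestamp aligned to a 30-second boundary
    hotp_server, totp_server = HotpVerifier(secret), TotpVerifier(secret)
    harvested_hotp = hotp(secret, 0)   # the user's next event-based code
    harvested_totp = totp(secret, t0)  # the user's code for the step starting at t0
    an_hour_later = t0 + 3600
    return {
        # Nothing has advanced the counter, so the event-based code is still accepted.
        "hotp_valid_after_1h": hotp_server.verify(harvested_hotp),
        # Once consumed, the same code is rejected.
        "hotp_replay_after_use": hotp_server.verify(harvested_hotp),
        # The time-based code is rejected once its step has passed...
        "totp_valid_after_1h": totp_server.verify(harvested_totp, an_hour_later),
        # ...and would only ever have worked inside its own 30-second window.
        "totp_valid_in_window": totp_server.verify(harvested_totp, t0 + 29),
    }


if __name__ == "__main__":
    for outcome, accepted in harvested_code_demo().items():
        print(f"{outcome}: {accepted}")
```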

This raises the bar significantly over HOTP for organizations that still need to rely on the OTP method. We know that it is still a very effective preventative measure against the three types of attacks from the study above: bot attacks, bulk phishing attacks, and targeted attacks. Primary credentials alone remain far more vulnerable: 99.9% of compromised accounts do not have MFA, and 50% of those are the cause of breaches.

How Duo Mobile TOTP settings are configured & things you should know

To find the settings, navigate to your Settings section in your Duo Admin Panel left menu bar. From here click on Duo Mobile App and locate the Passcodes section. You will have three options to prepare your migration to TOTP with a final option to permanently disable HOTP.

  1. Do not generate TOTP codes in Duo Mobile.

  2. Generate TOTP codes in Duo Mobile for specific groups.

  3. Generate TOTP codes in Duo Mobile for all users, with an option to “Discontinue HOTP support permanently” when your organization is ready.

Prerequisite:

Mobile devices with Duo Mobile 4.49.0 or newer will generate TOTP codes when enabled in the setting above. Older versions of Duo Mobile will generate only HOTP codes.

Frequently asked questions:

I do not see the “Passcodes” setting at all in my Duo Admin Panel?

For customers who sign up a new Duo account after May 2024, these tenants will automatically be defaulted to utilize TOTP codes only. You will not see the “Passcodes” settings section shown below as this default is not interchangeable. This applies to both Users and Administrators.

What about my Administrators accounts?

Duo Administrators have been updated to support TOTP by default if they are on Duo Mobile 4.49.0 and later.

What if some Administrators still have an older version of Duo Mobile?

We will also support HOTP codes for Duo Administrators who have older Duo Mobile App versions until you change your Passcodes settings to “Discontinue HOTP support permanently” in your Admin settings. This is the only setting in the “Passcodes” configuration section that applies to both end users and administrators.

Best Practices for migration from Duo Mobile HOTP to TOTP

Given that this is a change to the OTP method, we have implemented options in the settings that allow your organization to migrate to TOTP as slowly or as quickly as is feasible for your users. Note that the delivery, end users' usage, and experience do not change at all and will be seamless from an end user perspective. The main difference in experience will be the time allotted for the end user to input the code before it expires and the visible countdown on the end user's Duo Mobile app screen once TOTP is enabled.

Disabling HOTP Codes in Duo Mobile App Permanently

In both cases, we recommend waiting for a set period to review and monitor your users' authentications before completing the ultimate step of Discontinuing HOTP support permanently for Duo Mobile App. Two important notes:

  1. This setting is only for Duo Mobile App and will not affect your OTP Hardware Tokens.

  2. This setting is permanent once you save the discontinued use of HOTP codes. We cannot reverse this action; the goal is for all accounts to use the more secure TOTP option for your Duo-protected apps.

Easily monitor & keep track of your migration with Duo’s robust logging & reporting

Your administrators will have complete visibility during testing, migration, and finally disabling HOTP codes through Duo’s authentication logs. The authentication logs draw a clear distinction between users who use HOTP codes and those who use TOTP codes, which helps your organization through the stages of migrating to TOTP, as shown in the example below. You can view the logs directly in your Duo Admin Panel by navigating to Reports → Authentication Log, or retrieve them through Duo’s Admin API (application programming interface) for a customized view.

While TOTP is not a “one solution to rule them all” that stops every phishing attack, it is a step forward that dramatically reduces the attack vector HOTP brings to the table, making it more difficult to compromise users' accounts. On your journey to a Zero Trust architecture and to hardening your security posture against all the old and new ways attackers try to compromise your environment, Duo has all the tools you need to make a big dent in thwarting cyber criminals and increasing your security.

On top of TOTP, you can layer additional Duo security features to add to your arsenal, such as Risk-Based Authentication with novel IP detection for codes and impossible travel, Trusted Endpoints to only allow access from a machine your organization deems trusted, passwordless authentication, and Single Sign-On, to name a few.

For interested customers who would like to continue the conversation with a trusted advisor and further strategize a customized plan for your migration and best practices, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.

Additional resources

]]>
<![CDATA[Revolutionizing Palo Alto VPN Access With Duo SSO]]> lgreer@duo.com (Landon Greer) https://duo.com/blog/revolutionizing-palo-alto-vpn-access-with-duo-sso https://duo.com/blog/revolutionizing-palo-alto-vpn-access-with-duo-sso Product & Engineering

Join the thousands of Palo Alto firewall customers who take advantage of protecting Palo Alto VPN logins with Duo Single Sign-On via SAML 2.0 to help prevent unwanted access and streamline the user experience. Duo is a leading identity security platform that protects access to all applications, for any user and device, from anywhere. It is designed to be easy to use, administer, and deploy while providing complete endpoint visibility and control.

Duo SSO simplifies the authentication process for users by providing a single point of access to multiple applications. When paired with Palo Alto’s GlobalProtect VPN, it creates a fortified security perimeter that not only safeguards sensitive data but also ensures compliance with regulatory requirements. You may be asking yourself, ‘I already have Duo protecting my Palo Alto GlobalProtect VPN via RADIUS with the Duo Authentication Proxy, why would I modernize to Duo SSO?’ We could answer by discussing the security implications of RADIUS as a protocol as it continues to age, but it is better to talk about that alongside the further enhancements you will receive without any change in your Duo licensing costs.

Reasons to move to Duo SSO with Palo Alto VPN

All of the following functionality is only available for Palo Alto VPNs using the Duo Universal Prompt and protecting Palo Alto Firewalls with SAML 2.0. Duo will continue to invest in our focused security principles through the Duo Universal Prompt, so be sure to keep an eye out for new policy improvements.

Secure:

Duo's Verified Push multi-factor authentication (MFA) counters push-fatigue attacks, and passwordless biometric FIDO2 MFA resists phishing, while both deliver a secure and frictionless user experience, whether on mobile, on a laptop or with a security key. Duo's contextual access policies adapt to factors like unknown or untrusted devices, location, risk correlation, artificial intelligence and user behavior analytics to continuously verify identity and authorize access.

Simplify:

Duo’s simply easier for all: easier for admins to configure, deploy and manage, and easier for users to enroll, authenticate, self-remediate and self-service. It’s also easier for the help desk team to solve problems with Duo’s straightforward troubleshooting tools and detailed event logs. Finally, it’s easier for security operations analysts to review and analyze threat data and resolve risk faster.

Control:

Duo's platform provides robust, integrated ITDR and ISPM capabilities powered by Cisco Identity Intelligence, which provides identity security visibility from posture risk to advanced security threats with analysis from across your identity stack. This comprehensive set of tools allows visibility into all identities and devices accessing corporate applications, enabling zero trust security for any user on any device and quickly mitigating risk.

How to protect & modernize Palo Alto GlobalProtect VPN logins with Duo

Integrating Duo SSO with Palo Alto’s GlobalProtect VPN is a straightforward process that involves a few key steps:

  1. Configure Duo SSO within the Duo Admin Panel, adding users and defining authentication methods.

  2. Connect Palo Alto’s GlobalProtect VPN via SAML 2.0 to Duo SSO.

  3. Create Duo policy requirements for the Palo Alto GlobalProtect application, by application or by group.

  4. Validate the sign-in experience and test with a pilot group.

More detailed instructions can be found on Duo Docs.

Modernize security without sacrificing productivity

Duo SSO quickly connects to your identity provider of choice and integrates with any SAML or OIDC application, with dedicated integrations available for many widely used applications.

With Cisco Duo Single Sign-On, you can easily grant frictionless access to applications while simultaneously enforcing strong zero trust measures across applications, people and devices. As hybrid and mobile workforces continue to grow, establishing a seamless way to manage multiplying endpoints will streamline security operations and minimize your attack surface.

Start closing your cybersecurity readiness gap. Contact Cisco Duo today.

]]>
<![CDATA[UX: Your Passport to Better Security]]> gdikeako@cisco.com (George Dikeakos) https://duo.com/blog/ux-your-passport-to-better-security https://duo.com/blog/ux-your-passport-to-better-security Product & Engineering

Imagine a bustling city. Each day, its citizens follow a rhythm: waking up, commuting to work, engaging in their tasks, and returning home. In macroeconomics, analyzing such behaviors helps predict broader economic trends. How are they commuting to work? What are most people spending their money on? Similarly, in cybersecurity, considering the user as a whole entity—both as an employee and in their daily routines—yields significant insights. What applications are they authenticating to? What are the risks associated with this authentication?

In the realm of cybersecurity, user experience (UX) plays a crucial role in ensuring effective security measures. Just as understanding daily behaviors in a city can lead to better urban planning, focusing on UX in cybersecurity can lead to more secure and user-friendly environments.

Onboarding and Offboarding

Traditionally, onboarding and offboarding are associated with the beginning and end of an employee's tenure. Much like the daily rhythm of a city, it's equally important to think about these processes daily. Just as an employee starts their day by logging into various systems and ends it by logging off, each session can be considered a micro-onboarding and offboarding event. This daily cycle is crucial for maintaining security without compromising user experience.

Now imagine Lee, an end user. Lee starts the day by logging into their computer and accessing various applications. Each login is a potential security risk if not managed properly. Duo simplifies this process. By treating onboarding and offboarding as daily events, we can ensure that Lee's interactions with their work environment are both secure and efficient.

Duo Passport

Lee’s day improves significantly with Duo Passport. Without it, they would need to repeatedly log into different applications, a process that is not only time-consuming but also increases the risk of security lapses. Duo Passport simplifies application access and reduces logon fatigue by sharing remembered device sessions between applications, whether accessed from a browser or a desktop client. With Passport, Lee logs in once, and their authentication status is maintained across all applications, both in the browser and on the desktop. This seamless experience means that Lee can focus on their work without constant interruptions for re-authentication.

For more information on Duo Passport, and how it plays a larger role in Continuous Identity Security, check out this blog post.

How does it work?

Duo Passport leverages Duo Desktop, which shares trusted session information across browsers and desktop applications. This integration allows Lee to maintain their authenticated state, reducing the need to repeatedly enter credentials throughout the day.

For instance, when Lee logs into a web application and opts to remember their device during the authentication flow, that trust session extends to desktop applications as well. This seamless experience means that logging into one service can authenticate access to others, streamlining Lee's daily workflow without compromising security.

To truly appreciate the benefits of Duo Passport, let's walk through a typical day for Lee.

Morning: Let’s get this day started

Lee begins the day by logging into their Windows computer. They complete the Cisco Duo authentication process, selecting the option to remember the device. With Passport, this initial authentication carries over to other applications. As Lee opens their email client, they don't need to log in again. The trust session established during the Windows login extends to the email application, saving time and reducing frustration.

Midday: I’m on a roll

Throughout the day, Lee moves between various applications—project management tools, internal chat systems, and cloud-based storage solutions. With Passport, each transition is smooth. When Lee switches from the browser to a desktop application, the trusted session persists. Lee can access the resources needed without repeatedly entering credentials.

Afternoon: I need a change of scenery

As the day progresses, Lee decides to work from a different location. They move to a conference room for a meeting. Duo Passport adapts to this change. If the system detects a significant security event, such as an unusual login location, it prompts Lee to re-authenticate. This ensures that security remains robust even as the user environment changes.

Evening: Oops, I forgot to submit my timesheet!

At the end of the day, Lee logs off their computer. The trust session established by Passport remains in effect until it expires according to the configured policy. This means that if Lee logs back in later that evening to check on a project, they won't need to re-authenticate every application. The balance between convenience and security remains intact.

Think about an organization with hundreds of employees like Lee. If every employee saves just a few minutes each day by not having to log into applications repeatedly, the overall time savings are significant. More importantly, reducing the hassle associated with security protocols makes it more likely that employees will follow them, which strengthens the organization's security.

Conclusion

In cybersecurity, the importance of a seamless user experience is often underestimated. Yet, it’s crucial for the adoption and effectiveness of security products. Cisco Duo shows how focusing on user experience can boost security by increasing user adoption. Viewing onboarding and offboarding as daily events rather than just at the start and end of employment can create a more secure and efficient work environment.

By integrating Duo Passport, companies can provide their users with a smooth, secure, and efficient workday. This balance between user experience and security not only makes the workday easier for employees but also enhances overall productivity and security, highlighting the thoughtful design of Cisco Duo.

When you think about it, the parallels to macroeconomics are clear: just as an economy prospers when its citizens can go about their daily lives smoothly, an organization thrives when its employees can navigate their digital workspaces effortlessly. Cisco Duo, with its Passport feature, creates this seamless experience, proving that great user experience and strong security can work hand in hand to drive organizational success.

Start a Free Trial with Duo today to see Duo Passport in action!

]]>
<![CDATA[Understanding Identity Acronyms: What Are ISPM & ITDR?]]> mrotar@cisco.com (Mike Rotar) https://duo.com/blog/what-are-ispm-itdr https://duo.com/blog/what-are-ispm-itdr Industry News

The challenge: Limited visibility

Not all new software categories are created equal.

Cisco Talos reported in February that three of the top five MITRE ATT&CK techniques used in 2023 were identity-based, so identity clearly needs focused security attention.

Why? Access and identity sprawl is creating new security challenges for organizations of all sizes:

More likely than not, your organization has hundreds of applications across different departments and roles. The applications could be sensitive, privileged access, or not, and may be on-premises, SaaS-based cloud, self-hosted cloud or some combination. The identities (usually people, but sometimes service or machine identities) accessing the apps are likely working from anywhere, at any time, and maybe even from a work or personal device. They could be staff, but maybe there’s also temporary contractors or third parties who need controlled access.

The trouble with access policies

Access management policies that control access to applications are complex and typically unique per organizational role. They must be assessed individually and frequently to ensure consistent enforcement of the organization's security strategy (ideally a zero trust security strategy). Given this complexity, even the most advanced teams struggle to deploy, maintain and assess an access management policy posture that mitigates threats while also supporting a productive business. In 2022, Gartner saw this as a large enough security issue to create a new security software category called Identity Threat Detection and Response (ITDR).

Later in 2022, CISA bolstered this claim with an urgent cybersecurity advisory titled “Weak Security Controls and Practices Routinely Exploited for Initial Access”, which is CISA’s polite way of saying “your access management policy is weak and will get hacked”. Access policies are inherently complex because human behavior keeps pushing new work boundaries, and they can be expensive to deploy, support and update securely while maintaining productivity for users and for the IT and security teams supporting the infrastructure.

Ownership is likely spread across multiple departments: compliance and security teams, identity teams and other IT teams. In some scenarios, a sprawl of products covers parallel and competing use cases as well. The result is that vulnerable access policies get deployed simply to avoid friction across the various stakeholders, teams and leadership.

ITDR & ISPM introduced

Around the time of the CISA advisory, startups like Oort (acquired by Cisco in 2023, now Cisco Identity Intelligence) and Spera Security (acquired by Okta in 2023) began to gain traction with thought leadership around identity security. Meanwhile, bad actors were already mounting large-scale identity-based attacks, such as the 2023 casino breaches and the recent Snowflake breach, which show that social engineering is getting easier, faster and cheaper with the advancement of artificial intelligence (AI) automated attack toolkits and services.

With the aggressive growth of identity-focused attacks, it's critical that organizations have a resource that minimizes their identity posture and threat risks, so that bad actors cannot capitalize on hidden vulnerabilities across a multi-vendor identity security posture (policy misconfiguration, poor security strategy, poor end-user posture and hygiene, and more), and that helps them meet the requirements of compliance auditors as well. Below we define the emerging categories of Identity Threat Detection and Response (ITDR) and Identity Security Posture Management (ISPM) and what you should look for in a solution.

What is ITDR, or Identity Threat Detection & Response?

ITDR, or Identity Threat Detection and Response, is an emerging security software category coined by Gartner. ITDR helps organizations detect and mitigate identity risk by surfacing identity posture and security threats from across your environment. ITDR evaluates risk by analyzing existing identity providers, human resources information systems and other enterprise apps simultaneously while detecting risk with policies, permissions, user authentication logs, security events and additional third-party telemetry. Once gathered, ITDR solutions can correlate data from across all source tools and will typically surface the most critical vulnerabilities first or provide an ability to sort based on severity, compliance frameworks, security architecture guidelines, application source and more. This data is often capable of being sent to an external target, such as an XDR, SIEM, instant messaging applications, admin email distribution lists and more.

ITDR and ISPM solutions should also facilitate access management policies with a stronger, more reliable posture and threat signal for real-time risk assessment at the point of login or during an existing login session with correlation across identity providers, HRIS systems and enterprise apps.

What is ISPM, or Identity Security Posture Management?

ISPM, or Identity Security Posture Management, is a sub-category of ITDR focused on proactive identity posture assessment (not advanced security threat mitigation). This category is still emerging from ITDR, but some ISPM solutions have differentiated themselves by providing deeper posture mitigation than offered by standard ITDR solutions (such as user remediations).

Like ITDR solutions, ISPM solutions correlate data gathered from all source tools and typically surface the most critical posture and hygiene risks first, or allow sorting by severity, compliance framework, security architecture guideline, application source and more. This data can likewise be sent to external targets such as an XDR, SIEM, instant messaging applications or admin email distribution lists, and ISPM providers should also feed a stronger, more reliable posture and threat signal into access management policies for real-time risk assessment at login or during an existing session, with correlation across identity providers, HRIS systems and enterprise apps.

The Cisco Identity Intelligence team has a list of 50+ examples of posture risks and security threats for you to review which can help disambiguate between posture and threat risk.

Why is ITDR & ISPM important?

Identity and access management (IAM) policies are complex, unique per organization and are frequently poorly configured. ITDR (Identity Threat Detection and Response) and ISPM (Identity Security Posture Management) solutions are important because they provide visibility and control over your organization's identity posture (ISPM) issues and security threats (ITDR) in a single, comprehensive interface with correlation from across your identity stack — including identity providers (IdP), enterprise applications and human resource information systems (HRIS) — so your administrators can put in place stronger access management policies and strengthen access requirements. In the future, ITDR and ISPM will continue to be developed into a risk signal for identity and access management (IAM) policy for a stronger, proactive security response.

What should I look for in an ITDR & ISPM solution?

An ITDR, or Identity Threat Detection and Response solution, and ISPM, or Identity Security Posture Management should:

  • Connect and protect a multi-source list of connected target identity providers, human resources information systems (HRIS) and critical enterprise applications.

  • Control and visualize with a robust list of security and posture alerts that are based on a strong multi-source collection of security threat and posture hygiene signals and support advanced report filtering such as compliance frameworks, regulatory standards, and more.

  • Alert and remediate with live or retro event data to IAM solutions, ITSM solutions, SIEM solutions, email or chat/messaging notification solutions or mitigation remediation solutions.

Connect & Protect

ITDR and ISPM should support the ability to connect and protect a multi-source list of connected target identity providers, human resources information systems (HRIS) and critical enterprise applications with the same level of integration and focus, or have roadmap plans to support in the future. This may include identity providers such as Microsoft, Okta, Google, Auth0, or Ping, HRIS systems such as WorkDay or SAP, and enterprise applications such as Salesforce.

Control & Visualize

ITDR and ISPM should allow the ability to control and visualize with a robust list of security and posture alerts based on a strong multi-source collection of security threat and posture hygiene signals. The collection of signals should come from reliable sources including the target identity providers, human resources, enterprise applications, access devices, access telemetry, threat feeds, security solution integrations and more to understand the full impact of each posture or risk alert. 

An ITDR and ISPM should also support advanced report filtering such as:

  • Identity hygiene view/filter that identifies posture-based risk such as identity hygiene, no/weak MFA, dormant accounts, over-privileged users and more

  • Identity threats view/filter that identifies active identity-based threats to your organization based on signals provided from geo-location, device telemetry, external identity or security sources, anomaly detections, impossible travel and more

  • A compliance, regulatory and security framework monitoring view/filter that identifies alignment across CIS, CMMC, MITRE, NIST, PCI and SOX standards

  • An idle license insight view/filter that allows review of identity licensing usage across connected target identities, human resources and enterprise applications
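To make the identity hygiene and identity threat views above concrete, here is an added example (not code from Duo or Cisco Identity Intelligence) that runs two toy checks in Python: ISPM-style posture findings (missing MFA, dormant accounts) ranked most-severe-first, and an ITDR-style impossible-travel detection over consecutive logins. The user inventory, the authentication log, the 90-day dormancy threshold and the 1000 km/h travel ceiling are all constructed assumptions for illustration, not values from any real tenant or product.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample inventory, shaped like a correlated IdP/HRIS export (not real data).
USERS = {
    "alice": {"mfa_enrolled": True, "admin": False, "last_login": "2024-06-10T09:00:00Z"},
    "bob": {"mfa_enrolled": False, "admin": True, "last_login": "2024-06-11T08:30:00Z"},
    "carol": {"mfa_enrolled": True, "admin": False, "last_login": "2024-01-02T10:00:00Z"},
}

# Constructed authentication log: (user, UTC timestamp, latitude, longitude).
AUTH_EVENTS = [
    ("alice", "2024-06-11T09:00:00Z", 42.28, -83.74),   # Ann Arbor
    ("alice", "2024-06-11T09:40:00Z", 52.52, 13.40),    # Berlin, 40 minutes later
    ("bob", "2024-06-11T08:30:00Z", 37.77, -122.42),    # San Francisco
    ("bob", "2024-06-11T12:30:00Z", 34.05, -118.24),    # Los Angeles, four hours later
]


def parse_ts(ts):
    """Parse the Zulu timestamps used in the sample data into aware UTC datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def posture_findings(users, now, dormant_days=90):
    """ISPM-style hygiene checks: missing MFA and dormant accounts, most severe first."""
    findings = []
    for name, u in users.items():
        if not u["mfa_enrolled"]:
            # An administrator without MFA is the worst case; rank it above a regular user.
            findings.append((name, "no_mfa", "critical" if u["admin"] else "high"))
        if (now - parse_ts(u["last_login"])).days >= dormant_days:
            findings.append((name, "dormant_account", "medium"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[2]])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres on a spherical Earth (radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=1000.0):
    """ITDR-style threat check: consecutive logins by one user implying travel faster than max_kmh."""
    by_user = {}
    # ISO-8601 Zulu strings sort chronologically, so (user, ts) groups and orders in one pass.
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((parse_ts(ts), lat, lon))
    alerts = []
    for user, logins in by_user.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km == 0:
                continue  # same place: never impossible, even at the same instant
            # Treat anything under a second as one second so the speed stays finite.
            hours = max((t2 - t1).total_seconds(), 1.0) / 3600
            speed = km / hours
            if speed > max_kmh:
                alerts.append((user, t1.isoformat(), t2.isoformat(), round(speed)))
    return alerts


if __name__ == "__main__":
    now = parse_ts("2024-06-12T00:00:00Z")
    for finding in posture_findings(USERS, now):
        print("posture", *finding)
    for alert in impossible_travel(AUTH_EVENTS):
        print("threat  impossible_travel", *alert)
```

On the sample data the posture check lists bob (an admin without MFA) first and carol as dormant, and the travel check flags only alice, whose Ann Arbor-to-Berlin hop in 40 minutes implies roughly 10,000 km/h; bob's San Francisco-to-Los Angeles move in four hours is well under the ceiling. A real product would take the same two signals and push them to the SIEM, ITSM or IAM targets discussed later in the post.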

Alert & Remediate

The ITDR and ISPM solution should make it simple to act with alert and remediation options natively, or to your external target of choice including Identity and Access Management solutions (such as Microsoft and Duo) to influence access policy, SIEM (such as Splunk) or XDR (such as Cisco XDR) to correlate with other threat events, ITSM (such as Service Now or Jira) to submit new requests or tickets, and urgent email notifications or instant messaging notifications to your platforms of choice such as Google, Microsoft 365, Cisco Webex, Slack and Microsoft Teams. The event stream should support the format of the preferred target solution and provide clear, actionable logs with correlated data points.

The ITDR & ISPM Solution Checklist

Based on Duo research, we put together a simple three-step ITDR and ISPM solution checklist that may help your journey:

  1. Can you connect and protect a multi-source list of your target identity providers, human resources information systems (HRIS) and critical enterprise applications?

  2. Can you control and visualize a robust list of security and posture alerts based on a strong multi-source collection of security threat and posture hygiene signals?  Can you support your advanced report filtering needs such as compliance frameworks, regulatory standards and more?

  3. Can you alert and remediate with live or retro event data to your target IAM solutions, SIEM solutions, ITSM solutions, email or chat/messaging notification system or additional remediation solutions?

We hope this helps you on your identity security journey.

Does Cisco Duo have an ITDR or ISPM?

Yes, Cisco Identity Intelligence is Cisco's ITDR and ISPM solution. Cisco Identity Intelligence is available now to all Duo Advantage and Premier customers at no additional cost. Existing solutions in the market today are either too noisy with false positives, hyper-focused on legacy infrastructure or tailored for one specific identity solution. Current solutions lack the immediate, cross-platform enhanced visibility and value that customers seek. Cisco Identity Intelligence provides customers with unmatched visibility across their identity ecosystem in a single, comprehensive interface with low-noise insights based on a strong risk signal.

To learn more about creating a strong identity security strategy, be sure to watch our on-demand webinar Identity Under Siege: Strategies for Enhancing Security in a Zero Trust World.

Curious about your identity security hygiene? Schedule a Cisco Identity Security Assessment today!

]]>
<![CDATA[Duo Passport: Enhancing the Passkey Experience]]> jefyeo@cisco.com (Jeff Yeo) https://duo.com/blog/duo-passport-enhancing-passkey-experience https://duo.com/blog/duo-passport-enhancing-passkey-experience Product & Engineering

As the world embraces the future of passwordless authentication with passkeys, Duo Security continues to innovate and provide solutions that enhance the user experience while maintaining robust security. One such solution is Duo Passport, a feature that complements the power of passkeys by enabling seamless access across different applications and platforms.

The challenge of siloed authentication

In the traditional authentication landscape, users often face the frustration of having to repeatedly log in and authenticate across various applications and devices. Even with the adoption of passkeys, which eliminate the need for passwords, the authentication session can remain siloed within a specific application or browser context. This fragmentation can lead to logon fatigue and diminish the user experience, particularly in enterprise environments where employees need to access multiple resources throughout the day.

Duo Passport: Bridging the gap

Duo Passport addresses this challenge by enabling shared remembered device sessions between browser and desktop applications when accessed using Duo Desktop and a remembered devices policy. Here's how it works:

When Passport-enabled users sign in with Duo, Duo Desktop performs automatic device registration by attempting to generate a key pair, register the public key with Duo and use the key to sign further reports sent to Duo. This process allows the trusted session information used by Duo authentication to be shared between browser and desktop apps.

Without Duo Passport, Duo stores the trusted session information on the user's device per browser or application context, so a session established in one place does not carry over to another. With Duo Passport leveraging the automatic registration and payload signing features of Duo Desktop, users get a shared Passport session: they sign in once and access browser and desktop applications without re-entering credentials or repeating two-factor authentication.

Benefits of Duo Passport

  1. Improved User Experience: By eliminating the need for repeated logins and authentication prompts, Duo Passport significantly enhances the user experience, reducing logon fatigue and increasing productivity.

  2. Seamless Access: Users can seamlessly transition between different applications and platforms without interruptions, providing a consistent and cohesive authentication experience.

  3. Enhanced Security: Duo Passport leverages the security features of Duo Desktop, including automatic device registration and payload signing, ensuring that the shared authentication session remains secure and resistant to potential threats.

  4. Compatibility With Passkeys: Duo Passport complements the adoption of passkeys by enabling a shared authentication experience across different applications and platforms, further enhancing the benefits of passwordless authentication.

As organizations continue to embrace the future of authentication with passkeys, Duo Passport offers a valuable solution for bridging the gap between different applications and platforms, ensuring a seamless and secure user experience.

Want to experience Duo Passport for yourself? Sign up for a free trial today!

]]>
<![CDATA[Expanded Identity Security With Duo Single Sign-On: Duo Adds Support for OAuth 2.0 Client Credentials]]> cmedfisch@duo.com (Colin Medfisch) https://duo.com/blog/duo-adds-support-for-oauth-2-0-client-credentials https://duo.com/blog/duo-adds-support-for-oauth-2-0-client-credentials Product & Engineering

As identity-based attacks become more prevalent, the ability to fine-tune access at a granular level is not just an advantage, it's a necessity. Duo has been at the forefront of this shift, offering SAML support since 2015 and OIDC since 2023, which has helped many of our customers secure applications with Duo’s best-in-class identity security controls. Now we're refining our approach even further with support for OAuth Client Credentials, now Generally Available, to provide even more precise control mechanisms within our security suite.

Understanding OAuth Client Credentials

Before delving into how Duo Single Sign-On (SSO) leverages OAuth Client Credentials, let's clarify what this protocol entails. OAuth Client Credentials is part of the OAuth 2.0 specification, a widely adopted industry standard for authorization. Unlike the other OAuth 2.0 flows, which are designed around end-user approval, the Client Credentials grant type is specifically tailored for server-to-server (machine-to-machine) access, where no user interaction is involved.

In this flow, a client application can directly request an access token from the Authorization Server using its own credentials. Once the Authorization Server authenticates the client, it issues an access token. This token then grants the client application access to the protected resources hosted by the resource server. It's a streamlined process designed for efficiency and security, ideal for scenarios where applications must perform automated tasks without manual user intervention.

See the video at the blog post.

Secure segmentation by default

Duo SSO's implementation of OAuth Client Credentials is akin to a master key maker crafting unique keys for each room in a building. Just as a key maker can design a master key system with individual keys that provide access to specific areas while maintaining overall security, Duo SSO creates separate Authorization Servers for each OAuth client. This architecture allows for multiple clients to be associated with each Authorization Server, enabling secure segmentation by default — each client operates within its own compartmentalized space, much like rooms in a secure facility.

For applications that require broader access — like having passageways between rooms — we've developed Global Token Introspection. This feature is like installing viewports in doors, allowing one room to verify if a keyholder from another room should be granted access, all while keeping the doors locked and the integrity of each room intact. Global Token Introspection ensures that clients can check the validity of tokens from other Authorization Servers within the Duo SSO ecosystem, maintaining a secure boundary even as information is shared.

To enable Global Token Introspection and effectively manage the flow of access within your organization's infrastructure, we encourage you to reach out to Duo Support.
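To show the grant and the segmentation described above in working form, here is an added example (not Duo SSO's implementation) of a toy OAuth 2.0 authorization server in Python. It issues opaque bearer tokens through the client credentials grant and answers RFC 7662-style introspection. Each instance models one of the per-client Authorization Servers the post describes, and the `global_introspection` flag models Global Token Introspection. The class and method names, the two hypothetical servers "billing" and "reports", their clients, secrets and scopes are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time


class AuthorizationServer:
    """Toy OAuth 2.0 Authorization Server (added example, not Duo's code).

    Supports the client credentials grant (RFC 6749 section 4.4) and an
    RFC 7662-style introspection endpoint. Each instance is isolated: it only
    knows its own clients and its own tokens unless global introspection is
    explicitly enabled and peer servers are configured.
    """

    def __init__(self, name):
        self.name = name
        self._clients = {}  # client_id -> (salt, sha256(salt + secret), allowed scopes)
        self._tokens = {}   # opaque token -> claims
        self.peers = []     # other servers consulted by global introspection

    def register_client(self, client_id, client_secret, scopes):
        # Never store the raw secret; keep a salted hash, as for any credential.
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + client_secret.encode()).digest()
        self._clients[client_id] = (salt, digest, set(scopes))

    def token(self, client_id, client_secret, scope, ttl=300):
        """Client credentials grant: authenticate the client, mint an opaque bearer token."""
        record = self._clients.get(client_id)
        if record is None:
            return {"error": "invalid_client"}
        salt, digest, allowed = record
        presented = hashlib.sha256(salt + client_secret.encode()).digest()
        if not hmac.compare_digest(digest, presented):  # constant-time comparison
            return {"error": "invalid_client"}
        requested = set(scope.split())
        if not requested <= allowed:  # a client only receives scopes it was granted
            return {"error": "invalid_scope"}
        access_token = secrets.token_urlsafe(32)
        now = int(time.time())
        self._tokens[access_token] = {
            "active": True, "client_id": client_id, "scope": scope,
            "iss": self.name, "iat": now, "exp": now + ttl,
        }
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": ttl, "scope": scope}

    def introspect(self, access_token, global_introspection=False):
        """RFC 7662-style introspection: {"active": false} unless the token is known and unexpired."""
        claims = self._tokens.get(access_token)
        if claims is None and global_introspection:
            # Ask peer servers, but only when explicitly enabled for this server.
            for peer in self.peers:
                answer = peer.introspect(access_token)
                if answer["active"]:
                    return answer
        if claims is None or claims["exp"] <= int(time.time()):
            return {"active": False}
        return dict(claims)


def demo():
    """Two hypothetical per-client servers with one token crossing between them."""
    billing = AuthorizationServer("billing")
    reports = AuthorizationServer("reports")
    billing.register_client("invoice-svc", "s3cret-billing", ["invoices:read"])
    reports.register_client("etl-job", "s3cret-reports", ["reports:write"])
    reports.peers.append(billing)  # reports may consult billing, never the reverse

    tok = billing.token("invoice-svc", "s3cret-billing", "invoices:read")["access_token"]
    expired = billing.token("invoice-svc", "s3cret-billing", "invoices:read", ttl=0)["access_token"]
    return {
        "own_server": billing.introspect(tok)["active"],                          # True
        "segmented": reports.introspect(tok)["active"],                           # False
        "global": reports.introspect(tok, global_introspection=True)["active"],   # True
        "expired": billing.introspect(expired)["active"],                         # False
        "bad_secret": billing.token("invoice-svc", "wrong", "invoices:read").get("error"),
        "bad_scope": billing.token("invoice-svc", "s3cret-billing", "invoices:write").get("error"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two servers is the `segmented` result: a token minted by "billing" is simply unknown to "reports" until global introspection is switched on and a peer relationship exists, which is the locked-door-with-a-viewport behaviour the analogy above describes. The scope check matters too; a client should never be able to talk its way into a scope it was not registered for.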

The integration of OAuth Client Credentials into Duo SSO's offerings shows Duo’s commitment to providing advanced, adaptable, and precise security solutions. It's a testament to our dedication to evolving with the needs of our customers and to our vision of a secure, controlled enterprise environment. As we continue to refine and expand our capabilities, we invite you to explore the benefits of this granular security approach and join us in our mission to safeguard the identity perimeter with unmatched precision.

Next steps

OAuth Client Credentials support in Duo SSO is available for customers on Essentials, Advantage and Premier today! Check out the documentation for how you can start protecting your applications. 

For more on what we’re doing to revolutionize Continuous Identity Security, follow along in our Release Notes. If you’re an Essentials customer or a prospect interested in learning more about the power of Duo and our recently announced Cisco Identity Intelligence, the best path forward is signing up for an Identity Security Assessment. This assessment is effectively a free trial of the new functionality and will showcase a variety of valuable features and use cases.

Here’s to the future of secure Identity with Duo!

]]>
<![CDATA[Badge Integration With Cisco Duo Delivers Unique, Hardware-less MFA Experience]]> kylek@badgeinc.com (Kyle Kilcoyne) gleishman@duo.com (Ginger Leishman) https://duo.com/blog/badge-integration-with-cisco-duo-delivers-hardwareless-mfa-experience https://duo.com/blog/badge-integration-with-cisco-duo-delivers-hardwareless-mfa-experience Product & Engineering

Multi-factor authentication (MFA) has become a security staple, almost as ubiquitous in our daily lives as a morning cup of coffee. In the last year, more than 16 billion authentications have been handled by Duo. MFA is an important security tool to combat unauthorized account access. However, it is not foolproof. Traditional hardware-based MFA is high friction and imposes limitations that can be frustrating at best and increase the risk surface at worst, for example through MFA fatigue and account recovery processes. We are excited to share with you a new Duo Technology Partner, Badge, and Badge’s unique integration with Duo that provides the first hardware-independent roaming MFA.

Many Duo authentications secure virtual infrastructure such as cloud environments and remote access systems, cover workstation hopping, and restrict unknown and out-of-date devices from accessing applications and networks. Requesting access multiple times a day is commonplace in the day-to-day workflow of users, including billions of frontline workers worldwide. Some MFA methods disrupt operations, and the resulting employee workarounds significantly increase the opportunity for security breaches during the authentication process. Worse, when users are in device-not-present situations, such as when the mobile phone required for an MFA push is lost, broken or unavailable, the fallback is usually a phishable, high-friction account recovery process. Not only is this bad for the user experience, it is bad for security too, since account recovery is increasingly becoming the front door for attackers and phishing. We’ve seen this fallback to account recovery as a growing vector for fraud, as in recent high-profile attacks targeting large companies in healthcare and entertainment.

Badge's novel, privacy-preserving authentication enables Duo users to authenticate passwordlessly from any device without requiring the user to have previously registered on that device. This eliminates the need for Duo users to fallback to account recovery or redirect to a phone or token each time they need to authenticate. Badge seamlessly enables enterprise authentication across applications from multiple devices, all from a single enrollment. Badge helps Duo strengthen its security posture with a seamless MFA experience that's both portable and resistant to phishing, while also enabling a truly passwordless user experience.

“Badge not only streamlines access across applications and devices but crucially reduces the risk of phishing attacks or credential exposure, making it an indispensable tool for maintaining the integrity of secure environments. Badge is excited to partner with Cisco Duo to bring this important security and user experience benefit to Duo users.” — Dr. Tina P. Srivastava, Co-Founder of Badge

Moving the trust anchor

MFA works by relying on a device or a token as the trust anchor, which means that users need to have their device or token with them — and in working order — at all times to authenticate. This reliance on specific hardware, called device dependency, is a pain for user experience and impacts security when users are forced into fallback authentication flows. With Badge, the device dependency is gone — people are their own roots of trust, rather than just a device or token.

Badge offers a cost-saving solution to help reduce friction and enable seamless, passwordless enrollment using verified credentials (VCs). Badge leverages the initial Identity Verification (IDV) enrollment, and from there the user can authenticate to access this credential anywhere, anytime, on any device. No need for repeat IDVs throughout the user lifetime journey. This saves money and user frustration.

In addition to simplifying the enrollment process, Duo can also operate as a certified passkey provider leveraging Badge, extending the passwordless capabilities of Duo. Unlike other passkey models, the Badge integration with Duo does not require users to cede trust of their key trees or login credentials to a centralized authority. Instead, Duo users leveraging the Badge passkey implementation benefit from a trust model where users can establish key provenance and maintain control over their authentication keys, enhancing security and privacy. Again, with Badge, users enroll once, and may access their passkeys on any device (including across Apple, Microsoft and Google ecosystems).

By addressing the dual challenges of security and user experience, while reducing costs to the enterprise, Duo and Badge are setting new standards for what’s possible in secure, efficient, and user-friendly identity and authentication solutions.

To learn more about Badge’s integration with Duo, check out our technology partners page or watch a short demo.

Want to learn more about Badge? Contact the Badge sales team today.

]]>
<![CDATA[Opening the Black Box of Risk-Based Authentication]]> hmullman@duo.com (Hannah Mullman) https://duo.com/blog/opening-the-black-box-of-risk-based-authentication https://duo.com/blog/opening-the-black-box-of-risk-based-authentication Product & Engineering

As MFA fatigue attacks continue to wreak havoc on organizations of all sizes, security teams are left with difficult choices about how best to secure their workforces. More stringent security requirements often come with a large user experience cost, which can frustrate employees and reduce productivity. Duo’s Risk-Based Authentication (RBA) helps solve this by adapting MFA requirements based on the level of risk an individual login attempt poses to an organization. Our algorithm considers the user’s authentication history, their location, and device to assess whether the user appears to be who they say they are, or whether their login is anomalous enough to resemble a potential attack. Risky authentications are stepped-up, and users are required to authenticate with a more secure factor.

Organizations are sometimes hesitant to deploy policies that use artificial intelligence and machine learning because it is inherently difficult to predict what will happen. Will users get blocked? How many step-up authentications will a user have to do every week? Is the help desk going to be inundated with tickets? We heard these questions from our customers repeatedly, which is why we are thrilled to announce the launch of Risk-Based Authentication Preview Mode.

Now, Advantage and Premier customers can see the impact of Risk-Based Factor Selection before they turn on the policy. When Duo’s algorithm sees an authentication that would have been stepped-up with RBA, we will present a banner in the Authentication log to show administrators more information about why this authentication looked risky. The Preview Insights window will also show information about how many step-up authentications would have been required in the past 30 days and how many of those users would require assistance from the help desk (e.g., if the user does not have a more secure factor enrolled).

Our goal with these new features is to open the black box of RBA. AI is a powerful tool that can help us solve many different problems. But when it comes to security, we know how important it is to trust how access decisions are being made. We want to make sure customers feel confident that their users are protected against the most prevalent MFA attacks when they use Duo’s Risk-Based Authentication.

Preview Mode will be on by default for all Advantage and Premier customers and can easily be toggled off, should customers not wish to see banners with detection information. We hope this helps customers feel prepared to strengthen their authentication policy and enable Risk-Based Authentication.

]]>
<![CDATA[Duo’s Data-Driven Defense: Combatting Cyber Threats in Higher Education]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/duos-data-driven-defense-combatting-cyber-threats-in-higher-education https://duo.com/blog/duos-data-driven-defense-combatting-cyber-threats-in-higher-education Industry News

Duo has a long history of protecting students across universities and higher education institutions. From personally identifiable information to federal grants and loans, students and schools are a regular target for attackers. Because Duo has such a large presence in the world of education, we can also spot trends in attack tactics and learn how to better secure your organization.

One threat pattern Duo has seen targeting higher education within the last year combines MFA-targeted attacks such as passcode phishing and MFA fatigue. If successful, the bad actor registers a malicious device on the student’s account to keep persistent access to that account and to the university’s VPN. Duo Data Scientist Becca Lynch wrote about these attacks in the blog Identity Threat Trends for Higher Education.

Duo has continued monitoring and responding to these attacks, while working with many of the higher education targets to secure their environments. But Duo hasn’t stopped there, as we have a unique ability to respond and establish scalable, structured product enhancements to our threat detection and response capabilities.

How Duo can help

When users set up Duo Mobile, Duo takes a device fingerprint of that phone, which is stored securely in our database. A typical device is linked to a small number of Duo accounts. For example, a user might use their personal cell phone to protect their school account and, when they graduate, use the same phone at their new job to protect their corporate account.

However, it is extremely rare for one device to be paired with hundreds of accounts, and that is exactly what the attackers are doing: they pair the same device to every user account they have breached. One device being used to authenticate the accounts of 27 students across 5 schools? That’s phishy.

With Duo’s new feature, we can now block those malicious devices from continuing to access Duo-protected applications and the Duo Admin Panel. In the Admin Panel, the logs now show when a device is blocked and why. A block can also trigger an email to any configured administrator, giving immediate, up-to-date alerts on what is going on in their environment.
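The device-reuse signal described above, as an added example that is not Duo’s detection code: it reads a constructed set of device-registration events (timestamp, tenant, user, device fingerprint; the log format, field names and the default threshold of three accounts are all assumed) and flags any fingerprint enrolled against more than that many distinct accounts, reporting the tenants it spans so an analyst can tell a graduate’s reused phone from an attacker’s shared authenticator.

```python
"""Flag authenticator devices paired with an unusual number of accounts.

Added example, not Duo's detection code: it models the device-reuse signal
described above over a constructed registration log whose format and field
names (timestamp, tenant, user, device fingerprint) are assumed.
"""
from collections import defaultdict

# Constructed sample events. Device fp-7c1e is enrolled by five different users
# across three tenants; fp-a1b2 is one person's phone reused at a new employer.
SAMPLE_EVENTS = """\
2024-05-01T08:02:11Z,state-univ,alice,fp-a1b2
2024-05-01T08:05:40Z,state-univ,bob,fp-c3d4
2024-05-01T09:10:02Z,state-univ,carol,fp-7c1e
2024-05-01T09:11:45Z,state-univ,dave,fp-7c1e
2024-05-01T09:12:30Z,tech-college,erin,fp-7c1e
2024-05-01T09:13:12Z,tech-college,frank,fp-7c1e
2024-05-01T09:14:59Z,city-college,grace,fp-7c1e
2024-05-02T07:30:00Z,acme-corp,alice,fp-a1b2
"""


def parse_events(text):
    """Parse comma-separated lines into (timestamp, tenant, user, device) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, tenant, user, device = (field.strip() for field in line.split(","))
        events.append((ts, tenant, user, device))
    return events


def accounts_per_device(events):
    """Map each device fingerprint to the set of (tenant, user) accounts it protects."""
    seen = defaultdict(set)
    for _ts, tenant, user, device in events:
        seen[device].add((tenant, user))
    return seen


def flag_shared_devices(events, max_accounts=3):
    """Return devices enrolled on more than max_accounts distinct accounts, most
    accounts first, with the tenants each one spans as context for the analyst."""
    flagged = []
    for device, accounts in accounts_per_device(events).items():
        if len(accounts) > max_accounts:
            tenants = sorted({tenant for tenant, _user in accounts})
            flagged.append({"device": device, "accounts": len(accounts), "tenants": tenants})
    return sorted(flagged, key=lambda hit: hit["accounts"], reverse=True)


if __name__ == "__main__":
    for hit in flag_shared_devices(parse_events(SAMPLE_EVENTS)):
        print(f"{hit['device']}: {hit['accounts']} accounts across {hit['tenants']}")
```

Running it reports only fp-7c1e (five accounts across three tenants); alice’s phone, reused at acme-corp, stays under the threshold. Counting distinct (tenant, user) pairs rather than raw registrations matters, because a single user re-enrolling the same phone several times should not inflate the count.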

Duo can help protect every organization, not just universities, from these threats through improved threat detection and response capabilities. But the importance of secure policies should not be ignored.

We encourage all Duo customers, especially schools and other educational institutions, to ensure that they set up their policies to better protect their users, students and faculty alike. That means using secure authentication factors, implementing risk-based authentication to respond to change in user context, and pairing authentication with device trust policies through Duo’s Trusted Endpoints. It also means using an observability tool, like Duo Trust Monitor, to provide a view of all user events, including registrations and authentications, across your environment.

If you are not a current Duo customer but are interested in learning more, sign-up for a free trial today.

]]>
<![CDATA[Legacy Authentication Protocols: Why RADIUS Is (Still) Important]]> pdackiew@cisco.com (Paul Dackiewicz) https://duo.com/blog/why-radius-is-still-important https://duo.com/blog/why-radius-is-still-important Industry News

When reading the title of this blog, you might be wondering to yourself why RADIUS is being highlighted as a subject — especially amidst all of the advancements of modern authentication we see taking place recently. The truth is, for as old as RADIUS is, it is still (to this day) a vital protocol used in virtually every network infrastructure. Although it has many functions within the network itself, the purpose of this article is to show how RADIUS can be used when protecting applications with Duo, the benefits/drawbacks of the protocol, and why it deserves our attention.

Also, customers who subscribe to Duo Care have access to a Customer Success Manager (CSM) and a Customer Solutions Engineer (CSE). This dynamic duo provides solution architecture consulting, best practices, and overall security strategy when it comes to using RADIUS in conjunction with Duo’s services — and can help you navigate the pros and cons of the protocol relative to your organization’s specific environment and end-user needs.

What is RADIUS?

First, let's level-set on what we are talking about. RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. It is commonly used for network access into VPNs, wireless access points, and other devices (more on this later). 

RADIUS itself is a protocol that defines a method for passing authentication information between the network service and the AAA server, but it doesn't define the actual authentication methods. Instead, it supports a variety of authentication protocols, including EAP, PAP, CHAP, and others. Here are the differences between some of these protocols:

1. Extensible Authentication Protocol (EAP)

  • EAP is a framework that supports multiple authentication methods.

  • It’s very flexible and can work with a range of authentication mechanisms, including certificates and public key infrastructure (PKI).

  • EAP itself isn’t a specific authentication mechanism, but a way to encapsulate the authentication process.

  • EAP can be used in conjunction with RADIUS to authenticate users in more secure and complex scenarios.

  • It’s commonly used with wireless networks and Point-to-Point connections, but it’s also used for a specific VPN integration with Duo.

  • The only officially supported Duo integration that makes use of EAP is NetMotion Mobility.

  • Does the Duo Authentication Proxy support EAP or PEAP?

  • Protected EAP (PEAP) allows for TLS inside of RADIUS. Note that this is different from RadSec, which is TLS encryption of RADIUS over TCP. 

2. Password Authentication Protocol (PAP)

  • PAP is a simple authentication protocol where the username and password are sent to the server in plain text.

  • PAP itself does not encrypt credentials. When carried in RADIUS, the User-Password attribute is obfuscated by XORing it with an MD5 stream derived from the shared secret and the Request Authenticator, so anyone who holds (or captures) the shared secret can recover the password. A shared secret is required when using the Duo Authentication Proxy.

  • Learn more about how Duo protects PAP authentication.

3. Challenge-Handshake Authentication Protocol (CHAP)

  • CHAP is more secure than PAP because it uses a challenge-response mechanism: the server sends a random challenge, the client replies with a one-way hash (MD5) of the challenge combined with the password, and the server recomputes and compares that value.

  • The password itself is never actually sent over the network.

  • Periodic re-challenges can be sent during a session to confirm that the peer still holds the password and that the connection has not been taken over by another client.

  • The Duo Authentication Proxy does not support CHAP.

4. Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)

  • MS-CHAP is a Microsoft version of CHAP that includes additional features, such as a different method for hashing and an additional authentication response designed to support Microsoft clients and servers.

  • MS-CHAPv2 improves on the original MS-CHAP with stronger key derivation and mutual authentication (the server also proves knowledge of the password to the client). Note, however, that the MS-CHAPv2 response is built from DES operations on the user’s NT password hash and can be cracked offline by an attacker who captures the exchange, so it should only be carried inside a TLS tunnel such as PEAP.

  • Does the Duo Authentication Proxy support MS-CHAPv2 or EAP-MSCHAPv2?

In practice, the choice of which authentication protocol to use with RADIUS depends on the required level of security, the capabilities of the client and server equipment, and the specific use case.

Anatomy of a RADIUS packet (with Duo MFA)

The flow of a RADIUS packet through the RADIUS protocol involves several steps and typically follows this sequence:

  1. Access-Request — The flow begins when a client device (the RADIUS client, usually a network access server or NAS) sends an Access-Request packet to a RADIUS server. This request carries the credentials provided by the user, such as a username and password, along with other attributes such as NAS-IP-Address and NAS-Port. The application that Duo is protecting acts as the RADIUS client.

  2. Processing the Request — Upon receiving the Access-Request, the RADIUS server processes the request by verifying the user's credentials against a user database, typically by way of the Duo Authentication Proxy. This might involve checking Active Directory (via LDAP) or another downstream RADIUS server, such as Microsoft NPS.

  3. Challenges (Optional) — If additional information is required from the user (in the case of challenge-response authentication), the RADIUS server sends back an Access-Challenge packet to the RADIUS client. The client then prompts the user for additional information, which is sent back to the RADIUS server in another Access-Request packet that echoes the server’s State attribute. A typical example of this is the radius_server_challenge configuration of the Authentication Proxy.

  4. Duo Multi-Factor Authentication — Once the Authentication Proxy receives a successful primary-authentication response from the user database (AD, NPS, etc.), it sends an HTTPS request to Duo’s cloud service to perform MFA. The result of that second-factor authentication determines which RADIUS message is sent next.

  5. Access-Accept or Access-Reject — After processing the request, the RADIUS server responds to the NAS with one of the following:

    • Access-Accept — The user’s credentials are valid, and the server may include authorization attributes that tell the NAS of any specific conditions for access. The user is permitted to access the application.

    • Access-Reject — The user’s credentials are not valid or the user is not authorized for access. No further attributes are needed or sent. The user is not permitted to access the application.

Fig. 1: Example network diagram of a RADIUS packet flow with Duo

We won’t delve into Accounting workflows since Duo does not support this part of the RADIUS protocol. When Duo MFA is invoked, record-keeping data is tracked in the Authentication Log.

Throughout the entire process, RADIUS uses UDP as the transport protocol, with port 1812 for authentication by default (1813 for accounting; some older deployments still use 1645/1646). Contrary to a common assumption, RADIUS packets are not encrypted on the wire. The protocol defines no encryption for the payload; it relies on a shared secret between the RADIUS client and server to obfuscate the User-Password attribute (and a few others, such as Tunnel-Password) and to compute the Response Authenticator and the optional Message-Authenticator that let each side check a packet came from a peer holding the secret. Usernames, Reply-Message prompts, and the remaining attributes travel in cleartext, and the password obfuscation is reversible by anyone who knows the secret, so the strength of the secret and the trustworthiness of the network path between NAS and server both matter; where that path is untrusted, use RadSec (RADIUS over TLS) or an IPsec tunnel. Learn how to protect the shared RADIUS secret and other passwords that reside on the Duo Authentication Proxy.
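The exchange in Fig. 1, together with the PAP and CHAP password handling described in the protocol list above, as an added example that is not Duo’s or the Authentication Proxy’s code. It implements the RFC 2865 packet layout, User-Password hiding with the shared secret, the CHAP-Password derivation, the Response Authenticator check a client performs on a reply, and the two-round Access-Request / Access-Challenge / Access-Request (with State) / Access-Accept flow. The shared secret, the user database, the NAS address and the passcode are all made-up values, and the toy server stands in for the proxy plus its primary authenticator and Duo’s cloud service.

```python
"""RADIUS Access-Request / Access-Challenge / Access-Accept exchange (RFC 2865).
Added example, not Duo's or the Authentication Proxy's code; the secret, user
database, NAS address and passcode are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, STATE = 1, 2, 3, 4, 18, 24
SHARED_SECRET = b"example-shared-secret"  # assumed; configured on both NAS and proxy
USERS = {b"alice": b"correct horse"}      # assumed primary-auth user database
PASSCODE = b"123456"                      # assumed second-factor passcode
SESSIONS = {}                             # State value -> user awaiting a passcode

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous block), the first
    keyed by the Request Authenticator. Reversible with the secret: obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password; the received blocks are the chaining input."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_password(ident, password, challenge):
    """RFC 2865 5.3: ident || MD5(ident || password || challenge), keyed by the user's
    password rather than the shared secret, so the server needs that password in cleartext."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()

def encode(code, ident, authenticator, attrs):
    """Header (code, id, length, 16-byte authenticator) followed by type/length/value AVPs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def decode(packet):
    code, ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = [], 20
    while pos < length:
        t, l = packet[pos], packet[pos + 1]
        attrs.append((t, packet[pos + 2:pos + l]))
        pos += l
    return code, ident, packet[4:20], attrs

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = bytes([code, ident]) + struct.pack("!H", 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()

def client_request(ident, username, password, state=None):
    """NAS side: fresh random Request Authenticator, hidden password, optional State."""
    auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, hide_password(password, SHARED_SECRET, auth)),
             (NAS_IP_ADDRESS, bytes([10, 0, 0, 5]))] + ([(STATE, state)] if state is not None else [])
    return encode(ACCESS_REQUEST, ident, auth, attrs), auth

def server_handle(packet):
    """Proxy side: round one checks the password and challenges for a passcode;
    round two (the request carries State) checks the passcode and accepts."""
    code, ident, req_auth, attrs = decode(packet)
    a = dict(attrs)
    user = a.get(USER_NAME, b"")
    supplied = unhide_password(a.get(USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    if STATE in a and SESSIONS.pop(a[STATE], None) == user and hmac.compare_digest(supplied, PASSCODE):
        reply, out = ACCESS_ACCEPT, []
    elif STATE not in a and hmac.compare_digest(USERS.get(user, b""), supplied):
        state = os.urandom(8)
        SESSIONS[state] = user
        reply, out = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter Duo passcode:"), (STATE, state)]
    else:
        reply, out = ACCESS_REJECT, []
    return encode(reply, ident, response_authenticator(reply, ident, req_auth, out, SHARED_SECRET), out)

def client_verify(reply, req_auth):
    """Return the reply code, or None when the Response Authenticator does not verify."""
    code, ident, resp_auth, attrs = decode(reply)
    expected = response_authenticator(code, ident, req_auth, attrs, SHARED_SECRET)
    return code if hmac.compare_digest(resp_auth, expected) else None

def run_exchange(username, password, passcode):
    """Drive the Fig. 1 flow end to end; return the reply codes the client accepted."""
    pkt, auth = client_request(1, username, password)
    reply = server_handle(pkt)
    codes = [client_verify(reply, auth)]
    if codes[0] == ACCESS_CHALLENGE:
        state = dict(decode(reply)[3])[STATE]
        pkt, auth = client_request(2, username, passcode, state)
        codes.append(client_verify(server_handle(pkt), auth))
    return codes
```

Calling run_exchange(b"alice", b"correct horse", PASSCODE) returns [11, 2], an Access-Challenge followed by an Access-Accept; a wrong password yields a single Access-Reject and a wrong passcode a Challenge then a Reject. Two details are worth noticing: unhide_password needs nothing but the shared secret, which is why the strength and handling of that secret matter so much, and client_verify drops any reply whose Response Authenticator does not match, which is the client’s only protection against a forged Access-Accept arriving over plain UDP.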

Is RADIUS still relevant?

RADIUS is typically viewed as a legacy network protocol since it cannot take advantage of modern security benefits that would normally be available when using WebAuthn, such as phishing-resistant MFA, enhanced device telemetry, biometrics, and Passwordless. We typically see RADIUS deployed (to this day) in a network appliance ecosystem because (along with TACACS+) it is one of the protocols of choice for logging into routers, switches, wireless access points, and VPNs. Robust identity platforms such as Cisco Identity Services Engine (ISE) can enhance the agility, automation, and visibility of the RADIUS protocol. Although it is recommended that end-user facing applications be migrated over to a modern authentication protocol such as browser-based SAML or OIDC (that leverage Single Sign-On), the need for RADIUS-based client/server authentication is still prevalent today. For example, consider the following points:

  1. Widespread Adoption: RADIUS has been implemented in a wide range of network devices and services. Many vendors support RADIUS in their networking equipment, making it a de facto standard for network access control.

  2. Centralized Authentication: RADIUS allows for centralized management of authentication credentials. This means that users can be authenticated across various network services and devices from a single point of control, which simplifies administration.

  3. Support for Multiple Authentication Methods: RADIUS supports a variety of authentication methods, including PAP, CHAP, MS-CHAP, EAP, and more. This flexibility allows it to integrate with various types of user databases and authentication mechanisms, including modern multi-factor authentication (MFA) systems, such as Duo.

  4. Interoperability: RADIUS works across different types of networks, including wired, wireless, and VPN connections. Its ability to function in diverse environments makes it a versatile tool for network administrators.

  5. Scalability: It can handle a large number of authentication requests, making it suitable for organizations of all sizes, from small businesses to large enterprises and ISPs. Compared to LDAP, RADIUS has less overhead when processing requests via the Authentication Proxy.

  6. Security: Although it has some limitations in terms of encryption, RADIUS does offer a level of security that is sufficient for many scenarios. The use of shared secrets and attribute obfuscation helps protect sensitive information as it travels across the network.

  7. Compatibility With Legacy Systems: Many organizations have legacy systems and infrastructure that already integrate with RADIUS. Switching to a new system using SAML or OIDC may not be (yet) feasible for an organization or the application vendor, so RADIUS remains relevant for ensuring compatibility and protecting existing technology investments.

Should I use RADIUS with Duo?

Duo supports many named integrations via RADIUS as well as a generic integration that can be used to protect virtually any RADIUS-based application. When deciding whether to use RADIUS, you might be at the mercy of the application, which may support only RADIUS (and perhaps even only a specific authentication protocol, such as MS-CHAPv2). Or you might have the option to choose between RADIUS and another protocol such as LDAP or SAML when integrating with Duo. For example, Cisco ASA for AnyConnect has multiple integration options, as seen in the ‘What are the differences between the various Cisco ASA configurations?’ knowledge base article.

To help you choose the best option for protecting your application with Duo, note some of the key differences between RADIUS and other protocols:

Conclusion

No matter what authentication method or protocol you choose to integrate with Duo, there will always be differences in security, usability, and compatibility that should be carefully considered. RADIUS remains an integral part of most network ecosystems and has enough use today to warrant serious consideration. As applications move toward modern protocols such as OIDC and WebAuthn, we should see a reduction in overall RADIUS usage, but critical use cases will likely remain for the foreseeable future.

Access-Accept!

]]>
<![CDATA[Device Security Beyond Enrollment: Securing the Self-Service Portal]]> pschafer@cisco.com (Phillip Schafer) https://duo.com/blog/device-security-beyond-enrollment-securing-self-service-portal https://duo.com/blog/device-security-beyond-enrollment-securing-self-service-portal Product & Engineering

Duo’s Self-Service Portal (SSP), which lets users manage their own authentication devices, saves time for both Duo users and admins. However, it can also be a target for cyberattacks. Often the first step for an attacker with stolen credentials is to try to fraudulently register an MFA device, giving persistent access to the user’s account.

In a recent blog, we discussed best practices for user enrollment, including how to prevent malicious device registration when users self-enroll. In this blog we’ll share best practices for Duo admins to continue to reap the benefits of self-service after enrollment while keeping their user accounts secure.

Why use the Self-Service Portal?

What’s the risk?

Self-service device management presents a similar risk to new user self-enrollment: a bad actor with stolen user credentials can attempt to access the SSP and register their own device. Once they do so, they gain persistent access to the account.

Unlike new user enrollment workflows, the SSP is protected by MFA. However, actors may try to circumvent MFA using techniques such as passcode phishing or MFA fatigue attacks. If one of these techniques succeeds against the SSP, the actor's newly registered device lets them circumvent MFA protections for future logins to other applications.

How to protect the SSP

Protecting the SSP follows the same principles as any other resource. However, security posture exists on a spectrum and often trades off against end-user friction. A critical resource like the SSP should lean toward the secure end of that spectrum. Fortunately, users should need to access the SSP infrequently, so locked-down access controls will not be much of a burden.

For SSP access, Duo by default overrides configuration settings that would otherwise let users bypass MFA, such as remembered-device and authorized-network policies and user bypass status. We further recommend setting custom policies for the SSP to ensure a strong posture. Specifically:

In addition to these application policy settings, admins can elect global settings to guard against device registration attacks.

With some or all of these safeguards in place, the SSP can be an effective way for users to manage their devices.

]]>
<![CDATA[Social Engineering 201: How the User Protection Suite Safeguards Organizations]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/social-engineering-201-how-user-protection-suite-safeguards-organizations https://duo.com/blog/social-engineering-201-how-user-protection-suite-safeguards-organizations Product & Engineering

In Social Engineering 101, we shared the story of John, the well-meaning employee who fell victim to a phishing attack. In this scenario, John was tricked into resetting his password by a bad actor pretending to be the IT team, which gave away access to his account. In that blog, we also discussed the many ways Duo protects John, from strong authentication methods to pairing authentication with device trust policies.

But what if the email never reached John, or the phishing link was blocked? That’s why most organizations do not rely on a single security solution but layer defenses around users and sensitive resources to ensure there isn’t a single point of failure. However, the disparate security solutions meant to protect against particular threats can lead to visibility and administration challenges for organizations.

That’s why Cisco protects users from the top attack vectors targeting organizations with the User Protection Suite, which includes Duo. The User Protection Suite defends all users, devices and access to applications to reduce gaps in the attack surface.

Now, let's rethink the story of John when he is protected by the suite.

In this new story, let's assume that email protection was not in place and the malicious email made it to John. When he clicked on the bad link, Cisco Secure Access would step in and block the user from accessing the malicious destination. Cisco sees 1 million malicious domains every hour, and all that data means we have a good idea when a website should be blocked. In this new scenario, we know John could only click the link on his managed laptop because Duo’s Trusted Endpoints would block email access on unknown or unmanaged devices.

We’ve now seen John’s credentials protected by Duo and his access protected by Secure Access. But now let’s consider if John never received the attacker’s email because Email Threat Defense recognized signs of malicious intent: there was an urgent request, from an unknown sender, with a malicious link. Email Threat Defense uses multiple AI detection engines to determine the difference between true threats and false positives. It would block the email from reaching the end user and quarantine the link to provide the organization’s administrators with the context to better understand the nature of the threats targeting their organization.

When protecting users against threats, we can never assume there is one silver bullet or singular solution. Attackers are constantly finding new ways to target users and get access to an organization’s resources and data. This is not a new story. However, when Cisco security solutions bring email, web, endpoint and authentication to work together to layer the defenses around the user, that makes our users, and organizations, safer.

To learn more about how the User Protection Suite can protect your organization today, see the Cisco User Protection Suite webpage and connect with an expert today.

]]>
<![CDATA[Enhancing Duo With Cross-Platform Identity Data]]> benmyers@cisco.com (Ben Myers) https://duo.com/blog/enhancing-duo-with-cross-platform-identity-data https://duo.com/blog/enhancing-duo-with-cross-platform-identity-data Product & Engineering

Identity remains a key target of attackers. Breaches leveraging identity for initial access or even privilege escalation and lateral movement are on the rise. The increased complexity of modern identity systems only intensifies the challenge of securing the identity perimeter. Organizations are grappling with a stark reality: Without contextual insights into their multi-vendor identity ecosystems, they are often blind to gaps in their defenses.

As a part of Duo’s new Continuous Identity Security solution, our deep integration with Cisco Identity Intelligence is here to bridge these gaps and deliver a new standard of protection. In the current climate of diverse Identity Providers (IdPs), hybrid workforces, and a mix of managed and unmanaged devices, Duo and Cisco Identity Intelligence organize identity perimeter data and make it easier to defend and protect.

Here's the essence of the solution: Cisco Identity Intelligence amplifies the value of your identity and security tools, including industry standbys Microsoft Entra and Okta. By integrating data from various sources, including HR systems like Workday and customer relationship platforms like Salesforce, Cisco Identity Intelligence constructs a comprehensive identity landscape. With this enriched data, Cisco Identity Intelligence organizes identity-related activity, encompassing all accounts and devices across your IdPs. This panoramic view can then be leveraged by Duo to inform enforcement points, perform Identity Threat Detection & Response (ITDR), and proactively harden your Identity and Access Management (IAM) posture.

The advantages are clear and twofold. First, you receive actionable intelligence on IAM posture gaps, enabling proactive fortification against identity-based attacks. Second, access decisions are enriched with multi-vendor identity context.

Consider the practical implications: Cisco Identity Intelligence enables administrators to significantly enhance their organization’s identity posture through critical insights into dormant accounts, gaps and vulnerabilities in MFA deployment, admin activities, and more. By coupling these insights with Duo's robust access management capabilities, organizations can modify access experiences — stepping requirements up or down – based on identity enrichment. For example, if Cisco Identity Intelligence detects a compromised session — it can seamlessly pass that information to Duo to provide enforcement like stepping up authentication requirements or revoking a session.

A CISO from a leading healthcare company expressed the tangible benefits of the integrated solution: "Cisco Identity Intelligence provides us with precise insights into identity threats. We're able to identify and address MFA adoption rates and other identity vulnerabilities, allowing us to proactively strengthen our defenses in Duo."

Next steps

The most exciting news is that Duo’s integration with Cisco Identity Intelligence is available in Public Preview to most customers today. For Duo Advantage and Premier customers, follow the documentation here to activate your integration today.

If you’re an Essentials customer or a prospect interested in learning more about the power of Duo + Cisco Identity Intelligence, the best path forward is signing up for an Identity Security Assessment. This assessment is effectively a free trial of the new functionality and will showcase a variety of valuable features and use cases.

This is just the beginning. The integration between Duo and Cisco Identity Intelligence will only improve over time — so stay tuned for product updates. Here’s to helping defend the identity perimeter!

]]>
<![CDATA[The Front Door Just Got a Lot Harder to Break Into: Announcing Passwordless Authentication for Windows Logon]]> kehankin@cisco.com (Kevin Hankins) https://duo.com/blog/announcing-passwordless-authentication-for-windows-logon https://duo.com/blog/announcing-passwordless-authentication-for-windows-logon Product & Engineering

“The best way to break in is through the front door.”

We’ve heard some version of this phrase many times over, whether it pertains to a bad actor physically breaking into a secured building or socially engineering an unsuspecting victim to provide access to protected information. The cybersecurity landscape is littered with front doors, while modern society’s reliance on digital technologies is only increasing. Inevitably, several times during the workday, employees need to enter their credentials when they turn on or unlock their device with Windows Logon, the front door. The ability to safely access our computer plays a key role in developing trust in adopting these technologies, which do more good than harm.

In the world of access management, we have seen wide deployment of multi-factor authentication (MFA) at the point of the Operating System (OS) to add the layer of something you know (e.g., a password) and something you have (e.g., a registered device). This move made it harder for bad actors to gain unauthorized access to the endpoint device and the data on it. Consequently, these adversaries have adapted and continue to find creative ways to pass through the metaphorical front door of our machines. The latest trends notoriously involve a cocktail of push phishing, password spraying, stolen credentials and many other nasty ingredients.

To address the burden that these attacks place on ‘all those who want to protect their local logins’, Cisco Duo is thrilled to announce that Passwordless Authentication for Windows Logon (PWL OS Logon) is now in Private Preview!

See the video at the blog post.

Passwordless for Windows Logon is compatible with Duo Passport, a new capability that we announced at RSAC 2024. Together, the two capabilities deliver a true and secure single sign-on experience for the workforce right when they start their day by logging into a Windows device.

How does this improve the proverbial front door?

Cisco Duo’s approach to a passwordless experience at the OS enables a stronger, usable defense in a variety of ways (in addition to not having to enter your password):

Stronger

Usable

Where won’t Passwordless for Windows logon work yet?

This version of Passwordless for Windows logon will not work in RDP (remote desktop) sessions. Given the crossing of the trust boundary, our research shows that a different approach will be needed in the future to assert the trust of the same user on the same device.
Passwordless Offline Mode is coming soon — it is in our roadmap, but not here yet! The current experience will default to the existing Windows Logon Offline mode.

How can I try Duo Passwordless for Windows logon?

For an opportunity to participate in the Private Preview this summer, please reach out to us here! And if you are interested in trying Duo, sign up for a free 30-day trial.

]]>
<![CDATA[Dive in With Duo Passport: A Secure, Seamless Future]]> jduggan@duo.com (Joe Duggan) https://duo.com/blog/dive-in-with-duo-passport-secure-seamless-future https://duo.com/blog/dive-in-with-duo-passport-secure-seamless-future Product & Engineering

Duo has long been the most loved company in security. But here’s the thing: That’s despite MFA being the most grumbled-about part of many end-users’ day. While our customers love us for our ease of use, flexibility and focus on security, a lot of end users think of Duo the way they think of floss, bike helmets and low-sodium foods. Secure authentication isn’t fun, but you put up with it as part of your day because you know it’s keeping you safer.

At Duo, we are constantly pushing the envelope — how can we deliver the security that our customers need, with less inconvenience for end users? Can we make secure access a positive experience for our end users? That’s why we’re so excited to bring to market Duo Passport — a new capability that drives secure, seamless access to all the permitted applications with just one interactive authentication.

Over the past decade, MFA adoption has increased across organizations of all sizes. This is a great thing and a huge achievement for the security teams. However, it’s led to an unfortunate side effect: lots of workers, through no fault of their own and without presenting any particular risk, end up authenticating again, and again and again throughout their day. It’s normal to use an email client, a VPN, a browser, and maybe a handful of other apps in your to-do list; so why do authentication vendors put up so many walls for you?

Duo Passport reduced end-user authentications by more than 65% at one customer that tested it over several months.

Enter Duo Passport: A better way forward

When Duo Passport is enabled, a user’s authentication is remembered for a specified time period by Duo’s cloud services across all of their applications. It leverages device binding, facilitated by Duo Desktop, to deliver a Remembered Device experience, even as the end user moves across web applications and client-based applications. Unlike other solutions, Passport does not rely on just the cookie store in the browser, or each application’s settings, to deliver a seamless experience for end-users and minimize repeated authentication requests.

Duo meets the user wherever their day starts and works behind the scenes as they move through their tasks.

Here’s where Passport gets cool: it’s customizable to your environment and compatible with all other strong security features that Duo offers. Let’s look at some examples!

One of the customers in our private preview program is an enterprise electronics company. They protect Windows Logon in their environment, as well as hundreds of applications. Some of these applications are browser-based SaaS applications, and many of them have their own clients. By rolling out Passport to more than a thousand users in their trial, they’ve saved tens of thousands of authentications that their end users didn’t have to complete interactively, while resting assured that Duo was still enforcing security through these integrations. This customer plans to roll Passport out to more than 18,000 users, and had this to say:

“The experience with Duo Passport has been really good and the feedback from all 1300 pilot users has been extremely positive. In the past, our use of MFA has been very strict and this has eased up on the end user friction that we were inadvertently putting on users.”

In another example, let’s look at Cisco’s own implementation of Duo. Cisco has deployed Passwordless widely, uses Risk-Based Authentication, and enforces Trusted Endpoints as well as Device Posture using Duo Desktop. Passport works seamlessly with all of these features! Passport adoption here is well under way, with plans for a company-wide rollout.

“With Duo, we are able to strike the right balance between User Experience and Security. It is rare that these words are used together in one statement when it comes to security-related enforcements. Our User Experience satisfaction score is increasing every quarter and at the same time our security team is happy with the enforcements we are able to implement.” — Sarabjeet Rana, Information Security Architect at Cisco

A great litmus test for any balance of security and end user experience is understanding how Managed Service Providers feel about it. We’ve had a great partnership throughout our preview program with several MSPs, which speaks to the improved end user experience that Passport delivers.

“Duo Passport is an essential step on our road to making secure access the default for our customers. We selected Duo as our partner because of their attention to ease of use and their expertise across platforms. We are accelerating our deployment of Duo Passport to maximize the strength of our customers’ defenses while we keep interruptions of their workflows to the minimum.” — JustWorks, a pure play MSP founded in 1996

Duo Passport is available today, to all Duo Advantage and Premier customers. You can enable it yourself now.

We’re really excited to get this in your hands and are already hard at work on what’s next. We’re bringing Passport to multi-user scenarios, which has been requested by all our healthcare customers in preview. And if you thought that we didn’t like too many authentications…just wait until we tell you about our thoughts on passwords and remember-me cookies!

]]>
<![CDATA[Duo’s New Session Trust Solution Provides Continuous Policy]]> jgolden@duo.com (Jennifer Golden) rayluo@cisco.com (Raymond Luo) https://duo.com/blog/duos-new-session-trust-solution-provides-continuous-policy https://duo.com/blog/duos-new-session-trust-solution-provides-continuous-policy Product & Engineering

User experience and security protocols have historically been at odds. To improve security outcomes, users are forced to jump through more hoops to gain access to sensitive resources. Duo is rethinking this paradigm with the launch of Session Trust’s continuous policy.

Challenge with sessions

When a user logs in to a new application, the website sends a cookie that is stored in the browser. This enables the website to remember you. Without these cookies, users would have to log in again with every click. Imagine if you had to enter your username and password for your account every time you added a new item to your shopping cart or clicked on a new webpage.

That's why sessions are so important. However, a lot can change over the course of a session. At the beginning, session trust is high because the application can verify it’s the right user accessing the right resources. But over time, that trust might degrade as users move locations, devices become infected with malware, or new signals show that the current user is not the same one that initially logged in. Despite changing risks, access today is binary: it’s granted once at the start of a session and never re-evaluated until hours, or even days, later when the session expires.

So how can we enable organizations to evaluate risk throughout the session and take action beyond the point of authentication? What other tools can we provide organizations beyond setting session length?

Introducing continuous policy with Session Trust

Session Trust now makes access safer by continuously evaluating device health policy over the entire lifecycle of the session. There are three parts to this new functionality — device posture heartbeats that are collected continuously, ongoing evaluation of posture against the organization’s policy, and web session enforcement to terminate a non-compliant session.

Whereas device health policy was previously evaluated once at the time of login, continuous policy now leverages Duo Desktop heartbeats to evaluate posture constantly. Once a change is detected, a heartbeat is sent to Duo. If the device no longer complies with policy, the Duo browser extension revokes the session by removing the login cookie, prompting users to remediate device issues and re-establish trust.

By protecting sessions throughout their lifecycle, administrators can confidently increase session time, knowing that sessions can be revoked the moment risk levels change. End users can stay logged in longer, and administrators no longer face the hard choice of whether to frustrate end users or attackers.

Duo’s vision for Continuous Identity Security

The Session Trust continuous policy feature is an important milestone for Duo as we seek to achieve our goal of providing Continuous Identity Security for our users and organizations. We see a world where trust is neither binary nor permanent, where Duo works continuously so you don’t have to.

As we look to the future, we are working to expand the signals that Duo can collect and process — providing a more cohesive view of risk — and giving organizations more tools to better protect their users. Additionally, we are working to make Session Trust available for more application types, ensuring that every session maximizes user experience and security.

To learn more, sign up for a free trial of Duo or reach out to your sales rep to sign up for private preview today.

]]>