<![CDATA[The Duo Blog]]> Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. en-us info@duosecurity.com (Amy Vazquez) Copyright 2024 3600 <![CDATA[TOTP vs. HOTP: Which Option Provides Better Passcode Protection]]> dwakanda@cisco.com (Derrick Sison) https://duo.com/blog/totp-vs-hotp https://duo.com/blog/totp-vs-hotp Product & Engineering

OTP (one-time password) technology originated in the early 1980s as a cryptographic hash-based construction for an authentication system. Fast forward to today and the basic idea is unchanged, but many companies have since patented their own schemes for generating and delivering OTP codes. A technology that has been around this long attracts attackers who try to compromise it in diverse ways, and in recent years we have seen attackers continue to try to defeat MFA by circumventing it or by going straight through it with phishing attacks.

While we still recommend security keys or Duo Push with Verified Push over other authentication methods when feasible, we recognize that some organizations, given their environments and where they are on their security journey, still require the ease and flexibility of OTP passcodes. We want to meet you where you are and, in doing so, give you the most secure option available. In this case, that option is TOTP.

What is HOTP, what is TOTP & what is the big difference?

There are two options when it comes to OTP: HMAC-based One-Time Password (HOTP), where HMAC stands for Hash-based Message Authentication Code, and Time-based One-Time Password (TOTP). HOTP is event-based: each code is derived from a shared secret and an event counter, and a code is invalidated once the user has used it, which advances the counter. TOTP is time-based: each code is derived from a time counter, and the code is invalidated once its time-to-use countdown reaches zero. Duo now offers both options, and we recommend moving strictly to TOTP once your organization can (we discuss how to achieve this below).

Why use TOTP instead of HOTP?

Given how each option operates, HOTP is more susceptible to compromise if an attacker can phish and harvest codes from a user: a harvested HOTP code stays valid until it is used, so an attacker who also holds a compromised primary credential can take their time to plan an attack or even use it for monetary gain. TOTP impedes and stops this type of attack even if an earlier OTP code was harvested or phished from the user, because a TOTP code is invalidated after 30 seconds even if the user never used it.

This raises the bar significantly over HOTP for organizations that still need to rely on the OTP method. It remains a very effective preventative measure against the three types of attacks from the study above: bot attacks, bulk phishing attacks, and targeted attacks. Primary credentials alone remain far more vulnerable: 99.9% of compromised accounts do not have MFA, and 50% of those are the cause of breaches.

How Duo Mobile TOTP settings are configured & things you should know

To find the settings, navigate to your Settings section in your Duo Admin Panel left menu bar. From here click on Duo Mobile App and locate the Passcodes section. You will have three options to prepare your migration to TOTP with a final option to permanently disable HOTP.

  1. Do not generate TOTP codes in Duo Mobile.

  2. Generate TOTP codes in Duo Mobile for specific groups.

  3. Generate TOTP codes in Duo Mobile for all users, with an option to “Discontinue HOTP support permanently” when your organization is ready.

Prerequisite:

Mobile devices with Duo Mobile 4.49.0 or newer will generate TOTP codes when enabled in the setting above. Older versions of Duo Mobile will generate only HOTP codes.

Frequently asked questions:

I do not see the “Passcodes” setting at all in my Duo Admin Panel?

Customers who sign up for a new Duo account after May 2024 are automatically defaulted to TOTP codes only. These tenants will not see the “Passcodes” settings section shown below, because this default cannot be changed. This applies to both users and administrators.

What about my Administrators accounts?

Duo Administrators have been updated to support TOTP by default if they are on Duo Mobile 4.49.0 and later.

What if some Administrators still have an older version of Duo Mobile?

We will also support HOTP codes for Duo Administrators who have older Duo Mobile App versions until you change your Passcodes settings to “Discontinue HOTP support permanently” in your Admin settings. This is the only setting in the “Passcodes” configuration section that applies to both end users and administrators.

Best Practices for migration from Duo Mobile HOTP to TOTP

Given that this is a change to the OTP method, we have implemented options in the settings that let your organization migrate to TOTP as slowly or as quickly as is feasible for your users. Note that delivery, end-user usage, and the overall experience do not change at all; the migration is seamless from an end user's perspective. The main difference in experience is the time allotted for the end user to enter the code before it expires, and the visible countdown on the end user's Duo Mobile app screen once TOTP is enabled.

Disabling HOTP Codes in Duo Mobile App Permanently.

In both cases, we recommend waiting for a set period to review and monitor your users' authentications before completing the ultimate step of Discontinuing HOTP support permanently for Duo Mobile App. Two important notes:

  1. This setting is only for Duo Mobile App and will not affect your OTP Hardware Tokens.

  2. This setting is permanent once you save the discontinued use of HOTP codes. We cannot reverse this action; the goal is for all accounts to use the more secure TOTP option for your Duo-protected apps.

Easily monitor & keep track of your migration with Duo’s robust logging & reporting

Your administrators will have complete visibility during testing, migration, and finally disabling HOTP codes through Duo’s authentication logs. The authentication logs show a clear distinction between users who use HOTP codes and users who use TOTP codes, which helps your organization track the migration to TOTP through its various stages, as shown in the example below. You can view the logs directly in your Duo Admin Panel by navigating to Reports → Authentication Log, or retrieve them through Duo’s Admin API (application programming interface) for a customized view.

While TOTP is not a “one solution to rule them all” that stops every phishing attack, it is a step forward that dramatically strengthens prevention of the attack vector HOTP exposes, making it more difficult to compromise users' accounts. On your journey to a Zero Trust architecture, and in hardening your security posture against all the old and new ways attackers try to compromise your environment, Duo has the tools you need to make a big dent in thwarting cyber criminals and increasing your security.

On top of TOTP, you can layer additional Duo security features, such as Risk-Based Authentication with novel IP detection for codes and impossible travel, Trusted Endpoints to allow access only from machines your organization deems trusted, passwordless authentication, and Single Sign-On, to name a few.

For interested customers who would like to continue the conversation with a trusted advisor and further strategize a customized plan for your migration and best practices, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.

]]>
<![CDATA[Revolutionizing Palo Alto VPN Access With Duo SSO]]> lgreer@duo.com (Landon Greer) https://duo.com/blog/revolutionizing-palo-alto-vpn-access-with-duo-sso https://duo.com/blog/revolutionizing-palo-alto-vpn-access-with-duo-sso Product & Engineering

Join the thousands of Palo Alto firewall customers who take advantage of protecting Palo Alto VPN logins with Duo Single Sign-On via SAML 2.0 to help prevent unwanted access and streamline the user experience. Duo is a leading identity security platform that protects access to all applications, for any user and device, from anywhere. It is designed to be easy to use, administer, and deploy while providing complete endpoint visibility and control.

Duo SSO simplifies the authentication process for users by providing a single point of access to multiple applications. When paired with Palo Alto’s GlobalProtect VPN, it creates a fortified security perimeter that not only safeguards sensitive data but also ensures compliance with regulatory requirements. You may be asking yourself, ‘I already have Duo protecting my Palo Alto GlobalProtect VPN via RADIUS with the Duo Authentication Proxy, so why would I modernize to Duo SSO?’ We could answer by discussing the security implications of RADIUS as the protocol continues to age, but I think it is best to cover that alongside the further enhancements you will receive without any change in your Duo licensing costs.

Reasons to move to Duo SSO with Palo Alto VPN

All of the following functionality is only available for Palo Alto VPNs using the Duo Universal Prompt and protecting Palo Alto Firewalls with SAML 2.0. Duo will continue to invest in our focused security principles through the Duo Universal Prompt, so be sure to keep an eye out for new policy improvements.

Secure:

Duo's Verified Push multi-factor authentication (MFA) and passwordless biometric FIDO2 MFA options protect against phishing attacks by delivering a secure and frictionless user experience no matter if on mobile, laptop or using a security key. Duo's contextual access policies adapt to factors like unknown or untrusted devices, location, risk correlation, artificial intelligence and user behavior analytics to continuously verify identity and authorize access.

Simplify:

Duo’s simply easier for all. Easier for admins to configure, deploy and manage, while being easier for users to enroll, authenticate, self-remediate and self-service. It’s also easier for the help desk team to solve problems with Duo’s simple to use troubleshooting tools and detailed event logs. Last, it’s easier for security operations analysts to review and analyze threat data to resolve risk faster.

Control:

Duo's platform provides robust, integrated ITDR and ISPM capabilities powered by Cisco Identity Intelligence, which provides identity security visibility from posture risk to advanced security threats with analysis from across your identity stack. This comprehensive set of tools allows visibility into all identities and devices accessing corporate applications, enabling zero trust security for any user on any device and quickly mitigating risk.

How to protect & modernize Palo Alto GlobalProtect VPN logins with Duo

Integrating Duo SSO with Palo Alto’s GlobalProtect VPN is a straightforward process that involves a few key steps:

  1. Configure Duo SSO within the Duo Admin Panel, adding users and defining authentication methods.

  2. Connect Palo Alto’s GlobalProtect VPN via SAML 2.0 to Duo SSO.

  3. Create Duo Policy requirements for Cisco ASA or Cisco Firepower by application or group.

  4. Validate the sign-in experience and test with a pilot group.

More detailed instructions can be found on Duo Docs.

Modernize security without sacrificing productivity

Duo SSO quickly connects to your identity provider of choice and integrates with any SAML or OIDC application with dedicated integrations for:

With Cisco Duo Single Sign-On, you can easily grant frictionless access to applications while simultaneously enforcing strong zero trust measures across applications, people and devices. As hybrid and mobile workforces continue to grow, establishing a seamless way to manage multiplying endpoints will streamline security operations and minimize your attack surface.

Start closing your cybersecurity readiness gap. Contact Cisco Duo today.

]]>
<![CDATA[UX: Your Passport to Better Security]]> gdikeako@cisco.com (George Dikeakos) https://duo.com/blog/ux-your-passport-to-better-security https://duo.com/blog/ux-your-passport-to-better-security Product & Engineering

Imagine a bustling city. Each day, its citizens follow a rhythm: waking up, commuting to work, engaging in their tasks, and returning home. In macroeconomics, analyzing such behaviors helps predict broader economic trends. How are they commuting to work? What are most people spending their money on? Similarly, in cybersecurity, considering the user as a whole entity—both as an employee and in their daily routines—yields significant insights. What applications are they authenticating to? What are the risks associated with this authentication?

In the realm of cybersecurity, user experience (UX) plays a crucial role in ensuring effective security measures. Just as understanding daily behaviors in a city can lead to better urban planning, focusing on UX in cybersecurity can lead to more secure and user-friendly environments.

Onboarding and Offboarding

Traditionally, onboarding and offboarding are associated with the beginning and end of an employee's tenure. Much like the daily rhythm of a city, it's equally important to think about these processes daily. Just as an employee starts their day by logging into various systems and ends it by logging off, each session can be considered a micro-onboarding and offboarding event. This daily cycle is crucial for maintaining security without compromising user experience.

Now imagine Lee, an end user. He starts his day by logging into his computer and accessing various applications. Each login represents a potential security risk if not managed properly. Duo simplifies this process. By thinking of onboarding and offboarding as daily events, we can ensure that Lee's interactions with their work environment are both secure and efficient.

Duo Passport

Lee’s day improves significantly with Duo Passport. Without it, they would need to repeatedly log into different applications, a process that is not only time-consuming but also increases the risk of security lapses. Duo Passport simplifies application access and reduces logon fatigue by sharing remembered device sessions between applications, whether accessed from a browser or a desktop client. With Passport, Lee logs in once, and their authentication status is maintained across all applications, both in the browser and on the desktop. This seamless experience means that Lee can focus on their work without constant interruptions for re-authentication.

For more information on Duo Passport, and how it plays a larger role in Continuous Identity Security, check out this blog post.

How does it work?

Duo Passport leverages Duo Desktop, which shares trusted session information across browsers and desktop applications. This integration allows Lee to maintain their authenticated state, reducing the need to repeatedly enter credentials throughout the day.

For instance, when Lee logs into a web application and opts to remember their device during the authentication flow, that trust session extends to desktop applications as well. This seamless experience means that logging into one service can authenticate access to others, streamlining Lee's daily workflow without compromising security.

To truly appreciate the benefits of Duo Passport, let's walk through a typical day for Lee.

Morning: Let’s get this day started

Lee begins the day by logging into their Windows computer. They complete the Cisco Duo authentication process, selecting the option to remember the device. With Passport, this initial authentication carries over to other applications. As Lee opens their email client, they don't need to log in again. The trust session established during the Windows login extends to the email application, saving time and reducing frustration.

Midday: I’m on a roll

Throughout the day, Lee moves between various applications—project management tools, internal chat systems, and cloud-based storage solutions. With Passport, each transition is smooth. When Lee switches from the browser to a desktop application, the trusted session persists. Lee can access the resources needed without repeatedly entering credentials.

Afternoon: I need a change of scenery

As the day progresses, Lee decides to work from a different location. They move to a conference room for a meeting. Duo Passport adapts to this change. If the system detects a significant security event, such as an unusual login location, it prompts Lee to re-authenticate. This ensures that security remains robust even as the user environment changes.

Evening: Oops, I forgot to submit my timesheet!

At the end of the day, Lee logs off their computer. The trust session established by Passport remains in effect until it expires according to the configured policy. This means that if Lee logs back in later that evening to check on a project, they won't need to re-authenticate every application. The balance between convenience and security remains intact.

Think about an organization with hundreds of employees like Lee. If every employee saves just a few minutes each day by not having to log into applications repeatedly, the overall time savings are significant. More importantly, reducing the hassle associated with security protocols makes it more likely that employees will follow them, which strengthens the organization's security.

Conclusion

In cybersecurity, the importance of a seamless user experience is often underestimated. Yet, it’s crucial for the adoption and effectiveness of security products. Cisco Duo shows how focusing on user experience can boost security by increasing user adoption. Viewing onboarding and offboarding as daily events rather than just at the start and end of employment can create a more secure and efficient work environment.

By integrating Duo Passport, companies can provide their users with a smooth, secure, and efficient workday. This balance between user experience and security not only makes the workday easier for employees but also enhances overall productivity and security, highlighting the thoughtful design of Cisco Duo.

When you think about it, the parallels to macroeconomics are clear: just as an economy prospers when its citizens can go about their daily lives smoothly, an organization thrives when its employees can navigate their digital workspaces effortlessly. Cisco Duo, with its Passport feature, creates this seamless experience, proving that great user experience and strong security can work hand in hand to drive organizational success.

Start a Free Trial with Duo today to see Duo Passport in action!

]]>
<![CDATA[Understanding Identity Acronyms: What Are ISPM & ITDR?]]> mrotar@cisco.com (Mike Rotar) https://duo.com/blog/what-are-ispm-itdr https://duo.com/blog/what-are-ispm-itdr Industry News

The challenge: Limited visibility

Not all new software categories are created equal.

Cisco Talos reported in February that three of the top five MITRE ATT&CK techniques used in 2023 were identity-based, so identity needed some focused security attention.

Why? Access and identity sprawl is creating new security challenges for organizations of all sizes:

More likely than not, your organization has hundreds of applications across different departments and roles. The applications could be sensitive, privileged access, or not, and may be on-premises, SaaS-based cloud, self-hosted cloud or some combination. The identities (usually people, but sometimes service or machine identities) accessing the apps are likely working from anywhere, at any time, and maybe even from a work or personal device. They could be staff, but maybe there’s also temporary contractors or third parties who need controlled access.

The trouble with access policies

Access management policies that control access to applications are complex and typically unique to each organizational role. They must be assessed individually and frequently to ensure consistent enforcement of the organization's security strategy (hopefully, a zero trust security strategy). Given the complexity of policy, even the most advanced teams struggle to deploy, maintain and assess a strong access management policy posture standard that helps mitigate threats while also supporting a productive business. In 2022, Gartner saw this as a large enough security issue to create a new security software category called Identity Threat Detection and Response (ITDR).

Later in 2022 CISA bolstered this claim and posted an urgent cybersecurity advisory stating that “Weak Security Controls and Practices Routinely Exploited for Initial Access”, which is CISA’s polite way of saying “your access management policy is weak and will get hacked”. Access policies are inherently complex as human behavior pushes new work boundaries and can be expensive to deploy, support and update securely while maintaining productivity across users and the IT and security teams supporting the infrastructure.

Ownership is likely spread across multiple departments: IT, compliance and security teams, identity teams, and other miscellaneous IT groups. In some scenarios, countless products cover parallel and competing use cases as well. This leaves organizations in a scenario where vulnerable access policies are deployed to avoid friction across various stakeholders, teams and leadership.

ITDR & ISPM introduced

Around the time of the CISA advisory, former startups like Oort (acquired by Cisco in 2023, now Cisco Identity Intelligence) and Spera Security (acquired by Okta in 2023) began to gain traction with thought leadership around identity security. Regardless, bad actors were already planning large-scale user identity-based attacks, such as the 2023 casino breaches, or the recent Snowflake breach, which prove social engineering’s getting easier, faster and cheaper with the advancement of artificial intelligence (AI) automated attack toolkits and services.

With the aggressive growth of identity-focused attacks, it's critical that organizations have a resource that helps them minimize their identity posture and threat risks, so that bad actors cannot capitalize on hidden vulnerabilities across an organization's multi-vendor identity security posture — such as policy misconfiguration, poor security strategy, poor end-user posture/hygiene and more — and so that they can, as a result, align with the requirements of compliance auditors as well. Below, we’ll do our best to define the emerging categories of Identity Threat Detection and Response (ITDR) and Identity Security Posture Management (ISPM) and what you should look for in a solution.

What is ITDR, or Identity Threat Detection & Response?

ITDR, or Identity Threat Detection and Response, is an emerging security software category coined by Gartner. ITDR helps organizations detect and mitigate identity risk by surfacing identity posture and security threats from across your environment. ITDR evaluates risk by analyzing existing identity providers, human resources information systems and other enterprise apps simultaneously while detecting risk with policies, permissions, user authentication logs, security events and additional third-party telemetry. Once gathered, ITDR solutions can correlate data from across all source tools and will typically surface the most critical vulnerabilities first or provide an ability to sort based on severity, compliance frameworks, security architecture guidelines, application source and more. This data is often capable of being sent to an external target, such as an XDR, SIEM, instant messaging applications, admin email distribution lists and more.

ITDR and ISPM solutions should also facilitate access management policies with a stronger, more reliable posture and threat signal for real-time risk assessment at the point of login or during an existing login session with correlation across identity providers, HRIS systems and enterprise apps.

What is ISPM, or Identity Security Posture Management?

ISPM, or Identity Security Posture Management, is a sub-category of ITDR focused on proactive identity posture assessment (not advanced security threat mitigation). This category is still emerging from ITDR, but some ISPM solutions have differentiated themselves by providing deeper posture mitigation than offered by standard ITDR solutions (such as user remediations).

Similar to ITDR solutions, ISPM solutions can correlate gathered data from across all source tools and will typically surface the most critical posture and hygiene risk first, or provide an ability to sort based on severity, compliance frameworks, security architecture guidelines, application source and more. This data is often capable of being sent to an external target, such as an XDR, SIEM, instant messaging applications, admin email distribution lists and more.

The Cisco Identity Intelligence team has a list of 50+ examples of posture risks and security threats for you to review which can help disambiguate between posture and threat risk.

Why is ITDR & ISPM important?

Identity and access management (IAM) policies are complex, unique per organization and are frequently poorly configured. ITDR (Identity Threat Detection and Response) and ISPM (Identity Security Posture Management) solutions are important because they provide visibility and control over your organization's identity posture (ISPM) issues and security threats (ITDR) in a single, comprehensive interface with correlation from across your identity stack — including identity providers (IdP), enterprise applications and human resource information systems (HRIS) — so your administrators can put in place stronger access management policies and strengthen access requirements. In the future, ITDR and ISPM will continue to be developed into a risk signal for identity and access management (IAM) policy for a stronger, proactive security response.

What should I look for in an ITDR & ISPM solution?

An ITDR (Identity Threat Detection and Response) and ISPM (Identity Security Posture Management) solution should:

  • Connect and protect a multi-source list of connected target identity providers, human resources information systems (HRIS) and critical enterprise applications.

  • Control and visualize with a robust list of security and posture alerts that are based on a strong multi-source collection of security threat and posture hygiene signals and support advanced report filtering such as compliance frameworks, regulatory standards, and more.

  • Alert and remediate with live or retro event data to IAM solutions, ITSM solutions, SIEM solutions, email or chat/messaging notification solutions or mitigation remediation solutions.

Connect & Protect

ITDR and ISPM should support the ability to connect and protect a multi-source list of connected target identity providers, human resources information systems (HRIS) and critical enterprise applications with the same level of integration and focus, or have roadmap plans to support in the future. This may include identity providers such as Microsoft, Okta, Google, Auth0, or Ping, HRIS systems such as WorkDay or SAP, and enterprise applications such as Salesforce.

Control & Visualize

ITDR and ISPM should allow the ability to control and visualize with a robust list of security and posture alerts based on a strong multi-source collection of security threat and posture hygiene signals. The collection of signals should come from reliable sources including the target identity providers, human resources, enterprise applications, access devices, access telemetry, threat feeds, security solution integrations and more to understand the full impact of each posture or risk alert. 

An ITDR and ISPM should also support advanced report filtering such as:

  • Identity hygiene view/filter that identifies posture-based risk such as identity hygiene, no/weak MFA, dormant accounts, over-privileged users and more

  • Identity threats view/filter that identifies active identity-based threats to your organization based on signals provided from geo-location, device telemetry, external identity or security sources, anomaly detections, impossible travel and more

  • A compliance, regulatory and security framework monitoring view/filter that identifies alignment across CIS, CMMC, MITRE, NIST, PCI and SOX standards

  • An idle license insight view/filter that allows the ability to review identity licensing usage across connected target identities, human resources and enterprise applications
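The hygiene filter in the list above is the most mechanical of the four, so here is an added example (not Cisco Identity Intelligence code, and not its data model) of what such a check looks like over a small, constructed set of account records: it flags accounts with no MFA, accounts enrolled only in weak factors, dormant accounts, offboarded users still enabled, and holders of the broadest admin role, then ranks the findings so the most critical surface first, as the ITDR/ISPM sections describe. The record field names, the 90-day dormancy threshold, the set of factors treated as weak, and the role names are all assumptions for the demo.

```python
"""Added example, not Cisco Identity Intelligence code: a small identity-hygiene
check over constructed account records that emits the posture findings described
above (no/weak MFA, dormant accounts, over-privileged users) and ranks them by
severity so the most critical surface first."""
from datetime import datetime, timedelta, timezone

# Constructed sample export; the field names are an assumption, not a real IdP/HRIS schema.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ACCOUNTS = [
    {"user": "alice", "mfa": ["webauthn"], "last_login": "2024-05-30T09:12:00Z",
     "roles": ["user"], "employed": True},
    {"user": "bob", "mfa": ["sms"], "last_login": "2024-05-28T17:40:00Z",
     "roles": ["user", "admin"], "employed": True},
    {"user": "carol", "mfa": [], "last_login": "2023-11-02T08:00:00Z",
     "roles": ["user"], "employed": True},
    {"user": "svc-backup", "mfa": [], "last_login": "2024-05-31T02:00:00Z",
     "roles": ["admin", "global_admin"], "employed": True},
    {"user": "dave", "mfa": ["totp"], "last_login": "2024-02-01T10:00:00Z",
     "roles": ["user"], "employed": False},
]

WEAK_FACTORS = {"sms", "voice", "email"}        # assumption: phishable / interceptable factors
PRIVILEGED_ROLES = {"admin", "global_admin"}    # assumption: role names in the export
DORMANT_AFTER = timedelta(days=90)              # assumption: dormancy threshold
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}


def parse_ts(value: str) -> datetime:
    """Parse the 'Z'-suffixed ISO-8601 timestamps used in the constructed export."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess(account: dict, now: datetime = NOW) -> list:
    """Return (severity, user, detail) findings for one account.
    Privileged accounts get a higher severity for the same hygiene gap."""
    findings = []
    user = account["user"]
    roles = set(account["roles"])
    privileged = bool(roles & PRIVILEGED_ROLES)
    factors = set(account["mfa"])

    # Offboarded in HRIS but the account is still live: the HRIS/IdP correlation case.
    if not account["employed"]:
        findings.append(("critical", user, "offboarded in HRIS but account still enabled"))

    # MFA posture: nothing enrolled, or only factors that are easy to intercept.
    if not factors:
        findings.append(("critical" if privileged else "high", user, "no MFA enrolled"))
    elif factors <= WEAK_FACTORS:
        findings.append(("high" if privileged else "medium", user,
                         "only weak MFA factors: " + ", ".join(sorted(factors))))

    # Dormancy: no sign-in within the threshold.
    if now - parse_ts(account["last_login"]) > DORMANT_AFTER:
        findings.append(("high" if privileged else "medium", user,
                         f"dormant: no login in {DORMANT_AFTER.days} days"))

    # Over-privilege: holding the broadest role is always worth a least-privilege review.
    if "global_admin" in roles:
        findings.append(("medium", user, "holds global_admin; review least privilege"))

    return findings


def rank_findings(accounts: list, now: datetime = NOW) -> list:
    """All findings across accounts, most severe first, then by user name."""
    findings = [f for a in accounts for f in assess(a, now)]
    return sorted(findings, key=lambda f: (-SEVERITY_RANK[f[0]], f[1]))


if __name__ == "__main__":
    for severity, user, detail in rank_findings(ACCOUNTS):
        print(f"{severity:8} {user:12} {detail}")
```

Two design points carry over to a real deployment: severity depends on the account's privilege, not just on the gap found, and the employment status comes from a different source (HRIS) than the login and MFA data (IdP), which is exactly the cross-source correlation the checklist below asks for.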

Alert & Remediate

The ITDR and ISPM solution should make it simple to act with alert and remediation options natively, or to your external target of choice, including Identity and Access Management solutions (such as Microsoft and Duo) to influence access policy, SIEM (such as Splunk) or XDR (such as Cisco XDR) to correlate with other threat events, ITSM (such as ServiceNow or Jira) to submit new requests or tickets, and urgent email or instant messaging notifications to your platforms of choice such as Google, Microsoft 365, Cisco Webex, Slack and Microsoft Teams. The event stream should support the format of the preferred target solution and provide clear, actionable logs with correlated data points.

The ITDR & ISPM Solution Checklist

Based on Duo research, we put together a simple three-step ITDR and ISPM solution checklist that may help your journey:

  1. Can you connect and protect a multi-source list of your target identity providers, human resources information systems (HRIS) and critical enterprise applications?

  2. Can you control and visualize a robust list of security and posture alerts based on a strong multi-source collection of security threat and posture hygiene signals? Can you support your advanced report filtering needs such as compliance frameworks, regulatory standards and more?

  3. Can you alert and remediate with live or retro event data to your target IAM solutions, SIEM solutions, ITSM solutions, email or chat/messaging notification system or additional remediation solutions?

We hope this helps you on your identity security journey.

Does Cisco Duo have an ITDR or ISPM?

Yes, Cisco Identity Intelligence is Cisco's ITDR and ISPM solution. Cisco Identity Intelligence is available now to all Duo Advantage and Premier customers at no additional cost. Existing solutions in the market today are either too noisy with false positives, hyper-focused on legacy infrastructure or tailored for one specific identity solution. Current solutions lack the immediate, cross-platform enhanced visibility and value that customers seek. Cisco Identity Intelligence provides customers with unmatched visibility across their identity ecosystem in a single, comprehensive interface with low-noise insights based on a strong risk signal.

To learn more about creating a strong identity security strategy, be sure to watch our on-demand webinar Identity Under Siege: Strategies for Enhancing Security in a Zero Trust World.

Curious about your identity security hygiene? Schedule a Cisco Identity Security Assessment today!

]]>
<![CDATA[Duo Passport: Enhancing the Passkey Experience]]> jefyeo@cisco.com (Jeff Yeo) https://duo.com/blog/duo-passport-enhancing-passkey-experience https://duo.com/blog/duo-passport-enhancing-passkey-experience Product & Engineering

As the world embraces the future of passwordless authentication with passkeys, Duo Security continues to innovate and provide solutions that enhance the user experience while maintaining robust security. One such solution is Duo Passport, a feature that complements the power of passkeys by enabling seamless access across different applications and platforms.

The challenge of siloed authentication

In the traditional authentication landscape, users often face the frustration of having to repeatedly log in and authenticate across various applications and devices. Even with the adoption of passkeys, which eliminate the need for passwords, the authentication session can remain siloed within a specific application or browser context. This fragmentation can lead to logon fatigue and diminish the user experience, particularly in enterprise environments where employees need to access multiple resources throughout the day.

Duo Passport: Bridging the gap

Duo Passport addresses this challenge by enabling shared remembered device sessions between browser and desktop applications when accessed using Duo Desktop and a remembered devices policy. Here's how it works:

When Passport-enabled users sign in with Duo, Duo Desktop performs automatic device registration by attempting to generate a key pair, register the public key with Duo and use the key to sign further reports sent to Duo. This process allows the trusted session information used by Duo authentication to be shared between browser and desktop apps.

Without Duo Passport, Duo stores the trusted session information locally on the user's device, preventing seamless access across different applications and platforms. However, with Duo Passport leveraging the automatic registration and payload signing features of Duo Desktop, users can enjoy a shared Passport session experience where they sign in once and seamlessly access browser and desktop applications without re-entering credentials or repeating two-factor authentication.

Benefits of Duo Passport

  1. Improved User Experience: By eliminating the need for repeated logins and authentication prompts, Duo Passport significantly enhances the user experience, reducing logon fatigue and increasing productivity.

  2. Seamless Access: Users can seamlessly transition between different applications and platforms without interruptions, providing a consistent and cohesive authentication experience.

  3. Enhanced Security: Duo Passport leverages the security features of Duo Desktop, including automatic device registration and payload signing, ensuring that the shared authentication session remains secure and resistant to potential threats.

  4. Compatibility With Passkeys: Duo Passport complements the adoption of passkeys by enabling a shared authentication experience across different applications and platforms, further enhancing the benefits of passwordless authentication.

As organizations continue to embrace the future of authentication with passkeys, Duo Passport offers a valuable solution for bridging the gap between different applications and platforms, ensuring a seamless and secure user experience.

Want to experience Duo Passport for yourself? Sign up for a free trial today!

]]>
<![CDATA[Expanded Identity Security With Duo Single Sign-On: Duo Adds Support for OAuth 2.0 Client Credentials]]> cmedfisch@duo.com (Colin Medfisch) https://duo.com/blog/duo-adds-support-for-oauth-2-0-client-credentials https://duo.com/blog/duo-adds-support-for-oauth-2-0-client-credentials Product & Engineering

As identity-based attacks become more prevalent, the ability to fine-tune access at a granular level is not just an advantage — it's a necessity. Duo has been at the forefront of this shift, offering SAML support since 2015 and OIDC since 2023, which has helped many of our customers secure applications with Duo’s best-in-class identity security controls. Now, we're refining our approach even further with the integration of OAuth Client Credentials, now Generally Available, to provide even more precise control mechanisms within our security suite.

Understanding OAuth Client Credentials

Before delving into how Duo Single Sign-On (SSO) leverages OAuth Client Credentials, let's clarify what this protocol entails. OAuth Client Credentials is a part of the OAuth 2.0 specification, which is a widely adopted industry standard for authorization. Unlike other OAuth 2.0 flows designed for end-user approval, the Client Credentials grant type is specifically tailored for server-to-server authentication, where no user interaction is involved.

In this flow, a client application can directly request an access token from the Authorization Server using its own credentials. Once the Authorization Server authenticates the client, it issues an access token. This token then grants the client application access to the protected resources hosted by the resource server. It's a streamlined process designed for efficiency and security, ideal for scenarios where applications must perform automated tasks without manual user intervention.

See the video at the blog post.


Secure segmentation by default

Duo SSO's implementation of OAuth Client Credentials is akin to a master key maker crafting unique keys for each room in a building. Just as a key maker can design a master key system with individual keys that provide access to specific areas while maintaining overall security, Duo SSO creates separate Authorization Servers for each OAuth client. This architecture allows for multiple clients to be associated with each Authorization Server, enabling secure segmentation by default — each client operates within its own compartmentalized space, much like rooms in a secure facility.

For applications that require broader access — like having passageways between rooms — we've developed Global Token Introspection. This feature is like installing viewports in doors, allowing one room to verify if a keyholder from another room should be granted access, all while keeping the doors locked and the integrity of each room intact. Global Token Introspection ensures that clients can check the validity of tokens from other Authorization Servers within the Duo SSO ecosystem, maintaining a secure boundary even as information is shared.
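To make the Client Credentials flow described above and the per-client segmentation with introspection concrete, here is an added Python model of both sides of the exchange. It is example code written for this post, not Duo SSO's implementation: the issuer URLs, client IDs, secrets, scopes and the 300-second token lifetime are all constructed values, and the `peers` list plus the `global_lookup` flag are an assumed way to illustrate cross-server token checks, not how Duo implements Global Token Introspection.

```python
import base64
import secrets
from dataclasses import dataclass, field


def _parse_basic(header: str):
    """client_secret_basic: Authorization: Basic base64(client_id:client_secret)."""
    if not header.startswith("Basic "):
        return "", ""
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return "", ""
    return user, pw


@dataclass
class AuthorizationServer:
    """Toy authorization server (constructed for this example, not Duo SSO's code).
    One instance per OAuth client models the per-client segmentation described above."""
    issuer: str
    clients: dict                                  # client_id -> (client_secret, allowed scopes)
    ttl: int = 300
    tokens: dict = field(default_factory=dict)     # opaque token -> metadata
    peers: list = field(default_factory=list)      # servers consulted only when global lookup is on

    def token_endpoint(self, headers: dict, form: dict, now: float):
        """POST /token with grant_type=client_credentials (RFC 6749 section 4.4)."""
        if form.get("grant_type") != "client_credentials":
            return 400, {"error": "unsupported_grant_type"}
        client_id, client_secret = _parse_basic(headers.get("Authorization", ""))
        known = self.clients.get(client_id)
        if known is None or not secrets.compare_digest(known[0].encode(), client_secret.encode()):
            return 401, {"error": "invalid_client"}
        requested = set(form.get("scope", "").split())
        if not requested <= known[1]:
            return 400, {"error": "invalid_scope"}
        token = secrets.token_urlsafe(32)          # opaque; validity is checked by introspection
        self.tokens[token] = {"iss": self.issuer, "client_id": client_id,
                              "scope": " ".join(sorted(requested)), "exp": now + self.ttl}
        return 200, {"access_token": token, "token_type": "Bearer", "expires_in": self.ttl}

    def introspect(self, token: str, now: float, global_lookup: bool = False) -> dict:
        """POST /introspect (RFC 7662). By default only this server's own tokens are
        recognised; with global_lookup the peer servers are asked as well."""
        meta = self.tokens.get(token)
        if meta is not None:
            if now >= meta["exp"]:
                return {"active": False}
            return {"active": True, **meta}
        if global_lookup:
            for peer in self.peers:
                result = peer.introspect(token, now)
                if result["active"]:
                    return result
        return {"active": False}


def client_request_token(server, client_id, client_secret, scope, now):
    """The non-interactive client: no user involved, only its own credentials."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return server.token_endpoint({"Authorization": "Basic " + creds},
                                 {"grant_type": "client_credentials", "scope": scope}, now)


def scenario() -> dict:
    """Two segmented servers; a token from one is only visible to the other via global lookup."""
    now = 1_700_000_000.0                          # constructed clock for a deterministic run
    billing = AuthorizationServer("https://sso.example.invalid/billing",      # placeholder issuers
                                  {"billing-job": ("s3cret-billing", {"invoices:read"})})
    reports = AuthorizationServer("https://sso.example.invalid/reports",
                                  {"report-job": ("s3cret-reports", {"reports:read"})})
    reports.peers.append(billing)
    status, body = client_request_token(billing, "billing-job", "s3cret-billing", "invoices:read", now)
    tok = body["access_token"]
    return {
        "issued": status,
        "bad_secret": client_request_token(billing, "billing-job", "wrong", "invoices:read", now)[0],
        "bad_scope": client_request_token(billing, "billing-job", "s3cret-billing", "reports:read", now)[0],
        "own_server": billing.introspect(tok, now)["active"],
        "other_server_default": reports.introspect(tok, now)["active"],
        "other_server_global": reports.introspect(tok, now, global_lookup=True)["active"],
        "expired": billing.introspect(tok, now + 301)["active"],
    }
```

Running `scenario()` shows the three outcomes that matter for segmentation: a token is accepted by the server that issued it, rejected by a sibling server unless cross-server lookup is explicitly enabled, and rejected everywhere once it expires. Because tokens here are opaque, the resource server learns nothing about a token except through introspection, which keeps the issuing server as the single source of truth for revocation and expiry.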

To enable Global Token Introspection and effectively manage the flow of access within your organization's infrastructure, we encourage you to reach out to Duo Support.

The integration of OAuth Client Credentials into Duo SSO's offerings shows Duo’s commitment to providing advanced, adaptable, and precise security solutions. It's a testament to our dedication to evolving with the needs of our customers and to our vision of a secure, controlled enterprise environment. As we continue to refine and expand our capabilities, we invite you to explore the benefits of this granular security approach and join us in our mission to safeguard the identity perimeter with unmatched precision.

Next steps

OAuth Client Credentials support in Duo SSO is available for customers on Essentials, Advantage and Premier today! Check out the documentation for how you can start protecting your applications. 

For more on what we’re doing to revolutionize Continuous Identity Security, follow along in our Release Notes. If you’re an Essentials customer or a prospect interested in learning more about the power of Duo and our recently announced Cisco Identity Intelligence, the best path forward is signing up for an Identity Security Assessment. This assessment is effectively a free trial of the new functionality and will showcase a variety of valuable features and use cases.

Here’s to the future of secure Identity with Duo!

]]>
<![CDATA[Badge Integration With Cisco Duo Delivers Unique, Hardware-less MFA Experience]]> kylek@badgeinc.com (Kyle Kilcoyne) gleishman@duo.com (Ginger Leishman) https://duo.com/blog/badge-integration-with-cisco-duo-delivers-hardwareless-mfa-experience https://duo.com/blog/badge-integration-with-cisco-duo-delivers-hardwareless-mfa-experience Product & Engineering

Multi-factor authentication (MFA) has become a security staple, almost as ubiquitous in our daily lives as a morning cup of coffee. In the last year, more than 16 billion authentications have been handled by Duo. MFA is an important security tool to combat unauthorized account access. However, it is not foolproof. Traditional hardware-based MFA is high friction and imposes limitations that can be frustrating at best and increase risk surface at worst, such as through MFA fatigue and account recovery processes. We are excited to share with you a new Duo Technology Partner, Badge, and Badge’s unique integration with Duo that provides the first hardware-independent roaming MFA.

Many Duo authentications are for securing virtual infrastructures like cloud environments, or remote access systems, workstation hopping and restricting unknown and out-of-date devices from accessing applications and networks. Requesting access multiple times a day is commonplace in the day-to-day workflow of users, including billions of frontline workers worldwide. Some MFA methods can disrupt operations, and the resulting employee workarounds significantly increase the opportunity for security breaches during the authentication process. Worse, when users are in device-not-present situations — like when a mobile phone required for an MFA push is lost, broken, or unavailable — the fallback is usually a phishable, high-friction account recovery process. Not only is this bad for the user experience, but it’s bad for security too, since account recovery is increasingly becoming the front door for attackers and phishing. We’ve seen this fallback to account recovery as an increasing vector for fraud, such as with recent high-profile attacks in healthcare and entertainment targeting large companies.

Badge's novel, privacy-preserving authentication enables Duo users to authenticate passwordlessly from any device without requiring the user to have previously registered on that device. This eliminates the need for Duo users to fall back to account recovery or redirect to a phone or token each time they need to authenticate. Badge seamlessly enables enterprise authentication across applications from multiple devices, all from a single enrollment. Badge helps Duo strengthen its security posture with a seamless MFA experience that's both portable and resistant to phishing, while also enabling a truly passwordless user experience.

“Badge not only streamlines access across applications and devices but crucially reduces the risk of phishing attacks or credential exposure, making it an indispensable tool for maintaining the integrity of secure environments. Badge is excited to partner with Cisco Duo to bring this important security and user experience benefit to Duo users.” — Dr. Tina P. Srivastava, Co-Founder of Badge

Moving the trust anchor

MFA works by relying on a device or a token as the trust anchor, which means that users need to have their device or token with them — and in working order — at all times to authenticate. This reliance on specific hardware, called device dependency, is a pain for user experience and impacts security when users are forced into fallback authentication flows. With Badge, the device dependency is gone — people are their own roots of trust, rather than just a device or token.

Badge offers a cost-saving solution to help reduce friction and enable seamless, passwordless enrollment using verified credentials (VCs). Badge leverages the initial Identity Verification (IDV) enrollment, and from there the user can authenticate to access this credential anywhere, anytime, on any device. No need for repeat IDVs throughout the user lifetime journey. This saves money and user frustration.

In addition to simplifying the enrollment process, Duo can also operate as a certified passkey provider leveraging Badge, extending the passwordless capabilities of Duo. Unlike other passkey models, the Badge integration with Duo does not require users to cede trust of their key trees or login credentials to a centralized authority. Instead, Duo users leveraging the Badge passkey implementation benefit from a trust model where users can establish key provenance and maintain control over their authentication keys, enhancing security and privacy. Again, with Badge, users enroll once, and may access their passkeys on any device (including across Apple, Microsoft and Google ecosystems).

By addressing the dual challenges of security and user experience, while reducing costs to the enterprise, Duo and Badge are setting new standards for what’s possible in secure, efficient, and user-friendly identity and authentication solutions.

To learn more about Badge’s integration with Duo, check out our technology partners page or watch a short demo.

Want to learn more about Badge? Contact the Badge sales team today.

]]>
<![CDATA[Opening the Black Box of Risk-Based Authentication]]> hmullman@duo.com (Hannah Mullman) https://duo.com/blog/opening-the-black-box-of-risk-based-authentication https://duo.com/blog/opening-the-black-box-of-risk-based-authentication Product & Engineering

As MFA fatigue attacks continue to wreak havoc on organizations of all sizes, security teams are left with difficult choices about how best to secure their workforces. More stringent security requirements often come with a large user experience cost, which can frustrate employees and reduce productivity. Duo’s Risk-Based Authentication (RBA) helps solve this by adapting MFA requirements based on the level of risk an individual login attempt poses to an organization. Our algorithm considers the user’s authentication history, their location, and device to assess whether the user appears to be who they say they are, or whether their login is anomalous enough to resemble a potential attack. Risky authentications are stepped-up, and users are required to authenticate with a more secure factor.

Organizations are sometimes hesitant to deploy policies that use artificial intelligence and machine learning because it is inherently difficult to predict what will happen. Will users get blocked? How many step-up authentications will a user have to do every week? Is the help desk going to be inundated with tickets? We heard these questions from our customers repeatedly, which is why we are thrilled to announce the launch of Risk-Based Authentication Preview Mode.

Now, Advantage and Premier customers can see the impact of Risk-Based Factor Selection before they turn on the policy. When Duo’s algorithm sees an authentication that would have been stepped-up with RBA, we will present a banner in the Authentication log to show administrators more information about why this authentication looked risky. The Preview Insights window will also show information about how many step-up authentications would have been required in the past 30 days and how many of those users would require assistance from the help desk (e.g., if the user does not have a more secure factor enrolled).

Our goal with these new features is to open the black box of RBA. AI is a powerful tool that can help us solve many different problems. But when it comes to security, we know how important it is to trust how access decisions are being made. We want to make sure customers feel confident that their users are protected against the most prevalent MFA attacks when they use Duo’s Risk-Based Authentication.

Preview Mode will be on by default for all Advantage and Premier customers and can easily be toggled off, should customers not wish to see banners with detection information. We hope this helps customers feel prepared to strengthen their authentication policy and enable Risk-Based Authentication.

]]>
<![CDATA[Duo’s Data-Driven Defense: Combatting Cyber Threats in Higher Education]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/duos-data-driven-defense-combatting-cyber-threats-in-higher-education https://duo.com/blog/duos-data-driven-defense-combatting-cyber-threats-in-higher-education Industry News

Duo has a long history of protecting students across universities and higher education institutions. From personally identifiable information to federal grants and loans, students and schools are a regular target for attackers. Because Duo has such a large presence in the world of education, we can also spot trends in attack tactics and learn how to better secure your organization.

One threat pattern Duo has seen targeting higher education within the last year includes a mixture of MFA-targeted attacks including passcode phishing and MFA fatigue. If successful, the bad actor registers malicious devices on the student’s account for continued access to the student’s account and the university’s VPN. Duo Data Scientist, Becca Lynch, wrote about these attacks in the blog, Identity Threat Trends for Higher Education.

Duo has continued monitoring and responding to these attacks, while working with many of the higher education targets to secure their environments. But Duo hasn’t stopped there, as we have a unique ability to respond and establish scalable, structured product enhancements to our threat detection and response capabilities.

How Duo can help

When users set up Duo Mobile, Duo takes a device fingerprint of that phone that is stored securely in our database. A typical device might be linked to a small number of Duo accounts. For example, a user might use their personal cell phone to protect their school account and when they graduate, they use it at their new job to protect their corporate account.

However, it is extremely rare for one device to be paired with hundreds of accounts, and that’s what the attackers are doing. They’re pairing the same device to all user accounts they’ve breached. One device being used to authenticate the account of 27 students across 5 schools? That’s phishy.
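The anomaly described above, one device fingerprint registered to many accounts across many organizations, is straightforward to surface from device registration records. The Python below is an added example written for this post, not Duo's detection code: the registration events are constructed (including a made-up device registered to 27 student accounts across 5 schools), and the thresholds of five accounts or two organizations per device are assumptions chosen for the example rather than Duo's limits.

```python
from collections import defaultdict

# Constructed registration events (org, user, device fingerprint); all values are made up.
EVENTS = [
    ("state-u", "amy", "fp-9a1"),        # Amy protects her school account...
    ("acme-corp", "amy", "fp-9a1"),      # ...and later her work account with the same phone
    ("state-u", "ben", "fp-c42"),
    ("tech-college", "cara", "fp-77d"),
]
# One device registered to 27 student accounts across 5 schools, the pattern described above.
EVENTS += [(f"school-{i % 5}", f"student{i}", "fp-bad") for i in range(27)]


def accounts_per_device(events):
    """Map each device fingerprint to the set of (org, user) accounts it is registered to."""
    by_device = defaultdict(set)
    for org, user, fingerprint in events:
        by_device[fingerprint].add((org, user))
    return by_device


def flag_shared_devices(events, max_accounts=5, max_orgs=2):
    """Return {fingerprint: (accounts, orgs)} for devices exceeding either threshold.
    The thresholds are assumptions for this example, not Duo's detection limits."""
    flagged = {}
    for fingerprint, accounts in accounts_per_device(events).items():
        n_accounts = len(accounts)
        n_orgs = len({org for org, _ in accounts})
        if n_accounts > max_accounts or n_orgs > max_orgs:
            flagged[fingerprint] = (n_accounts, n_orgs)
    return flagged


if __name__ == "__main__":
    for fp, (n_accounts, n_orgs) in flag_shared_devices(EVENTS).items():
        print(f"block {fp}: {n_accounts} accounts across {n_orgs} organizations")
```

The ordinary case (one person re-using a phone across a school and an employer) stays below both thresholds, while the shared device is flagged on both counts. Counting distinct organizations separately from distinct accounts matters because an attacker working several schools at once stands out on the organization count even before the account count grows large.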

With Duo’s new feature, we can now block those malicious devices from continuing to access Duo-protected applications and the Duo admin panel. In the Duo admin panel, the logs now present when a device is blocked and why. This can also trigger an email to any configured administrator to provide immediate and up-to-date alerts on what is going on in their environment.

Duo can help protect every organization, not just universities, from these threats through improved threat detection and response capabilities. But the importance of secure policies should not be ignored.

We encourage all Duo customers, especially schools and other educational institutions, to ensure that they set up their policies to better protect their users, students and faculty alike. That means using secure authentication factors, implementing risk-based authentication to respond to change in user context, and pairing authentication with device trust policies through Duo’s Trusted Endpoints. It also means using an observability tool, like Duo Trust Monitor, to provide a view of all user events, including registrations and authentications, across your environment.

If you are not a current Duo customer but are interested in learning more, sign-up for a free trial today.

]]>
<![CDATA[Legacy Authentication Protocols: Why RADIUS Is (Still) Important]]> pdackiew@cisco.com (Paul Dackiewicz) https://duo.com/blog/why-radius-is-still-important https://duo.com/blog/why-radius-is-still-important Industry News

When reading the title of this blog, you might be wondering to yourself why RADIUS is being highlighted as a subject — especially amidst all of the advancements of modern authentication we see taking place recently. The truth is, for as old as RADIUS is, it is still (to this day) a vital protocol used in virtually every network infrastructure. Although it has many functions within the network itself, the purpose of this article is to show how RADIUS can be used when protecting applications with Duo, the benefits/drawbacks of the protocol, and why it deserves our attention.

Also, customers who subscribe to Duo Care have access to a Customer Success Manager (CSM) and a Customer Solutions Engineer (CSE). This dynamic duo provides solution architecture consulting, best practices, and overall security strategy when it comes to using RADIUS in conjunction with Duo’s services — and can help you navigate the pros and cons of the protocol relative to your organization’s specific environment and end-user needs.

What is RADIUS?

First, let's level-set on what we are talking about. RADIUS (Remote Authentication Dial-In User Service) is a networking protocol that provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. It is commonly used for network access into VPNs, wireless access points, and other devices (more on this later). 

RADIUS itself is a protocol that defines a method for passing authentication information between the network service and the AAA server, but it doesn't define the actual authentication methods. Instead, it supports a variety of authentication protocols, including EAP, PAP, CHAP, and others. Here are the differences between some of these protocols:

1. Extensible Authentication Protocol (EAP)

  • EAP is a framework that supports multiple authentication methods.

  • It’s very flexible and can work with a range of authentication mechanisms, including certificates and public key infrastructure (PKI).

  • EAP itself isn’t a specific authentication mechanism, but a way to encapsulate the authentication process.

  • EAP can be used in conjunction with RADIUS to authenticate users in more secure and complex scenarios.

  • It’s commonly used with wireless networks and Point-to-Point connections, but it’s also used for a specific VPN integration with Duo.

  • The only officially supported Duo integration that makes use of EAP is NetMotion Mobility.

  • Does the Duo Authentication Proxy support EAP or PEAP?

  • Protected EAP (PEAP) allows for TLS inside of RADIUS. Note that this is different from RadSec, which is TLS encryption of RADIUS over TCP. 

2. Password Authentication Protocol (PAP)

  • PAP is a simple authentication protocol where usernames and passwords are sent to the server as plain text.

  • Credentials are not encrypted using this protocol, but they can be obfuscated by the use of a shared secret, which is required when using the Duo Authentication Proxy.

  • Learn more about how Duo protects PAP authentication.

3. Challenge-Handshake Authentication Protocol (CHAP)

  • CHAP is more secure than PAP as it uses a challenge-response mechanism where the server sends a challenge to the client, the client responds with a value obtained by using a one-way hash function and the server checks this value.

  • The password itself is never actually sent over the network.

  • Periodic challenges can be sent to ensure that the password hasn’t been compromised and that the connection is still being managed by the same client.

  • The Duo Authentication Proxy does not support CHAP.

4. Microsoft Challenge-Handshake Authentication Protocol (MS-CHAP)

  • MS-CHAP is a Microsoft version of CHAP that includes additional features, such as a different method for hashing and an additional authentication response designed to support Microsoft clients and servers.

  • MS-CHAP v2 is an improvement over the original MS-CHAP and provides better security by using stronger cryptographic keys and a two-way authentication (mutual authentication).

  • Does the Duo Authentication Proxy support MS-CHAPv2 or EAP-MSCHAPv2?

In practice, the choice of which authentication protocol to use with RADIUS depends on the required level of security, the capabilities of the client and server equipment, and the specific use case.

Anatomy of a RADIUS packet (with Duo MFA)

The flow of a RADIUS packet through the RADIUS protocol involves several steps and typically follows this sequence:

  1. Access Request — The flow begins when a client device (known as a RADIUS client, usually a network access server or NAS) sends an Access-Request packet to a RADIUS server. This request includes credentials provided by the user, such as a username and password, along with other attributes like the IP address and port number. The application that Duo is protecting is acting as the RADIUS client device.

  2. Processing the Request — Upon receiving the Access-Request, the RADIUS server processes the request by verifying the user's credentials against a user database, typically by way of the Duo Authentication Proxy. This might involve checking Active Directory (via LDAP) or another downstream RADIUS server, such as Microsoft NPS.

  3. Challenges (Optional) — If additional information is required from the user (in the case of challenge-response authentication), the RADIUS server sends back an Access-Challenge packet to the RADIUS client. The client then prompts the user for additional information, which is sent back to the RADIUS server in another Access-Request packet. A typical example of this is when using the radius_server_challenge configuration of the Authentication Proxy.

  4. Duo Multi-Factor Authentication — Once the Authentication Proxy receives a successful message from the user database (AD, NPS, etc.), it will send an HTTPS request to Duo’s cloud service to perform MFA. The results of that authentication will determine which RADIUS message is sent next.

  5. Access-Accept or Access-Reject — After processing the request, the RADIUS server will respond to the NAS with one of the following:

    • Access-Accept — The user's credentials are valid, and the server provides authorization attributes that inform the NAS of any specific conditions for access. The user is permitted to access the application.

    • Access-Reject — The user's credentials are not valid or the user is not authorized for access. No further attributes are needed or sent. The user is not permitted to access the application.

Fig. 1: Example network diagram of a RADIUS packet flow with Duo

We won’t delve into Accounting workflows since Duo does not support this part of the RADIUS protocol. When Duo MFA is invoked, record-keeping data is tracked in the Authentication Log.

Throughout the entire process, RADIUS communication uses UDP as the transport protocol, with port 1812 being used by default. Sensitive fields in the RADIUS packets, such as passwords, are also obfuscated between the client and server to protect that information. It's important to note that RADIUS itself does not define encryption methods for the data payload; instead, it relies on a shared secret between the RADIUS client and server for obfuscating passwords and certain attributes. Learn how to protect the shared RADIUS secret and other passwords that reside on the Duo Authentication Proxy.
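To make the Access-Request / Access-Accept flow from the steps above and the shared-secret obfuscation concrete, here is an added Python example written for this post (not Duo's or the Authentication Proxy's code). It builds a PAP Access-Request, hides the User-Password exactly as RFC 2865 section 5.2 specifies, checks it against a constructed user store standing in for the AD or NPS lookup, gates the reply on a constructed MFA result, and has the NAS recompute the Response Authenticator before trusting the reply. The NAS address, the user store contents and the shared secret are all made-up values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator. Obfuscation, not encryption."""
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """Attributes are TLVs: Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> list:
    attrs = []
    while data:
        t, length = struct.unpack("!BB", data[:2])
        attrs.append((t, data[2:length]))
        data = data[length:]
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header: Code (1), Identifier (1), Length (2), Authenticator (16), then the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def client_access_request(ident, username, password, secret):
    """Step 1: the NAS (the protected application) builds an Access-Request."""
    request_auth = os.urandom(16)          # fresh per request; also keys the password hiding
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),        # constructed NAS address
        (NAS_PORT, struct.pack("!I", 1)),
    ])
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth

def server_handle(packet, secret, user_db, mfa_approved):
    """Steps 2, 4 and 5: check primary credentials, then the MFA result, then reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("malformed Access-Request")
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    password = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    primary_ok = hmac.compare_digest(user_db.get(attrs[USER_NAME], b""), password)
    code = ACCESS_ACCEPT if primary_ok and mfa_approved else ACCESS_REJECT
    reply_attrs = b""                      # an Access-Reject carries no further attributes
    auth = response_authenticator(code, ident, request_auth, reply_attrs, secret)
    return build_packet(code, ident, auth, reply_attrs)

def reply_is_authentic(reply, request_auth, secret) -> bool:
    """The NAS must recompute the Response Authenticator before acting on the reply."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(reply[4:20], expected)

def run_exchange(username, password, mfa_approved, secret=b"constructed-shared-secret"):
    """Full round trip; returns the packet code the NAS ends up with."""
    user_db = {b"alice": b"correct horse"}   # constructed stand-in for the AD / NPS lookup
    request, request_auth = client_access_request(7, username, password, secret)
    reply = server_handle(request, secret, user_db, mfa_approved)
    if not reply_is_authentic(reply, request_auth, secret):
        raise ValueError("Response Authenticator mismatch")
    return struct.unpack("!BBH", reply[:4])[0]

def forged_accept_is_detected(secret=b"constructed-shared-secret") -> bool:
    """A reply whose code was flipped to Access-Accept without the secret fails verification."""
    request, request_auth = client_access_request(8, b"alice", b"wrong", secret)
    reply = server_handle(request, secret, {b"alice": b"correct horse"}, True)
    forged = bytes([ACCESS_ACCEPT]) + reply[1:]
    return not reply_is_authentic(forged, request_auth, secret)
```

Two things worth noticing: a correct primary password with a failed MFA result still yields an Access-Reject, which is the point of putting the proxy in the path, and the password hiding is MD5 keyed by the shared secret rather than encryption. Anyone who learns that secret, or can guess a weak one, can recover every PAP password crossing the link and can mint valid Response Authenticators, which is why the secret deserves the same protection as any other credential stored on the proxy host.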

Is RADIUS still relevant?

RADIUS is typically viewed as a legacy network protocol since it cannot take advantage of modern security benefits that would normally be available when using WebAuthn, such as phishing-resistant MFA, enhanced device telemetry, biometrics, and Passwordless. We typically see RADIUS deployed (to this day) in a network appliance ecosystem because (along with TACACS+) it is one of the protocols of choice for logging into routers, switches, wireless access points, and VPNs. Robust identity platforms such as Cisco Identity Services Engine (ISE) can enhance the agility, automation, and visibility of the RADIUS protocol. Although it is recommended that end-user facing applications be migrated over to a modern authentication protocol such as browser-based SAML or OIDC (that leverage Single Sign-On), the need for RADIUS-based client/server authentication is still prevalent today. For example, consider the following points:

  1. Widespread Adoption: RADIUS has been implemented in a wide range of network devices and services. Many vendors support RADIUS in their networking equipment, making it a de facto standard for network access control.

  2. Centralized Authentication: RADIUS allows for centralized management of authentication credentials. This means that users can be authenticated across various network services and devices from a single point of control, which simplifies administration.

  3. Support for Multiple Authentication Methods: RADIUS supports a variety of authentication methods, including PAP, CHAP, MS-CHAP, EAP, and more. This flexibility allows it to integrate with various types of user databases and authentication mechanisms, including modern multi-factor authentication (MFA) systems, such as Duo.

  4. Interoperability: RADIUS works across different types of networks, including wired, wireless, and VPN connections. Its ability to function in diverse environments makes it a versatile tool for network administrators.

  5. Scalability: It can handle a large number of authentication requests, making it suitable for organizations of all sizes, from small businesses to large enterprises and ISPs. Compared to LDAP, RADIUS has less overhead when processing requests via the Authentication Proxy.

  6. Security: Although it has some limitations in terms of encryption, RADIUS does offer a level of security that is sufficient for many scenarios. The use of shared secrets and attribute obfuscation helps protect sensitive information as it travels across the network.

  7. Compatibility With Legacy Systems: Many organizations have legacy systems and infrastructure that already integrate with RADIUS. Switching to a new system using SAML or OIDC may not be (yet) feasible for an organization or the application vendor, so RADIUS remains relevant for ensuring compatibility and protecting existing technology investments.

Should I use RADIUS with Duo?

Duo supports many named integrations via RADIUS as well as a generic integration that can be used to protect virtually any RADIUS-based application. When determining whether to use RADIUS, you might be at the mercy of the application, which may only support RADIUS (and perhaps even a specific authentication protocol, such as MSCHAPv2). Or you might have the option to choose between RADIUS and another protocol such as LDAP or SAML when integrating with Duo. For example, Cisco ASA for AnyConnect has multiple integration options as seen in the ‘What are the differences between the various Cisco ASA configurations?’ knowledge base article.

To help you choose the best option for protecting your application with Duo, note some of the key differences between RADIUS and other protocols:

Conclusion

No matter what authentication method or protocol you choose to integrate with Duo, there will always be differences in security, usability, and compatibility that should be carefully considered. RADIUS remains an integral part of most network ecosystems and has enough use today to warrant serious consideration. As applications move toward modern protocols such as OIDC and WebAuthn, we should see a reduction in overall RADIUS usage — but there will likely remain critical use cases to support for the foreseeable future.

Access-Accept!

]]>
<![CDATA[Device Security Beyond Enrollment: Securing the Self-Service Portal]]> pschafer@cisco.com (Phillip Schafer) https://duo.com/blog/device-security-beyond-enrollment-securing-self-service-portal https://duo.com/blog/device-security-beyond-enrollment-securing-self-service-portal Product & Engineering

Duo’s Self-Service Portal (SSP), which lets users manage their own authentication devices, saves time for both Duo users and admins. However, it can also be a target for cyberattacks. Often the first step for an attacker with stolen credentials is to try to fraudulently register an MFA device, giving persistent access to the user’s account.

In a recent blog, we discussed best practices for user enrollment, including how to prevent malicious device registration when users self-enroll. In this blog we’ll share best practices for Duo admins to continue to reap the benefits of self-service after enrollment while keeping their user accounts secure.

Why use the Self-Service Portal?

What’s the risk?

Self-service device management presents a similar risk to new user self-enrollment: a bad actor with stolen user credentials can attempt to access the SSP and register their own device. Once they do so, they gain persistent access to the account.

Unlike new user enrollment workflows, the SSP is protected by MFA. However, attackers may try to circumvent MFA using techniques such as passcode phishing or MFA fatigue attacks. If one of these techniques succeeds against the SSP, the attacker's newly registered device lets them circumvent MFA protections for future logins to other applications.

How to protect the SSP

Protecting the SSP follows the same principles as any other resource. However, security posture exists on a spectrum and often trades off against end-user friction. A critical resource like the SSP should lean toward the secure end of that spectrum. Fortunately, users should need to access the SSP infrequently, so locked-down access controls won’t be too much of a burden.

Duo by default overrides configuration settings that allow users to bypass MFA, such as remembered device and authorized network policies and user bypass status, for SSP access. We further recommend setting custom policies for the SSP to ensure a strong posture. Specifically:

In addition to these application policy settings, admins can elect global settings to guard against device registration attacks.

With some or all of these safeguards in place, the SSP can be an effective way for users to manage their devices.

]]>
<![CDATA[Social Engineering 201: How the User Protection Suite Safeguards Organizations]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/social-engineering-201-how-user-protection-suite-safeguards-organizations https://duo.com/blog/social-engineering-201-how-user-protection-suite-safeguards-organizations Product & Engineering

In Social Engineering 101, we shared the story of John, the well-meaning employee who fell victim to a phishing attack. In this scenario, John was tricked into resetting his password by a bad actor pretending to be the IT team, which gave away access to his account. In that blog, we also discussed the many ways Duo protects John, from strong authentication methods to pairing authentication with device trust policies.

But what if the email never reached John, or the phishing link was blocked? That’s why most organizations do not rely on a single security solution but layer defenses around users and sensitive resources to ensure there isn’t a single point of failure. However, the disparate security solutions meant to protect against particular threats can lead to visibility and administration challenges for organizations.

That’s why Cisco protects users from the top attack vectors targeting organizations with the User Protection Suite, which includes Duo. The User Protection Suite defends all users, devices and access to applications to reduce gaps in the attack surface.

Now, let's rethink the story of John when he is protected by the suite.

In this new story, let's assume that email protection was not in place and the malicious email made it to John. When he clicked on the bad link, Cisco Secure Access would step in and block the user from accessing the malicious destination. Cisco sees 1 million malicious domains every hour, and all that data means we have a good idea when a website should be blocked. In this new scenario, we know John could only click the link on his managed laptop because Duo’s Trusted Endpoints would block email access on unknown or unmanaged devices.

We’ve now seen John’s credentials protected by Duo and his access protected by Secure Access. But now let’s consider if John never received the attacker’s email because Email Threat Defense recognized signs of malicious intent: there was an urgent request, from an unknown sender, with a malicious link. Email Threat Defense uses multiple AI detection engines to determine the difference between true threats and false positives. It would block the email from reaching the end user and quarantine the link to provide the organization’s administrators with the context to better understand the nature of the threats targeting their organization.

When protecting users against threats, we can never assume there is one silver bullet or single solution. Attackers are constantly finding new ways to target users and gain access to an organization’s resources and data. This is not a new story. However, when Cisco security solutions bring email, web, endpoint and authentication protections together to layer defenses around the user, our users, and their organizations, are safer.

To learn more about how the User Protection Suite can protect your organization today, see the Cisco User Protection Suite webpage and connect with an expert today.

]]>
<![CDATA[Enhancing Duo With Cross-Platform Identity Data]]> benmyers@cisco.com (Ben Myers) https://duo.com/blog/enhancing-duo-with-cross-platform-identity-data https://duo.com/blog/enhancing-duo-with-cross-platform-identity-data Product & Engineering

Identity remains a key target of attackers. Breaches leveraging identity for initial access or even privilege escalation and lateral movement are on the rise. The increased complexity of modern identity systems only intensifies the challenge of securing the identity perimeter. Organizations are grappling with a stark reality: Without contextual insights into their multi-vendor identity ecosystems, they are often blind to gaps in their defenses.

As a part of Duo’s new Continuous Identity Security solution, our deep integration with Cisco Identity Intelligence is here to bridge these gaps and deliver a new standard of protection. In the current climate of diverse Identity Providers (IdPs), hybrid workforces, and a mix of managed and unmanaged devices, Duo and Cisco Identity Intelligence organize identity perimeter data and make it easier to defend and protect.

Here's the essence of the solution: Cisco Identity Intelligence amplifies the value of your identity and security tools, including industry standbys Microsoft Entra and Okta. By integrating data from various sources, including HR systems like Workday and customer relationship platforms like Salesforce, Cisco Identity Intelligence constructs a comprehensive identity landscape. With this enriched data, Cisco Identity Intelligence organizes identity-related activity, encompassing all accounts and devices across your IdPs. This panoramic view can then be leveraged by Duo to inform enforcement points, perform Identity Threat Detection & Response (ITDR), and proactively harden your Identity and Access Management (IAM) posture.

The advantages are clear and twofold. First, you receive actionable intelligence on IAM posture gaps, enabling proactive fortification against identity-based attacks. Second, access decisions are enriched with multi-vendor identity context.

Consider the practical implications: Cisco Identity Intelligence enables administrators to significantly enhance their organization’s identity posture through critical insights into dormant accounts, gaps and vulnerabilities in MFA deployment, admin activities, and more. By coupling these insights with Duo's robust access management capabilities, organizations can modify access experiences, stepping requirements up or down, based on identity enrichment. For example, if Cisco Identity Intelligence detects a compromised session, it can seamlessly pass that information to Duo to enforce a response such as stepping up authentication requirements or revoking the session.

A CISO from a leading healthcare company expressed the tangible benefits of the integrated solution: "Cisco Identity Intelligence provides us with precise insights into identity threats. We're able to identify and address MFA adoption rates and other identity vulnerabilities, allowing us to proactively strengthen our defenses in Duo."

Next steps

The most exciting news is that Duo’s integration with Cisco Identity Intelligence is available in Public Preview to most customers today. For Duo Advantage and Premier customers, follow the documentation here to activate your integration today.

If you’re an Essentials customer or a prospect interested in learning more about the power of Duo + Cisco Identity Intelligence, the best path forward is signing up for an Identity Security Assessment. This assessment is effectively a free trial of the new functionality and will showcase a variety of valuable features and use cases.

This is just the beginning. The integration between Duo and Cisco Identity Intelligence will only improve over time — so stay tuned for product updates. Here’s to helping defend the identity perimeter!

]]>
<![CDATA[The Front Door Just Got a Lot Harder to Break Into: Announcing Passwordless Authentication for Windows Logon]]> kehankin@cisco.com (Kevin Hankins) https://duo.com/blog/announcing-passwordless-authentication-for-windows-logon https://duo.com/blog/announcing-passwordless-authentication-for-windows-logon Product & Engineering

“The best way to break in is through the front door.”

We’ve heard some version of this phrase many times over, whether it pertains to a bad actor physically breaking into a secured building or socially engineering an unsuspecting victim into providing access to protected information. The cybersecurity landscape is littered with front doors, while modern society’s reliance on digital technologies is only increasing. Inevitably, several times during the workday, employees need to enter their credentials when they turn on or unlock their device with Windows Logon — the front door. Being able to access our computers safely plays a key role in building the trust needed to adopt these technologies, which do far more good than harm.

In the world of access management, we have seen wide deployment of multi-factor authentication (MFA) at the Operating System (OS) login, layering something you know (i.e., a password) with something you have (i.e., a registered device). This move made it harder for bad actors to gain unauthorized access to the endpoint device and the data on it. Consequently, these adversaries have since adapted and continue to find creative ways to pass through the metaphorical front door of our machines. The latest trends notoriously involve a cocktail of push phishing, password spraying, stolen credentials and many other nasty ingredients.

To address the burden that these attacks place on ‘all those who want to protect their local logins’, Cisco Duo is thrilled to announce that Passwordless Authentication for Windows Logon (PWL OS Logon) is now in Private Preview!

Passwordless for Windows Logon is compatible with Duo Passport, a new capability that we announced at RSAC 2024. Together, the two capabilities deliver a true and secure single sign-on experience for the workforce right when they start their day by logging into a Windows device.

How does this improve the proverbial front door?

Cisco Duo’s approach to a passwordless experience at the OS enables a stronger, more usable defense in a variety of ways (in addition to not having to enter your password):

Stronger

Usable

Where won’t Passwordless for Windows logon work yet?

This version of Passwordless for Windows logon will not work in RDP (remote desktop) sessions. Because an RDP session crosses a trust boundary, our research shows that a different approach will be needed in the future to assert the trust of the same user on the same device.

Passwordless Offline Mode is coming soon — it is on our roadmap, but not here yet! The current experience will fall back to the existing Windows Logon Offline mode.

How can I try Duo Passwordless for Windows logon?

For an opportunity to participate in the Private Preview this summer, please reach out to us here! And if you are interested in trying Duo, sign up for a free 30-day trial.

]]>
<![CDATA[Dive in With Duo Passport: A Secure, Seamless Future]]> jduggan@duo.com (Joe Duggan) https://duo.com/blog/dive-in-with-duo-passport-secure-seamless-future https://duo.com/blog/dive-in-with-duo-passport-secure-seamless-future Product & Engineering

Duo has long been the most loved company in security. But here’s the thing: That’s despite MFA being the most grumbled-about part of many end-users’ day. While our customers love us for our ease of use, flexibility and focus on security, a lot of end users think of Duo the way they think of floss, bike helmets and low-sodium foods. Secure authentication isn’t fun, but you put up with it as part of your day because you know it’s keeping you safer.

At Duo, we are constantly pushing the envelope — how can we deliver the security that our customers need, with less inconvenience for end users? Can we make secure access a positive experience for our end users? That’s why we’re so excited to bring to market Duo Passport — a new capability that drives secure, seamless access to all the permitted applications with just one interactive authentication.

Over the past decade, MFA adoption has increased across organizations of all sizes. This is a great thing and a huge achievement for the security teams. However, it’s led to an unfortunate side effect: lots of workers, through no fault of their own and without presenting any particular risk, end up authenticating again, and again and again throughout their day. It’s normal to use an email client, a VPN, a browser, and maybe a handful of other apps in your to-do list; so why do authentication vendors put up so many walls for you?

Duo Passport reduced end-user authentications by more than 65% for one customer, which tested it over several months.

Enter Duo Passport: A better way forward

When Duo Passport is enabled, a user’s authentication is remembered for a specified time period by Duo’s cloud services across all of their applications. It leverages device binding, facilitated by Duo Desktop, to deliver a Remembered Device experience, even as the end user moves across web applications and client-based applications. Unlike other solutions, Passport does not rely on just the cookie store in the browser, or each application’s settings, to deliver a seamless experience for end-users and minimize repeated authentication requests.

Duo meets the user wherever their day starts and works behind the scenes as they move through their tasks.

Here’s where Passport gets cool: it’s customizable to your environment and compatible with all other strong security features that Duo offers. Let’s look at some examples!

One of the customers in our private preview program is an enterprise electronics company. They protect Windows Logon in their environment, as well as hundreds of applications. Some of these applications are browser-based SaaS applications, and many of them have their own clients. By rolling out Passport to more than a thousand users in their trial, they’ve saved tens of thousands of authentications that their end users didn’t have to complete interactively, while resting assured that Duo was still enforcing security through these integrations. This customer plans to roll Passport out to more than 18,000 users, and had this to say:

“The experience with Duo Passport has been really good and the feedback from all 1300 pilot users has been extremely positive. In the past, our use of MFA has been very strict and this has eased up on the end user friction that we were inadvertently putting on users.”

In another example, let’s look at Cisco’s own implementation of Duo. Cisco has deployed Passwordless widely, uses Risk-Based Authentication, and enforces Trusted Endpoints as well as Device Posture using Duo Desktop. Passport works seamlessly with all of these features! Passport adoption here is well under way, with plans for a company-wide rollout.

“With Duo, we are able to strike the right balance between User Experience and Security. It is rare that these words are used together in one statement when it comes to security related enforcements. Our User Experience satisfaction score is increasing every quarter and at the same time our security team is happy with the enforcements we are able to implement.” — Sarabjeet Rana, Information Security Architect at Cisco

A great litmus test for any balance of security and end user experience is understanding how Managed Service Providers feel about it. We’ve had a great partnership throughout our preview program with several MSPs, which speaks to the improved end user experience that Passport delivers.

“Duo Passport is an essential step on our road to making secure access the default for our customers. We selected Duo as our partner because of their attention to ease of use and their expertise across platforms. We are accelerating our deployment of Duo Passport to maximize the strength of our customers’ defenses while we keep interruptions of their workflows to the minimum.” — JustWorks, a pure play MSP founded in 1996

Duo Passport is available today, to all Duo Advantage and Premier customers. You can enable it yourself now.

We’re really excited to get this in your hands and are already hard at work on what’s next. We’re bringing Passport to multi-user scenarios, which has been requested by all our healthcare customers in preview. And if you thought that we didn’t like too many authentications…just wait until we tell you about our thoughts on passwords and remember-me cookies!

]]>
<![CDATA[Duo’s New Session Trust Solution Provides Continuous Policy]]> jgolden@duo.com (Jennifer Golden) rayluo@cisco.com (Raymond Luo) https://duo.com/blog/duos-new-session-trust-solution-provides-continuous-policy https://duo.com/blog/duos-new-session-trust-solution-provides-continuous-policy Product & Engineering

User experience and security protocols have historically been at odds. To improve security outcomes, users are forced to jump through more hoops to gain access to sensitive resources. Duo is rethinking this paradigm with the launch of Session Trust’s continuous policy.

Challenge with sessions

When a user logs in to a new application, the website sends a cookie that is stored in the browser. This enables the website to remember the user. Without these cookies, users would have to log in again with every click. Imagine if you had to enter your username and password every time you added a new item to your shopping cart or clicked on a new webpage.

That's why sessions are so important. However, a lot can change over the course of a session. At the beginning, session trust is high because the application can verify it’s the right user accessing the right resources. But over time, that trust might degrade as users move locations, devices become infected with malware, or new signals show that the current user is not the same one that initially logged in. Despite changing risks, access today is binary: it’s granted once at the start of a session and never re-evaluated until hours, or even days, later when the session expires.

So how can we enable organizations to evaluate risk throughout the session and take action beyond the point of authentication? What other tools can we provide organizations beyond setting session length?

Introducing continuous policy with Session Trust

Session Trust now makes access safer by continuously evaluating device health policy over the entire lifecycle of the session. There are three parts to this new functionality — device posture heartbeats that are collected continuously, ongoing evaluation of posture against the organization’s policy, and web session enforcement to terminate a non-compliant session.

Whereas device health policy was previously evaluated once at the time of login, continuous policy now leverages Duo Desktop heartbeats to evaluate posture constantly. Once a change is detected, a heartbeat is sent to Duo. If the device no longer complies with policy, the Duo browser extension revokes the session by removing the login cookie, prompting users to remediate device issues and re-establish trust.

By protecting sessions throughout their lifecycle, administrators can confidently increase session time, knowing that sessions can be revoked the moment risk levels change. End users can stay logged in longer, and administrators no longer need to face the hard choice of frustrating end users or attackers.

Duo’s vision for Continuous Identity Security

The Session Trust continuous policy feature is an important milestone for Duo as we seek to achieve our goal of providing Continuous Identity Security for our users and organizations. We see a world where trust is neither binary nor permanent, where Duo works continuously so you don’t have to.

As we look to the future, we are working to expand the signals that Duo can collect and process — providing a more cohesive view of risk — and giving organizations more tools to better protect their users. Additionally, we are working to make Session Trust available for more application types, ensuring that every session maximizes user experience and security.

To learn more, sign up for a free trial of Duo or reach out to your sales rep to sign up for private preview today.

]]>
<![CDATA[Cisco Duo Announces Agentless Native Integration With Google Chrome Enterprise]]> jekwok@cisco.com (Jennifer Kwok) https://duo.com/blog/cisco-duo-announces-agentless-native-integration-with-google-chrome-enterprise https://duo.com/blog/cisco-duo-announces-agentless-native-integration-with-google-chrome-enterprise Product & Engineering

Cisco Duo plays a pivotal role in safeguarding identities for organizations of all sizes and industries, providing a simple way to defend against identity-based attacks. However, challenges to zero trust security still exist; organizations must maintain strong security in mixed-IT environments while contending with staffing and spending constraints and agent fatigue.

In collaboration with Google Chrome Enterprise, Cisco Duo is excited to introduce the general availability of Duo's native Device Trust integration with Chrome Enterprise and ChromeOS to address these concerns, empowering organizations through agent-free device trust across all three major platforms: Windows, Mac and ChromeOS. Want to learn more? Check out the end-user demo!

Announcing Duo Device Trust Connector for Chrome Enterprise and Chrome OS

According to Duo’s 2024 Trusted Access Report, 62% of desktop authentications were made from Chrome. With many users already utilizing Chrome browser to get work done, Duo’s partnership with Chrome Enterprise strikes a balance of security and user experience.

With a Chrome Enterprise-managed browser, the browser itself provides device posture signals. Traditionally, establishing device trust often involved deploying and managing endpoint agents, a process that could slow down onboarding and add administrative overhead. Duo’s Device Trust integration with Chrome Enterprise eliminates this pain point with an out-of-the-box, cloud-delivered integration. Duo's integration with Chrome Enterprise provides attestation of the device identity using Duo Trusted Endpoints policy before enabling access. This is Duo’s second Chrome Enterprise Recommended solution and an updated solution of Google Verified Access.

Let’s take a look at how it works!

How Duo’s Device Trust integration protects your organization

As enterprises continue to become more reliant on the browser, more sensitive data is being stored in the cloud. It is more important than ever to protect your user identities and ensure your resources are only being accessed by managed devices.

Advantages of Duo and Google Chrome Enterprise

  • Agentless Deployment — Simplify deployment and reduce risks of transitional downtime through tested cloud delivery.

  • Stronger Security — Verify device trust at every login attempt, and limit access to only known devices and browsers.

  • Enhanced User Experience — Streamline user experience and boost productivity with an integration that secures access from any location.

  • Wide OS Support — Deploy Duo Device Trust across Windows, MacOS and ChromeOS from a single Google Admin panel (Chrome Enterprise).

  • Ease of Management — Less to manage in a centralized Duo dashboard, with granular policy adjustments for organizations of any size.

Duo Trusted Endpoints with DTC offers a powerful, agentless approach to device trust. Start customizing your zero trust strategy by enforcing device trust on your most sensitive application(s) or a particular group of users with Duo’s granular policies. Leverage Google Chrome Enterprise Core to effortlessly configure your devices, and manage access for your Windows, Mac and ChromeOS devices centrally through Duo's intuitive Admin Panel.

Read our documentation page to get started setting up Duo with DTC or check out the end-user demo. And to see additional ways Duo customers can secure their users across Google’s ecosystem, please visit our Cisco Duo + Google partner page.

Want to learn more about additional Cisco Security Chrome Enterprise Recommended solutions?

]]>
<![CDATA[Authentication Alone Is Failing: Introducing Continuous Identity Security]]> ivablazi@duo.com (Iva Blazina) https://duo.com/blog/introducing-continuous-identity-security https://duo.com/blog/introducing-continuous-identity-security Product & Engineering

The security industry has diligently battled compromised credentials, evolving from passwords to multifactor authentication (MFA) to passwordless — our most secure and phishing-resistant method to date — and one that is fully supported in Duo. Despite these advancements, we still see many identity-based breaches year over year. Why?

For one, MFA coverage is still vastly incomplete, with weaker forms of MFA now easily bypassed by attackers. And second, organizations still face practical challenges deploying passwordless solutions. Despite their remarkable security value, our 2024 Trusted Access Report reveals that passwordless methods still account for less than 5% of authentications.

This means there are serious holes in our authentication armor today. To duct tape over these gaps, we’ve often demanded our users repeatedly prove their trustworthiness — a cumbersome and frustrating experience.

To simultaneously address the increase in identity-based attacks and ease the frustration of repeated authentication, Cisco Duo is proud to announce our new solution: Continuous Identity Security. Continuous Identity Security minimizes these gaps today in chaotic real-world environments with multiple identity providers (IdPs), hybrid workforces, unmanaged devices and legacy applications. With Continuous Identity Security, you can be safer while working towards a passwordless future.

To deliver Continuous Identity Security, Duo has developed two new pieces of functionality: deep integration with Cisco Identity Intelligence and a seamless new access experience, Duo Passport.

Our integration with Cisco Identity Intelligence adds value on top of your identity and security investments like Microsoft Entra and Okta. It uses AI to analyze all identity-related activity across all accounts, all devices and IdPs to provide deep visibility into identity infrastructure and continuously inform Cisco Duo enforcement points.

The benefit is twofold. Organizations get a strong understanding of what’s happening in their identity environments, enabling them to improve posture by increasing MFA coverage, reducing dormant accounts and controlling administrator privileges more tightly. Additionally, Duo access decisions are now enriched with identity data. For example, if an administrator takes a risky action or a dormant account attempts access after months of inactivity, Duo can increase authentication requirements.

If Cisco Identity Intelligence enhances security, Duo Passport dramatically enhances user experience. Passport takes the promise of traditional Single Sign-On (SSO) solutions (i.e. one login, many use cases) and expands it beyond SaaS apps to multiple browsers, operating systems and thick clients. Now, a user can log in securely to their laptop and that trust will be seamlessly brokered to the web, and also to thick client logins like a VPN. The experience is seamless and secure for end users, drastically reducing the repeated authentication requests they face daily. In fact, a preview customer reduced authentications by 66% in their environment.

However, the expedited experience only persists in trusted scenarios. Duo will continuously assess the risk throughout the user’s session — before, during, and after login. In suspicious situations, Duo will dynamically increase authentication requirements, or even block a user.

With Continuous Identity Security, organizations can protect themselves against the sharp rise in identity-based attacks — all while maintaining a seamless access experience for their end users. Security is better because organizations now have deep visibility into identity environments and access decisions are enriched with both device and identity context. Yet user experience is also improved, because Passport and continuous analysis mean trust can be shared between authentication checkpoints, reducing authentication frustration.

While the ultimate goal is a fully passwordless landscape, the journey there is complex. Duo offers a powerful new solution for today's security challenges. With Continuous Identity Security, we make a large step forward in our commitment to frustrating attackers while delighting users. If you’d like to learn more about Continuous Identity Security, register for our webinar, read more at our solution page, or just drop us a line.

]]>
<![CDATA[Duo Continues to Enhance Partnership With Microsoft on New Entra ID External Authentication Methods]]> gleishman@duo.com (Ginger Leishman) kyang@duo.com (Katherine Yang) https://duo.com/blog/duo-continues-to-enhance-partnership-with-microsoft-on-new-entra-id-external-authentication-methods https://duo.com/blog/duo-continues-to-enhance-partnership-with-microsoft-on-new-entra-id-external-authentication-methods Product & Engineering

If you’ve been wondering what the plan for Microsoft Custom Controls is, wait no more! We are excited to have partnered closely with Microsoft in the co-development of Microsoft Entra ID External Authentication Methods, now in Public Preview!

External Authentication Methods (EAM) enables frictionless integration of Duo’s full security feature set. We know our customers love using the power of Duo’s identity security solution together with Microsoft Entra ID (previously Azure AD) to make it easy to set up SSO, deploy passwordless, or create and manage granular access policies, ensuring that only trusted users and devices are given access to their applications. Duo is now a fully integrated MFA and advanced identity security provider within Entra ID.

Want to learn more about this integration? Check out our end-user demo!

“At Microsoft Security, we're always looking for ways to help our customers stay ahead of the curve when it comes to security. The integration of Entra ID External Authentication Methods with Duo is a prime example of this commitment, as it allows our customers to leverage the MFA solution they already have in place to protect against increasingly sophisticated phishing attacks.” — Natee Pretikul, Principal Product Management Lead, Microsoft Security

Benefits of Duo and Microsoft Entra ID EAM

Heterogeneous infrastructure and mixed-vendor IT environments add complexity to managing policies, users, and devices. This can lead to confusing sign-in processes or security loopholes. Switching between multiple MFA providers can cause confusion for organizations and friction for their users. Duo’s new integration with Entra ID through EAM enables authentications through Duo to be recognized by Entra ID as a strong security factor that meets MFA requirements. Now, Duo works even more seamlessly across all Microsoft and non-Microsoft workflows, allowing customers to consolidate their identity security and MFA while delivering a consistent and frictionless experience to end users.

Duo and Microsoft for Managed Service Providers

“Duo and Microsoft EAM is a killer combination. Using them together allows Tigunia to have a single MFA system for all protected applications, while still satisfying the MFA requirement in Microsoft 365. Previously with Custom Controls, we would have to switch to MS Authenticator to perform DAP/GDAP operations or Verify Apps, but with EAM and Duo we can use a single system to require MFA for everything. The efficiency, user experience, and security gains of using EAM with Duo are incredible.” — Martin Twerski, Director of Internal Systems at Tigunia

Get started with Duo as a Microsoft Entra ID External Authentication Method

Microsoft Entra ID External Authentication Methods is available now in Public Preview, and you can dive in, begin testing and plan your migration from Custom Controls to EAM. Stay tuned, as we'll be providing further updates and support to assist customers in the transition to External Authentication Methods, like self-service password resets.

Without having to worry about transitional downtime risks, customers can experience seamless cloud delivery and setup of Duo’s stronger access security solution. Start integrating Duo with Microsoft Entra ID External Authentication Methods for an even better security experience!

Read Microsoft’s announcement to learn more about this integration. And check out Duo’s technical documentation for guidance on making the switch.

Want to see what it looks like in action? Be sure to check out our EAM end-user demo!

Duo is a Microsoft Intelligent Security Association (MISA) partner and continues to strengthen our commitment to providing customers with best-in-class security experiences. See Duo on Azure Marketplace.

]]>
<![CDATA[Best Practices for Enrolling Users in MFA]]> pschafer@cisco.com (Phillip Schafer) https://duo.com/blog/best-practices-for-enrolling-users-in-mfa https://duo.com/blog/best-practices-for-enrolling-users-in-mfa Industry News

Enrolling users to use multi-factor authentication (MFA) is an essential security step for any organization. But user enrollment can be a logistical challenge and comes with security risks. In this blog we’ll discuss enrollment options and best security practices for Duo admins, whether they are rolling out MFA for the first time or maintaining enrollment for their users.

Enrollment basics

Enrollment is the process by which users are added to a Duo account and enabled to use MFA. To be enrolled, a username must exist in Duo (i.e., be visible under the Users page in the Duo Admin Panel) and the user must have registered at least one MFA device.

Enrollment methods

Administrators have several methods to choose from for enrolling users.

  • In automatic enrollment, user information is uploaded in CSV format or synced from a directory service.

  • In self-enrollment, users enroll themselves either from an enrollment email or inline as they attempt to access a Duo-protected application.

  • In manual enrollment, admins enter information for users one at a time.

Automatic enrollment might seem easier for users, but they still must follow up to add their authentication devices. Even when a phone number is included with automatic enrollment, enabling SMS and phone call authentication out of the gate, we recommend that users add additional methods that are more secure against attacks.

To reduce helpdesk calls and encourage the use of secure authentication methods, Duo recommends that users be allowed to self-enroll and to manage their own devices after enrollment.

New User Policy

Prior to enrollment, users’ access to Duo-protected resources is governed by the New User Policy. Like all Duo policies, this can be set globally or for specific applications and user groups.

The New User Policy has three options. The default is “Require Enrollment,” which prompts users for inline enrollment the first time they try to gain access. “Allow Access” exempts new users from MFA and should be used with caution. “Deny Access” provides the tightest security control but can lead to friction for new users. For example, admins should be careful not to deny access to email accounts where users are sent self-enrollment links.

Self-enrollment risks

Duo recommends enabling users to self-enroll when possible, but there are some risks. An attacker with stolen credentials may attempt to enroll on the legitimate user’s behalf, either by stealing an emailed self-enrollment link or by initiating inline self-enrollment when attempting to access a resource. They can then register their own device, gaining persistent access to the user’s account.

Admins must weigh these risks when choosing enrollment methods and setting the New User Policy. On balance, self-enrollment can still be an effective option if admins follow best practices.

Secure enrollment best practices

Organizations’ primary goal with enrollment should be to get as many users using MFA as possible, as quickly as possible. However, they must also be careful not to leave the door open to bad actors. This section will outline best practices for keeping enrollment secure.

Practice #1: Eliminate bypass access

Enrolling users is no help if an organization’s resources do not require MFA by policy. Duo Admins can exempt applications, user groups, network addresses or locations from MFA and can place individual users in bypass status. These options are powerful tools when used appropriately but can leave resources vulnerable if organizations aren’t careful.

When users can bypass MFA and inline self-enrollment is enabled, they may never encounter the enrollment prompt and will remain unenrolled or partially enrolled indefinitely. These users’ accounts are “sitting ducks” for bad actors to steal credentials and initiate the enrollment prompt themselves.

To reduce bypass access, admins can review the access policies set in the Duo admin panel. They can also check their organization’s authentication logs to gain visibility into authentications in their environment that bypass MFA.

Practice #2: Resolve inactive and overprovisioned accounts

Inactive accounts are a risk to any organization, since bad actors can take over these accounts and use them to enroll with Duo and gain persistent access. Active accounts that are provisioned to access Duo-protected resources, but where users do not access the resources and have not enrolled with Duo, are similarly risky.

To address these risks, admins should look for user accounts with access to Duo-protected resources that are not enrolled with Duo. Tools like Cisco Identity Intelligence can help with this task by bringing together user information from multiple sources.

Practice #3: Monitor partial enrollment

Users who exist in Duo but who do not have any authentication devices registered are considered partially enrolled. Partial enrollment results when no phone number is provided during automatic or manual enrollment, or when a user fails to follow up from a self-enrollment email. Admins can also return a user to this state by deleting all their authentication devices.

Partially enrolled users are a problem because, depending on the New User Policy, they may be denied access to resources or may be at risk for self-enrollment attacks. They also consume a license and contribute to the organization’s costs.

Duo provides several tools for addressing partial enrollment. Admins can view these cases in the Admin Panel’s Users table under the heading “Not Enrolled” and can send out enrollment emails. Users who were sent an enrollment email (including through automatic enrollment) can be further reviewed in the Pending Enrollments table. As a safeguard against partially enrolled user accounts persisting indefinitely, admins can elect to lock out users who have not registered a device for a period of time after appearing in Duo.

Practice #4: Detect suspicious activity

Even the best security posture does not provide 100% protection against malicious actors. Organizations should monitor for suspicious device registrations and authentication activity, which could indicate access by a malicious actor.

Duo Trust Monitor, available on Duo’s Advantage and Premier editions, detects and notifies admins about suspicious activity in their accounts, including device registrations. Activity and authentication logs can also be imported into a third-party monitoring and detection tool using the Duo Admin API.
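To make the log review from Practice #1 and the log export from Practice #4 concrete, here is an added example (not Duo's own code) that scans authentication-log records and summarizes, per user, the successful logins that completed without a second factor. The record shape, field names and reason codes are assumed from the Duo Admin API for illustration only, and the sample log lines are constructed.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape of Duo Admin API authentication-log
# records (one JSON object per line). Field names and reason codes are assumed
# here for illustration; check them against Duo's Admin API documentation.
SAMPLE_AUTH_LOG = """\
{"timestamp": 1714000000, "user": {"name": "alice"}, "application": {"name": "VPN"}, "result": "success", "reason": "user_approved", "factor": "duo_push"}
{"timestamp": 1714000300, "user": {"name": "bob"}, "application": {"name": "Mail"}, "result": "success", "reason": "bypass_user", "factor": "not_available"}
{"timestamp": 1714000600, "user": {"name": "carol"}, "application": {"name": "Mail"}, "result": "success", "reason": "allow_unenrolled_user", "factor": "not_available"}
{"timestamp": 1714000900, "user": {"name": "bob"}, "application": {"name": "VPN"}, "result": "success", "reason": "bypass_user", "factor": "not_available"}
{"timestamp": 1714001200, "user": {"name": "dave"}, "application": {"name": "VPN"}, "result": "denied", "reason": "no_keys", "factor": "not_available"}
"""

# Reasons (assumed) that mean access was granted with no second factor presented:
# a per-user bypass status, or the New User Policy "Allow Access" letting an
# unenrolled user through. Extend this set from Duo's documented reason codes.
NO_MFA_REASONS = {"bypass_user", "allow_unenrolled_user"}


def find_mfa_bypass(log_text):
    """Return {username: {"count": n, "apps": set, "reasons": set}} covering
    every successful authentication in log_text that completed without MFA."""
    findings = defaultdict(lambda: {"count": 0, "apps": set(), "reasons": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # A denied attempt is not a bypass; only successes without a factor count.
        if rec.get("result") != "success" or rec.get("reason") not in NO_MFA_REASONS:
            continue
        user = rec["user"]["name"]
        findings[user]["count"] += 1
        findings[user]["apps"].add(rec["application"]["name"])
        findings[user]["reasons"].add(rec["reason"])
    return dict(findings)


if __name__ == "__main__":
    # Users listed here are the "sitting ducks" described under Practice #1.
    for user, info in sorted(find_mfa_bypass(SAMPLE_AUTH_LOG).items()):
        print(f"{user}: {info['count']} no-MFA logins to {sorted(info['apps'])} "
              f"via {sorted(info['reasons'])}")
```

Feed the same function the records exported through the Admin API, and cross-check the users it lists against the Admin Panel's "Not Enrolled" view and bypass settings.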

Conclusion

Duo’s policy and configuration options give administrators many ways to ensure that users are broadly enrolled in MFA across their organization. The choice of enrollment method and New User Policy ultimately comes down to each organization’s individual needs. Regardless of which options they choose, admins can keep the enrollment process secure by following the best practices above.

To learn more about setting up your organization’s Duo account, check out our Liftoff Guide.

]]>