<![CDATA[The Duo Blog]]> Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. en-us info@duosecurity.com (Amy Vazquez) Copyright 2024 3600 <![CDATA[Best Practices for Enrolling Users in MFA]]> pschafer@cisco.com (Phillip Schafer) https://duo.com/blog/best-practices-for-enrolling-users-in-mfa https://duo.com/blog/best-practices-for-enrolling-users-in-mfa Industry News

Enrolling users to use multi-factor authentication (MFA) is an essential security step for any organization. But user enrollment can be a logistical challenge and comes with security risks. In this blog we’ll discuss enrollment options and best security practices for Duo admins, whether they are rolling out MFA for the first time or maintaining enrollment for their users.

Enrollment basics

Enrollment is the process by which users are added to a Duo account and enabled to use MFA. To be enrolled, a username must exist in Duo (i.e., be visible under the Users page in the Duo Admin Panel) and the user must have registered at least one MFA device.

Enrollment methods

Administrators have several methods to choose from for enrolling users.

  • In automatic enrollment, user information is uploaded in CSV format or synced from a directory service.

  • In self-enrollment, users enroll themselves either from an enrollment email or inline as they attempt to access a Duo-protected application.

  • In manual enrollment, admins enter information for users one at a time.

Automatic enrollment might seem easier for users, but they still must follow up to add their authentication devices. Even when a phone number is included with automatic enrollment, enabling SMS and phone call authentication out of the gate, we recommend that users add additional methods that are more secure against attacks.

To reduce helpdesk calls and encourage the use of secure authentication methods, Duo recommends that users be allowed to self-enroll and to manage their own devices after enrollment.

New User Policy

Prior to enrollment, users’ access to Duo-protected resources is governed by the New User Policy. Like all Duo policies, this can be set globally or for specific applications and user groups.

The New User Policy has three options. The default is “Require Enrollment,” which prompts users for inline enrollment the first time they try to gain access. “Allow access” exempts new users from MFA and should be used with caution. “Deny Access” provides the tightest security control but can lead to friction for new users. For example, admins should be careful not to deny access to email accounts where users are sent self-enrollment links.

Self-enrollment risks

Duo recommends enabling users to self-enroll when possible, but there are some risks. An attacker with stolen credentials may attempt to enroll on the legitimate user’s behalf, either by stealing an emailed self-enrollment link or by initiating inline self-enrollment when attempting to access a resource. They can then register their own device, gaining persistent access to the user’s account.

Admins must weigh these risks when choosing enrollment methods and setting New User Policy. On balance, self-enrollment still can be an effective option if admins follow best practices.

Secure enrollment best practices

Organizations’ primary goal with enrollment should be to get as many users using MFA as possible, as quickly as possible. However, they must also be careful not to leave the door open to bad actors. This section will outline best practices for keeping enrollment secure.

Practice #1: Eliminate bypass access

Enrolling users is no help if an organization’s resources do not require MFA by policy. Duo Admins can exempt applications, user groups, network addresses or locations from MFA and can place individual users in bypass status. These options are powerful tools when used appropriately but can leave resources vulnerable if organizations aren’t careful.

When users can bypass MFA and inline self-enrollment is enabled, they may never encounter the enrollment prompt and will remain unenrolled or partially enrolled indefinitely. These users’ accounts are “sitting ducks” for bad actors to steal credentials and initiate the enrollment prompt themselves.

To reduce bypass access, admins can review the access policies set in the Duo admin panel. They can also check their organization’s authentication logs to gain visibility into authentications in their environment that bypass MFA.

Practice #2: Resolve inactive and overprovisioned accounts

Inactive accounts are a risk to any organization, since bad actors can take over these accounts and use them to enroll with Duo and gain persistent access. Active accounts that are provisioned to access Duo-protected resources, but where users do not access the resources and have not enrolled with Duo, are similarly risky.

To address these risks, admins should look for user accounts with access to Duo-protected resources that are not enrolled with Duo. Tools like Cisco Identity Intelligence can help with this task by bringing together user information from multiple sources.

Practice #3: Monitor partial enrollment

Users who exist in Duo but who do not have any authentication devices registered are considered partially enrolled. Partial enrollment results when no phone number is provided during automatic or manual enrollment, or when a user fails to follow up from a self-enrollment email. Admins can also return a user to this state by deleting all their authentication devices.

Partially enrolled users are a problem because, depending on the New User Policy, they may be denied access to resources or may be at risk for self-enrollment attacks. They also consume a license and contribute to the organization’s costs.

Duo provides several tools for addressing partial enrollment. Admins can view these cases in the Admin Panel’s Users table under the heading “Not Enrolled” and can send out enrollment emails. Users who were sent an enrollment email (including through automatic enrollment) can be further reviewed in the Pending Enrollments table. As a safeguard against partially enrolled accounts persisting indefinitely, admins can elect to lock out users who have not registered a device within a set period after appearing in Duo.
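Practices #1 and #3 both come down to the same audit question: which users can reach Duo-protected resources without ever completing MFA? The Go program below is an added example, not Duo's code, that runs that audit over a page of user records in the shape the Admin API's users endpoint returns. The JSON field names (`username`, `status`, `phones`, `tokens`, `webauthncredentials`) and the `{"stat": "OK", "response": [...]}` envelope are this example's assumptions about that response; confirm them against the current Admin API documentation before pointing it at real output. The sample records are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// User holds the fields of a Duo Admin API user record that this audit
// needs. The JSON keys are what the author of this example understands the
// /admin/v1/users response to use; treat them as an assumption and check
// them against the current Admin API documentation.
type User struct {
	Username            string            `json:"username"`
	Status              string            `json:"status"` // e.g. "active", "bypass", "disabled"
	Phones              []json.RawMessage `json:"phones"`
	Tokens              []json.RawMessage `json:"tokens"`
	WebAuthnCredentials []json.RawMessage `json:"webauthncredentials"`
}

// Finding is the audit result for one user: why the user was flagged and
// how urgent the follow-up is.
type Finding struct {
	Username string
	Severity string // "high" when both conditions hold, otherwise "medium"
	Reasons  []string
}

// hasDevice reports whether the user has registered at least one MFA
// device of any kind (phone, hardware token or WebAuthn credential).
func hasDevice(u User) bool {
	return len(u.Phones)+len(u.Tokens)+len(u.WebAuthnCredentials) > 0
}

// Audit flags users who can bypass MFA (Practice #1) and users who exist
// in Duo without any device, i.e. are partially enrolled (Practice #3).
// A user matching both is the "sitting duck" case and is rated high.
func Audit(users []User) []Finding {
	var findings []Finding
	for _, u := range users {
		var reasons []string
		if u.Status == "bypass" {
			reasons = append(reasons, "bypass status: MFA is never enforced for this user")
		}
		if !hasDevice(u) {
			reasons = append(reasons, "no registered device: user is partially enrolled")
		}
		if len(reasons) == 0 {
			continue
		}
		f := Finding{Username: u.Username, Severity: "medium", Reasons: reasons}
		if len(reasons) == 2 {
			f.Severity = "high"
		}
		findings = append(findings, f)
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Username < findings[j].Username })
	return findings
}

// ParseUsers decodes the {"stat": "OK", "response": [...]} envelope that
// this example assumes the Admin API wraps around a page of user records.
func ParseUsers(data []byte) ([]User, error) {
	var env struct {
		Response []User `json:"response"`
	}
	if err := json.Unmarshal(data, &env); err != nil {
		return nil, err
	}
	return env.Response, nil
}

// SampleUsers is a constructed response for this example; it is not real
// Duo data. Phone and credential objects are abbreviated to what the audit
// looks at.
const SampleUsers = `{"stat": "OK", "response": [
  {"username": "alice", "status": "active", "phones": [{"number": "+15555550100"}], "tokens": [], "webauthncredentials": []},
  {"username": "bob",   "status": "bypass", "phones": [{"number": "+15555550101"}], "tokens": [], "webauthncredentials": []},
  {"username": "carol", "status": "active", "phones": [], "tokens": [], "webauthncredentials": []},
  {"username": "dave",  "status": "bypass", "phones": [], "tokens": [], "webauthncredentials": []},
  {"username": "erin",  "status": "active", "phones": [], "tokens": [], "webauthncredentials": [{"credential_id": "abc"}]}
]}`

func main() {
	users, err := ParseUsers([]byte(SampleUsers))
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(users) {
		fmt.Printf("%-6s %-7s %v\n", f.Username, f.Severity, f.Reasons)
	}
}
```

On the sample data the audit flags bob (bypass with a device), carol (active but partially enrolled) and dave (bypass and no device, rated high); alice and erin are fully enrolled and not reported. In a real run the record list would come from paging through the users endpoint, and the findings would feed the review of bypass status and the Pending Enrollments table described above.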

Practice #4: Detect suspicious activity

Even the best security posture does not provide 100% protection against malicious actors. Organizations should monitor for suspicious device registrations and authentication activity, which could indicate access by a malicious actor.

Duo Trust Monitor, available on Duo’s Advantage and Premier editions, detects and notifies admins about suspicious activity in their accounts, including device registrations. Activity and authentication logs can also be imported into a third-party monitoring and detection tool using the Duo Admin API.

Conclusion

Duo’s policy and configuration options give administrators lots of ways to ensure that users are broadly enrolled in MFA across their organization. The choice of enrollment method and New User Policy ultimately come down to each organization’s individual needs. Regardless of which options they choose, admins can keep the enrollment process secure by following the best practices above.

To learn more about setting up your organization’s Duo account, check out our Liftoff Guide.

]]>
<![CDATA[Duo vs. Fraudulent Device Registration]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/duo-vs-fraudulent-device-registration https://duo.com/blog/duo-vs-fraudulent-device-registration Industry News

It is a well-known and established point that a password alone is not enough to secure an account. That’s where multi-factor authentication (MFA) comes in. Typically, a user confirms their identity using an application on their phone and accepts a push notification. But what if an attacker can just send that authentication request to their own personal phone? Now MFA can no longer stop the cybercriminal from gaining unlimited access.

This type of attack is known as Account Manipulation: Device Registration. This is when a bad actor gains access to a user’s account through compromised credentials and push bombing or phishing a one-time passcode to get past the MFA requirement. Then, the attacker enrolls a new device to bypass MFA and gain unlimited access to an organization’s resources and data.

Mike Moran, Duo data scientist, threat researcher, and co-contributor of this MITRE ATT&CK® technique wants customers to understand how important it is to be aware of and protect against this type of attack.

“An adversary attempting to or successfully registering their own MFA device has become much more common over the last few years, yet it is still an aspect of zero trust systems that is often overlooked. This reality highlights the need for security enhancements to the enrollment process that provide real-time detection and remediation while maintaining scalable usability.”

Protecting against fraudulent device registration requires fully understanding the device enrollment process within your organization and increasing your defenses against this specific action. In addition, it is important to continuously audit and monitor your environment to detect potentially risky registrations. With Duo, there are a few different approaches to harden your defenses. You can also check out this Duo help article that provides policy recommendations and directions for how to secure your accounts.

Proactive Protection:

  • Self-Service Portal Authentication: Configure the self-service portal policy so that adding a new device to a Duo account requires authentication with more secure factors, like WebAuthn or Verified Duo Push.

  • Trusted Endpoints: Duo’s Trusted Endpoints feature allows an organization to block all unknown or unmanaged devices from accessing your organization’s resources, preventing the trusted user from getting fraudulent push or enrollment requests in the first place.

  • Risk-Based Authentication: Risk-Based Authentication can detect patterns from attackers and step up the authentication requirements to more secure factors in unknown or risky situations.

Detection & Response:

  • New Device User Notifications: Set up notifications so users are informed if a new device has been added to their account. If the user does not recognize the device or action, they can report the activity to the Duo administrator.

  • Duo Trust Monitor: Duo Trust Monitor uses a combination of machine learning models and security heuristics to surface events that may be a risk or threat to your organization. For device registration events, we primarily use heuristics that are defined by threat researchers based on previously observed or theorized attacks against MFA systems. The product is currently being improved to surface registration events in real time, combine intelligence from multiple data sources when making an assessment, and more.

For more information on best security practices to protect against identity-based attacks, check out Duo’s new eBook, Securing Organizations Against Identity-Based Threats.

]]>
<![CDATA[Enhanced Duo Policy Management]]> aneuhoff@duo.com (Andrea Neuhoff) https://duo.com/blog/enhanced-duo-policy-management https://duo.com/blog/enhanced-duo-policy-management Product & Engineering

At Duo, we know just how important the admin experience is. Without it, features don’t get used and customers don’t get their return on investment. It’s for this reason that we’re excited to release a new view of Duo policies designed specifically to solve customer complaints and help admins manage their policies.

Policy is at the heart of deploying and managing Duo. It’s how admins customize the security experience of users and manage risk during authentications. It’s how you block untrustworthy devices or require the latest operating system versions. However, it traditionally doesn’t let admins easily understand policies they have or quickly view the contents. Instead, customers have faced long scrolling, no built-in searching or sorting, and no high-level summaries.

We’re changing that.

What’s new?

The first thing you’ll notice when exploring this new view is how compact it is. Gone are the days of scrolling and scrolling. This new screen is designed to show about 5 policies, because 90% of customers have five or fewer policies. Want to know if you’ve got policies with the same name or applied in similar ways? It’s easy to see all in one screen.

What if you want to see a few details or a summary of that policy? It’s just a click away. Click on “rules” and you’ll see a drawer designed to highlight the most important information. You can see when a policy was created, when it was last modified, what rules are enabled and how it’s been applied.

See the video at the blog post.

Want to know which policies have been applied to an application or user group? Search is now built into the page. The days of command+f are gone. You can search and the list will filter to only show policies with matching results. The layout is designed to make it significantly easier to scan and see how any particular policy has been applied.

It’s not just visual changes that we’ve added. You now have the ability to duplicate a policy or bulk delete policies. We talked to users and saw admins painstakingly recreating complex policies from scratch only to discover typos days or months later. With duplication, admins can duplicate any policy (including global) as many times as they like.

See the video at the blog post.

The policy team is very excited to introduce this new view. It’s the first big change to this page in years and it’s just the beginning of new policy features in the works.

Try it out

How can you experience this new view? Sign into the admin panel, head over to policies and click on the banner. And since we know change is hard, if you don’t like the new view, you can always switch back.

]]>
<![CDATA[The Argument for Security Being a Priority, Not a Feature]]> mrotar@cisco.com (Mike Rotar) https://duo.com/blog/the-argument-for-security-being-priority-not-feature https://duo.com/blog/the-argument-for-security-being-priority-not-feature Product & Engineering

Negative Outcomes of Using Security Functionality From IT Tools Instead of Dedicated Security Controls

Vendor consolidation is gaining momentum in the IT space. CIO magazine reported that 95% of IT executives polled plan to consolidate software solutions due to “architecture consolidation” and “cost.” Hypothetically, consolidating vendors could seem appealing. After all, it could decrease spending and reduce silos in infrastructure, so what could go wrong?

When it comes to securing identities, the stakes are high; Cisco Talos reported in February that three of the top five MITRE ATT&CK techniques used in 2023 were identity-based. So, what really happens when you move to consolidate identity security from a best-of-breed identity security product like Duo to a bundled “identity management with security” solution?

Today, we’ll highlight key negative business outcomes to watch out for with the new software consolidation trend, and why Duo may be the best option for your organization’s identity security strategy.

Negative outcomes of migrating off best of breed

Bundled identity security licensing may have sticker price appeal, but customers find Duo more cost-effective to implement, maintain, and support. As stated in the Forrester Total Economic Impact™ of Cisco Duo blog, “customers saved $3.23 million net present value (NPV) and had a 159% ROI.”

On paper, the positive outcomes of decreased spending and reduced software infrastructure silos sound appealing. Still, if you decrease spending on the front end, and increase total cost of ownership, it could severely impact your return on investment.

In the long term, through complex deployment, ongoing maintenance, support, process changes and enablement, bundled identity solutions could severely reduce your return on investment and create negative outcomes for your identity security strategy.

Increased total cost of ownership

To move from a best-of-breed product like Duo to a bundled identity solution, the increase in cost of ownership begins with deployment and extends into ongoing life cycle management, support, and more.

Information technology and security leadership needs to be aware of the hidden costs and the burden of a “rip and replace” migration that impacts all users, administrators and contractors. This burden falls on your team's shoulders. Because a project of this kind touches the entire organization, it has the potential to push back other projects. Your team must plan to disrupt the entire user population's access routines and prepare fellow directors and C-levels for their teams to experience disruptions and delays in response from support. Your attention must then turn to your admin teams as they secure, manage and support a new solution, with a plan for an increase in support tickets and complications with advanced access policies, application gaps and other single-solution weaknesses.

Your super administrator accounts are now also a top attack vector and house both identity and security in one platform, so you need to make sure policy is as strict as possible for privileged access users and monitor abuse closely.

This also creates a lot of problems for your admins, analysts and help desk teams, as they’ll have to dedicate time to address testing and configuring new product technical prerequisites, access management policies, and new authentication configurations.

First, your team will need to test, configure, and deploy any new product technical prerequisites, access management policies, and change application configurations across your environment. Your team will then need to move any custom integrations — such as Duo software development kit (SDK) use cases, API use cases, and SIEM workflows — and address any application, logging and policy gaps in the new solution. Your team will also need to update all existing administrator and user enablement while also informing, educating, and training administrators, users, and contractors on the new solutions. This includes policy, application configuration, troubleshooting tactics, log management, configuration documentation, diagrams and more while your organization grows comfortable with the new solution.

This brings me to user experience, which will be disrupted across the organization given the change in login experience. Users, contractors and partners will need to expect delays in help desk response time and in support knowledge of the new software. They’ll also need to take any new access management training and become familiar with new access management software. There will also be changes in experience, such as self-service device management policy limitations, mobile app experience and clear user messaging when logging in or remediating issues.

User self-remediation helps Duo customers decrease help desk tickets by notifying and warning users of out-of-date software at login. It also enables users to update their own devices immediately. If users do not remediate, you can enforce software policies across browsers and devices with access control policies. This allows organizations to lessen the help desk load by keeping devices up-to-date, healthy and able to meet corporate access requirements. Unlike other access policy engines, Duo manages software versions, so you don’t have to manually update.

Decreased security

Identity is the only perimeter left, and it’s a complex problem. It can be a game of whack-a-mole trying to plug every hole the identity journey creates. Identities are accessing both cloud and on-premises applications. They’re also working from anywhere, anytime, from any device, which creates an assortment of challenges that require strong, easy-to-use and deployable security. Without this kind of security, attackers simply find workarounds for existing security solutions and infiltrate.

CISA reported that “Weak Security Controls and Practices Routinely Exploited for Initial Access.” This means that advanced identity security access management policies are either being misconfigured or deliberately not configured, which allows attackers to attack gaps and weaknesses in access management policies. As highlighted by recent identity-based attacks, both scenarios are being exploited by attackers to the same effect.

Today's threat landscape requires the strongest levels of security on identities, applications and devices accessing sensitive, corporate applications. Artificial intelligence (AI) will continue to create more challenges as it continues to improve on impersonation and automatic attack generation.

With identity being the most attractive attack vector, your organization needs strong, easy-to-use and deployable identity security solutions to combat the evolving threat landscape. Bundled identity solutions have slower-to-deploy security tools with complex, strict technical prerequisites, security limitations, expensive licensing and reliance on expensive partner products to protect all workflows across identities, apps and devices. In addition, super admin account takeover attacks can have a higher impact, since identity management and access security are centralized under one login.

Once all identities, apps and devices are configured, inferior identity and device security policies and controls can lead to weak access requirements being put in place due to policy engine complexities and limitations. Reporting and logging tools typically lack security visibility and tailored usage insight, and it’s difficult to understand app, identities, and device activity over time across portals which makes it complicated to audit login issues and troubleshoot when issues arise.

Some upsold advanced security features, such as identity protection and risk-based authentication, are more reactive threat analysis tools than adaptive, real-time authentication security solutions that assess risk at the point of login and throughout the lifetime of the session. It’s also typically complex and/or expensive to protect workstations, legacy apps and servers such as SSH, RDP, RADIUS, and most do not have a software development kit or APIs like Duo.

How Duo is different

Easy to use

To begin with, Duo makes things simple for our customers:

  • Simple for users to enroll, authenticate and remediate issues

  • Simple for administrators to configure, deploy, protect and manage

  • Simple for security operations analysts to review and analyze threat data

Scalable and flexible

Duo can adapt to your needs as your organization evolves:

  • Grows with your business as your security needs change

  • Offers a broad range of authentication methods for every type of identity

  • Flexible, deploy-ready policy controls

Faster speed to security

Duo also provides what we refer to as “faster speed to security”:

  • Duo is fast and makes it easy to deploy advanced identity security controls across any size organization

  • Thanks to Duo’s self-service and user self-remediation features, end-users can resolve issues using Duo very quickly without contacting IT

  • Identity security in-depth; as threats change, we enable customers to respond and block threats rapidly

Broadest coverage

Finally, Duo delivers the broadest coverage across identities, devices and applications:

  • Supports all identity types (employees, contractors and partners)

  • All types of devices (corporate-issued managed devices and personal unmanaged devices, plus most operating systems including macOS, Windows, Linux, iOS and Android)

  • Integrates with virtually any application, whether it’s off-the-shelf or custom-built, and hosted on-premises or in the cloud

Duo is just getting started

While the allure of bundled identity may be tempting, it's essential to carefully weigh the potential risks and costs associated with migrating from Duo to alternative solutions. By considering factors such as weaker security policies, deployment and training expenses, hidden costs and the value of familiarity and reliability, businesses can make informed decisions that prioritize their security and operational efficiency in the long run. In the complex maze of cybersecurity, often the best path forward is the one you're already on.

Where Duo is headed next

To learn more about where Duo is heading, please check out the Duo blog: Announcing Identity Intelligence With Duo, which highlights Duo’s available customer preview of identity threat detection and response (ITDR) and identity security posture management (ISPM) functionality and more exciting identity security innovations.

Stay tuned!

If you would like to chat more with a sales or partner specialist about identity security, feel free to contact us!

]]>
<![CDATA[Cisco Joins the FIDO Alliance Board]]> mmiller@duo.com (Matthew Miller) https://duo.com/blog/cisco-joins-fido-alliance-board https://duo.com/blog/cisco-joins-fido-alliance-board Industry News

Duo Security has been a long-time supporter of the FIDO Alliance, starting in 2014 with our adoption of U2F. We remain active through 2024 in many of FIDO's working groups and continue to support the FIDO Alliance's mission of reducing the world's reliance on passwords through passkeys.

Two years ago, work began to assess Duo's commitment to this mission and consider how we might more actively participate in its evolution. We are happy to announce the following changes to this strategic partnership.

First, Duo Security has successfully migrated our FIDO Alliance membership to Cisco. This will let us extend access to the FIDO Alliance to other Cisco teams like Webex.

Second, we realized that for Duo to effectively push for the improvements and changes that our customers desire (or even require), we needed to increase Cisco's membership within the FIDO Alliance to gain a seat on the Board. The Board drives the direction of the FIDO Alliance. Additionally, as the FIDO Alliance shifts its strategy to focus on passkeys adoption guidance, we felt now was the time to leverage our extensive experience as a Relying Party and add our voice to underrepresented passkeys use cases.

After months of discussing this idea with internal and external parties, a formal written application, and virtual interviews, we are pleased to announce that the FIDO Alliance has approved Cisco's application to join the Board. Matthew Miller will be Cisco's delegate on the FIDO Alliance Board with Chris Anderson serving as his alternate. This will allow us at Duo Security and greater Cisco to push for the changes we and our customers desire within the FIDO Alliance as well as continue our thought leadership within the identity and authentication industry.

“We enthusiastically welcome Cisco to our board of directors,” said Andrew Shikiar, executive director and CEO of the FIDO Alliance. “Cisco has been a longtime and valuable contributor to FIDO Alliance and its authentication specifications first through Duo Security and now formally as Cisco.”

Shikiar continued, “We look forward to Cisco’s expertise and direction as a relying party at the board level, which is critical now as FIDO technology has matured and we’ve shifted our focus to the usability of passkeys and enabling relying parties to implement them effectively.”

Here's to passkeys in 2024 and beyond!

]]>
<![CDATA[Understanding the Silver SAML Vulnerability & How Duo SSO Can Help]]> cmedfisch@duo.com (Colin Medfisch) https://duo.com/blog/understanding-silver-saml-vulnerability-how-duo-sso-can-help https://duo.com/blog/understanding-silver-saml-vulnerability-how-duo-sso-can-help Industry News

In cybersecurity, the constant emergence of new vulnerabilities keeps organizations on their toes. A recent development is the discovery of the Silver SAML attack, a sophisticated vulnerability that targets Security Assertion Markup Language (SAML)-based authentication systems. Let's delve into what this means for organizations and how solutions like Duo SSO are designed to mitigate such risks.

What is the Silver SAML vulnerability?

Cybersecurity researchers have uncovered a new attack method known as Silver SAML. This technique can exploit SAML-based single sign-on (SSO) services, even when measures against similar Golden SAML attacks are in place. The vulnerability centers on the use of self-signed or externally generated certificates for signing SAML responses. If attackers obtain the private key of an externally generated certificate, they can forge SAML responses and impersonate any user, gaining unauthorized access to applications and services.

Duo SSO’s mitigation approach

Duo SSO has a security architecture that inherently mitigates this type of vulnerability. Unlike some identity providers that allow the use of externally generated certificates for SAML response signing, Duo SSO exclusively uses self-signed certificates. This design choice significantly reduces the risk associated with the Silver SAML attack in the following ways:

  • Controlled Certificate Lifecycle: Self-signed certificates are generated and managed internally within the Duo SSO ecosystem. This control over the certificate lifecycle minimizes the risk of private keys being compromised.

  • Integration Segmentation: Each Duo SSO integration has a dedicated signing key that is only ever stored in encrypted form and backed by a Hardware Security Module (HSM). The HSM provides an additional layer of protection by managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device.

  • No External Exposure: By not allowing externally generated certificates, Duo SSO ensures that the signing process is less susceptible to external threats. There's no risk of an attacker obtaining a private key from a certificate generated outside the protected environment.

  • Regular Auditing and Monitoring: Duo SSO includes robust auditing and monitoring features that help detect and alert on any suspicious activities, including unauthorized changes to configurations that could indicate an attempted security breach.

  • Best Practice Enforcement: Duo SSO encourages and enforces security best practices, such as strong authentication measures, which provide an additional layer of defense against various attack vectors, not just Silver SAML.
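The Silver SAML discussion above is ultimately about where trust in a SAML signing key comes from. As an added example, not Duo's code and not a description of how Duo SSO is built internally, the Go program below shows the service-provider half of that trust decision: a weak verifier that checks a response with whatever key the message itself carries (the role `<ds:KeyInfo>` plays in XML Signature) beside a verifier that only accepts signatures made with the IdP key it was configured with out of band. XML-DSig and canonicalisation are replaced by an RSA-PSS signature over a SHA-256 digest of the assertion bytes, so the trust logic is visible without an XML library; the type and function names (`Response`, `VerifyTrustingKeyInfo`, `VerifyPinned`, `Demo`) and the assertion text are this example's own. The caveat matters: pinning protects against a signature made with some other key, not against a stolen copy of the pinned key itself, which is exactly why the post stresses keeping signing keys internally generated and HSM-backed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Response is a simplified stand-in for a signed SAML response: the
// assertion bytes, an RSA-PSS signature over their SHA-256 digest, and the
// public key the message itself advertises (what <ds:KeyInfo> carries in
// real XML Signature). Canonicalisation and XML-DSig are omitted because
// the point here is the trust decision, not the encoding.
type Response struct {
	Assertion   []byte
	Signature   []byte
	EmbeddedKey *rsa.PublicKey
}

// Sign produces a response signed with priv and embeds priv's public key.
func Sign(priv *rsa.PrivateKey, assertion []byte) (Response, error) {
	digest := sha256.Sum256(assertion)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Response{}, err
	}
	return Response{Assertion: assertion, Signature: sig, EmbeddedKey: &priv.PublicKey}, nil
}

// VerifyTrustingKeyInfo is the weak pattern: it checks the signature with
// whatever key the message carries. Any key the signer chose will pass, so
// this proves nothing about who produced the assertion.
func VerifyTrustingKeyInfo(r Response) error {
	digest := sha256.Sum256(r.Assertion)
	return rsa.VerifyPSS(r.EmbeddedKey, crypto.SHA256, digest[:], r.Signature, nil)
}

// VerifyPinned ignores the embedded key entirely and verifies against the
// IdP signing key the service provider configured out of band (from IdP
// metadata). A response signed with any other key is rejected.
func VerifyPinned(pinned *rsa.PublicKey, r Response) error {
	digest := sha256.Sum256(r.Assertion)
	if err := rsa.VerifyPSS(pinned, crypto.SHA256, digest[:], r.Signature, nil); err != nil {
		return errors.New("signature was not made with the pinned IdP signing key")
	}
	return nil
}

// Outcome records what each verifier decided for a legitimate response and
// for one signed with a key the IdP never issued.
type Outcome struct {
	WeakAcceptsForged   bool
	PinnedAcceptsForged bool
	PinnedAcceptsLegit  bool
}

// Demo generates the IdP's key and a second key standing in for one the IdP
// never issued, signs the same assertion with each, and runs both verifiers.
func Demo() (Outcome, error) {
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed assertion content for the example; not a real SAML document.
	assertion := []byte(`<Assertion><Subject><NameID>admin@example.test</NameID></Subject></Assertion>`)
	legit, err := Sign(idpKey, assertion)
	if err != nil {
		return Outcome{}, err
	}
	forged, err := Sign(otherKey, assertion)
	if err != nil {
		return Outcome{}, err
	}
	return Outcome{
		WeakAcceptsForged:   VerifyTrustingKeyInfo(forged) == nil,
		PinnedAcceptsForged: VerifyPinned(&idpKey.PublicKey, forged) == nil,
		PinnedAcceptsLegit:  VerifyPinned(&idpKey.PublicKey, legit) == nil,
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it shows the weak verifier accepting the response signed with the unrelated key while the pinned verifier rejects it and still accepts the genuine one. The same principle applies to a real SAML service provider: take the verification key from the IdP metadata you configured, never from the key material inside the message being verified.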

Remaining vigilant

While Duo SSO's approach to using self-signed certificates for SAML response signing effectively mitigates the specific risk presented by the Silver SAML attack, it's a stark reminder of the need for organizations to maintain constant vigilance. Cyber-based threats are constantly evolving, and defenses that are secure today may be challenged by the threats of tomorrow. To stay ahead of potential risks, it's crucial for organizations to target three essential processes:

  • Implement comprehensive security strategies that go beyond reliance on a single mitigation technique. Remember, a multi-layered approach to security is essential in creating a resilient defense against a variety of threats.

  • Stay up to date with the latest security advisories and updates. Keeping informed about new vulnerabilities and emerging attack vectors is the first step in a proactive defense.

  • Educate users and IT teams on potential threats. Knowledge is power in cybersecurity. Regular training and awareness programs can empower users to recognize and respond to security incidents.

When thinking about a comprehensive security strategy, increased visibility and monitoring around the identity perimeter is indispensable. Solutions like Duo’s identity security capabilities powered by Cisco Identity Intelligence play a pivotal role in enhancing security posture. By offering continuous monitoring and advanced analytics, Duo equips organizations with the capabilities necessary to detect and respond to anomalous behavior and access patterns in real-time. This level of insight is critical for identifying and mitigating potential compromises before they escalate into more significant breaches.

With features such as endpoint visibility, anomaly detection, automated alerts, and dynamic policy enforcement, Duo serves as a steadfast guardian, safeguarding the identity perimeter. It's a robust layer of security that complements the inherent strengths of Duo SSO, creating a unified front against identity-based threats.

As we traverse the complexities of the security landscape, it's clear that the partnership with trusted and proactive security providers like Duo is more than a convenience—it's a strategic imperative. By leveraging advanced solutions like Duo’s identity security, organizations can achieve the heightened level of security vigilance required in today's digital age.

Conclusion

The Silver SAML vulnerability highlights a landscape where threats constantly evolve and demand agile and robust defenses. Duo SSO's use of self-signed certificates sets a strong defensive baseline against such threats. However, to truly stay ahead, organizations need to augment foundational security with advanced protections.

Duo’s identity security capabilities powered by Cisco Identity Intelligence offer this next level of defense, providing the necessary visibility and proactive monitoring to identify and thwart potential threats swiftly. By choosing Duo Advantage or Duo Premier plans, organizations gain access to these enhanced capabilities, reinforcing their security posture in the face of sophisticated attacks like Silver SAML.

Act now to fortify your organization's defenses. Duo SSO is available in all Duo editions, allowing you to securely protect your SAML, OIDC, and OAuth applications. Explore the Duo Advantage and Duo Premier plans to unlock the full potential of Cisco Identity Intelligence and ensure your organization's resilience against the ever-changing threat landscape.

]]>
<![CDATA[Remote Desktop Threats & Remediations]]> beccalyn@cisco.com (Becca Lynch) https://duo.com/blog/remote-desktop-threats-remediations https://duo.com/blog/remote-desktop-threats-remediations Industry News

Remote Desktop Protocol (RDP) enables much of today’s hybrid workforce, allowing employees to remotely access desktop computers regardless of their location. Like any remote access tool, however, it is susceptible to security threats, including brute force attacks.

Attackers can gain unauthorized access to an RDP connection via several brute force methods, the most common of which is credential spraying. In this attack method, a small number of commonly used passwords are tried over many user accounts in succession. Many free and open-source tools, including NLBrute, Crowbar and Hydra, currently exist to allow attackers to automate these efforts over many user accounts at once. Once access is gained, even to a single user account, the results can be devastating. Malicious actors can potentially access any files on the desktop, install and operate malware, exfiltrate user and customer data, and access other devices on the same network. Research by Sophos estimates that 95% of all attacks in the first half of 2023 involved RDP access and emphasizes taking steps to further secure RDP applications.

While securing RDP applications with multi-factor authentication (MFA) is an essential first step, we have seen a recent uptick in large-scale RDP attacks that can successfully subvert traditional MFA depending on the account policies and configuration. We will detail how these attacks appear in Cisco Duo authentication data, as well as outline simple and practical steps that you as an administrator can take to configure Duo to prevent this type of attack from infiltrating your environment.

Identifying RDP Brute Force attacks in MFA logs

As part of ongoing threat hunting efforts in collaboration with Cisco Talos Intelligence Group, we on Duo’s Security Data Science team sought to identify IP addresses responsible for RDP attack attempts against Duo customers. Across authentication data from 2023, we flagged any IP address that made at least 100 authentication attempts to RDP applications, spread over at least 3 organizations deploying Duo, with a failure rate of at least 70%. After vetting these IP addresses with the assistance of Talos, we identified 52 IP addresses confirmed or highly likely to be associated with RDP brute force attack patterns.

Observed behavior from one such IP can be seen below, with the vertical axis representing individual customers. With this visualization, we can see the attackers crawling customer environments, sending repeated failed attempts to a group of customer networks. All attempts shown here are failures. (Note that this is only a sample of the impacted customers).

The individual IPs and their corresponding active protocols varied widely, as we observed using Censys Search. Of the 25 hosts with active protocols at the time of our hunting efforts, 15 were running file-sharing protocols such as SMB and FTP, indicating file exfiltration as a possible primary goal of these attacks. The remaining active hosts were running a variety of VPN protocols, including OpenVPN, IKE (IPSec), and PPTP, likely in an attempt to obfuscate the true source of the attacks.

Most hosts belonged to cloud hosting providers, the most common being the Panamanian provider “Flyservers”. A small number of hosts appeared to be residential or commercial hosts that had been captured by the attackers and used to send malicious requests.

Duo has since added all IPs suspected of RDP brute force attacks to our global block list, preventing them from any further access to our service across all Duo customers. As it is trivial, however, for attackers to rotate IP addresses, we will outline ways in which long term prevention can be achieved through improved security posture and policy configurations.

Prevention

Deny unenrolled users

Among the roughly 80,000 attempts from these RDP brute force networks, only 2% of authentications were successful. Many of these successes were potentially preventable via policy configurations within the Duo Admin Panel. The first of these relates to the way that new users enroll in Duo, particularly the ability to allow unenrolled users (those without any user account in Duo) to bypass MFA upon initial access. Of the successful accesses by the attackers in this case, 53% were to user accounts which had this MFA bypass policy configured. By contrast, over half of all malicious attempts were stopped via denying access to users not enrolled in Duo.

If possible, we recommend the following prevention measures to reduce the attack surface area.

Good

Enable monitoring on authentication logs to be notified when access to an application occurs as a result of allowing unenrolled users, particularly upon access to RDP applications. Repeated successes from a single IP address with no further user enrollment following the authentication may indicate an RDP attack and that user credentials have been compromised.
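The two analyses described above, the hunt criteria (at least 100 RDP attempts, across at least 3 organizations, with at least 70% failures) and the monitoring rule for RDP successes granted to unenrolled users with no enrollment following, can be expressed directly as detection logic over authentication records. The following is an added example and not Duo's own code: every record is constructed, and the field names (org, ip, app, user, result, reason, ts) and reason strings are assumptions only loosely modelled on the shape of Duo Admin API authentication log entries, not Duo's exact values.

```python
"""Detection logic for two RDP brute-force hunts over MFA authentication logs.

Added example, not Duo's code. All records are CONSTRUCTED; the field names
(org, ip, app, user, result, reason, ts) are assumptions only loosely
modelled on the shape of Duo Admin API authentication log entries, and the
reason strings are illustrative rather than Duo's exact values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    ts: int       # unix seconds
    org: str      # tenant; a cross-customer view like Duo's internal hunt
    ip: str       # access-device IP address
    app: str      # protected application name
    user: str
    result: str   # "success" or "failure"
    reason: str   # why the result was reached (assumed values)


def brute_force_candidates(events, min_attempts=100, min_orgs=3,
                           min_fail_rate=0.70, app_filter="RDP"):
    """Return {ip: stats} for source IPs meeting all three hunt thresholds."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "orgs": set()})
    for e in events:
        if app_filter not in e.app:
            continue
        s = stats[e.ip]
        s["attempts"] += 1
        s["orgs"].add(e.org)
        if e.result != "success":
            s["failures"] += 1
    flagged = {}
    for ip, s in stats.items():
        fail_rate = s["failures"] / s["attempts"]
        if (s["attempts"] >= min_attempts and len(s["orgs"]) >= min_orgs
                and fail_rate >= min_fail_rate):
            flagged[ip] = {"attempts": s["attempts"], "orgs": len(s["orgs"]),
                           "fail_rate": round(fail_rate, 2)}
    return flagged


def unenrolled_bypass_alerts(events, enrollment_times, min_successes=2,
                             window=86400):
    """Flag IPs with repeated RDP successes let through by the 'allow
    unenrolled users' policy where the user still had no enrolled device
    `window` seconds later: the pattern the article calls out."""
    by_ip = defaultdict(list)
    for e in events:
        if ("RDP" in e.app and e.result == "success"
                and e.reason == "allow_unenrolled_user"):
            enrolled_at = enrollment_times.get((e.org, e.user))
            if enrolled_at is None or enrolled_at > e.ts + window:
                by_ip[e.ip].append((e.org, e.user))
    return {ip: sorted(set(v)) for ip, v in by_ip.items()
            if len(v) >= min_successes}


def sample_events():
    """Constructed sample: one IP crawling four tenants (RFC 5737 test
    address) and one busy but legitimate corporate egress IP."""
    attacker, corp, t0 = "203.0.113.7", "198.51.100.20", 1_700_000_000
    events = []
    for i in range(120):  # 108 failures, 12 successes: 90% failure rate
        org = ("acme", "globex", "initech", "umbrella")[i % 4]
        if i % 10 == 0:
            events.append(AuthEvent(t0 + i, org, attacker, "Windows RDP",
                                    f"user{i}", "success", "allow_unenrolled_user"))
        else:
            events.append(AuthEvent(t0 + i, org, attacker, "Windows RDP",
                                    f"user{i}", "failure", "no_response"))
    for i in range(150):  # one tenant, 4% failures: normal office traffic
        ok = i % 25 != 0
        events.append(AuthEvent(t0 + i, "acme", corp, "Windows RDP",
                                f"emp{i % 40}", "success" if ok else "failure",
                                "user_approved" if ok else "no_response"))
    return events


# Constructed enrollment record: only user0 at acme enrolled a device afterwards.
SAMPLE_ENROLLMENTS = {("acme", "user0"): 1_700_000_000 + 3600}

if __name__ == "__main__":
    evs = sample_events()
    print(brute_force_candidates(evs))
    print(unenrolled_bypass_alerts(evs, SAMPLE_ENROLLMENTS))
```

The busy corporate IP has more attempts than the attacker but touches one tenant with a low failure rate, which is why the three thresholds are applied together rather than on volume alone; the second function deliberately keys enrollment on (org, user) so a user enrolling at one tenant does not clear an alert at another.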

Better

Deny unenrolled users access to RDP applications by setting a per-application policy. Unenrolled users can still be allowed to enroll via other applications you have configured, just not through RDP applications for which access can be easily automated by attackers.

Best

Deny all access to unenrolled users and enroll users in Duo MFA via either automatic enrollment or a manual user import.

User lockout mechanisms

For users enrolled in MFA, there is still a risk of RDP account access by an attacker. The most common attack patterns seen against enrolled users were push harassment (in which a single user is sent many push attempts in the hope that they will eventually accept one) and push spraying (in which push attempts are sent across many users). A visual example is shown below, in which a user was repeatedly sent push requests from an RDP attack IP until they accepted.

One way of preventing a malicious actor from sending repeated pushes to a user is to enable a lockout threshold in the Duo Admin Panel. Roughly 11% of recent RDP brute force attempts from the IPs analyzed were prevented by user lockout mechanisms, the majority of which had a threshold of 10 repeated failures before locking out a user. 10 is the default number of failures before a user’s account is locked out; however, a more aggressive threshold can be configured in your Duo Admin Panel.

For increased visibility, administrators can configure Duo to notify them in the instance that a user is locked out, to further monitor suspicious activity. If this occurs, and users cannot account for the repeated failures, this may indicate user credential compromise.

User location restriction

To prevent malicious requests from reaching users in the first place, admins should configure Duo to block requests from countries they do not expect to see traffic from. The IPs studied in these attacks originated from countries including Iran, Russia, Hong Kong, the Netherlands, Ukraine, Estonia, Romania, Pakistan and Nicaragua, all of which accounted for less than 1% of the benign traffic of the impacted customers. If it suits your organization’s setup, consider denying access or limiting available authentication factors for requests that originate somewhere other than your organization’s expected locations.

Users that live in countries atypical to the majority of an organization’s users or who may need occasional access from a country that is otherwise blocked can be added to a user group with a specific policy exemption if necessary.

Summary

Basic MFA is a necessary first step in securing RDP applications. Without proper configuration, however, it’s still possible for attackers to subvert security measures and gain access to critical data and infrastructure. While attacks are constantly evolving, taking essential steps such as blocking unenrolled access and enabling user lockout functionality on RDP applications can help to prevent users from receiving malicious requests.

]]>
<![CDATA[New Duo E-Book, Attack Vectors Decoded: Securing Organizations Against Identity-Based Threats]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/new-duo-e-book-attack-vectors-decoded https://duo.com/blog/new-duo-e-book-attack-vectors-decoded Industry News

Identity-based cyberattacks are a challenge across all organizations, regardless of size, industry or technology. And every time organizations put up a new defense, cybercriminals seem to find their way around it. This becomes a constant cycle of organizations introducing new protections and attackers finding ways to exploit them.

Recently, attackers have targeted multi-factor authentication (MFA). MFA is a common second line of defense against compromised passwords. Even if an attacker has access to a username and password, they still need access to the second authentication factor to break into the organization.

However, attackers are finding ways around MFA. They can take advantage of the less secure methods of authentication, like one-time passcodes, and socially engineer a user to hand over codes or intercept them before they reach the end user. They can engage in MFA fatigue attacks where a trusted user might absentmindedly accept a push request because they’re so used to doing it or might accept the push requests to get the endless notifications to stop.

While attackers are finding new and creative ways to victimize users, organizations can deploy many tools to protect against these types of attacks. In Duo’s new eBook Attack Vectors Decoded: Securing Organizations Against Identity-Based Threats, we summarize the top attack vectors targeting users and what organizations can do to fortify their defenses.

So, what can organizations do to better protect themselves? Some of the solutions are easy policy changes that organizations can turn on immediately, like Duo’s Risk-Based Authentication (RBA). RBA analyzes risk signals at the point of login and can remove barriers for trusted users, while requiring more secure factors when new risk is identified (like multiple denied push requests being sent to the same user).

Other solutions are more of a journey, like rolling out passwordless across your organization. Passwordless login removes the “something you know” (e.g., the password) from the login process and instead uses “something you are” (e.g., a biometric) and “something you have” (e.g., a device). A user accesses an application using an asymmetric key pair: the application holds the public key, while the matching private key stays secured on the device (so it cannot be stolen) and proves possession of the device at login. While passwordless offers a phishing-proof solution, there are requirements to deployment, like ensuring all users have access to a biometric on their device or a security key.

And finally, organizations can combine a risk-based and phishing-proof authentication approach with device trust policies, like Duo’s Trusted Endpoints. Trusted Endpoints enables an organization to only let in managed or known devices so fraudulent MFA requests on an unknown device never even reach the end user.

To learn more about the current identity-focused attacks and how you can better protect your organization today and in the future, be sure to read Attack Vectors Decoded: Securing Organizations Against Identity-Based Threats today.

If you’re interested in a deeper dive into this topic, also check out our new Duo labs piece that provides detailed, research-backed insight into identity threats and how to protect against them.

]]>
<![CDATA[The Strengths and Weaknesses of MFA Methods Against Cyber Attacks: Part 3]]> pschafer@cisco.com (Phillip Schafer) https://duo.com/blog/strengths-weaknesses-of-mfa-methods-against-cyberattacks-part-3 https://duo.com/blog/strengths-weaknesses-of-mfa-methods-against-cyberattacks-part-3 Industry News

The choice of authentication methods plays a key role in defending against identity threats. In the first two blogs of this three-part series, we discussed the MFA methods available to users and their strengths and weaknesses in defending against five types of cyber attack. In this blog, we’ll discuss how end-users and administrators can select the best methods to keep themselves and their organizations secure.

The importance of user experience

Authentication methods’ technical properties in addressing cyber-threats are part of the security picture, but not the whole picture. The convenience of the end-user experience also plays an important role.

A frictionless user experience can help ensure that MFA is widely adopted within an organization, and that once it is adopted, users comply with best practices. Users that are frustrated by the authentication experience are more likely to fall prey to MFA fatigue attacks, or to seek workarounds that avoid the need to authenticate at all.

When setting MFA policies for their organization, administrators must consider the human element, which plays a role in 74% of breaches.

Budget considerations

Cost is another factor influencing which authentication methods organizations should adopt. Methods that leverage users’ existing devices, for instance, offer cost advantages over methods requiring specialized hardware such as tokens and security keys. Conversely, adopting platform authenticators may require costly upgrades to enterprise hardware and software to support biometrics.

Administrative and service costs must also be considered. Telephony-based methods require the purchasing of telephony credits, while the personnel costs of deployment and helpdesk support for some authentication methods can be significant.

Organizations must weigh the total cost of ownership of MFA against the considerable, but uncertain, cost of a breach.

What authentication methods are right for you?

To decide which methods to use, organizations must balance security, user experience, and budget considerations to meet their unique needs. To conclude this blog series, we’ll discuss each method in turn and why you may choose to adopt it.

WebAuthn-based authentication

WebAuthn-based authentication is a clear winner for threat protection, with strong defenses against a variety of threats including phishing and AiTM (adversary-in-the-middle) attacks. WebAuthn-based methods also offer superior user experiences using biometrics and passwordless authentication.

Despite these advantages, organizations often face challenges when adopting WebAuthn. Legacy software often must be upgraded to support this relatively new protocol, while upgrading employee endpoints to support biometrics or purchasing and distributing security keys can incur significant costs. Organizations must also incentivize users to register WebAuthn-based devices and train them to adapt to new authentication workflows.

The journey to WebAuthn, passkeys, and passwordless can be well worth it, and organizations can learn from the success stories of their peers.

Push-based authentication

Push-based authentication provides a good balance between security and user experience. It protects against many threats while allowing users to authenticate conveniently using their own phones. While it does not defend against AiTM threats as WebAuthn does, this gap can be addressed by other measures, such as adopting device trust policies.

Security against MFA fatigue attacks can be enhanced for push-based methods by enabling numeric code matching (e.g., Verified Duo Push). However, this security comes with additional user friction. Organizations that want the security benefits of code matching but with minimal friction can try a policy like Duo Risk Based Authentication in which codes are required only for suspicious authentications.

Token-based authentication

Token-based authentication provides a third-tier option for threat protection behind WebAuthn-based and push-based methods. Passcode phishing and physical compromise are concerns for tokens but may partially be addressed by end-user training. Tokens remain popular for organizations where users cannot use their own phones to authenticate or where offline access is needed.

Telephony-based authentication

Telephony-based authentication is widely used due to its administrative convenience, since end-users can use their own phones without any specialized hardware or software. Hardware cost savings may be offset, however, by telephony costs. Telephony-based methods are also less secure than other methods, with SIM swapping adding a distinctive threat vector alongside common physical and social engineering concerns. Despite these drawbacks, telephony is an effective way for some organizations to ensure that MFA is widely adopted.

Conclusion

No matter what your authentication needs, Duo provides a variety of options to choose from. Duo’s adaptive access policies make it easy for administrators to customize settings by user group and application type, so that every authentication is as secure and frictionless as possible. End-users may further select from the methods allowed by their organizations to best suit their needs and preferences.

To learn more about authentication with Duo, sign up for a free trial today.

]]>
<![CDATA[Strengths and Weaknesses of MFA Methods Against Cyber Attacks: Part 2]]> pschafer@cisco.com (Phillip Schafer) https://duo.com/blog/strengths-weaknesses-of-mfa-methods-against-cyberattacks-part-2 https://duo.com/blog/strengths-weaknesses-of-mfa-methods-against-cyberattacks-part-2 Industry News

The choice of which authentication methods to use is individual to every organization, but it must be informed by a clear understanding of how these methods defend against common identity threats.

In the first part of this three-part blog series, we discussed the various methods available to MFA users. In this part, we’ll evaluate each method’s effectiveness in defending against five common types of cyber-attack. The table below summarizes the findings.

How MFA methods stand up to threats

Threat type #1: Physical compromise

Many authentication methods use device possession as a factor (i.e., evidence of a user’s identity), making physical security a concern. Devices can be stolen or temporarily accessed by an attacker to subvert MFA.

Varied protection: WebAuthn-based authentication, push-based authentication, token-based authentication

When used by WebAuthn-based authenticators, biometric user verification provides a strong layer of defense against physical compromise. However, some security keys do not support biometrics, while many authenticators fall back to passwords or passcodes when biometrics fail.

Physical security for push-based authentication relies on the access protections of the user’s phone. For best security, administrators should require that users implement screen lock on their devices when authenticating with Duo Mobile. They can additionally require biometric verification every time that a user approves a push.

Physical security of token-based authentication depends on the device. Some software tokens, like Duo Mobile, can be configured to require screen lock. However, many hardware tokens do not provide any protection. Furthermore, attackers with even temporary access to an HOTP device may memorize or write down a passcode and use it later. Users must take care to safeguard devices attached to keyrings and in other vulnerable locations.

Weak protection: telephony-based authentication

SMS passcodes and phone call authentication are vulnerable to physical compromise because text messages and phone calls often may be received without unlocking a phone. While users can elect secure screen lock settings, administrators cannot easily require them to do so.

Threat type #2: Logical compromise

Attackers may sometimes take virtual possession of authenticators without gaining physical access to a device. For example, by gaining access to a cryptographic key or taking possession of a phone number, they may be able to emulate the behavior of an authentication device.

Strong protection: WebAuthn-based authentication, push-based authentication, token-based authentication

While key theft is possible for these methods, most devices provide strong protections. WebAuthn-based authenticators use private keys that are not shared publicly and that can be stored securely on tamper-resistant hardware protected with strong encryption. Platform credentials (passkeys) that are synced using services like iCloud Keychain are encrypted in transit.

Duo’s push-based authentication uses private keys that are stored in encrypted form and never leave the device. Default Duo policy further prevents exfiltration of keys from Duo Mobile by requiring that user devices are not rooted or jailbroken.

Token-based authenticators use a secret key, called a seed, to generate passcodes. These seeds are encrypted when stored on both the device and on Duo servers.

Weak protection: telephony-based authentication

SIM swapping is a common technique that allows attackers to subvert telephony protections without physically stealing a phone. An attacker calls the phone carrier posing as the legitimate user and has the user’s phone number transferred to their own device. Then, they can authenticate via SMS passcode or phone call.

Threat type #3: Phishing and MFA fatigue

Phishing attacks and MFA fatigue attacks are related threats in which a user is given a fraudulent prompt to authenticate. In phishing, the attacker directs the user to a fake website with a login prompt that collects their password and/or single-use passcode. In an MFA fatigue attack, also known as push phishing or push harassment, the attacker uses stolen credentials to send the user repeated push requests in hopes that the user will inadvertently approve one.

Strong protection: WebAuthn-based authentication

WebAuthn-based authentication is sometimes referred to as “phish-proof” because it eliminates the need for shared codes, removing the risk that those codes could be intercepted. The browser also tells the authenticator what site the user is on, so credentials can only be used on the site they were created for. Authentications are verified locally on the login device, so the attacker cannot enlist the user’s help remotely in their authentication attempt via an MFA fatigue attack.

Varied protection: push-based authentication

Push-based authentication is vulnerable to MFA fatigue attack, but this threat can be mitigated through the use of numeric code matching, as in Verified Duo Push. Because the numeric code must be entered by the user, there is no risk of the attacker phishing the code (though other forms of social engineering are possible, see below). Admins can require that codes be entered for all push-based authentications, or they can use an approach like Duo Risk Based Authentication in which only risky authentications require the code.

Weak protection: token-based authentication, telephony-based authentication

Token-based and SMS passcode methods are vulnerable to passcode phishing, though the risk can be partially mitigated by adopting TOTP-based rather than HOTP-based tokens. Phone call authentication is vulnerable to MFA fatigue attacks.

Threat type #4: Social engineering

Social engineering is a class of techniques in which the attacker manipulates the legitimate user into aiding them in the attack. While phishing and MFA fatigue may be considered examples of social engineering, they are not the only ways that user behavior can be manipulated. For example, attackers will sometimes pose as fellow employees or IT team members to convince users to follow directions. Social engineering is often preceded by reconnaissance on professional social networks to make the engagements more personal and believable.

Varied protection: WebAuthn-based authentication, push-based authentication

While WebAuthn-based authentication is typically considered a strong protection against social engineering, the recent trend on many operating systems toward synced passkeys has opened the door to passkey sharing attacks. If a legitimate user is convinced to share their passkey, then the attacker can use the passkey on their own system. Biometric requirements do not mitigate this threat because once a passkey is stolen, it may be used by the attacker with their own biometric. Fortunately, many platforms implement additional measures to secure passkeys, such as requiring that sharing happens between devices in physical proximity.

Use of a numeric code with push-based authentication helps guard against MFA fatigue and passcode phishing attacks, but it does not close the door to other types of social engineering. An attacker can attempt to log in using a stolen password, then send the numeric code to the legitimate user and convince them to enter the code and confirm the push.

Weak protection: token-based authentication, telephony-based authentication

Token-based and telephony methods are subject to a wide array of social engineering techniques in which users are convinced to share a physical device, transfer a phone number, or enter a code.

Threat type #5: Adversary in the Middle

Adversary in the Middle (AiTM) is a sophisticated attack in which the attacker establishes a proxy server between the legitimate user and their login destination, allowing the attacker to steal credentials and cookies during an authentication attempt. Because the login is proxied to the legitimate destination, the user may be unaware that the attack is happening, while the adversary gains full access to the account.

Strong protection: WebAuthn-based authentication

WebAuthn-based authenticators protect uniquely against AiTM attacks. WebAuthn verifies the identity of the login site (e.g. duosecurity.com) and therefore will not work via a proxy connection. This property, known as origin binding, contributes to WebAuthn’s status as a “gold standard for MFA.”

Weak protection: push-based authentication, token-based authentication, telephony-based authentication

All these methods are vulnerable to AiTM attack. Even when second-factor authentication is out-of-band with the login, as in a push, the delivery of the session cookie can still be intercepted by the proxy.

What’s next

Understanding the threats affecting MFA is important, but the choice of authentication methods also depends on factors like cost and ease of use. In the next blog in this series, we’ll discuss how organizations can choose the methods that best suit their needs.

]]>
<![CDATA[Strengths and Weaknesses of MFA Methods Against Cyber Attacks: Part 1]]> pschafer@cisco.com (Phillip Schafer) https://duo.com/blog/strengths-weaknesses-of-mfa-methods-against-cyberattacks-part-1 https://duo.com/blog/strengths-weaknesses-of-mfa-methods-against-cyberattacks-part-1 Industry News

Administrators and end-users of a multi-factor authentication (MFA) product like Duo’s face a variety of options for how to authenticate. Each method has distinct tradeoffs of convenience, user experience, and security.

In this first blog of a three-part series, we’ll define four categories of authentication methods encompassing a broad array of device types. In future blogs, we will discuss identity threats facing MFA users and how to choose the best methods to protect yourself and your organization.

Background: MFA methods

MFA requires that users present multiple pieces of evidence, or factors, proving their identity. These factors typically belong to one of three types:

  • Knowledge (“something you know”): Memorized information like a password

  • Possession (“something you have”): A physical device that the user has access to

  • Inherence (“something you are”): A biometric indicator like a fingerprint

Most commonly, a password (knowledge factor) is combined with a second authentication method representing one or more additional factors. We’ll categorize the methods supported by Duo in the following ways.

WebAuthn-based methods

Factor type(s): possession (computer, phone, or security key), usually paired with inherence (biometric) or knowledge (passcode)

WebAuthn, or Web Authentication API, is a standard for securely authenticating users using public key cryptography. Users register their device and receive credentials from a server like duosecurity.com. These credentials can then be used to authenticate, without the need for a password. Because the credentials cannot be used on sites other than their origin (e.g. on fake webpages like bad-duosecurity.com), WebAuthn-based authentication is said to be phishing-resistant.
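The origin binding described here, and in Part 2's discussion of why WebAuthn does not work through an AiTM proxy, comes from checks the relying party performs on every assertion. The following is an added example and not Duo's implementation: it carries out the clientDataJSON and rpIdHash checks from the WebAuthn Level 2 assertion verification procedure (section 7.2) and shows why an assertion gathered on a look-alike or proxy origin is rejected. RP_ID, ALLOWED_ORIGINS and CHALLENGE are constructed sample values; verifying the authenticator's signature over the returned payload with the public key stored at registration is described in a comment but not performed.

```python
"""The relying-party checks behind WebAuthn's origin binding.

Added example, not Duo's implementation. RP_ID, ALLOWED_ORIGINS and
CHALLENGE are constructed sample values. Signature verification over the
returned payload (the last step of assertion verification) is not shown.
"""
import base64
import hashlib
import json
import struct

RP_ID = "duosecurity.com"                      # constructed RP ID
ALLOWED_ORIGINS = {"https://duosecurity.com"}  # constructed allow-list
CHALLENGE = bytes(range(32))                   # constructed; real ones are random


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    """What the browser serialises as clientDataJSON. The browser fills in
    `origin` from the page that called navigator.credentials.get(), so a page
    on another origin cannot claim to be duosecurity.com."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": page_origin, "crossOrigin": False}).encode()


def authenticator_data(rp_id: str, sign_count: int) -> bytes:
    """Authenticator output: sha256(rpId) || flags || signCount (no extensions).
    The browser only passes an rpId that is a registrable suffix of the origin."""
    flags = 0x01 | 0x04  # UP (user present) and UV (user verified)
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count))


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, rp_id: str, allowed_origins) -> dict:
    """Relying-party verification of the unsigned fields. On success returns
    the payload the authenticator signed, authData || sha256(clientDataJSON),
    which is what ties the origin to the signature."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return {"ok": False, "reason": "clientDataJSON is not valid JSON"}
    if cd.get("type") != "webauthn.get":
        return {"ok": False, "reason": "type is not webauthn.get"}
    if cd.get("challenge") != b64url(expected_challenge):
        return {"ok": False, "reason": "challenge mismatch (replay or wrong session)"}
    if cd.get("origin") not in allowed_origins:
        return {"ok": False, "reason": f"origin {cd.get('origin')!r} not allowed"}
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return {"ok": False, "reason": "rpIdHash mismatch"}
    if not auth_data[32] & 0x01:
        return {"ok": False, "reason": "user presence flag not set"}
    signed_payload = auth_data + hashlib.sha256(client_data_json).digest()
    # Final step (not shown): verify the signature over signed_payload with the
    # public key stored at registration, then check that signCount increased.
    return {"ok": True, "reason": "pre-signature checks passed",
            "signed_payload": signed_payload}


def legitimate_login() -> dict:
    cd = browser_client_data(CHALLENGE, "https://duosecurity.com")
    return verify_assertion(cd, authenticator_data(RP_ID, 7),
                            CHALLENGE, RP_ID, ALLOWED_ORIGINS)


def proxied_login() -> dict:
    """A proxy at a look-alike domain relays the genuine challenge, but the
    user's browser records the proxy's origin in clientDataJSON and will only
    allow the proxy's own domain as rpId, so both bindings break."""
    cd = browser_client_data(CHALLENGE, "https://bad-duosecurity.com")
    return verify_assertion(cd, authenticator_data("bad-duosecurity.com", 7),
                            CHALLENGE, RP_ID, ALLOWED_ORIGINS)


if __name__ == "__main__":
    print(legitimate_login()["reason"])
    print(proxied_login()["reason"])
```

Because sha256(clientDataJSON) is part of what the authenticator signs, an intermediary cannot rewrite the origin field after the fact without invalidating the signature; the explicit origin and rpIdHash comparisons above are what make that binding enforceable on the server.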

Some WebAuthn-based authenticators, known as platform authenticators, are integrated into device hardware and operating systems and confirm user identity using biometrics such as iOS Touch ID, iOS Face ID, or Windows Hello. Many platform authenticators additionally support syncing WebAuthn credentials, known as passkeys, across multiple devices. Other WebAuthn-based devices, such as YubiKey security keys, are roaming authenticators and must be physically plugged into the device where a user is authenticating.

Push-based methods

Factor type(s): possession (phone with authenticator app installed), sometimes paired with knowledge (numeric code)

In push-based authentication, users receive a push notification on their phone when they try to log in on another device. They can review authentication details in a mobile app (such as Duo Mobile) and confirm or deny the authentication. The push notification typically happens out-of-band (i.e., on a different communication channel) from the login device, which makes it harder for attackers to tamper with the authentication.

Duo offers two options for push-based authentication. A Duo Push is an ordinary push in which the user confirms or denies the authentication in the Duo Mobile app. A Verified Duo Push adds security by displaying a numeric code in the login prompt, which the user must then enter in Duo Mobile when confirming the push; because the code is only ever shown on the device where the login was started, a user who did not initiate the login cannot approve it by reflex. Both Duo Push and Verified Duo Push transmit the user’s response over an HTTPS connection.

Token-based methods

Factor type(s): possession (security token), or knowledge (passcode generated by the token)

In token-based authentication, a hardware device or software application is used to generate a single-use passcode, which must be entered into the login prompt to proceed. The Duo Mobile app can serve as a software token, while third-party hardware and software tokens of various types may also be registered with Duo.

The security properties of tokens depend on the algorithm used to generate the passcodes. The HMAC-based One-Time Password (HOTP) algorithm (RFC 4226) derives each code from a shared secret and a counter, so a code stays valid until it is used or the counter moves past it; a code stolen today can still be replayed later. The Time-Based One-Time Password (TOTP) algorithm (RFC 6238) replaces the counter with the current time step (typically 30 seconds), so a stolen code is only useful for a short window. Neither algorithm is phishing-resistant: a code relayed to the real site within its validity window still works.
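To make the HOTP/TOTP difference concrete, here is an added example (not Duo’s implementation) of both algorithms as a server would verify them, using the shared secret and time values from the RFC test vectors. The `HotpVerifier` and `TotpVerifier` classes and the look-ahead/drift windows are assumptions about how a typical server tracks token state; the replay scenario at the end is constructed for the demo.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as a server verifies them, plus the
replay difference between the two. Added example, not Duo's implementation;
the secret and timestamps are the RFC test vectors."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(secret, unix_time, digits=6, step=30, t0=0):
    """RFC 6238: HOTP with the counter replaced by the current time step."""
    return hotp(secret, (unix_time - t0) // step, digits)


class HotpVerifier:
    """Server state for one HOTP token (assumed design): the next expected
    counter plus a look-ahead window so unused button presses don't desync."""

    def __init__(self, secret, look_ahead=10):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code):
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # consume this and every earlier counter
                return True
        return False


class TotpVerifier:
    """Server state for one TOTP token (assumed design): accepts the current
    step, +/- `drift` steps for clock skew, and remembers the last step used
    so the same code cannot be replayed inside its own window."""

    def __init__(self, secret, drift=1, step=30):
        self.secret, self.drift, self.step, self.last_step = secret, drift, step, -1

    def verify(self, code, now):
        cur = now // self.step
        for s in range(cur - self.drift, cur + self.drift + 1):
            if s > self.last_step and hmac.compare_digest(
                    totp(self.secret, s * self.step, step=self.step), code):
                self.last_step = s
                return True
        return False


def replay_demo():
    """Constructed scenario: an attacker captures one code of each type."""
    out = {}
    h = HotpVerifier(SECRET)
    stolen = hotp(SECRET, 3)                          # shoulder-surfed, never used
    h.verify(hotp(SECRET, 0))                         # legitimate login meanwhile
    out["hotp_replay_later"] = h.verify(stolen)       # still in look-ahead: accepted
    out["hotp_replay_twice"] = h.verify(stolen)       # consumed now: rejected

    stolen = totp(SECRET, 59)                         # valid for the step covering t=30..59
    relay = TotpVerifier(SECRET)
    out["totp_relayed_in_window"] = relay.verify(stolen, 50)   # real-time relay works
    t = TotpVerifier(SECRET)
    out["totp_first_use"] = t.verify(stolen, 45)      # legitimate user uses it
    out["totp_replay_same_window"] = t.verify(stolen, 50)   # reuse: rejected
    out["totp_replay_later"] = t.verify(stolen, 150)  # window gone: rejected
    return out
```

Run `replay_demo()` to see the contrast: the unused HOTP code is still accepted after the user has logged in with a newer one, while the TOTP code is rejected both on reuse and after its window has passed. Note that `totp_relayed_in_window` is `True`: TOTP’s expiry does nothing against an attacker who relays the code within the same 30-second step.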

Telephony-based methods

Factor type(s): possession (phone with registered phone number), or knowledge (a passcode delivered by SMS)

SMS (Short Message Service) passcode and phone call authentication are methods that allow users to authenticate using their phones, without any specialized hardware or software. SMS passcodes work like token-based passcodes, except that the single-use code is generated by the server and delivered to the user’s phone as a text message. In phone call authentication, the user receives an automated call and confirms the authentication by pressing a key on the phone.

The ubiquity of mobile phones makes telephony-based authentication a popular choice for many organizations. However, the cellular network and the carrier’s account-management processes are outside the organization’s control: a phone number can be SIM-swapped or ported to an attacker, and messages can be intercepted in transit, so these methods carry a real risk of MFA interception.

What’s next

Now that we understand the ways that MFA users can authenticate, we can examine how each of these methods stands up to specific cyber threats. The next blog in this series will discuss some of the most common threats affecting MFA and how the different authentication methods can protect against attacks.

]]>
<![CDATA[Revisiting Duo’s FedRAMP Authorized Federal Editions]]> harsheik@cisco.com (Haroon Sheikh) https://duo.com/blog/revisiting-duo-fedramp-authorized-federal-editions https://duo.com/blog/revisiting-duo-fedramp-authorized-federal-editions Product & Engineering

Back in November 2019, Duo achieved a key milestone: FedRAMP Authorization as a Cloud Service Provider (CSP) at the Moderate impact level, sponsored by the Department of Energy (DOE), and launched its federal products. Our federal editions were the first standalone cloud-based MFA offerings to be FedRAMP authorized.

Duo’s Federal editions enable federally compliant cloud-based MFA completely aligned to NIST, OMB, and FedRAMP out-of-the-box. It’s essentially an ‘easy button’ for our Public Sector customers for Federal Authentication and Access Control.

Duo Federal MFA and Duo Federal Access

The Duo Federal editions were added to Duo’s product line and aligned specifically to the security needs and requirements of federal customers.

One of the things we’ve done inside Duo’s Federal editions is to make them pre-configured for compliance. This includes FedRAMP and FISMA requirements, FIPS 140-2 compliant authentication, and alignment with National Institute of Standards and Technology (NIST) SP 800-63-3, DFARS/FARS, OMB ICAM policy and more.

These Duo Federal editions support Authenticator Assurance Level 2 (AAL2) with Duo Push or Duo Mobile passcodes for both Android and iOS devices by default, with no additional configuration required. Duo also supports AAL3 authenticators such as FIPS YubiKeys from Yubico.

Additional information on the Duo Federal edition with its available features and comparison to our Commercial editions can be found in our Duo Federal Guide.

Duo Care Premium support available for Duo Federal

The Duo Care premium support program is available for our customers that are utilizing the Duo Federal editions.

This offering provides a dedicated team of Customer Success experts that ensure your deployment is smooth, and work with you through the lifecycle of your subscription to make sure you are maximizing the value of your Duo investment as your organization and business needs evolve.

In addition to the team of dedicated trusted advisors that serve as your strategic point of contact and technical experts - the Duo Care premium support program also includes extended support services such as: 24x7 phone availability, priority ticket SLA, VIP support line and more!

Download the Duo Care Information Sheet

Get started with a free trial of Duo’s Federal Editions

Duo Federal MFA and Duo Federal Access editions are listed on FedRAMP Marketplace, and can be purchased via DHS’ CDM or by visiting the Duo Federal Editions page.

If you would like to get started with a free trial of Duo’s Federal MFA and Federal Access editions, signup through our Federal editions page and we’ll reach out to get you started!

]]>
<![CDATA[Reopening the Bat Cave: Duo Labs Is Back]]> tkietzman@duo.com (Ted Kietzman) https://duo.com/blog/reopening-the-bat-cave-duo-labs-is-back https://duo.com/blog/reopening-the-bat-cave-duo-labs-is-back Product & Engineering

Duo Labs is back!

Well, not exactly in the same form — but the sentiment, heart, and function of Duo Labs is back. For the curious, the original Duo Labs was a team of amazing security researchers, tinkerers, and thinkers that published their findings, experiments, and explorations on the Duo Labs site.

Perhaps most famously, the team sent a phone running Duo Mobile into space, attempting to complete a Duo Push from 90,000 feet. Many other examples of cool security research and contributions to the security community are still live on the Duo Labs site.

Over the last few years, the official labs team was disbanded, moving on to new projects, teams, and gigs — and the Duo Labs site was left to face the digital sands of internet time without much attention or thought. There hasn’t been a Duo Labs post since 2021. Not every project continues forever, and it’s okay to be at peace with an effort ending — conclusions and closure are a part of any story.

However, internally at Duo, we realized that by disbanding the Labs team and discontinuing writing for the Labs site, we lost something special about Duo itself. That special thing was a forum for Duonauts to be nerdy, expansive, and inquisitive about all things at the intersection of access management and security. It’s one thing to have the company blog (look, I’m writing here right now!). But it’s another to have a place to post that doesn’t need a product tie-in or an ask to contact sales.

The truth is, there are still a bunch of security scientists lurking within Duo. Folks thinking about the future of authentication, from passkeys to decentralized identity. Folks researching the identity threat landscape and which parts of the identity infrastructure attackers will strike next. Folks using the massive Duo dataset of authentications to uncover new attack patterns and techniques. And, folks thinking deeply about the next generation of security protocols and frameworks.

This type of work doesn’t necessarily coincide with the scope of Duo’s mainline blog. There often won’t be a clear right answer, and certainly won’t always be a product demo of a solution. Therefore, to showcase the work of Duonauts thinking about the big problems of authentication, access, identity, and security, we're re-opening Duo Labs. The first piece will be a “nigh-comprehensive” overview of identity threats with a look at their prevention and detection. From there, we’ll produce new content monthly, diving deep into the brains of Duo’s engineers, product leaders, and data scientists.

If this effort sounds interesting to you, meet us over at Duo Labs or follow the newly revived @DuoLabs on Twitter. We’re excited to tinker again!

]]>
<![CDATA[Don’t Settle for a Vendorship When You Can Have a Partnership]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/dont-settle-for-vendorship-when-you-can-have-partnership https://duo.com/blog/dont-settle-for-vendorship-when-you-can-have-partnership Product & Engineering

Every organization will face challenges at some point. Often, these challenges are the reason vendors exist. Their purpose is to sell you something that’s hopefully going to solve an issue or fulfill a need, so you can get back to what you do best. It’s sort of like buying a Band-Aid for a cut. I just need it to solve a particular issue now. Other than fixing the immediate issue I don’t have any long-term expectations.

What’s a Vendorship?

Search online and you’ll find a lot of similar definitions for vendor. It’s typically something along the lines of “An individual or company that sells goods and services to businesses or consumers.”

The relationship we have with vendors tends to be more transactional in nature. It’s what I refer to as a “vendorship.” Honestly, vendorship isn’t even a real word, but it’s useful to illustrate a point. In a vendorship, I’m not looking for a long-term commitment with the seller. I just need a solution to address a particular challenge. It’s a summer romance. Once I have the solution in place, we probably don’t need to keep in touch unless there is a problem with the product or service. My expectations for a deeper relationship are low. A lot of the time this is sufficient for both parties.

Moving from Vendorship to Partnership


But what if I want more from my vendor? My organization may have greater needs that require a deeper, longer-term commitment from both sides. This can be especially true if my organization is investing a lot of time and money in a solution. I want to make sure I’m getting value for my investment. If you’re looking for any — or all — of the following from a vendor, then it’s time to move from a vendorship to a partnership.

  • Configuration and Deployment Resources — Does the vendor provide resources to help me properly configure the solution and deploy it into my architecture or to my users?

  • Future Product or Service Updates — I’m buying something today, but how is the vendor adding value to it tomorrow?

  • User Training — Does the vendor make training available so my users are prepared to engage with the product or service?

  • Opportunities to Preview Upcoming Releases and Provide Input — Before a new release is available, is there an opportunity to try it out and provide feedback?

  • Strong Customer Support — At some point my organization will need support, so how good is the vendor’s customer service?

  • Vested Interest in My Organization’s Success — Beyond the product or service, does the vendor have an interest in helping my organization succeed?

Depending on your need, a vendorship may suffice. However, if you’re looking for more than a summer fling, why settle for a vendorship? Consider taking that relationship to the next level with a vendor who is also interested in partnering for the long term. Yes, it requires investment from both parties, but your organization will benefit over time.

In it for the long term

In an earlier blog, I talked about how building a long-term partnership with a vendor enables customers to realize greater value for their investment. At Cisco Duo, we want to help our customers get the most out of their Duo subscription by engaging in a long-term partnership. That’s why we continually add new features to our Access Management offerings, provide opportunities to test drive new features before they’re launched, deliver hands-on workshops and webinars, help our customers grow their Duo knowledge and expertise through online training, and more.

And for customers who want an even deeper relationship from a trusted partner, there’s Duo Care, Duo’s premium support program. With Duo Care, you'll work together with a team of Duo experts who guide you through the life of your subscription so you maximize the value of your Duo investment as your organization and business needs evolve.

When it comes to vendor relationships, don’t settle for a vendorship when you can have a lasting partnership and reap the long-term benefits. Let Duo show you how. Speak with your local Duo sales rep or partner today to learn more.

]]>
<![CDATA[Better Together: How Duo Care Helps You Get Directly Involved With Product]]> malhinz@cisco.com (Mallory Hinz) https://duo.com/blog/better-together-how-duo-care-helps-you-get-directly-involved-with-product https://duo.com/blog/better-together-how-duo-care-helps-you-get-directly-involved-with-product Product & Engineering

The Cisco Duo team is filled with excellent researchers, designers, product managers, engineers, and more who know what we are doing when it comes to building a great product - but we also know that we are better together with input from our customers.

Most people are generally familiar with the product release cycle, but for the sake of a quick refresher, Duo follows a multi-step release process: Active Development Program, Private Preview, Public Preview, and finally General Availability.

Any organization utilizing a paid edition of Duo is used to being notified about features that have become Generally Available (GA) through subscribing to updates from the Duo Release Notes section of the Cisco Community page, but today we want to highlight the other stages and how much we care about getting organizations involved.

This blog is part of the Duo Care Trusted Advisor series. Duo Care Premium Support was created because we really do care. The dedicated Customer Success Managers and Customer Solutions Engineers who make up Duo Care help with initial rollouts, but we also guide you through the life of your subscription — ensuring you maximize your investment.

One of Duo Care’s favorite ways to provide additional value is through getting our customers involved in Active Development Programs and Private Previews. Think of it like having a dedicated advocate behind the curtain who is highlighting the ideas that you’ve submitted as feature requests and proactively looking out for new functionalities that might be of interest to you or that might help you better achieve your security goals.

Active Development Program (ADP)

Duo prioritizes feedback from customers at every stage of the product process — even when we are just getting started developing features. An ADP might look like connecting you with a Product Researcher for an informational interview about a particular topic that we are exploring. An ADP could be a Product Manager walking you through the mock-up of a feature from a design perspective and gathering preferences for the admin experience before we start building. It could be a combination of conversations and demos.

Mostly, Duo Care loves it when we can find and deepen the alignment between our customers and our product team. We especially love to find those opportunities through the Active Development Program stage. The focus of an ADP might be a topic that you mentioned on a previous call that could make your life as an admin easier or something that relates to a security goal you mentioned during the previous year’s planning session or something that we know you are already thought leaders on where we could learn too. Duo Care is always actively listening and eager to connect the dots to build things together.

Private Preview

In the next stage, a select group of customers are invited to experience a particular product feature before it has officially been released. Private Previews are the “kick the tires” stage where you have a chance to test out how a feature actually works and provide feedback.

One key advantage of being a Duo Care customer is getting early access to features. Duo Care has a close relationship with our product team, and we are always looking for opportunities to collaborate. We want to make sure access management is simplified, easy to use and effective — and customer feedback is incredibly important to make sure that the features we build are in line with helping you meet your security goals. 

Every Private Preview runs a bit different, but it might look like Duo Care doing a demo of a new feature during a Product Roadmap Review, facilitating a call with the Product Manager of that feature for any questions about set-up, or giving you some time to poke around and test things out on your own. After an organization has agreed to participate with us, there are always a few follow up conversations to gather opinions, thoughts, desires — and circle back on any updates that have been made from previous feedback.

Public Preview

The final stage before a feature launches to GA is a public preview. Customers without a dedicated Duo Care team can get access to the product or feature either directly from the Duo Admin Panel via an “Early Access” button or by contacting Duo Support. Features remain in this stage until they are ready for full release.

There are plenty of other smaller stages that happen behind the scenes to take an idea all the way through launching as part of the Duo product, but we hope that this overview has re-enforced how much we care about your participation, investment and feedback.

Looking to get more involved?

If you are interested in adding Duo Care Premium Support to your current contract to take advantage of additional previews and development programs, please send an email to your Cisco Cybersecurity Sales Specialist or Cisco Account Manager.

If you are brand new to Duo, welcome! Please Contact Us to start the conversation!

]]>
<![CDATA[2024 Duo Trusted Access Report: 5 Key Findings for MSPs to Strengthen Security]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/2024-duo-trusted-access-report-5-key-findings-for-msps-to-strengthen-security https://duo.com/blog/2024-duo-trusted-access-report-5-key-findings-for-msps-to-strengthen-security Industry News

For managed service providers (MSPs), navigating the ever-evolving landscape of access security can be a daunting task. With complex identity stacks and a constant influx of new devices and endpoints, ensuring secure access across your clients' infrastructure requires comprehensive data-driven insights.

Duo’s latest annual Trusted Access Report, aptly titled "Navigating Complexity," peels back the layers on the ever-evolving world of access management and analyzes real-world data from 16 billion authentications across millions of devices and users. Coupled with key findings are available levers you can turn on today — because we know that if customers aren’t using all the features in their Duo subscription, they’re not getting the full security value.

5 data-driven access security best practices for managed service providers

1. SMS and phone calls as a method of second-factor authentication decreased by 22%, reaching an all-time low at 4.9%.

It’s well-documented that SMS and phone call-based second factors are not as foolproof as once thought, with multi-factor authenticator apps appealing to both demand for higher security and ease of use. However, today’s landscape sees push-targeting MFA attacks increasing. Enabling Verified Duo Push can disarm push harassment and MFA fatigue attacks, with the bonus of putting your clients on the path towards passwordless.

2. Authentication failures due to out-of-date software surged by 74.7%, with most accounts seeing only 20%-40% of browsers running the “latest” updates.

Devices that are no longer supported or have not been updated with the latest security patches are often riddled with vulnerabilities that can be exploited by cyber attackers. For example, we found that mobile Safari is most likely to be used for successful authentications but also most likely to be out-of-date or end-of-life.

Granular, adaptive security policies can be designed to detect such devices based on device posture—including the operating system version, installed security patches, and other critical security configurations. To avoid an influx of helpdesk tickets, Duo’s Endpoint Remediation can notify users when it’s time to update, help self-remediate, or block access completely if posture conditions aren’t met. Meanwhile, admins have visibility on who’s accessing what with which device, all without having to install any agents.

3. Mobile and non-traditional operating systems platforms show steady adoption, making up 61.8% of measured authentications.

Complex supply chain operations, third-party partnerships, and contractor devices heighten the risk of unmanaged devices and unknown endpoints — adding complexity to ensuring trusted access. This variability challenges visibility and trust, necessitating a dedicated layer of security.

Reinforce your clients’ security by combining strong authentication requirements with device trust policies. Duo Trusted Endpoints, available to all your Duo clients, adds an extra layer of security even if an organization cannot manage the device directly. Administrators can define a trust policy for every endpoint — whether managed or unmanaged, company-issued, contractor-owned, or personal — and stop attackers’ unknown devices even if they are able to bypass MFA.

4. In 23% of engagements observed by Talos IR, attackers were able to abuse compromised credentials to access valid accounts.

Here’s one for the administrators: Improper access controls can increase the potential for security incidents or unauthorized access to sensitive information. This is especially true for privileged roles like IT admins and helpdesk.

Duo helps multi-tenant partners manage their operations more efficiently with role-based access controls. Enable subaccount roles and access tags to ensure least privileged access and avoid unsecure credential practices. Curious? Get the infographic.

5. More than 24% of an organization’s total identities are inactive accounts that experience over 500 attacks every month.

Identity security is a high priority for organizations of all sizes, especially evaluating identities and login attempts for context and risk. But with several accounts and various risk appetites, it can be overwhelming for MSPs to manage so many controls.

Data-informed user authentication policies can consider your client’s risk levels and focus points. Take advantage of solutions that assess user and device telemetry to identify known threat patterns and anomalies without impeding user productivity, like Trust Monitor and Duo Risk-Based Authentication. In the event of an attack, Duo’s RBA can step up the authentication to a Verified Duo Push.

 

Duo wants to make strong security feel simple for administrators, security teams, and end-users alike, most recently announcing advanced identity protection to provide immediate security value and response to today’s most common attacks in real-time such as session hijacking, inactive account abuse, and more.

Get the report

The 2024 Duo Trusted Access Report is packed with data-driven findings on existing and emerging IAM trends across 16 billion authentications, 52 million browsers, 58 million endpoints, and 21 million unique phones. Learn more about the trends and recommendations that can bring impactful value to your MSP clients today.

 Download the 2024 Trusted Access Report.

 

Become a Partner

Now more than ever, Duo’s MSP program helps you eliminate complexity and grow your business with industry-leading secure, scalable, and flexible access management.

Visit Duo’s MSP Program page or reach out to msp@duo.com to start your Duo MSP partnership today.

]]>
<![CDATA[The Problem With One-Time Passcodes]]> jgolden@duo.com (Jennifer Golden) https://duo.com/blog/the-problem-with-one-time-passcodes https://duo.com/blog/the-problem-with-one-time-passcodes Industry News

What are OTPs (one-time passcodes)?

As organizations have improved their security posture, cybercriminals have found new ways to circumvent those controls. Multi-factor authentication (MFA) is a well-known and well-established protection that many organizations rely on. And that also makes it a target for cybercriminals. Therefore, it is not enough to have MFA turned on, organizations must also deploy secure policies to ensure their users are protected.

Several common authentication methods use one-time passcodes (OTPs). Normally these codes are delivered “out-of-band,” meaning through a different channel than the website you are trying to access. For example, if you are logging into an application in a web browser, the OTP might be sent to your email, by SMS text (Short Message Service), as a voice message, or through a dedicated application. The benefit of these codes is that they are random, so they are hard to guess, and unlike passwords they cannot be reused across a user’s different accounts.

Problems with OTPs:

However, MFA Interception is a way for bad actors to exploit the passcode and gain access. There are different ways bad actors have intercepted MFA passcodes. Some methods include:

  • SIM Swapping: The attacker uses social engineering to convince a cell phone provider to switch the number to the attacker’s SIM card to gain access to the OTP sent to the trusted user.

  • Brute Force Attacks: A random six-digit code has a one in a million chance of being guessed, but attackers can automate scripts to speed up the process and spread attempts across many users to improve their odds. If the OTP only requires two digits (which can be configured by your organization), the odds improve to one in a hundred. Rate limiting and lockout after a handful of failed attempts are what keep this impractical, so make sure they are enforced on every OTP prompt.

  • Phishing: An attacker sends a user a link to a fake website that captures the user’s username and password. When the real site prompts for an OTP, the fake site prompts the user for it too, and the attacker relays the same OTP into the real website in real time, gaining full access. The code only has to remain valid for the seconds the relay takes, so a short expiry does not stop this attack.

  • Social Engineering: An attacker logs in with a user’s credentials and the real user gets sent an OTP. The attacker then calls the user, and says "This is your helpdesk, I need to confirm your account, can you please confirm your OTP?" The user then reads the OTP to the attacker who gains full access.

To make matters worse, many of these capabilities can be purchased or contracted out, so launching an attack to capture and use OTP codes can be as simple as sending bitcoin and providing an email address to target.

How to secure MFA

While there are many problems with OTPs, they are still better than no MFA and there should be some form of additional authentication across all users and applications. There are also alternative options to consider if you are looking to improve your organization’s security posture.

Verified Duo Push is one option that might seem like an OTP but operates in a more secure manner. Rather than sending the user a code on their phone to type into their computer, a Verified Duo Push shows the code on the access device (e.g., a computer) and the user types that code into the Duo Mobile application. In an attack scenario the code is shown to the attacker, not to the user, so there is nothing for the attacker to steal from the user. For the attack to succeed, the user would have to obtain the code from the attacker and enter it in the Duo Mobile app associated with the account, which reduces the attack to the social engineering case above.

While a Verified Duo Push requires a user to enter the code at every login, organizations can also deploy Duo’s Risk-Based Authentication solution that analyzes contextual signals at the point of login and can step up to a Verified Duo Push if there is a potential attack on a user.
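The number-matching flow behind Verified Duo Push, described here and in the push-based methods section of the MFA methods post earlier on this page, is simulated below as an added example. This is not Duo’s code: the `VerifiedPushServer` class, its code length, expiry and attempt limit are assumptions, the server, login screen and phone are all played by one process, and the secure transport between them is taken for granted. What it shows is why a push that merely asks for Approve can be worn down, while a push that demands the code from the login screen cannot.

```python
"""Number matching ("verified push") simulated end to end. Added example,
standing in for the mechanism described on this page; not Duo's code. The
secure transport between server, browser and phone is assumed."""
import hmac
import secrets
import time


class VerifiedPushServer:
    def __init__(self, code_digits=6, ttl_seconds=60, max_attempts=3):
        self.pending = {}   # push_id -> state of one outstanding login
        self.code_digits, self.ttl, self.max_attempts = code_digits, ttl_seconds, max_attempts

    def start_login(self, user, now=None):
        """Called once the password checks out. The code goes back to the
        login screen only; the phone just receives a prompt to respond."""
        now = time.time() if now is None else now
        push_id = secrets.token_hex(8)
        code = "%0*d" % (self.code_digits, secrets.randbelow(10 ** self.code_digits))
        self.pending[push_id] = {"user": user, "code": code, "expires": now + self.ttl,
                                 "attempts": 0, "decided": False}
        return push_id, code

    def respond(self, push_id, approve, code_entered=None, now=None):
        """The phone's answer. Approving is not enough: the code shown on the
        login screen must be typed into the app, and only a few tries are allowed."""
        now = time.time() if now is None else now
        p = self.pending.get(push_id)
        if p is None or p["decided"] or now > p["expires"]:
            return "rejected: no live request"
        if not approve:
            p["decided"] = True
            return "denied by user"
        p["attempts"] += 1
        if code_entered is None or not hmac.compare_digest(p["code"], code_entered):
            if p["attempts"] >= self.max_attempts:
                p["decided"] = True
                return "rejected: too many wrong codes"
            return "rejected: code mismatch"
        p["decided"] = True
        return "approved"


def scenarios():
    """Constructed scenarios: a real login, push harassment, a denial, a stale push."""
    srv = VerifiedPushServer()
    out = {}
    # Legitimate login: the user sees the code on their own screen and types it.
    pid, code = srv.start_login("alice")
    out["legit"] = srv.respond(pid, True, code)
    # Push harassment: an attacker with alice's password triggers a push. Alice
    # taps Approve reflexively, but the code is on the attacker's screen, so she
    # cannot supply it; guessing is bounded by max_attempts.
    pid, attacker_sees = srv.start_login("alice")
    wrong = "000000" if attacker_sees != "000000" else "000001"
    out["blind_approve"] = srv.respond(pid, True, None)
    out["guess"] = srv.respond(pid, True, wrong)
    out["guess_again"] = srv.respond(pid, True, wrong)             # third wrong try: locked
    out["after_lockout"] = srv.respond(pid, True, attacker_sees)   # right code, too late
    # A user who denies ends the request; a stale request cannot be approved later.
    pid, code = srv.start_login("alice")
    out["deny"] = srv.respond(pid, False)
    pid, code = srv.start_login("alice", now=1_000)
    out["expired"] = srv.respond(pid, True, code, now=1_000 + 120)
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, "->", result)
```

The `after_lockout` case is the one to note: even if the attacker eventually talks the user into typing the correct code, the attempt limit and expiry have already closed the request, which is why the remaining risk is the social engineering conversation itself rather than the push.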

Passwordless authentication, which uses WebAuthn credentials, is another safe alternative to OTPs. It removes the password from the equation and has you authenticate with a biometric or a security key. Under the hood, the private key stored on your device signs a challenge from the application, and the application verifies that signature with the public key it stored at enrollment. Because the private key never leaves the device and the signed response is bound to the site’s origin, there is no reusable secret for an attacker to intercept or relay.

Finally, Trusted Endpoints ensures that only known, healthy devices can log in, so an attacker on their own device cannot even begin a login. It combines authentication and device policies to provide holistic protection for users.

To learn more about Duo’s secure MFA solution, sign-up for a free trial today.

]]>
<![CDATA[The Rise of Passkeys]]> matbroo2@cisco.com (Matthew Brooks) https://duo.com/blog/rise-of-passkeys https://duo.com/blog/rise-of-passkeys Industry Events

Background

This problem really came to a head when the internet rapidly grew from a government project to a major medium for electronic commercial transactions. Thanks to the application of advanced math and science, Public Key Cryptography was used to develop a means of securing ecommerce over the internet.

WebAuthn

Public Key Cryptography lets a merchant or customer encrypt a message with the other party’s public key so that only the holder of the matching private key can decrypt it. The sender can also digitally sign a message with their own private key, which anyone holding the public key can check. Together these let the two parties agree on a shared secret and set up an encrypted session in which they can communicate securely in both directions.

However, while this allowed the merchant or customer to send information securely, it did not by itself verify identity: nothing guaranteed that the party at the other end of the secure channel was who they claimed to be. So, we began with the use of passwords. Skip ahead several years, and it’s widely known that they are problematic. Using concepts from Public Key Cryptography, WebAuthn was born to verify identity securely.

Web Authentication API (also known as WebAuthn) is an open standard developed by the World Wide Web Consortium (W3C) together with the FIDO Alliance and published as a W3C Recommendation in 2019. It was conceived as a means of providing secure authentication to websites using a private-public key pair and public key cryptography techniques, instead of problematic passwords.

Passkeys

Passkeys are WebAuthn credentials, i.e., the public and private key pairs generated by an authenticator. Originally they were device-bound: the private key stayed in the secure hardware of the device where it was generated. To support recovery after a lost or stolen device, and to drive adoption, synced passkeys were introduced, whose private keys are backed up and distributed between a user’s devices under end-to-end encryption. Apple’s iCloud Keychain enables this today between supported Apple devices.

Future

The use of passkeys on consumer sites has grown rapidly, yet questions remain about their use in the Enterprise. While the passkeys are stored securely and enable verified session access, how do you know the endpoint is a trusted device and will not put the organization at risk? This requires identity and access management vendors to provide extra protection to establish device trust before they can be used.

Trusted Endpoints

Cisco Duo can enhance the security of passkeys with its Trusted Endpoints functionality. A user preregisters and has Duo Desktop (Windows and macOS) or Duo Mobile (iOS and Android) installed, which uniquely identify their trusted devices. Then, at authentication time, the user’s device must be known or “trusted”; otherwise they are not allowed to use it to authenticate.

Summary

Passkeys are here to stay, and it is important for enterprises to plan to invest in them. They are strategic to identity security and a win for companies, admins, and users alike. See the Duo documentation to learn how Duo Passwordless, Trusted Endpoints, and passkeys can help protect user identities and secure access to your environments today!

]]>
<![CDATA[Announcing Identity Intelligence With Duo]]> ivablazi@duo.com (Iva Blazina) https://duo.com/blog/announcing-identity-intelligence-with-duo https://duo.com/blog/announcing-identity-intelligence-with-duo Product & Engineering

The idea that “identity is the new perimeter” is not new. It has been a foundational component in many approaches to zero trust. However, over the past 18 months, there has been an unprecedented wave of identity-based cyberattacks with devastating consequences. According to Cisco Talos, three of the top five MITRE ATT&CK techniques used in 2023 were identity-based.

Traditionally, credentials (such as usernames, passwords or security tokens) have been the gatekeepers of access. Each user’s identity is a potential door into an organization’s environment. Given the affordability and scalability of identity-based techniques, attackers have been quick to target these doors. So, while the statement “identity is the new perimeter” is true, it must be followed with “and identity context is critical in order to grant secure access.”

Even before the high-profile attacks in 2023, the trend in adopting zero trust security principles already showed that identity security must be a major priority for organizations of all sizes.  

Addressing identity-based attacks

Duo has made a number of significant investments in identity security over the last several years: the release of Duo’s Trust Monitor, the release of Duo’s Risk-Based Authentication, and moving Duo’s Trusted Endpoints feature into Duo’s Essentials edition.

In a world where identity has become the most attacked perimeter, Cisco & Duo are doubling down on a security-first approach to identity and access management.

Today, we are announcing a private preview of Duo’s identity security capabilities powered by Cisco Identity Intelligence. Cisco Identity Intelligence is a powerful, cross-platform identity graph that will inform and infuse identity context into the Cisco Security portfolio.

Cisco Identity Intelligence will help Duo customers with unmatched visibility across their full identity and access management stack while helping to detect and prevent identity-based attacks. This will help to overcome fragmented and inferior approaches to identity which leave organizations vulnerable to attacks.

“…we need the identity data…but we can’t just send the SOC an ocean of data without context…” — Duo Customer, Technology Sector

Cisco customers have been asking for this type of intelligence, and we wanted to provide actionable identity insights without the noise. As one administrator put it: "...we need identity data…but what we don’t want is to just send the SOC an ocean of data without context, and they don’t know what to do with it.”

Context is king: organizations need contextualized, actionable identity insights, and we could not agree more. Most solutions in the market today are either too noisy, plagued by false positives, hyper-focused on legacy infrastructure, or tailored to one specific identity solution.

Reducing the risk of identity-based attacks

Picture a scenario where an attacker acquires a list of dormant accounts, performs credential stuffing against them, and obtains working credentials to log in. Given that the average company has 40.26% of accounts with either no MFA or weak MFA[1], getting through the remaining hoops to exfiltrate sensitive data is not overly complex.

An identity security solution that provides visibility into misconfigured and unused accounts, covering employees, contractors, and service accounts, by comparing them against identity sources such as your identity provider and HRIS system is therefore a necessity. To help minimize the chances of a successful identity-based attack, such a solution should also offer holistic coverage across identities and applications.

To address identity-based attacks with greater efficacy, Identity & Access Management (IAM) analytics need to be an inherent part of such a solution. This way, IT administrators can quickly close security gaps by migrating from weak authentication to strong, phishing-resistant, multi-factor passwordless deployments across the customer’s entire enterprise stack.
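To show what that reconciliation looks like in practice, here is an added example that is not Duo's or Cisco Identity Intelligence's code. It joins a constructed IdP account export with a constructed HR roster and a few constructed authentication log lines, flags accounts that are dormant, unknown to HR, or protected only by weak or no MFA, and then raises the successful logins from the scenario above with that context attached. The field names, the 90-day dormancy threshold and the set of factors treated as weak are all assumptions for the example.

```javascript
// Added example (not Duo's or Cisco Identity Intelligence's code): reconciling an IdP
// account export against an HR roster and an authentication log to surface the gaps
// a dormant-account credential-stuffing attack relies on. Every record below is
// constructed for the example; field names are assumptions, not any vendor's schema.
const DAY_MS = 24 * 60 * 60 * 1000;
const DORMANT_DAYS = 90;                                // assumed inactivity threshold
const WEAK_FACTORS = new Set(["sms", "phone_call"]);   // assumed definition of "weak MFA"

// Constructed IdP export: enrolled factors and last successful login per account.
const idpUsers = [
  { user: "alice",      factors: ["webauthn"], lastLogin: "2024-01-20T09:00:00Z" },
  { user: "bob",        factors: ["sms"],      lastLogin: "2023-09-02T14:10:00Z" },
  { user: "carol",      factors: [],           lastLogin: "2023-06-15T08:30:00Z" },
  { user: "svc-backup", factors: [],           lastLogin: "2024-01-21T02:00:00Z" },
  { user: "dave",       factors: ["duo_push"], lastLogin: "2024-01-19T17:45:00Z" },
];

// Constructed HRIS roster of active employees and contractors. Carol has left the
// company. Service accounts are not in HR, so they need an explicit owner registry.
const hrisActive = new Set(["alice", "bob", "dave"]);
const serviceAccountOwners = new Map([["svc-backup", "it-ops"]]);

// Constructed auth log. Two successes from one IP against accounts idle for months
// is the pattern of the credential-stuffing scenario in the text.
const authLog = [
  { ts: "2024-01-22T03:12:00Z", user: "bob",   result: "success", factor: "sms",      ip: "203.0.113.7" },
  { ts: "2024-01-22T03:13:00Z", user: "carol", result: "success", factor: "password", ip: "203.0.113.7" },
  { ts: "2024-01-22T09:01:00Z", user: "alice", result: "success", factor: "webauthn", ip: "198.51.100.4" },
];

// Hygiene findings for one account as of `now` (milliseconds since the epoch).
function classifyAccount(u, now) {
  const findings = [];
  const idleDays = (now - Date.parse(u.lastLogin)) / DAY_MS;
  if (!hrisActive.has(u.user) && !serviceAccountOwners.has(u.user)) findings.push("not_in_hris");
  if (idleDays > DORMANT_DAYS) findings.push("dormant");
  if (u.factors.length === 0) findings.push("no_mfa");
  else if (u.factors.every((f) => WEAK_FACTORS.has(f))) findings.push("weak_mfa");
  return findings;
}

// user -> findings for the whole directory.
function inventory(users, now) {
  const out = {};
  for (const u of users) out[u.user] = classifyAccount(u, now);
  return out;
}

// Share of accounts with no MFA or only weak factors, the kind of figure cited above.
function weakOrNoMfaShare(users, now) {
  const inv = inventory(users, now);
  const bad = Object.values(inv).filter((f) => f.includes("no_mfa") || f.includes("weak_mfa")).length;
  return bad / users.length;
}

// Successful logins to accounts that should not be logging in at all: dormant, unknown
// to HR, or absent from the IdP. Each hit carries its findings so the SOC gets context.
function detectSuspiciousLogins(users, log, now) {
  const inv = inventory(users, now);
  const risky = new Set(["dormant", "not_in_hris", "not_in_idp"]);
  return log
    .filter((e) => e.result === "success")
    .map((e) => ({ user: e.user, ts: e.ts, ip: e.ip, reasons: inv[e.user] || ["not_in_idp"] }))
    .filter((hit) => hit.reasons.some((f) => risky.has(f)));
}

const NOW = Date.parse("2024-01-22T00:00:00Z"); // assumed evaluation time, just before the log entries

console.log(inventory(idpUsers, NOW));
console.log("weak or no MFA:", weakOrNoMfaShare(idpUsers, NOW));
console.log(detectSuspiciousLogins(idpUsers, authLog, NOW));
```

Run as written, the inventory marks bob as dormant with weak MFA, carol as dormant, absent from HR and without MFA, and the service account as lacking MFA; three of the five accounts have weak or no MFA, and the two early-morning logins are the only ones raised, each with the reasons attached rather than as a bare event stream.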

In the video below, Duo product leader Josh Terry highlights how Duo powered by Cisco Identity Intelligence will provide immediate security value and real-time response to today’s most common attacks, such as session hijacking, inactive account abuse, and more:

See the video at the blog post.

Enhanced user and breach protection

This move will help Duo’s customers to streamline security operations, improve security posture by protecting both access and identity infrastructure, address compliance requirements more effectively, and ultimately, fast-forward their journey to zero trust.

Cisco Identity Intelligence’s capabilities are available now in a private preview for select Duo customers. It will be packaged in Duo Advantage and Duo Premier editions for all customers once generally available.

What is coming next?

Whether it is helping customers secure their identity tools or making sense of enormous identity data with data analytics and AI, Cisco is putting identity security at the core of its security strategy.

This private preview is just the beginning as we continue to gather feedback and offer more identity security capabilities to help customers meet additional identity security outcomes.

Stay tuned!

If you just want to talk about identity security with a specialist or aren’t sure where to start, please contact us here!


[1] Based on a report we issued in 2023.

]]>
<![CDATA[The 2024 Duo Trusted Access Report: Navigating Complexity]]> sbila@duo.com (Slavka Bila) https://duo.com/blog/2024-duo-trusted-access-report-navigating-complexity https://duo.com/blog/2024-duo-trusted-access-report-navigating-complexity Industry News

The 2024 Duo Trusted Access Report: Navigating Complexity, gives us a chance to use the topic of complexity as a backdrop to examine trends (existing and emerging) in both access management and identity.

Complexity is covered from multiple angles – from the complexity of the identity stack to the complexity of managing digital identities and access rights – providing practical recommendations to help organizations navigate an increasingly sophisticated cybersecurity landscape.

In partnership with the Cyentia Institute, Duo analyzed data from more than 16 billion authentications, spanning nearly 52 million different browsers, on 58 million endpoints and 21 million unique phones across regions including North America, Latin America, Europe, the Middle East, and Asia Pacific.

Here’s a quick look at a few of our top findings:

  • Passwordless adoption continues to rise — Even though it began on a small scale, account adoption of WebAuthn-enabled factors, including security keys and biometric technology like Touch ID, increased by 53%.

  • MFA usage continues to expand globally — The number of MFA authentications using Duo rose by 41% in the past year.

  • SMS and phone calls as a method of second factor authentication decreased by 22%, reaching an all-time low at 4.9%.

  • The percentage of failures due to out-of-date devices increased by 74.7% in 2023 — Organizations are putting in stricter controls, reducing risk of out-of-date software.

  • Less than 4% of organizations implement explicit geography-based deny or allow policies.

In addition to looking into the past, we wanted to give our readers a sense of what the future might bring. To do this, we have also delved into identity sprawl and protection, a concept that might still be considered emerging to some.

Why should you care about identity sprawl?

Identity sprawl is a growing challenge and occurs when users have numerous accounts and identities managed by multiple systems that are not synchronized. This presents a continuous security risk and operational challenge for many security and IT teams.

Focused on identity security challenges, the report aims to answer the following questions:

  • Identity is the new perimeter; why are we struggling to protect it?

  • How can we maintain the visibility of our workforce identities?

  • How can we secure workforce identities?

The future of identity security

When Identity & Access Management (IAM) hygiene is poor or inadequate, organizations' identity attack surface increases. As more relationships are created between devices, attributes, identities and permissions, it becomes increasingly difficult to monitor which users are doing what.

Investigating incidents is also challenging without a solution that brings identity-related data together from multiple sources or helps pass contextualized posture information from IT to SOC. Visibility into misconfigured and unused accounts, including employees, contractors, and service accounts is also vital.  

Having identity threat detection and response capabilities under one roof with access management is becoming a necessity. In tandem, these capabilities can help minimize chances of successful identity-based attacks while offering holistic coverage across identities and applications.

To address identity-based attacks with greater efficacy, IAM analytics needs to be an inherent part of such a solution. It builds context for the policies, strategies, and prioritizations necessary to fill visibility gaps and move the needle towards strong least privilege access controls and a zero-trust security strategy.

This year’s Trusted Access Report provides a comprehensive analysis of trends in authentication and access. With the growing complexity of identity sprawl and increasing concerns about identity security, it is more important than ever to add context through data.

Download the 2024 Duo Trusted Access Report: Navigating Complexity today to learn more about these trends.

]]>