
The “Dude” writes in response to our duo_unix announcement:

Excessive but very cool

Of course, security never really seems necessary until you’re being stomped on by nihilists


In an era of commodity exploit kits, drive-by malware, and crimeware-as-a-service, a second login factor isn’t excessive. It’s basic blocking & tackling to protect even user accounts (e.g. Google, Facebook, PayPal, World of Warcraft, etc.), much less administrative access.

We’re not the only ones advocating this “back to basics” focus on security fundamentals. From a recent Quora post on cloud security by iSEC Partners’ Alex Stamos:

We have been involved in cloud incident response before, and I have never seen a violation of multi-tenant technologies used effectively by an attacker. What I have seen is poor protection of extremely powerful credentials leading to attacks by insiders as well as privilege escalation by attackers who gain a foothold on one hosted instance and use locally stored secrets to take over the entire infrastructure. Worry about the security of your own application and the underlying operating systems (if you control them). Then worry about where you are storing all of your cloud credentials and who can access them. Think about how you will fire a sys admin and how much trust is given to your least trustworthy system.

If you manage any Unix systems, you’re likely doing it via SSH and pubkey auth (since nobody shares root passwords these days… right?). But SSH keys (and SSL certs) are just another secret that can be lost, stolen, or shared – and potentially even harder to revoke! Some issues we’ve seen:

  • Private keys on bastion hosts used to control network-wide administrative access (hence, global service providers 0wned from a single Linux box)
  • Shared admin keys lost, or stale/backdoor authorized_keys left behind when someone gets hacked/fired/leaves
  • Hijacked private key use via ssh-agent forwarding to compromised hosts (are you using ssh-add -c + $SSH_ASKPASS?)
  • Drive-by browser exploits and remote access trojans leading to exfiltrated private keys
  • Private keys sniffed (and cracked) from NFS homedir mounts

By simply prefixing any key in ~/.ssh/authorized_keys with command="/usr/local/sbin/duo_login", you can detect/prevent/revoke the use of lost/stolen/shared keys in real-time by having them call you back:

[Screenshots: iPhone push; iPhone push deny]
Duo Mobile saves the day!
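
To find the keys that still log in without a callback (including the stale or backdoor authorized_keys entries listed above), the following added example audits an authorized_keys file for the forced command. It is not part of duo_unix or the original post; the function names and the sample file are constructed for illustration, and the path is the one given above.

```python
import re

DUO_CMD = "/usr/local/sbin/duo_login"  # path as given in the post
KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-[a-z0-9-]+@openssh\.com)$")
COMMAND = re.compile(r'(?:^|,)command="((?:\\.|[^"\\])*)"', re.IGNORECASE)

def split_options(line):
    """Split the leading options field from the key, honouring quoted strings."""
    in_quotes, i = False, 0
    while i < len(line):
        if line[i] == "\\" and in_quotes:
            i += 2  # skip an escaped character such as \" inside quotes
            continue
        if line[i] == '"':
            in_quotes = not in_quotes
        elif line[i] in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""

def audit(text, required=DUO_CMD):
    """Return (line number, key comment, status) for every key entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        options, rest = ("", line) if KEY_TYPE.match(first) else split_options(line)
        fields = rest.split()
        if not fields or not KEY_TYPE.match(fields[0]):
            findings.append((lineno, "", "unparseable"))
            continue
        match = COMMAND.search(options)
        cmd = match.group(1).split()[:1] if match else None
        # A key with no forced command logs in without any second factor.
        status = ("no-forced-command" if cmd is None
                  else "duo" if cmd == [required] else "other-command")
        findings.append((lineno, fields[2] if len(fields) > 2 else "", status))
    return findings

# Constructed sample file; key material is truncated placeholder text.
SAMPLE = """\
# admins
command="/usr/local/sbin/duo_login" ssh-ed25519 AAAAC3Nza...placeholder alice@laptop
ssh-rsa AAAAB3Nza...placeholder old-contractor
from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-rsa AAAAB3Nza...placeholder backup
no-pty,command="/usr/local/sbin/duo_login",no-port-forwarding ecdsa-sha2-nistp256 AAAAE2Vj...placeholder bob
"""
```

Calling audit() on the text of each account's authorized_keys file and reviewing every entry whose status is not "duo" shows which keys can still be used without the second factor.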

We’ve made duo_unix as easy as possible to deploy, and free for the vast majority of Unix shops (up to 10 sysadmins) and open-source projects (two-factor auth saved Apache’s bacon last year).

Duo abides…

Dug Song
CEO & Co-Founder

Dug has a history of leading successful products and companies to solve pressing security problems. Dug spent 7 years as founding Chief Security Architect at Arbor Networks, protecting 80% of the world’s Internet service providers, and growing to $120M+ annual revenue before its acquisition by Danaher. Before Arbor, Dug built the first commercial network anomaly detection system (acquired by NFR / Check Point), and managed security in the world’s largest production Kerberos environment (University of Michigan).

