<![CDATA[The Duo Blog]]> Duo's Trusted Access platform verifies the identity of your users with two-factor authentication and security health of their devices before they connect to the apps you want them to access. en-us info@duosecurity.com (Amy Vazquez) Copyright 2023 3600 <![CDATA[Zero Trust Access Policy Is Complicated. Here’s How to Simplify It.]]> mrotar@cisco.com (Mike Rotar) https://duo.com/blog/how-to-simplify-zero-trust-access-policy https://duo.com/blog/how-to-simplify-zero-trust-access-policy Product & Engineering

Do you grapple with complicated access policies, or have you experienced a failed device trust policy deployment? You’re not alone.

The truth is, zero trust access policies can be complicated to deploy, scale, and support. And organizations looking to gain ground in their zero-trust journey are forced to contend with a widening cybersecurity readiness gap. According to the Cisco Cybersecurity Readiness Index, 85% of organizations are not prepared to protect themselves against modern attacks. Security leaders, then, are looking for more efficient ways to lock down their defenses. And they want help from effective zero trust access policies. They just don’t want it to be complicated.

That’s why we at Cisco Duo offer a simple-to-deploy policy for applications, people, and devices that can help mitigate modern security threats and attacks.

Cisco Duo’s recent update to our $3 per user per month edition (now called Duo Essentials) adds an important device trust feature called Trusted Endpoints, which allows businesses to:

  • Distinguish device trust easily by integrating with virtually any third-party device management solution

  • Distinguish trust by application verification using Cisco Duo’s Device Health and Duo Mobile applications

  • Deploy and verify device trust status at a lower cost than our competitors

Accelerate device zero trust with Cisco Duo SSO

The simplest way to implement a device zero trust policy such as Trusted Endpoints is by centralizing the SAML and OIDC Single Sign-On (SSO) experience with a solution like Cisco Duo SSO. Duo SSO quickly connects to your identity provider of choice and integrates with any SAML or OIDC application, with dedicated integrations for Microsoft 365, Citrix NetScaler, Cisco AnyConnect (ASA and Firepower), Salesforce, Cisco Webex, and many others.

Learn how to deploy Cisco Duo SSO

Once an application has been integrated, administrators can use Duo Trusted Endpoints to configure policies that validate device trust across operating systems such as macOS, Windows, Android, and iOS, and require phishing-resistant authentication methods such as FIDO2 security keys, Touch ID, and Verified Duo Push.

Here’s an example of a simple policy requiring all devices to be trusted and only allowing enrolled users to authenticate using pre-approved phishing-resistant authentication methods:

Learn how to deploy Cisco Duo Trusted Endpoints

Ramp up security without sacrificing productivity

With Cisco Duo SSO, you can easily grant frictionless access to applications while simultaneously enforcing strong zero trust measures across applications, people, and devices. As hybrid and mobile workforces continue to grow, establishing a seamless way to manage multiplying endpoints will streamline security operations and minimize your attack surface.

Start closing your cybersecurity readiness gap. Contact Cisco Duo today.

]]>
<![CDATA[Duo Single Sign-On Now Supports More Applications Out-of-the-Box]]> skathuria@duo.com (Seema Kathuria) https://duo.com/blog/duo-single-sign-on-supports-more-applications-out-of-the-box https://duo.com/blog/duo-single-sign-on-supports-more-applications-out-of-the-box Product & Engineering

Applications have grown in variety and adoption for over two decades. SaaS (Software-as-a-Service) adoption is skyrocketing. It is estimated that by 2025, 85% of business apps will be SaaS-based.

As a technology marketing professional, I use at least 20 applications every day - SaaS/cloud applications and on-premises apps - including email, web browser-based apps, chat/collaboration tools, corporate internal apps such as the intranet, and mobile apps. I am so glad I don’t have to create or remember passwords for every application. That is because Duo Single Sign-On (SSO) is enabled on my work account. Duo Single Sign-On is a cloud-hosted SAML (Security Assertion Markup Language) 2.0 identity provider (IdP) and OpenID Connect (OIDC) provider (OP) that adds two-factor authentication. It offers inline self-service enrollment and authentication with the Duo Universal Prompt to popular cloud services like Microsoft 365 and Amazon Web Services (AWS) using SSO protocols.

Nowadays, employees across many different industries use tens to hundreds of applications, so it is imperative that the single sign-on solution used in their organization supports as many of those applications as possible out of the box, so that configuration is simple and quick for admins.

What’s new: Duo SSO now supports more pre-configured applications

From the time we launched single sign-on five years ago, we have enabled Duo administrators to easily use the Duo Admin Panel for configuring cloud applications based on SAML 2.0 and OIDC standards.

Already in the first half of 2023, we’ve added many apps to the Duo SSO applications catalog, including:

Tell us what applications you would like to see added by filling out this form. This will help our Product team prioritize these.

]]>
<![CDATA[AI: Risk or Opportunity?]]> rarchdeacon@duo.com (Richard Archdeacon) https://duo.com/blog/ai-risk-or-opportunity https://duo.com/blog/ai-risk-or-opportunity Industry News

It’s difficult to avoid the noise currently surrounding generative AI. Based on many recent conversations, this is an issue that needs to be approached with some care. Certainly, from the security and resilience perspective, we need to think about the impact of these solutions and how we can provide a useful framework for security, privacy and governance in relation to AI-driven apps. Put simply, how do we make sure we’re managing the potential risks while capitalizing on any opportunities?

“Who is Richard Archdeacon?”

To some it’s generative AI, to others it’s Machine Learning. Perhaps the most useful description for the AI solutions is simply: “the practical application of clever maths.”

In other words, we need to remind ourselves that these tools are not magic. They’re simply the interaction of algorithms with a defined data set.

To illustrate the point and prove my dedication to keeping fellow CISOs fully informed, I decided to test the new capability by asking an AI tool to generate an introductory slide for a presentation that I was giving at a conference.

My attempt to cut corners came out with a result that was none too complimentary. But who am I to disagree? It was certainly appreciated by the audience!

This experiment did make me think. The information used to generate my introduction was taken from a set of data that was static at that time. But what if it could be manipulated? Would it be possible for me to “poison” selected online platforms with fake content about Nobel prizes, international sporting achievements and previous roles as a leading Hollywood actor? It’s an almost textbook illustration of the well-known garbage-in, garbage-out (GIGO) problem, and it raises an important question for the proponents of AI: how do we know that the data trawled by these apps has not been poisoned — especially since such an attack would be relatively simple to implement? (With that in mind, expect to see an increasing recognition of the benefits that can be gained through vaccinating datasets against adversarial attacks.)

Or, as we have heard already, what if confidential information had been accidentally shared and was now in the public domain? This could pose an organization with any set of business risks from exposing vulnerabilities to compromising IP claims.

That is why there is now a growing body of commentary recognizing how the rewards of generative AI are counterbalanced by some very real security risks.

For the CISO there should be an inside/outside view. What solutions are being developed internally and what controls should be put in place? What solutions are being introduced into the organization and how do we make sure they’re doing the job?

There are also ethical questions to be considered, emphasizing the importance of effective data governance structures, policies and procedures.

A business-driven approach

The capabilities of a new technology and its potential for future development are key considerations that guide investment decisions for any business. Equally important for the CISO is the necessity to understand the risks a technology may pose for data governance, privacy and security.

The understanding of whether AI is the best tool for a particular job or not will depend upon whether it will support productivity and build business resilience by focusing on the practical priorities a CISO faces.

So, just like any other technology investment, our initial questions should be about the operational capability of AI:

  • What are the issues and the benefits around it?

  • How do I get confidence in it?

  • How do I take advantage of it?

  • What might happen in the future?

  • How will this make the business more successful?

When looking further into any such solutions, the risks and opportunities need to be understood. In short: will they introduce new weaknesses or vulnerabilities?

With these considerations in mind, I see a series of assessments being undertaken which may well include an extension of the current approach to third-party solutions.

More compliance for the CISO to worry about!

AI and governance

The first step for a CISO is to look for a clear list of principles to ensure that ethical data governance is built in from the start when AI solutions are implemented. Cisco has a well-established set covering:

  1. Guidance and Oversight

  2. Controls

  3. Incident Management

  4. Industry Leadership

  5. External Engagement

This gives a sound basis for developing trust in any solution. For example, knowing that governance is in place, that privacy and unintended bias are recognized and addressed, and that incidents are managed mitigates adoption risk. Privacy will be a key issue where generative AI apps store information from user inputs and use it to generate additional content.

Regulators and legislators are already reviewing new controls in most countries including the US, EU and the UK while generative AI has been banned in some countries including Italy, France and India. These developments need to be watched as it will be another area for CISOs to monitor.

Using AI (or clever maths) in practice

To understand how to use AI (or clever maths) in a practical sense, the way Cisco Duo has developed its Trust Monitor solution provides a case study. Trust Monitor builds an internal data set and uses AI to learn what secure behaviour looks like, then automatically alerts administrators when something looks risky.

"We created a data governance team to look at every use case in which we wanted to apply AI techniques. This team included all stakeholders. Not only Engineers, but we also included perspectives for legal, privacy, and ethics concerns. In that way, we could decide whether this was the right solution for the use case and, if so, we ensured we had a full understanding of how we could apply our principles." - Joe Dugan, Product Manager at Cisco Duo

This ensures a development approach which works to protect the security of users with systems that anonymize and obfuscate personal user details without impacting functionality.

In addition, policies around secure by design, data handling, retention and deletion are in place from the start.

These principles are also top of mind as Cisco Duo integrates with an increasing number of solutions across the wider Cisco Secure portfolio. So, a principled approach is embedded into the whole engineering process, increasing the opportunity to protect users whilst reducing any risk.

Asking about this type of approach may be one way in which the CISO can assess the risk of the solution being provided.

A sense of perspective

AI is going to continue making an impact, but it will never be the whole answer to every question for the business. In those situations where it is useful, we will need to have a view on how any associated risks are managed.

For security specialists, AI will remain a genuinely useful tool, automating many mundane tasks and doing a lot of heavy lifting. Without the right controls in place, however, it won’t always be the best answer.

In fact, as I’ve discovered myself, it might not even be the best tool for writing an introduction to a presentation.

Knowledge may be the wing wherewith we fly to heaven – but we better make sure it is secure.

]]>
<![CDATA[Bringing Passkeys to Admin Panel Login]]> brpenney@cisco.com (Brianna Penney) https://duo.com/blog/bringing-passkeys-to-admin-panel-login https://duo.com/blog/bringing-passkeys-to-admin-panel-login Product & Engineering

For many Duo Security administrators, logging into the Duo Admin Panel is part of your everyday work. From unlocking a user to configuring a new policy, you need to get in quickly and securely to protect your organization. Recently, we released passkeys for the admin panel to make this workflow even easier and more secure.

What is a passkey?

A passkey is a phishing-resistant cryptographic keypair you register for web-based authentication. It’s the strongest authentication method available today, which is why you see passkeys moving to replace passwords altogether.

“Passkeys cannot be phished, so they transfer the possibility of detecting whether a link is valid away from the end user.” – Matt Brooks, Cisco Duo Product Marketing Manager

Passkeys are built on WebAuthn technology so you can use all the methods you’re used to — like security keys, Touch ID, Windows Hello — as well as a few more like mobile phones and password managers. Not all browsers support all verification methods on a given operating system, so for the widest compatibility we recommend Chrome or the browser that came with your operating system.

As of July 2023

For a deeper dive into passkeys and their benefits, read “What are Passkeys?” by Matt Brooks.

Easier-to-use login experience

While adding passkeys to admin panel login, we also took action on your feedback to make admin login easier to use. Starting in July 2023, administrators will start to see a new login experience that more closely resembles the Universal Prompt experience. In addition, admins can choose to remember their last used login method so that they are automatically prompted after entering their password without an extra click.

See the video at the blog post.

Switching administrators to passkeys

We’re encouraging all admins to make the switch to passkeys for a more secure Duo Admin Panel. While Duo has had more secure methods like YubiKey and hardware token support for a long time, investing in hardware for your admin team can be expensive and difficult to manage. The advantage of passkeys is that they already come with devices your administrators have today. Even if your administrators’ laptops do not have biometric support, admins can use their mobile phone as an authentication device without needing to download an app.

Passkeys are enabled by default for Admin Panel access. Owners can change this setting under the Admin Login Settings page in the Administrators section of the Admin Panel.

Since launching, we’ve seen over 15,000 passkeys added. Register a passkey in the admin panel today for an easier and more secure login. As always, we recommend having at least two authenticators tied to your account, so that you’re never locked out. You can register up to 100 passkeys and rename them from your admin profile.

]]>
<![CDATA[The State of Passwordless in the Enterprise]]> matbroo2@cisco.com (Matthew Brooks) https://duo.com/blog/state-of-passwordless-in-enterprise https://duo.com/blog/state-of-passwordless-in-enterprise Industry News

Recently, Cisco Duo sponsored a comprehensive study on Passwordless in the Enterprise led by ESG senior analyst Jack Poller. Today we will discuss the survey makeup, review key results and explain why Duo’s Passwordless technology is well positioned to meet enterprise authentication needs highlighted in the study.

In addition to this blog post, you can find more information on the study results in:

Study Overview

During the study, ESG asked questions of 377 security, IT, and application development professionals across a variety of company sizes and verticals, about both workforce (internal/employee) and customer (external/client) users. The study also covered multi-factor authentication, identity protections, identity risks and identity vulnerabilities experienced.

Study Findings

We’ll focus on the workforce findings:

1. Multiple account or credential compromise is the norm

This result is surprising, but it’s not entirely new. Year after year, countless reports find that a significant number of breaches occur due to lost or stolen credentials. Cybercriminals don’t break in; they just log in. There are a variety of reasons that credentials are a perennial attack vector: some companies don’t have the budget to implement MFA, they don’t have the skills to implement it, or the solution is too complex and negatively affects user productivity.

The writing is certainly on the wall that username and password credentials are a menace to secure environments, and moving to strong authentication is the solution. Yet, enterprises are faced with a trade-off between enabling a great user experience and deploying strong security.

Duo does not subscribe to that choice. Founded in a world-class design-led philosophy, Duo offers a great admin and user experience behind cutting edge authentication security for unmatched value.

2. Workforce authentication failures are common and MFA is still not mandatory

Duo has always focused on meeting customers where they are. Depending on the situation, authenticator options may be limited. Therefore, Duo supports a wide variety of authentication options. However, at the same time, we also enable our customers to implement the strongest multi-factor authentication (MFA) options available in the industry.

These include Verified Duo Push with number matching, Risk-Based Authentication that steps up authentication strength based on risk signals, Trusted Endpoints to limit access to known devices, and phishing-resistant factors like FIDO2 WebAuthn, which is a foundational Duo Passwordless component.

3. Two-thirds of enterprises have started their workforce passwordless journey

Based on this stat, we can infer that passwordless has been beneficial to overall security efforts for most companies. Therefore, as enterprises develop plans to strengthen their security postures in the future, we can expect growth in the use of passwordless authentication.

Duo brought its Passwordless solution to market last year and has seen a steady rise in adoption and expansion from production pilots to full production in various functional groups across a broad set of verticals. Since it’s available in all product editions, all Duo customers have the capability to get started using passwordless immediately on the heels of completing their rollout plans.

4. Investment in strong authentication is growing

The top three “areas expected to benefit from an increase in authentication technologies over the next 12 months” are:

  • Adding or improving passwordless authentication for workforce users – 24% of enterprises

  • Adding or improving passwordless authentication for partners or suppliers – 18% of enterprises

  • Adding or improving passwordless authentication for customer users – 17% of enterprises

Duo Passwordless provides enterprises with broad options to strengthen security and improve the user experience by eliminating the use of passwords. Our Passwordless solution supports flexible authenticators including:

  • Passkeys that are single device bound or synced across multiple devices

  • Platform authenticators built into access devices

  • Security keys attached to access devices

  • Duo Push on mobile devices

With Duo Passwordless, users can log in securely with a single gesture that provides the security based on “something you have” + “something you are” factors and doesn’t rely on the plagued “something you know” factor used for password-based authentication.

There’s no time like the present for starting your passwordless journey

Weak authentication with passwords and phishable MFA is putting enterprises at risk. So many are making passwordless a high priority to enable them to benefit from the increased security and improved user experience it offers. Get more insight into key survey takeaways by reading ESG’s ebook on the state of Passwordless in the Enterprise.

Also, be sure to register for the State of Passwordless in the Enterprise webinar with Jack Poller and me on July 19th at 1:00pm EDT. Jack will discuss key results from the survey and share his extensive industry experience. I will complement his observations by highlighting why Duo is well positioned to shore up enterprise authentication needs raised in the survey, while guiding organizations on their journey to passwordless authentication.

]]>
<![CDATA[Protecting Against Ransomware 3.0 and Building Resilience]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/protecting-against-ransomware-3-0 https://duo.com/blog/protecting-against-ransomware-3-0 Industry News

Show me the money!

The number-one reported motive for a cyber breach is financial gain, and ransomware 3.0 is the newest preferred tool to get there.

Tightening cybersecurity has become an increasingly important issue for organisations and individuals around the world. In Australia, the threat of ransomware attacks has been growing, with the Australian economy reportedly losing up to $2.59 billion annually from these incidents.

Twenty-nine per cent of incidents reported to the Office of the Australian Information Commissioner (OAIC) were attributed to ransomware between July and December of 2022, making it the most reported type of security breach of the year. Compromised credentials and phishing attacks, our previous two points of focus in the series, are two of the most common entry paths to ransomware deployment.

In the final instalment of this series, we cover the rise of ransomware 3.0 in Australia and the secure access innovations that make tangible differences in preventing a breach, mitigating the spread, and keeping organisations moving forward.

The Rise of Ransomware 3.0 in Australia

What is Ransomware 3.0?

While ransomware has been around for many years, it has continued to evolve. According to the 2022 Verizon Data Breach Investigations Report, ransomware has increased by 13% over the previous year — a jump greater than the last five years combined. Ransomware 3.0 is the latest iteration of this type of malware, and it differs from its predecessors in several ways, first and foremost in scale.

Unlike earlier versions of ransomware that targeted individual users, Ransomware 3.0 targets large organisations and critical infrastructure. It is also more sophisticated, using advanced encryption algorithms that make it more difficult to decrypt files that have been encrypted by the malware, moving laterally to disrupt cloud applications and taking advantage of inconspicuous crypto-mining schemes.

One innovation driving the proliferation of ransomware is Ransomware-as-a-Service (RaaS): fully integrated, out-of-the-box attack kits that give even operators with low technical literacy powerful capabilities in exchange for a small cut of the earnings. While Ransomware 2.0 introduced the double-extortion technique of threatening data release in addition to locking systems, Ransomware 3.0 doubles down on monetisation through organised crime and layered extortion methods.

How much does a ransomware attack cost an organisation in Australia?

The cost of ransomware to businesses is also mounting, with Australian organisations paying an average of $250,000 per incident. Cash aside, businesses and individuals must also deal with the costs of lost and compromised data — especially when it comes to personally identifiable information (PII) and personal health information (PHI).

A big target on the healthcare industry

The healthcare industry is particularly vulnerable to malicious attacks such as Ransomware 3.0. The Australian healthcare sector holds a significant amount of PII and PHI, making it an attractive target for cybercriminals and one of the largest reported targets for malicious software by the Australian Cyber Security Centre (ACSC).

Strong cybersecurity in highly digitised healthcare is essential to save lives, where every minute matters. This belief is likewise reflected in compliance and insurance demands, with strict requirements for PHI under the Commonwealth Privacy Act and regional legislation (e.g., the Health Records Act in Victoria or the Health Information Privacy Act in New South Wales) and reporting under the critical infrastructure bill.

Rather than temporary patching of security potholes, a strong cybersecurity strategy should evolve with business needs. Ever-increasing regulatory requirements force providers to be ready for current regulations and those that might be enforced shortly. Implementing a model of secure access with solutions like Duo can help mitigate the risk of cyberattacks today and the Ransomware 4.0s of tomorrow.

A Pacific Northwest healthcare provider uses Duo to protect against attacks and enable remote work

A large nonprofit healthcare provider serving over 600,000 residents in the Pacific Northwest is one organisation looking to increase remote work security, improve administrative overhead, and prevent future breach attempts.

In addition to a hospital, the healthcare provider operates a network of more than two dozen primary care, urgent care, and specialty clinics. The administrators wanted complete visibility of all users and devices accessing their Office 365 environment (whether in the hospitals or accessing remotely) and granular access controls through role-based policies for each application.

Multi-factor authentication (MFA) is a critical component of their security program, but the solution that was packaged with the existing enterprise suite did not meet the requirements of the IT security team. After evaluating several market-leading MFA solutions, the team chose Duo because it provided strong multi-factor authentication, complete visibility for workforce access, role-based access controls and the added benefit of ease of use for both administrators and end users.

"When users get phished, bad guys start attempting to use the stolen credentials within 10 minutes. Duo stops these login attempts and provides the details of the login failures so we can take the necessary action. In the last 90 days, Duo has protected against three instances of account hijacking," said one Security Architect.

Duo’s dashboard provides the security administrators with a snapshot of the overall access activity across the organisation, minimising the administrative overhead in user management, monitoring and reporting.

“The dashboard gives us a high-level view of our [organisation]. Useful information such as login failures, who logged into which application and when, the number of deployed licenses and inactive users are all available right there. I can then easily drill down to the details of a specific login event with just a few clicks. We did not have this level of information before Duo,” the Security Architect explained.

The healthcare organisation leveraged Duo Care’s expertise to ensure success in deploying and migrating users to Duo with minimal impact on business. Duo’s premium support program, Duo Care, tailored support to the hospital’s unique needs and helped maximise business value. “Duo’s native integration with ADFS gave us the flexibility we needed and made it very easy to deploy in our environment. The rollout was complicated, but we were able to customise the deployment using scripts and we executed it very well,” said the Security Architect.

Migrating to a high-touch solution such as MFA can be daunting and complex as it impacts business productivity. However, using a combination of scripts and user self-enrolment, Duo was rolled out to a group of test users for a month and then to the entire organisation in four days.

Device trust and mitigating Ransomware 3.0 propagation

As with phishing, a layered approach is one of the best tactics against advanced attacks like ransomware.

Duo can help protect organisations from ransomware attacks—including Ransomware 3.0—on three fronts:

  1. Preventing ransomware from getting an initial foothold in an environment

  2. Mitigating or stopping the spread of ransomware if it manages to infiltrate an organisation

  3. Protecting critical assets and parts of the organisation while an attacker still has a presence in the environment and until full remediation is achieved

Strengthening multi-factor authentication is a critical step to protect against ransomware.

Healthcare, alongside education (covered previously when we discussed how dangerous phishing is), is an industry that tends to teeter below the “security poverty line” due to legacy programs and systems; over half of the browsers measured by Duo’s 2022 Trusted Access Report were out-of-date in healthcare.

With Duo Device Health App, organisations can perform health and posture checks at the time of authentication to ensure the device meets set security policies before granting access. Without using an agent and keeping user privacy intact, Duo can check whether the OS is up to date, if disk encryption is enabled, if a password is set and more.

Cyber attackers are increasingly targeting gaps in weaker multi-factor authentication implementations. That’s why Duo is bringing protection previously available only in Duo's most advanced edition to every Duo customer. Now included in every tier, Duo’s Trusted Endpoints distinguishes registered or corporate-managed devices from unmanaged BYOD (bring your own device) — with the option to block when an unknown device is attempting to access resources on the network.

Duo's admin panel provides a single-pane-of-glass solution, making it easy to manage policy and monitor security status across all devices. For the aforementioned healthcare provider, Duo helped the team implement role-based access policies per application with ease. While role-based access per application was possible with the incumbent solution, it was cumbersome to implement and manage because each application required a separate instance of the solution.

With just a few clicks, administrators can enact new policies or create a Risk Profile in Duo Trust Monitor that prioritises and surfaces security events that match profile elements. Trust Monitor surfaces suspicious logins and alerts administrators when a new enrolment event matches attack patterns seen in the wild.

The bottom line

Yes, Duo and other security solutions reduce the risk and impact of attacks like Ransomware 3.0, but taking a step back reveals the larger goal of strong cybersecurity practices like zero trust in the first place: To keep critical infrastructure online, to launch a new product to market, to move the business forward, or even to keep people healthy and cared for.

“We were able to implement strong security controls without disrupting the business of helping patients, and Duo has helped us to do it easily and securely,” said John Zuziak, CISO of the University of Louisville Hospital (UofL) where over 500,000 patients are served every year. “Our long-term vision is to adopt a zero-trust security framework, and we have taken our first step.”

UofL Hospital deployed Duo and was immediately able to consolidate several projects — including MFA, single sign-on (SSO) and mobile device management (MDM) — which reduced its overall total cost of ownership by more than 50%.

However, the biggest advantage was ease of use and continuation of the users’ day-to-day roles: “... Multiple clinician leaders recommended Duo. It was an easy choice for us. It was the first-ever security solution recommended by the users and by clinicians. This never happens in healthcare.”

Wrapping up: Organisational resiliency

In a few months, cybersecurity professionals will convene at Cisco Live Melbourne to learn and discuss the latest and greatest across security. Last year saw subjects like Secure Access Service Edge, new technological innovations, and the best security practices take centre stage. One theme emerged consistently: resilience and protecting the integrity of business amidst unpredictable changes.

A mere 15% of organisations globally have the 'Mature' level of readiness needed to be resilient against today's modern cybersecurity risks, according to Cisco's first-ever Cybersecurity Readiness Index. Developed against the backdrop of a post-COVID, hybrid world, the report highlights where businesses are doing well and where cybersecurity readiness gaps will widen if global business and security leaders don't act. In Australia, that proportion of mature readiness is 11%.

The Cisco Cybersecurity Readiness Index is based on a double-blind survey of 6,700 private-sector cybersecurity leaders in 27 global markets. Read the Australia Market Snapshot.

Every seven minutes, a cybercrime is reported in Australia. Phishing, compromised credentials, and ransomware attacks are growing concerns around the world. Luckily, stronger security solutions exist — ones that don’t impede user productivity and can prove their investment value.

Cybersecurity will continue to be a priority. More than ever, it is essential to embrace the idea of cyber resiliency and continue to evolve security solutions. Today, we can start with securing user access.

Looking for more information?

]]>
<![CDATA[New Duo Device Health Application Enhancements: More Security, Increased Confidence]]> sgrebe@duo.com (Scott Grebe) https://duo.com/blog/new-duo-device-health-application-enhancements https://duo.com/blog/new-duo-device-health-application-enhancements Product & Engineering

Confidence in data can be a lot like having a good friend. When we trust the source, our confidence in the truth of the information we receive grows. And like any relationship, there’s room to develop that trust.

Originally built to support contractors using personal devices, the Duo Device Health application (DHA) took on an expanded role to help establish device trust by checking both the health and management status of endpoints before granting application access. Increasingly, it’s being used to differentiate managed devices from unmanaged BYOD (Bring Your Own Device). Now, we’re moving forward with enhancements that will further increase confidence in the truth of the data the DHA reports.

Stop the spoof

The enhancements to the Device Health application address two security challenges. The first is to make it even more difficult for a bad actor to “spoof” the DHA and its data. This improves confidence that the data reported by the Device Health app is valid, comes from a legitimate source and has not been tampered with during transmission. 

The second is to make it more difficult for that bad actor to cause a device that should not be trusted (in the context of Duo Trusted Endpoints) to appear as though it should be trusted. Let’s take a look at the enhancements and how they overcome these challenges.

Device Health application enhancements

Automatic Device Health Application Registration, Payload Signing and Device ID Pinning are a set of capabilities that, when combined with Duo Trusted Endpoints, make it even more difficult for a bad actor to use a fake version of the DHA in place of the legitimate application or to tamper with the data reported by the app. With all three enabled, IT teams can more confidently depend on the source, authenticity and legitimacy of the Device Health app’s reports which are used to determine the trustworthiness of the access device and enforce a Duo access policy.

Automatic Registration

If the Device Health app is not already registered, Automatic Registration will occur when a user accesses a Duo-protected application and successfully completes multi-factor authentication (MFA). The DHA will generate a cryptographic keypair, store the private key on the access device and send the public key to Duo, where it is stored and associated with the user, account and access device.

If any of those three attributes change, say someone else uses the same access device to log into an application owned by the same Duo account, the registration process will repeat. This allows for many-to-many scenarios where multiple users can utilize the same device, a single user can use multiple devices, and any or all of them can register with multiple Duo accounts.

Payload Signing

The private key that was generated during registration is used to cryptographically sign the data payloads sent by the Device Health app. The signature is verified by Duo’s back end using the public key that was sent at the time of registration. If the payload’s signature is invalid, either because it did not come from a legitimate DHA or it has been tampered with, the access attempt will be blocked.

Device ID Pinning

This feature works best when coupled with the Device Health app-based Trusted Endpoints feature. Device ID Pinning makes it more difficult for a bad actor to capture the device-identifying information used to decide whether an endpoint should be trusted and then make their own access device look like a trusted endpoint. For example, it is theoretically possible for a determined bad actor to learn device IDs such as the UUID (Universally Unique Identifier) or CPUID (CPU Identification) that Duo considers trusted, have their own access device present the same device IDs, and so cause a device that should be untrusted to appear trustworthy.

Device ID Pinning prevents devices that have already registered with a set of unique device IDs from registering again. Once enabled, the feature blocks any attempt to register a Device Health app where the access device has already been registered for that user and account, so a bad actor attempting to spoof a trusted endpoint is blocked. If a legitimately registered device needs to register again because its private key was lost (re-image, OS reinstall, etc.), an administrator can de-register the device so that it can be registered again.

Feel confident

Having trust in the source of the data we receive gives us confidence that it’s accurate and reliable. With the security enhancements we’ve made to the Duo Device Health application, you can be confident that the source, authenticity and legitimacy of the data reported by the Device Health app are trustworthy and not being spoofed by bad actors.

If you’d like to try the Device Health application and experience the new security enhancements for yourself, sign up for a free 30-day trial.

]]>
<![CDATA[Third-Party Security Risk: How to Protect and Respond]]> amayle@duo.com (Andy Mayle) https://duo.com/blog/third-party-security-risk-how-to-protect-respond https://duo.com/blog/third-party-security-risk-how-to-protect-respond Industry News

Third-party security risk is an issue that frequently comes up in my discussions with clients. The topic is usually raised through questions like these:

  1. “I have a contractor starting on Monday. How do I give them the access they need to get the work done while still keeping our environment secure?”

  2. “How do I enable secure access for a third party if I want them to maintain a particular asset?”

  3. “How do we restrict access to protect our IP when working with a third party?”

Snapshots like these indicate a much bigger picture, with most organizations at the center of a vast ecosystem sharing data with service providers and subcontractors to improve service delivery and reduce costs. Effectively, these third parties are trusted with the client’s corporate crown jewels – key information that may concern its employees, solutions, end users, company strategies, and much more besides. Safeguarding the privacy and security of that information is a business-critical responsibility.

How serious is the challenge?

There’s plenty of objective proof to support this anecdotal insight.

The Sunburst attack showed just how broadly based and deeply damaging an attack involving third parties can be. 

Meanwhile, Prevalent noted that companies are currently big on exposure but small on preparation, with a staggering 45% still relying on manual spreadsheets to assess third party risk. This renders risk audits more time-consuming and less effective.

That lack of preparation is particularly disconcerting at a time when KPMG is calling on security leaders to respond to increased threats by making a step change in their operating models and approach to third-party risk.

How simple is the solution?

In this situation, taking effective action starts with a simple statement of the problem.

Most third-party breaches feature two vulnerabilities:

  1. Device vulnerability due to lack of patching

  2. A lack of security on a client’s edge

An effective security solution to protect against these breaches must therefore be built on three essential pillars:

  1. Identity assurance: We need to be sure that third parties are who they say they are by implementing phishing-resistant authentication. This is particularly important now that many bad actors are attempting to bypass MFA with tactics such as MFA fatigue.

  2. Device posture: We need to make sure that third parties will be alerted when the devices they’re using need updating to protect their security posture. This protects the corporate apps third parties will need to access in order to do their work.

  3. User behavior: We need to create a historical baseline of user behavior and surface unusual access attempts by looking at variables. These include who typically accesses which applications from which devices at what times from what locations using which authentication methods. Visibility into abnormal access attempts then enables admins to detect suspicious activity and tighten access policy. Deploying a secure access solution that is able to identify whether a device is registered or managed versus not known or personally owned is a huge benefit, mitigating the escalating threats which customers of all sizes face.

How quickly can it be done?

So far, so secure.

In the real world, though, security is not the only consideration for organizations working with third parties. Speed of response and speed to business impact are also critical in keeping costs down and maximizing competitive advantage.

In this respect, not all security solutions are equal. Some will indeed deliver security but cost you precious time in doing so. For instance, if you’re obliged to build a hierarchy of policies to accommodate your third-party requirement it means that you’ll likely be tackling a job with many moving parts. The downside of that isn’t just the resources it ties up and the budget it consumes. It’s the lag time between starting the job and being protected — time during which your network remains vulnerable.

Similar considerations apply with speed to impact. If an organization is working with third parties, it probably wants to control costs and have those partners add as much value as quickly as possible. That equation can quickly become unbalanced if IT is tied up for days making sure the network is safe before the third-party work can begin.

The right solution can also make regulatory compliance and cyber liability insurance easier. But those are possibly separate topics for a different day.

Control the risk. Fast.

The good news for hard-pressed CISOs and IT admins is that the ability to create policies very rapidly for particular scenarios and apply them almost instantly has been built into Cisco Duo from the beginning.

Cisco Duo’s critical capabilities — such as strong authentication, phishing-resistant MFA, Passwordless, Single Sign-On (SSO), and Trusted Endpoints — offer an all-in-one package comprising essential secure access management for third parties and internal users alike. Equally important, this high level of security is delivered unobtrusively with minimal user friction thanks to Duo’s Risk-Based Authentication solution automatically evaluating risk signals, responding dynamically, and then adjusting secure access as required.

Because it is managed centrally, the Duo Policy engine lets admins reduce risk almost instantly by enforcing precise policies and controls, defining and enforcing rules on who can access which applications and under what conditions.

Duo Single Sign On also accelerates the third-party journey without compromising security, saving time and cost for onboarding to applications, password resets, device management and more while also providing a way forward to a Passwordless future supported by biometrics, security keys and specialized mobile applications that make access highly secure yet virtually friction-free.

Similarly, Device Trust makes it easy to enforce access control across both managed and unmanaged devices so organizations can be as confident as possible about authorizing third-party access.

I’ve seen what these capabilities mean in the real world on many occasions.

Thinking back to the scenarios I mentioned at the start of this article, I’ve seen situations where clients have told us they have a team of contractors starting a program of works imminently and we’ve been able to deliver a secure environment rapidly in response, sometimes within hours rather than days and certainly within days rather than weeks.

Or they’ve told us they need tighter controls to protect their IP with a third party working on a specific asset, and Cisco Duo has been able to spin up bespoke policies and controls almost instantly without interrupting day-to-day work.

Of course, that doesn’t happen by luck or accident.

It happens because the Cisco Duo solution is purposefully designed to build resilience for the entire business rather than simply help IT implement security.

Next steps

With the ongoing tech skills shortage plus a challenging economic environment, it’s likely that organizations will be relying on their third-party ecosystems to plug the gaps and cope with change for a long time to come.

Taking a free trial of Cisco Duo today is a quick and easy way to find out how those relationships can be secured in a way that effectively accelerates their ability to deliver value so the organization can achieve its goals.

Want to learn more?

Check out some other blogs:

The Bigger the Party, the Bigger the Risks

Healthy Device? Check With the Duo Device Health App Before Granting Access

]]>
<![CDATA[Pride and Processes: Building an Inclusive Culture and an Empowered LGBTQ+ Future]]> cvolny@cisco.com (Christi Volny) https://duo.com/blog/building-inclusive-culture-empowered-lgbtq-plus-future https://duo.com/blog/building-inclusive-culture-empowered-lgbtq-plus-future Industry News

June is LGBTQ Pride Month: a month-long celebration of visibility, solidarity and perseverance for the worldwide LGBTQ+ community. As we commemorate Pride and celebrate our legal recognitions and rights, it’s important that we acknowledge that not all queer people, a term to describe anyone who is a Gender and Sexual Minority, experience the same challenges or privileges.

The struggles faced by our most marginalized queers demand our attention and concerted efforts; their struggles relate to and represent all of our struggles. In this post, we delve into the hardships faced by marginalized queers, the power of unity, and how we might change our systems, technologies, and teams to empower instead of oppress.

I’m Christi Volny, a transgender lesbian, and I work as an Engineering Technical Lead on our Duo Single-Sign On (SSO) team. My experiences as a queer woman inform how I do my work: how I recruit and mentor teammates, how I lead engineering and organizational efforts and even how I design and deliver new features. If building inclusive culture, teams and products is important to you, visit our open opportunities.

The struggle of marginalized queers

For many in the LGBTQ+ community, we face a difficult journey toward acceptance and self-expression in the face of bias and oppression. Transgender individuals, people of color, and those with intersecting identities face unique and nuanced challenges that are often not represented in our histories and stories.

Discrimination, violence and systemic oppression impact their lives disproportionately, and it is important we continue to fight for liberation and equity until we are all elevated. This state of inequity demands that we actively address these challenges and work toward creating safer spaces that foster inclusion, empowerment and well-being for everyone.

Unity for a better world

Our communities’ progress lies in collective action and unity. Pride Month serves as a reminder that by standing together against injustice, we can effect positive change. Allyship extends beyond just our heterosexual friends and colleagues — it includes anyone with dimensions of privilege that can amplify and support marginalized voices. My role as a white queer is to amplify the voices of queer people of color; the role of my cisgender (a person whose gender identity corresponds with their sex assigned at birth) peers is to amplify the voices of transgender people like myself. We all have our roles and dimensions in creating a more inclusive society.

The role of systems and technology

Our systems, processes and technologies wield significant influence over our day-to-day lives. They can codify and perpetuate existing biases and cultures of oppression, or they can be retooled to empower and include previously excluded experiences.

Recognizing that we have inequity, we must critically analyze why and how we build these systems to ensure that our technologies, teams and organizations are inclusive and sensitive to diverse perspectives. Much like the proliferation of the Internet connected and amplified a world of diversity, we can provide our users with platforms that enable self-expression, dignity and respect, and empower them to flourish.

Building more inclusive teams

Designing better systems necessitates the assembly of better, inclusive teams. Hiring transgender individuals, among other underrepresented groups, crucially informs our organizations’ perspectives and offerings.

When I joined Duo SSO in 2021, I felt empowered to share my experiences navigating our systems and using our products that previously weren’t experienced by my teammates. One example of how that has looked is our use of name information in products and how this can be an opportunity to empower our users.

Transgender people will often change their given names to reflect their gender identity, but the legal process of making that change can be tedious and expensive. When I log into an information system that uses my legal name instead of a display or “preferred” name (for transgender people this is often called “dead-naming”), this exposes me to risks not faced by my teammates with gender-congruent names; it’s a problem they don’t face in their lives and hadn’t considered until our team included my perspective.

With that information and understanding our role in reducing harm, my team built a Cisco Hack-Day project to demonstrate a name override feature so that end-users can update their names supplied through Duo SSO rather than rely on integrations to support their own display name feature. Now we’re folding that into our software engineering process to be included in a future release. Our diverse, lived experiences bring valuable insights that shape our products and services to include a wider range of users.

That said, we cannot snap our fingers, perform lip service to inclusion and allyship, and expect diverse teams to manifest themselves. As organization and industry leaders, we must actively listen to peers and cultivate inclusive workplaces where our teammates can excel and thrive. This means providing employee resources, platforms and support in ways that our organizations don't traditionally offer. This ensures our marginalized teammates can recognize people like themselves in leadership, can safely ask for accommodations, and can grow their careers like everyone else.

Prioritizing user experiences and feedback

While striving for inclusion is crucial to building better products, we must also recognize that it is impossible to represent every intersectional class on every product team. Therefore, it is important that we prioritize soliciting diverse user feedback and evolving our products to include those experiences.

We must work to reduce friction and enable our customers to share their needs and concerns, particularly when our products misrepresent them (identity) or misuse their information (sensitive information such as legal name). Establishing trust amongst our leadership, customer support, technical writers, product managers, product designers, and engineering teams is essential for addressing and prioritizing these change requests.

A time to reflect and amplify

As LGBTQ+ Pride Month unfolds, let us reflect on the struggles that our most marginalized community members face and commit ourselves to building a more inclusive future for all of us. By uniting as a whole community, challenging oppressive systems and embracing diversity in our teams, we can create technologies that empower all users to express themselves authentically and with safety.

Prioritizing diverse user feedback and ensuring diverse voices are heard will allow us to correct shortcomings and strive toward a world that celebrates and uplifts every individual, regardless of their sexual orientation, gender identity and intersectional experiences.

Together, we can pave the way for a future where the entire LGBTQ+ community can thrive and flourish. Happy Pride!

Interested in working for a company that values diversity?

Cisco offers a range of benefits for LGBTQ+ employees including medical support, employee resource groups, parental benefits and more. As we learn together, we also listen to our teammates’ concerns and improve these offerings. We strive to ensure Cisco is an inclusive workplace for all and are proud to have a score of 100 on the Human Rights Campaign Corporate Equality Index.

Visit our open roles to contribute to cultivating inclusive culture while building for the future.

]]>
<![CDATA[What Are Passkeys?]]> matbroo2@cisco.com (Matthew Brooks) https://duo.com/blog/what-are-passkeys https://duo.com/blog/what-are-passkeys Industry News

Before we can discuss passkeys, we need to lay some groundwork and discuss authentication, Passwordless and WebAuthn.

What is authentication?

Authentication is the process of verifying your online identity. This ensures the right people get access to the right online resources. It also prevents bad actors from doing bad things to your company, including:

  • Stealing (exfiltrating) important data, like user social security numbers

  • Installing malware and holding intellectual property (like software code) ransom

  • Destroying servers or PCs, preventing employees from working

"Over 80% of the breaches categorized under web application attacks can be attributed to stolen credentials, allowing attackers to outright log in rather than break in." - Verizon, 2022 Data Breach Investigation Report (DBIR)

Authentication has been evolving as cybercrime has become more sophisticated. We started with usernames and passwords – something you know. We added multi-factor authentication (MFA) – something you know and something you have or are. We’ve gotten to passwordless (something you have + something you are).

What is passwordless?

Passwordless is the modern authentication method that does not rely on passwords, eliminating the risks that come with weak, lost, or stolen credentials. It is phishing-resistant MFA. At the foundation of passwordless technology is the FIDO Alliance and the WebAuthn protocol they’ve developed with input from industry giants like Cisco Duo.

Duo Passwordless uses platform authenticators, security keys from access devices, or Duo Push to secure application access without passwords, reducing the risk surface and administrative burden associated with passwords while improving the user experience.

Explore the Administrator's Guide to Passwordless to learn more technical details about it.

"It was exactly what I was looking for, which was a simple and elegant way to use YubiKeys or Windows Hello or Touch ID to replace the password. It simultaneously simplifies a user's life and takes the risky password off the table." - Jason Watts, CISO, Inductive Automation

According to the 2022 Duo Trusted Access report:

"...the adoption of passwordless authentication continues to rise. The number of authentications using Duo increased 41%." - Duo, The 2022 Duo Trusted Access Report

What is WebAuthn?

Web Authentication API (also known as WebAuthn) is a protocol and API that allows websites to register and authenticate users with public key cryptography instead of a password. It also allows them to integrate with strong biometric authenticators like Windows Hello or Apple’s Touch ID.

According to Gartner®:

"Digital identity hinges on authentication that can provide credence in an identity claim (sufficient to bring account takeover risks within an organization’s risk tolerance), ideally without adding unnecessary friction to the user journey. FIDO authentication protocols, particularly FIDO2, promise phishing-resistant passwordless authentication as a robust alternative to widely used multifactor authentication (MFA) methods, and with better user experience (UX).” - Gartner®, Hype Cycle for Digital Identity™, 2022

What are passkeys?

Passkeys are still “just” WebAuthn credentials. However, passkeys enhance the benefits of WebAuthn-based authentication by offering users the ability to recover from device loss without having to re-register their new device. Passkey “providers” achieve this by securely synchronizing passkey private keys between devices.

Passkey benefits include:

  • Phishing-resistance and lowered breach impact and cost

  • Reduced helpdesk load related to forgotten passwords

  • A more flexible and streamlined authentication flow for users

  • Increased user satisfaction from an overall better authentication experience

  • Greater accessibility for users with disabilities through the use of biometrics

  • A standards-based way for developers to quickly and securely build authentication features into their applications

10 things to know about passkeys

  1. Passkeys are poised as the unique and final solution to eliminate passwords and the pitfalls that come with them

  2. Passkeys have been supported through Apple keychain from September 2022, when Apple released iOS 16

  3. Google added passkey support for Chrome and Android through Password Manager a few months after Apple

  4. Passkeys are created by users on their device and copied across their Apple, Google, or Microsoft accounts on their phones, tablets or laptops

  5. Cross-platform support for passkeys is a stated goal of Apple, Google, Microsoft and the FIDO Alliance, yet it does not exist today

  6. Passkeys do not yet meet the possession requirement noted within the Strong Customer Authentication (SCA) standard, which is a European regulatory requirement to reduce fraud and make online and contactless offline payments more secure; it is under review by the FIDO2 working group

  7. A passkey is a FIDO credential consisting of a cryptographic public-private key pair that’s generated for each target website; the public key is stored on the website’s server, while the private key is stored securely on the user’s authenticator

  8. To sign in, the target website sends an assertion challenge to the user’s authenticator; the user enters a PIN or verifies their biometric, and the authenticator signs the challenge with the private key before sending the resulting authentication assertion back to the website; the website verifies the signed assertion using its copy of the user’s trusted public key, and the user is granted access

  9. Passkeys are accessed using the open FIDO2 WebAuthn API standard, while the cross-device sync of passkeys is managed transparently by the operating system

  10. Passkeys cannot be phished, so they transfer the responsibility of detecting whether a link is valid away from the end user

Current Duo passkey requirements

Use of passkeys as platform authenticators currently requires:

  • Windows 11 and Chrome 108 or later

  • macOS 13 and Safari or Chrome 108

  • iOS 16 or iPadOS 16

  • Android 10 and later

Duo supports the use of passkeys synchronized across devices within a platform vendor’s ecosystem (for example, iCloud Keychain if the user is using an Apple product or Google Password Manager if the user is using Android).

Passkeys for the Duo Admin Panel

As broad access device support for biometrics continues to grow, SaaS site support for WebAuthn spreads and standards for cross-platform passkey support are defined, passwordless will remain a journey. Throughout that journey, multi-factor authentication (MFA) will remain an important security measure. While the goal is for passkeys to replace passwords altogether, in the Duo Admin Panel, you can use a passkey for MFA to strengthen login security.

Getting started with passkeys for Duo Admin Panel access

Admins can add passkeys during self-activation or from their profile in the Duo Admin Panel. Owners can also add passkeys for admins through the Administrators page.

Passkeys are enabled by default for Admin Panel access. Owners can change this setting under the Admin Login Settings page in the Administrators section of the Admin Panel.

Gartner® offers the following passkey guidance:

"A 2022 update to WebAuthn to: (1) support multi-device FIDO2 credentials, enabling a user to automatically access their FIDO “passkey” on all their devices without having to separately enroll each device for every service provider (relying party); and (2) enable a user to use their phone as a FIDO2 roaming authenticator to login to an app or website on a nearby device, regardless of the OS and browser that the two devices run. Gartner projects that this update will foster wide availability of fully transportable “phone-as-a-FIDO2-authenticator” apps.” - Gartner®, Hype Cycle for Digital Identity™, 2022

How do you get started with Duo Passwordless?

It all starts with the Duo cloud-hosted console. Enable Duo Passwordless, pick your Passwordless authentication methods, and apply them to an individual or a pilot group of users. Limit it to users in specific locations or to trusted endpoints, which restricts access to verified, corporate-managed endpoints. And verify that your users' browsers are supported.

Get started with passkeys on your passwordless journey today! They’re available in Duo Essentials, Advantage, and Premier editions. Increase your security posture while increasing your user satisfaction – a win-win solution!

]]>
<![CDATA[Announcing Duo’s Vision to Streamline Authentication & Enhance User Experience]]> jduggan@duo.com (Joe Duggan) https://duo.com/blog/enhancing-user-authentication-experience https://duo.com/blog/enhancing-user-authentication-experience Product & Engineering

I love where I work, and between that and my general lack of fashion sense, I wear Duo t-shirts all the time. This means that, on a somewhat regular basis, I get unsolicited feedback from Duo users in grocery store check-out aisles, coffee shops, and on the sidewalk. Some of it is positive, but the general consensus is that people don’t love multi-factor authentication (MFA); they see it as a necessary evil at best. They will often ask some version of “How can I Duo less often?”

During the workday, on the other hand, I spend a lot of time talking to systems administrators, security operations analysts, and IT professionals who do love MFA. They’ve seen it drive down incidents and help desk tickets, reduce their risks, and make compliance programs a lot easier. They often share goals of expanding the MFA coverage in their environment and improving their policies to further prevent initial access and lateral movement.

Here at Duo, we’ve long been proponents of the idea that security and end user experience go hand in hand, and we work hard to develop the technologies that make that happen. That’s why I’m so excited to announce our vision to streamline Duo’s authentication workflows, a feature that will deliver seamless, secure login experiences.

We are building on our existing Device Health Application to extend remembered devices functionality across all of the areas where your end users see Duo in a given day: when they access their endpoint via Windows Logon, when they connect to your network via VPN, when they access resources via applications using embedded browsers, and when they access web applications across different browsers, including the Duo SSO service. Simply put: we want end users to authenticate once, when they start their day, and then forget that Duo is even there.


We’ve seen a lot of customers feeling pressure to compromise the security posture they’d like to have for the sake of the end user experience they need to have. Duo helps you deliver on both of these goals by reducing the friction associated with granular access policies, which we have seen help mitigate initial access, lateral movement, and persistence techniques in historic customer incidents.

Duo is building this capability from the ground up to integrate with the rest of the functionality that our customers find so helpful: Trusted Endpoints (now available in all Duo editions!), Passwordless Authentication, Risk-Based Authentication, and Policy & Control.

"We want end users to just authenticate once, when they start their day, and then forget that Duo is even there."

With the enhanced authentication experience, your end users can log in once with a convenient, secure passwordless authentication to their work device and then move on with their day. Compare this to climbing the hill of Windows Logon, VPN logon, and web application logon - all with username, password, and Duo prompt - just to get to work in the morning. And with the enhanced authentication experience, you still get to enforce granular policy - so if that’s the experience you want for most of your users, but you want your privileged administrative accounts to complete an authentication each time they access a sensitive resource, you can now do that! All of this is continually evaluated by Duo’s trust engine and analytics.

This capability is in active development right now, and we intend to deliver incremental feature updates through early availability programs as we work to a full release. Sign up to get updates regarding the product development. If you are a current customer and would like to participate and provide feedback on this feature, please reach out to your sales representative.

]]>
<![CDATA[Why Protecting Password Vaults With Device Trust Is Crucial]]> adonis1@cisco.com (Adonis Gutierrez) https://duo.com/blog/why-protecting-password-vaults-with-device-trust-is-crucial https://duo.com/blog/why-protecting-password-vaults-with-device-trust-is-crucial Product & Engineering

The world has changed. Cybersecurity threats have evolved, and new challenges present themselves. In Verizon’s 2022 Data Breach Investigations Report (DBIR), although the “Social Engineering” category of “External” threats declined from 2021, the “Hacking” category of “External” threats for both the “Person” and “User Device” categories doubled from the previous year.

Why is that?

Users and their devices are easy targets. In Verizon’s 2022 DBIR infographic, 82% of breaches involved a human element.

Hackers understand this. For example, hackers exploit people by targeting their passwords and application/service access in order to gain a foothold in the organization. They also understand that personal devices often have significantly weaker security controls than company-issued managed devices, as users find some security controls intrusive and annoying. Hackers use this weakness to gain incremental access into an organization by attacking the weakest link: a user and their personal devices.

What are criminals interested in?

A personal device holds a lot of value for cyber criminals. These devices typically do not have a high level of device health. They can have out-of-date software, operating systems, or browsers, which increases the attack surface and opens the door to additional attack vectors. These risks are just a stepping stone to the real prize, which is a local password repository or vault. It doesn’t matter whether these are personal or corporate password collections, because criminals are well aware of password reuse in the workplace, as well as the often predictable password generation techniques many organizations use.

How can organizations counter this threat?

There are several steps organizations can take to stop hackers from gaining access to their vaults and the valuable data they’re storing. One recommendation is to configure policies that go beyond just multifactor authentication, by identifying which devices are trusted in a non-intrusive manner.

Device trust policies provide another layer of security by blocking application access to anyone on personal devices and thus isolating access to only a trusted corporate issued device which is running much stricter security policies.

Duo’s Trusted Endpoints feature, available in every paid Duo edition, lets you deploy device trust policies that detect whether a device is a trusted corporate-issued device and allow access to critical applications only from such a device.

Have any follow-up questions? Duo Care can help.

For interested customers who would like to continue the conversation with a trusted advisor, please contact your respective Duo Care team or designated sales representative about what Duo Care can offer you.

]]>
<![CDATA[Duo Single Sign-On Bridge Attributes]]> lgreer@duo.com (Landon Greer) https://duo.com/blog/duo-single-sign-on-bridge-attributes https://duo.com/blog/duo-single-sign-on-bridge-attributes Product & Engineering

Duo Single Sign-On (SSO) is a cloud-based service that provides secure access to your applications, without requiring multiple usernames and passwords. It’s a powerful tool for organizations that want to streamline their authentication process and improve security. But did you know that Duo SSO also comes with a feature called Bridge Attributes?

Bridge Attributes allows you to pass in an attribute from multiple Authentication Sources and “bridges” them to a single Duo SSO attribute name that can be easily referenced when mapping attributes to an application. When working with multiple domains, such as after an acquisition or with an internal test domain, Bridge Attributes ensures that you are sending the correct First Name attribute whether it is stored as [first.name], [NameFirst], or [GivenName] in your different directories. Today we’ll expand on this new feature and how it can enhance your Duo SSO experience.

How to use Bridge Attributes

Suppose your organization has different security clearance levels for employees, such as confidential, secret, and top secret. You may want to provide access to a classified application that requires users to have the appropriate security clearance level. Say that your organization has a kicker, though: The organization hosts multiple domains. Each domain may store the security clearance as a different attribute, with the value pointing back to the security clearance level. Using Duo SSO with Bridge Attributes, you would map these security clearance attributes from each domain to a shared attribute that the application can understand. This way, users with different security clearance levels in differing domains can be granted access to the application based on their security clearance no matter the domain they are coming from.

For example, you could map the security clearance level attribute for employees with confidential clearance to the database's "Confidential Access" attribute while mapping the security clearance level attribute for employees with secret clearance to the database's "Secret Access" attribute, and so on. By doing so, users with the appropriate security clearance level can access the database without manually assigning access rights for each user. This helps improve security by ensuring that only authorized users with the appropriate security clearance level can access the classified database as well as lowering the burden for domain administration.

If you use Duo SSO, you can utilize Bridge Attributes today! Here at Duo, we provide detailed documentation on how to set up Bridge Attributes, including how to create mappings between Duo attributes and attributes in your applications.

Duo Single Sign-On is a powerful tool for organizations that want to simplify their authentication process and improve security. With Bridge Attributes, you can map the user attributes that are passed from Duo SSO to your applications, giving you more control over access and improving security. By using Bridge Attributes you can customize your authentication system to meet your organization’s specific needs.

]]>
<![CDATA[3 Steps to Prevent a Case of Compromised Credentials]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/steps-to-prevent-compromised-credentials https://duo.com/blog/steps-to-prevent-compromised-credentials Industry News

Oh no! Your passwords are on the internet.

Talks of passkeys, passphrases, and even passwordless all point in one direction: eroding faith in the previously trusty password tucked under your keyboard. Passwords are a weak point in modern-day secure authentication practices, with Verizon highlighting that almost 50% of breaches start with compromised credentials.

In our previous two features, we covered the dangers of phishing (one method of credential compromise) and how to mitigate its impact on users. Today, we cover best practices for an environment that has been compromised.

Compromised or stolen credentials (method unknown) are the second most common type of cybersecurity incident, accounting for 27% of reported breaches, according to the Office of the Australian Information Commissioner (OAIC). However, a whopping 59% of cyber incidents involved malicious actors exploiting compromised or stolen credentials, including through phishing and brute-force attacks. If not properly prevented, or even detected, losing the “keys to your kingdom” can unlock even more doors for attackers.

What to do when your credentials are compromised

How are credentials compromised in the first place? The answer, like most other cybersecurity-adjacent answers, lies in a combination of factors including social engineering, weak passwords, and other risky security moves or attacks.

Whether it was an accidental phishing link click, news that your password manager was breached, or a depressingly robotic text from your telecom company, compromised credentials and data leaks can quickly become a vector for larger attacks.

1. Immediately let the IT or security team know of a potential credential compromise

According to the OAIC, a key objective of the Notifiable Data Breaches (NDB) scheme is to protect individuals by enabling them to respond quickly to a data breach to mitigate the risk of harm. Delays in identifying, assessing, and notifying breaches make it more challenging to prevent harm.

Luckily, the average time taken between an incident occurring and being reported has decreased, with 77% of compromises identified within 30 days. But the 33% of compromises not detected immediately can take more than 200 days to discover. That gives attackers roughly 6 months to establish a foothold on a network, access sensitive data, and disrupt business activities.

Immediate notification can also help trace other potential compromises. Aside from the possibility that attackers may not immediately turn around and use the data or credentials, the Privacy Act requires Australian entities to notify individuals about an eligible data breach, including certain information about the incident, as soon as practicable.

From the OAIC Notifiable Data Breaches Report

2. Change your passwords and upgrade to stronger authentication methods

Passwords have long been the primary method of authentication for online accounts, but as cyber-attacks become more prevalent, it's clear that they alone are not enough to protect against modern threats.

User-generated passwords can be deceptively weak, with less caution given to password management as remote and hybrid work become more common. But no matter the frequency employees are pressed to reset, add some numbers, and inevitably forget their new password, the shift to ditching them completely is not yet a path fully paved. Oftentimes, the journey to passwordless starts with providing this functionality to a few key functions within the organisation - IT Admins, for example - or nominating a few critical apps that will have passwordless access. Until a fully password-free environment is deployed, accepted, and adopted by all users, less secure methods of authentication will still be relied on.

These habits highlight the need for more modern password technology and stronger authentication methods.

Types of stronger authenticators

Biometrics and FIDO2 are both examples of stronger authenticators that can help to secure online accounts from the impacts of credential compromise. While passwords can be easily guessed or stolen, biometrics provide a more secure method of authentication. In fact, the 2022 Trusted Access Report measuring 49 million devices reported that 81% of phones have biometrics enabled, presenting the potential for a stronger security posture for Australians.

Will we ever get rid of passwords completely? Likely not immediately. Cisco CISO Wolfgang Goerlich highlights the case for why passwords are kept around in The Life and Death of Passwords:

“In an ideal world, we say goodbye to passwords altogether. They don’t work. We’ve got six decades of proof of that. But along that way in six decades, we’ve built up a lot of systems, a lot of systems that have passwords, a lot of infrastructure. When organizations go through modernization, they don’t replace everything. There are use cases that will still need passwords into the near future — such as shared accounts, system accounts, service accounts — and so for a variety of reasons, a password is going to persist.” - Wolfgang Goerlich

Of course, the answer to stronger authenticators doesn’t have to be so black and white. While passwordless rises as a strong but novel secure access option, one cybersecurity measure has already become an enforced default.

3. Enable multi-factor authentication

As best described by Global Advisory CISO Dave Lewis, “We have now arrived at a turning point with respect to cybersecurity. It has become clear that MFA is basic ‘you must be this tall to ride the rollercoaster’ for any [organisation].”

Duo reported 13 billion authentications worldwide in 2022, an increase of 41% from the year past. In Australia, authentications increased by 14.1%. Whether by pre-emptive risk-reduction or compliance-driven action (case-in-point: the latest Essential 8 guidelines and rising cyber liability insurance costs), multi-factor authentication (MFA) is quickly becoming a standard tool in our security toolkit.

What some people miss, however, is that corporate-mandated authenticators can and should also be enabled for personal accounts. For example, the Duo Mobile app can easily be set up as an additional layer of security for your social media, email, password managers, investment apps, and even third-party video game accounts. Because the app acts as a secure container for authentication codes, no credentials are shared with either Duo or your company.

Picking on someone…credential compromise in Australia

It goes without saying that a lack of MFA puts your company or personal accounts at risk.

In 2022, a large-scale data breach was reported at a major Australian health insurer resulting in the compromise of sensitive personal information belonging to millions of customers. The breach allegedly gained initial access through high-authority credentials that were compromised and then sold on the dark web and hadn’t been stopped by an additional MFA check. It is believed the attacker took their time after gaining access, performing reconnaissance.

As a result, about 3.9 million records including details such as names, addresses, dates of birth, and other sensitive information were exposed. In addition to the hefty $25 to $35 million cost to the affected health insurer, the breach now puts individuals at risk of identity theft and other fraudulent activities. Though not infallible, having effective MFA in place can be both a preventative pre-breach measure and a protective post-breach security layer.

Two-factor authentication is a foundation, not a silver bullet

The risk of credential compromise is no longer an if but a when.

MFA, once a step-up method of security around mission-critical assets, has now become a baseline for secure access into and within an organisation. However, that's not to say that a second factor, say an SMS passcode, suddenly becomes an impenetrable line of defence.

Despite the benefits, some employees may still resist MFA, believing it places an unnecessary or annoying barrier between them and the information they’re trying to get. Adding to our phishing list, push-phishing is a rising method of attack that takes advantage of a user’s MFA fatigue intending to circumvent the additional identity-confirming methods in place. Users are tired of alerts, and their push fatigue can create security vulnerabilities.

While FIDO2 offers the gold standard for authentication, not everyone can implement this today. Shipping security keys to all users can be expensive and an organisation’s users may not have access to devices with biometrics.

Therefore, Duo has taken steps to put businesses in the best possible position to prevent these common attacks by meeting them where they are, today.

Options for stronger MFA

Authentication methods have a gradient of security—methods like biometrics and number matching verified push outranking simple push notifications or SMS.

Verified Duo Push requires users to enter a code in the Duo mobile application to better protect against push phishing attacks enabled by compromised credentials. With a standard push-based MFA solution, a persistent bad actor could still gain access to the company network. However, with Verified Duo Push that same attack is immediately stopped because the bad actor is unable to complete the transaction - they cannot enter the unique code in the Duo mobile app, and the employee is encouraged to alert their IT team with a fraud report.

Risk-Based Authentication

Any new end-user security deployment plans must also consider: how many hours do I want to spend on set-up, complaints, and help desk tickets?

Higher-friction authentication methods are impactful when used intelligently; after all, the goal is to frustrate push-fatigue attackers, not punish an employee for working out of a coffee shop. Risk-Based Authentication (RBA) focuses on this philosophy.

To address how attackers have evolved, Duo RBA assesses user and device telemetry to make decisions about which logins are most suspicious and present a credible risk to an organisation even after the initial login.

  • Known attack patterns such as push spray, unrealistic travel, and MFA fatigue flag only the highest-risk authentications without causing undue friction for users

  • Patent-pending Wi-Fi Fingerprint protects user privacy while also reducing friction and saving time, using anonymised Wi-Fi network information instead of less reliable IP addresses

  • Use machine learning to surface risky authentications and device registrations that need security teams’ attention

  • Step up authentication requirements for users when they are enrolling new devices

Only for higher-risk logins are users prompted to step up and prove their identity. On average, a step-up to a more secure factor is required about twice in every 1,000 authentication attempts.
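To make the step-up logic concrete, here is an added example (not Duo’s code) that scores constructed authentication log events for two of the patterns named above, push spray / MFA fatigue and unrealistic travel, and requires a step-up only for the flagged logins. The event fields, thresholds and locations are assumptions chosen for illustration.

```python
"""Toy risk-based step-up over constructed auth events (illustrative, not Duo's engine)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional


@dataclass
class AuthEvent:
    ts: datetime
    user: str
    factor: str   # "push", "verified_push", "webauthn" (assumed labels)
    result: str   # "success", "denied", "timeout" (assumed labels)
    lat: float
    lon: float


# Assumed policy thresholds; a real deployment would tune these.
PUSH_SPRAY_WINDOW = timedelta(minutes=10)
PUSH_SPRAY_THRESHOLD = 3     # denied/unanswered pushes in the window before flagging
MAX_TRAVEL_KMH = 900.0       # faster than an airliner between logins => unrealistic
MIN_TRAVEL_KM = 50.0         # ignore small distances (IP geolocation jitter)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dp, dl = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dp / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def is_push_spray(ev: AuthEvent, prior: List[AuthEvent]) -> bool:
    """A push approval preceded by a burst of denied/unanswered pushes looks like fatigue."""
    if ev.factor != "push":
        return False
    recent_failures = [
        p for p in prior
        if p.factor == "push"
        and p.result in ("denied", "timeout")
        and ev.ts - p.ts <= PUSH_SPRAY_WINDOW
    ]
    return len(recent_failures) >= PUSH_SPRAY_THRESHOLD


def is_unrealistic_travel(ev: AuthEvent, prior: List[AuthEvent]) -> bool:
    """Compare against the user's last successful login; flag impossible speeds."""
    last: Optional[AuthEvent] = next(
        (p for p in reversed(prior) if p.result == "success"), None)
    if last is None:
        return False
    dist_km = haversine_km(last.lat, last.lon, ev.lat, ev.lon)
    if dist_km < MIN_TRAVEL_KM:
        return False
    hours = (ev.ts - last.ts).total_seconds() / 3600.0
    return hours <= 0 or dist_km / hours > MAX_TRAVEL_KMH


def decide(ev: AuthEvent, flags: List[str]) -> str:
    """Flagged logins must step up to a stronger factor; others follow the plain result."""
    if flags:
        return "step_up"
    return "allow" if ev.result == "success" else "deny"


def assess(events: List[AuthEvent]) -> List[dict]:
    """Return one verdict per event (in time order) with the flags that fired."""
    history: Dict[str, List[AuthEvent]] = {}
    verdicts = []
    for ev in sorted(events, key=lambda e: e.ts):
        prior = history.setdefault(ev.user, [])
        flags = []
        if is_push_spray(ev, prior):
            flags.append("push_spray")
        if is_unrealistic_travel(ev, prior):
            flags.append("unrealistic_travel")
        verdicts.append({"user": ev.user, "ts": ev.ts.isoformat(),
                         "flags": flags, "decision": decide(ev, flags)})
        prior.append(ev)
    return verdicts


# Constructed sample log: alice "travels" Sydney -> London in one hour,
# bob approves a push after three unanswered/denied ones, carol is normal.
SAMPLE_EVENTS = [
    AuthEvent(datetime(2023, 5, 1, 9, 0), "alice", "push", "success", -33.87, 151.21),
    AuthEvent(datetime(2023, 5, 1, 10, 0), "alice", "push", "success", 51.51, -0.13),
    AuthEvent(datetime(2023, 5, 1, 9, 0), "bob", "push", "timeout", -37.81, 144.96),
    AuthEvent(datetime(2023, 5, 1, 9, 2), "bob", "push", "timeout", -37.81, 144.96),
    AuthEvent(datetime(2023, 5, 1, 9, 4), "bob", "push", "denied", -37.81, 144.96),
    AuthEvent(datetime(2023, 5, 1, 9, 5), "bob", "push", "success", -37.81, 144.96),
    AuthEvent(datetime(2023, 5, 1, 8, 0), "carol", "push", "success", -37.81, 144.96),
]

if __name__ == "__main__":
    for v in assess(SAMPLE_EVENTS):
        print(v)
```

Only two of the seven events end in `step_up`; the rest keep the low-friction path, which is the trade-off the section describes.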

Duo also makes investigating and reporting potential breaches straightforward and easy to access.

  • Duo’s API solution allows increased visibility into enrolment actions, fraud and threats, such as registering a new phone or hardware token or creating a WebAuthn credential

  • The Duo Admin Panel enables IT admins to generate reports from by-the-minute log data on device health, the impact of granular access policies, and authentication patterns

  • Duo Trust Monitor evaluates data from real-world attacks to highlight potential risks by parsing through security events and surfacing those that appear fraudulent

Risk-Based Authentication plays a key part in continuously evaluating and adapting to a user’s behaviour as they go about their workday. This builds towards continuous trusted access—a security practice of assessing and responding to risk at different points in the user journey, from enrolment and beyond, and even within a user’s day.

MFA plays a preventative role in keeping unauthorised users and devices out of the network, but continuous visibility and analytics into authentication and network behaviours fosters proactive detection of potential breaches. Finally, the ability to generate logs and records assists in decreasing incident response times.

What’s next?

The persistent practice of keeping passwords around poses not just a technical hurdle, but also a very human and habitual one, on the journey to adopting passwordless and protecting against cyber-attacks. However, with the adoption of stronger authentication methods, such as biometrics and passkeys, and the implementation of smarter secure access solutions, Australians can improve their cybersecurity posture and protect themselves from the increasing threat of cyber-attacks.

Phishing and compromised credentials reveal the importance of strengthening the “keys to the kingdom” and equipping users with security best practices. But once the keys are compromised, what are attackers ultimately looking to achieve? In the final instalment of this series, we cover one of the most dangerous and rapidly scaling financial motivators for cyber attackers: ransomware.


]]>
<![CDATA[Customer Success: The Critical Role it Plays in the Customer Lifecycle Approach]]> jhopler@cisco.com (Joe Hopler) https://duo.com/blog/customer-success-the-critical-role-it-plays-in-customer-lifecycle-aproach https://duo.com/blog/customer-success-the-critical-role-it-plays-in-customer-lifecycle-aproach Industry News

As the 2023 Major League Baseball (MLB) season commences, it is remarkably interesting to learn that according to Sportico.com and Forbes.com, collectively, MLB franchises are worth more than a whopping $70 billion. The Yankees alone are worth north of $7.13 billion, but when you consider the reigning American League home run champ resides in the Bronx, that number starts to become plausible.

You may be wondering what the value of MLB has to do with cybersecurity. Well, as large as the collective value of MLB is, it pales in comparison to $600 billion, which according to Gartner represents projected global end-user spend on cloud computing, including Software as a Service (SaaS) business models, for 2023.

While MLB and Cybersecurity are not as synonymous as peanuts and crackerjacks, both share some obvious parallels contributing to impressive financial forecasts.

Common characteristics

  • Consumption

  • Flexibility

  • Experience

  • Collaborative approach in customer success delivery

When we think of common characteristics in relation to Major League Baseball, items such as ballpark admission, tickets, premium seating, merchandise, and concessions, as well as Regional Sports Network (RSN) television rights all contribute to how the fans interact, experience, and consume those features and services. And whether it is the parking attendant, the stadium usher, the beer sales concession distributor, or the network analyst calling the game, the objective is driving a successful, seamless, collaborative experience rooted in customer experience.

Those same common characteristics mirror core concepts when it comes to cloud computing, Software-as-a-Service (SaaS) consumption models, especially when considering cybersecurity and those solutions and services that Cisco and Duo provide. Core concepts include:

  • Focus on providing and enabling an improved experience

  • Implementing subscription pay-as-you-go business models

    • Providing a flexible variety of subscription/pricing options

  • Leveraging technology to deliver and scale innovation

  • Deploying new feature adoption quickly

  • Increasing customer intimacy

But this doesn’t happen in a vacuum. Coordination of roles and responsibilities becomes even more important when executing Cisco’s customer lifecycle approach. Just as Billy Eppler, Brian Cashman, Buck Showalter, and Aaron Boone have specific functions respective to their team, the same is illustrated in Cisco’s lifecycle approach.

In today’s SaaS based subscription engagement model, there is a shift from a linear or finite sales approach to a focus on the customer relationship as infinite and ongoing. The longer and deeper provider teams work with their customers, the greater the value to the organization and customer directly. Value realization is an ongoing process rather than an event and it takes two different sets of objectives and mindsets to succeed.

SaaS-Based Lifecycle Approach

Sales and Marketing will continue to own the activities on the left, but Customer Success now steps in to lead the activities on the right. The primary focus of Customer Success is the experience segment of the customer’s journey. Executing on the experience momentum naturally accelerates and strengthens the relationship with the customer.

Through this view, Customer Success and relationship management are not seen as a linear progression, but rather as a figure-eight motion focused on generating an experience that does not begin or end: a continuous motion together.

Customers who subscribe to Duo Care have access to a Customer Success Manager (CSM) and Customer Solutions Engineer (CSE) who help drive key principles in providing exceptional experiences, contributing to a successful customer lifecycle engagement. This lifecycle approach improves the value of a Duo subscription for customers, since they can rest easy knowing that they have a partner who’s consistently working closely alongside them to ensure the solution helps them achieve their long-term cybersecurity goals.

Critical to the role, Customer Success helps customers to achieve and recognize the value of their cybersecurity investment. CSMs and CSEs will always anchor efforts to the outcomes that their customers strive to achieve. These objectives may include:

  • Improving quality of service

  • Lowering costs

  • Managing risks

To do this, Customer Success will prioritize:

  • Driving adoption and usage

  • Solving problems

  • Recommending resources, solutions, and training (including Level Up)

  • Making connections

  • Listening to feedback and being the customer’s champion

The Duo Care team works with their customers every day, ensuring they’re achieving the expected value from their Duo technology investment.

When preparing for engagement, building trust, and maintaining credibility as an expert and trusted advocate are crucial in the development of the customer relationship and lifecycle approach. Customers are looking for improved experiences aligned to successful business outcomes. To help deliver these experiences, Customer Success has extensive expertise with the following to drive customer business objectives and outcomes through:

Success Plans

Identifying, documenting, and sharing deep-dive discoveries helps us understand customer goals and desired outcomes. This allows us to align outcomes through data sharing and close, ongoing customer collaboration.

Key Performance Indicators (KPIs)

These quantifiable measurements allow us to track, evaluate, and gauge performance with customers over a given period. KPIs should define each of the following: Measurement, goal, source, frequency (which can include leading and lagging indicators), and RACI matrix.

Addressing Barriers

To deliver value to customers, successful organizations use some combination of the following three key ingredients: People, processes and technology. Always plan how your solutions impact customer strategy and desired business management outcomes.

Change Management

We help communicate a logical case, optimize conditions for change, and create stakeholder buy-in.

Quarterly Success Reviews

We provide updates on project status, success plan status, KPIs, business initiatives, critical action items, barriers, and additional areas for value.

Exploring Expansion Opportunities

We drive expansion and renewal opportunities and leverage data analysis to resolve risks.

Working together to achieve customer success

Measuring success is critical to the customer lifecycle approach. This process supports current customer engagement activities and interaction and validates success and progress towards established customer business goals and objectives.

Three key points in measuring success include:

  • Collecting and tracking customer data

  • Taking action to improve customer experience and business growth

  • Aiding CSMs to focus on most critical activities

The Duo Care team is here to make sure that customers get the most from their Duo subscription, helping them meet alignment milestones and long-term goals. Achieving desired outcomes is highly dependent on coordination and execution of a collaborative life cycle team approach, and this concept does not change when pursuing continued customer business or a 28th or 3rd World Series Title.

Good luck!

]]>
<![CDATA[Universal Prompt Is the Interface to Guard Against Increasingly Sophisticated Application Threat Vectors]]> matbroo2@cisco.com (Matthew Brooks) https://duo.com/blog/citrix-duo-universal-prompt-guards-against-sophisticated-app-threats https://duo.com/blog/citrix-duo-universal-prompt-guards-against-sophisticated-app-threats Product & Engineering

Last year, Duo announced the General Availability of the new Duo Universal Prompt. Next year the legacy Duo Traditional Prompt will no longer be supported. The migration path from the legacy prompt to the Universal Prompt varies by application, but most migrations take only a handful of steps. Until then, your company is missing out on many new security features, an improved user experience, and various other capabilities available only with Universal Prompt.

What is Duo Universal Prompt?

The Universal Prompt is Duo's next-generation authentication interface that delivers a better experience for every user. Upgrading to Universal Prompt helps organizations:

  • Modernize Authentication – Go from legacy authentication protocols, like RADIUS and LDAP, to modern ones, like SAML and WebAuthn, and get started on a journey towards a passwordless future.

  • Strengthen Security – MFA attacks like phish bombing, unauthorized device enrollment, and adversary in the middle can wreak havoc on your network; Universal Prompt guards against these with Verified Duo Push and Risk-Based Authentication.

  • Simplify Secure Access – Modernizing security can be disruptive for users, but Universal Prompt makes it painless with a smooth authentication experience, intuitive web-based design, and several self-service options.

Since its release early last year, we’ve been adding support for a broad set of applications. Last month we added support for Citrix NetScaler Single Sign-On (SSO), and this month we’ve added support for Microsoft Outlook Web Access (OWA) to the long list of Universal Prompt-ready applications.

Universal Prompt for Outlook Web Access (OWA)

When users need to check their inbox for new email and don’t have access to a device with the Outlook Client, they turn to a browser and the Outlook Web Access (OWA) portal to their Exchange email server. OWA has long been a popular interface for users in Microsoft environments, yet it still requires strong authentication to verify user trust, especially for companies that make it available externally.

Cisco Duo has provided strong multi-factor authentication (MFA) for many customers using OWA for many years. Now, those environments can move to the Duo Universal Prompt and enjoy many security and experience benefits.

Duo protects OWA by performing a redirect to the Duo Universal Prompt URL, passing context for authentication and the current OWA URL to return to when authentication completes. Once the user is authenticated by Duo, the browser redirects to the passed OWA URL to complete the authentication and store a Duo session cookie.
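The redirect flow described above, modelled as an added example (constructed for this post, not Duo's or Microsoft's code): OWA sends the browser to the prompt URL with signed context that includes the OWA return URL; on the way back the state is verified, the return URL is checked to still point at the OWA host, and the session cookie is issued. The prompt URL, OWA host and signing key are assumed placeholder values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values (constructed for this example): the prompt URL the browser is
# sent to, and the OWA host whose URLs are acceptable return targets.
PROMPT_URL = "https://prompt.example.invalid/auth"
OWA_HOST = "mail.example.com"
STATE_KEY = secrets.token_bytes(32)   # per-deployment secret (constructed)
SESSION_TTL = 8 * 3600                # lifetime of the issued session cookie


def _sign(data: str) -> str:
    return hmac.new(STATE_KEY, data.encode(), hashlib.sha256).hexdigest()


def is_safe_return_url(url: str) -> bool:
    """Accept only HTTPS URLs on the protected OWA host, so the post-auth
    redirect cannot be pointed at a foreign site."""
    p = urlparse(url)
    return p.scheme == "https" and p.netloc.lower() == OWA_HOST


def build_prompt_redirect(username: str, return_url: str,
                          now: Optional[int] = None) -> str:
    """Step 1: OWA redirects to the prompt, carrying the user, the OWA URL to
    return to, and a timestamp/nonce, all bound together by an HMAC."""
    if not is_safe_return_url(return_url):
        raise ValueError("return URL must stay on the OWA host")
    issued = int(time.time()) if now is None else now
    payload = {"user": username, "return_url": return_url,
               "issued": issued, "nonce": secrets.token_urlsafe(16)}
    packed = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    state = packed + "." + _sign(packed)
    return PROMPT_URL + "?" + urlencode({"state": state})


def state_from_redirect(url: str) -> str:
    """Pull the state parameter back out of a prompt redirect URL."""
    return parse_qs(urlparse(url).query)["state"][0]


def handle_return(state: str, now: Optional[int] = None,
                  max_age: int = 300) -> dict:
    """Step 2: after the prompt completes MFA, the browser comes back to OWA
    with the same state. Verify it, then finish login with a session cookie."""
    try:
        packed, sig = state.split(".", 1)
    except ValueError:
        raise ValueError("malformed state") from None
    if not hmac.compare_digest(_sign(packed), sig):
        raise ValueError("state signature mismatch")
    payload = json.loads(base64.urlsafe_b64decode(packed))
    current = int(time.time()) if now is None else now
    age = current - int(payload["issued"])
    if age < 0 or age > max_age:
        raise ValueError("state expired")
    if not is_safe_return_url(payload["return_url"]):
        raise ValueError("unsafe return URL")
    session_id = secrets.token_urlsafe(32)
    cookie = (f"duo_session={session_id}; Path=/; Secure; HttpOnly; "
              f"SameSite=Lax; Max-Age={SESSION_TTL}")
    return {"user": payload["user"],
            "redirect_to": payload["return_url"],
            "set_cookie": cookie}
```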

The Duo OWA Integration is compatible with Exchange Server 2013, 2016, and 2019 running on Windows Server 2012 or newer. Update Duo for OWA in just three steps, shown on Update Duo for OWA. Then Cisco Duo can continue to provide MFA for OWA as outlined below, from the Duo documentation page.

For more information see the Duo for OWA FAQ and Duo documentation for OWA.

Universal Prompt for Citrix NetScaler SSO

Citrix NetScaler is a popular application delivery controller for Citrix Workspace environments. Cisco Duo has provided MFA for those environments for several years and recently has added support for NetScaler SSO.

Duo SSO is our cloud-hosted SSO product, which layers Duo's strong authentication and flexible policy engine on top of Citrix NetScaler logins. Duo Single Sign-On acts as an identity provider (IdP), authenticating your users using existing on-premises Active Directory (AD) or another SSO IdP. Duo SSO prompts users for two-factor authentication and performs endpoint assessment and verification before permitting access to Citrix NetScaler.

Duo Single Sign-On is available in Duo Premier, Duo Advantage, and Duo Essentials plans, which also include the ability to define policies that enforce unique controls for each individual SSO application. For example, you can require that Salesforce users complete two-factor authentication at every login, but only once every seven days when accessing Citrix NetScaler. Duo checks the user, device, and network against an application's policy before allowing access to the application.

Before configuring Citrix NetScaler with Duo SSO using Security Assertion Markup Language (SAML) 2.0 authentication, you'll first need to enable Duo Single Sign-On for your Duo account and configure a working authentication source. Once you have your SSO authentication source working, continue to the next step of creating the Citrix NetScaler application in Duo.

We've already updated the Duo Citrix NetScaler application hosted in Duo's service to support Universal Prompt, so there's no action required on your part to update the application itself. You can activate the Universal Prompt experience for users of new and existing Duo Citrix NetScaler applications from the Duo Admin Panel.

For more information see Duo documentation for NetScaler.

Universal Prompt-ready applications

Here’s a list of some of the many applications that are currently ready for admins to enable Universal Prompt as part of users’ authentication experience. Click the links for applications used in your environment to learn more:

Get to know the Duo Universal Prompt

Migrate to Duo Universal Prompt as soon as possible. It’s supported by a broad set of applications, it provides a better user experience, you can implement stronger authenticators, and Duo Traditional Prompt will no longer be supported early next year.

For more information on Duo Universal Prompt, see how it may be used in the Duo Guide to Two-Factor Authentication. For specifics on its implementation, see the Duo Universal Prompt Update Guide. For templates to help roll it out to your users, see the Duo Universal Prompt Project End-User Education Communication Templates. For end-user guidance on using Universal Prompt, see the Duo End User Guide on the Universal Prompt.

]]>
<![CDATA[The Life and Death of Passwords: How Passwordless Is Evolving]]> ccherrie@duo.com (Chrysta Cherrie) https://duo.com/blog/how-passwordless-is-evolving https://duo.com/blog/how-passwordless-is-evolving Industry News

Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With this interview series, we take a deeper dive into their insights and share bonus footage.


Today: Ted Kietzman, a former product marketing manager for Cisco Duo, ponders passwords as a lost cause, the value of feedback for usability, and how passwordless technology is evolving.

Problems with password-based security

Chrysta: What are some of the functional problems with passwords from the user’s perspective?

Ted: Passwords have a bunch of problems from a user perspective. They’re really annoying to remember. You have to keep them in your brain, which ends up being a pain. And over time, it’s been a requirement that they have to get more and more complex, or you have to rotate them more often. All those things make it harder for me. And then I also just don’t like to type them. It’s annoying for my fingers.

Why is a shift to passwordless necessary? Couldn’t we just fix passwords instead?

Passwords are kind of a lost cause in a way in terms of trying to fix them. They had a use for a long time, which is that your brain is portable and you can bring it to different places. But they’re so replayable, and they’re very easy to attack on a grand scale. That defect is always going to be true.

And passwordless takes [away] that massive attack or being able to do it remotely at a grand scale away because it’s individual, it’s linked to devices, it’s linked to your personal being and those things make it much more secure. So why try to fix something that’s inherently flawed by this ability to attack it at scale when you can move to something that’s much more secure and also easier to use?

Usability is something that is getting talked about more. But for a long time, it wasn’t a central focus in the conversation around what’s important for security to design. What makes functionality or usability – intuitive design – so important for functional security?

I think there was this onerous iron-fist attitude about security for a long time where somebody would say, “Hey, you have to do this.” If somebody has to do something and it’s annoying, smart people in particular tend to say, “I’m going to get around that. I’m going to do something else. I’m going to figure out a sneaky way to make this easier for me in my day to day. I’ll log in from somewhere else, I’ll do something where I don’t have to go through this gate.”

And so if you can make the secure way to do something also the easy way to do something, it’s this two birds with one stone where you both increase the adoption of security and the value of those securities and make people actually want to do it.

Can you give a couple of examples of what that manifests in terms of passwords? So, the iterative passwords, the minimum viable, then adding “1, 2, 3”?

I think the one that we all know is there’s a security control that says reset your password a lot. Or rotate your password, because we want you to have a new one and if an attacker got your last one in some breach somewhere else, maybe they’ll try to use it here. And so you should change your password here.

Everyone goes, “Well I’m going to use my same address and I’m going to add on a new digit to the end. I’m going to use my mother’s maiden name and I’m going to add on a different date at the end.” And so it doesn’t really change the security value of that password because it’s pretty easy to guess that next, but it’s easy for us to remember. This requirement, the security control that’s adding friction, ends up actually decreasing the security because it doesn’t add any security value and you’re adding friction for the end user.

Making passwordless work

Chrysta: What are the behind-the-scenes improvements or technological developments that the average person may not know about that have taken passwordless from aspirational to a more achievable solution?

See the video at the blog post.

Ted: What it’s doing is it’s replacing that “something you know” factor with something you are and something you have. Or, in the authentication 101, something you know, something you have, something you are. And to do that, to bind your authentication and your identity to something you have. So that’s one thing: The rise of the FIDO2 protocol, binding your authentication identity to a device via cryptographic keys in the background.

The second part is the improvement of biometrics, which we now know on our phones, whichever type of phone you’re using. And on many laptops, you have touch IDs, face IDs, biometrics that are usable for a long time. They’re not perfect yet, but we’re betting the reason that we think passwordless will be more and more viable is they’re only going to get better. Moore’s law: Only get better over time. Whereas 10 years ago they were practically unusable, now they’re pretty usable and in 10 years from now, we see them as being highly efficacious and something that you can use super easily.

Talk us through a typical passwordless login flow. How does it differ from a traditional password use, and what makes it easier for the user?

Passwordless login flow is exceedingly easy [...] and the reason is that it’s just: You touch a TouchID, you do FaceID, and you’re logged in. And people go, “That sort of seems like magic.”

What’s cool about passwordless is the login flow feels like one step, but what’s really going on is that the biometric is unlocking the key on the device. So the device is one of the factors and the biometric is the second. The other big part of it is you’re not typing that much. You’re not typing a password and you don’t have to remember a password. You’re maybe looking down at your phone or placing your finger on something.

So to make that all short, you go to a site, you touch something on your phone or device, and you’re through. Very secure.

What are some of the most common myths or misconceptions that you run into about passwordless technology and what do they get wrong?

One would be that it just removes the password and doesn’t add anything else to it. But passwordless is much more than just removing a password from the flow. It’s actually adding in that cryptographic key and the secondary factor of the biometric or PIN.

Another myth is around the security or privacy with biometrics. Basically, what I tell people is the authentication provider never needs to see your biometric. We don’t store any of them. And the reason for that is it’s performed locally at the device you’re using as an authenticator.

Let’s shift gears a little bit and talk about engineering and usability. Why is it so important to gather user feedback throughout the development and refinement of security changes like a shift to passwordless?

User feedback is really important generally. I think in the case of authentication, it’s even more important because an authentication technology is in the hands of a lot of people. We work in security.

So you have to do two things on the user feedback: Address anything that might be causing them friction or drag their feet, and stay with the old thing that they know really well. And then also show them what the benefit is and make it easy for them to take that step into something that’s new.

What are some examples of surprising feedback that you received from user research, whether that is users finding a process easier or harder than you expected or running into a roadblock that you hadn’t anticipated?

People are sometimes unfamiliar with their biometrics still. It’s also just the truth of the matter that some people don’t even think about MFA as a thing yet. So if you think about the user population and the feedback that we get, we’re trying to build for the most people that we can, we want the solution to be accessible and understandable, but some people are still just using a username and password and they think that’s fine and they don’t understand... So you’re educating them on the security of adding a second factor generally.

The future of passwordless

Chrysta: Where do you see passwordless evolution going from here? What do you see the average user’s experiences looking like five to ten years from now?

Ted: Right now, passwordless is bound by biometrics in one way. They’re improving drastically, that is true, but not every device has them and not every device has them in a way that’s really easy to use. And so, as biometrics increase their prevalence on devices that are used for work, devices that are used your home life, that’s going to make passwordless adoption easier in the next two to five years.

Passwordless is really good at authenticating to web applications and really good if you have a mobile device or a device that has a biometric on it that’s pretty effective. But that footprint will need to expand for a passwordless to really take off.

A last piece would be the idea of what happens when you lose your device? So what happens to your passwordless credential that’s bound to your device, because this is how this works, if you lose it? The case of enrolling or registering or re-registering is still a friction point for passwordless. And as a solution to that improves, we’ll also see more passwordless adoption, I think.

Looking at these inflection points and how passwordless is evolving and becoming more common, obviously the prevalence of biometrics is a really big step. The availability of these standards like WebAuthn is a really big step. Do you see any particular use cases that will be another one of those pivotal steps?

See the video at the blog post.

FIDO2 just came out with an announcement that I think is really big for passwordless, which is multi-device credentials and cross-platform credentials. Right now you can use the touch ID on your Mac to log into a bunch of web applications on your Mac. What they’re saying - and that’s limited to one case - you have to be on this Mac and then you’ve created a credential here you can log into a bunch of web applications that wouldn’t normally take passwordless.

Where the technology is going is you can use a credential that’s been created on your mobile device, on your phone - maybe it’s Apple or Android - and you can use that whether it’s a Mac device, a Chromebook, a Windows device. And that makes it really easy because you’re carrying around basically a wallet of credentials that you can use at any device that you walk up to. The portability of a passwordless credential, I think, is going to be a big step in adoption.

Another piece is this, where does the passwordless authentication happen? To get that passwordless login at the point of the OS or operating system, and then transfer that trust through to the web applications therein, you get this really seamless experience of: Log in once to my computer and everything behind that, I’ve transferred the trust from one really secure passwordless login to all of those things. So I think that will also be an inflection point that will make people really want to use passwordless and it will make it really effective in our day to day lives.

What are you most excited about as these methods become more common and a part of everyday security for organizations and users?

I’m excited about not having to remember passwords anymore. It’s a really annoying thing to feel like I have these passwords, and even me as a security professional, I reuse or add on a word. Maybe I know not to just add on one number at the end, so I’ll add on a phrase or something like that, but my memory only works so well, and I know I’m flawed that way. So not having to remember passwords, not having to have one for here and one for there, and then rotate this one, and I’ve forgotten and resetting them because I’ve forgotten. I’m really excited about that.

I’m also really excited for passwordless to be more prevalent. I understand now that the technology is still expanding its footprint and for it to be in that area where I can do it once on my mobile phone and get into my login here on my work computer, log in here on my personal computer, because I’ve created a bunch of passwordless credentials on my mobile device that’s holding it as a wallet, I’m really excited about that.

Will we ever be fully rid of passwords, or how close do you see us getting?

The idea that we get rid of the password fully is something that customers come to me today about, or people in the industry are really interested (in). In order to get fully rid of passwords, we’re going to need solutions that help us register, transfer trust between devices, and make all of that happen without a password being used to bootstrap trust. Until those use cases move into this modern protocol era, or we have a really good solution for the bootstrapping of trust and transferring of trust in the passwordless world, passwords will still be around.

For an average user who’s currently stuck using passwords for some of the most important and private personal information, what tools or best practices do you recommend?

If you’re a user today who’s just using passwords on something and you’re like, "Why would I take that only factor away? Or what is passwordless at all?" there are some things to start doing generally. And I think one is to place traditional multi-factor on anything where it’s just a password. Do that today, add a second factor. It just adds security to those accounts. After that, I think it’s really starting to do things like have a vault where you store your passwords, pre-filling passwords. And then trying, wherever you can, start adopting passwordless.

One thing I’ve been really heartened to see is on the consumer side, passwordless is coming along a little quicker than in your working life sometimes. A lot of people can use their biometric on their device to log into their banking application. And I’m actually excited by that because I think it’ll make somebody, with the consumerization of IT, which we’ve seen basically the idea that people, what they see in their personal lives, they want to have their working experience or their working resources be like. If you adopt passwordless in your personal life and then get excited about that, and maybe even complain a little bit in your working life, passwordless will start to happen in your working life as well.

]]>
<![CDATA[Advanced Phishing 201: How to Prevent Phishing from Impacting Your Users]]> kyang@duo.com (Katherine Yang) https://duo.com/blog/how-to-prevent-phishing-from-impacting-users https://duo.com/blog/how-to-prevent-phishing-from-impacting-users Industry News

With advanced language-based AI tools like ChatGPT growing increasingly accessible, the battle to prevent phishing attacks from impacting users is no longer answerable with just one security solution.

Why is layered security essential against phishing?

Effectively protecting complex networks against sophisticated phishing attacks involves a comprehensive security stack including multi-factor authentication (MFA), single sign-on (SSO), and domain name system (DNS) security.

As mentioned in our previous post breaking down what modern-day phishing attacks look like, experts recommend that a layered approach to security can prevent single-point vulnerabilities and catch the most phish.

However, it isn’t easy for security programmes to go from zero to one hundred in any organisation, especially when it comes to the people impacted. In an environment with constant turnover of thousands of users, Australian educational institutions like Deakin University and others around the world turn to multiple solutions to secure against phishing.

Reduce reliance on passwords with single sign-on and MFA

Nobody ever appreciated opening an exciting email just to find out their company had bamboozled them with a fake phishing test. In a study of corporate phishing training conducted over 15 months with 14,000 participants, researchers found that embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing. In fact, it instead can have unexpected side effects that make employees even more susceptible to phishing.

A shifting IT environment also contributes to complexity and expanding attack surface. An increasing number of authentications are attributed to cloud applications, with a 24% rise in the percentage of cloud app authentications in 2022. As a result, organisations have turned to single sign-on solutions to decrease the number of credentials needed to access various cloud and on-premises applications.

The University of Queensland, for example, used Duo to secure their single sign-on portal to safeguard the cloud and on-premises apps users needed to access. At the University of Louisville, deploying Duo helped UofL Hospital protect sensitive protected health information (PHI) data without impeding clinicians’ productivity.

Rather than making users feel guilty for being gullible, single sign-on (SSO) solutions like Duo SSO complement MFA to mitigate phishing risks by enabling users to use a single set of credentials to access multiple applications. Additionally, Duo SSO helps:

  • Reduce the risks associated with credential compromise and breaches by decreasing the number of credentials a user needs to access the applications they need

  • Enable users a secure and stress-free login experience to permitted cloud and on-premises applications, including those built on SAML 2.0 and OpenID Connect (OIDC) standards

  • Adopt self-service capabilities to help IT and helpdesk teams save time and costs related to onboarding to applications, password resets, device management and more

  • Enforce least privileged access through granular access policies to limit user access to just the apps they need, preventing lateral movement

  • More easily adhere to regulatory compliance requirements (e.g., PCI DSS, HIPAA, etc.) for verification of users

Duo’s single sign-on solution helped UofL Hospital increase user productivity. Instead of entering credentials each and every time they need to access an application, with Duo’s SSO, students, faculty, and hospital staff log in just once to gain access to various cloud applications from a single dashboard, using their existing credentials and strong MFA.

Reducing the number of credentials by adopting SSO ultimately minimises the risk of losing those credentials to phishing attacks.

Stepping up: How email, DNS, and MFA security can protect users from phishing

Phishing links are commonly sent to the target through email messages. Case-in-point, we’ve all heard of the classic Nigerian prince scheme. However, these messages, powered by natural language AI models, are getting craftier—prompting users with false but convincing “you received a comment on your last document” and “please download this update ASAP” polished correspondences.

Luckily a secure email gateway like Cisco Secure Email Threat Defense can prevent these messages from even landing in your inbox. With Email Threat Defense, all inbound, outbound, and internal email is scanned for spam, viruses, and anomalies that might indicate incidents of compromise or phishing attempts.

But if a user’s personal email or just unguided surfing leads them to click on a phishing link, a DNS-layer security solution like Cisco Umbrella will block the connection, log the threat, and notify the user appropriately. Domain name system (DNS) security is another layer of protection that stops users from ever opening fraudulent links. Cisco Umbrella (a DNS solution) inspects all the outbound traffic from an organisation to determine where it is going on the internet.

Umbrella also includes threat intelligence, remote browser isolation (RBI), data loss prevention (DLP), and cloud malware detection, all while acting as a secure onramp to the internet to provide protection against threats for users anywhere they connect.

When combining these defences with Duo’s secure authentication solutions, businesses can prevent unauthorised access, decrease the risk of lateral movement, and protect their users and data wherever they are.

Deakin University catches a malicious attack attempt

Faced with rising audit demands, 100,000 devices and users accessing the network daily, Deakin University looked to Cisco to implement solutions to improve their security posture.

“We are a small team, coming from a very low-maturity security function and ad hoc processes here and there,” explained Fadi Aljafari, information security and risk manager at Deakin University. “We didn’t have a reliable security capability or any sort of architecture for our security offering.”

The team began building out an architecture including Cisco Umbrella, Cisco Email Security, and Cisco Duo. As they added new solutions, they could identify security weaknesses and develop a defence-in-depth, integrated approach to information security. And with Cisco’s XDR threat response integrated across their security solutions, analysts have unified visibility and can investigate threats from a single console.

Altogether, the University reduced response time to malicious emails from an hour to as fast as five minutes, even catching a nationwide attack one week prior to the prime minister’s alert. Previously, it would have taken at least a week to investigate.

“Using the security products from Cisco, in one hour we were able to search all our network and block all the indicators of compromise from a single application. We didn't even need to switch screens.”

As an additional result, Deakin University saw improvements in compliance with the NIST cybersecurity framework and Australia’s ACSC Essential Eight Maturity Model. After implementing Cisco solutions, Deakin went from 20% compliance with NIST to 68%, with a target of 85% by 2022. Likewise, the university raised its ACSC model maturity level for most of the strategies on mitigating cybersecurity incidents.

With a combination of email security, DNS protection, and advanced MFA, these universities have been able to reduce their phishing attack surface area whilst ensuring compliance with data protection regulations.

Zero Trust: Everyone is the perimeter in a hybrid world

An increasing number of authentications are coming from crevices of the web, around the world, and across the cloud. It's clear that the hybrid world of on-premises and cloud-based services is here to stay, and so the expanded attack surface requires expanded protection—especially when it comes to users.

When there are no borders, everyone is an insider, which dramatically increases risks across every aspect of business. This is the fundamental “why” for a zero-trust security strategy, built on the following principles:

  1. First, accurately establish trust. Strongly verify user and device trust before granting access.

  2. Second, consistently enforce trust-based access based on the principle of least privilege.

  3. Third, because change is inevitable, continuously verify trust, and instantly adjust access based on risk.

  4. And fourth, dynamically respond to change in trust, and then investigate and orchestrate incident response.

In higher education institutions, one user can have several different (and shifting) roles, which complicates assigning user-based access policies. For example, a research assistant may be both a student and a faculty member—just to become an alumnus the following year. Enforcing the principle of least privileged access through features like group-based granular application access policies is therefore much more of a challenge.

User experience must be top-of-mind for security changes, especially as identity is the new perimeter. Duo’s user-friendly and strong access management solution kicked off the University of Queensland’s zero-trust strategy, whilst Deakin University bolstered protection with Cisco’s security portfolio. Customisable multi-factor authentication and a comprehensive DNS security solution are fast to cloud-deploy and quick wins towards a zero-trust security strategy.

What’s next?

From our passwords leaked (and, accordingly, for sale on the dark web), to phishing emails (with PII on the hook), to ransomware (we all know this one) — it feels as though the list of cyber scaries grows longer by the day.

While more sophisticated anti-phishing techniques evolve, two other breach types still make up a significant proportion of cybersecurity headaches. In the next instalment of this series, we’ll break down the second most common breach according to the OAIC: When users bite the hook and credentials are, unfortunately, compromised.

Want to learn more about how to prevent phishing?

Check out the University of Queensland and Deakin University customer stories to see how these organisations deployed Cisco Security solutions to protect users from phishing attacks. Then, check out our ebook Duo for Essential Eight to see how Duo can help your organisation reach ACSC Maturity Level 3.

Trying to understand how to roll out a layered approach to cybersecurity? Be sure to download our ebook Why Multi-Factor Authentication Demands Single Sign-On.

]]>
<![CDATA[Making Products That Are Kinder Than Necessary: A Product Designer’s Career Path]]> mkschmermund@duo.com (Mary Kate) https://duo.com/blog/product-designer-career-path https://duo.com/blog/product-designer-career-path Industry News

Principal Product Designer Jake Ingman feels lucky that he’s been able to find a role that combines his passion for cybersecurity, design and engineering. Bringing Minnesota nice to a kinder than necessary culture that values design has allowed Ingman to infuse Duo products with empathy while defining his product design career path. If that’s the way you want to innovate, check out our open roles.

What unique opportunities exist for product designers working on Duo at Cisco?

Jake: Cisco and Duo have been very deliberate and intentional about building a path for product designers to remain individual contributors, this kind of quote unquote “IC track.”

"It takes a lot of respect for design and acknowledgement of the importance of design to build out that career path and put design as this equal partner all the way up within the organization.”

Leading without managing is another way to say it, and that’s not something that just happens automatically. It takes a lot of respect for design and acknowledgement of the importance of design to build out that career path and put design as this equal partner all the way up within the organization.

If you look at the organizational chart, you can see the value that the company puts on design. I feel really lucky to be in this position where I get to continue to be an individual contributor. I like being very close to the product and close to the design work and working directly with different teams. This company values the role that design plays in product development; designers are very well empowered here.

As Duo’s first principal product designer, what are your goals?

Jake: Part of my role is to be an advocate for design and user experience. So what does that mean? Well, a big part of that is understanding all of the tools and capabilities that we’re building here at Duo and in Cisco. Then, the goal is to figure out how to connect the dots across these projects to either improve the experience for our users or to improve their security in some way while also guarding their time and attention.

What brought you to Duo and Cisco Secure?

Jake: I had joined a startup that was co-founded by Sally Carson and about a year into my being there, Carson announced that she was going to go work for some company in Michigan called Duo. When Duo was acquired by Cisco, she worked up to being head of design at Cisco Secure.

So I spent about five more years at that startup and then when I was starting to look for a new role, Carson told me about this opportunity to work on a new product that Duo was building called passwordless. Then, I started talking to my now manager, Fraser Marshall, about what this project was about.

I couldn’t believe my luck that so much of my seemingly unique experience in design, engineering and security lined up so well with what this passwordless product was trying to achieve and what a lot of Duo’s core values are around designing and security. It was really the perfect fit.

[Editor’s note: to learn more about Ingman’s passion for design and how it intersects with cybersecurity, check out From Robots to Human Needs: How to Become a Cybersecurity Designer]

What distinguishes your experience on this team, at this company and doing this work compared to other work that you’ve done?

Jake: Cybersecurity is this really unique opportunity for design and for a designer. I really feel like it’s my job to do everything I can to genuinely improve someone’s quality of life. I know that the product that I’m working on is a requirement for them. It’s not something they asked for. I’m lucky to be able to use design to actually make someone's life a little bit better. It’s funny because a lot of the time, that means removing my product from their day-to-day life.

"It’s pretty rare that you get to work on something that the literal job of the product is to protect someone from a threat that they might be facing and not know about.”

That’s where a lot of the design happens, really, is designing some of these behind the scenes components in a way that removes this security burden from our users. It’s pretty rare that you get to work on something that the literal job of the product is to protect someone from a threat that they might be facing and not know about.

"I get to use the craft of design to protect someone’s time and attention and improve their quality of life because of that.”

I know that it’s quote unquote “just a security product,” or we’re just helping someone log in, but I really do feel like I get to use the craft of design to protect someone’s time and attention and improve their quality of life because of that.

Another thing that differentiates being at Cisco working on Duo is the scale of that impact. The little things that we do to improve the experience get multiplied millions and millions of times. There are literally tens of millions of people who are affected by the design decisions that we’re making here at Duo.

How does our company culture impact your work?

Jake: Everyone here is just very talented and impossibly kind. Of course, one of our core values as an organization is to be kinder than necessary. I remember hearing that when I was interviewing and researching Duo. Being from Minnesota, the whole Minnesota nice vibe, that’s important to me. That’s a real thing.

Being kinder than necessary, that sounds nice. Of course before working here you don’t really know if that's just a thing that the company says or if it’s something that they live. Now that I’ve been here for almost three years, it’s honestly true. We really are kinder than necessary, not only to each other, but we try to be kinder than necessary to the people that we serve.

Especially in this position of designing for Lee (our end user persona), I really feel like part of my job is to bring that kinder than necessary principle to the product design work that I do. How can we ease this particular burden on Lee? Or how can we make this part easier, or get them unstuck faster?

Security isn't something that has to be nice or is typically thought of as being kind, but I really feel like this kinder than necessary value is something that has made its way into the product. My job is to make sure that it continues to show up in the product.

How would you describe your team?

Jake: Everyone here just cares so much about each other, about the work that we’re doing, about the people that our product impacts and protects. If you look at a message thread, you wouldn’t necessarily know who is the engineer, who is the product manager and who is the product designer.

Everyone is very engaged in talking about all of these decisions that we have to make and trying to make the best change to the product or trying to find the most elegant way to solve the problem. You wouldn’t get that if people didn’t care.

"Everyone here just cares so much about each other, about the work that we’re doing, about the people that our product impacts and protects.”

Every conversation tends to take maybe three to five times longer than it would if people didn't care. The fact that so many people care and there’s so much attention and care paid to these decisions that we're making has a really big impact and influence on the product that we're making.

Learn more about a product designer’s career path

If you also care about carving your path as a product designer or someone who contributes to a kinder than necessary culture, check out our open positions.

]]>
<![CDATA[The Life and Death of Passwords: Driving Passwordless Forward With WebAuthn]]> ccherrie@duo.com (Chrysta Cherrie) https://duo.com/blog/driving-passwordless-forward-with-webauthn https://duo.com/blog/driving-passwordless-forward-with-webauthn Industry News

Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With this interview series, we take a deeper dive into their insights and share bonus footage.

Today: Nick Steele, research lead at Superlunar, weighs in on the weaknesses of password-based systems, the difference between a traditional login versus a passwordless one, and how WebAuthn is driving passwordless forward.

The problems with passwords

Chrysta: Why was passwordless needed in the first place? What sort of problem does it solve?

Nick: Humans are really bad at creating randomness. So when it comes to creating passwords and remembering passwords, the passwords are generally, if they’re made by humans, not very strong. And humans also tend to use heuristics and elements that they can reuse over and over. So even passwords created by humans that are slightly different still tend to be pretty easy to crack.

Passwordless is this next paradigm in authentication where we don’t have to rely on human-created passwords and credentials. We can rely on credentials that are created by the computer, controlled by the computer, and controlled in a secure manner. And then passed on or really authorized to be released to a website or a service via biometric or a local PIN, something that doesn’t have to leave the device, and that the user has on them or in their brain.

What are the main weaknesses of password-based auth systems that attackers will exploit?

The primary weakness in a lot of these passwords is the amount of randomness and really the length and the amount that a human can really remember in a password. Your average eight-character password can be cracked in a fraction of a second by machines nowadays. Your average at-home PC desktop could go through creating and trying millions of passwords in seconds. So if your password is something like ABC123, it can be almost instantly uncovered.

Now that being said, the second most common way is probably through phishing and credential stuffing. So once a user has had their password stolen, an attacker could come along and start trying that password on different websites with maybe the user’s email address or username. And start going through different websites, trying to crack those accounts as well.

So the weakness comes from this fact that we have a shared key that can be shared across multiple systems, and with multiple people without tying it physically or even biometrically to the user.

Securing passwordless with WebAuthn

Chrysta: How does the process of a passwordless login differ from a traditional password-based one from the user’s perspective? What changes?

Nick: Generally in modern websites where you have a second factor activated, you’re going to first navigate to your password login where you enter your password. And then you’re going to follow up with that second or third factor.

In the passwordless flow, we’re eliminating that first factor where you’re entering the password. I’m going straight to that second factor where you interact with a key or a biometric device in order to log into the site. So for most users on more of these modern systems, it’s still pretty much the same. People have already gotten pretty comfortable with these flows because of mobile devices having biometric support over the past five, almost 10 years now, at this point. So being able to acclimate users and get users comfortable with it is already something that’s really well underway because these passwordless flows are going to look a lot like logging into your phone now.

What got you interested in auth systems and involved with development of the WebAuthn spec?

I got interested in authentication systems pretty early on in my career, actually when I was still working at Etsy, which was a sort of craft marketplace website that helps connect buyers and sellers while selling mostly craft goods. But when I was there, one of the first projects I worked on was auth systems for mostly DNS. And figuring out how we could route sellers’ custom websites to our website, and have the DNS records match up, and handle SSL.

Where it gets more interesting and more complex is once you start adding the human element, which is honestly probably the more interesting side of most computer systems is once they kind of come out of the screen.

So when I moved over to Duo Security, before they were acquired by Cisco Systems, I was working in a research lab there. And one of the first projects that I was asked to work on was to figure out what was next for second factor, because Duo is a pretty heavy second factor company. So I went out trying to look at all these projects that were focused on what the next steps in authentication were. And I finally came across WebAuthn, which kind of started in 2016 off the back of a different spec called UAF, which is the universal authentication factor being worked on by the FIDO Alliance.

What really differentiated WebAuthn as a standard and made it seem really promising was that it was the simplest form of passwordless authentication that I’d seen. It was the most straightforward. A lot of different standards required specialized hardware, required using QR codes, or had elements within their construction that were potentially insecure.

In fact, when compared to just about any other form of authentication, including first factor authentication with passwords, it’s extremely secure.

Why was WebAuthn such a major technological step in the feasibility of widespread passwordless use?

In terms of providing passwordless to the masses, WebAuthn was a framework that was transparent. It was open source. Everyone was allowed to collaborate on the standard. And on top of that, you had the browsers agreeing on a lot of the elements of how the standard should be an interface in their browsers, which is just really unheard of.

You mentioned that typical WebAuthn implementation is going to be a lot more secure than a traditional first factor, like a password. But is passwordless auth less secure because it removes the password from that flow? Isn’t removing any password going to be some reduction in security versus that same method with a password as well?

TL;DR [too long; didn’t read] is no.

Interacting with your Touch ID means that you physically need to be next to your computer. To touch your YubiKey, to touch your FEITIAN token, to interact with this hardware key that releases the credential, you need to be next to your computer.

So in the case where you actually have to enter a password, anyone can enter your password from anywhere. This is why it’s so great for attackers. You or anyone else can enter it from anywhere in the world.

Once you add that WebAuthn layer, once you add the second factor, you need to be within proximity of the device that is in charge of your credential.

Aside from the biometric methods that we talked about, what other ways do you see a user being verified through a WebAuthn prompt without being challenged for that password?

If your password is not leaving your local device, generally that’s going to mitigate the vast majority of attacks, right? Where passwords really get weak is when they’re being shared or stored across someone else... once it leaves your device and it’s on someone else’s device. If an attacker breaches their database, which has your password in it, well, now it could be used in a lot of other places.

The journey towards passwordless adoption

Chrysta: What are the top three misconceptions or myths that you run into about WebAuthn, or passwordless authentication more generally, and what do they get wrong?

Nick: I would say actually that the top myth isn’t directly related to WebAuthn or passwordless authentication outright, but it’s kind of related to biometrics. People always really assume that the biometrics that are being used to unlock their device or being used to log into their website via WebAuthn, or other passwordless services, they tend to think the biometrics are being sent elsewhere. And in the vast majority of cases, your biometrics are never sent anywhere. They’re only being used by the local authenticator to release a credential.

The second biggest misconception around WebAuthn is it’s more complex than it really is. It’s really just a set of guidelines around this API that allows your browser to access secure hardware on your device, or potentially just go grab credentials or make credentials on your behalf.

The other big misconception with passwordless is that credentials can still be stolen, which is totally outside of biometrics. I feel like it’s two separate things, right? Because if people think their biometrics can be stolen, then their biometrics can be used on multiple websites. This is really not how that kind of cryptography can work. And in a similar way, the credentials that you produce for passwordless services also can’t be reproduced and reused across multiple sites.

What’s the biggest speed bump or headwind today preventing wider adoption of passwordless methods?

The biggest thing right now is there really isn’t a great story or experience that allows users to really understand what’s going on.

While this is easy to talk about, users will probably be pretty confused by this change. So being able to socialize and normalize this process of not providing passwords on websites is a really hard process. Creating a coherent story and creating an ergonomic experience for the user around these security properties and principles is going to be a little difficult.

Ultimately, do you think that passwordless authentication is going to have a greater impact on large organizations, like corporations, schools, government, or the individual user in the consumer-level services that they use daily?

I think it’s going to affect organizations first, and then consumers second. A lot of new technology seems to go this way. But organizations are already making use of WebAuthn, and there’s already a lot of use in the consumer space. If you use login.gov, which is one of the biggest login portals for the US government right now, they’ve actually begun to use WebAuthn for handling second factor authentication. And more and more consumer-side companies are making it available, because it doesn’t only help the user to have passwordless authentication.

It also is compelling for your bank to have better authentications. It’s compelling for services where losing money will erode trust or prevent you from using their service again. So it’s really a two-way street, right? It doesn’t just benefit the user to have no passwords. It benefits the organization that they’re doing business with to provide better security as well.

When do you think we’ll be completely rid of passwords? Or will we ever?

I think passwords are always going to have some use cases. I mentioned that local passwords are still fairly secure. And there’s a lot of use cases where having a shared key is actually pretty useful. I don’t see them really going away anytime soon, especially given the long tail of technology on the internet. But I definitely see more and more people and organizations getting comfortable with the adoption and inclusion of passwordless.

For users that still do have to rely on passwords for a lot of their important accounts, what do you recommend as some of the best practices to keep themselves safe?

I would say use a password manager. Definitely don’t reuse passwords. When a second factor or WebAuthn is available, you should definitely be using that on top of a password. But really the biggest thing that you could do with passwords is keep them secret and keep them safe.

Next in our extended interview series: Ted Kietzman, a former product marketing manager for Duo Security at Cisco Secure, ponders passwords as a lost cause, the value of feedback for usability, and how passwordless technology is evolving.
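
The properties Nick describes in this interview (a credential scoped to one site and released only locally, a login that cannot be relayed from another origin or reused later, a server that holds nothing worth stealing) are easiest to see in the relying party's verification code. What follows is an added example, not code from Nick Steele, Superlunar or Duo: a self-contained Go simulation in which an in-process authenticator stands in for the security key or platform biometric, and a minimal relying party runs the core checks of the WebAuthn authentication ceremony. The struct and function names, the abbreviated authenticatorData layout (rpIdHash, flags and sign count only), the user name "user1" and the origins example.com and examp1e.com are all constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors the CollectedClientData JSON the browser hands to the
// relying party; it binds the signature to one challenge and one origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, as in the spec
	Origin    string `json:"origin"`
}

// assertion is what navigator.credentials.get() returns, minus the fields
// (credential ID, user handle) this simplified model does not need.
type assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte
	Signature         []byte
}

// authenticator stands in for the security key or platform authenticator.
// It keeps one private key per relying party; only signatures ever leave it.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// register creates a key pair scoped to rpID and returns only the public half.
func (a *authenticator) register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// assert signs authenticatorData || SHA-256(clientDataJSON), the message layout
// WebAuthn specifies. authenticatorData is abbreviated (constructed for this
// example) to rpIdHash (32 bytes) || flags (1) || signCount (4).
func (a *authenticator) assert(rpID, origin string, challenge []byte, userVerified bool) (assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return assertion{}, errors.New("no credential scoped to this relying party")
	}
	cdJSON, err := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	flags := byte(0x01) // UP: user presence (the touch)
	if userVerified {
		flags |= 0x04 // UV: biometric or local PIN, checked on the device only
	}
	authData := append(append(make([]byte, 0, 37), rpHash[:]...), flags, 0, 0, 0, 1)
	cdHash := sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return assertion{}, err
	}
	return assertion{ClientDataJSON: cdJSON, AuthenticatorData: authData, Signature: sig}, nil
}

// relyingParty is the server side. It stores public keys only, so a breach of
// its credential table gives an attacker nothing they can log in with.
type relyingParty struct {
	id, origin string
	creds      map[string]*ecdsa.PublicKey
}

// verify runs the core checks of the WebAuthn authentication ceremony.
func (rp *relyingParty) verify(user string, challenge []byte, as assertion) error {
	pub, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user or credential")
	}
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.origin {
		return errors.New("origin mismatch: assertion was produced on another site")
	}
	rpHash := sha256.Sum256([]byte(rp.id))
	if len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch or malformed authenticator data")
	}
	if as.AuthenticatorData[32]&0x01 == 0 {
		return errors.New("user presence flag not set")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("signature does not verify against the stored public key")
	}
	return nil
}

// demo registers a credential, then tries a genuine login, a login whose client
// data names a look-alike origin, and a replay of the genuine assertion against
// a fresh challenge. It reports whether each login was accepted.
func demo() (genuineOK, phishedOK, replayOK bool) {
	auth := &authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &relyingParty{id: "example.com", origin: "https://example.com", creds: map[string]*ecdsa.PublicKey{}}
	rp.creds["user1"] = auth.register(rp.id) // "user1" is a constructed account name

	challenge := make([]byte, 32)
	rand.Read(challenge)
	genuine, _ := auth.assert(rp.id, rp.origin, challenge, true)
	genuineOK = rp.verify("user1", challenge, genuine) == nil

	// The browser fills in the true origin of the page, so an assertion made on a
	// look-alike site fails the origin check even though the user touched the key.
	// (Real browsers also refuse to use a credential whose RP ID does not match
	// the page's domain; this model shows only the server-side check.)
	phished, _ := auth.assert(rp.id, "https://examp1e.com", challenge, true)
	phishedOK = rp.verify("user1", challenge, phished) == nil

	// Unlike a captured password, a captured assertion is bound to its challenge.
	fresh := make([]byte, 32)
	rand.Read(fresh)
	replayOK = rp.verify("user1", fresh, genuine) == nil
	return
}

func main() {
	g, p, r := demo()
	fmt.Printf("genuine accepted: %v, look-alike origin accepted: %v, replay accepted: %v\n", g, p, r)
}
```

Run with go run: the relying party accepts the genuine assertion, rejects the one whose client data carries the look-alike origin, and rejects the genuine assertion once it is presented against a new challenge. The point the interview makes about breaches also falls out of the design: the creds map holds ECDSA public keys only, so nothing in it can be replayed elsewhere the way a leaked password can.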

]]>