Three years ago, I wrote about the different criteria to consider when choosing a modern two-factor authentication (2FA) solution, in What to Look for in a Modern Two-Factor Authentication Solution.
But the areas of access security and identity have evolved quickly since then. Here are a few updated aspects to look for in a (more) modern 2FA solution, to address the latest risks:
Easy & Fast for Users
It still holds true that the most secure technology is one your users actually want to use. Choose a 2FA solution that has minimal impact on end users, and provides:
- A lightweight 2FA mobile app that doesn’t require users to carry a separate device
- Easy authentication in seconds via push notifications sent to their phone
- Or, a secure USB device plugged into a laptop that only requires one tap to verify their identity
If you choose to use a 2FA mobile app, assure your users that the app will never store their passwords, view their data, or otherwise invade their privacy.
Low-Touch for Admins
A modern 2FA solution is a cloud-based one that requires no hardware or software to install and no servers to set up for deployment. Admins should be able to deploy the solution quickly – in a matter of hours or days, not weeks or months.
User provisioning should be made as easy as possible, too. While smaller deployments can allow users to sign themselves up using self-enrollment, larger groups with thousands of users can enroll via Active Directory synchronization and bulk user imports.
Finally, ongoing management of your modern 2FA solution shouldn’t require dedicated in-house security staff or hours of help desk support. A modern 2FA solution should give admins the capability to easily manage users, phones, tokens (if you choose to use them) and integrations from a single dashboard.
Built-In, Secure Design
Protect Against a Breach – A modern 2FA solution uses asymmetric cryptography to protect against the risk of stolen shared secrets. Attackers can steal shared secrets used to generate token numbers, which they can use to compromise user accounts and organizations. A modern 2FA provider should only store public keys on their servers, and private keys on your users’ devices.
Secure, Compliant Methods – Check to make sure your 2FA provider supports U2F (Universal 2nd Factor), one of the most secure methods, since it protects against phishing and man-in-the-middle (MitM) attacks. The National Institute of Standards and Technology (NIST) recommends against SMS-based 2FA, which attackers can easily bypass.
Fast, Easy Security Patching – To protect against new vulnerabilities, a modern 2FA solution should send frequent, automatic updates directly to your users’ devices in order to ensure they have the latest security patches.
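The two server designs contrasted above (a shared secret that an attacker can copy, versus a public key that cannot produce a response) are easy to see side by side in code. The following Go program is an added example written for this page; it is not Duo’s code and not the page’s own. It assumes Ed25519 as a stand-in for the signature scheme U2F uses, uses the RFC 4226 HOTP test-vector key as the constructed legacy secret, and binds each challenge to a constructed site origin to model the phishing protection the U2F paragraph describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// ---- Legacy design: server and token share one secret (HOTP, RFC 4226). ----

// HOTP derives a six-digit code from a shared secret and a counter.
func HOTP(secret []byte, counter uint64) uint32 {
	mac := hmac.New(sha1.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation offset
	return (binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff) % 1000000
}

// StolenSecretReproducesCode models a breached legacy server: a copy of the
// secret column is enough to compute the same code the user's token shows.
func StolenSecretReproducesCode(serverSecret []byte, counter uint64) bool {
	stolenCopy := append([]byte(nil), serverSecret...) // copy of the DB row
	return HOTP(stolenCopy, counter) == HOTP(serverSecret, counter)
}

// ---- Modern design: private key stays on the device, server keeps only the public key. ----

// Device is the user's phone or USB key; priv never leaves it.
type Device struct{ priv ed25519.PrivateKey }

// ServerRecord is everything the 2FA service persists for one enrolled device.
type ServerRecord struct {
	User string
	Pub  ed25519.PublicKey
}

// Enroll generates the key pair on the device and registers only the public half.
func Enroll(user string) (*Device, ServerRecord, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, ServerRecord{}, err
	}
	return &Device{priv: priv}, ServerRecord{User: user, Pub: pub}, nil
}

// NewChallenge returns a fresh random nonce so a captured response cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the origin the browser reports, the same idea
// U2F uses: a response produced on a lookalike site is useless on the real one.
func signedData(challenge []byte, origin string) []byte {
	return append(append([]byte(nil), challenge...), []byte(origin)...)
}

// Respond signs the challenge together with the origin of the page that asked for it.
func (d *Device) Respond(challenge []byte, browserOrigin string) []byte {
	return ed25519.Sign(d.priv, signedData(challenge, browserOrigin))
}

// Verify checks a response against the origin the service expects.
func (r ServerRecord) Verify(challenge []byte, expectedOrigin string, sig []byte) bool {
	return ed25519.Verify(r.Pub, signedData(challenge, expectedOrigin), sig)
}

// ForgeWithStolenRecord models a breach of the modern server: the holder of the
// stolen record has the public key and sees the challenge but has no private key,
// so the only move available is to sign with some other key, which fails.
func ForgeWithStolenRecord(stolen ServerRecord, challenge []byte, origin string) (bool, error) {
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	sig := ed25519.Sign(otherPriv, signedData(challenge, origin))
	return stolen.Verify(challenge, origin, sig), nil
}

func main() {
	secret := []byte("12345678901234567890") // constructed: the RFC 4226 test-vector key
	fmt.Println("legacy: stolen secret reproduces code:", StolenSecretReproducesCode(secret, 0))

	dev, rec, err := Enroll("alice")
	if err != nil {
		panic(err)
	}
	ch, _ := NewChallenge()
	const site = "https://login.example" // constructed origin
	fmt.Println("modern: genuine response verifies:", rec.Verify(ch, site, dev.Respond(ch, site)))
	fmt.Println("modern: response made on a lookalike origin verifies:",
		rec.Verify(ch, site, dev.Respond(ch, "https://login-example.test")))
	forged, _ := ForgeWithStolenRecord(rec, ch, site)
	fmt.Println("modern: forgery with stolen public key verifies:", forged)
}
```

Running it prints `true` for the legacy case and `true, false, false` for the three modern checks: the database of the modern design is worth nothing to whoever copies it, and a response obtained on a different origin is rejected even though the same device produced it.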
A modern 2FA solution should also give admins access to authentication logs for reporting, analytics and compliance requirements. With detailed user and device reports, you should get visibility into the security health of your users’ devices with an at-a-glance security dashboard.
Your 2FA solution should also allow you to use APIs to export security logs to your security information and event management (SIEM) system for customized reporting and security analysis, and to meet industry compliance requirements such as PCI DSS, which requires tracking and monitoring of security events and of all access to network resources.
User Access Policies
More advanced 2FA solutions give your administrators the capability to create user access policies to further strengthen your security profile. Examples of user access policies might include:
- Block authentication requests originating from countries you don’t do business in
- Block requests from anonymous networks, like Tor
- Customize which authentication methods your users can use – require only the most secure methods, like U2F, and restrict the use of weaker methods, like SMS-based 2FA
A modern 2FA solution allows admins to create role-based access policies, organizing users into functional groups based on their job role and the amount of access they need.
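The three example policies in the list above, plus the role-based grouping, can be expressed as a small policy engine. The following Go program is an added example for this page, not Duo’s code and not the page’s own; the group names, country codes (`XX` is a placeholder for a country the business does not operate in) and request values are constructed. It also renders each decision as one JSON record, the shape an export to a SIEM would consume.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Method is an authentication method a user may complete the second factor with.
type Method string

const (
	MethodU2F  Method = "u2f"
	MethodPush Method = "push"
	MethodSMS  Method = "sms"
)

// AuthRequest is the context a policy is evaluated against.
type AuthRequest struct {
	User        string `json:"user"`
	Group       string `json:"group"`        // role-based group, e.g. "finance" (constructed)
	Country     string `json:"country"`      // ISO 3166 code derived from the source address
	AnonNetwork bool   `json:"anon_network"` // source belongs to Tor or a similar anonymizer
	Method      Method `json:"method"`
}

// Policy is one set of rules; a nil slice or false flag means "no restriction here".
type Policy struct {
	BlockedCountries []string
	BlockAnonymous   bool
	AllowedMethods   []Method
}

// Decision is the outcome with a reason suitable for an authentication log.
type Decision struct {
	Allow  bool   `json:"allow"`
	Reason string `json:"reason"`
}

// Engine applies the global policy and then the policy of the user's group; both
// must permit the request, so a group policy can only tighten the global one.
type Engine struct {
	Global  Policy
	ByGroup map[string]Policy
}

// check returns a deny decision and true if any rule in p rejects r.
func (p Policy) check(r AuthRequest, scope string) (Decision, bool) {
	for _, c := range p.BlockedCountries {
		if c == r.Country {
			return Decision{false, scope + ": country " + r.Country + " is blocked"}, true
		}
	}
	if p.BlockAnonymous && r.AnonNetwork {
		return Decision{false, scope + ": anonymous network sources are blocked"}, true
	}
	if p.AllowedMethods != nil {
		permitted := false
		for _, m := range p.AllowedMethods {
			permitted = permitted || m == r.Method
		}
		if !permitted {
			return Decision{false, scope + ": method " + string(r.Method) + " is not permitted"}, true
		}
	}
	return Decision{}, false
}

// Evaluate returns the first rule that denies the request, or an allow.
func (e Engine) Evaluate(r AuthRequest) Decision {
	if d, denied := e.Global.check(r, "global"); denied {
		return d
	}
	if gp, ok := e.ByGroup[r.Group]; ok {
		if d, denied := gp.check(r, "group "+r.Group); denied {
			return d
		}
	}
	return Decision{true, "all policies satisfied"}
}

// LogLine renders one decision as a JSON record for export to a SIEM.
func LogLine(ts time.Time, r AuthRequest, d Decision) (string, error) {
	rec := struct {
		Time     string      `json:"time"`
		Request  AuthRequest `json:"request"`
		Decision Decision    `json:"decision"`
	}{ts.UTC().Format(time.RFC3339), r, d}
	b, err := json.Marshal(rec)
	return string(b), err
}

// DemoEngine builds the constructed policy set used below.
func DemoEngine() Engine {
	return Engine{
		Global: Policy{
			BlockedCountries: []string{"XX"}, // placeholder code, not a real country
			BlockAnonymous:   true,
			AllowedMethods:   []Method{MethodU2F, MethodPush}, // SMS excluded everywhere
		},
		ByGroup: map[string]Policy{
			"finance": {AllowedMethods: []Method{MethodU2F}}, // finance must use U2F only
		},
	}
}

func main() {
	eng := DemoEngine()
	for _, r := range []AuthRequest{
		{User: "bob", Group: "sales", Country: "US", Method: MethodPush},
		{User: "bob", Group: "sales", Country: "US", Method: MethodSMS},
		{User: "eve", Group: "finance", Country: "US", Method: MethodPush},
		{User: "eve", Group: "finance", Country: "XX", Method: MethodU2F},
		{User: "eve", Group: "finance", Country: "US", AnonNetwork: true, Method: MethodU2F},
	} {
		line, _ := LogLine(time.Now(), r, eng.Evaluate(r))
		fmt.Println(line)
	}
}
```

Only the first request is allowed; the others are denied with a reason naming the scope (global or group) and the rule that fired, which is the detail an analyst reading the exported log needs in order to tell a misconfigured policy from a blocked attempt.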
Low Total Cost of Ownership (TCO)
New 2FA solutions are offered as software as a service (SaaS), eliminating many of the upfront installation and maintenance costs associated with older solutions, including hardware, software, tokens, servers and data centers.
Remember, 2FA technology that is difficult to deploy, use and maintain requires more work from your IT team and help desk support. Ongoing maintenance costs should be covered by design – a modern 2FA solution is managed by full-time security professionals who frequently roll out the latest security updates to users automatically, lessening the load on your IT team.
Plus, 2FA customer support should be responsive and proactive, helping your team through deployment, provisioning, integration and maintenance to reduce the resources needed to support a 2FA solution.
More Resources: Duo vs. Traditional 2FA
How does Duo stack up against traditional two-factor authentication solutions? Find out how to upgrade your security and lower your costs in Duo vs. Traditional Two‑Factor.
Two-Factor Authentication Evaluation Guide
Get more in-depth information by downloading the Two-Factor Authentication Evaluation Guide. In this guide, you will learn how to evaluate a solution based on:
- Security – Does your solution reduce risks, and can it provide visibility into your environment?
- Strategic Business Initiatives – Does your solution support cloud, mobile and BYOD initiatives? And can it fulfill compliance?
- Total Cost of Ownership (TCO) – Does your solution provide more upfront value, or more hidden costs?
- Resources Required – Determine what kind of resources it’ll take to deploy and provision your users.
Jul 27, 2017 – Duo Mobile
If you’re heading to Las Vegas for a week of back-to-back conferences, well, we are too. And we’ll be there with new tool demos, book signing, plus several parties & awesome DJs. Check out Duo in Las Vegas for a full list of our events and where you can find us.
BSides is a community-driven information security conference held in 100 cities across 26 countries, with the Las Vegas event as the original and largest BSides conference.
Stop by the Duo & Queercon suite at Tuscany Suites during BSides Las Vegas this year to take a break and grab snacks/beverages. We’ll be there on Tuesday, July 25 and Wednesday 7/26 from 12-5:00 p.m. PT, both days – check our Duo in Las Vegas page next week for our suite number.
Additionally, on Wednesday, July 26, at 3:00 p.m. PT, Duo’s Director of R&D Rich Smith will be signing free pre-release copies of his O’Reilly book, Agile Application Security: Enabling Security in a Continuous Delivery Pipeline at our suite.
Black Hat has run for more than 19 years, providing the latest information security research, development and trends, holding conferences in the U.S., Europe and Asia.
Don’t miss Duo’s security researchers’ demo at Black Hat Arsenal this year – come learn about our new phishing tools, including IsThisLegit and Phinn.
IsThisLegit is a free, open-source Chrome extension and web application dashboard designed to support phishing response management for end users and admins. Phinn is a Chrome extension that uses convolutional neural networks (machine learning) to analyze web page content and alert users of suspected phishing attacks.
The demo will be presented by Duo’s Jordan Wright, Senior R&D Engineer, and Mikhail Davidov, Principal Security Researcher of Duo Labs.
This demo is unique for Arsenal as it covers the full lifecycle of phishing mitigation using tools developed by the Duo Labs team. Jordan and Mikhail will be demoing the new tool on Wednesday, July 26, from 1-2:20 p.m. PT at Business Hall, Level 2, Station 1 as part of the Human Factors track.
Learn more about the IsThisLegit demo at Black Hat.
DEF CON is one of the world’s longest running and largest “underground” hacking conferences, originating in 1992. Last year, more than 20,000 attended, making lines unbearably long and sessions impossible to attend (I’m not bitter). The conference brings together hackers, IT professionals, government agencies and many more to share the latest research and engage in hacking contests.
Duo’s representing at DEF CON 25 this year, throwing the DEF CON 2nd Annual N00b Party and Queercon Kickoff Party.
DEF CON 2nd Annual N00b Party
Join Duo for drinks, dancing (or not dancing) with DJ Keith Myers on Thursday, July 27 from 6:30-8:30 p.m.
Keith Myers at Duo’s DEF CON Party in 2016
The party’s at the Octavius Ballroom 25 within Caesar’s Palace, located on the Promenade South Level. Here’s a PDF map to help you get less lost.
It was pretty bumping last year, so make sure you get in line early!
Queercon Kickoff Party
Originating a decade ago as a hacker party at DEF CON, Queercon grew into the largest social network of LGBT hackers around the world.
Join us on Thursday, July 27 from 8:30-3:00 a.m. PT for drinks, dancing and music – no registration required. Head over to the Forum Tower located at Caesar’s Palace, and tag your party photos #queercon. Check our Duo in Las Vegas page next week for the suite number.
Jul 19, 2017 – Duo Mobile
For the last 18 years, every role I’ve committed to and every job I’ve had has helped shape who I am and taught me to be stronger. I’ve had great mentors who lifted me up through tough times, but there was always a whisper in my ear, a gut feeling that kept pushing me to find a place where I could express myself, be comfortable in my own skin and grow without restrictions.
Just as I was starting to question what it takes to be part of the tech industry, I found unexpected inspiration. It came when I was thinking about changing the course of my career and I reluctantly went to a job interview with my mind made up that I wasn’t going to join yet another security company. After many weeks of discussions, I was in for a surprise.
The surprise? I joined Duo early this year. It seemed fitting to celebrate my first 90 days here by telling my story, my reason why I chose me, why I chose kindness, why I chose quality of life for my family and above all why I chose Duo.
There are 10 reasons why I joined Duo and how being part of this team has allowed me to fully embrace who I am — a Muslim, a woman in technology, someone who’s passionate to learn and succeed, give back to the community, and bring kindness and compassion into everything I do.
#10 – Culture builds behavior. Behavior builds people. People build companies.
Every company says that they value culture and toot their horns about it during interviews, but at Duo culture is people. From the first time you walk into the office and meet people, watch how they treat each other. You can’t help but notice and admire the openness. We come from different backgrounds and might not agree on everything, but for us culture means being open enough to embrace everyone, warts and all.
#9 – Duo’s brand isn’t just about the product, but also the people.
In an industry where many companies foster fear, uncertainty and doubt, Duo’s brand is unique. The color green signifies calm, as opposed to the alarming red and yellow widely associated with information security. And when we call ourselves the Most Loved Company in Security, it’s just as much about who we are as it is what we are. Our human-centered focus and positivity promotes confidence among our customers and empowers us individually within the company.
#8 – Appreciation for doing a good job and giving each other validation is ingrained in every Duo employee.
Every company has a formal awards and recognition program that sets rules and recognizes people… but how many have one where the CEO hands out the microphone to his employees at a companywide event, giving them an opportunity to thank anyone they want, building a line out the door, and resulting in heart-melting stories? That’s a big way we like to thank and recognize each other, but we also find small ways to show our appreciation every day.
#7 – We win or lose as a team, our teammates’ goals are our goals, and we’re kinder than necessary.
While the desire to win is in everyone’s DNA, winning while working with others, and lifting others through both good and bad times, doesn’t come as easily. Duo is committed to moving in that direction, even when it’s hard. When we have a challenge or concern, we bring it out in the open and figure out how to work through it and support each other. For most of the 18 years of my career my email signature has been, “Collaboration is the key to success,” and the drive and passion with which Duo pushes that statement downstream is remarkable.
#6 – We don’t hire people because they fit the mold. We hire because we want people to be themselves.
Before a job interview, people often diligently plan everything: what to wear, what to say, how to say it. Typically, they prepare by reading about the company and tweaking answers to show how they fit in, because conventional wisdom is that companies hire people who are the right fit for the culture. What makes Duo unique in this way is how we hire people for being themselves. And the variety and diversity of Duo team members showcases that we connect with people who are comfortable in who they are and recognize their unique contributions.
#5 – We spend as much time developing a product as we do on making it easy.
As I mentioned in #9, a common theme in our industry is fear. This fear compels some companies to sell like they’re the only ones that can help their potential customers — which is counter to everything we do at Duo. To understand Duo’s product strategy, you need to understand the core belief of our CEO, Dug Song. We believe in making security that’s easy to use and works well, and in radically simplifying security to a point where people can secure themselves without having to rely on a security team or expertise. In Dug’s words, “We are roadies, not rock stars. Mission control, not astronauts. Guardians, not warriors.” We make security simple, and our product exemplifies that.
#4 – I’m not a Diversity statistic for Duo. I have a seat at the table.
Celebrating diversity is increasingly a part of work culture. It’s become common for companies to flaunt their diversity statistics to showcase how inclusive they are. And yes, I’ve been part of these statistics in the tech industry. At Duo, diversity isn’t a metric that we track and trend to pat ourselves on the back. Rather, it means that I’m truly given the space to share my unique voice.
#3 – My creativity and skills aren’t put in a box. I’m encouraged to do what I excel at, but also to extend my reach.
Something that’s always driven me in my career is a love for problem solving. I get a great joy from examining challenges and seeking solutions. Understanding that preset processes and practices can stifle creativity and new ideas, the freedom to think for yourself and think outside of the box is key to Duo’s culture.
#2 – We don’t have to grow because we can. Our growth is intentional and in preparation for a real future.
I’ve worked in companies where change was the only constant, and it caused me to experience change fatigue. Pace is the name of the game in tech, and if we’re unable to run with it, we can become extinct. At Duo, the environment is similarly prone to change and making quick moves, but the difference here is that every change is carefully considered. That, along with communication, transparency and follow-up, helps discourage change fatigue among ourselves.
#1 – Genius doesn’t have to come at the cost of kindness or happiness.
Often as a company grows, you have to make certain compromises to reach your goals. One compromise I’ve seen too many companies make is overlooking the importance of empathy in team members. They shift toward making hiring choices just for people’s minds and forget their hearts. At Duo, “Be kinder than necessary” is a mantra that resonates not only with customers, but also in action across our internal teams. Of course, it isn’t all rainbows and unicorns, and bad days happen, but as a group we support each other and remind each other of this way of thinking.
Of course, I don’t hold a crystal ball. I don’t know what the future holds or how Duo will evolve. What I do know is that as I grow in my career and work toward my goals, Duo will always be the benchmark of what an employer should be. #WeAreDuo!
Jul 12, 2017 – Duo Mobile