Sponsored Content: We conduct an in-depth review of Duo Access, a leading identity and access management platform for business.
By Caitlin Jones. Updated Mar 28, 2023
We publish unbiased reviews: our opinions are our own and not influenced by payments from advertisers. Learn about our independent review process and partners in our advertiser disclosure.
Your corporate accounts are the gateways to your organization’s data kingdom, and your employees’ login credentials are the keys. It’s absolutely crucial these keys are kept secure, otherwise you’ll be leaving those gateways wide open to attackers trying to access your company’s data.
Authentication and access management solutions can help you secure your corporate accounts against sophisticated account takeover attacks, as well as allow you to manage user access and device health. They mitigate the risk of access-related breaches, while enabling your employees to access company data easily and securely and giving admins far more visibility over trusted devices.
In this article, we’ll explore a market-leading multi-factor authentication solution: Duo Access. Duo offers a comprehensive suite of features that help businesses secure access to corporate accounts at multiple levels. The platform keeps corporate data secure while reducing the pressure on employees to create, remember and store complex, unique passwords for each of their accounts. Throughout the following sections, we’ll examine Duo Access’ key features, as well as its benefits, in order to help you decide whether it’s the right platform for your business.
Note that while Duo Security offers a number of access management solutions, this article focuses on Duo Access, which is their mid-tier solution designed to offer access security for organizations of all sizes, from SMBs to large enterprises.
What Is Duo Access?
Duo Access is a zero-trust user authentication and access management solution that enables secure access to company accounts by preventing the use of stolen or compromised credentials by cybercriminals. It also enables security teams to monitor and control which users and devices are allowed to access corporate applications.
Duo’s platform combines risk-based MFA and SSO, evaluating each login against admin-configured policies and the user’s normal behavior, to keep accounts secure against credential-based attacks without adding friction to routine logins.
As well as its suite of authentication features, Duo Access offers device inspection capabilities that help to protect corporate assets from exploitation of known vulnerabilities. Duo does this by alerting admins to out-of-date operating systems, jailbroken devices and other security configuration issues, and by providing a self-remediation prompt that lets end users resolve those issues themselves. Duo integrates with hundreds of cloud applications straight out of the box, and allows admins to set up granular policy controls for each cloud application.
Duo is a subscription-based, cloud-deployed solution, and it comes in four plans: Duo Free, Duo MFA, Duo Access and Duo Beyond. This flexibility makes it suitable for organizations of any size looking to secure access to their corporate accounts.
Why Use Duo Access?
There are a number of challenges that Duo Access can help your organization solve:
Account Takeover Is On The Rise
In today’s working world, we rely on digital accounts more than ever. The trend of workplace digitalization has been manifesting for years, but the COVID-19 pandemic acted as a huge catalyst for rapid change. As millions of employees around the world were told to stay at home in line with national lockdowns, their organizations quickly adopted cloud technologies—from videoconferencing to security software—to enable their employees to work remotely.
Unfortunately, the rapid rate at which businesses had to provision their employees to work remotely often meant sacrificing security. Cybercriminals thrive in times of uncertainty, and capitalized heavily on businesses’ lack of security architecture and their employees’ personal worries regarding the pandemic. In fact, the FBI’s Internet Crime Complaint Center (IC3) received a record number of complaints from American citizens in 2020, with over 28,500 of those complaints being related to COVID-19. These complaints included attacks targeting the Coronavirus Aid, Relief, and Economic Security (CARES) Act, the goal of which was to support small businesses during the pandemic.
One of the most damaging security threats businesses are currently facing is account takeover. Account takeover attacks involve a cybercriminal using stolen login credentials to gain not only unauthorized access to an online account, but also ownership of that account, by changing account details such as the recovery email address, phone number and notification settings, so that they can keep re-entering the account without the legitimate owner being alerted to the suspicious activity. Successful account takeover attacks can result in data loss, financial loss, reputational damage and identity theft, and unfortunately the threat of account takeover is on the rise, particularly among financial organizations. Last year, every second fraudulent transaction was an account takeover.
Duo Access offers robust multi-factor authentication (MFA), requiring users to verify their identities in two or more ways before they’re granted access to a corporate account. The second factor could be a fingerprint scan, a push notification to the Duo mobile app, a one-time passcode or a hardware security key, among others. MFA blunts account takeover because a bad actor who obtains an employee’s username and password through phishing or password guessing still cannot complete the additional verification step. One caveat worth stating: factors that ask the user to approve a prompt or type a code can themselves be phished or approved by mistake, so the strongest protection comes from phishing-resistant factors such as FIDO/U2F security keys, which bind the login to the legitimate site.
Free MFA Isn’t Enough
There are a number of free MFA solutions on the market that also provide protection against account takeover attacks, but while these solutions offer security, they fail to offer adequate management functionality. This lack of control and visibility means that end users are given the responsibility of implementing and managing MFA themselves. This is problematic for two reasons: firstly, it simply isn’t secure—some users may not set up the solution properly and some may choose not to set it up at all, leaving unprotected accounts vulnerable to compromise. Without centralized management, security teams have no real insight as to which accounts are being properly secured. Secondly, it encourages a culture that can blame the end user for security issues, which can lead to a wider problem of people not wanting to alert their security teams to potential incidents, because they think they may have been at fault.
When the average person, according to recent research, has over 100 passwords, it’s crucial that security teams have insight into who is accessing which accounts, from which location, and when. These insights can help security teams to detect account compromise attempts, as well as better manage access to privileged accounts.
Reporting functionality can also be helpful when it comes to auditing and proving regulatory compliance.
The Future Is Zero Trust
“Zero trust” security is an increasingly popular concept based on the principle that no user or device should be trusted with access to your data by default, whether the request comes from outside your organization or from within it. Because it’s a concept rather than a product, the technologies and policies involved in zero trust security keep evolving, focusing on verifying users and devices rather than on a static network perimeter. This makes a zero trust architecture a powerful model for organizations whose network isn’t based in one location, i.e. those with offices in multiple locations, or those with a number of remote or hybrid-remote workers. To build this architecture, organizations must implement a combination of solutions and processes that operate in tandem under the principle of zero trust.
Duo Access enables admins to configure the platform’s MFA and SSO policies at a granular level, helping to implement a zero trust approach to account access organization-wide.
The Solution: Authentication And Access Management
Despite these risks, 31% of all companies don’t require their remote workers to use a method of authentication to access corporate accounts. Of those that do, only 35% require multi-factor authentication.
User authentication and access management solutions like Duo reduce the risk of account takeover by ensuring that only verified users can access company applications and accounts. To do this, they offer a range of security features that enhance account security, such as MFA, single sign-on (SSO), and detection of anomalous access attempts. Together these features make it far harder for bad actors to access corporate accounts, even if they manage to steal or crack an employee’s credentials.
If your organization is among that 65% not currently using robust authentication to secure your corporate accounts, it’s time you make a change. Throughout the next sections, we’ll dive into Duo Access’ key features to help you decide whether Duo could be the right authentication and access management solution for your organization.
Duo Access Feature Breakdown
Adaptive Multi-Factor Authentication
Duo Access enables secure sign-in to all user accounts via multi-factor authentication. MFA is the process of requiring a user to verify their identity in two or more ways before they’re granted access to a system or application. This could be via something the user knows, such as a PIN; something they have, such as an authentication app or a hardware token; or something they are, using biometric technologies like fingerprint scanners. The problem with relying only on something the user knows, such as a PIN or a password, is that this factor can be guessed or copied without anyone noticing. To make it harder for an attacker, it’s better to add something that can’t be copied (because it’s a physical object or a unique instance of an application), or can’t be stolen without the user noticing (such as a U2F security key, or even a finger!).
Duo Access supports a wide range of authentication methods, including its own Duo Push mobile app, hardware tokens, one-time passcodes, U2F security keys and the biometric sensors built into a user’s device. Duo has also announced passwordless authentication based on the FIDO standards (originally scheduled for summer 2021). This flexibility makes Duo Access a suitable option for organizations that want to enforce MFA across a diverse device fleet made up of corporate devices and bring-your-own devices (BYOD), and it maximizes ease of use for end users, who can choose the most efficient authentication method for their device.
The Duo Push app enables users to verify their identities quickly and easily by sending the details of the login request directly to their phone. If the user requested the login, they can tap “approve”; if the login was unexpected, they can hit “deny” and stop the login from being authorized. Extra layers can be applied on top of this, such as requiring a biometric scan or the phone’s passcode before the approval is sent. This is a strong factor because the key that signs each approval is stored on the phone itself, so a remote attacker cannot reproduce it even if they know the user’s password. The weak point is the human: an attacker who already holds the password can send repeated push requests hoping for a reflexive “approve”, so users need to be told to deny and report prompts they did not initiate.
Duo’s MFA is adaptive and risk-based. It analyzes the login behaviors of each user and creates a baseline from this data, against which it compares each login attempt in search of contextual anomalies, such as a request from a new device or location, or at an unusual time. If a login is deemed suspicious, Duo can either block it completely, or require the user to provide further verification, as per admin configuration.
Single Sign-On
Duo Single Sign-On is a cloud-hosted single sign-on (SSO) feature that adds multi-factor authentication across corporate applications, creating a seamless login experience for end users. Integrated cloud applications redirect users to Duo for authentication, which prompts for a second factor before granting access, greatly reducing the likelihood of an account takeover attack.
Duo Access offers cloud-based SAML 2.0 SSO that provides secure access to all cloud applications with each user’s existing directory credentials (i.e. from your corporate Azure Active Directory database). Duo SSO also accepts on-premises Active Directory and cloud or on-premises SAML IdPs as identity sources. As well as enterprise cloud applications like Salesforce and AWS, Duo supports SSO for almost any app that supports the SAML 2.0 standard.
As well as offering SSO for end user access to corporate applications, Duo Access enables SSO to secure and streamline admin access to the Duo Admin Panel. This provides an extra layer of security for privileged users configuring MFA rules, and prevents a bad actor who has compromised a regular user account from reaching the privileged configuration behind it.
Duo Access also includes the Duo Access Gateway, an on-premises SSO option. It works in much the same way as Duo’s cloud-hosted SSO and provides SAML connectors for a set of enterprise cloud applications.
Adaptive Authentication Policy And Control
Duo Access enables adaptive, risk-based MFA and, as such, lets admins configure granular zero trust authentication policies. Under these policies, Duo restricts access for users and devices that don’t meet the configured security requirements.
With the Policy & Control feature, admins can configure policies globally, per application or per user group, to define who is allowed access to certain applications. Global policies apply to all applications, while custom policies can be assigned to specific user groups or applications to help streamline the authentication process for end users.
Policies take into consideration who the user is and the context of their login, then work with data from Duo Trust Monitor to allow or deny access requests.
The Trust Monitor feature analyzes Duo authentication data to create a baseline of normal user and device access behavior. From this baseline, Duo scores access requests based on how much they deviate from normal login behavior and flags suspicious activity such as requesting access at an unusual time, or from a different location. If a login is considered suspicious, Duo Access either requests further verification from the user or blocks the access request, according to the policy the admin has configured.
Admins can use the Trust Monitor to configure access policies based on who the user is, which applications they’re trying to access, which device/s they’re using, at what time, from which location, and using which authentication method.
Device Health
As well as restricting access based on user trust, Duo Access can restrict access based on device trust, thanks to the platform’s Device Health feature.
Duo Device Health enables admins to restrict access when devices don’t meet certain security requirements. These include the use of outdated operating systems and browsers as well as missing or disabled security controls, such as local firewalls, disk encryption, and screen locks.
When a user requests access, Duo checks the security posture of their device in line with the above requirements, and allows or denies access based on admin-configured policies. This helps to prevent users from accessing sensitive corporate data via devices with out-of-date or misconfigured security, which helps to prevent hackers gaining access to user devices through vulnerability exploits.
If a login request is denied, the Device Health feature informs the user on how they can remediate their device’s security posture to enable them to access the application they need.
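The decision the last several paragraphs describe, a per-application policy combining a user-behavior anomaly score with device-health checks and an allow/step-up/deny outcome, is small enough to show end to end. The following is an added illustrative example written for this article; it is not Duo’s code, the weights and thresholds are assumptions, and the user baseline and login requests are constructed sample data.

```python
"""Toy risk-based access policy evaluator.

Added illustrative example, not Duo's code. It shows the shape of the decision
the page describes (device trust, then factor policy, then user-behaviour
anomalies) using constructed sample data; weights and thresholds are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ALLOW, STEP_UP, DENY = "allow", "step_up", "deny"


@dataclass(frozen=True)
class LoginContext:
    """Everything known about one access request."""
    user: str
    application: str
    country: str
    device_id: str
    hour_utc: int            # 0..23
    auth_method: str         # "push", "u2f", "totp", "sms", ...
    os_up_to_date: bool
    disk_encrypted: bool
    screen_lock: bool
    firewall_enabled: bool


@dataclass
class Baseline:
    """Per-user history learned from prior successful logins (the 'normal')."""
    countries: Set[str] = field(default_factory=set)
    devices: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)


@dataclass
class Policy:
    allowed_methods: Set[str] = field(default_factory=lambda: {"push", "u2f", "totp", "sms"})
    require_healthy_device: bool = True
    step_up_at: int = 1      # anomaly score that triggers extra verification
    deny_at: int = 3         # anomaly score that blocks outright


def resolve_policy(global_policy: Policy, app_policies: Dict[str, Policy], app: str) -> Policy:
    """A policy assigned to the application overrides the global one."""
    return app_policies.get(app, global_policy)


def anomaly_score(ctx: LoginContext, base: Baseline) -> Tuple[int, List[str]]:
    """Score how far this request deviates from the user's baseline (assumed weights)."""
    score, reasons = 0, []
    if base.countries and ctx.country not in base.countries:
        score += 2
        reasons.append(f"new country {ctx.country}")
    if base.devices and ctx.device_id not in base.devices:
        score += 1
        reasons.append(f"new device {ctx.device_id}")
    if base.hours and ctx.hour_utc not in base.hours:
        score += 1
        reasons.append(f"unusual hour {ctx.hour_utc:02d}:00 UTC")
    return score, reasons


def device_health_failures(ctx: LoginContext) -> List[str]:
    """Return the remediation steps the user would be shown, if any."""
    checks = [
        (ctx.os_up_to_date, "install the pending operating system update"),
        (ctx.disk_encrypted, "enable disk encryption"),
        (ctx.screen_lock, "enable the screen lock"),
        (ctx.firewall_enabled, "enable the local firewall"),
    ]
    return [fix for ok, fix in checks if not ok]


def evaluate(ctx: LoginContext, base: Baseline, policy: Policy) -> Tuple[str, List[str]]:
    """Device trust first, then factor policy, then user-behaviour anomalies."""
    if policy.require_healthy_device:
        fixes = device_health_failures(ctx)
        if fixes:
            return DENY, ["device health: " + "; ".join(fixes)]
    if ctx.auth_method not in policy.allowed_methods:
        return DENY, [f"{ctx.auth_method} is not an accepted factor for {ctx.application}"]
    score, reasons = anomaly_score(ctx, base)
    if score >= policy.deny_at:
        return DENY, reasons
    if score >= policy.step_up_at:
        return STEP_UP, reasons
    return ALLOW, reasons


def record_success(base: Baseline, ctx: LoginContext) -> None:
    """Only allowed logins feed the baseline, so anomalies never become 'normal'."""
    base.countries.add(ctx.country)
    base.devices.add(ctx.device_id)
    base.hours.add(ctx.hour_utc)


# --- constructed sample data (hypothetical user, apps and policies) ----------
GLOBAL_POLICY = Policy()
APP_POLICIES = {"payroll": Policy(allowed_methods={"push", "u2f"}, deny_at=2)}  # stricter app
ALICE = Baseline(countries={"US"}, devices={"laptop-1"}, hours={13, 14, 15, 16, 17})
HEALTHY = dict(os_up_to_date=True, disk_encrypted=True, screen_lock=True, firewall_enabled=True)


def decide(**overrides) -> Tuple[str, List[str]]:
    """Evaluate a request for alice, starting from what her routine login looks like."""
    fields = dict(user="alice", application="wiki", country="US", device_id="laptop-1",
                  hour_utc=14, auth_method="push", **HEALTHY)
    fields.update(overrides)
    ctx = LoginContext(**fields)
    return evaluate(ctx, ALICE, resolve_policy(GLOBAL_POLICY, APP_POLICIES, ctx.application))


if __name__ == "__main__":
    for name, kw in [("routine", {}), ("new laptop", {"device_id": "laptop-2"}),
                     ("new country + device", {"country": "RO", "device_id": "laptop-2"}),
                     ("sms to payroll", {"application": "payroll", "auth_method": "sms"}),
                     ("unencrypted disk", {"disk_encrypted": False})]:
        print(f"{name:22s} -> {decide(**kw)}")
```

Two design points carry over to any real deployment: device checks run before the anomaly score, because a compromised endpoint makes the behavioral signal meaningless, and the baseline is updated only from requests that were actually allowed, so an attacker cannot “train” a new location or device into the user’s normal by repeatedly triggering step-ups.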
Duo allows users to manage their authentication devices with a self-service portal that can be accessed across corporate and personal devices to manage authentication access and remediate issues. With this feature enabled, admins give their users the power to manage their own authentication devices. It also saves help desk time and resources by reducing the need for users to contact IT staff to make changes to their authentication process; users can add, edit and remove authentication methods themselves, such as choosing between an SMS message or a phone call to verify identity.
In addition to managing their own authentication methods, users are able to troubleshoot their devices themselves. To mitigate the risk of attackers exploiting operating system (OS) vulnerabilities, Duo’s Device Health feature regularly checks each device for pending OS, browser and software updates and informs the device’s user of any that are due. It also advises the user on how to remediate the issue themselves, for example by installing the pending update.
One of the challenges that organizations often face when trying to roll out security across mobile devices is pushback from users with privacy concerns. These might include worries about a device being wiped, or the organization having access to messages and photos stored on the device, and this is often a concern among remote workers using their own personal devices for work. Duo Access’ self-service security updates through the Device Health feature help to address these privacy concerns, by making users responsible for the management of their device’s security posture without admin intervention. Admins don’t make any changes to the device; the end user does.
Duo Admin Panel
From an administration perspective, Duo Access gives security teams deep insight into authentication and application access organization-wide via the Duo Admin Panel. From the dashboard, admins receive an immediate overview of their authentication solution, including the total number of users and endpoints connected and the number of successful and failed authentication attempts in the last 24 hours. Admins can also use the centralized portal to drill down further and:
Manage their Duo Access subscription
Add and manage applications
Enroll, activate and remove users
Issue and manage offline, one-time passcodes
Configure adaptive authentication policies via the Duo Trust Monitor
View and manage mobile device health, including generating reports on the security status of each device’s operating system, browsers and plugins
Deployment And Integration
Duo Access deploys in the cloud, though SSO is also available on-premises via the Duo Access Gateway.
To help streamline the onboarding process, admins can import existing users and user groups directly from their existing directories into Duo without installing any on-premises software. Duo Directory Synchronization supports directory sync with Microsoft Active Directory, OpenLDAP directory and Azure Active Directory. If users are removed from the external directory, they’re automatically removed from the Duo subscription, too.
Duo Access also offers useful out-of-the-box integrations with hundreds of popular cloud- and web-based applications, such as Microsoft Office 365, Salesforce, Google, Dropbox and Slack, and Duo Security’s APIs allow further custom integration. Admins can also create custom integrations with any SAML 2.0-enabled cloud application. This enables admins to secure user access to all corporate applications, and to have visibility over that security from one central location: the Duo Admin Panel.
Support
Although Duo makes it easy for both users and admins to remediate most issues themselves, including wrongly denied login attempts, you may still need to contact Duo should you run into any challenges.
Duo’s website offers extensive support through their documentation pages, which include guides on set up as well as policy configuration and general management.
All Duo products include email, live chat and telephone support from 9-5 ET/PT, Monday to Friday, and 24/7/365 support via these channels for critical issues.
With the Duo Access plan, organizations can benefit from the Duo Care Premium Support. Pricing for this feature varies according to the number of users on your Duo subscription.
Summary
Duo Access provides powerful, zero trust MFA and SSO, as well as basic device health monitoring functionality, all via one intuitive platform.
Because Duo deploys in the cloud and offers native integrations with such a wide variety of applications, it’s easy to roll out and flexible enough to scale up as your organization grows. This makes it suitable for both SMBs and larger enterprises.
One of the most common reasons for Duo’s popularity is its ease of use. Both end users and security technicians praise Duo for its user-friendly interface. System admins also praise Duo’s granular configuration and reporting capabilities, which provide deep, customized insights into application security across the organization and at a per-user level.
We recommend Duo as a strong authentication and access management solution for any organization looking to mitigate the risk of account takeover attacks and gain deeper insight into account usage across their business.
Caitlin Jones is Deputy Head of Content at Expert Insights. Before joining Expert Insights, Caitlin spent three years producing award-winning technical training materials and journalistic content. Caitlin holds a First Class BA in English Literature and German, and currently provides our content team with strategic editorial guidance as well as carrying out detailed research to create articles that are accurate, engaging and relevant.