Still Using Passwords? Get Started with Phishing-Resistant, Passwordless Authentication Now! (2024)

Going beyond the hype, passwordless authentication is now a reality. Cisco Duo’s passwordless authentication is now generally available across all Duo Editions.

“Cisco Duo simplifies the passwordless journey for organizations that want to implement phishing-resistant authentication and adopt a zero trust security strategy.”
—Jack Poller, Senior Analyst, ESG

We received tremendous participation and feedback during our public preview, and we are now excited to bring this capability to our customers and prospects.

“Over the last few years, we have increased our password complexities and required 2FA wherever possible. With this approach, employees had more password lockouts, password fatigue, and forgotten longer passwords due to password rotations. With Duo Passwordless, we are excited to introduce this feature to our employees to keep our password complexities in place and leverage different biometric options, whether that is using their mobile device, Windows Hello, or a provided FIDO security key.

The Duo Push for passwordless authentication feature is simple and easy and introduces a more pleasant experience overall. Using Duo’s device insight and application policies, we are able to leverage and verify the security of the mobile devices before the device is allowed to be used. To top it off, Duo is connected to our SIEM and our InfoSec team is able to review detailed logs and set up alerts to be able to keep everything secure.”
—Vice President of IT, Banking and Financial Services Customer

As with any new technology, getting to a completely passwordless state will be a journey for many organizations. We see customers typically starting their passwordless journey with web-based applications that support modern authentication. To that end, Duo’s passwordless authentication is enabled through Duo Single Sign-On (SSO) for federated applications. Customers can choose to integrate their existing SAML identity provider, such as Microsoft (ADFS, Azure), Okta or Ping Identity, or choose to use Duo SSO (available across all Duo editions).

“Password management is a challenging proposition for many enterprises, especially in light of BYOD and ever increasing sophistication of phishing schemes. Cisco aims to simplify the process with its Duo passwordless authentication that offers out-of-box integrations with popular single sign-on solutions.”
—Will Townsend, Vice President & Principal Analyst, Networking & Security, Moor Insights & Strategy

Duo’s Passwordless Architecture


Duo offers a flexible choice of passwordless authentication options to meet the needs of businesses and their use cases. These include:

  1. FIDO2-compliant, phishing-resistant authentication using
    • Platform authenticators – TouchID, FaceID, Windows Hello, Android biometrics
    • Roaming authenticators – security keys (e.g. Yubico, Feitian)
  2. Strong authentication using Duo Mobile authenticator application

No matter which authentication option you choose, it is secure and inherently multi-factor. We are eliminating the need for the weak knowledge factor (something you know – a password), which is shared during authentication and can easily be compromised. Instead, we are relying on stronger factors: the inherence factor (something you are – biometrics) and the possession factor (something you have – a registered device). A user completes this authentication in a single gesture without having to remember a complex string of characters. This significantly improves the user experience and mitigates the risk of stolen credentials and man-in-the-middle (MiTM) attacks.

Phishing-resistant passwordless authentication with FIDO2


FIDO2 authentication is regarded as phishing-resistant authentication because it:

  1. Removes passwords or shared secrets from the login workflow. Attackers cannot intercept passwords or use stolen credentials available on the dark web.
  2. Creates a strong binding between the browser session and the device being used. Login is allowed only from the device authenticating to an application.
  3. Ensures that the credential (public/private key) exchange can only happen between the device and the registered service provider. This prevents login to fake or phishing websites.
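The three properties above are enforced by the relying party when it checks a WebAuthn assertion. The following added example (not Duo's code, and not from the original post) shows the relevant checks in Python over constructed data: the browser-supplied `clientDataJSON` must carry the server's one-time challenge and the expected origin, and the `authenticatorData` must carry the SHA-256 of the registered RP ID together with the user-present and user-verified flags and a signature counter. The RP ID, origin and the lookalike origin used in the negative case are placeholders chosen for the example. The authenticator's ECDSA/RSA signature covers `authenticatorData || SHA-256(clientDataJSON)`; building that signed payload is shown, but verifying the signature itself is left to a cryptography library and is not part of this block.

```python
import base64
import hashlib
import hmac
import json

# Constructed relying-party parameters for this example (placeholders, not real deployments).
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_authenticator_data(rp_id: str, user_present: bool, user_verified: bool, sign_count: int) -> bytes:
    """Build the 37-byte authenticatorData header an authenticator emits for an assertion:
    sha256(rpId) || flags (bit 0 = UP, bit 2 = UV) || 32-bit big-endian signature counter."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the browser builds it. The browser, not page script, fills in 'origin',
    so a page served from a lookalike host cannot claim the genuine origin."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    ).encode()


def verify_assertion(client_data_json: bytes, authenticator_data: bytes, expected_challenge: bytes,
                     expected_origin: str, rp_id: str, stored_sign_count: int):
    """Relying-party checks on an assertion. Returns (ok, reason, signed_payload); signed_payload is
    the byte string the authenticator signed and must then be verified with the registered public key."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", b""
    if client_data.get("type") != "webauthn.get":
        return False, "type mismatch: not an authentication ceremony", b""
    # Challenge binds this assertion to the server-issued login attempt (replay protection).
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch", b""
    # Origin check: a credential exercised on a phishing page carries that page's origin.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: got {client_data.get('origin')!r}", b""
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short", b""
    # rpIdHash: the authenticator scopes the key to the registered RP ID, so a key created for
    # login.example.com is never even offered to another RP ID.
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpId hash mismatch", b""
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user presence flag not set", b""
    if not flags & 0x04:
        # Passwordless logins rely on the authenticator's local biometric/PIN check as the second factor.
        return False, "user verification flag not set", b""
    sign_count = int.from_bytes(authenticator_data[33:37], "big")
    if sign_count != 0 and sign_count <= stored_sign_count:
        # A non-increasing counter suggests a cloned authenticator; treat as a failed login.
        return False, f"signature counter did not increase ({sign_count} <= {stored_sign_count})", b""
    signed_payload = authenticator_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", signed_payload


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed server challenge
    auth_data = make_authenticator_data(RP_ID, True, True, 42)
    print(verify_assertion(make_client_data(challenge, EXPECTED_ORIGIN), auth_data, challenge,
                           EXPECTED_ORIGIN, RP_ID, 41)[:2])
    print(verify_assertion(make_client_data(challenge, "https://login.example-com.test"), auth_data,
                           challenge, EXPECTED_ORIGIN, RP_ID, 41)[:2])
```

Each rejection corresponds to one of the three points in the list: no password travels in the exchange at all, the origin and RP ID hash tie the assertion to the registered service, and the counter and flags tie it to the enrolled device and the person holding it. Detection-wise, a burst of origin or rpId mismatches in relying-party logs is worth alerting on, since a genuine browser never produces them.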

Using Duo with FIDO2 authenticators enables organizations to enforce phishing-resistant MFA in their environment. It also complies with the Office of Management and Budget (OMB) guidance issued earlier this year in a memo titled “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles”. The memo specifically requires agencies to use phishing-resistant authentication methods.

We understand that getting the IT infrastructure ready to support FIDO2 can be expensive and is typically a long-term project for organizations. In addition, deploying and managing third-party security keys creates IT overhead that some organizations are not able to undertake immediately.

Alternatively, using Duo Push for passwordless authentication is an easy, cost-effective way for many organizations to get started on a passwordless journey without compromising on security.

Strong passwordless authentication using Duo Mobile


We have incorporated security into the login workflow to bind the browser session and the device being used, so organizations get the same benefits: eliminating the use of stolen credentials and mitigating phishing attacks. To learn more about passwordless authentication with Duo Push, check out our post: Available Now! Passwordless Authentication Is Just a Tap Away.

Beyond passwordless: Thinking about Zero Trust Access and continuous verification


In addition to going passwordless, many organizations are looking to implement zero trust access in their IT environment. This environment is typically a mix of modern and legacy applications, meaning passwordless cannot be universally adopted, at least not until all applications support modern authentication.

Additionally, organizations need to support a broad range of use cases to allow access from both managed and unmanaged (personal or third-party contractor) devices. IT security teams need visibility into these devices and the ability to enforce compliance with the organization’s security policies, such as ensuring that the operating system (OS) and web browser versions are up to date. The importance of verifying device posture at the time of authentication is emphasized in the guidance provided by OMB’s zero trust memorandum: “authorization systems should work to incorporate at least one device-level signal alongside identity information about the authenticated user.”

Duo can help organizations adopt a zero trust security model by enforcing strong user authentication across the board, either through passwordless authentication where applicable or through password + MFA where necessary, while providing a consistent user experience. Further, with capabilities such as device trust and granular adaptive policies, and with our vision for Continuous Trusted Access, organizations get a trusted security partner they can rely on for implementing zero trust access in their environment.

To learn more, check out the eBook – Passwordless: The Future of Authentication, which outlines a 5-step path to get started. And watch the passwordless product demo in this on-demand webinar.

Many of our customers have already begun their passwordless journey. If you are looking to get started as well, sign up for a free trial and reach out to our amazing representatives.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
