A new set of 2025 HIPAA security updates are on the horizon, bringing significant changes that aim to bolster the protection of electronic protected health information (ePHI). As cyber threats intensify, these updates are more than just regulatory formalities; they are critical measures to safeguard sensitive data.

Published in early January, the 2025 HIPAA Security Amendments are set to significantly enhance the protection of ePHI. The proposed changes are based off the US Department of Health and Human Services’ (HHS) goals of both addressing changes in the health care environment and clarifying what compliance obligations look like for regulated entities.

Organizations have 180 days to reach compliance according to stricter standards of identity cybersecurity if the proposed updates pass.

In order to be prepared, here are four things your organization or managed security service provider should focus on:

1. Deployment of mandatory security controls

2. Securing against known vulnerabilities

3. Documentation for annual audits

4. Clear goals for visibility, prevention, and remediation

But first, a quick recap of how the standard has evolved.

Background on the HIPAA Security Rule

The last major revision of the HIPAA Security Rule dates back to 2013 and the “Omnibus HIPAA Final Rule,” introduced to strengthen patient privacy and security protections. Amongst other requirements, the HIPAA Omnibus Rule of 2013 made business associates of covered entities directly liable for HIPAA compliance and adopted a four-tiered civil monetary penalty structure for violations that bumped the maximum fine from $25,000 per year to up to $1.5 million. That is to say, healthcare organizations and business partners may face greater liability in case of a security breach.

Between 2022 and 2023, the HIPAA Journal reported a jump from 51.9 million to 168 million records impermissibly disclosed. In 2024, the average data breach size jumped from 225,000 to nearly 400,000, though reports are still being counted. These alarming statistics underscore an urgent need for an amendment that encourages more stringent security measures to protect patient information.

Imaged sourced from HIPAA Journal, January 20, 2025

Key proposed changes to HIPAA Security Rule in 2025

1. Deploy mandatory security controls, such as MFA

“[The Department] provides that MFA as a source of identity and access security control is an important means to control access to infrastructure and conduct proper change management control.” — HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 2025, p. 87

The implementation of multi-factor authentication (MFA) is no longer optional. While the current Secure Rule allows distinction between “required” and “addressable” implementation specifications, the 2025 update makes all implementation specifications required with only specific, limited exceptions. That makes deploying security controls like MFA to all users essential for reducing unauthorized access risks.

In the proposal, regulated entities would be required to apply the proposed rule’s specific requirements for authenticating users’ identities through verification of at least two of three categories of factors of information about the user:

• Information known by the user, including but not limited to a password or personal identification number (PIN).

• Item possessed by the user, including but not limited to a token or a smart identification card.

• Personal characteristic of the user, including but not limited to fingerprint, facial recognition, gait, typing cadence, or other biometric or behavioral characteristics.

Cisco Duo’s award-winning MFA strengthens access control, providing an additional layer of security that is crucial for protecting PHI without adding unnecessary friction for busy end-users and health practitioners. Importantly, it protects against advancing identity-based attacks by offering wide coverage of authenticators—and the option to intelligently “step-up” login security according to detected risk patterns and access behaviors.

With the widest range of supported authenticators, Duo helps organizations transition away from weaker SMS and phone-call 2FA and towards push-based smartphone apps with verified number matching and phishing-resistant or passwordless authenticators.

Learn more about the types of Duo authenticators available.

2. Defining and preparing against known vulnerabilities

With the proposed amendment, organizations must now identify potential threats and vulnerabilities with greater accuracy, and with increased frequency at least once every six months (p.385). This includes insights across the supply chain, including external contractors and any partners who may have access to ePHI.

The Department also specifically updated the Security Role to define vulnerability, identifying that: “...exploitable vulnerabilities exist across many components of IT infrastructures including, but not limited to, servers, desktops, mobile device operating systems, web software, and firewalls” (p. 99).

In addition, HHS recommended that regulated entities “install vendor patches, make software updates, and monitor sources of cybersecurity alerts describing new vulnerabilities,” (p. 99) citing the NIST National Vulnerability Database and CISA’s Known Exploited Vulnerabilities Catalog.

Outdated software and operating systems pose common challenges for organizations looking to improve security—especially in a field like healthcare with several types of devices and legacy applications. One option is to install device managers like Cisco Meraki, Jamf, or Intune onto endpoints to enforce updates. However, for healthcare practices with contractors, unmanaged and BYOD devices, or simply desiring a less-invasive option, the management and maintenance of vulnerability patching can quickly become an IT strain.

Duo’s agent-free approach enforces device trust is at every point of authentication, checking for OS patches, firewall, encryption, and other security policies before granting access into sensitive ePHI. Without heavy, permission-demanding clients to install, Duo Desktop verifies the health and security of endpoint devices. The Duo Authenticator app also picks up on mobile device telemetry like if a device is running the latest OS patch, has full disk encryption enabled, and whether the device is jailbroken or rooted.

A lightweight client application for macOS, Windows, and Linux, Duo Desktop checks for device vulnerabilities before granting access. Available in Duo Advantage and Premier editions.

Duo analyzes what’s running on all users’ devices — managed or unmanaged, without the use of an agent. With data in an actionable device health report, administrators can easily see:

• An analysis of users’ devices, including current device OS, browsers, Flash and Java versions.

• Security health trends of all devices accessing business applications, including which devices are outdated or need to be updated by end users.

• The latest security events that may result in outdated devices, including a new browser or plugin update released by a software vendor.

Rather than pushing an update to the device, Duo encourages end-users to self-remediate out-of-date endpoints by only allowing access to protected applications if the device passes an organization’s configurable policies. This also cuts down on costly and unnecessary helpdesk and IT costs.

3. Have documentation for annual audits

Annual audits will now be a requirement for ensuring ongoing compliance according to proposed updates.

While the Security Rule does not currently require regulated entities to conduct internal or third-party compliance audits, such activities are important components of a robust cybersecurity program. Cybersecurity audits for insurance and regulatory bodies typically request paper trails documenting users, the applications they access, and the devices they’re accessing resources from. This can be challenging to deliver on—especially for supply chain partners or contractors with unmanaged devices.

Duo’s identity security solution provides complete device visibility into both managed and unmanaged devices. With Duo, you can maintain an inventory of all trusted devices accessing corporate resources, identify at-risk devices, and gain a deeper understanding of your security environment. This not only helps in preparing for audits, but more importantly continuously reduces risk by verifying trust of users, patching device vulnerabilities, and minimizing instances of shadow IT.

Duo’s dashboard provides security administrators with a snapshot of the overall access activity across their organization. The Duo Admin Panel simplifies ongoing compliance processes with comprehensive audit logs and reports for all users, applications, devices, and associated authentication behaviors, facilitating easier audit preparation and certification. Admins get timely lists of access attempts and the MFA protections in place for a specific user. They can also identify how many accessing devices have out-of-date operating systems and enable self-remediation.

A view of authentication insights in the Duo Admin Panel, available in all Duo editions.

“The dashboard gives us a high-level view of our organization. Useful information such as login failures, who logged into which application and when, number of deployed licenses and inactive users are all available right there. I can then easily drill down to the details of a specific login event with just a few clicks. We did not have this level of information before Duo.” — Security Architect, on how Duo helps to meet compliance and protect private patient information for a major healthcare provider in the Pacific Northwest. Read the full case study.

See the types of reports and logs available through the Duo Admin Panel.

4. A focus on visibility, prevention, and remediation

It’s clear that identity security will be a growing priority in 2025, especially with 80% of breaches leveraging identity as a key component according to Cisco Talos incident response reporting. Having complete visibility across an organization’s entire user environment is essential to reducing the risk of compromised credentials or other vulnerabilities—and a helpful tool for generating security reports.

With a complete view of your entire user inventory – including employees, contractors, and vendors – you can significantly reduce the risk of a breach and protect sensitive PHI data. Duo and Cisco Identity Intelligence pool insights across identity providers and storages, which make it easy to clean up dormant accounts, expand multi-factor authentication usage, and reduce administrator privilege creep. It also enables continuous status checks on the compliance requirements that are important to the industry.

Cisco Identity Intelligence adds a comprehensive layer of visibility, detection, and remediation that defends against security vulnerabilities outlined by HHS:

• Filter for users and identities that do not have MFA configured across all storage locations and MFA providers

• Get detailed insights on the devices accessing organization resources on a per-user basis, and set alerts for critical resources

• Run security checks that search for known vulnerabilities and align to security frameworks including MITRE ATT&CK, NIST, and CIS

• Generate reports on common audit requirements like MFA enrollment, license utilization, device operating system information, and shared accounts

A view of the checks performed by Cisco Identity Intelligence across all identity storages. Set up automated alerts for your organization’s security priorities, including checks aligned to industry and compliance frameworks. CII is available with the Duo Advantage and Premier editions.

The financial implications of these changes are significant, with estimated costs of $9 billion in the first year according to the Department of Health and Human Services (p. 302). However, the cost of inaction—potential data breaches, compromised patient safety, and legal repercussions—could be far greater. The Security Rule updates are not just about compliance; they are about safeguarding critical infrastructure and patient data, so visibility is key.

Take Identity Security to the Next Level with Duo

“The HHS 405(d) Program’s ‘Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients’ recommends a layered approach to cyber defense (i.e., if a first layer is breached, a second exists to prevent a complete breach).” — HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 2025, p. 86

The 2025 HIPAA Security Updates mark a significant shift in healthcare security practices. While MFA is a powerful tool that offers significant benefits in protecting PHI, it is no longer sufficient for the fight against unauthorized access. Identity security features like Duo’s device trust and adaptive authentication establish additional layers of security that both protect ePHI and defend organizational liability. For example, the ability to enforce security posture on the devices accessing sensitive patient health information with system reporting can help provide evidence of device encryption if equipment is lost or stolen.

Organizations that achieve compliance avoid audit penalties and enhance their overall security posture for future requirements. Duo’s easy-to-use interface and clear pricing reduces the TCO associated with traditional security tools like hardware tokens as well as deployment costs and undue burdens on IT teams.

Duo helps protect confidential patient information by integrating with Epic’s EHR to provide secure remote access that’s tailored to the needs of the healthcare industry. Duo supports Epic's newest Hyperdrive e-prescription workflow and continues to support the original Hyperspace workflow.

When it comes to the go-live of this specific Security Rule update, stakeholders have a 60-day window to submit comments on the proposal. In the meantime, healthcare organizations should begin reviewing their security programs internally or with their security providers and prepare for upcoming changes.

• For a fact sheet on the new HIPAA Updates, visit the HHS website.

• For more details on why Duo for Healthcare, visit the Healthcare solutions page.

• If you’re a managed service provider looking to become a Duo partner, visit the Duo MSP page.

Most people understand that Multi-Factor Authentication (MFA) is important. Among the myriad of security measures, MFA stands out as a crucial control to safeguard sensitive information and prevent breaches. Despite its effectiveness, many organizations still face challenges in achieving comprehensive MFA adoption across their entire user base and applications.

The Role of MFA in Preventing Breaches

MFA significantly reduces the risk of unauthorized access by requiring users to provide multiple forms of verification. According to Microsoft, enabling MFA can block over 99.9% of account compromise attacks. This statistic underscores the vital role MFA plays in an organization's security posture, making it an essential component in the fight against cyber threats.

The Need for Comprehensive MFA Coverage

Partial MFA deployment is akin to locking every door to your house – except one. If there’s a door open, attackers will find it – it's just much easier to waltz in an unlocked door! Organizations that roll out MFA only to select users or applications inadvertently create vulnerable points. To secure the organization more fully, it is imperative to extend MFA coverage universally, ensuring no aspect of the system remains exposed.

The Importance of Strong MFA

Not all MFA methods provide the same level of security. Basic forms like SMS-based MFA are susceptible to SIM swap attacks and push-based MFA can fall victim to push bombing. Hence, organizations are advised to adopt phishing-resistant MFA options, such as Passwordless or FIDO2-based options. Don’t just take our word for it, phishing-resistant MFA is consistently and repeatedly recommended by the Cybersecurity & Infrastructure Security Agency (CISA). Research also indicates that as attackers become more sophisticated, they are increasingly able to bypass traditional MFA mechanisms, highlighting the need for stronger, more resilient authentication methods.

Introducing: MFA Adoption Dashboard

To help organizations maximize their MFA effectiveness, Duo’s Identity Intelligence functionality is introducing a pivotal tool: the MFA Adoption Dashboard. It synthesizes complex data into actionable insights, addressing the common challenges of MFA deployment:

1. MFA Hygiene and Threats: Prioritize key areas for improvement by identifying critical gaps and behaviors that may compromise security.

2. Factor Usage and Enrollment: Analyze enrollment versus actual usage to ensure MFA factors are not just installed but actively protect against breaches.

3. Passwordless Adoption: Highlight progress and areas needing attention in the transition to passwordless authentication.

These insights empower organizations to refine their MFA strategies, fortify their defenses, and maintain transparency with stakeholders through easy-to-understand reports and visualizations.

Achieving Comprehensive MFA Coverage

In conclusion, widespread and strong MFA adoption is a critical element in securing an organization's digital assets. By leveraging tools like the MFA Adoption Dashboard, organizations can gain a comprehensive understanding of their MFA posture and take actionable steps to enhance both coverage and strength. As cyber threats continue to evolve, it is essential for organizations to remain vigilant and proactive in their MFA implementation strategies, ensuring robust protection against potential breaches.

If you’re interested in learning more, reach out to your account representative or contact a Duo expert today.

Users are weird. That’s not a value judgement – it's just true that end users in an organization do all sorts of things. The job of IT and Security professionals is often to label this weirdness with value. Are these actions “good weird” (ex: taking a trip to a new location to close business)? Are they “bad weird” (ex: a user’s account has been dormant but now tries to sign in without MFA)?

The faster teams can make these judgements the better. Duo’s Identity Intelligence feature offers a powerful tool in this domain: the User Trust Level. This innovative approach helps organizations manage user-related risks more efficiently by assigning trust levels based on a comprehensive evaluation of user behavior and context.

What is a User Trust Level?

The User Trust Level is a dynamic assessment of risk associated with each user in your organization. Cisco Identity Intelligence calculates this level by analyzing various factors such as user behavior, context, and historical data from multiple identity sources.

The algorithm first sets out a framework of risk types. For example, there is “inherent risk” or the elevated risk of a powerful user like an administrator or executive. There is also “posture risk” or the risk of account takeover given the current security controls assigned to and used by the user. The algorithm maps risk to each of the various components using the data available (the more data available – the better) and then distills those components into an overarching User Trust Level. User Trust Levels range from "Trusted" to "Untrusted" and serve as indicators of how safe or risky a user is at any given time.

The Value of User Trust Levels

In an ideal scenario, User Trust Levels would be shared in real-time across all systems, seamlessly enhancing security workflows and policy decisions. Imagine a world where the slightest change in user risk is effectively accounted for and shared instantly with relevant access points like Secure Service Edge (SSE) or Firewall tools. These tools could always make the most informed decision possible about access. And, to be clear, Cisco is building this vision by integrating the User Trust Level into its broader portfolio. The philosophy of this effort is critical – because sharing enriched user context across the broader networking and security ecosystem is fundamental to an “identity-first” approach to Zero Trust.

How to Leverage User Trust Levels in Your Organization Today

While the theoretical benefits of User Trust Levels are significant, practical implementation requires some consideration. One key aspect to understand is that today’s User Trust Levels, though informed by a multitude of data points, should often incorporated into decisions as a directional variable, but not the only variable. They provide a holistic view of a user's risk profile over time and therefore should be used like IP reputation to inform actions and decisions.

User Trust Levels are best utilized in workflows where they can be assessed as part of a broader context. For example, in threat detection and response workflows, the trust level can help prioritize which users require immediate attention and remediation. An "Untrusted" user signals high priority and should prompt further investigation, especially when correlated with alerts from other security tools.

Another practical use case involves access policy decisions. As a concrete example, Cisco Secure Access can ingest the User Trust Level — and in the future, will be able to designate which resources a user can access or authentication requirements for users with a specific trust level. However, while it seems fine to use User Trust Levels for dynamic access control, the implications of doing so are important to consider.

“What happens when a user is blocked?” is a key question to answer. If access is denied based on a low trust level, there must be a clear process for users to regain access, preventing unnecessary disruptions. There are other ways to approach the problem as well. Perhaps risky users are not blocked outright – but they must perform a form of phishing-resistant MFA to gain access after being labeled “untrusted.”

On the flip side, when trust levels are "Trusted," there must also be stop gaps in case that User Trust Level calculation was missing a critical piece of information. Therefore, policy should never be so lenient such that the User Trust Level assessment is the only thing standing between an attacker and a valuable resource.

However, all this being said, User Trust Levels are still a great way to enrich all of these workflows and decisions! A User Trust Level is not a silver bullet, but it is a fantastic way to improve defenses.

Taking Concrete Steps Towards an Ideal Future

The User Trust Level is a transformative tool in the realm of identity security, offering a nuanced approach to managing user risk. By understanding its theoretical value and practical implications, organizations can better integrate it into their security strategies, leveraging it to enhance detection, response, and access decisions. As Cisco continues to innovate in identity intelligence, User Trust Levels will undoubtedly play a pivotal role in shaping the future of cybersecurity. To understand more about how to use User Trust Levels to secure your organization – contact a Duo expert.

“The best way to break in is through the front door.”

We’ve heard some version of this phrase many times over, whether it pertains to a bad actor physically breaking into a secured building or socially engineering an unsuspecting victim to provide access to protected information. The cybersecurity landscape is littered with front doors, while modern society’s reliance on digital technologies is only increasing. Inevitably, several times during the workday, employees need to enter their credentials to when they turn on or unlock their device with Windows Logon — the front door. The ability to safely access our computer plays a key role in developing trust in adopting these technologies which do more good than harm.

In the world of access management, we have seen wide deployment of multi-factor authentication (MFA) at the point of the Operating System (OS) to invoke the layer of something you know (i.e., a password) and something you have (i.e., a registered device). This move made it harder for bad actors to gain unauthorized access to the endpoint device and the data on it. Consequently, these adversaries have since adapted and continue to find creative ways to pass through the metaphorical front door of our machines. The latest trends notoriously involve a cocktail of push phishing, password spraying, stolen credentials and many other nasty ingredients.

To address the burden that these attacks place on ‘all those who want to protect their local logins’, Cisco Duo is thrilled to announce that Passwordless Authentication for Windows Logon (PWL OS Logon) is now generally available (aka GA) in all editions!

Passwordless for Windows Logon is compatible with Duo Passport, a new capability that we announced at RSAC 2024. Together, the two capabilities deliver a true and secure single sign-on experience for the workforce right when they start their day by logging into a Windows device.

See the video at the blog post.

How does this improve the proverbial front door?

Cisco Duo’s approach to a passwordless experience at the OS enables a stronger, usable defense in variety of ways (in addition to not having to enter your password):

Stronger

Useable

Where won’t Passwordless for Windows logon work yet?

This version of Passwordless for Windows logon will not work in RDP (remote desktop) sessions. Given the crossing of the trust boundary, our research shows that a different approach will be needed in the future to assert the trust of the same user on the same device.

This version of Passwordless for Windows Logon also will not work with the Remembered Devices policy (aka ‘Remember Me’) yet. This is because the removal of passwords at the entry point will require end users to prove they are who they claim to be via proximity + biometric while logging into the workstation to resume a session. We plan to investigate this as a feature offered in future versions, however!

Passwordless Offline Mode is coming soon — it is in our roadmap, but not here yet! The current experience will default to the existing Windows Logon Offline mode.

How can I try Duo Passwordless for Windows logon?

If you’re interested in trying out the release, you can find the release note. For installation specifically, look for the GA build, Version 5.0.0.0 on the checksums page. All are welcome!

For the past few years, we’ve observed an increase in identity-based attacks across all sectors. To illustrate the point, last quarter our own Cisco Talos team saw “a surge in password-spraying attacks.” In one of their documented cases, an organization reported that 13 million authentication attempts were made in 24 hours against known accounts. In the case of password spray, looking for startling increase in authentication traffic can be vital.

However, other identity-based techniques are difficult to detect because uncovering one stolen credential in a sea of valid sessions is like finding a needle in a haystack. IT environments are increasingly complex, and applications, security products, and identity providers don’t speak the same language, leading to more silos, even when everything was designed in the name of simplicity.

The Shared Signals Framework is a standard from the Open ID Foundation that seeks to solve this problem. The framework provides a secure way for entities involved in identity management to exchange signals that help ensure the integrity, trustworthiness, and security of user activity, even post-login. Service providers can broadcast any anomalies that could indicate session hijacking, account takeover, or fraud, so that other providers can quickly take action to verify that the user account is safe.

Cisco has played a key role in the development of the Shared Signals Framework, and we plan to continue our investment in the evolution of the standard. In 2021, we launched SharedSignals.guide to help developers learn about the framework and how to adopt it. One of our principal engineers serves as a co-chair of the Open ID Foundation’s Shared Signals Working Group, where he helps with the development of the standard. Most recently, in December of 2024, we attended the Gartner IAM conference interoperability event, where we demonstrated the power of Shared Signals in detecting and preventing session theft, a top security concern for our customers.

We partnered with AppOmni and SGNL to showcase a powerful story in which AppOmni identified a risky and compromised session and transmitted that event to Duo. Duo then revoked the Duo session and required the user to authenticate with a more secure factor via step-up authentication. In the final part of the demo, Duo transmitted the event to SGNL, who revoked the user’s SaaS application sessions. This helps security teams reduce the potential for lateral movement once a user’s credentials have been compromised, and importantly, significantly reduces the time to resolution. Attackers have easy access to toolkits that allow them to exfiltrate large amounts of data faster than a human can reasonably respond to. The Shared Signals Framework allows customers to respond to threats in real-time and ensure that the user is who they say they are.

Session theft is just one threat that the Shared Signals Framework can help protect against. Many different kinds of security vendors participated in the interop event in December, highlighting the capabilities of this new framework. We saw demos from MDM products, IGA vendors, and other identity providers that showed how Shared Signals can be used to dynamically change user permissions based on risk. If risk is detected on a device, for example, Shared Signals can help an organization minimize possible damage by locking down the identity and application sessions. Today, this would take a lot of correlation and time, all the while allowing the attacker to try and gain access to more sensitive resources, but Shared Signals makes this enforcement happen in real-time.

We are also exploring how Shared Signals helps deliver a better experience across Cisco products. Customers who use multiple Cisco security products together can look forward to Duo sharing identity data to a variety of products all in real-time for better security outcomes. Imagine, for example, that Duo detects a pattern of logins that are highly suspicious from a particular user. With Shared Signals, Duo could send that data to Cisco XDR to help enrich the detections happening there. With Cisco Secure Access, Shared Signals can help Duo communicate risk to cut off access to the network. We are very excited to see how Shared Signals with Duo can help on your identity security journey.

If you’d like to learn more about how Duo and Cisco are using Shared Signals – please feel free to reach out to your account team or contact us.

With the rate that new threats emerge, it may come as no surprise that cyber liability insurance can be traced back to 1997.

In its modern iteration, cyber liability insurance mitigates the losses and business costs associated with cyber incidents and resulting downtime. CyberCube, a company specializing in quantifying cyber risk, estimates that the U.S. standalone cyber insurance market could reach $45 billion in premiums by 2034.

It remains a challenge for smaller organizations to know exactly what insurers are looking for and avoid being priced out of policies. These smaller companies won’t have the resources to implement the holistic security strategy expected by insurers. At least not alone.

Today, many now turn to MSPs to provide technical support and help advise on an insurance policy (along with their digital infrastructure). But what do they need to know?

What would an insurer do?

Supporting SMB cyber insurance requirements means MSPs need to think like an insurer; what’s their customer’s data backup plan? Are endpoints protected? Are network ports closed?

The reality is that cyber insurance isn’t too dissimilar to traditional liability insurance. Home insurance is void if you leave your door unlocked, so why should cyber work any differently? Just like home insurers will recommend access control, cyber liability insurance has its own requirements:

1. Authentication is ‘key’ and a core requirement

Considered by insurers as one of the most important security controls, multi-factor authentication (MFA) protects against stolen credentials by using two or more factors to identify the user (beyond the traditional username and password). It is the best defense against identity-based breaches, preventing over 99% of account compromise attacks. In an insurer’s eyes, this represents the foundations of a zero-trust posture, i.e., the ‘locked door’ of your digital environment.

MSPs can support this MFA requirement, ensuring important nuances like integrating advanced protection for admins (with access to sensitive information), as well as covering all applications and edge cases. It’s also important to support two-factor authentication for Remote Desktop Protocol (RDP), which allows users to remotely access and control a computer. This is typically an easy way for threat actors to enter a system – Sophos found that RDP is abused in 90% of cyber-attacks!

2. Healthy devices reduce risk and keep premiums low

Hybrid work and increasingly diverse IT ecosystems have complicated the access conundrum, with many SMBs relying on a BYOD policy today. Insurers will expect stringent policies around devices accessing an organization’s systems – managed or unmanaged, with the full range of operating systems. MSPs can offer client value by managing and reporting on device health indicators such as firewall status, disk encryption status, presence of endpoint detection and response agents, and software vulnerability updates. Help SMB customers keep device hygiene risks low by setting device health-based access policies and enable users to self-remediate without having to open a ticket.

The best practices from five years ago tend to still be the best practices. An insurer just wants you to prove that you’ve implemented those best practices. And that will be very effective in bringing your insurance premiums down.” — Webinar: CyberCube and Duo Security Answer Top Cyber Insurance Questions

For more on what insurers look for, check out our ebook Cyber Liability Insurance for Small and Medium Businesses for the essentials.

What can Duo do?

Using the right tools is crucial to help SMBs meet cyber insurance requirements and reduce premium costs by putting security best practices in place. With Duo, MSPs can:

• Support leading authentication methods, including number-matching verified push, biometrics, FIDO2 security keys, OTP hardware tokens, mobile app and SMS passcodes.

• Reduce RDP risk by adding two-factor authentication to Windows and Windows Server logon scenarios.

• Integrate across more than 200 applications out-of-the-box, as well as devices or systems using RADIUS for authentication (Cisco Duo integrates with VPN or devices by installing a local proxy service on a machine within a network).

• Allow access to only devices that meet an organization’s trust and compliance requirements, and turn on guided self-remediation for end users.

• Improve endpoint security by ensuring devices are up to date through regular automated pushes and providing the ability to monitor and set access policies.

• Ensure organizations comply with changing industry regulations — like the Federal Trade Commission’s MFA Safeguard requirements — with compliance-friendly reporting and logs.

Duo MSP makes it easy for partners to buy, manage, and grow. Learn more about the Duo MSP program and its benefits on our partnership page.

Humans aren’t machines, and naturally they make mistakes. In fact, Verizon’s most recent Data Breach Investigations Report found 68% of breaches involve a non-malicious human element.

This is a statistic MSPs know far too well. They’re aware the human factor is one of the most unpredictable within the security mix. Combine this with remote working practices, and MSPs have a lot to manage. How can they help customers get secure access right?

Security or productivity — that's not the question

A hybrid workforce typically relies on a variety of devices, and the rise of BYOD (Bring Your Own Device) policies can create problems for security. Often, these devices are unmanaged and outside of an MSPs control, restricting the level of insight for making access decisions.

But hybrid work is here to stay. It has been adopted in 62% of workplaces, according to Zoom, and has catapulted remote access security to the top of the agenda. Associated threats include:

• Password spraying — A type of brute-force attack where a hacker attempts to gain unauthorized access by systematically trying a few commonly used passwords across many accounts. We have seen an increase in this method towards Remote Access VPNs, or as a common attack vector for Remote Desktop Protocol (RDP) abuse.

• Fraudulent Device Registration — An attack where an attacker uses stolen credentials to register a new, fraudulent device to an adversary-controlled account with access to MFA to gain persistent access.

• Push spamming — An attack where attackers repeatedly push second-factor authentication requests to the target victim's email or phone, frustrating them to the point where they accept the false request.

Other MFA-targeting attacks include push phishing and MFA interception, where an attacker steals a one-time code that is sent through an SMS (short message service) or email and proceeds to log in with the user’s credentials and MFA code.

Yet when protecting against these risks and managing access securely, it’s crucial that it’s not a security vs. productivity argument. The two do not have to be mutually exclusive. Organizations still want a seamless experience to access their digital environments, and an MSP shouldn’t simply be adding more barriers to entry.

A three-step process

To provide both positive and secure experiences for organizations, MSPs can focus on three areas. The good news? Duo can help MSPs deliver quality security practices with all of them.

1. User trust

We always hear the saying, “never trust, always verify.” This starts with Multi-Factor Authentication (MFA) and should evolve to include continuous verification, to stop attackers even after the point of login. Following the principle of least privilege, MSPs can create custom remote access policies and controls, defined by roles and user groups to prevent lateral movement.

For Duo MSPs: MFA is one of the strongest security protections, but not all MFA is created equal. Breaches demonstrate instances where traditional MFA like SMS and phone calls have been subverted. Duo protects against MFA-targeting attacks with anti- push-spamming features and a wide range of authentication types, including number matching and phishing-resistant FIDO2 options to help you transition clients away from the less secure methods.

2. Device trust

MSPs need to establish trust in the devices requesting access, whether this be remote employees, contractors or other third parties (when these unmanaged devices are outside their control). Identify risky devices and regularly report on device health to make this possible.

For Duo MSPs: The Duo Admin dashboard helps busy administrators see the whole picture while minimizing the administrative steps. IT admins can understand with just a few clicks which employees are using risk devices with unprotected endpoints and set up access policies tailored to clients’ risk tolerance with Duo Trusted Endpoints.

3. Security from anywhere

If an organization has embraced hybrid working practices, they’re likely running applications across a mixture of cloud environments. For consistent security, MSPs can’t miss security across VPNs, cloud apps, web apps and any custom services.

For Duo MSPs: Duo secures remote access protocols (VPN, RDP, SSH) by providing flexible access solutions used in conjunction with existing VPN solutions, reverse proxies and bastion hosts. When managing security remotely, MSPs can use tools like Duo’s free Helpdesk Identity Verification to ensure they’re talking to the right person on the other side of the phone.

Show your clients that stronger security doesn’t have to be cumbersome and improve productivity with a more straightforward administrative experience. Duo MSP helps service providers buy, sell, and grow Duo’s leading access security solution. To learn more or get started with a free demo, visit our Duo MSP page.

For more ways to protect remote work for your customers and solve other common client pain points, get the partner-ready Duo MSP Sales Playbook.

Over the last few years, identity-based attacks have become increasingly prevalent. This is in part due to the increasing complexity of identity and access management systems and their configurations and, in part, due to the rapidly evolving techniques employed by attackers. Identity-based incidents often begin with malicious actors gaining a first access foothold into a corporate environment.

CISA tracks evolving initial access techniques

Organizations like the Cybersecurity & Infrastructure Security Agency (CISA) have been diligently tracking the techniques employed by attackers to infiltrate systems. As cyber threats continue to adapt, it's essential for businesses to stay one step ahead.

Last year, CISA identified several key methods attackers use to gain initial access to corporate resources. These include exploiting service and dormant accounts, leveraging token authentication, enrolling new devices, and utilizing residential proxies.

Let’s take a moment to review each of the techniques:

How Duo and Identity Intelligence can help detect and prevent these techniques

Duo Security offers a suite of features designed to combat these emerging threats effectively:

The advantage of cross-platform correlation

The real advantage of Duo and Identity Intelligence lies in their ability to correlate activities across disparate identity systems to a single user and their activity. By analyzing cross-platform data components and building a full picture of a risky activity, Duo enables defense-in-depth against identity-based techniques. For example, Duo and Identity Intelligence can see when a dormant account attempts to enroll a new device from a personal VPN.

Duo can then adjust the User Trust Level of the implicated account accordingly, giving security teams the context they need to act effectively.

If you're interested in learning more about how Duo can help you address evolving initial access techniques, check out our Securing Organizations Against Identity-Based Threats ebook. Or, reach out to your account team or get in touch with sales today.

Staying ahead of threats requires proactive measures, and Duo is here to help secure your organization's future.

The phone rings. You answer, and the person on the other side claims to be Employee Joe from one of your clients. He’s asking if you can help him with a password reset and he’s calling from a recognized number…do you trust it?

MSPs will typically recognize warning signs, yet threats are becoming more sophisticated and effectively throw the hymn sheet we’ve all been singing from out the window.

In recent webinar “Preventing Helpdesk Phishing with Duo and Traceless”, Duo PMM Katherine Yang sat down with Gene Reich, Co-founder of Traceless to discuss why stronger identity verification is critical for MSPs and helpdesk teams—especially with the increased accessibility of AI technologies driving identity fraud. Prevention is key, and as Katherine argues, “if verification isn’t present, it really can’t be a trusted interaction.”

Protecting your MSP — The threats

Identity is a growing, and vulnerable, perimeter. The user is often the first and last layer of defense an organization has, and scams are becoming increasingly convincing.

In the 2019 MGM cyber-attack, in which a threat group found its way in through helpdesk impersonation, the hackers were, “young, savvy, and familiar with basic IT workflows, they knew identity and access management protocols and [were] native English speakers.” — Preventing Helpdesk Phishing with Duo and Traceless Webinar

Helpdesk impersonation is a big concern today, with MSPs contending with fraudulent attempts from attackers pretending to be clients. Simultaneously, customers are also targeted by hackers pretending to be their IT team. This includes methods like:

• Vishing: Voice phishing through fraudulent phone calls to trick victims into providing sensitive information, often login credentials or financial details.

• Number spoofing: Pretending to be a legitimate source — a business, colleague or trusted contact to access personal information, money or spread malware.

• Phishing Kits: To make phishing campaigns more efficient, attackers will often reuse their phishing sites across multiple hosts by bundling the site resources into a phishing kit.

The worry is that AI is lowering the barrier to entry for cybercrime, with emails and voice cloning becoming increasingly convincing. Traceless, an advanced threat protection solution for securing modern communications, was founded when Gene realized the risks his own MSP faced in sending and receiving sensitive information. When threat actors figure out how to automate defense evasion techniques, organizations cannot respond and remediate quickly enough. According to Gene, “the automation [and] the tool stack improvement on the attacker side is going to rapidly accelerate and increase.”

Protecting your MSP — The solution

Solving the problem of helpdesk phishing requires preventative action and a tested plan in place to mitigate the fallout if a breach does occur. So how do we bridge that trust between an MSP and client? Gene argues “we need to start thinking critically about MFA securing communications. We are in a world where voice calling is not enough to confirm transactions.”

In a quick poll during the webinar, MSP attendees shared that they use a few mechanisms for verifying identity: security questions, PINs, employee IDs or phone number call-back. For the savvy, an app-based MFA push enabled smoother helpdesk interactions.

It’s all about identify verification. More traditional methods for helpdesks might have been a callback but this can be time-consuming and in the era of ‘vishing’, it is no longer effective.

Watch the full webinar for more security insights, tips and best practices for verifying identities and securing communications with customers.

How can Duo MSP help?

Duo aims to provide a holistic identity security solution with multi-layered defenses and features like device trust and centralized access controls to help MSPs keep their clients safe. This includes:

• Free push verification to check user identity real-time before granting access or making changes, while customers are still on the phone

• Granular role-based controls so employees can still access their data, while keeping more sensitive information secure/reducing risk of lateral threat expansion

• Segmented access policies to keep track of who is accessing from where for greater visibility and to create a baseline for identifying abnormalities

• MFA for an extra layer of security and an audit trail, along with single sign-on and passwordless authentication for more advanced access security protections

A solution worth your time is one that focuses on security efficacy but is also designed for better customer and management experience.

Preventing helpdesk phishing is more than just adding a solution; it's all about layering preventative and responsive measures that will keep pace with modern attacks.

Traceless is a security tool and Duo technology partner that offers advanced threat protection for communication platforms including ticketing and chat. Traceless has prevented thousands of phishing attacks and protects some of the largest MSP and IT departments in North America, ensuring maximum security against phishing, Voice AI attacks, account takeovers and data exfiltration. To learn more about identity verification and secure data transfers with Traceless, visit the Traceless website.

If you’d like to learn more about the Duo MSP program and get started as a partner, visit the Duo MSP web page.

The holiday season is in full swing, and that means cybercriminals are busy building and launching attacks to steal user credentials. Their ultimate goal? To use those valid credentials to gain network access and steal data, employee and customer information, and other valuable resources. They may even use compromised privileged credentials to launch a ransomware attack and hold your organization hostage for a hefty ransom.

Phishing is still one of the most common attack vectors, and the holidays provide an especially appealing time to launch an attack that’s been supercharged by modern natural language processing models and novel QR codes. While we tend to associate phishing emails more with our personal accounts, attacks targeting our work identities whether through socially engineered phishing, brute force, or another form, are very common.

An email containing a QR code constructed from Unicode characters (defanged) identified by Cisco Talos.

For example, this looks legitimate. What if it’s that nice swag box everyone on the team has been getting for the holidays? According to research by Cisco Talos, malicious QR codes are bypassing spam filters in increasingly clever ways. Scanning an unknown QR code is the modern equivalent of clicking on a suspicious link.

No industry is spared this phishing season, though some are targeted more often than others. According to the Cisco Talos Incident Response Team, organizations in the education, manufacturing and financial services verticals were the most affected by identity-based attacks during the third quarter of 2024. Combined, these sectors accounted for more than 30 percent of account compromises. 

What you may not know is that once a user’s identity is stolen, bad actors don’t always use the credentials straight away. They’ll wait until a time when your IT and SOC (security operations center) teams are reduced such as over a holiday break or weekend.

In its 2024 Ransomware Holiday Risk Report, Semperis found that 86% of study participants who experienced a ransomware attack were targeted on a weekend or holiday. Why? Staffing during those times is lighter which means identifying and responding to threats will be slower.

In that same report, 85% of respondents stated they reduce their SOC staffing by as much as 50% on holidays and weekends. It’s easy to see why cybercriminals view this as a good time to strike. After all, why attack when it’s convenient for your victim?

Beyond staying extra vigilant over the holiday season and weekends, how else can you protect against attacks targeting your users’ identities? Here are five actions you can take with Duo to stop threats, with direct links to documentation to get started:

• Deploy Phishing-resistant MFA — According to the CISA advisory on implementing phishing-resistant MFA capabilities, SMS and voice-based MFA are vulnerable to phishing, SS7 and SIM swap attacks.

Duo supports the only widely available phishing-resistant FIDO/WebAuthn authentication through Duo Passwordless, encompassing “roaming” physical token authenticators and “platform” authenticators embedded into laptops and smartphones. But we know that going completely passwordless is a journey. To level up mobile app MFA, turning on Verified Duo Push number matching is an excellent way to protect against MFA fatigue and push bombing attacks.

Bonus Tip! Since MFA/Push notifications are prompted after users enter their credentials, system administrators are advised to investigate fraudulent pushes as well as issue new user credentials. In Duo, see how to easily generate a Denied Authentications report through the Duo Admin Panel.

• Reduce Your Reliance on Passwords — Fewer, stronger passwords can reduce the likelihood of re-used credentials or your users adding an exclamation point to the end of their password leaked one month ago.

Duo’s single sign-on solution (SSO), available in every edition, secures all your organization’s applications and offers inline user enrollment, self-service device management, and support for a variety of authentication methods. Combining passwordless and SSO decreases end-user login fatigue while still maintaining powerful security and incorporating frequent device health checks. With the newly announced Duo Passport, experience just one login and MFA prompt from the beginning of your day to the end.

• Adapt and Respond — With Risk-Based Authentication, you can dynamically respond to changes in risk level by requiring a more secure authentication factor such as a Verified Duo Push or biometrics before granting access.

• Verify Device Trust — Control access to resources on your network by allowing only devices that are part of your inventory of trusted devices — whether managed or unmanaged and company-issued or personal— and that are up to date and have a healthy security posture.

• Gain Deeper Visibility — A key component of Duo’s Continuous Identity Security solution, Cisco Identity Intelligence provides deep visibility into identity-based attacks while also helping reduce gaps in your security coverage before, during, and after login.

This holiday season, spend less time on phishing training and more time perfecting your secret eggnog recipe. Try Duo at no cost with our free trial, or learn more about how to turn on Duo’s advanced identity security features with our on-demand value-maximizing webinar More Bang for Your Buck: Duo Advanced.

The dissolution of the traditional security perimeter and the increase in identity-based attacks has come with its fair share of new risks for security practitioners to consider. From MFA bombing to adversary-in-the-middle (AITM) tactics, there are a variety of ways attackers are targeting weak spots in identity and access management (IAM) infrastructure and processes.

One that has been highlighted by CISA in many of its recent briefs is the Help Desk Attack. This technique involves an attacker contacting the help desk, often with relevant context regarding a high-profile employee, and then demanding a password and MFA factor reset. Typically, the attackers will use urgency and feigned authority to put fictional pressure on the help desk worker (ex: “I am boarding a flight with the CEO, and I need this now”). However, in some cases, attackers will pretend to be a naive worker who does not know how to use technology (ex: “I never understand this MFA stuff”).

The fundamental problem the attacker is exploiting in either case is identity verification. It is difficult to virtually verify a caller is who they say they are in a timely manner.

If the help desk worker complies, the attacker will have gained initial access and will typically reset the account credentials, both password and MFA devices, to be under their control. This first foothold is a dangerous step towards attackers gaining more malignant access and control of internal systems.

So, how should we think about preventing, detecting, and responding to help desk attacks?

Preventing Help Desk Attacks

There are two key components to prevention:

1. Reduce the number of tickets associated with authentication and MFA addressed by the help desk.

2. Equip help desk workers with the proper training and tools to identify and prevent active attacks.

Reducing help desk tickets

Let’s begin with the first component: reducing the number of help desk tickets associated with authentication. This may seem like a round-about way to solve the problem of help desk attacks, but if there are fewer overall tickets associated with the authentication and MFA then help desk professionals have more time to consider each request. There is less urgency for any given ticket, and if an MFA-related request is rare then it will fall under something that should be given more scrutiny. In the end, we’re hoping for this type of reaction from the help desk: “Hey, this type of request isn’t common — perhaps I should double-check it.”

So, how do we reduce help desk tickets associated with MFA? At Duo, we have been working on this problem from three angles.

1. Invest in simple, intuitive design

2. Securely reduce the number of times users are asked to authenticate

3. Empower users to remediate security and IT issues themselves

There are many ways that Duo emphasizes these three pillars in our product, but there are a few examples that should be highlighted. Duo’s Universal Prompt provides a sleek UI that makes it easy for a user to understand their options and how to engage. The Universal Prompt also has customization functionality so organizations can implement their own branding and coloring to make it even easier for users to understand that they’re in the right place.

To securely reduce the number of times users are asked to authenticate, we introduced Duo Passport. Duo Passport securely passes trust between authentication scenarios so that if a user remains in a trusted state, they will not have to authenticate repeatedly.

Finally, to empower users, Duo has features like self-service password reset — instant restore — to get Duo running on new devices, and the device management portal so that users can attempt to solve problems on their own first before reaching out to the help desk.

Equipping the help desk with training & tools

To start, help desk workers should be trained on this type of attack. They should understand that even though asking for a password reset or MFA reset might be a common ask — it is always a big ask. They should also be trained to understand certain signals (e.g., like urgency, fear, and anger) that might indicate a user is trying to pressure them into resetting credentials.

“Even though asking for a password reset or MFA reset might be a common ask — it is always a big ask”

However, even if a help desk worker is trained perfectly, there may be an attacker that sounds legitimate! They may have done research on the potential target and know to sound typical. Most employees asking for help desk assistance probably sound confused and slightly annoyed. A clever attacker will probably take on this tone and attitude. An advanced attacker may utilize novel voice-changing technologies in what’s known as vishing.

Therefore, it is also important to equip the help desk with tools and mechanisms to try and verify the identity of the caller. Traditionally, Duo has done this with our help desk push functionality, which sends a Duo Push to a phone a user controls. However, an attacker will almost certainly claim they’ve lost their phone as well.

One method to confirm the identity of callers is with Duo Push Verification

Therefore, we also recommend the help desk have other tools they can use to quickly validate a caller’s identity. One mechanism to do this with Duo is to use our Identity Intelligence functionality. With Identity Intelligence, a help desk employee can quickly see a user’s typical access activity (e.g., which applications they tend to log into, from where, and with which devices). This information can provide some helpful context in a reset credentials conversation — the help desk worker can now say things like:

• "I see you have a second device registered for MFA. Can I send a verification there?"

• "Name 3 applications you used yesterday."

• "I see that you logged in from an unusual location a week ago. Where did you log in from?"

Identity Intelligence is just one way to verify user identity at the help desk. There are also more traditional mechanisms like knowledge-based authentication (KBA) questions that a user may have set. However, given that the attacker may have also stolen the KBA answers if they are easy to research or steal (e.g., mother’s maiden name), we suggest using data that is more dynamic and specific like the examples above.

Detecting & responding to help desk attacks

Now, even if help desk workers are trained well and equipped with proper verification tools, there still may be a case where an attacker slips through. In these instances, it’s important to detect the compromise as quickly as possible.

Detecting help desk attacks

Again, Identity Intelligence has some powerful features to equip security professionals with context regarding help desk attacks. The tool comes with dozens of alerts built to detect identity-based risk. In the case of help desk attacks, there are specific features and checks that may be most beneficial.

1. Feature: User Trust Level

2. Check: Users Sharing Authenticators

3. Check: Admin Role Assigned to User

Identity Intelligence recently released a feature called a User Trust Level. This takes data on user role and activity to establish how trusted a user is at any given time. While it won’t explicitly detect a help desk attack, the User Trust Level is a helpful tool to see a subset of riskiest users in an environment at any given time. By reviewing and remediating the list of “Untrusted” users, security professionals will heavily improve their susceptibility to identity threats.

Account listed as “Untrusted” after logging in from new location without MFA

Identity Intelligence also has an alert for sharing authenticators. This is a helpful tool when detecting identity threats because often an attacker will target multiple users in an organization. If the attacker uses the same phone number/mobile device with each compromised user, Identity Intelligence will highlight this trend with the Users Sharing Authenticators check. Then, a security professional can remediate the compromised users.

Finally, attackers will almost always look to elevate the privileges of the accounts they now control. Therefore, the Admin Role Assigned to User is a great check for detecting privileges being added to an account. And, Admin Activity Anomaly checks are great for understanding if administrator accounts are acting unusually.

To be clear, detection is always a tricky game — but, by combining User Trust Level with the power of the checks that Identity Intelligence offers, security teams will have a powerful set of tools to identify a potential Help Desk compromise.

Remediating help desk attacks

Once compromised accounts and users have been detected, it’s important to establish a secure remediation process. To start, the accounts should be constrained or blocked from further access until the compromise is resolved. Identity Intelligence has a variety of response mechanisms available depending on the integrations set up. For example, a user can be locked out or quarantined via an action in Identity Intelligence. If the security team leverages a SIEM or SOAR for their response workflow, Identity Intelligence can seamlessly integrate there.

However, one thing to note here - there are many processes in place today that may give control to accounts right back to an attacker. Resetting passwords and MFA factors are only viable controls once trust has been accurately re-established with the account holders. We highly recommend putting in place a mechanism to re-verify users via a strong form of identity verification (ex: a phishing-resistant form of MFA or biometric authentication).

Hopefully, by combining strong mechanisms for prevention, detection, and remediation, organizations can attain a defense-in-depth against help desk attacks. If you’d like to learn more about establishing a robust identity security program from the ground up, check out our eBook Building an Identity Security Program.

Our spurs are jingling and jangling — it's time to hitch our saddles and ride on down to Texas for the Gartner Identity and Access Management Summit. Gartner's IAM Summit is an essential event for IAM and security leaders. Held in Grapevine, Texas, from December 9-11, 2024, the summit gathers thousands of attendees to discuss the evolving landscape of identity, which is crucial for both business operations and cybersecurity.

The summit is always an excellent melting pot of practitioners, analysts, and solution providers — coming together to discuss current IAM industry trends — from the overhyped to the overlooked. If you work in IAM or security, we highly recommend the conference as a place to hear both cutting-edge research and concrete strategies for building a resilient, secure approach to identity.

Why Cisco Duo is excited to attend

Duo has been at the forefront of identity and security since our inception. This year, we are excited to showcase how our product and vision are expanding beyond multi-factor authentication to deliver identity-first security solutions for organizations of any size. Our aim is to provide robust identity security controls that effectively counter identity-based attacks, all while maintaining a user-friendly experience.

However, it’s not just about our product and solutions, but the IAM community building and working together as well. This is why we’ve committed to participating in an interoperability demonstration utilizing the Shared Signals Framework. The goal of which is to showcase how IAM and security tools can more effectively and seamlessly share relevant data across systems.

Visit us at booth #323

Cisco Duo will be at booth #323, centrally located in the vendor exhibit hall.

For any current Duo customers, we invite you to reach out to your account team to set up a meeting with our product and engineering executives who will be on-site:

• Matt Caulfield, VP of Product, Duo & Identity at Cisco

• Didi Dotan, Sr. Director of Engineering, Identity at Cisco

• Chris Anderson, Product CTO, Duo at Cisco

We are eager to hear from you! We are open to any and all feedback: the good, the bad, and the ugly.

Join our talks and demonstrations

We are thrilled to present four talks throughout the summit:

• Strategic Session: "The Evolution of Securing Identity" by Matt Caulfield on December 10 at 3:15 PM CT

• Service Provider Session: "How I Learned to Stop Worrying and Love Identity Security" by Ted Kietzman on December 9 at 11:45 AM CT.

• Theater Session: "How to Both Secure and Delight Your Users with Duo" by Charles Kim on December 10 at 6:00 PM CT.

• Theater Session: "Leveraging Identity Analytics to Bolster Defenses with Duo" by Ivor Coons on December 11 at 1:35 PM CT.

And, we'll be a part of the Shared Signals Interoperability demonstration, which will take place at 12PM CT on both Tuesday and Wednesday during the conference.

Ya’ll come round now; you hear?

We would love to connect with you at the Gartner IAM Summit. Visit us at our booth, attend our sessions, or reach out to your account team to schedule a meeting with one of our executives.

We look forward to seeing you in Texas!

Stepping up to a better, more feature-rich product or service can seem challenging. In the end though, it’s worth the effort, especially when it addresses areas of need. For example, my TV is 14 years old. Although the picture quality is still excellent and there are some decent capabilities I can use, it’s missing many of today’s modern features that deliver a much better viewing experience than what I have now. So, I’ve got a plan to a get a new model that offers the advanced features I want, and frankly need. And yeah, I’m pretty excited. Figuring out how to set up and use some of the advanced features will be challenging, but I’m up for it. I can see the benefits and the value.

More features, more value with Duo Advantage Edition

For organizations on the Duo Essentials edition, stepping up to Duo Advantage edition offers a slew of modern identity security and user experience features that add value to their Duo investment. Let’s take a look:

1. Cisco Identity Intelligence (CII) — One half of Duo’s Continuous Identity Security solution, Cisco Identity Intelligence adds a powerful security layer for any identity infrastructure. CII addresses organizations’ need for comprehensive visibility into multi-vendor identity sources and high-fidelity threat protection. It also reduces coverage gaps by providing a broad range of MFA options for all your use cases plus added security layers using device trust and risk-based policies.

2. Duo Passport — The other half of Continuous Identity Security, Passport enables organizations to provide their workforce with an exceptional user experience by dramatically reducing the number of times users are asked to authenticate. After logging in and authenticating just once on a trusted device, users get uninterrupted access to permitted applications across browsers and thick clients, minimizing repeated authentication requests throughout their workday and increasing productivity.

3. Device Health Checks — Allowing a device that’s running outdated software — like an operating system, browser or plug-in — to access your network is risky. Duo Desktop, Duo’s native client application for macOS, Windows and Linux endpoints, removes that risk by assessing an endpoint’s health posture at the point of authentication to make sure it complies with your access security policy. Devices that fail a health check are blocked from accessing an application. Fortunately, Duo provides guided self-remediation with step-by-step instructions to help end-users bring a device that fails a security check back into compliance without the need to contact IT so they can immediately access the application from the newly compliant device.

4. Risk-based Authentication — If you have a mobile workforce or you like to work from a different location every now and then, Risk-based Authentication evaluates risk signals such as location at the time of login and then adjusts the authentication requirements based on risk level. If the risk is low and trust is high, the user can complete a basic Duo Push. However, if trust is low, the user is asked to step up to a more secure authentication method like a Verified Duo Push or passwordless authentication to re-establish trust.

5. Trust Monitor — If you’ve ever had to sort through mountains of log data to identify anomalous access events that could be threats to your network, you know it’s tedious and time-consuming. Trust Monitor does the work for you by sorting through your organization’s authentication logs and surfacing unusual access and device registration attempts, enabling you to detect and remediate compromised accounts proactively.

6. More Reasons — I know I said there were five reasons, but I’ll add in a bonus round. Stepping up to Duo Advantage also unlocks more of what you get with Duo Essentials — more adaptive access policies, more customizable reports and more insight into devices connecting to your network. In other words, Duo Advantage “Goes to 11.”

Making the move to Duo Advantage

Moving from Duo Essentials to Duo Advantage might seem like a big step up, but for those that do, the benefits are many. Everything I discussed earlier is included in a Duo Advantage subscription. And when it comes to configuring these features, you don’t need to go it alone. Duo Care Premium Support provides customers with the opportunity to work directly with a dedicated Customer Service team to roll out their Advantage deployment.

If you’re interested in test driving the features in Duo Advantage, contact your local Duo reseller or managed service provider (MSP). You can also sign up for a Free Trial which includes 30 days of Duo Advantage edition.

In addition, we encourage you to see what your peers are saying about Duo. You can read customer reviews on sites such as TrustRadius, which just announced Duo as a Buyer's Trust Award winner in the Authentication category for 2025.

The rise of multi-factor authentication (MFA) has been good for security. The merits of MFA have been so widely accepted that governments recommend it, cyber insurance providers often require it, and companies like Microsoft and Google are now mandating MFA for a variety of login use cases.

However, the rise of MFA has come with a correlated challenge: authentication fatigue.

Employees often struggle to navigate the complex web of passwords, authentication prompts and multi-factor authentication (MFA) requirements, leading to frustration and even bad behavior. Repeatedly entering credentials and performing MFA across multiple applications not only wastes time but can also incentivize employees to subvert authentication controls, eroding their security efficacy.

The problem of authentication fatigue is exactly why we introduced Duo Passport about six months ago. By enabling users to log in just once to their work device and gain secure access to applications throughout the day, Duo Passport eliminates the need for repetitive authentication. This frictionless approach to authentication not only boosts end user productivity, but also ensures strong authentication security is in place across diverse IT environments.

To review, Duo Passport delivers a seamless access experience by making the authentication process invisible to users. Upon login, Duo verifies the user's identity and the trustworthiness of the device, whether it's a corporate-managed device or registered with Duo. Once authenticated, Duo continually verifies trust for every access request based on adaptive and risk-based policies behind the scenes — without re-prompting users for authentication. This eliminates the need for users to constantly prove their identity, reducing authentication fatigue and streamlining their workflows.

Since its introduction, Duo Passport has been adopted by hundreds of customers and garnered positive feedback from users and administrators alike.

Here are the top 3 reasons customers are loving Duo Passport so far:

1. Simple Setup: Administrators have been pleasantly surprised by the ease of setting up Duo Passport, with only two clicks required. This simplicity translates into reduced administrative burden and faster implementation.

2. Serious Time Saved: So far, Duo Passport has seamlessly and securely saved users from hundreds of thousands of authentications, equivalent to literal months of time spent authenticating. This time-saving capability demonstrates the significant impact Duo Passport has on user productivity.

3. Minimal Support Cases: Once Duo Passport is up and rolling, the ongoing care and feeding of the feature is minimal. In the last month, there have been 0 help desk tickets associated with using Duo Passport.

As more MFA mandates are put in place, the importance of using a tool like Duo Passport only increases. By reducing authentication fatigue and providing a frictionless experience, Duo Passport empowers users to focus on their work while maintaining the robust security of MFA. The remarkable adoption rates, time saved and minimal administrative burden highlight the tangible value of implementing Duo Passport.

As organizations strive for a secure and seamless user login experience, Duo Passport emerges as the solution that bridges the gap between security best practice and delightful user experience.

Ready to enhance your organization's security and user experience? Explore Duo Passport today and unlock the power of seamless authentication or reach out to sales to learn more.

In today's digital age, the concept of security has evolved far beyond the traditional boundaries of firewalls and antivirus software. With the ongoing movement towards digital transformation, cloud adoption, hybrid work environments and increased business interconnectivity, workforce identity tools have emerged as the new perimeter. This shift has made identity-first security a core component of modern security initiatives, such as zero trust architecture and cloud-first strategies.

The identity crisis: Breaches leveraging employee identity

According to Cisco Talos, 80% of security breaches today leverage compromised employee identities. The trend continued in their most recent quarterly threat trends report which highlighted identity and improper use of MFA as key vectors for attack. These findings are not surprising, given that identity technology, which originated in IT, has become increasingly complex over the past decade. Identity sprawl, where organizations have a diverse array of users, including employees, contractors and partners accessing corporate resources, is a common issue. Managing these diverse sets of users with multiple accounts can be challenging, especially if multiple identity stores and identity providers are involved.

Attackers are exploiting this complexity to gain unauthorized access to company environments, bypassing commonplace security measures.

Traditionally, organizations have relied on strong authentication requirements, such as multi-factor authentication (MFA), to address compromised access. However, attackers have become adept at finding the gaps where MFA is not required or subverting MFA altogether through technical mechanisms like adversary-in-the-middle or even just particularly nuanced social engineering.

The need for a holistic identity security program

To effectively combat identity-based threats, organizations must implement a comprehensive identity security program. The first step in this program is gaining visibility across the entire identity ecosystem. This is a larger ask than may seem apparent — identity infrastructure has many components and the relationships between accounts and access is often hard to parse. But the benefits of investing in cross-platform visibility are tangible and measurable.

To start, this visibility enables proactive measures known as Identity Security Posture Management (ISPM). ISPM initiatives include efforts like ensuring widespread adoption and usage of MFA and cleaning up dormant or inactive digital identities to prevent their exploitation by attackers. According to Cisco Identity Intelligence, 24% of user accounts are inactive or dormant, and 40% of accounts lack strong MFA. Addressing these posture gaps is crucial for strengthening defenses and reducing the risk of breaches.

Identity Threat Detection & Response: Limiting the blast radius

A robust identity security program also includes dedicated Identity Threat Detection & Response (ITDR). The problem with traditional Threat Detection & Response solutions is their generality and primary focus on non-identity infrastructure components. Typically, security operations tools focus on the endpoint or network without the context they need to effectively detect identity threats. Moreover, the detection logic leveraged within these tools often assumes endpoint or network compromise and can miss the patterns associated with identity-based threats.

By implementing threat detection and response that is dedicated to identity as a vector, organizations will limit the blast radius and accelerate remediation actions. ITDR ensures that organizations can quickly detect and respond to identity-based threats, minimizing the impact on their operations.

Moving beyond authentication

In conclusion, the rise of identity security necessitates a shift beyond relying solely on authentication to address compromised identities. Organizations must implement robust and holistic identity security programs that encompass visibility, posture management, and threat detection and response. By doing so, they can effectively protect their digital frontiers and ensure the security of their operations in an increasingly complex and interconnected world.

As identity continues to be the most important perimeter, it is imperative for organizations to stay ahead of attackers by adopting comprehensive identity security strategies. This approach not only enhances security but also improves user experience and delivers significant financial benefits. The time to act is now, and the path forward is clear: Embrace identity security as a cornerstone of your organization's defense strategy.

To learn more about building a comprehensive identity security program, learn more in our ebook Building an Identity Security Program.

Winning an award, especially one based on feedback from users of your product or service, is gratifying. It’s validation that you are designing and delivering solutions that address your customers’ needs.

“Cisco Duo winning the TrustRadius Buyer's Choice Award is a testament to their critical role in security for organizations across the globe,” said Allyson Havener, SVP of Marketing & Community at TrustRadius. “This award, based on vetted customer reviews, highlights how Duo makes it simple for businesses to implement strong, reliable multi-factor authentication and safeguard their digital environments. Congrats Cisco Duo for delivering a solution that not only enhances security but also builds deep trust with its users through ease of use and dependability."

Earning the Buyer’s Choice Award is significant because it’s based on peer reviews written by practitioners, consultants, decision-makers and others who have experience using Duo. Reviewers are authenticated and their experience with the product is verified through a multi-step process prior to writing a review on the TrustRadius website. This ensures technology buyers are reading opinions they can trust. According to TrustRadius, "During the review process, we don’t just ask reviewers if they liked or didn’t like the product — we dig deeper. Reviewers are asked if products and their support teams live up to expectations; and if they would buy the product again. These candid answers shape whether or not a product is chosen as ‘best’ in each of the key areas."

Here's what customers who have written a review on the TrustRadius site are saying about Duo.

“Duo Security is a simple low friction way to solve the problem of compromised accounts. At our organization, we had dozens and dozens of these. Users would fall for a phish and surrender their passwords. The hackers would then have access to their accounts to use them for their own purposes. Duo solved that problem.” — IT Analyst, Higher Education

“Cisco Duo also gives us flexibility with how 2FA is set up, whether it be an app push, SMS or telephone call, we can provide a variety of options to our end users. It's a great security option to add into an environment and easy to do so, with great support and online documentation.” — Information Technology Manager, Transportation

“We used Cisco Duo for three years now, and we are very satisfied with this product. Our organization faced brute force attacks, and we really needed a security product to solve that problem.” — Information Technology Manager, Military

This is not the first time Duo has received an award from TrustRadius. The 2025 Buyer’s Trust Award follows on the heels of Duo being named Top Rated for 2024 in three TrustRadius categories.

Visit us online to learn more about how Duo can help your organization protect against identity-based threats while delivering an exceptional user experience with solutions such as Continuous Identity Security. You can also check out Duo reviews on TrustRadius or sign up for a free trial to try Duo for yourself.

Hey there, Fortinet FortiGate users!

Let's talk about how Duo SSO is revolutionizing FortiGate VPN access.

Picture this: You're securing VPN logins in under an hour, authenticating users in seconds and saying goodbye to those pesky stolen credential risks. Sounds too good to be true? Well, it's not, and thousands of Fortinet firewall customers are already reaping the benefits.

"But wait," you might be thinking, "I'm already using Duo with my FortiGate VPN through RADIUS. Why should I bother switching to SSO?" Great question! While RADIUS has served us well, it's starting to show its age. Plus, why settle for 'good enough' when you can have 'great', at no extra cost?

Why Duo SSO is the superhero your FortiGate VPN needs

Security for superheroes

• Passwordless authentication: Leverage methods like passkeys and biometrics

• Verified Duo Push: An extra layer of verification to stop push fatigue attacks

• Risk-based authentication: Adjust security measures based on contextual risk factors 

Simplicity is the ultimate sophistication

• Intuitive interface: A redesigned, user-friendly authentication process

• Self-service capabilities: Empower users to manage their own devices and authentication methods

• Multi-language support: Cater to your global workforce with localized experiences

Control freak (in a good way)

• Device trust policies: Easily manage access based on endpoint security posture

• Advanced security protocols: Move beyond traditional frameworks to more robust solutions

• Comprehensive accessibility: Ensure strong authentication is available to all users, regardless of ability

Modernize your FortiGate VPN logins with Duo SSO

Setting up Duo SSO with your FortiGate VPN is a breeze. It's like following a recipe, but instead of a delicious meal, you end up with ironclad security (which, let's be honest, is delicious in its own right):

1. Open your Duo SSO configuration in the Admin Panel.

2. Connect your FortiGate VPN to Duo SSO using SAML 2.0 (it's like introducing two friends who are destined to become besties).

3. Sprinkle in some Duo Policy requirements.

4. Taste-test with a pilot group.

And voilà! You've got yourself a security masterpiece.

Wrapping Things Up

But wait, there's more! Duo Single Sign-On plays well with others. Whether you're juggling Microsoft 365, Salesforce or a smorgasbord of other apps, Duo's got your back!

So, what are you waiting for? It's time to give your FortiGate VPN the upgrade it deserves. Your IT team will thank you for the simplified management, your security folks will sleep better at night and your users? They'll wonder how they ever lived without it.

Ready to join the Duo SSO revolution? Reach out to us today, and let's make your FortiGate VPN the Fort Knox of the digital world — but way easier to get into (for the right people, of course).

Identity security is more crucial than ever. In a recent survey of IT and security leaders, Cisco found that 65% of them see Identity & Access Management (IAM) as a top priority for the next 2-3 years. This makes sense — as businesses face an increasing array of threats like phishing, social engineering and even MFA bypass, it becomes critical that organizations build a comprehensive identity security program. By developing a dedicated identity security practice, organizations can arm themselves against hackers looking to login with forged, stolen or spoofed credentials — pretending to be the very workers we’d like to protect.

As we discuss in our Identity Security Blueprint, this is where the four pillars of identity security — Identify, Detect, Protect and Respond — come into play. When implemented as part of a robust strategy, they offer a strong foundation for securing your organization’s digital environment.

In this blog post, we’ll dive deeper into what those four pillars look like, how you can implement them and how Duo can help you get there.

1. Identify: Know your users and assets

The first step in any identity security program is knowing who your users are and what they have access to. This requires accurate user identification and a clear understanding of each user’s role within the organization. Ensuring that only authorized users have access to sensitive information reduces the risk of unauthorized entry and data breaches.

• How Duo Helps: Duo’s Identity Intelligence functionality can create an inventory of users and devices. This visibility helps set a baseline for normal access in an environment and enables proactive posture improvement work (i.e., ensuring that everyone is using strong MFA).

2. Detect: Monitor for suspicious behavior

After identifying users, it’s essential to monitor their behavior. Anomalous activity — such as failed login attempts, unusual locations or abnormal behavior patterns — can be a sign of compromised credentials or insider threats. Continuous monitoring helps detect these warning signs before they escalate into major security incidents.

• How Duo Helps: Duo has a variety of ways to detect anomalous behavior and provide context to security and IT teams. Moreover, Duo’s adaptive authentication can react to risk signals in real-time. If an action is flagged as high risk, Duo can automatically enforce additional authentication steps or block access entirely.

3. Protect: Safeguard against attacks

Prevention is key when it comes to identity security. By putting proactive protections in place, organizations can minimize their exposure to threats. This includes securing endpoints, enforcing strong authentication measures and ensuring the overall health of devices that access the network.

• How Duo Helps: Duo not only provides MFA but also includes industry-leading Device Trust functionality. Duo can invoke these features in granular access policies, ensuring that all users and devices meet security standards before they access corporate resources.

4. Respond: Take action against threats

Even with the best defenses, no system is 100% immune to attacks. This makes a strong response plan critical. Responding quickly and effectively to incidents helps minimize damage and recover more quickly. This involves having automated responses in place to block compromised accounts and tools to investigate and remediate issues.

• How Duo Helps: Duo provides real-time insights into login activity, device health and risk levels, allowing IT teams to respond immediately to potential threats. By quickly locking down accounts or enforcing new security measures, organizations can limit the spread of an attack.

Building Your identity security program with Duo

By implementing the four pillars — Identify, Detect, Protect and Respond — into your organization’s identity security strategy, you’re building a comprehensive defense against modern threats. Duo’s portfolio of features supports each of these pillars and forms a unified identity security platform that safeguards your users and keeps your organization secure.

Ready to get started? Read our in-depth look at how to develop a world-class identity security program by downloading our 2024 Identity Security Blueprint.

A brand-new tool has landed in Duo. The policy calculator is here to simplify policy like never before. It’s your new go-to feature for effortless policy management and evaluation.

What is the Policy Calculator all about?

Managing multiple security policies in Duo is a crucial and complex task.  Our rule-based policy engine brings flexibility, but figuring out exactly how all those policies combine can be a real head-scratcher.

That's where the Policy Calculator comes in. This tool is designed to take the guesswork (and stress) out of policy. It allows you to see exactly which policies apply when a user accesses an application, providing a clear, rule-by-rule breakdown of the final policy in effect. Not only does it give you the final calculated policy, but it also shows which specific policy each rule originates from. It's like having X-ray vision for your policies!

How does it work?

Spoiler alert: it's super easy!

You’ll find the Policy Calculator nestled under Policy in the Duo Admin panel. Input a user and application name, the key details needed to calculate the policy.

And then the magic happens! You'll see the groups the user belongs to and all the policies that apply.

You will also get a detailed, rule-by-rule breakdown of the final policy, complete with the origin of each rule. It's like having a personal policy detective at your fingertips.

Continue exploring by entering different usernames and applications to see how the calculated policy changes.

Wondering when you might use the Policy Calculator?

• Verify if the policy changes you made are doing what you think they are. The Policy Calculator lets you see how these modifications affect the final policy for a user accessing an application. No more policy surprises!

• Understand why a user was denied access. See the breakdown of policies leading to the denial, helping you troubleshoot and make necessary adjustments.

• Got a complicated policy stack? In Duo, group-level policies override application and global-level policies. The Policy Calculator looks at rules from each of these policies and picks the rules from policies with higher precedence for the final policy. It untangles the complexity, so you don’t have to!

Get started today!

The Policy Calculator is now available in your Duo Admin Panel. Start using it today to ensure that your security policies are working exactly as intended. Go ahead, give it a whirl!

Available now in all paid Duo subscriptions

The launch of Duo Mobile in the early 2010s changed how businesses enabled secure authentication. Still, we have always known that there are industries and use cases that cannot rely on smartphones (or hardware tokens, SMS, and phone calls). Enter Duo Desktop authentication, which allows users to authenticate from a single laptop or desktop seamlessly when more secure forms of authentication are not available (restricted sites like clean rooms) or allowed (call centers or manufacturing sites). Duo Desktop authentication can be the solution for your edge use case:

Duo Desktop authentication isn’t a replacement for more secure authentication methods such as passkeys and Duo Verified Push. A secondary authentication device will be more secure, and your organization should always strive for the strongest protection against identity-based attacks. However, Duo Desktop authentication was developed to serve specific use cases such as call centers, manufacturing sites, clean rooms and scenarios where stronger authentication forms are unavailable. In restricted environments, employees often do not have access or cannot have access to devices, landlines, or tokens. Duo Desktop addresses this precise issue by allowing employees to authenticate using their desktops efficiently:

Reduce IT spend

For many organizations, particularly those with strict compliance or regulatory requirements, using personal devices for work is not an option and purchasing a device for every employee to authenticate can be costly. Telephony, SMS and hardware tokens, are either expensive, vulnerable or simply archaic to use across the wide variety of use cases in the market.

Duo Desktop reduces the cost of organizations needing to purchase devices, telephony credits and tokens, across use cases. Duo Desktop also reduces the administrative costs and complexities that physical device management or telephony requires. In restricted sites with high-security measures or in international territories with high shipping costs or logistical challenges, Duo Desktop authentication provides a streamlined solution that reduces administrative overhead and enhances the use case experience.

Reduce credential risk

As mentioned, Duo Desktop authentication is not a replacement for more secure forms of authentication such as passkeys or Duo Verified Push. However, Duo Desktop's registration process does help mitigate the risk of bad actors trying to pass off their own devices as ones with privileges to corporate resources by blocking devices presenting already registered device identifiers.

Duo Desktop authentication can be paired with additional security measures including Duo’s Trusted Endpoints or device health policies with Duo Desktop, which helps to bolster the security of authenticating from the desktop. This streamlined identity security approach ensures minimal disruption to operations while maximizing security and efficiency to help mitigate compromised credential attacks for the edge case where a more secure form of authentication cannot be used. It also enables administrators to implement Duo Desktop authentication quickly, empowering employees to authenticate securely without delays.

Reduce user friction

Duo Desktop authentication also serves as an efficiency driver for your organization’s edge use cases. Imagine supporting a critical service or role such as a call center for a hospital network, where authenticating faster allows critical issues to be resolved more efficiently. In this scenario, you need to limit the user friction by reducing the time to log in. By authenticating at the endpoint instead of an external authentication device like a phone call, SMS code or token OTP, Duo Desktop drives efficiency for your edge use case.

This flexibility is a plus for scenarios where traditional multi-factor authentication (MFA) methods fall short and organizations struggle with time-to-login issues during the sign-in process. Duo Desktop authentication helps Duo embody the principle of securing identities on any device, from anywhere and we are excited to hear feedback during public preview.

Experience Duo Desktop authentication today

Duo Desktop authentication is a step forward in secure access, providing organizations with a secure authentication method for use cases that are typically challenging to deploy, maintain and support. By offering a solution that eliminates the need for smartphones or tokens, Duo addresses the need of organizations across industries including security, compliance, cost management and operational efficiency.

Duo Desktop authentication is available now in all paid Duo subscriptions. You can test by deploying the Duo Desktop app and enabling Duo Desktop authentication in your Duo Policy stack to your preferred applications and identities. Review more on how to use Duo Desktop authentication on the Duo Docs page and reach out to your Duo contact to learn more today!