Login – the problem that never disappears. Now there is a possibility!

By Mikael Gustafsson, CCIE Security #51822, CISSP, Senior Security Architect at Conscia

Credentials cause a lot of problems. With Duo Security, not anymore.

Credentials, credentials: a great many authentications happen in a single day. But Conscia’s security architect Mikael Gustafsson has seen the light, and it’s called Duo Security. He tells us about it here.

Credentials cause a lot of problems. They are too complicated, too weak, and they cost too much to handle. And last but not least, there are too many passwords that a person must handle every day, and many people have difficulty managing passwords safely. The typical example is the many Post-its with passwords that can be found under keyboards in offices all over the country.

But the biggest problem is that passwords do not always serve their purpose: they are simply too “weak” by themselves, a password represents only one factor in an authentication, and it is very easy to trick a person into disclosing a password. The universal solution to this problem is multifactor authentication (MFA). Put simply, a login consists of several steps, for example a password and a code sent via SMS (which many people consider a bad solution), or a password and a hardware token, and so on.

One aspect that is easy to forget is that the requirements for strong, yet simple, login solutions are increasing. This is not least because more applications and cloud services can be described as business-critical today than a few years ago. Of course, this is related to the current strong digitalization trend. GDPR regulations also play a major role, since it is becoming increasingly important to manage sensitive information in a secure way.

Following the acquisition of the company Duo Security a year ago, Cisco has now presented a password solution with great potential. The solution is known as Duo Security and covers a wide range of technology solutions, for example two-factor authentication (2FA), vulnerability analyses of, among other things, phishing exposure, and more. Secure authentication is thus an integral part of a larger security solution. Among the supported login technologies are hardware tokens, passcodes sent to mobile phones, SMS solutions, phone calls and biometrics, such as fingerprints (Touch ID, for example).

2FA – part of the Zero Trust

That’s nothing new, you’ll probably think. No, not in principle. What is new is how the solution is designed, and that it is a well-devised part of a more comprehensive security strategy (Cisco Trusted Access). This is Cisco’s implementation of the established Zero Trust security strategy.

Secure login regardless of provider or location

Worth noting in terms of design is that Duo Security is not tied to one supplier’s software, hardware or other resources. This is often where things fall apart: a multifactor authentication solution from company X works well with its own products, but not with other suppliers’ products. Duo Security offers a very large number of integration variants for applications, cloud services and other resources.

Wide application and system support simplifies matters in many ways, perhaps mainly by minimizing the number of parallel login solutions. This support comes from the basic design of Duo Security, which uses a reverse proxy and is relatively easy to implement. Another sign of flexibility is the support for different login methods, which means that the strength of the login solution can be optimized for each case.

Most significant is perhaps that Duo Security works well for both local installations (on-prem) and cloud services. Many login solutions on the market specialize in one or the other. Again, the need for multiple multifactor authentication solutions is minimized.

From an IT department’s point of view, the highlight of Duo Security is the simple and well-thought-out administration with its accompanying tools. The consequences of this combination are obvious: cheaper operations, fewer problems, and IT staff who can take on more sophisticated tasks than cleaning up the password swamp.

Policy management, based on flexible rules, is also worth mentioning. A large number of different policy types can be managed for both users and entities.

But most important, of course, is simple authentication for end users. What is really more important for IT staff, including the CIO, IT Manager and CTO, than having happy users?

Firstly, it should be the guiding star of the work, and secondly, life becomes more comfortable.

How does authentication work with Duo Security?

So how does Duo Security work? Here is an example:

  • The user logs in as usual to an application with username and password. Subsequently, a push message is sent to the user’s mobile phone, which they must respond to in order to approve the login. Instead of a message to a mobile phone, you can verify using, for example, a fingerprint or facial recognition.
  • The client device the user logs in from is checked to see whether it is approved for use according to the policy in place. One reason for rejection may be that the client device does not have the latest required update. In that case, the user can update the device and log in again.
  • Where appropriate, VPNs (virtual private networks), cloud services (SaaS) and more are managed with Duo Security. Duo Security already has built-in support for the most popular applications and services.
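To make the three steps above concrete, here is an added example (not Duo’s code, and not its API) that models the login decision as described: primary password check, device policy (rejecting an outdated device), then the user’s push or biometric approval. The user store, the minimum OS version and the `Device` attributes are constructed for the example; the device policy is evaluated before the second factor is requested, which is a choice made here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed user store: username -> SHA-256 of the password (example only).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}

# Constructed policy: the oldest OS version a client device may run and still be allowed.
MIN_OS_VERSION = (13, 2)


@dataclass
class Device:
    """The client device the user logs in from (hypothetical posture attributes)."""
    os_version: Tuple[int, int]
    encrypted_disk: bool = True


def primary_auth(username: str, password: str) -> bool:
    """Step 1: the ordinary username/password check (the first factor)."""
    stored = USERS.get(username)
    if stored is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, given)


def device_policy(device: Device) -> Tuple[bool, str]:
    """Step 2: is the client device approved by policy? Outdated devices are rejected."""
    if device.os_version < MIN_OS_VERSION:
        return False, "device update required; update and log in again"
    if not device.encrypted_disk:
        return False, "device disk not encrypted"
    return True, "device approved"


def authenticate(username: str, password: str, device: Device,
                 second_factor: Callable[[], bool]) -> Tuple[bool, str]:
    """Full login decision: password, then device posture, then push/biometric approval.
    second_factor stands in for the user approving (True) or denying (False) the push."""
    if not primary_auth(username, password):
        return False, "primary credentials rejected"
    ok, reason = device_policy(device)
    if not ok:
        return False, reason
    if not second_factor():
        return False, "second factor not approved"
    return True, "login approved"


if __name__ == "__main__":
    print(authenticate("alice", "correct horse", Device((13, 2)), lambda: True))
```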

You often hear about “the death of the password”. That is nonsense; it is not a reasonable strategy. I would rather talk about better authentication, which comes with smart multifactor authentication. I really expect a lot in terms of better security with Duo Security.