If you're like many IT security professionals, you're on a quest to do a better job of authenticating users in the face of new security and business challenges. Have you gotten caught up in one of five authentication traps, like many of your peers? In this webinar, you will learn: Five signs you're doing authentication wrong Forrester research on key trends and generational shifts in the authentication market How to assess solution usability, deployability and security Will it ever be truly possible to "kill the password?" Join the following guest speakers as they comment on the virtues of a thoughtfully deployed authentication solution. Eve Maler, Forrester Research Brian Kelly, Duo Security Daniel Frye, CedarCrestone

1. 5 Signs You’re Doing Authentication Wrong
March 25, 2014
#duowebinar

2. 5 Signs You're Doing Authentication Wrong
Eve Maler, Forrester Research
5 Signs You're Doing Authentication Wrong
Brian Kelly, Duo Security
Helping You Get It Right
Daniel Frye, CedarCrestone
Choosing The Appropriate Solution
#duowebinar

3. 5 Signs You’re Doing
Authentication Wrong
Eve Maler, Principal Analyst
Forrester Research
#duowebinar

4. 5 Signs You’re Doing
Authentication Wrong
A Listicle About Security And Usability
Eve Maler, Principal Analyst
March 25, 2014

5. You’re engaging in security theater

6. Yeah, we really do have a problem
© 2014 Forrester Research, Inc. Reproduction Prohibited 3

7. 2 out of 3
top data
breach types
involve the
keys to the
kingdom
Source: December 30, 2013, “Market
Overview: Employee And Customer
Authentication Solutions In 2013,
Part 1 Of 2” Forrester report
© 2014 Forrester Research, Inc. Reproduction Prohibited 4

8. Passwords (and security Qs) have a weak “UDS profile”
Usability Deployability Security
Memorywise-Effortless Accessible Resilient-to-Physical-Observation
Scalable-for-Users Negligible-Cost-per-User Resilient-to-Targeted-Impersonation
Nothing-to-Carry Server-Compatible Resilient-to-Throttled-Guessing
Physically-Effortless Nothing-to-Provision-to-User Resilient-to-Unthrottled-Guessing
Easy-to-Learn Mature Resilient-to-Internal-Observation
Efficient-to-Use Multiple-Purposes Resilient-to-Leaks-from-Other-Verifiers
Infrequent-Errors Available-Offline Resilient-to-Phishing
Easy-Recovery-from-
Loss
© 2014 Forrester Research, Inc. Reproduction Prohibited
Resilient-to-Theft
No-Trusted-Third-Party
Requiring-Explicit-Consent
Unlinkable
Source: February 24, 2014, “Market Overview: Employee And
Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report
5

9. Passwords (and security Qs) have a weak “UDS profile”
Usability Deployability Security
Memorywise-Effortless Accessible Resilient-to-Physical-Observation
Scalable-for-Users Negligible-Cost-per-User Resilient-to-Targeted-Impersonation
Nothing-to-Carry Server-Compatible Resilient-to-Throttled-Guessing
Physically-Effortless Nothing-to-Provision-to-User Resilient-to-Unthrottled-Guessing
Easy-to-Learn Mature Resilient-to-Internal-Observation
Efficient-to-Use Multiple-Purposes Resilient-to-Leaks-from-Other-Verifiers
Infrequent-Errors Available-Offline Resilient-to-Phishing
Easy-Recovery-from-
Loss
© 2014 Forrester Research, Inc. Reproduction Prohibited
Resilient-to-Theft
No-Trusted-Third-Party
Requiring-Explicit-Consent
Unlinkable
!!!
Source: February 24, 2014, “Market Overview: Employee And
Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report
6

10. But password policy has become a bludgeon
We conclude that the sites with the most restrictive password policies do not
have greater security concerns, they are simply better insulated from the
consequences of poor usability.
...
Most organizations have security professionals who demand stronger policies, but
only some have usability imperatives strong enough to push back. When the
voices that advocate for usability are absent or weak, security measures become
needlessly restrictive. The watchers must be watched, not merely to ensure that
they do not steal or cheat, but also to ensure that they do not decide to make their
job a little easier at the cost of great inconvenience to everyone else.
– Florencio and Herley, Where do security policies come from? (2010) [emph
added]
© 2013 Forrester Research, Inc. Reproduction Prohibited 7

11. What compensating controls can we use
to better effect?
› Lockout policy
› Getting “securely random” closer
to “memorable”
› Risk-based and contextual
authentication
› Real-time strength checking
© 2014 Forrester Research, Inc. Reproduction Prohibited 8

12. You’re unifying on a
single login experience

13. Weird but true tales
“Since it’s hard to type passwords on mobile devices
or speak them out loud to customer service reps, we
force all passwords to be short and uppercase.”
“We want to give everyone the identical login
experience on every channel. How do we do
that?”
“We have two-factor auth: Users give a
password to log in, and if they forget their
password, we ask them security questions.”
© 2014 Forrester Research, Inc. Reproduction Prohibited 10

14. Authentication stages and tasks have
different needs
Onboarding
New account enrollment,
with users and devices
potentially never seen
before.
Recovery
Password reset and other
security profile changes,
which may require re-enrollment.
Stronger authentication
to access higher-value,
higher-risk functions.
Front-door
authentication to
access ordinary
functions.
Step-up Login
Source: December 30, 2013, “Market
Overview: Employee And Customer
Authentication Solutions In 2013, Part 1 Of
2” Forrester report
© 2013 Forrester Research, Inc. Reproduction Prohibited 11

15. Think in terms of “responsive design”
for authentication tasks per channel
© 2012 Forrester Research, Inc. Reproduction Prohibited
• Pick up risk-based
clues from the
channel and task
wherever possible
• Leverage users’
smart mobile
devices if they have
them
12

16. “Mobile first” means IT has less room to
maneuver than ever
› Business owners want in-app
registration and login
› Individuals demand user
experiences with a clear
purpose
› Security task flows on mobile
devices feel different
© 2014 Forrester Research, Inc. Reproduction Prohibited 13

17. Your authentication
chain has weak links

18. What’s your task/channel matrix?
Web Mobile
web
Mobile
app
Phone
CSR
Phone
IVR…
Register
user
Register
device
Routine
login
Account
recovery
Change
email…
© 2014 Forrester Research, Inc. Reproduction Prohibited 15

19. What’s
your
population
and
scenario?
Large
benefit
Benefit
in
sharing
credentials
Social
network
user
Degree of
freedom to
walk away from
relationship
Greater
benefit
Baseline
Privileged
employee
Contractor
Employee
of partner
Regular
employee
Paying
affiliate
Payout
beneficiary
Bank
customer
Nonpaying
affiliate
Service-paying
customer
Retail
customer
None (captive) Some at cost A lot
© 2014 Forrester Research, Inc. Reproduction Prohibited 16

20. It’s intractably hard to stamp out all
passwords
› Back-end privileged accounts
› API client credentials and access tokens
› PINs to unlock MDM-protected devices
› Passwords as a required first factor of many
third-generation strong authentication solutions
© 2014 Forrester Research, Inc. Reproduction Prohibited 17

21. You’re pretending your
enterprise is unextended

22. The extended
enterprise needs
Zero Trust
authentication
Source: December 30, 2013 “Market Overview:
Employee And Customer Authentication
Solutions In 2013, Part1 Of 2” Forrester report
© 2014 Forrester Research, Inc. Reproduction Prohibited 19

23. Zero Trust and the cloud have affinities
Access control is
on a “need-to-know”
basis and is
strictly enforced.
Source: November 15, 2012,
“No More Chewy Centers:
Introducing The Zero Trust
Model Of Information Security”
Forrester report
All resources are
accessed in a
secure manner
regardless of
location.
Verify and never
trust.
Inspect and log all
traffic.
The network is
designed from the
inside out.
© 2014 Forrester Research, Inc. Reproduction Prohibited 20

24. You annoy real users
as much as fraudsters

25. Adding contextual cues can be a great booster shot
Usability Deployability Security
Memorywise-Effortless Accessible Resilient-to-Physical-Observation
Scalable-for-Users Negligible-Cost-per-User Resilient-to-Targeted-Impersonation
Nothing-to-Carry Server-Compatible Resilient-to-Throttled-Guessing
Physically-Effortless Nothing-to-Provision-to-User Resilient-to-Unthrottled-Guessing
Easy-to-Learn Mature Resilient-to-Internal-Observation
Efficient-to-Use Multiple-Purposes Resilient-to-Leaks-from-Other-Verifiers
Infrequent-Errors Available-Offline Resilient-to-Phishing
Easy-Recovery-from-
Resilient-to-Theft
Loss
No-Trusted-Third-Party
Requiring-Explicit-Consent
Unlinkable
Source: February 24, 2014, “Market Overview: Employee And
© 2014 Forrester Research, Inc. Reproduction Prohibited 22
Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report

26. Mobile-fueled third-gen solutions can add UDS strength
Usability Deployability Security
Memorywise-Effortless Accessible Resilient-to-Physical-Observation
Scalable-for-Users Negligible-Cost-per-User Resilient-to-Targeted-Impersonation
Nothing-to-Carry Server-Compatible Resilient-to-Throttled-Guessing
Physically-Effortless Nothing-to-Provision-to-User Resilient-to-Unthrottled-Guessing
Easy-to-Learn Mature Resilient-to-Internal-Observation
Efficient-to-Use Multiple-Purposes Resilient-to-Leaks-from-Other-Verifiers
Infrequent-Errors Available-Offline Resilient-to-Phishing
Easy-Recovery-from-
Loss
© 2014 Forrester Research, Inc. Reproduction Prohibited
Resilient-to-Theft
No-Trusted-Third-Party
Requiring-Explicit-Consent
Unlinkable
Source: February 24, 2014, “Market Overview: Employee And
Customer Authentication Solutions In 2013, Part 2 Of 2” Forrester report
23

27. Leverage “adjacent uses” for employees
and consumers alike
Source: June 12, 2013,
“Introducing The Customer
Authentication Assessment
Framework” Forrester report
© 2014 Forrester Research, Inc. Reproduction Prohibited 24

28. Thank you
Eve Maler
+1 425 345 6756
emaler@forrester.com
Twitter: @xmlgrrl

29. Helping You Get It Right
Brian Kelly, Sr. Product Marketing Manager
Duo Security
#duowebinar

30. Passwords
The security problem we all share

31. 100% 94% 416
of victims have up-to-date
anti-virus software
of breaches are reported by
third parties
100%
median number of days
advanced attackers are on the
network before being detected
of breaches involved stolen
credentials
(2013)
All Breaches Involve Stolen Passwords

32. Helping You Get Two-Factor Authentication Right
1. Avoid Security Theatre
2. Deploy Responsive Two-Factor Authentication
3. Remove Weak Links In Your Authentication Chain
4. Embrace Your Extended Enterprise
5. Don’t Annoy Your Users

33. 1. Avoid Security Theatre
‣ Your employees and users don’t want to
change their passwords every 90 days
my.vt.edu (Mar 2014)

34. 1. Avoid Security Theatre
‣ Your employees and users don’t want to
change their passwords every 90 days
‣ Maintain a reasonable password policy
and require two-factor authentication
xkcd.com/936/

35. 2. Deploy Responsive Two-Factor Authentication
‣ Your sales team probably doesn’t have the
same risk profile as your IT administrators
≠
!
⋆
!

36. 2. Deploy Responsive Two-Factor Authentication
!
‣ Your sales team probably doesn’t have the
same risk profile as your IT administrators
‣ Allow sales team to self-enroll and
leverage Duo’s Trusted Device policy

37. 2. Deploy Responsive Two-Factor Authentication
⋆
!
‣ Your sales team probably doesn’t have the
same risk profile as your IT administrators
‣ Allow sales team to self-enroll and
leverage Duo’s Trusted Device policy
‣ Require admins
‣ to use 2FA on every login
‣ not rely on phone callback or SMS OTP
‣ manually enroll

38. 3. Remove Weak Links In Your Authentication Chain
Know Your Humans
‣ Enroll
‣ Authenticate
‣ Migrate
‣ Deactivate

39. 3. Remove Weak Links In Your Authentication Chain
Know Your Humans: Prove Identity
‣ Enroll
‣ Authenticate
‣ Migrate
‣ Deactivate
# #
# #

40. 3. Remove Weak Links In Your Authentication Chain
Know Your Humans
‣ Enroll: TOFU (self-enrollment), batch, manual, sync
‣ Authenticate
‣ Migrate
‣ Deactivate

41. 3. Remove Weak Links In Your Authentication Chain
Know Your Humans
‣ Enroll
‣ Authenticate: policy, bypass
‣ Migrate
‣ Deactivate

42. 3. Remove Weak Links In Your Authentication Chain
Know Your Humans
‣ Enroll
‣ Authenticate
‣ Migrate: change phone, token
‣ Deactivate

43. 3. Remove Weak Links In Your Authentication Chain
Know Your Humans
‣ Enroll
‣ Authenticate
‣ Migrate
‣ Deactivate

44. 3. Remove Weak Links In Your Authentication Chain
Remote Access Security Hygiene
‣ Understanding all points of access
‣ Fail safe (open) v. fail secure (close) tradeoffs

45. 3. Remove Weak Links In Your Authentication Chain
Remote Access Security Hygiene
‣ Added 2FA for SSH access to your
UNIX servers? Great!
‣ Did you remember turn off port
forwarding and tunneling?
# Duo UNIX 2FA - sshd_config:
PermitTunnel no
AllowTcpForwarding no
ForceCommand /usr/sbin/login_duo
duosecurity.com/docs/duounix

46. 3. Remove Weak Links In Your Authentication Chain
Remote Access Security Hygiene
‣ Duo 2FA for Windows RDP locks
down remote, interactive sessions
‣ “Run as” & non-interactive logins do
not invoke credential provider
‣ Understand limitations for local auth
duosecurity.com/docs/rdp-faq

47. 4. Embrace Your Extended Enterprise
Integrate with everything that matters
‣ On-premises: VPN, servers, web apps
‣ Cloud: Google Apps, Office 365,
Salesforce, Box, and more (SAML)
‣ API: Duo Web and REST

48. 4. Embrace Your Extended Enterprise
Authenticate users with any device
‣ Duo Push: iOS, Android, BlackBerry,
Windows Phone
‣ Offline Passcodes
‣ SMS Passcodes
‣ Phone callback
‣ Tokens: HOTP/TOTP & YubiKey

49. 4. Embrace Your Extended Enterprise
Manage from anywhere
‣ Cloud-accessible management console
‣ Manage users, devices, integrations and
access logs all from web interface
‣ Admin REST API for automation

50. 5. Don’t Annoy Your Users
Your users are smart
‣ Explain why 2FA is important
(and better than archaic password policies)
‣ Give them choice
‣ Provide personal security value
‣ Get out of the way
guide.duosecurity.com

51. Thousands Doing It Right, Today
duosecurity.com/success-stories

52. Choosing The
Appropriate Solution
Daniel Frye, SVP Corporate Security
CedarCrestone
#duowebinar

53. About CedarCrestone
‣ Formed in 2005
‣ Merger of Cedar Enterprise Solutions (founded 1981)
and Crestone International (founded 1995)
‣ Global consulting & managed services
company
‣ Support 2,000+ employees for
CedarCrestone & affiliated companies Headquarters
Atlanta, GA

54. Business Challenge
‣ Evaluated susceptibility to password
phishing via internal pen-testing &
social engineering testing
‣ Hundreds of consultants on the road
that need VPN access
‣ Needed application-centric multi-factor
solution as an option for
managed services clients

55. Choosing The Appropriate Authentication Solution
‣ Why two-factor authentication vs. other security solutions?
‣ Defining authentication solution success
‣ Protect critical resources
‣ Make it easy on users and staff
‣ Evaluation and competitive bake off

56. Decision: Duo Security
‣ Protect critical resources
‣ Drop-in integrations for Juniper and more
‣ Flexible API for custom integration or
enhancement
‣ Make it easy on users and staff
‣ Easy To Use: Duo Push, self-enrollment
‣ Easy To Deliver: Minimal training, factor choice
‣ Easy To Trust: Secure by design
Duo API
$

57. Results
‣ Password-related vulnerabilities mitigated since Duo
deployment
‣ Feedback from 3rd party pen-testing team very positive
‣ Feedback from staff who have used other 2FA solutions:
Duo Push is much better
‣ Flexibility of mobile apps, SMS, phone callback, and YubiKey
support has proven integral to success

58. Questions + Answers #duowebinar
Eve Maler, Forrester Research
emaler@forrester.com @xmlgrrl
Brian Kelly, Duo Security
bkelly@duosecurity.com @resetbrian
Daniel Frye, CedarCrestone
dan.frye@cedarcrestone.com @CedarCrestone