If you're like many IT security professionals, you're on a quest to do a better job of authenticating users in the face of new security and business challenges.
Have you gotten caught up in one of five authentication traps, like many of your peers?
In this webinar, you will learn:
Five signs you're doing authentication wrong
Forrester research on key trends and generational shifts in the authentication market
How to assess solution usability, deployability and security
Will it ever be truly possible to "kill the password"?
Join the following guest speakers as they comment on the virtues of a thoughtfully deployed authentication solution.
Eve Maler, Forrester Research
Brian Kelly, Duo Security
Daniel Frye, CedarCrestone
2. 5 Signs You're Doing Authentication Wrong
Eve Maler, Forrester Research
5 Signs You're Doing Authentication Wrong
Brian Kelly, Duo Security
Helping You Get It Right
Daniel Frye, CedarCrestone
Choosing The Appropriate Solution
#duowebinar
3. 5 Signs You’re Doing
Authentication Wrong
Eve Maler, Principal Analyst
Forrester Research
#duowebinar
4. 5 Signs You’re Doing
Authentication Wrong
A Listicle About Security And Usability
Eve Maler, Principal Analyst
March 25, 2014
31. 100% of victims have up-to-date anti-virus software
94% of breaches are reported by third parties
416 median number of days advanced attackers are on the network before being detected
100% of breaches involved stolen credentials
(2013)
All Breaches Involve Stolen Passwords
32. Helping You Get Two-Factor Authentication Right
1. Avoid Security Theatre
2. Deploy Responsive Two-Factor Authentication
3. Remove Weak Links In Your Authentication Chain
4. Embrace Your Extended Enterprise
5. Don’t Annoy Your Users
33. 1. Avoid Security Theatre
‣ Your employees and users don’t want to change their passwords every 90 days
my.vt.edu (Mar 2014)
‣ Maintain a reasonable password policy and require two-factor authentication
xkcd.com/936/
35. 2. Deploy Responsive Two-Factor Authentication
‣ Your sales team probably doesn’t have the same risk profile as your IT administrators
‣ Allow sales team to self-enroll and leverage Duo’s Trusted Device policy
‣ Require admins
  ‣ to use 2FA on every login
  ‣ not rely on phone callback or SMS OTP
  ‣ manually enroll
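What "responsive" means in practice is a policy engine that knows who is logging in and what a trusted device actually proves. The following is an added example, not Duo's code (Duo's Trusted Device policy is its own implementation); the group names, the 30-day lifetime, the factor sets and the token format are assumptions. It shows the checks a trusted-device bypass must pass before it waives the second factor: the token is authentic, unexpired, and bound to the user, the device and the group the user is in today, and admins never get one at all.

```python
"""Responsive 2FA policy with a signed "trusted device" token.

Added example for this slide, not Duo's code: Duo's Trusted Device policy
is its own implementation. The group names, lifetimes, factor sets and the
token format below are assumptions chosen to show what such a policy must
check before it waives the second factor.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Server-side key used to mint trusted-device tokens (assumption: one key,
# rotated by the operator; rotating it invalidates every outstanding token).
TOKEN_KEY = b"constructed-example-key-rotate-in-production"

# Per-group policy, following the slide: sales may self-enroll and keep a
# trusted device; admins get 2FA on every login, are enrolled manually and
# may not fall back to phone callback or SMS passcodes.
POLICY = {
    "sales":  {"trusted_device_days": 30, "self_enroll": True,
               "allowed_factors": {"push", "totp", "sms", "phone"}},
    "admins": {"trusted_device_days": 0, "self_enroll": False,
               "allowed_factors": {"push", "totp", "yubikey"}},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trusted_device(user: str, device_id: str, group: str, now: float) -> Optional[str]:
    """Mint a token after a successful second factor; None if the group gets no bypass."""
    days = POLICY[group]["trusted_device_days"]
    if days == 0:
        return None
    claims = {"u": user, "d": device_id, "g": group, "exp": int(now + days * 86400)}
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(TOKEN_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(mac)


def trusted_device_valid(token: str, user: str, device_id: str, group: str, now: float) -> bool:
    """Accept only a token that is authentic, unexpired and bound to this user,
    this device and the group the user is in *now* (a promotion to admin drops
    the bypass even if the old token is still unexpired)."""
    try:
        body_b64, mac_b64 = token.split(".")
        body, mac = _unb64(body_b64), _unb64(mac_b64)
    except ValueError:
        return False
    expected = hmac.new(TOKEN_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):       # constant-time compare
        return False
    claims = json.loads(body)
    return (claims["u"] == user and claims["d"] == device_id
            and claims["g"] == group
            and claims["exp"] > now
            and POLICY[group]["trusted_device_days"] > 0)


def decide(user: str, group: str, device_id: str, token: Optional[str],
           requested_factor: str, now: float) -> str:
    """'allow' (trusted device waives 2FA), 'require_2fa', or 'deny_factor'
    when the user asks for a factor the group is not allowed to use."""
    rules = POLICY[group]
    if token and trusted_device_valid(token, user, device_id, group, now):
        return "allow"
    if requested_factor not in rules["allowed_factors"]:
        return "deny_factor"
    return "require_2fa"
```

The MAC is what makes the token worth anything: a bare "remember me" cookie holding a user name could be minted by anyone. Binding to the device identifier and to the current group is what stops a token from being replayed from another machine or surviving a promotion into the admin group.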
38. 3. Remove Weak Links In Your Authentication Chain
Know Your Humans: Prove Identity
‣ Enroll: TOFU (trust on first use, i.e. self-enrollment), batch, manual, sync
‣ Authenticate: policy, bypass
‣ Migrate: change phone, token
‣ Deactivate
44. 3. Remove Weak Links In Your Authentication Chain
Remote Access Security Hygiene
‣ Understanding all points of access
‣ Fail-safe (fail open) vs. fail-secure (fail closed) tradeoffs
45. 3. Remove Weak Links In Your Authentication Chain
Remote Access Security Hygiene
‣ Added 2FA for SSH access to your
UNIX servers? Great!
‣ Did you remember to turn off port
forwarding and tunneling?
# Duo UNIX 2FA - sshd_config:
# ForceCommand only runs when a session is requested; without the
# two lines below a client can still forward ports past login_duo
PermitTunnel no
AllowTcpForwarding no
ForceCommand /usr/sbin/login_duo
duosecurity.com/docs/duounix
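Why these two lines matter: sshd runs the ForceCommand only when the client asks for a session (a shell or a command). A client that asks only for port forwarding (`ssh -N -L ...`) never opens a session, so login_duo never runs and the password alone buys a tunnel into the network. Checking that the config really says what you think is harder than it looks, because sshd takes the first value of each keyword, not the last, and anything after a `Match` line is conditional. The following audit script is an added example, not part of Duo's documentation; the two sample configs in it are constructed.

```python
"""Audit an sshd_config for the settings a ForceCommand-based 2FA wrapper
(login_duo on the slide) depends on.

Added example, not part of Duo's documentation. It reads the file the way
sshd does (sshd_config(5)): keywords are case-insensitive, the *first*
occurrence of a keyword wins, and lines after a Match block only apply when
the Match criteria are met, so they are reported for review rather than
trusted. The sample configs at the bottom are constructed.
"""
import re

# Compiled-in sshd defaults for the keywords we care about.
DEFAULTS = {"permittunnel": "no", "allowtcpforwarding": "yes", "forcecommand": "none"}
# What the slide's hardened config sets.
WANTED = {"permittunnel": "no", "allowtcpforwarding": "no"}

_LINE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)$")   # "Keyword value" or "Keyword=value"


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    global_settings: keyword -> first value seen before any Match line.
    match_blocks:    [(criteria, {keyword: value}), ...] in file order.
    """
    global_settings, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            current = {}
            match_blocks.append((value, current))
        elif current is not None:
            current.setdefault(key, value)
        else:
            global_settings.setdefault(key, value)   # first occurrence wins
    return global_settings, match_blocks


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the global section is hardened."""
    settings, matches = parse_sshd_config(text)
    findings = []
    for key, wanted in WANTED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual.lower() != wanted:
            findings.append(f"{key}={actual} (want {wanted})")
    if settings.get("forcecommand", DEFAULTS["forcecommand"]) == "none":
        findings.append("forcecommand not set: no 2FA wrapper forced")
    for criteria, block in matches:
        for key in list(WANTED) + ["forcecommand"]:
            if key in block:
                findings.append(f"Match {criteria}: {key}={block[key]} overrides the global value; review")
    return findings


# Constructed samples. WEAK looks hardened at a glance but is not: its first
# AllowTcpForwarding line wins, and a Match block drops the 2FA wrapper for
# one account.
HARDENED = """\
# Duo UNIX 2FA - sshd_config
PermitTunnel no
AllowTcpForwarding no
ForceCommand /usr/sbin/login_duo
"""

WEAK = """\
AllowTcpForwarding yes
ForceCommand /usr/sbin/login_duo
AllowTcpForwarding no
Match User backup
    ForceCommand internal-sftp
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_sshd_config(cfg) or "OK")
```

On a live host, `sshd -T` (run as root) prints the effective configuration after all of this resolution and is the authoritative check; the script is for reviewing config files you are not running on, such as ones in configuration management.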
46. 3. Remove Weak Links In Your Authentication Chain
Remote Access Security Hygiene
‣ Duo 2FA for Windows RDP locks
down remote, interactive sessions
‣ “Run as” & non-interactive logins do
not invoke the credential provider, so
they are not covered by 2FA
‣ Understand limitations for local auth
duosecurity.com/docs/rdp-faq
47. 4. Embrace Your Extended Enterprise
Integrate with everything that matters
‣ On-premises: VPN, servers, web apps
‣ Cloud: Google Apps, Office 365,
Salesforce, Box, and more (SAML)
‣ API: Duo Web and REST
48. 4. Embrace Your Extended Enterprise
Authenticate users with any device
‣ Duo Push: iOS, Android, BlackBerry,
Windows Phone
‣ Offline Passcodes
‣ SMS Passcodes
‣ Phone callback
‣ Tokens: HOTP/TOTP & YubiKey
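Of the factors listed, HOTP/TOTP tokens are the ones a server has to verify itself rather than hand to a phone network, which is why slide 37 points admins at them instead of SMS passcodes or callbacks. Computing the code is the easy part; the properties that make it a real second factor are the bounded look-ahead window and the rule that a code, once accepted, can never be accepted again. The following is an added example, not Duo's token implementation; the window sizes and the per-token state kept on the server are assumptions, and the secret is the shared test key from RFC 4226 / RFC 6238 so the codes can be checked against the RFC tables.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) verification with a bounded window
and replay protection.

Added example, not Duo's token implementation. Window sizes and the
per-token state kept on the server are assumptions; the secret below is
the shared test secret from RFC 4226 / RFC 6238, so the codes it produces
can be checked against the RFC tables.
"""
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226 / 6238 test vector key


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits, algo)


def _same(a: str, b: str) -> bool:
    """Constant-time comparison of two codes."""
    return hmac.compare_digest(a.encode(), b.encode())


class HotpVerifier:
    """Server-side state for one HOTP token.

    A code is accepted only if its counter is at or past the next expected
    one (so an already-used code can never be replayed) and within `window`
    steps of it (so button presses that never reached the server do not
    lock the user out). Acceptance resynchronises the counter.
    """
    def __init__(self, secret: bytes, window: int = 10):
        self.secret, self.window, self.next_counter = secret, window, 0

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if _same(hotp(self.secret, c), code):
                self.next_counter = c + 1
                return True
        return False


class TotpVerifier:
    """Server-side state for one TOTP token: accepts the current step and
    `skew` steps either side for clock drift, but each step at most once."""
    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew, self.last_step = secret, step, skew, -1

    def verify(self, code: str, unix_time: int) -> bool:
        now_step = unix_time // self.step
        for s in range(now_step - self.skew, now_step + self.skew + 1):
            if s > self.last_step and _same(hotp(self.secret, s), code):
                self.last_step = s
                return True
        return False


if __name__ == "__main__":
    print([hotp(RFC_TEST_SECRET, c) for c in range(3)])       # RFC 4226 table
    print(totp(RFC_TEST_SECRET, 59, digits=8))                  # RFC 6238 table
```

The "Migrate: change phone, token" step on slide 38 is where this state matters operationally: issuing a replacement token means a new secret and a reset counter, and the old secret must be removed rather than left as a second valid credential.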
49. 4. Embrace Your Extended Enterprise
Manage from anywhere
‣ Cloud-accessible management console
‣ Manage users, devices, integrations and
access logs all from web interface
‣ Admin REST API for automation
50. 5. Don’t Annoy Your Users
Your users are smart
‣ Explain why 2FA is important
(and better than archaic password policies)
‣ Give them choice
‣ Provide personal security value
‣ Get out of the way
guide.duosecurity.com
53. About CedarCrestone
‣ Formed in 2005
‣ Merger of Cedar Enterprise Solutions (founded 1981) and Crestone International (founded 1995)
‣ Global consulting & managed services company
‣ Support 2,000+ employees for CedarCrestone & affiliated companies
‣ Headquarters: Atlanta, GA
54. Business Challenge
‣ Evaluated susceptibility to password
phishing via internal pen-testing &
social engineering testing
‣ Hundreds of consultants on the road
that need VPN access
‣ Needed application-centric multi-factor
solution as an option for
managed services clients
55. Choosing The Appropriate Authentication Solution
‣ Why two-factor authentication vs. other security solutions?
‣ Defining authentication solution success
‣ Protect critical resources
‣ Make it easy on users and staff
‣ Evaluation and competitive bake off
56. Decision: Duo Security
‣ Protect critical resources
‣ Drop-in integrations for Juniper and more
‣ Flexible API for custom integration or
enhancement
‣ Make it easy on users and staff
‣ Easy To Use: Duo Push, self-enrollment
‣ Easy To Deliver: Minimal training, factor choice
‣ Easy To Trust: Secure by design
Duo API
57. Results
‣ Password-related vulnerabilities mitigated since Duo
deployment
‣ Feedback from 3rd party pen-testing team very positive
‣ Feedback from staff who have used other 2FA solutions:
Duo Push is much better
‣ Flexibility of mobile apps, SMS, phone callback, and YubiKey
support has proven integral to success
58. Questions + Answers #duowebinar
Eve Maler, Forrester Research
emaler@forrester.com @xmlgrrl
Brian Kelly, Duo Security
bkelly@duosecurity.com @resetbrian
Daniel Frye, CedarCrestone
dan.frye@cedarcrestone.com @CedarCrestone