In the last year I’ve come across an authentication company who has also put its foot into device detection and web application security.
That company is Michigan-based Duo Security, and its premise is that if your account is accessed by someone that is not you, it can alert you to that as well as offering two-factor authentication (2FA) in the middle (after the password is entered). The technology supports any application and offers VPN support. A user is enrolled on the first add, and asked what they want the token to be.
Ash Devata, VP of products at Duo Security said that “Duo means security and usability. It will send a confirmation that it is me accessing the account, and send a login request and ask for information if it seems to be fraudulent.”
As well as that, it can detect any vulnerabilities using the Duo dashboard and will still work if the device is rooted or jailbroken. “We can tell you the inventory and configuration of your devices, so there is a lot of good hygiene without agents and this is a big area for us,” he said.
While it’s good to get the word from the vendor, the user experience is often more valuable and I got the chance to speak with Richard Gough, group IT operations and security manager at financial services firm Punter Southall. With 850 people to manage, Gough decided to move from a UserID and password approach for remote authentication, to a multi-factor approach.
“I wanted a cloud-based, hosted two-factor authentication service that was flexible enough to offer an array of different authentication methods like SMS passcode, phone call backs, traditional hardware tokens and - although we didn’t realize it at the time, we particularly like Duo’s smart phone app approach to authentication,” he said.
“We wanted a simple solution from an established vendor, which was compliant with Remote Authentication Dial-In User Service (RADIUS) to ensure we weren’t locked into one vendor.”
In conversation with Infosecurity, I asked Gough what stood out about Duo and having described it as “a Rolls Royce in comparison to a mini”, he said that it was about being better at security than your adversary and using 2FA to enhance systems was a logical step forward.
“I had used it in an old job and having used a token-based technology, I wanted something fresh and hosted offsite and delivers technology that is simple and secure,” he said. “It’s about regulation and I want to be sure I am doing my job properly.”
He also pointed at the costs associated with tokens as being “extortionate” and with a staff of 850 people, at his busiest time he observed 200 connected remotely on a busy day and with a cloud-delivery model this has helped provide security.
He said: “It is useful to identify where users are, and geolocation products look at everything. Security is not just one solution and we have IDS/IPS and authentication with Duo and it is a complete suite of products. Once we were running it we did our due diligence on the solution and we look at it with our own security products and I am happy with the privacy. “
Gough admitted that he had looked at other products and he was won over by the security offering and ease of use, and said that being software, rather than hardware, means that access to Outlook Web Access on a mobile device or tablet will work with Duo’s technology.
Was this something that the board embraced? “They want to enhance security and I found this vendor and did testing and pulled this out, but it is a joint initiative and the board governance team wanted to enhance what we do, and it is a constant thing as we look at what to do next and once we had the brief we did it and they liked it, especially when we said it could be deployed quite quickly.”
He concluded by saying that this was “only one part of our arsenal of tools”, and security is present all the time and the ‘human firewall’ is one of the most important factors, but he had given them something easy to work with.