Just wondering if anyone is using Endpoint Security from Duo ( https://www.duosecurity.com/ ) and what your experience has been, or, even if you are not using it, what comes to mind as an Information Security Professional as to the potential risks and implications of using such a cloud-based service for two-factor authentication? Any thoughts or insight appreciated.

2 Spice ups

I found that to be pretty good, secure authentication.

If we have corporate smartphones which are under a heavy security policy (complex password for the lock screen, short idle time, encrypted phone device, etc.),

Duo pushes the authentication request to the smartphone or calls that number to validate. Someone has to steal both our password and the phone.

I’m actually setting up a proof of concept demo for a client that is looking at this for its 2FA needs. In their case they need 2FA for VPN and RDS access. So far it looks like a workable solution. We set up Duo’s RADIUS proxy server for their authentication with their VPN gateway appliance, and we are reading through the docs for the RDS solution. They have a smartphone app and a key fob (for those users who refuse to use/have a smartphone).

Their other option is the Symantec VIP 2FA product. They placed the Symantec solution as a fallback option if the Duo solution doesn’t work out.

We use Duo’s 2FA solution. Currently working on integrating it to all of our in-house apps. Nothing but good things to say about it. It just works.

1 Spice up

I am considering replacing an on-premise MFA solution with Duo and looking into the added features in the Platform version (including endpoint). From a security perspective, Duo’s 2FA services cover the gamut: “hosted in top-tier, SAS70 Type II certified data centers servicing NIST 800-53, PCI, HIPAA, and ISO 27000 regulated customers with 24/7 service and physical security”.

We are in a bit of a quandary: Enterprise is shy of a few features that we’d like to implement; however, Platform is double the (list) price.

1 Spice up

Thanks for the insight! It really seems to me like, for the price, one can’t run their own authentication server (and manage it, keep it healthy, etc.) for any less money. Certainly not an authentication server that does everything this one claims to. I suppose the only real downside is if they had an extended outage.

I have implemented Duo at several sites. You choose the failure method (allow access or deny access). It defaults to allow access; keep in mind this is still quite secure because the user has already authenticated against a primary mechanism before reaching the Duo prompt. I would worry about your site connection going down before Duo, especially if they have redundant data centers/connections.
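The "failure method" described in the post above is set per integration in the Duo Authentication Proxy's authproxy.cfg (the RADIUS proxy mentioned earlier in the thread). The fragment below is an added example, not configuration from any poster or from Duo's documentation: it shows the default fail-open setting next to the fail-closed setting a defender would normally want on an internet-facing VPN. The section names and keys (`[ad_client]`, `[radius_server_auto]`, `failmode`) are Duo's documented authproxy.cfg options as I know them; the hostnames, IP addresses, integration key and secrets are constructed placeholders.

```ini
; --- Primary authentication source: the proxy checks the password against AD first.
; Only after this succeeds does the proxy contact Duo for the second factor.
[ad_client]
host=dc01.example.internal            ; placeholder domain controller
service_account_username=duo-proxy-svc
service_account_password=REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
search_dn=DC=example,DC=internal

; --- RADIUS listener the VPN appliance talks to.
[radius_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX               ; placeholder Duo integration key
skey=REPLACE_WITH_SECRET_KEY
api_host=api-XXXXXXXX.duosecurity.com  ; placeholder Duo API hostname
radius_ip_1=192.0.2.10                 ; placeholder VPN gateway address (TEST-NET-1)
radius_secret_1=REPLACE_WITH_RADIUS_SHARED_SECRET
client=ad_client

; Weak (but default) setting: if the proxy cannot reach Duo, users who passed
; primary auth are let through with only one factor. This is what the post
; calls "allow access".
; failmode=safe

; Hardened setting: if Duo is unreachable, the second factor cannot be
; verified, so the login is denied. Primary auth is still required either way;
; this only decides what happens when the Duo cloud service cannot be reached.
failmode=secure
```

With `failmode=secure`, a Duo or upstream connectivity outage turns into a VPN login outage rather than a silent downgrade to single-factor; that trade-off is exactly the "extended outage" concern raised earlier in the thread, so the choice should be made deliberately per integration (for example, fail closed on remote access, and consider fail open only for internal systems where the network path to the proxy itself already implies some trust). Restart the proxy service after changing the file, and verify the chosen behaviour by testing a login with outbound access to the Duo API host blocked at the firewall.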