Multifactor Authentication from Duo
Two-factor authentication (2FA) is a specific type of MFA that strengthens access security by requiring two methods (also referred to as authentication factors) to verify your identity. These factors can include something you know, such as a username and password, and something you have, such as a smartphone app, to approve authentication requests.
2FA protects against phishing, social engineering, and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials. You can ensure users are who they say they are at every access attempt, and you can regularly reaffirm their trustworthiness. MFA is the foundation for zero-trust. Duo verifies that your users are who they say they are, before they access your data—and with multiple second-factor options, including one-touch Duo Push, users can easily authenticate in seconds.
MFA from Cisco’s Duo protects your applications by using a second source of validation, such as a phone or token, to verify user identity before granting access. Duo is engineered to provide a simple, streamlined login experience for every user and application, and as a cloud-based solution, it integrates easily with your existing technology. Figure 8-42 illustrates the Duo App MFA.
Figure 8-42 Duo App multifactor authentication
We know the most effective security solution is one your users actually use. Duo’s 2FA solution only requires your users to carry one device—their smartphone, with the Duo Mobile app installed on it. Duo Mobile is available for both iPhones and Android, as well as wearables such as the Apple Watch. With support for a large array of authentication methods, logging in via push notification is fast and easy with Duo Mobile. We strongly recommend using Duo Push or WebAuthn as your second factor because they’re secure and can protect against man-in-the-middle (MITM) attacks, but with Duo’s flexibility and customizability, you’ll be able to find the adaptive authentication method that meets the unique needs of your diverse user base.
Types of 2FA
There are a number of different second factors that can be used to verify a user’s identity. From passcodes to biometrics, the available options address a range of use cases and protection levels:
• SMS 2FA: SMS two-factor authentication validates the identity of a user by texting a security code to their mobile device. The user then enters the code into the website or application to which they’re authenticating.
• TOTP 2FA: The time-based one-time password (TOTP) 2FA method generates a key locally on the device a user is attempting to access. The security key is generally presented as a QR code that the user scans with their mobile device to generate a series of numbers. The user then enters those numbers into the website or application to gain access. The passcodes generated by authenticators expire after a certain period of time, and a new one is generated the next time a user logs in to an account. TOTP is part of the Open Authentication (OATH) security architecture.
• Push-based 2FA: Push-based 2FA improves on SMS and TOTP 2FA by adding additional layers of security, while improving ease of use for end users. Push-based 2FA confirms a user’s identity with multiple factors of authentication that other methods cannot. Duo Security is the leading provider of push-based 2FA.
• WebAuthn: Created by the FIDO (Fast IDentity Online) Alliance and W3C, the Web Authentication API is a specification that enables strong registration and authentication based on public key cryptography. WebAuthn (Web Authentication API) allows third parties like Duo to tap into built-in capabilities on laptops, smartphones, and browsers, letting users authenticate quickly and with the tools they already have at their fingertips.