Two-Factor Authentication Evaluation Guide

What to look for when assessing and comparing two-factor authentication solutions
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Two-factor authentication
is the simplest, most effective
way to make sure users really are
who they say they are.
More than 80% of
By verifying your users’ identities before they access your But, not every two-factor solution is the same. Some vendors only

network, two-factor authentication protects your applications provide the bare minimum needed to meet compliance requirements

and data against unauthorized access. It works by requiring – and lots of hidden costs required for deployment, operation and

hacking breaches multiple factors to be confirmed before permitting access versus

just an email and a password. Authentication factors can be

maintenance. Plus, many traditional solutions are clunky, error‑prone

and require extensive user training and support – costing your

involve brute force something you know, like a password; something you have, like

your device or a security key; something you are, like your personal
employees time and productivity.

or the use of lost or

fingerprint (biometrics); somewhere you are, like your location; and

your level of access based on adaptive policies.

stolen credentials. IN THIS GUIDE, YOU’LL GET:

+ A comprehensive set of criteria to customize your evaluation to your organization’s needs
VERIZON 2020 DATA BREACH
+ An overview of the hidden costs of a two‑factor solution and how to determine your return on investment (ROI)
INVESTIGATIONS REPORT­
+ What to look for to ensure your solution can protect against the risk of a data breach

+ A list of resources needed to deploy, provision and integrate your solution

+ An overview of the different strategic business initiatives, and how your solution fits into them

© 2020 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
1
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Consider the following criteria when evaluating

different two‑factor authentication solutions:

Security Impact Strategic Total Cost

Can your solution protect against unauthorized Business Initiatives of Ownership
access and provide visibility of users and
Is your solution compatible with other business Does your solution provide upfront value, or
devices in your environment? How effectively
initiatives such as enabling remote work or incur hidden costs to your organization? Can it
does the solution reduce the risk of a data
onboarding cloud applications? Does it fulfill work with modern and legacy systems? Can the
breach? Can your solution provide access
compliance requirements? solution help consolidate multiple siloed tools?
control for managed and unmanaged devices?

Does your solution alert you to unusual or

suspicious login activities?

Time to Value Required Resources

These are some of the big questions
How quickly can you get the solution up and What kind of resources are required to deploy
you want to ask to find out if a 2FA
running in your environment? and provision users? Is the solution architected
(or multi-factor authentication/MFA)
to reduce ongoing administration tasks?
solution is truly the best solution for
your business. Let’s dig deeper into
these questions.

2
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Security Impact
The most critical security aspects of an authentication solution are 1) effectiveness against threats related to credential theft, and 2) underlying

security and reliability. The primary goal is to reduce the risk of a data breach to your organization. If a solution is easily bypassed or doesn’t provide

comprehensive protection, it’s not worth implementing (at any cost!).

Secure Everything, Everywhere

FOCUS ON REMOTE LOGINS REDUCE DEPENDENCY ON PASSWORDS
Before you implement a new security solution, take full inventory of your Passwords are a thorn in the side of enterprise security. An average Enabling a single sign-on (SSO) option along with MFA is a great way to

organization’s applications, networks and data that can be accessed enterprise uses more than 1,000 cloud apps today. That’s too many start the passwordless journey without compromising on security.

remotely. If you can log into an application or a system over the internet, passwords for IT to manage securely, and for users to remember. This
For end users, SSO provides access to multiple applications with a single
you should protect it with more than just a username and password. VPN, results in password fatigue, and it’s no surprise that weak and stolen
login (using one master set combination of username and password) —
SSH and RDP connections are gateways to your corporate networks passwords are among the leading causes of a breach. Eliminating
and reducing the number of passwords eliminates bad password habits
and therefore require added layers of protection to prevent unauthorized passwords from authentication sounds very attractive; however, as with
such as password reuse. For administrators, SSO serves as a unified
access. Wherever possible, use FIDO-based (Fast IDentity Online, an open any new technology, it is wise to take a thoughtful approach to adopting
point of visibility for authentication and access logs, and an effective
industry standard for strong authentication) security keys that leverage passwordless authentication.
policy enforcement point to apply security policies for each application
WebAuthn and provide the highest level of assurance for authentication.
Passwordless is a journey that requires incremental changes for both depending on its risk profile.

With a modern MFA solution built on zero trust principles, you can get users and IT environments. Ask security vendors how their products can

a clearer picture of the users and devices that are trying to access your help you embrace a passwordless future without creating security gaps or

network. It is no longer enough just to verify the user before granting causing IT headaches.

access. Consider verifying the device status as part of the authentication

workflow. Ensure your solution can integrate with any custom software,

VPNs, cloud-based applications and device management tools.

If you can log into it over the internet,
you should protect it with more than a
username and password.
3
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

SECURE SENSITIVE DATA VERIFY DEVICE STATE ADAPTIVE POLICIES & CONTROLS
Check that the solution allows you to create and enforce advanced Consider a solution that offers comprehensive device verification An advanced two-factor authentication solution lets administrators define

policies and controls that you can apply to environments with sensitive capabilities across laptops, desktops or mobile devices. The solution rules and levels of access with adaptive controls, balancing security

data – whether it is internet-accessible or a private network. should ensure that devices accessing your environment are in compliance and ease-of-use based on the users, groups, devices, networks and

Examples include: with your organization’s security criteria. This includes verifying that the applications involved.

devices have critical software patches installed and enabling end-user

+ Define how users access sensitive systems, such as servers containing Examples of adaptive policies and controls include:
remediation where applicable.
financial data
+ Require admins and IT staff to perform two-factor authentication using
+ Set a stricter policy for servers with customer payment data vs. public Check that the solution can leverage telemetry from your endpoint security
biometrics or a FIDO-based security key every time they log in to protect
file servers agents and device management tools as part of posture assessments.
privileged access

+ Allow users to authenticate less often when using the same device

+ Block login attempts from foreign countries where you don’t do business,

and block access from anonymous networks, like Tor

+ Allow users to only access critical applications from corporate managed

devices

While traditional solutions such as firewalls and network access control

(NAC) can do this, they’re typically limited to protecting your on-

premises resources. But by focusing only on the local network perimeter,

these solutions leave many security gaps and zero coverage for cloud

applications. Look for a solution that offers protections beyond a

traditional network-based perimeter and truly protects access from any

device and from any location.

Check that your provider offers different

authentication methods to fit every user’s need.

4
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

VISIBILITY & ANALYTICS FLEXIBILITY AVAILABILITY

Ask your provider if your solution gives you insight into your users and It’s expensive to rip and replace a solution, so choose one that can scale A security solution is only as valuable as it is available, and resilient against

the devices they use to access your organization’s apps and data. An to support new users, integrations and devices – no matter where they are, security incidents and downtime. A cloud-based 2FA provider should

advanced authentication solution should give you an at-a-glance picture including on-premises and in the cloud. Check that your provider offers maintain their solution independent from your systems. That way, even if

of the security profile of all devices in your environment, letting you different authentication methods, including smartphone apps, biometrics, you’re breached, access to your applications is still securely managed by

take action to protect against known vulnerabilities. Because data is phone callback, passcodes and hardware tokens to fit every user’s need. your provider.

only as useful as it is accessible, make sure your dashboard provides a

To protect against downtime, your provider’s service should be distributed
comprehensive bird’s-eye view along with the ability to quickly zoom or
across multiple geographic regions, providers and power grids for
filter into more granular information.
seamless failover. Reliable vendors should demonstrate 99.99% uptime,

Ensure your solution comes with detailed logs about your users, devices, guaranteed by strong service level agreements (SLA).

administrators and authentication methods. The solution should allow

these logs to easily export to your SIEM tools and help create custom

reports, ideal for security analysts and compliance auditors.

Choose a solution that gives you visibility into authentication attempts,

including data on IP addresses, anonymous networks, blacklisted countries

and more – useful for determining where and when certain attacks may

occur. Ask if the provider can detect and automatically alert administrators

in case of risky login behavior or suspicious events, such as new device

enrollment for authentication or login from an unexpected location.

Ensure your solution comes with

detailed logs about your users, devices,
administrators and authentication methods.

5
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Strategic Business Initiatives

When evaluating a new security solution, consider how it may integrate with ongoing or future business initiatives, including legacy systems, bring

your own device (BYOD), remote work or the adoption of cloud applications. Other business drivers to consider include compliance regulation

requirements, which vary by industry and location.

CLOUD ADOPTION TODAY BRING YOUR OWN DEVICE (BYOD) —

Most of your applications and servers might be on-premises, but some REMOTE WORK PROTECTION
may migrate to the cloud in the near future. Check that the authentication Many organizations are allowing employees to use their personal devices Can your authentication solution detect potential vulnerabilities in the

solution can easily integrate with your cloud applications. Additionally, if to get work done. When evaluating authentication solutions, consider how devices your employees use? Ask your provider how you can get greater

you’re moving away from managing software and hardware on-premises, compatible they are with your BYOD environment. Can users use their own visibility and control into your cloud and mobile environment, without

then you should consider adopting a cloud-based authentication solution devices to complete authentication? requiring users to enroll their personal devices in enterprise mobility

that can scale as needed. Make sure your authentication solution protects solutions (like mobile device management/MDM).
Check that your authentication solution provides a mobile app that works
what’s important both today and in the future.
with all of the different types of mobile and remote devices your employees If it’s not easy to use, your users won’t use it. Evaluate the usability of

use, including Windows, Apple iOS and Android. For flexibility, ensure the your mobile app, for both your users (enrollment, activation and daily

solution works with other methods like security keys, mobile push, code authentication) and administrators (user and solution management).

generators and phone callback.

If it’s not easy to use,

your users won’t use it.
6
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

MONITORING & REPORTING VALIDATION & COMPLIANCE

Ensure your solution comes with detailed logs about your users’ activity so If you deal with any type of sensitive data, like personally identifiable

you can create custom reports, ideal for security analysis and compliance information (PII), protected health information (PHI), customer payment

auditors. Armed with details about jailbroken statuses, patch levels, data, etc., you need to ensure your two-factor solution can meet any

browsers and more, you can also take action to prevent opening up your compliance regulation requirements.

network to known vulnerabilities. Monitoring also gives you insight into any
Additionally, your two-factor provider must be able to provide an
user behavior anomalies or geo-impossible logins – if your user logs in
up‑to‑date proof of compliance report for your auditors. Ask your provider
from one location, and then logs in from another location around the world,
if their company and solution is audited annually or regularly by an
your security team will know.
independent third-party auditor.

Every organization’s environment is unique. Check if the solution provider

offers advanced machine learning-based behavioural analytics that can

Check that the vendor’s cloud-based service uses PCI DSS (Payment
Remember, it only takes
create a risk profile for your specific organization and notify administrators
Card Industry Data Security Solution), ISO (International Organization

for Standardization) 270001 and SOC (Service Organization Controls)

one weak link in the security
of any unusual login activity.
2 compliant service providers. It only takes one weak link in the security chain for a breach to affect
chain of contractors for a breach to affect your organization.
your organization.

7
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Total Cost of Ownership

The total cost of ownership (TCO) includes all direct and indirect costs of owning a product – for a two-factor solution, that may include hidden costs,

such as upfront, capital, licensing, support, maintenance, operating and many other unforeseen expenses over time, like professional services and

ongoing operation and administration costs.

How can you be sure you’re getting the best security return on your investment? Consider:

Upfront Costs
See if your vendor’s purchasing model requires that you pay per device,
ADMINISTRATIVE SOFTWARE/HARDWARE VENDOR CONSOLIDATION
user or integration – this is important if your company plans to scale and
Is this included in the software license? Additional management While network environments with a traditional perimeter defense model
add new applications or services in the future. Many hosted services
software is often required – without this, customers can’t deploy 2FA. Does rely on a handful of key services to maintain visibility and enforce security
provide a per-user license model, with a flat monthly or annual cost
the service require the purchase and configuration of hardware within your standards, the growth of SaaS adoption has resulted in many piecemeal
for each enrolled user. When investigating licensing costs, make sure
environment? Confirm the initial and recurring costs for this equipment, solutions to cover the expanded needs of securing cloud-based data and
to confirm whether licenses are named (locked to a single user ID) or
and research the typical time and labor commitment necessary to set assets. Secure access includes strong authentication through 2FA to
transferable, whether there are add-on charges for additional devices or
up these tools. For administrative access with tiered permissions based validate users and may also include:
integrations configured, or delivery charges for different factor methods.
on license version, confirm all functionality you depend on is available, or
Estimate how much it will cost to deploy two-factor authentication to all of + Endpoint management or mobile device management tools for defending
collect a complete list of necessary upcharges.
your apps and users. against device compromise threats

+ Single sign-on portals to centralize and simplify login workflows for users

+ Log analysis tools to identify and escalate potential security threats

+ Multiple dashboards to manage disparate services and cover

unsupported applications, and more

Along with the redundant costs that can accrue from these overlapping

Look for vendors with simple subscription models, services, each added tool increases complexity and the chances of human

priced per user, with flexible contract times. error or oversight. Finding a solution with comprehensive utility for secure

access can reduce both initial and ongoing management labor costs.

8
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Upfront Costs Deployment Fees

(continued)

AUTHENTICATORS DEPLOYMENT & CONFIGURATION ADMINISTRATOR SUPPORT

Do you have to purchase hardware authentication devices? Physical Find out if you can deploy the solution using your in-house resources, or To make it easy on your administrators, look for drop-in integrations for

tokens add inventory, management, and shipping costs to consider. For if it will require professional services support and time to install, test and major apps, to cut time and resources needed for implementation. Also

mobile authenticators, confirm if there is any per-device cost for soft troubleshoot all necessary integrations. confirm the availability of general-purpose integrations for the most

tokens, or if an unlimited number of enrolled devices is permitted for each common authentication protocols to cover edge use cases, along with

user license. END USER ENROLLMENT APIs to simplify integration for web applications. See if you can set up a

Estimate how long it will take each user to enroll, and if it requires pilot program for testing and user feedback – simple integrations should

DATA CENTER COSTS any additional administrative training and helpdesk time. Discuss with take no longer than 15 minutes.

Do you have to purchase servers? Server hosting costs can add up: your vendor the typical deployment timeframe expected with your use

power, HVAC (heating, cooling and air conditioning), physical security, case, and seek feedback from peers to validate how this aligns with

personnel, etc. A cloud-based solution will typically include these costs in their experience. Look for an intuitive end user experience and simple

the licensing model. enrollment process that doesn’t require extensive training. Token-based

solutions are often more expensive to distribute and manage than

HIGH AVAILABILITY CONFIGURATION they are to buy.

Is this also included in your software license? By setting up duplicate

instances of your software and connecting a load balancer with the

primary instance, you can end up tripling your software costs. Setting

up a redundant or disaster recovery configuration can also increase

costs significantly, and some vendors charge additional licensing fees for

business continuity.

Token-related help desk tickets can account

for 25% of the IT support workload.

9
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Ongoing Costs
PATCHES, MAINTENANCE & UPGRADES ADMINISTRATIVE MAINTENANCE SUPPORT & HELP DESK
Annual maintenance can raise software and hardware costs, as customers Consider the costs of employing full-time personnel to maintain your Live support via email, chat and/or phone should also be included in your

must pay for ongoing upgrades, patches and support. It’s often the two‑factor solution. Does your provider maintain the solution in‑house, or vendor’s service – but sometimes support costs extra. Consider how much

responsibility of the customer to search for new patches from the vendor is it up to you to hire experts to manage it? time is required to support your end users and helpdesk staff, including

and apply them. Look for a vendor that automatically updates the software troubleshooting time.
Estimate how long it takes to complete routine administrative tasks. Is
for security and other critical updates, saving the cost of hiring a team.
it easy to add new users, revoke credentials or replace tokens? Routine Gartner estimates that password reset inquiries comprise anywhere

One of the benefits of SaaS and cloud-hosted services is that servers, tasks, like managing users, should be simple. Sign up for a trial and take it between 30% to 50% of all helpdesk calls. And according to Forrester,

maintenance and monitoring are covered by the provider’s network and for a test run before deploying it to all of your users. 25% to 40% of all helpdesk calls are due to password problems or resets.

security engineers, lightening the load for your team. Depending on your Forrester also determined that large organizations spend up to $1 million

solution, you may have to manually upgrade to the latest version. per year on staffing and infrastructure to handle password resets alone,

with labor cost for a single password reset averaging $70.

You should also consider the frequency of updates — some vendors may

only update a few times a year, which can leave you susceptible to new If a solution requires extensive support from your IT or infrastructure

vulnerabilities and exploits. Choose a vendor that updates often, and teams, will you get charged for the time spent supporting your on‑premises

ideally rolls out automatic updates without any assistance from your team. two-factor solution? Estimate that cost and factor it into your budget.

10
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Modern Solutions
High value, upfront costs

+ Simple subscription model + User, device and application access policies

+ Free authentication mobile app and controls

+ No fees to add new apps or devices + Device health and posture assessments

+ No data center/server maintenance + Device context from third-party security

+ High availability configuration solutions

+ Automatic security and app updates + Passwordless authentication

+ Administrative panel included + User behavior analytics

+ User self-service portal included + Single sign-on (SSO) and cloud support

NO HIDDEN COSTS

Traditional Solutions MANY HIDDEN COSTS

Potentially low upfront costs, not much value

LOTS OF HIDDEN COSTS:

− Additional cost to add new apps or users

− Administrative software/hardware

− Authenticators – tokens, USB, etc.

− Data center and server maintenance

− High availability configuration

− Administrative support

− Patches, maintenance and upgrades

− Helpdesk support

11
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Time to Value
Time to value, or time to security, refers to the time spent implementing, deploying and adapting to the solution.

Determine how long it takes before your company can start realizing the security benefits of a two‑factor authentication

solution. This is particularly important after a recent breach or security incident.

Proof of Concept Deployment Onboarding & Training Users

Setting up a two-factor pilot program lets you test your solution across a Walk through likely implementation scenarios so you can estimate the A vendor’s enrollment process is often a major time sink for IT

small group of users, giving you the ability to gather valuable feedback on time and costs associated with provisioning your user base. Cloud-based administrators. Make sure you walk through the entire process to identify

what works and what doesn’t before deploying it to your entire team. services provide the fastest deployment times because they don’t require any potential issues.

hardware or software installation, while on-premises solutions tend to take

For enterprises, bulk enrollment may be a more time-efficient way to sign
more time and resources to get up and running.
up a large amount of users. To support your cloud apps, ensure your two-

Most security professionals don’t have time to write their own integration factor solution lets you quickly provision new users for cloud apps by using

code. Choose a vendor that supplies drop‑in integrations for all major existing on-premises credentials.

Cloud-based services cloud apps, VPNs, Unix and MS remote access points. You’ll also want

to look for a vendor that enables you to automate functionality and export
See if the solution requires hardware or software for each user, or time-

deploy faster because they logs in real time.

consuming user training. Token deployment can require a dedicated

resource, but easy self-enrollment eliminates the need to manually

don’t require hardware or Also, to save on single sign-on (SSO) integration time, check that your two-

factor solution supports the Security Assertion Markup Language (SAML)

provision tokens.

software installation. authentication standard that delegates authentication from a service

With a mobile cloud-based solution, users can quickly download the

app themselves onto their devices. A solution that allows your users to
provider or application to an identity provider.
download, enroll and manage their own authentication devices using only a

web browser can also save your deployment team’s time.

12
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Required Resources
Consider the time, personnel and other resources required to integrate your applications, manage users and devices, and maintain/monitor your solution.

Ask your provider what they cover and where you need to fill in the gaps.

Application Support User & Device Management Maintenance

Some two-factor solutions require more time and personnel to integrate Like any good security tool, your two-factor solution should give Make sure that your solution requires minimal ongoing maintenance and

with your applications, whether on-premises or cloud‑based. administrators the power they need to support users and devices with management for lower operating costs. Cloud-hosted solutions are ideal

minimal hassle. because the vendor handles infrastructure, upgrades and maintenance.

Check that they provide extensive documentation, as well as APIs and

SDKs so you can easily implement the solution into every application that Look for a solution with a centralized administrative dashboard for a Can you use your existing staff to deploy and maintain this solution, or will

your organization relies on. consolidated view of your two-factor deployments, and enables admins to: you need to hire more personnel or contractors to do the job? Ask your

vendor if monitoring or logging is included in the solution.

+ Easily generate bypass codes for users that forget or lost their phones

+ Add and revoke credentials as needed, without the need to provision and
A solution that requires many additional resources to adapt and scale may
manage physical tokens
not be worth the cost and time. Evaluate whether your solution allows

you to easily add new applications or change security policies as your

Ask your provider if they offer a self-service portal that allows users to
company needs evolve.
manage their own accounts, add or delete devices, and other simple tasks.

Can your staff deploy and maintain the

solution, or will you need to hire more
personnel or contractors?

13
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

The Duo Advantage

Duo Security’s two-factor solution combines intuitive usability with advanced security features to protect against the latest attack methods and to

provide a frictionless authentication experience.

Security Impact
TRUSTED USERS TRUSTED DEVICES SECURE EVERY APPLICATION
Duo’s authentication is built on the foundation of zero trust. Duo verifies When organizations deploy Duo, device trust becomes a part of the To secure every type of application, Duo’s solution easily and quickly

the identity of users and protects against breaches due to phishing and authentication workflow during the user login process for protected integrates with virtual private networks (VPNs) and remote access gateways

other password attacks with an advanced two-factor authentication applications. This enables Duo to provide in-depth visibility across like CA SiteMinder, Juniper, Cisco, Palo Alto Networks, Citrix and more;

solution, verifying trust in multiple ways before granting access. managed and unmanaged devices, however and from wherever the users enterprise cloud apps like Microsoft O365, Salesforce, Google Apps, AWS

Duo’s contextual user access policies let you create custom controls connect to these applications. Duo also verifies the security health and Box; and on-premises and web apps like Epic, Splunk, Confluence,

to further protect access to your applications based on type of users, and management status of endpoints before granting access to your Shibboleth and more. Duo provides APIs and client libraries for everything

devices and apps. applications, and blocks access if the device is unhealthy or does not meet else, including your custom and proprietary software.

your security requirements.

Learn more about Trusted Users. Learn more about Every Application.

You can easily ensure that users maintain appropriate device hygiene,

whether by updating the OS patch levels or browser versions, checking

for presence of device certificates, or enabling security features such as

enterprise antivirus (AV) agents and disk encryption.

Learn more about Trusted Devices.

Duo verifies the identity of your users with two-factor authentication, and
the security health of their devices before they connect to your applications.

14
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Security Impact
(continued)

ADAPTIVE POLICIES & CONTROLS

START YOUR PASSWORDLESS JOURNEY
Duo’s passwordless authentication solution will improve user experience, Security policies for every situation. Duo’s granular advanced policy
Going passwordless means establishing a strong assurance of a user’s
reduce IT overhead, and strengthen security posture. Duo uniquely takes controls provide zero trust protection to environments with sensitive data,
identity without relying on passwords, allowing them to authenticate using
its passwordless solution a step further by enabling organizations to whether on-premises or in the cloud. With Duo, you can create custom
biometrics, security keys or a mobile device. Duo will help you get to a
implement a passwordless authentication that’s secure and usable. Duo access policies based on role, device, location and many other contextual
passwordless future starting with reducing the number of logins. With
ensures that a risky device (unknown, jailbroken or out of date) cannot factors that are the bedrock of a strong zero trust security framework.
Duo’s secure cloud-based single sign-on (SSO), you can leverage your
be used to authenticate without a password. In addition, Duo continually
existing identity provider for faster provisioning and improved accuracy
Duo verifies the identity of your users with two-factor authentication
monitors logins and new enrollments to automatically detect anomalies,
whether in the cloud or on-premises, allowing your users to log in just once
and the security health of their devices before they connect to your
alerting your IT administrators to potential risks.
to securely access your organization’s applications.
applications. With Duo, IT administrators may also create complex policy

Learn more about Passwordless. rules that continuously monitor logins to identify and flag unusual activity.

We are a very open organization and want employees to work from anywhere.
Box manages highly sensitive data for some of the largest organizations in the world.
As a result of this, we need to ensure the highest level of protection for all user
interactions with our services. We also need to meet an extremely high bar for
security standards while making it easy for users to be productive.
Duo helps us do just that.”

Mark Schooley
Senior Director, IT Operations & Engineering

15
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

VISIBILITY & ANALYTICS FLEXIBILITY AVAILABILITY

Duo’s dashboard, reports and logs make it easy to monitor every user, on As a cloud-based solution, it’s easy to provision new users and protect Duo’s Service Level Agreements (SLA) guarantees a 99.99% uptime and is

any device, anywhere, so you can identify security risks before they lead new applications with Duo as your company grows, because there are distributed across multiple geographical locations for a seamless failover.

to compromised information. Get visibility into authentication attempts, no limits or additional charges per application. We believe that if you’re Duo is maintained independently from your systems, keeping you safe

including data on IP addresses, anonymous networks, blacklisted protecting a user’s access to your most important applications, you even in the event of a breach.

countries and more from Duo’s admin panel. shouldn’t be penalized or charged more to protect them everywhere.

Easily onboard new users with Duo’s self-enrollment, bulk enrollment or

Duo gives you complete visibility and helps you inventory every endpoint
Active Directory synchronization options.
accessing your applications and provides data on operating system,

platform, browser and plugin versions, including passcode, screen lock, full There are a variety of ways Duo’s 2FA can work. You can use a

disk encryption and rooted/jailbroken status. You can easily search, filter smartphone, landline (such as your office or home phone), tablet or

and export a list of devices by OS, browser and plugin, and refine searches hardware token. Authentication methods include mobile push, biometrics,

to find out who’s susceptible to the latest iOS or Android vulnerability. time-based one-time passcodes, bypass codes, security tokens, SMS

passcodes and callback.

Duo Trust Monitor analyzes real-time authentication data to create a

baseline of normal user behavior at the point of login. Once Duo Trust Learn about User Provisioning.

Monitor observes these access patterns, it surfaces risky logins to help

the security team identify suspicious activity and aid in the investigation of

compromised accounts.

Duo gives you insight into the security posture of both

corporate and personal devices used to connect to
company applications and services.
16
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Strategic Business Initiatives

CLOUD ADOPTION BRING YOUR OWN DEVICE (BYOD) - VALIDATION AND COMPLIANCE
By leveraging a scalable cloud-based platform rather than relying on REMOTE WORK PROTECTION Duo’s full-time security team is experienced in running large-scale systems

on-premises hardware requiring setup and costly maintenance, Duo The Duo Mobile app (iOS, Android) and the Device Health app (Windows, security, and comprises top mobile, app and network security experts.

can be deployed rapidly; and it’s easy to scale with your growing users MacOS) are BYOD-friendly for remote access and can be used on many Duo’s operational processes are SOC 2 compliant. Duo’s two‑factor

and applications. Duo also supports SAML cloud apps via secure single different devices. Duo can maintain your device inventory so you have authentication cryptographic algorithms are also validated by NIST

sign‑on, including Google Apps, Amazon Web Services, Box, Salesforce clear visibility into what device is connecting, when and from where. Users and FIPS. Duo has achieved ISO (the international security standard)

and Microsoft Office 365. can download the app on their personal device without enrolling in device 27001:2013, 27017:2015 & 27018:2019 Certification.

management solutions, ensuring user privacy.

Duo can also help your business meet various compliance requirements
WORKFORCE PRODUCTIVITY
Since 2020, working remotely has evolved from an office perk to a priority, and regulatory framework guidelines. Duo Push satisfies Electronic
Duo provides a better end user experience for accessing applications by
Duo Push can reduce the risk of automated credential theft by more Prescription of Controlled Substance (EPCS) requirements for two-factor
reducing workflow friction and increasing workplace productivity. Duo
than 99% (other methods Duo supports can be less effective, like SMS authentication in the healthcare industry, while Duo’s one-time passcodes
offers low-friction authentication methods such as Duo Push, biometrics
authentication). The Department of Homeland Security recommends MFA meet FIPS 140-2 compliance for government agencies.
and FIDO security keys. Duo also offers the ability to apply intelligent
as a crucial cybersecurity preventative measure.
policies to reduce how often a user is prompted to authenticate, using
Duo Federal Editions are built to enable customer compliance with FIPS
features such as remembered device. Together, this enables a productive
140-2 compliant authentication standards and align with National Institute
MONITORING AND REPORTING
work environment without compromising on security.
of Standards and Technology (NIST) SP 800-63-3 guidelines. Duo Federal
Duo’s detailed user, administrator and telephony security logs can be
editions meet Authentication Assurance Level 2 (AAL2) with Duo Push
easily imported into a security information and event management
or Duo Mobile Passcode for both iOS and Android devices out of the box
(SIEM) tool for log analysis, or viewed via Duo’s Admin API for real‑time
and by default with no additional configuration required. Duo also supports
log access. In addition, Duo Trust Monitor employs machine learning
AAL3 authenticators such as the FIPS Yubikey from Yubico.
and behavioral analytics to simplify risk detection in case of anomalous

login activity.
Duo Device Trust enables organizations to check and enforce the device

security and compliance posture prescribed by standards such as

PCI‑DSS, HIPAA and the NIST cybersecurity framework.

Duo’s security team includes some of the world’s foremost experts in Learn more about Security & Reliability

modern mobile, application and network security research and technologies.

17
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Total Cost of Ownership (TCO)

While traditional security products require on-premises software or hardware hosted in a data center, Duo offers security in a software as a

service (SaaS) model through a cloud-based platform.

NO UPFRONT COSTS Other solutions may appear to come with a lower price tag, but the layers

With Duo’s two-factor authentication, you get the most upfront value with no hidden costs such as upfront, capital, licensing, support, maintenance, of hidden costs can add up fast, rapidly tripling TCO and offering less

operating and many other unforeseen expenses over time. Duo offers a simple subscription model priced per user, billed annually, with no extra fees for value overall. With Duo’s 2FA, you get the most upfront value with no

new devices or applications. hidden costs, including:

+ Easy deployment with the help of Duo’s drop-in integrations for + Conext leveraged from endpoint security agents and device ADMINISTRATIVE SOFTWARE/HARDWARE
all major apps and APIs, and an administrative panel for user and management systems Duo’s subscription-based model eliminates hefty software licensing fees

solution management + Self remediation to ensure devices meet your security requirements and includes administrator management tools, meaning there’s no need to

+ Automatic application updates, with patch management, maintenance + Insight on user login behavior in your environment and the ability to flag pay for top-dollar management software to use it.

and live support at no extra cost anomalous login attempts

+ Advanced features that let you customize policies and controls, as well + First steps on the journey to eliminate passwords and improve security AUTHENTICATORS
as get detailed device health data with passwordless authentication Users can download the Duo Mobile app to any device, eliminating the

+ A secure single sign-on (SSO) and authentication solution in one need to shell out for a fleet of devices to deploy to your workforce. Duo

also offers several authentication methods based on specific use cases;

along with mobile push, end users can authenticate via U2F, biometrics,

tokens, passcodes and more.

NO DATA CENTER COSTS

Because Duo is cloud-based, you don’t need to buy servers and absorb all

Other solutions may appear to come with of the costs that come with running a data center.

a lower price tag, but the layers of hidden

costs can add up fast, rapidly tripling TCO
and offering less value overall.
18
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

HIGH-AVAILABILITY CONFIGURATION PATCHES, MAINTENANCE & UPGRADES BUDGET CONSOLIDATION

Where some vendors require you to purchase additional licenses for Duo offers automatic application updates, with patch management, With Duo, you can replace the need for multiple different hardware

business continuity and high availability, Duo offers high availability maintenance and live support at no extra cost. and software security solutions that solve for isolated use cases, like

configuration, disaster recovery and data center management tools authentication, network access control, endpoint security, vulnerability

without busting your budget. ADMINISTRATIVE MAINTENANCE assessment tools, etc. with a single cloud service that provides

Duo makes routine tasks like adding new users, revoking credentials or two-factor authentication, device trust, single sign-on and

DEPLOYMENT & CONFIGURATION replacing tokens quick and easy, meaning your administrative resources adaptive policies and controls.

Duo makes deployment and configuration a snap. Your in-house resources won’t have to do another full-time job to maintain your Duo deployment.
Duo’s trusted access solution provides a comprehensive security platform
can install, test and troubleshoot Duo in just minutes.
that eliminates the need — and budget — for many disparate access
SUPPORT & HELPDESK
management tools that may prove difficult to fully integrate. The value is
END USER ENROLLMENT Duo has an extensive library of free resources to answer any and all
in consolidation, filtering out as much noise as possible and leveraging
With Duo, end user enrollment is a breeze — end users can simply questions you may have. Duo also offers live support at no extra cost, and
a comprehensive dashboard that gives a bird’s-eye view along with the
download the Duo Mobile app for free, enrolling themselves to get started with Duo Care premium support, you can receive 24/7 white glove service
ability to quickly assess granular details where attention is needed.
with Duo in seconds. for a small fee.

ADMINISTRATIVE SUPPORT
Duo offers easy deployment with the help of drop-in integrations

for all major apps and APIs, and an administrative panel for user and

solution management.

Duo is flexible enough to scale quickly, letting you easily add

new apps, users, or change security policies as you grow.
19
I NTR O D U C TI O N S EC U R IT Y I M PAC T STR ATE G I C I N ITI ATI V E S C O ST O F OW N E R S H I P TI M E TO VA LU E R EQ U I R E D R E S O U R C E S TH E D U O A DVA NTAG E

Time to Value Required Resources Dedicated, Responsive Support

To answer your questions before, during and after your Duo deployment,
PROOF OF CONCEPT APPLICATION SUPPORT
you can count on our fully staffed, in-house Duo Support team.
Duo lets you try before you buy, helping you set up pilot programs before Some two-factor solutions require more time and personnel to integrate

deploying to your entire organization, with extensive documentation with your applications, whether on-premises or cloud-based. Check Our responsive support team members have the security expertise to

and knowledge articles to help guide you through the evaluation stage. that they provide extensive documentation, as well as APIs and SDKs quickly assist you with any specific integration needs. Duo’s customer

View Duo’s documentation. so you can easily implement the solution into every application that your support service is included with your solution at no extra charge, with no

organization relies on. support contracts required. In addition, we offer extensive knowledge base

DEPLOYMENT articles to help troubleshoot and quickly fix known issues.

For faster and easier deployment, Duo provides drop‑in integrations for USER & DEVICE MANAGEMENT
Our end-user guide and detailed documentation are frequently updated
all major cloud apps, VPNs, UNIX and MS remote access points, as well Duo’s administrative panel allows admins to support users and devices
and helpful resources available on Duo.com. For more advanced
as support for web SDK and APIs. Quickly provision new users with bulk using one centralized dashboard. Log into the web-based portal to
deployments and specific SLA requirements, we provide Duo Care,
enrollment, self-enrollment, Microsoft Active Directory synchronization, or manage user accounts and devices, generate bypass codes, add phones
a premium customer support service with extended coverage and a
with the use of Duo Access Gateway for cloud-based applications. to users and more.
dedicated Customer Success team.

ONBOARDING & TRAINING USERS MAINTENANCE

The Duo Customer Success team equips you with everything you need
Duo’s authentication app, Duo Mobile, allows users to quickly download As a cloud-hosted solution, Duo covers the infrastructure and maintenance,
to roll out your Duo deployment, including a customized launch kit to help
the app onto their devices, while a self-service portal also lets users letting you focus on your core business objectives. Because security and
with security policies, user training, solution architecture design and more.
manage their own accounts and devices via an easy web-based login, other updates are rolled out frequently and automatically to patch for the

reducing help desk tickets and support time. latest vulnerabilities, you don’t need to hire a dedicated team to manage it. Duo is flexible enough to scale quickly, letting you easily add new apps,

Duo’s solution is flexible enough to scale quickly, letting you easily add new users, or change security policies as you grow.

applications, users or change security policies as needed.

Duo increased our security and was an easy tool to deploy;

every organization should consider it immediately.”
Chad Spiers
Director of Information Security, Sentara Healthcare

20
Secure Everything,
Everywhere.

At Duo, we combine security expertise with a user-centered philosophy Duo Security makes security painless, so you can focus on what’s Duo Security, now part of Cisco, is the leading multi-factor authentication

to provide two-factor authentication, endpoint remediation and secure important. Duo’s scalable, cloud-based trusted access platform (MFA) and secure access provider. Duo comprises a key pillar of Cisco

single sign-on tools for the modern era. It’s so simple and effective, you addresses security threats before they become a problem, by Secure’s Zero Trust offering, the most comprehensive approach to

get the freedom to focus on your mission and leave protecting it to us. verifying the identity of your users and the health of their devices securing access for any user, from any device, to any IT application or

before they connect to the applications you want them to access. environment. Duo is a trusted partner to more than 25,000 customers
Duo is built on the promise of doing the right thing for our customers
globally, including Bird, Facebook, Lyft, University of Michigan, Yelp,
and each other. This promise is as central to our business as Experience advanced two-factor authentication, endpoint visibility, custom
Zillow and more. Founded in Ann Arbor, Michigan, Duo also has
the product itself. Our four guiding principles are the heart of user policies and more with your free 30-day trial. You’ll see how easy it is
offices in Austin, Texas; San Francisco, California; and London.
the sensibility: Easy, Effective, Trustworthy, Enduring. to secure your workforce, from anywhere on any device with Duo 2FA.

Duo.com