
    Cisco Duo MFA Solution in Practice

    Date: 20.09.2022

    Author: Marcin Biały
    Category: Security


    According to Verizon in their 2022 report, over 82% of security incidents were related to human-side negligence, such as password leaks or phishing. Moreover, the passwords being stolen have various lengths and degrees of complexity. Given the scale of leaks and the improvements in the methods used by malicious actors, it is not that difficult to see even a strong password surface somewhere, and from there it takes only one extra step to use it in a dictionary attack.

    Whether we’re talking about the surfacing of a password safeguarding access to a social media app, web store, or company’s finances or manufacturing systems, the results can be disastrous.

    What can we do, if logging in with a username and a password is not enough for the safe use of IT systems? We should start thinking of alternative ways of securing access to the company’s assets, especially when we connect to them from home offices more and more often.

    45% of business app access requests come from outside their headquarters.

    – 2019 Duo Trusted Access Report 

    Multi-Factor Authentication (MFA) comes to the rescue. It enables the use of an additional factor during the authentication process to confirm the identity of a user. The general idea behind MFA is the use of something that a user owns, external to the thing that they already know (a password). The thing that a user has forces a physical interaction on them, and this allows unequivocal confirmation of their identity at a given time.

    How Does Multi-Factor Authentication Work?

    Multi-Factor Authentication (MFA) is already a well-known approach to making the authentication process more secure. The aim of this type of authentication is to provide an additional level of security, in which a user being authenticated has to prove their identity by means of various, independent factors.

    The MFA paradigm involves the user confirming their identity by entering information that they know (e.g. user credentials) and then providing information based on something that they own (e.g. a hardware or software token). This procedure increases the likelihood that the authentication is genuine and gives confidence that it is not fraudulent.

    In a hypothetical scenario, a malicious actor could obtain the authentication data of a user by spying, bugging or guessing, regardless of whether the password is sufficiently strong. The MFA service makes such attacks more difficult, as the malicious actor does not own the second authentication factor. A second (or third) factor can take various forms, for example physical, app-based, connected or standalone. It can be a physical or logical token, a phone call, a text message or a push notification.

    Figure: Cisco MFA solution Cisco Duo (source: https://duo.com/product/multi-factor-authentication-mfa)

    How Does the Second Factor Authentication Work?

    Let’s go over some popular types of various authentication factors.

    Login Credentials

    The most popular – users know their username and password, and enter them during authentication.

    Certificates

    Another popular factor – users are registered with their personal certificates and use an X.509 certificate structure for authentication. If you’d like to learn about the certificate authentication process in detail, read about the ITU standards.

    Tokens

    A token provides a one-time password that changes after a set period of time, e.g. every 60 seconds. The One-Time Password (OTP) is displayed by a token that is kept synchronized with a reference server, often called a token server. Synchronization takes place between the internal token clock and the token server clock, so that both sides generate the same pseudo-random number using the OATH algorithm or another variant of an OTP generation algorithm. Tokens can be hardware (e.g. RSA SecurID hardware) or software (e.g. iOS or Android mobile apps). The drawback of tokens is that they are expensive to deploy.
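    To make the clock synchronization and the OATH generation step concrete, here is an added example (Python code written for this article, not code from the original post, from Duo or from any token vendor) of an OATH token: HOTP per RFC 4226 and TOTP per RFC 6238, plus the token-server check with a drift window. The seed is the RFC test-vector seed, not a real token secret, and the 60-second step used in `demo()` is an assumption matching the text; most deployed tokens use a 30-second step.

```python
"""
Added example: an OATH one-time-password token (RFC 4226 HOTP, RFC 6238 TOTP)
and the matching server-side verification.  Token and token server derive
the same code from a shared seed and the current time step; the verifier's
window tolerates a few steps of clock drift between the two clocks.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 published test-vector seed (ASCII "12345678901234567890").
# Constructed for the example; a real token seed is a random secret.
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: HMAC-SHA1(secret, counter) followed by dynamic truncation."""
    msg = struct.pack(">Q", counter)  # counter as 8-byte big-endian integer
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the HOTP counter is the number of whole steps since the epoch."""
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, code: str, now: float, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Token-server side: accept the code for the current step or any step
    within +/- `window`, which absorbs drift between token and server clocks.
    Comparison is constant-time so timing does not leak the expected code."""
    current = int(now // step)
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True
    return False


def demo(step: int = 60) -> str:
    """Token side: show the code for the current 60-second window (assumed period)."""
    now = time.time()
    code = totp(SEED, now, step=step)
    print(f"code {code}, valid for about {step - int(now % step)} more seconds")
    return code


if __name__ == "__main__":
    demo()
```

    Because the server holds the same seed, the seed database is as sensitive as the password store; the window should stay small (one or two steps), since every extra step widens the set of codes the server will accept.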

    Hardware token

    Software token

    Push Notifications

    The method of push notifications is a good choice for large deployments (often more affordable than hardware tokens), where a user is actively prompted by the mobile app to confirm or deny authentication. This method is used in combination with a smartphone with an installed mobile app. We use this kind of authentication factor in our case study.

    Cisco Duo MFA push notification

    SMS Codes

    Another type of factor is sending an SMS code that a user has to enter for authentication when prompted. This process requires an SMS gateway.

    Callback

    Some solutions on the market enable “callbacks”, which are placed automatically once the first factor has been passed. The user confirms by pressing the requested key after answering the phone call. This method works well for offline users, such as those who do not use smartphones.

    The Duo Security Solution Allows You to Use All of the Channels Above.

    When is MFA Worth It in Corporate Systems?

    VPN Remote Access – Scenario #1

    The first architecture and scenario that is often used by IT teams is VPN Remote Access. It routes an encrypted tunnel between the remote worker and the company’s intranet. This solution enables the worker to use the systems in the same manner as they would in the office.

    By adding Multi-Factor to the authentication process, we allow for the integration of an alternative confirmation channel.

    The scenario involves the use of a Duo Proxy component which, upon correct authentication against a directory such as Active Directory, sends Duo Cloud a request for confirmation by an alternative channel. When the user enters their user name and password, they immediately receive a request for confirmation over the other channel; once confirmed, the encrypted Remote Access tunnel that enables remote work is established automatically.

    Duo Network Gateway – Scenario #2

    If we lack sufficient VPN Remote Access resources, we can use access based on Duo Network Gateway. It’s a scenario that is often used for granting access to workers, contractors, partners or business customers. The Duo Network Gateway component is a proxy server that helps authenticate the attempt to access an internal app with a second factor. What does it look like?

    1. The user opens a web session to Duo Network Gateway over HTTPS (an encrypted session in the browser).
    2. Next, the user selects the internal application that they wish to use.
    3. Network Gateway sends Duo Cloud a request to authenticate the user with a second factor.

    Duo Network Gateway can also be used for SSH access, i.e. in cases where system admins, DevOps engineers or other specialists connect to our resources over the SSH protocol.

    They can do so without a VPN, using the lightweight Duo Connect app, which routes the SSH tunnel through the Network Gateway to the SSH server; the Network Gateway then queries Duo Cloud for the second authentication factor, just as with the web-based app.

    Duo Access Gateway – Scenario #3

    Unlike Network Gateway, the Duo Access Gateway does not transfer production traffic inline, but is used for authentication of a particular user session. It is used in Software as a Service type apps, e.g. Salesforce.

    1. In order to access the application, the user enters their login credentials.
    2. Integrated with Access Gateway, the app sends an authentication request.
    3. Access Gateway authenticates the user against an Active Directory-type repository and sends a request to Duo Cloud for second-factor authentication.
    4. Upon authentication with the second factor, the user automatically starts a session in the app.

    Duo Access Gateway scheme

    When Should I Use Duo Access Gateway?

    A popular option is using Active Directory or another user repository located on-premise or in cloud resources (e.g. Microsoft Azure or Google G Suite), and then using Duo Access Gateway within the authentication process, based on a Cloud Directory Provider.

    The mechanism itself works in the following manner:

    1. We log in to the app with user credentials and a password.
    2. The app sends Duo a request to confirm the authentication.
    3. Duo sends us back a push notification.
    4. We confirm and get authenticated in the app.

    The range of the most popular application picks is given at duo.com/docs#cloud.

    The entire portfolio is much more robust.

    Cisco Duo Licenses

    As you would expect from a cloud solution, Cisco Duo is a subscription-based product and has three license levels.

    MFA License – Basic

    · The MFA License allows you to enable the Duo Push functionality, i.e. the mobile app, as well as the One Time Password, Phone Call Back, SMS token and hardware token channels.

    · If you set up the phone callback authentication policy, you’ll also get one hundred phone credits per user, per year.

    · The MFA license lets us view, in Duo Cloud, the devices used for logging in.

    · You can create global policies and an authentication policy for a specific application.

    · You have access to Duo Access Gateway in the SaaS Single Sign On (SSO) app mode, as described in the Scenario #3.

    Access License

    · Includes all of the MFA features, and grants you insight into the state of computer and phone security.

    · It enables you to create global policies and per-app policies based on user groups. This lets you make access conditional on the Active Directory group to which the user belongs.

    · You can also amend your policies with elements, such as forcing OS updates if the user has a specific, outdated version.

    Beyond License

    · Has all the features of Access and MFA.

    · It is able to use information from the Antivirus and Anti-Malware agents. It can verify whether the end station has Windows Defender or Cisco AMP (Advanced Malware Protection) installed.

    · Beyond also enables you to identify devices and separate the company devices from private ones that have been imported to the system during the BYOD process.

    · You can integrate it with Microsoft Intune and other available MDMs (Mobile Device Management), i.e. software used for managing and securing the mobile devices working in the company network.

    Architecture #2 described above, the one that uses Duo Network Gateway, is available only with the Beyond license.

    Improve Security of Access to Your Key Assets

    With the use of multi-factor authentication, the user is relieved of the obligation to remember long and complicated passwords. In practice, it eliminates the issue of writing down long and complicated passwords on post-its, or using one password everywhere, where possible.

    Want to see how Cisco Duo would handle your access scenario? Book a non-committal call, during which our engineers will show you more scenarios and abilities of Duo Security.

    Author

    Marcin Biały

    Marcin Biały is a Network and Security Architect with over 14 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Leading Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.
