1 Introduction
Authentication is at the heart of securing access to devices and systems. Once a digital identity and credential are established for a user, an authentication system will use that identity credential to validate the user before they can gain access to the applications or other resources they are attempting to use.
How well an identity credential can be trusted is measured by its Level of Assurance (LoA), which reflects the technologies and processes used in identity and credential creation. The LoA of user authentication can be increased by increasing the number of authenticating factors used when logging into a device. For example, a single authenticating factor may be a password, which is something you know. To increase the LoA of that credential, you can add a second authenticating factor such as something you have, like a mobile phone with a secure application installed that receives an out-of-band push notification as verification. A third type of authenticating factor can verify a biometric aspect of who you are by using things like fingerprint readers, retina scanners or voice recognition applications, to name a few of the most popular biometric verification methods. Using more than one authentication factor is what is known as Multi-Factor Authentication (MFA).
Using only a single factor such as a password is the weakest form of authentication and is strongly discouraged when accessing more sensitive resources. By adding a second authenticating factor, you can significantly increase the assurance that a user is who they say they are. Two-Factor Authentication (2FA) can provide the LoA for most organizations’ authentication needs.
As organizations start to move from a perimeter-based security model to a perimeterless one, greater emphasis will be placed on what you know about the user and the devices they use. The vetting of users and their identity metadata is readily handled by well-established security guidelines reflected in an organization’s policies, processes, and procedures, but knowing the state of a user’s device has not been given as much attention. Better insight into a user’s device is needed to reduce the risk of attacks through, for example, the vulnerabilities exposed by out-of-date versions of software.
Some desired features of a 2FA solution include:
- Support for multiple types of authenticating form factors
- Simple user onboarding process and user management
- Easy-to-use administration functions and integration tools
- User and device metric reporting
- Security risk reduction capabilities
- Ability to improve user experience through ease of use
Duo Security is a privately held company based in Ann Arbor, MI, with offices in San Mateo, CA; Austin, TX; and London, UK, employing over 500 team members. Founded in 2010, Duo Security has grown significantly, more than doubling its annual recurring revenue (ARR) for the last four years in a row. Its products are used by more than six million users in over 100 countries. Duo has over 10,000 customers using its products, in sectors that include finance, government, security, travel, consumer, TV/Mobile, and cloud technology.