Don't Miss Duo's Big Unveil: See What Attackers Will Hate & Users Will Love
[Music] He can work alone. But we're the crew so much better. [Applause] [Music] A hacker is free. With Cisco, protecting your business from cyber attackers is simple. If it's connected, you're protected.
[Music] [Music] [Music] [Music] [Music] [Music] At Cisco, our purpose is to power an inclusive future for all. And in that future, mother nature has a voice. [Music] It's a new day for the new era. AI is everywhere. So are we. [Music] We have the infrastructure AI needs. And now the breath of data AI craves. We'll use AI to help the world
see more, do more, and we'll secure it like never before. You've all heard the AI hype. Now you want AI's help. That's exactly what we'll give you. Cisco, making AI work for
you. Where will you be in 5 years? Where will we be in 5 years? In 25? In 50? Let's be here and here with her and him and they. Let's connect them. Let's connect everyone. Let's deliver technology that gives them access to power opportunity. Let's set a new standard for data security and personal privacy. Let's change the
system. Promote equality and fairness in the workplace. Let's tear down the barriers to social justice for a more inclusive world. Let's clean house. Zero carbon. zero waste because the health of our family is tied to the future of our home. Let's gather resources and partners, steer toward our greatest challenges and accelerate for the benefit for all. Cisco has made it its purpose to power an inclusive future for all. Where will we be in 50
years? Let's go see. Cisco, the bridge to possible. At Cisco, we believe inclusion isn't just the right thing to do. It's the innovative thing to do. Because every invention, every improvement, every achievement, every small step and giant leap inside our company and in the history of the world started when a different perspective was invited, a different voice was elevated, a different opinion was accepted. To us, inclusion is progress. And it's why we're reimagining
how people come together. Changing the system, tearing down barriers, respecting and honoring each other's identities, promoting equality and fairness, using technology to create more opportunities, empowering a more inclusive future for each other, for good, for all. A hacker doesn't always look like a hacker. [Music] The hacker's at home, everywhere. [Music] A hacker comes in many forms. [Music] He's interested in everything.
He can work alone. But with a crew, it's so much better. [Music] A hacker is free. With Cisco, protecting your business from cyber attackers is simple. If it's connected, you're [Music] protected. Heat up [Music] [Music] here.
[Music] [Music] [Music] At Cisco, our purpose is to power an inclusive future for all. And in that future, mother nature has a [Music] voice. It's a new day for the new era. AI is everywhere. So are we. [Music] We have the infrastructure AI needs and now the breath of data AI [Music] craves. We'll use AI to help the world see more, do more, and we'll secure it like never before.
[Music] You've all heard the AI hype. Now you want AI's help. That's exactly what we'll give you. Cisco, making AI work for you. Where will you be in 5
years? Where will we be in 5 years? In 25? In 50? Let's be here and here with her and him and they. Let's connect them. Let's connect everyone. Let's deliver technology that gives them access to power opportunity. Let's set a new standard
for data security and personal privacy. Let's change the system. Promote equality and fairness in the workplace. Let's tear down the
barriers to social justice for a more inclusive world. Let's clean house, zero carbon, zero waste. Because the health of our family is tied to the future of our home. Let's gather resources and partners, steer toward our greatest challenges, and accelerate for the benefit for all.
Cisco has made it its purpose to power an inclusive future for all. Where will we be in 50 years? Let's go see. Cisco, the bridge to possible. At Cisco, we believe inclusion isn't just the right thing to do, it's the innovative thing to do. Because
every invention, every improvement, every achievement, every small step and giant leap inside our company and in the history of the world started when a different perspective was invited, a different voice was elevated, a different opinion was accepted. To us, inclusion is progress. And it's why we're reimagining how people come together, changing the system, tearing down barriers, respecting and honoring each other's identities, promoting equality and fairness, using technology to create more opportunities, empowering a more inclusive future for each other, for good, for all. A hacker doesn't always look like a hacker.
[Music] A hacker's at home. Everywhere. [Music] A hacker comes in many forms. [Music] He's interested in everything. He can work alone.
But with the crew, it's so much better. [Music] A hacker is free. With Cisco, protecting your business from cyber attackers is simple. If it's connected, you're [Music] protected. Heat. Heat.
[Music] [Music] [Music] [Music] at Cisco. Our purpose is to power an inclusive future for all. And in that future, mother nature has a [Music] voice. It's a new
day for the new era. AI is everywhere. So are we. We have the infrastructure AI needs and now the breath of data AI craves. We'll use AI to help the world see more, do more, and we'll secure it like never before. You've all heard the AI hype. Now you want AI's
help. That's exactly what we'll give you. Cisco, making AI work for you. Where will you be in 5 years? Where will we be in 5 years? In 25? In 50? Let's be here and here with her and him and they. Let's connect them. Let's connect everyone. Let's deliver technology that gives them access to power, opportunity.
Let's set a new standard for data security and personal privacy. Let's change the system. Promote equality and fairness in the workplace. Let's tear down the barriers
to social justice for a more inclusive world. Let's clean house, zero carbon, zero waste. Because the health of our family is tied to the future of our home. Let's gather resources and partners, steer toward our greatest challenges, and accelerate for the benefit for all.
Cisco has made it its purpose to power an inclusive future for all. Where will we be in 50 years? Let's go see. Cisco, the bridge to possible. At Cisco, we believe inclusion isn't just the right thing to do. It's the innovative thing to do. Because every
invention, every improvement, every achievement, every small step and giant leap inside our company and in the history of the world started when a different perspective was invited, a different voice was elevated, a different opinion was accepted. To us, inclusion is progress. And it's why we're reimagining how people come together, changing the system, tearing down barriers, respecting and honoring each other's identities, promoting equality and fairness, using technology to create more opportunities, empowering a more inclusive future for each other, for good, for all. A hacker doesn't always look like a hacker. [Music] The hacker's at home everywhere. [Music] A hacker comes in many forms.
[Music] He's interested in everything. He can work alone. But with a crew, it's so much better. [Music] A hacker is free. With Cisco, protecting your
business from cyber attackers is simple. If it's connected, you're [Music] protected. Heat. Heat. [Music] [Music] [Music] [Music] At Cisco, our purpose is to power an inclusive future for all. And in that future, mother nature has a [Music] voice. It's a new day for the new era. AI is
everywhere. So are we. [Music] We have the infrastructure AI needs and now the breath of data AI craves. We'll use AI to help the world see more, do more, and we'll secure it like never before.
[Music] You've all heard the AI hype. Now you want AI's help. That's exactly what we'll give you. Cisco, making AI work for
[Music] you. Welcome everybody. My name is Matt Cfield, vice president of product for Duo and identity at Cisco. I'm here today with uh Chris Anderson, our Duo product CTO, and we're really excited for our news uh a major leap forward in innovation for Duo and for identity. If
you're watching this, you probably already know Duo, whether that's our award-winning Duo mobile experience or maybe you've adopted Duo for your company or your school. Either way, you're security conscious and you care about usability because that's what Duo is all about. And if you know Duo, you know that for the longest time, Duo has been known as just MFA, multiffactor authentication. We've helped add multiffactor or second factor off to everything from web applications to remote access VPN, the toaster ovens. But recently, something has changed. Attackers have gotten so good at stealing credentials, they no longer need to hack in. They simply log in.
They're using AI to accelerate the speed, the scale of their attacks through automation. And in 2024 alone, 60% of breaches started with identity and over 80% leverage stolen credentials. And I'll just give you one example, Matt. Attackers simply copy your sign on page. They host their own fake version to capture, you know, your username and your password of your users. That's
called fishing. And AI has made it easier than ever for attackers to execute. And if that wasn't bad enough, attackers now expect to run into MFA as well. And they know how to beat it.
We've seen a rise in techniques to bypass what was once the silver bullet adding second factor authentication. So Chris, you know, like it or not, traditional IM vendors have failed. You know, we've seen this onslaught of attacks and your choices in the market today are either insecure, too costly, or too complex to implement properly. We need a new path forward. So, I want you to meet the new Duo, Duo Identity and Access Management, or Duo AM for short. We believe in a few basic
principles. First, that your identity solution should be secure by default, not a feature that you need to turn on. Second, no passwords either on day zero or ever unless you really need them. Third, strong authentication. Strong MFA is included for all use cases. And finally, no additional cost for security features. No, no, hold on. Say the last
part one more time. No additional cost for security features. Wow. All right. It's a big deal. All right. So, with this announcement, we're launching significantly new capabilities to help organizations achieve security by default and a level of usability that your people will love, including security first identity, endto-end fishing resistance, and unified identity intelligence. All built on our award-winning worldclass user experience. So, now let's dig in.
Starting with security first identity. If you take away nothing else from this presentation, I want you to remember this. You can now run Duo standalone with our new Duo directory.
Additionally, our identity routing engine makes it possible to use Duo as your identity broker. And third, you can use Duo side by side an existing IDP for your contractors or third parties or other use cases. So, let's break this down. On the first piece, you can run Duo Standalone. We've added a complete
built-in directory custom attribute store so that Duo through Duo directory can serve as your one and only identity stack. Single sign on, user provisioning, all the basics that you need. But if that doesn't fit your environment or you're not ready to take the leap, that's fine. Duo can also now act as an identity broker in front of your existing identity systems to help provide a consistent security layer and a consistent user experience in complex environments with multiple IDPs. If
you've ever acquired a company or been acquired, you know how messy it can be to deal with these kinds of integrations. Or if you're ever worried about the problem of identity resiliency, we can do that too as a layer in front. Finally, if you don't want to go that far, you can put us in side by side with your primary IDP. Uh maybe for just a subset of your
user population, whether that's contractors, vendors, partners, third parties, whoever might not belong in your main directory. So, Duo now has with this announcement three deployment models for maximum flexibility. In fact, we've heard that Duo Directory was being put to the test at the Black Hat security conferences with testing in Europe as the primary IDP in Singapore and moving forward for Black Hat North America in August. But to speak to the real experience of using Duo, I want to bring in Ryan McClennon, security operations engineer, and Steve Frink, principal security architect for the black hat sock in the Knock. Ryan Frink, over to you. Thank you, Matt. Hello, everyone. My name is Ryan Mclennon and
I'm the uh Cisco architect and person that brings innovation uh from the Cisco side over to Black Hat. I'm mainly responsible for working with the Black Hat team around uh Duo and uh their IDP and right now I'm joined here with uh Steve Frink. Uh he's the principal architect at Black Hat. And our goal at
the uh black hat sock in the knock is to make sure that we provide a highly available and robust network while also providing our attendees with the uh best security uh possible. Originally we're doing some onrem solutions which was very annoying for us to manage. We'd have a ton of issues. It take a few hours sometimes even a day for us to get up and running uh that make sure everyone had access to everything that they should. Um, and then when we
swapped over to Duo Directory, um, it really significantly streamlined our process and brought our time from hours to minutes to making sure that everyone is able to get in, access the products that they're supposed to, and have the change control that we're looking for. It's always there. It's always on, uh, and it's ready for us every time we need to roll out a new Black Hat conference.
Yeah. And at each of these conferences, I know that we're having constant turnover of who's actually at it, who's administering a product, who needs access to be able to threat hunt using different products. We've really enjoyed using the uh Duo groups that are built in because we are able to map users to those groups and then those groups are then mapped to a specific role in the products. Some of the additional security benefits that we get is the behavioral analytics. So when a user is logging in, which we often do from other countries, uh that behavioral model understands and does a step up authentication request. Uh are you really in Europe? Are you really in Singapore? Uh and I believe it makes our identity stronger every day. At the
Black Hat Network Operation Center, uptime is the most important thing. Uh we also have to secure the attendee data. The attendee data nobody wants that to get out. Uh so we protect all of these things uh with Duo Duo MFA Duo SSO uh and now Duo directory. My dream is
everything through the Duo directory. I don't want to have to work with another onrem directory service again or a third party. I just want it all in one UI. It's nice. It's clean. Um, and it makes my life easy. Well, if that isn't enough, we're making life even easier for our admins with the new Duo AI assistant for identity. A built-in AI assistant in the Dual Admin Console that can help you simplify configuration if you're new to Duo.
set more effective policy for controlling access or accelerate help desk tasks like figuring out why a particular user is struggling to log in without having to click through and find that information within the admin console. So Chris, security first identity is great, but you know what about this fishing resistance piece? Um, specifically endtoend fishing resistance. What's that all about? First of all, what do we mean by endtoend fishing resistance? You may have heard of fishing resistant authentication. Uh
but end to end by end to end we mean that we've considered every aspect of the identity life cycle from enrollment to operating system login to application login midsession security and even help desk recovery use cases. Uh end toend fishing resistance ensures that your users are protected at every step along the way and not just at one point in their journey. And so let's take a specifically a deeper look at both OS login and application login. Achieving fishing resistance today typically requires rolling out expensive hardware keys to your workforce. This is especially true for authenticator assurance level 3 or or AL3 the strongest authentication defined by NIST. And while Duo is going to continue
to support 502 hardware keys, we want to give you a better alternative for less headache and a much lower cost. And that's where proximity verification comes in. We're using Bluetooth low energy or BLE between your laptop and your mobile phone to detect proximity to detect that they are near each other through a combination of trust we've established with your device. By virtue
of them being near each other and a biometric check on dual mobile, we now have an exceptionally robust combination of factors to prevent fishing. An attacker would literally need to be in the same room sitting next to you in order to access your account. But instead of talking about this, I would much rather just show you how this works. All right, so here I am at the login page of my Windows device. I'm going to go ahead and click sign in. And
if you're noticing, I am being prompted for Duo's passwordless OS login utilizing Duo Mobile. So, what you saw there is all I did was do a biometric check on that mobile device plus approved push and I'm allowed in. I did not type a single password. And here I am now on my Windows device. Now, to continue forward with my work, I need to access Chrome. And within Chrome, I'm going to access Duo Central, which is our Duos SSO launching pad to have access to applications. Now, what you notice
though is that I did not perform a single interactive authentication. Instead, I was taken right into Duo Central. The way that this works is through Duo Passport. I have do desktop installed on my machine and through do desktop we're able to use passport which brokers that strong authentication that occurred at the OS login level with do passwordless and I'm able to use that and broker the session right into Duo central without having to perform another authentication. Now for
my day job though I need to access Salesforce. Since Salesforce has some customer information in it, some PI about individuals as an organization we decided that users need to perform another interactive authentication. This is something that as an administrator you can decide for your users at a per application level whether or not you should broker that trust and continue it forward from passport or to force another interactive authentication. The interactive authentication that I just went through though is Duo through proximity verification which is our fishing resistant authentication method. The way that this works is that Duo connects to Duo Desktop's app and ensures that the request is coming from a legitimate website. Dual desktop advertises that single-use token or encrypted nods and dual mobile at the same time is scanning for Bluetooth devices nearby advertising that encrypted nods. If found, dual mobile
decrypts using its private key stored in a secure hardware which is tied to the user making the access request. If successful, proximity is established. The authentication device, my phone and this laptop are nearby each other. Once that proximity is established, there's the user is able to just complete the authentication with a dual push. So there you have it. end to end fishing
resistance starting at the OS login level with passless OS login utilizing passport to have a seamless access into applications and if needed being able to perform a fishing resistant authentication utilizing proximity verification. All right. So, with this feature, you get the same level of assurance as a 502 hardware key, but without the hassle of actually shipping keys and dealing with the overhead of managing them. You just turn it on. Okay, let's pick another aspect of the end journey. Say midsession security. Today, once you've established trust with your identity provider through authentication, like that's it.
You're done. You're good to go. But what if an attacker's installed malware on your device? They're able to scrape your session cookies and they're in now without having to ever steal, let's say, your username, your password, or go through any of that fancy MFA we just talked about. They're able to get into your account. But with Duo, we've gone cookieless. When you use Duo Desktop, instead of a cookie, we rely on a cryptographic challenge that can't be replayed by an attacker. The best way to
avoid session hijacking, let's just get rid of cookies. So that's exactly what we did. But if all else fails, right, uh there's this last piece and I want to give you one last line of defense and that's identity intelligence. You may already know that identity intelligence connects to your existing identity systems and it extracts information about your users, your machines, your service accounts, and so on. and it correlates that data into an identity graph that includes your users and their activity, your vulnerabilities, your threats, and so on. But with this release, we're also announcing the availability of our new user trust score. On its own, you can
use the trust score to identify users who need deeper inspection. And even bigger news is that we can now take this trust score and use it to drive differentiated policy across our Cisco security portfolio. Finally, we come to our worldclass user experience. This is my favorite part because this is where Duo Passport comes in which provides seamless access to all of your application. So, Matt, this is Duo's true solution to a true single signon experience. And as you saw in my demo earlier, Passport ensures that users authenticate once and they get on with the rest of their day. Whether
they're jumping between websites or VPNs or native applications, Passport is there to ensure a seamless trusted experience across every aspect of their day. Ultimately achieving our mission of frustrating attackers, not users. Thanks, Chris. I think to to sum things up, do IM is available today as part of our existing pricing tiers. It's identity you can trust. And if you want to know more, attend our virtual webinar on June 18th for a deeper dive. Or if you happen to be heading to Identiverse, come say hello. Stop by our Cisco booth and don't
miss my keynote on Thursday morning, June 5th. Thanks for tuning in. [Music] Heat. Heat. [Music] What if you could secure your IT infrastructure against 80% of breaches with just one product? If you're over AM providers who make security feel like a costly add-on, Duo is your answer. Duo redefineses identity and access management with a security first approach, making it the only AM solution built to enable security from day one instead of upcharging for clunky bolt-on functionality. The introduction of Duo Directory brings full identity provider functionality into that same secure foundation Duo was famous for. Now you
could say goodbye to lots of different tools or thirdparty identity providers that make identity expensive and complicated. Duo lets you manage and secure identity with one platform. Still tied to your existing directory? No problem. Duo routing rules give you precise control over how authentication flows and gives you a unified defense layer across your identity ecosystem, enabling strong security controls like fishing resistance, password list, and device trust. Duo even makes getting started easy with a guided migration path, automatic provisioning, and a built-in AI assistant to walk you through it all. So make your identity
and access management simpler and more secure from the start without any surprise costs with [Music] Duo. Where will you be in 5 years? Where will we be in 5 years? In 25 in 50? Let's be here and here with her and him and they. Let's connect them. Let's connect everyone. Let's deliver technology that gives them access to power opportunity. Let's set a new standard for data security and personal privacy. Let's change the
system. Promote equality and fairness in the workplace. Let's tear down the barriers to social justice. It's a new day for the new era. AI is everywhere. So are
we. We have the infrastructure AI needs and now the breath of data AI [Music] craves. We'll use AI to help the world see more. do more and we'll secure it like never before. You've all heard the AI hype. Now you want AI's help. That's exactly what we'll give
you. Cisco, making AI work for you. [Music] Where will you be in 5 years? Where will we be in 5 years? In 25? In 50? Let's be here and here with her and him and they. Let's connect them. Let's connect everyone. Let's deliver technology that gives them access to power opportunity. Let's set a new standard for data security and personal privacy. Let's change the system. Promote equality and fairness in
the workplace. Let's tear down the barriers to social justice for a more inclusive world. Let's clean house. Zero carbon, zero waste. Because the health of our
family is tied to the future of our home. Let's gather resources and partners, steer toward our greatest challenges, and accelerate for the benefit for all. Cisco has made it its purpose to power an inclusive future for all. Where will we be in 50 years? Let's go see. Cisco, the bridge to possible.
At Cisco, we believe inclusion isn't just the right thing to do. It's the innovative thing to do. Because every invention, every improvement, every achievement, every small step and giant leap inside our company and in the history of the world started when a different perspective was invited. A
different voice was elevated. A different opinion was accepted. To us, inclusion is progress. And it's why we're reimagining how people come together. Changing the system, tearing down barriers, respecting and honoring each other's identities, promoting equality and fairness, using technology to create more opportunities, empowering a more inclusive future for each other, for good, for all. A hacker doesn't always look like a hacker.
[Music] A hacker's at home everywhere. [Music] The hacker comes in many forms. [Music] He's interested in everything. He can work alone. But with the crew, it's so much better.
[Applause] [Music] A hacker is free. With Cisco, protecting your business from cyber attackers is simple. If it's connected, you're protected.
2025-06-01 04:54
