Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
IT Technology

Duo Goes Passwordless (techcrunch.com) 32

Duo, the authentication service Cisco acquired for $2.35 billion in 2018, today announced its plans to launch a passwordless authentication service that will allow users to log in to their Duo-protected services through security keys or platform biometrics like Apple's Face ID or Microsoft's Windows Hello. The infrastructure-agnostic service will go into public preview in the summer. From a report: "Cisco has strived to develop passwordless authentication that meets the needs of a diverse and evolving workforce and allows the broadest set of enterprises to securely progress towards a passwordless future, regardless of their IT stack," said Gee Rittenhouse, SVP and GM of Cisco's Security Business Group. "It's not an overstatement to say that passwordless authentication will have the most meaningful global impact on how users access data by making the easiest path the most secure." If you're using Duo or a similar product today, chances are that you are using both passwords and a second factor to log into your work applications. But users are notoriously bad about their password hygiene -- and to the despair of any IT department, they also keep forgetting them.
This discussion has been archived. No new comments can be posted.

Duo Goes Passwordless

Comments Filter:
  • by bmimatt ( 1021295 ) on Tuesday March 30, 2021 @01:51PM (#61218054)

    We definitely need more centralization of such things like authentication.

    Looking forward to the day, when we need to authenticate and get permission from FB/Apple/Goog/$whatever account to drive a car to pick up a carton of milk.

    • We definitely need more centralization of such things like authentication.

      Looking forward to the day, when we need to authenticate and get permission from FB/Apple/Goog/$whatever account to drive a car to pick up a carton of milk.

      Check the "Verizon" SSO. I always click "I'll do this later" if later means slightly after the Sun goes out.

      • Check the "Verizon" SSO. I always click "I'll do this later" if later means slightly after the Sun goes out.

        I really wish those sites also had an "I'll do it never" button...

        • Check the "Verizon" SSO. I always click "I'll do this later" if later means slightly after the Sun goes out.

          I really wish those sites also had an "I'll do it never" button...

          I'd prefer "Never ask me again" which I may or may not click

    • It's not necessarily "centralized" if done right. If this is certificate based, then anyone can use the public certificate while the user keeps the private certficate hidden. This is vastly better than the archaic password method of authentication, and any sort of password or biometrics would be used only to accesss the private cert on the local device. If you hack the site that has the public certs you don't get any private info.

      What is centralized would be any company that says "we will authenticate yo

  • So I can cut some head off and then login to there systems?

  • 2FA (Score:5, Insightful)

    by nuckfuts ( 690967 ) on Tuesday March 30, 2021 @01:55PM (#61218066)

    If you're using Duo or a similar product today, chances are that you are using both passwords and a second factor to log into your work applications. But users are notoriously bad about their password hygiene...

    That's the entire point of 2 factor authentication. Passwords alone aren't good enough. However, they're still a barrier to some degree. I don't see how getting rid of passwords entirely is going to be much better. At least it's something the user can control. I can change my password at any time. What happens if I start using biometrics, for example, instead of a password? I can't very easily change my fingerprint or my iris scan. So I would really need to trust anyone I allowed to use my biometrics.

    • I don't see how getting rid of passwords entirely is going to be much better.

      Depends on who you're talking about. You (probably) aren't protected under the 5th Amendment in the USA using Security Keys and Biometrics, so they're better for Law Enforcement ...

      Personally, I wouldn't use Apple's Face ID or Microsoft's Windows Hello -- or other similar -- even if you/they paid me.

    • Agreed. "Passwordless" almost always actually means replacing a the service-specific password with a device-specific password (almost any device that can currently be unlocked by biometrics can also be unlocked by a passcode of some kind as a backup, and Duo currently largely works by asking you to tap "yes" on your smartphone within a short time window to authenticate.) So if there is already one factor needed to unlock the device, why require a third in addition to possession of the device and the facto

      • by Bengie ( 1121981 )
        Google already has a case study of their 100k+ employees and has shown that passwordless security keys have reduced overall IT support by over 70%. This goes beyond just passwords. This also affects hack attacks like phishing. Once you realize indirect benefits, it's a huge win.
  • by DontBeAMoran ( 4843879 ) on Tuesday March 30, 2021 @02:01PM (#61218086)

    Duo Goes Passwordless

    Duo, the authentication service Cisco acquired for $2.35 billion in 2018...

    First of all, thank you for telling us what it is at the very beginning of the summary.

    Secondly, WTF kind of name is "Duo" for an authentication service, and can companies please stop using and registering/trademarking common Microsoft Word(TM)s for their stupid products?

    • by 93 Escort Wagon ( 326346 ) on Tuesday March 30, 2021 @02:13PM (#61218122)

      Secondly, WTF kind of name is "Duo" for an authentication service, and can companies please stop using and registering/trademarking common Microsoft Word(TM)s for their stupid products?

      Some companies Excel at that. They must have Teams of people generating Sheets full of possible names - it shows a lot of Drive.

      • Secondly, WTF kind of name is "Duo" for an authentication service, and can companies please stop using and registering/trademarking common Microsoft Word(TM)s for their stupid products?

        Some companies Excel at that. They must have Teams of people generating Sheets full of possible names - it shows a lot of Drive.

        I think you missed a Word

    • I'm so used to the Duo, the Duolingo owl, harassing me that when I read the headline I thought it was time to practice German.
  • But one would hope they'd still allow password-based access as a backup. To pull a crazy far-out example out of the air, what if most people, oh I don't know... started having to wear masks and their FaceID stopped working?

    On my phone, Bitwarden lets me use my thumbprint as an alternative authenticator (I have to choose to enable that, which is the right way for that to work in my opinion) - but I could still type my long-ass vault password in, if I needed to. Same with my banking app.

  • Solar Winds might start providing this, too. Centralized authentication hasn't even hit its stride yet.
  • I interviewed there about 6 years ago, place was for tools.

    I was in the process of interviewing with Bloomberg for some serious coin in NYC and Doug their CEO literally told me a bunch of bald-face lies about one of their other guys who went to WallStreet and got screwed.

    He tried to tell me I would be better off in Ann Arbor making 150K than over in NYC making 300+. Kept bragging how smart they were to write an OpenSSH Auth module for 2-factor.

    Ended up deciding before lunch was over I wasn't interested so I

  • by fahrbot-bot ( 874524 ) on Tuesday March 30, 2021 @02:25PM (#61218152)

    Cisco's newly acquired two-factor authentication service "Duo" will be renamed "Uno" as they move to a single-factor authentication method of either security keys or biometrics -- to make things easier for people (and Law Enforcement).

  • by TeddyRick ( 6515134 ) on Tuesday March 30, 2021 @02:29PM (#61218166)
    I thought this meant Duolingo was not going to require a password ending years of phone calls from my mother telling me she is "locked out and need to get in before my 138 day consecutive streak of doing my Italian is going to end"

    Then I read with a bit more care and well.. my mom is calling.. gotta go.
  • Slow news day obviously...

  • There are issues that keep coming up that have yet to be resolved that seemingly keep being ignored.
    I cannot change my bio-metrics and those hardware keys are way too expensive.
  • Passwords alone are only a problem if you are exposed to the internet for everything (dumb and lazy) or you don't trust your own people not to try to crack into each other's accounts.

    2FA doesn't solve the second problem, especially if it's your admins you don't trust (cough Snowden cough). But it does make you more dependent on yet another vendor's shit always working properly and them trusting their sysadmins.

    But that's not how phbs think. They see marketing material promising ouchless security and they be

    • Passwords alone are only a problem if you are exposed to the internet for everything (dumb and lazy) or you don't trust your own people not to try to crack into each other's accounts.

      Or if you are exposed to people walking into / tailgating your employees into the building and mess with your computers. Happened a few times already with ransomware attacks.

      2FA doesn't solve the second problem

      It mitigates the problem of people (for innocent or nefarious reasons) sharing account credentials with each other. If your 2nd auth factor is a corporate badge (to be worn visibly at all times and also opens the doors etc), account sharing becomes a lot less practical. With an added bonus if you use card reading keyboards that auto-

  • by Anonymous Coward
    Given Cisco's track record with password security (their products have hundreds of CVEs against them for hard-coded passwords) I think I'll pass on any authentication service offered by them. If anything they've proven they're experts on what not to do.
  • Guess scammers/hackers will find a good use for deepfakes now lol
  • But users are notoriously bad about their password hygiene

    I resent that. I drop a Duo every morning. Sure I'm a but user. There is no way I dont clean up after. Did you ever pinch a loaf and not wipe? It gets pretty nasty back there real fast, and burns and itches. I would bet most people that use there buts to poo are good about there hygene.

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...