Duo Goes Passwordless (techcrunch.com)
Duo, the authentication service Cisco acquired for $2.35 billion in 2018, today announced its plans to launch a passwordless authentication service that will allow users to log in to their Duo-protected services through security keys or platform biometrics like Apple's Face ID or Microsoft's Windows Hello. The infrastructure-agnostic service will go into public preview in the summer. From a report: "Cisco has strived to develop passwordless authentication that meets the needs of a diverse and evolving workforce and allows the broadest set of enterprises to securely progress towards a passwordless future, regardless of their IT stack," said Gee Rittenhouse, SVP and GM of Cisco's Security Business Group. "It's not an overstatement to say that passwordless authentication will have the most meaningful global impact on how users access data by making the easiest path the most secure." If you're using Duo or a similar product today, chances are that you are using both passwords and a second factor to log into your work applications. But users are notoriously bad about their password hygiene -- and to the despair of any IT department, they also keep forgetting them.
That's great! (Score:5, Funny)
We definitely need more centralization of such things like authentication.
Looking forward to the day, when we need to authenticate and get permission from FB/Apple/Goog/$whatever account to drive a car to pick up a carton of milk.
Re: (Score:2)
We definitely need more centralization of such things like authentication.
Looking forward to the day, when we need to authenticate and get permission from FB/Apple/Goog/$whatever account to drive a car to pick up a carton of milk.
Check the "Verizon" SSO. I always click "I'll do this later" if later means slightly after the Sun goes out.
Re: (Score:2)
Check the "Verizon" SSO. I always click "I'll do this later" if later means slightly after the Sun goes out.
I really wish those sites also had an "I'll do it never" button...
Re: (Score:2)
Check the "Verizon" SSO. I always click "I'll do this later" if later means slightly after the Sun goes out.
I really wish those sites also had an "I'll do it never" button...
I'd prefer "Never ask me again" which I may or may not click
Re: (Score:2)
It's not necessarily "centralized" if done right. If this is certificate based, then anyone can use the public certificate while the user keeps the private certificate hidden. This is vastly better than the archaic password method of authentication, and any sort of password or biometrics would be used only to access the private cert on the local device. If you hack the site that has the public certs you don't get any private info.
What is centralized would be any company that says "we will authenticate yo
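The model described in the comment above, as an added example that is not part of the original thread and is not Duo's code: the server stores only public keys, and a login is a signature over a fresh one-time challenge. The class names, the `sso.example.test` origin and the origin binding are assumptions added for illustration; the sketch uses Node's built-in `crypto` module with Ed25519 keys.

```javascript
const crypto = require('crypto');

const ORIGIN = 'https://sso.example.test'; // constructed relying-party origin

// Server side: holds public keys and outstanding challenges, never a secret.
class Server {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('base64');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // single use: a replayed answer finds nothing
    const pem = this.publicKeys.get(user);
    if (!challenge || !pem) return false;
    const signed = Buffer.from(`${ORIGIN}|${challenge}`);
    return crypto.verify(null, signed, pem, signature);
  }
}

// Device side: the private key stays here; the local unlock (PIN or
// biometric) only gates its use and is never sent to the server.
class Authenticator {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  sign(origin, challenge, unlockedLocally) {
    if (!unlockedLocally) throw new Error('device locked');
    return crypto.sign(null, Buffer.from(`${origin}|${challenge}`), this.privateKey);
  }
}

function demo() {
  const server = new Server(), device = new Authenticator();
  server.register('alice', device.publicKeyPem);
  const sig = device.sign(ORIGIN, server.newChallenge('alice'), true);
  const ok = server.verify('alice', sig);
  const replay = server.verify('alice', sig);  // challenge already consumed
  server.newChallenge('alice');
  const stale = server.verify('alice', sig);   // old answer, new challenge
  const c = server.newChallenge('alice');
  // Signature made for a different (constructed) origin must not verify.
  const wrongOrigin = server.verify('alice', device.sign('https://login.example.invalid', c, true));
  const leaked = [...server.publicKeys.values()].some(p => p.includes('PRIVATE'));
  return { ok, replay, stale, wrongOrigin, leaked };
}
```

A dump of `server.publicKeys` gives an attacker nothing to sign with, which is the property the comment points to; the replay and stale cases show why the challenge must be fresh and single-use.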
So I can cut some head off and then login to their (Score:2)
So I can cut some head off and then login to their systems?
Re: (Score:2)
2FA (Score:5, Insightful)
If you're using Duo or a similar product today, chances are that you are using both passwords and a second factor to log into your work applications. But users are notoriously bad about their password hygiene...
That's the entire point of 2 factor authentication. Passwords alone aren't good enough. However, they're still a barrier to some degree. I don't see how getting rid of passwords entirely is going to be much better. At least it's something the user can control. I can change my password at any time. What happens if I start using biometrics, for example, instead of a password? I can't very easily change my fingerprint or my iris scan. So I would really need to trust anyone I allowed to use my biometrics.
Re: (Score:2)
I don't see how getting rid of passwords entirely is going to be much better.
Depends on who you're talking about. You (probably) aren't protected under the 5th Amendment in the USA using Security Keys and Biometrics, so they're better for Law Enforcement ...
Personally, I wouldn't use Apple's Face ID or Microsoft's Windows Hello -- or other similar -- even if you/they paid me.
Re: (Score:2)
Agreed. "Passwordless" almost always actually means replacing the service-specific password with a device-specific password (almost any device that can currently be unlocked by biometrics can also be unlocked by a passcode of some kind as a backup, and Duo currently largely works by asking you to tap "yes" on your smartphone within a short time window to authenticate.) So if there is already one factor needed to unlock the device, why require a third in addition to possession of the device and the facto
Re: (Score:2)
"DUO"? WTF is that, it's a common word (Score:3)
First of all, thank you for telling us what it is at the very beginning of the summary.
Secondly, WTF kind of name is "Duo" for an authentication service, and can companies please stop using and registering/trademarking common Microsoft Word(TM)s for their stupid products?
Re:"DUO"? WTF is that, it's a common word (Score:5, Funny)
Secondly, WTF kind of name is "Duo" for an authentication service, and can companies please stop using and registering/trademarking common Microsoft Word(TM)s for their stupid products?
Some companies Excel at that. They must have Teams of people generating Sheets full of possible names - it shows a lot of Drive.
Re: (Score:3)
Secondly, WTF kind of name is "Duo" for an authentication service, and can companies please stop using and registering/trademarking common Microsoft Word(TM)s for their stupid products?
Some companies Excel at that. They must have Teams of people generating Sheets full of possible names - it shows a lot of Drive.
I think you missed a Word
Re: (Score:2)
I think you missed my original post.
Re: (Score:2)
Maybe you just can't Access his positive Outlook?
-Yo Grark
Re: (Score:2)
Maybe you just can't Access his positive Outlook?
-Yo Grark
Maybe it's because he Works.
Re: (Score:3)
It's fine as an alternative... (Score:2)
But one would hope they'd still allow password-based access as a backup. To pull a crazy far-out example out of the air, what if most people, oh I don't know... started having to wear masks and their FaceID stopped working?
On my phone, Bitwarden lets me use my thumbprint as an alternative authenticator (I have to choose to enable that, which is the right way for that to work in my opinion) - but I could still type my long-ass vault password in, if I needed to. Same with my banking app.
From What I Hear You Might Want To Wait (Score:3)
Leader was a big liar. (Score:2)
I interviewed there about 6 years ago, place was for tools.
I was in the process of interviewing with Bloomberg for some serious coin in NYC and Doug their CEO literally told me a bunch of bald-face lies about one of their other guys who went to WallStreet and got screwed.
He tried to tell me I would be better off in Ann Arbor making 150K than over in NYC making 300+. Kept bragging how smart they were to write an OpenSSH Auth module for 2-factor.
Ended up deciding before lunch was over I wasn't interested so I
In related news ... (Score:4, Funny)
Cisco's newly acquired two-factor authentication service "Duo" will be renamed "Uno" as they move to a single-factor authentication method of either security keys or biometrics -- to make things easier for people (and Law Enforcement).
I was excited for a moment (Score:3, Funny)
Then I read with a bit more care and well.. my mom is calling.. gotta go.
Slashvertisement (Score:2)
Slow news day obviously...
Replace a problem with a bigger problem (Score:2)
I cannot change my bio-metrics and those hardware keys are way too expensive.
Dumb, fragile, and a target for attacks (Score:2)
Passwords alone are only a problem if you are exposed to the internet for everything (dumb and lazy) or you don't trust your own people not to try to crack into each other's accounts.
2FA doesn't solve the second problem, especially if it's your admins you don't trust (cough Snowden cough). But it does make you more dependent on yet another vendor's shit always working properly and them trusting their sysadmins.
But that's not how phbs think. They see marketing material promising ouchless security and they be
Re: (Score:3)
Passwords alone are only a problem if you are exposed to the internet for everything (dumb and lazy) or you don't trust your own people not to try to crack into each other's accounts.
Or if you are exposed to people walking into / tailgating your employees into the building and mess with your computers. Happened a few times already with ransomware attacks.
2FA doesn't solve the second problem
It mitigates the problem of people (for innocent or nefarious reasons) sharing account credentials with each other. If your 2nd auth factor is a corporate badge (to be worn visibly at all times and also opens the doors etc), account sharing becomes a lot less practical. With an added bonus if you use card reading keyboards that auto-
Yeah, No. (Score:1)
Deepfakes (Score:2)
Droppin a Duo, Buts and Hygiene (Score:2)
I resent that. I drop a Duo every morning. Sure I'm a but user. There is no way I don't clean up after. Did you ever pinch a loaf and not wipe? It gets pretty nasty back there real fast, and burns and itches. I would bet most people that use their buts to poo are good about their hygiene.