Multi-Factor Authentication

Evaluation Guide
What to look for when assessing and comparing
multi-factor authentication solutions

© 2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
Multi-Factor Authentication
Evaluation Guide

What to look for when assessing and comparing

multi-factor authentication solutions

© 2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
 Multi-factor authentication
is the simplest, most effective
way to make sure users really are
who they say they are.
Over 80% of the It protects your applications and data against unauthorized But, not every MFA solution is the same. Some vendors only

breaches categorized access due to credential theft by verifying your users’ identities

before they access your data. Multi-factor authentication works

provide the bare minimum needed to meet compliance requirements

– and lots of hidden costs required for deployment, operation and

under web application by requiring multiple factors to be confirmed before permitting

access versus just an email and a password. Authentication factors

maintenance. Plus, many traditional solutions are clunky, error-prone

and require extensive user training and support – costing your

attacks can be can be something you know, like a password; something you have,

like your device or a security key; something you are, like your
employees time and productivity.

attributed to stolen personal fingerprint (biometrics); somewhere you are, like your

location; and your level of access based on adaptive policies.

credentials, allowing
IN THIS GUIDE, YOU’LL GET:
attackers to login + A comprehensive set of criteria to customize your evaluation to your organization’s needs

+ An overview of the hidden costs of an MFA solution and how to determine your return on investment (ROI)

rather than break-in. + What to look for to ensure your solution can protect against the risk of a data breach

+ A list of resources needed to deploy, provision and integrate your solution

VERIZON 2022 DATA BREACH
+ An overview of the different strategic business initiatives, and how your solution fits into them
INVESTIGATIONS REPORT

© 2022 Cisco Systems, Inc. and/or its affiliates. All rights reserved. 1
Consider the following criteria when evaluating
different multi-factor authentication solutions:

Security Impact Strategic Total Cost

Can your solution protect against unauthorized Business Initiatives of Ownership
access and provide visibility of users and
Is your solution compatible with other business Does your solution provide upfront value, or
devices in your environment? How effectively
initiatives such as enabling remote work or incur hidden costs to your organization? Can it
does the solution reduce the risk of a data
onboarding cloud applications? Does it fulfill work with modern and legacy systems? Can the
breach? Can your solution provide access
compliance requirements? solution help consolidate multiple siloed tools?
control for managed and unmanaged devices?

Does your solution alert you to unusual or

suspicious login activities?

Time to Value Required Resources These are some of the big

How quickly can you get the solution up and What kind of resources are required to deploy questions you want to ask to find
running in your environment? and provision users? Is the solution architected out if an MFA solution is truly the
to reduce ongoing administration tasks? best solution for your business. Let’s
dig in deeper into these questions.

2
Security Impact
The most critical security aspects of an authentication solution are 1) effectiveness against threats related to credential theft, and 2) underlying

security and reliability. The primary goal is to reduce the risk of a data breach to your organization. If a solution is easily bypassed or doesn’t provide

comprehensive protection, it’s not worth implementing (at any cost!).

Secure Everything, Everywhere

FOCUS ON REMOTE LOGINS REDUCE DEPENDENCY ON PASSWORDS
Before you implement a new security solution, take full inventory of your Passwords are a thorn in the side of enterprise security. An average Enabling a single sign-on (SSO) option along with MFA is a great way to

organization’s applications, networks and data that can be accessed enterprise uses more than 1,000 cloud apps today. That’s too many start the passwordless journey without compromising on security.

remotely. If you can log into an application or a system over the internet, passwords for IT to manage securely, and for users to remember. This
For end users, SSO provides access to multiple applications with a single
you should protect it with more than just a username and password. VPN, results in password fatigue, and it’s no surprise that weak and stolen
login (using one master set combination of username and password) —
SSH and RDP connections are gateways to your corporate networks passwords are among the leading causes of a breach. Eliminating
and reducing the number of passwords eliminates bad password habits
and therefore require added layers of protection to prevent unauthorized passwords from authentication sounds very attractive; however, as with
such as password reuse. For administrators, SSO serves as a unified
access. Wherever possible, use FIDO-based (Fast IDentity Online, an open any new technology, it is wise to take a thoughtful approach to adopting
point of visibility for authentication and access logs, and an effective
industry standard for strong authentication) security keys that leverage passwordless authentication.
policy enforcement point to apply security policies for each application
WebAuthn and provide the highest level of assurance for authentication.
Passwordless is a journey that requires incremental changes for both depending on its risk profile.

With a modern MFA solution built on zero trust principles, you can get users and IT environments. Ask security vendors how their products can

a clearer picture of the users and devices that are trying to access your help you embrace a passwordless future without creating security gaps or

network. It is no longer enough just to verify the user before granting causing IT headaches.

access. Consider verifying the device status as part of the authentication

workflow. Ensure your solution can integrate with any custom software,

VPNs, cloud-based applications and device management tools.

If you can log into it over the internet,
you should protect it with more than a
username and password.
3
SECURE SENSITIVE DATA VERIFY DEVICE STATE ADAPTIVE POLICIES & CONTROLS
Check that the solution allows you to create and enforce advanced Consider a solution that offers comprehensive device verification An advanced multi-factor authentication solution lets administrators define

policies and controls that you can apply to environments with sensitive capabilities across laptops, desktops or mobile devices. The solution rules and levels of access with adaptive controls, balancing security

data – whether it is internet-accessible or a private network. should ensure that devices accessing your environment are in compliance and ease-of-use based on the users, groups, devices, networks and

Examples include: with your organization’s security criteria. This includes verifying that the applications involved.

devices have critical software patches installed and enabling end-user

+ Define how users access sensitive systems, such as servers containing Examples of adaptive policies and controls include:
remediation where applicable.
financial data
+ Require admins and IT staff to perform two-factor authentication using
+ Set a stricter policy for servers with customer payment data vs. public Check that the solution can leverage telemetry from your endpoint security
biometrics or a FIDO-based security key every time they log in to protect
file servers agents and device management tools as part of posture assessments.
privileged access

+ Allow users to authenticate less often when using the same device

+ Block login attempts from foreign countries where you don’t do business,

and block access from anonymous networks, like Tor

+ Allow users to only access critical applications from corporate managed

devices

While traditional solutions such as firewalls and network access control

(NAC) can do this, they’re typically limited to protecting your on-

premises resources. But by focusing only on the local network perimeter,

these solutions leave many security gaps and zero coverage for cloud

applications. Look for a solution that offers protections beyond a

traditional network-based perimeter and truly protects access from any

device and from any location.

Check that your provider offers different

authentication methods to fit every user’s need.

4
VISIBILITY & ANALYTICS FLEXIBILITY AVAILABILITY
Ask your provider if your solution gives you insight into your users and It’s expensive to rip and replace a solution, so choose one that can scale A security solution is only as valuable as it is available, and resilient against

the devices they use to access your organization’s apps and data. An to support new users, integrations and devices – no matter where they are, security incidents and downtime. A cloud-based MFA provider should

advanced authentication solution should give you an at-a-glance picture including on-premises and in the cloud. Check that your provider offers maintain their solution independent from your systems. That way, even if

of the security profile of all devices in your environment, letting you different authentication methods, including smartphone apps, biometrics, you’re breached, access to your applications is still securely managed by

take action to protect against known vulnerabilities. Because data is phone callback, passcodes and hardware tokens to fit every user’s need. your provider.

only as useful as it is accessible, make sure your dashboard provides a

To protect against downtime, your provider’s service should be distributed
comprehensive bird’s-eye view along with the ability to quickly zoom or
across multiple geographic regions, providers and power grids for
filter into more granular information.
seamless failover. Reliable vendors should demonstrate 99.99% uptime,

Ensure your solution comes with detailed logs about your users, devices, guaranteed by strong service level agreements (SLA).

administrators and authentication methods. The solution should allow

Check that your provider offers different authentication methods to fit
these logs to easily export to your SIEM tools and help create custom
every user’s need.
reports, ideal for security analysts and compliance auditors.

Choose a solution that gives you visibility into authentication attempts,

including data on IP addresses, anonymous networks, blacklisted countries

and more – useful for determining where and when certain attacks may

occur. Ask if the provider can detect and automatically alert administrators

in case of risky login behavior or suspicious events, such as new device

enrollment for authentication or login from an unexpected location.

Ensure your solution comes with

detailed logs about your users, devices,
administrators and authentication methods.

5
Strategic Business Initiatives
When evaluating a new security solution, consider how it may integrate with ongoing or future business initiatives, including legacy systems, bring

your own device (BYOD), remote work or the adoption of cloud applications. Other business drivers to consider include compliance regulation

requirements, which vary by industry and location.

CLOUD ADOPTION TODAY BRING YOUR OWN DEVICE (BYOD) —

Most of your applications and servers might be on-premises, but some REMOTE WORK PROTECTION
may migrate to the cloud in the near future. Check that the authentication Many organizations are allowing employees to use their personal devices Can your authentication solution detect potential vulnerabilities in the

solution can easily integrate with your cloud applications. Additionally, if to get work done. When evaluating authentication solutions, consider how devices your employees use? Ask your provider how you can get greater

you’re moving away from managing software and hardware on-premises, compatible they are with your BYOD environment. Can users use their own visibility and control into your cloud and mobile environment, without

then you should consider adopting a cloud-based authentication solution devices to complete authentication? requiring users to enroll their personal devices in enterprise mobility

that can scale as needed. Make sure your authentication solution protects solutions (like mobile device management/MDM).
Check that your authentication solution provides a mobile app that works
what’s important both today and in the future.
with all of the different types of mobile and remote devices your employees If it’s not easy to use, your users won’t use it. Evaluate the usability of

use, including Windows, Apple iOS and Android. For flexibility, ensure the your mobile app, for both your users (enrollment, activation and daily

solution works with other methods like security keys, mobile push, code authentication) and administrators (user and solution management).

generators and phone callback.

If it’s not easy to use,

your users won’t use it.
6
MONITORING & REPORTING VALIDATION & COMPLIANCE
Ensure your solution comes with detailed logs about your users’ activity so If you deal with any type of sensitive data, like personally identifiable

you can create custom reports, ideal for security analysis and compliance information (PII), protected health information (PHI), customer payment

auditors. Armed with details about jailbroken statuses, patch levels, data, etc., you need to ensure your two-factor solution can meet any

browsers and more, you can also take action to prevent opening up your compliance regulation requirements.

network to known vulnerabilities. Monitoring also gives you insight into any
Additionally, your MFA provider must be able to provide an up-to-date
user behavior anomalies or geo-impossible logins – if your user logs in
proof of compliance report for your auditors. Ask your provider if their
from one location, and then logs in from another location around the world,
company and solution is audited annually or regularly by an independent
your security team will know.
third-party auditor.

Every organization’s environment is unique. Check if the solution provider

offers advanced machine learning-based behavioural analytics that can

Check that the vendor’s cloud-based service uses PCI DSS (Payment
Remember, it only takes
create a risk profile for your specific organization and notify administrators
Card Industry Data Security Solution), ISO (International Organization

for Standardization) 270001 and SOC (Service Organization Controls)

one weak link in the security
of any unusual login activity.
2 compliant service providers. It only takes one weak link in the security chain for a breach to affect
chain of contractors for a breach to affect your organization.
your organization.

7
Total Cost of Ownership
The total cost of ownership (TCO) includes all direct and indirect costs of owning a product – for a multi-factor solution, that may include hidden costs,

such as upfront, capital, licensing, support, maintenance, operating and many other unforeseen expenses over time, like professional services and

ongoing operation and administration costs.

How can you be sure you’re getting the best security return on your investment? Consider:

Upfront Costs
See if your vendor’s purchasing model requires that you pay per device,
ADMINISTRATIVE SOFTWARE/HARDWARE VENDOR CONSOLIDATION
user or integration – this is important if your company plans to scale and
Is this included in the software license? Additional management While network environments with a traditional perimeter defense model
add new applications or services in the future. Many hosted services
software is often required – without this, customers can’t deploy MFA. rely on a handful of key services to maintain visibility and enforce security
provide a per-user license model, with a flat monthly or annual cost
Does the service require the purchase and configuration of hardware standards, the growth of SaaS adoption has resulted in many piecemeal
for each enrolled user. When investigating licensing costs, make sure
within your environment? Confirm the initial and recurring costs for solutions to cover the expanded needs of securing cloud-based data and
to confirm whether licenses are named (locked to a single user ID) or
this equipment, and research the typical time and labor commitment assets. Secure access includes strong authentication through MFA to
transferable, whether there are add-on charges for additional devices or
necessary to set up these tools. For administrative access with tiered validate users and may also include:
integrations configured, or delivery charges for different factor methods.
permissions based on license version, confirm all functionality you depend
Estimate how much it will cost to deploy multi-factor authentication to all of + Endpoint management or mobile device management tools for defending
on is available, or collect a complete list of necessary upcharges.
your apps and users. against device compromise threats

+ Single sign-on portals to centralize and simplify login workflows for users

+ Log analysis tools to identify and escalate potential security threats

+ Multiple dashboards to manage disparate services and cover

unsupported applications, and more

Along with the redundant costs that can accrue from these overlapping

Look for vendors with simple subscription models, services, each added tool increases complexity and the chances of human

error or oversight. Finding a solution with comprehensive utility for secure

priced per user, with flexible contract times. access can reduce both initial and ongoing management labor costs.

8
Upfront Costs Deployment Fees
(continued)

AUTHENTICATORS DEPLOYMENT & CONFIGURATION ADMINISTRATOR SUPPORT

Do you have to purchase hardware authentication devices? Physical Find out if you can deploy the solution using your in-house resources, or To make it easy on your administrators, look for drop-in integrations for

tokens add inventory, management, and shipping costs to consider. For if it will require professional services support and time to install, test and major apps, to cut time and resources needed for implementation. Also

mobile authenticators, confirm if there is any per-device cost for soft troubleshoot all necessary integrations. confirm the availability of general-purpose integrations for the most

tokens, or if an unlimited number of enrolled devices is permitted for each common authentication protocols to cover edge use cases, along with

user license. END USER ENROLLMENT APIs to simplify integration for web applications. See if you can set up a

Estimate how long it will take each user to enroll, and if it requires pilot program for testing and user feedback – simple integrations should

DATA CENTER COSTS any additional administrative training and helpdesk time. Discuss with take no longer than 15 minutes.

Do you have to purchase servers? Server hosting costs can add up: your vendor the typical deployment timeframe expected with your use

power, HVAC (heating, cooling and air conditioning), physical security, case, and seek feedback from peers to validate how this aligns with

personnel, etc. A cloud-based solution will typically include these costs in their experience. Look for an intuitive end user experience and simple

the licensing model. enrollment process that doesn’t require extensive training. Token-based

solutions are often more expensive to distribute and manage than

HIGH AVAILABILITY CONFIGURATION they are to buy.

Is this also included in your software license? By setting up duplicate

instances of your software and connecting a load balancer with the

primary instance, you can end up tripling your software costs. Setting

up a redundant or disaster recovery configuration can also increase

costs significantly, and some vendors charge additional licensing fees for

business continuity.

Token-related help desk tickets can account

for 25% of the IT support workload.

9
Ongoing Costs
PATCHES, MAINTENANCE & UPGRADES ADMINISTRATIVE MAINTENANCE SUPPORT & HELP DESK
Annual maintenance can raise software and hardware costs, as customers Consider the costs of employing full-time personnel to maintain your MFA Live support via email, chat and/or phone should also be included in your

must pay for ongoing upgrades, patches and support. It’s often the solution. Does your provider maintain the solution in-house, or is it up to vendor’s service – but sometimes support costs extra. Consider how much

responsibility of the customer to search for new patches from the vendor you to hire experts to manage it? time is required to support your end users and helpdesk staff, including

and apply them. Look for a vendor that automatically updates the software troubleshooting time.
Estimate how long it takes to complete routine administrative tasks. Is
for security and other critical updates, saving the cost of hiring a team.
it easy to add new users, revoke credentials or replace tokens? Routine Gartner estimates that password reset inquiries comprise anywhere

One of the benefits of SaaS and cloud-hosted services is that servers, tasks, like managing users, should be simple. Sign up for a trial and take it between 30% to 50% of all helpdesk calls. And according to Forrester,

maintenance and monitoring are covered by the provider’s network and for a test run before deploying it to all of your users. 25% to 40% of all helpdesk calls are due to password problems or resets.

security engineers, lightening the load for your team. Depending on your Forrester also determined that large organizations spend up to $1 million

solution, you may have to manually upgrade to the latest version. per year on staffing and infrastructure to handle password resets alone,

with labor cost for a single password reset averaging $70.

You should also consider the frequency of updates — some vendors may

only update a few times a year, which can leave you susceptible to new If a solution requires extensive support from your IT or infrastructure

vulnerabilities and exploits. Choose a vendor that updates often, and teams, will you get charged for the time spent supporting your on-premises

ideally rolls out automatic updates without any assistance from your team. MFA solution? Estimate that cost and factor it into your budget.

10
Modern Solutions
High value, upfront costs

+ Simple subscription model + User, device and application access policies

+ Free authentication mobile app and controls

+ No fees to add new apps or devices + Device health and posture assessments

+ No data center/server maintenance + Device context from third-party security

+ High availability configuration solutions

+ Automatic security and app updates + Passwordless authentication

+ Administrative panel included + User behavior analytics

+ User self-service portal included + Single sign-on (SSO) and cloud support

NO HIDDEN COSTS

Traditional Solutions MANY HIDDEN COSTS

Potentially low upfront costs, not much value

LOTS OF HIDDEN COSTS:

− Additional cost to add new apps or users

− Administrative software/hardware

− Authenticators – tokens, USB, etc.

− Data center and server maintenance

− High availability configuration

− Administrative support

− Patches, maintenance and upgrades

− Helpdesk support

11
Time to Value
Time to value, or time to security, refers to the time spent implementing, deploying and adapting to the

solution. Determine how long it takes before your company can start realizing the security benefits of a

multi-factor authentication solution. This is particularly important after a recent breach or security incident.

Proof of Concept Deployment Onboarding & Training Users

Setting up a MFA pilot program lets you test your solution across a small Walk through likely implementation scenarios so you can estimate the A vendor’s enrollment process is often a major time sink for IT

group of users, giving you the ability to gather valuable feedback on what time and costs associated with provisioning your user base. Cloud-based administrators. Make sure you walk through the entire process to identify

works and what doesn’t before deploying it to your entire organization. services provide the fastest deployment times because they don’t require any potential issues.

hardware or software installation, while on-premises solutions tend to take

For enterprises, bulk enrollment may be a more time-efficient way to sign
more time and resources to get up and running.
up a large amount of users. To support your cloud apps, ensure your

Most security professionals don’t have time to write their own integration MFA solution lets you quickly provision new users for cloud apps by using

code. Choose a vendor that supplies drop-in integrations for all major existing on-premises credentials.

cloud apps, VPNs, Unix and MS remote access points. You’ll also want
Cloud-based services to look for a vendor that enables you to automate functionality and export
See if the solution requires hardware or software for each user, or time-

consuming user training. Token deployment can require a dedicated

deploy faster because they logs in real time.
resource, but easy self-enrollment eliminates the need to manually

don’t require hardware or Also, to save on single sign-on (SSO) integration time, check that your

MFA solution supports the Security Assertion Markup Language (SAML)

provision tokens.

software installation. authentication standard that delegates authentication from a service

With a mobile cloud-based solution, users can quickly download the

app themselves onto their devices. A solution that allows your users to
provider or application to an identity provider.
download, enroll and manage their own authentication devices using only a

web browser can also save your deployment team’s time.

12
Required Resources
Consider the time, personnel and other resources required to integrate your applications, manage users and devices, and maintain/monitor your solution.

Ask your provider what they cover and where you need to fill in the gaps.

Application Support User & Device Management Maintenance

Some MFA solutions require more time and personnel to integrate with Like any good security tool, your MFA solution should give administrators Make sure that your solution requires minimal ongoing maintenance and

your applications, whether on-premises or cloud-based. the power they need to support users and devices with minimal hassle. management for lower operating costs. Cloud-hosted solutions are ideal

because the vendor handles infrastructure, upgrades and maintenance.

Check that they provide extensive documentation, as well as APIs and Look for a solution with a centralized administrative dashboard for a

SDKs so you can easily implement the solution into every application that consolidated view of your two-factor deployments, and enables admins to: Can you use your existing staff to deploy and maintain this solution, or will

your organization relies on. you need to hire more personnel or contractors to do the job? Ask your
+ Easily generate bypass codes for users that forget or lost their phones
vendor if monitoring or logging is included in the solution.
+ Add and revoke credentials as needed, without the need to provision and

manage physical tokens

A solution that requires many additional resources to adapt and scale may

not be worth the cost and time. Evaluate whether your solution allows
Ask your provider if they offer a self-service portal that allows users to
you to easily add new applications or change security policies as your
manage their own accounts, add or delete devices, and other simple tasks.
company needs evolve.

Can your staff deploy and maintain the

solution, or will you need to hire more
personnel or contractors?

13
The Duo Advantage
Duo Security’s MFA solution combines intuitive usability with advanced security features to protect against the latest attack methods and to provide a

frictionless authentication experience.

Security Impact
TRUSTED USERS TRUSTED DEVICES SECURE EVERY APPLICATION
Duo’s authentication is built on the foundation of zero trust. Duo When organizations deploy Duo, device trust becomes a part of the To secure every type of application, Duo’s solution easily and quickly

verifies the identity of users and protects against breaches due to authentication workflow during the user login process for protected integrates with virtual private networks (VPNs) and remote access gateways

phishing and other password attacks with an advanced MFA solution, applications. This enables Duo to provide in-depth visibility across like CA SiteMinder, Juniper, Cisco, Palo Alto Networks, Citrix and more;

verifying trust in multiple ways before granting access. Duo’s contextual managed and unmanaged devices, however and from wherever the users enterprise cloud apps like Microsoft O365, Salesforce, Google Apps, AWS

user access policies let you create custom controls to further protect connect to these applications. Duo also verifies the security health and Box; and on-premises and web apps like Epic, Splunk, Confluence,

access to your applications based on type of users, devices and apps. and management status of endpoints before granting access to your Shibboleth and more. Duo provides APIs and client libraries for everything

applications, and blocks access if the device is unhealthy or does not meet else, including your custom and proprietary software.
Learn more about Trusted Users.
your security requirements.
Learn more about Every Application.

You can easily ensure that users maintain appropriate device hygiene,

whether by updating the OS patch levels or browser versions, checking

for presence of device certificates, or enabling security features such as

enterprise antivirus (AV) agents and disk encryption.

Learn more about Trusted Devices.

Duo verifies the identity of your users with two-factor authentication, and
the security health of their devices before they connect to your applications.

14
Security Impact
(continued)

ADAPTIVE POLICIES & CONTROLS

START YOUR PASSWORDLESS JOURNEY
Duo’s passwordless authentication solution will improve user experience, Security policies for every situation. Duo’s granular advanced policy
Going passwordless means establishing a strong assurance of a user’s
reduce IT overhead, and strengthen security posture. Duo uniquely takes controls provide zero trust protection to environments with sensitive data,
identity without relying on passwords, allowing them to authenticate using
its passwordless solution a step further by enabling organizations to whether on-premises or in the cloud. With Duo, you can create custom
biometrics, security keys or a mobile device. Duo will help you get to a
implement a passwordless authentication that’s secure and usable. Duo access policies based on role, device, location and many other contextual
passwordless future starting with reducing the number of logins. With
ensures that a risky device (unknown, jailbroken or out of date) cannot factors that are the bedrock of a strong zero trust security framework.
Duo’s secure cloud-based single sign-on (SSO), you can leverage your
be used to authenticate without a password. In addition, Duo continually
existing identity provider for faster provisioning and improved accuracy
Duo verifies the identity of your users with multi-factor authentication
monitors logins and new enrollments to automatically detect anomalies
whether in the cloud or on-premises, allowing your users to log in just once
and the security health of their devices before they connect to your
and alerts the administrators in case your environment is compromised.
to securely access your organization’s applications.
applications. With Duo, IT administrators may also create complex policy

Learn more about Passwordless. rules that continuously monitor logins to identify and flag unusual activity.

We are a very open organization and want employees to work from anywhere.
Box manages highly sensitive data for some of the largest organizations in the world.
As a result of this, we need to ensure the highest level of protection for all user
interactions with our services. We also need to meet an extremely high bar for
security standards while making it easy for users to be productive.
Duo helps us do just that.”

Mark Schooley
Senior Director, IT Operations & Engineering

15
VISIBILITY & ANALYTICS FLEXIBILITY AVAILABILITY
Duo’s dashboard, reports and logs make it easy to monitor every user, on Duo’s Service Level Agreements (SLA) guarantees a 99.99% uptime
As a cloud-based solution, it’s easy to provision new users and protect
any device, anywhere, so you can identify security risks before they lead and is distributed across multiple geographical locations for a seamless
new applications with Duo as your company grows, because there are
to compromised information. Get visibility into authentication attempts, failover. Duo is maintained independently from your systems keeping you
no limits or additional charges per application. We believe that if you’re
including data on IP addresses, anonymous networks, blacklisted safe even if your systems are breached.
protecting a user’s access to your most important applications, you
countries and more from Duo’s admin panel.
shouldn’t be penalized or charged more to protect them everywhere.

Duo gives you complete visibility and helps you inventory every endpoint Easily onboard new users with Duo’s self-enrollment, bulk enrollment or

accessing your applications and provides data on operating system, Active Directory synchronization options.

platform, browser and plugin versions, including passcode, screen lock, full
There are a variety of ways Duo’s MFA can work. You can use a
disk encryption and rooted/jailbroken status. You can easily search, filter
smartphone, landline (such as your office or home phone), tablet or
and export a list of devices by OS, browser and plugin, and refine searches
hardware token. Authentication methods include mobile push, biometrics,
to find out who’s susceptible to the latest iOS or Android vulnerability.
time-based one-time passcodes, bypass codes, security tokens, SMS

Duo Trust Monitor is a security analytics feature that identifies and passcodes and callback.

surfaces risky, potentially insecure user behavior in a customer’s Duo

Learn about User Provisioning.
deployment. If a user significantly deviates from their individualized

behavioral profile, Duo Trust Monitor will surface the case as

behaviorally anomalous.

Duo gives you insight into the security posture of both

corporate and personal devices used to connect to
company applications and services.
16
Strategic Business Initiatives
CLOUD ADOPTION BRING YOUR OWN DEVICE (BYOD) - VALIDATION AND COMPLIANCE
By leveraging a scalable cloud-based platform rather than relying on REMOTE WORK PROTECTION Duo’s full-time security team is experienced in running large-scale systems

on-premises hardware requiring setup and costly maintenance, Duo The Duo Mobile app (iOS, Android) and the Device Health app (Windows, security, and comprises top mobile, app and network security experts.

can be deployed rapidly; and it’s easy to scale with your growing users MacOS) are BYOD-friendly for remote access and can be used on many Duo’s operational processes are SOC 2 compliant. Duo’s multi-factor

and applications. Duo also supports SAML cloud apps via secure single different devices. Duo can maintain your device inventory so you have authentication cryptographic algorithms are also validated by NIST

sign-on, including Google Apps, Amazon Web Services, Box, Salesforce clear visibility into what device is connecting, when and from where. Users and FIPS. Duo has achieved ISO (the international security standard)

and Microsoft Office 365. can download the app on their personal device without enrolling in device 27001:2013, 27017:2015 & 27018:2019 Certification.

management solutions, ensuring user privacy.

Duo can also help your business meet various compliance requirements
WORKFORCE PRODUCTIVITY
and regulatory framework guidelines. Duo Push satisfies Electronic
Duo provides a better end user experience for accessing applications MONITORING AND REPORTING
Prescription of Controlled Substance (EPCS) requirements for two-factor
by reducing workflow friction and increasing workplace productivity. Duo’s detailed user, administrator and telephony security logs can be
authentication in the healthcare industry, while Duo’s one-time passcodes
Duo offers low-friction authentication methods such as Duo Push, easily imported into a security information and event management
meet FIPS 140-2 compliance for government agencies.
biometrics and FIDO security keys. Duo also offers the ability to apply (SIEM) tool for log analysis, or viewed via Duo’s Admin API for real-time

intelligent policies to reduce how often a user is prompted to authenticate, log access. In addition, Duo Trust Monitor employs machine learning—
Duo Federal Editions are built to enable customer compliance with FIPS
using features such as remembered device. Duo is focused on enabling behavioral analytics to simplify risk detection in case of anomalous
140-2 compliant authentication standards and align with National Institute
users to be productive without compromising on security thereby login activity.
of Standards and Technology (NIST) SP 800-63-3 guidelines. Duo Federal
achieving the right balance for your organization.
editions meet Authentication Assurance Level 2 (AAL2) with Duo Push

or Duo Mobile Passcode for both iOS and Android devices out of the box

and by default with no additional configuration required. Duo also supports

AAL3 authenticators such as the FIPS Yubikey from Yubico.

Duo Device Trust enables organizations to check and enforce the device

Duo’s full-time security team is experienced in running large-scale systems security and compliance posture prescribed by standards such as

PCI-DSS, HIPAA and the NIST cybersecurity framework.

security. Duo’s diverse research and engineering teams comprises top mobile,
Learn more about Security & Reliability
app and network security experts and have worked at Fortune 500 companies,
government agencies and financial firms.
17
Total Cost of Ownership (TCO)
While traditional security products require on-premises software or hardware hosted in a data center, Duo offers security in a software as a

service (SaaS) model through a cloud-based platform.

NO UPFRONT COSTS Other solutions may appear to come with a lower price tag, but the layers

With Duo’s multi-factor authentication, you get the most upfront value with no hidden costs such as upfront, capital, licensing, support, maintenance, of hidden costs can add up fast, rapidly tripling TCO and offering less

operating and many other unforeseen expenses over time. Duo offers a simple subscription model priced per user, billed annually, with no extra fees for value overall. With Duo’s MFA, you get the most upfront value with no

new devices or applications. hidden costs, including:

+ Easy deployment with the help of Duo’s drop-in integrations for + Conext leveraged from endpoint security agents and device ADMINISTRATIVE SOFTWARE/HARDWARE
all major apps and APIs, and an administrative panel for user and management systems Duo’s subscription-based model eliminates hefty software licensing fees

solution management + Self remediation to ensure devices meet your security requirements and includes administrator management tools, meaning there’s no need to

+ Automatic application updates, with patch management, maintenance + Insight on user login behavior in your environment and the ability to flag pay for top-dollar management software to use it.

and live support at no extra cost anomalous login attempts

+ Advanced features that let you customize policies and controls, as well + First steps on the journey to eliminate passwords and improve security AUTHENTICATORS
as get detailed device health data with passwordless authentication Users can download the Duo Mobile app to any device, eliminating the

+ A secure single sign-on (SSO) and authentication solution in one need to shell out for a fleet of devices to deploy to your workforce. Duo

also offers several authentication methods based on specific use cases;

along with Duo Push, Verified Duo Push, end users can authenticate via

U2F, biometrics, tokens, passcodes and more.

NO DATA CENTER COSTS

Because Duo is cloud-based, you don’t need to buy servers and absorb all

Other solutions may appear to come with of the costs that come with running a data center.

a lower price tag, but the layers of hidden

costs can add up fast, rapidly tripling TCO
and offering less value overall.
18
HIGH-AVAILABILITY CONFIGURATION PATCHES, MAINTENANCE & UPGRADES BUDGET CONSOLIDATION
Where some vendors require you to purchase additional licenses for Duo offers automatic application updates, with patch management, With Duo, you can replace the need for multiple different hardware

business continuity and high availability, Duo offers high availability maintenance and live support at no extra cost. and software security solutions that solve for isolated use cases, like

configuration, disaster recovery and data center management tools authentication, network access control, endpoint security, vulnerability

without busting your budget. ADMINISTRATIVE MAINTENANCE assessment tools, etc. with a single cloud service that provides

Duo makes routine tasks like adding new users, revoking credentials or multi-factor authentication, device trust, single sign-on and

DEPLOYMENT & CONFIGURATION replacing tokens quick and easy, meaning your administrative resources adaptive policies and controls.

Duo makes deployment and configuration a snap. Your in-house resources won’t have to do another full-time job to maintain your Duo deployment.
Duo’s trusted access solution provides a comprehensive security platform
can install, test and troubleshoot Duo in just minutes.
that eliminates the need — and budget — for many disparate access
SUPPORT & HELPDESK
management tools that may prove difficult to fully integrate. The value is
END USER ENROLLMENT Duo has an extensive library of free resources to answer any and all
in consolidation, filtering out as much of the noise as possible and giving
With Duo, end user enrollment is a breeze — end users can simply questions you may have. Duo also offers live support at no extra cost, and
a comprehensive dashboard that gives a birds-eye view and the ability to
download the Duo Mobile app for free, enrolling themselves to get started with Duo Care premium support, you can receive 24/7 white glove service
quickly zoom in to the granular details where attention is needed. MFA is
with Duo in seconds. for a small fee.
one step in securing access, and as we’ve grown and developed, we’ve

built on that to cover more steps.

ADMINISTRATIVE SUPPORT
Duo offers easy deployment with the help of drop-in integrations

for all major apps and APIs, and an administrative panel for user and

solution management.

Duo is flexible enough to scale quickly, letting you easily add

new apps, users, or change security policies as you grow.

19
Time to Value Required Resources Dedicated, Responsive Support
To answer your questions before, during and after your Duo deployment,
PROOF OF CONCEPT APPLICATION SUPPORT
you can count on our fully staffed, in-house Duo Support team.
Duo lets you try before you buy, helping you set up pilot programs before Duo integrates easily with your on-premises or cloud-based applications,

deploying to your entire organization, with extensive documentation with no need for extra hardware, software or agents. Duo’s extensive
Our responsive support team members have the security expertise to
and knowledge articles to help guide you through the evaluation stage. documentation, APIs and SDKs make for seamless implementation,
quickly assist you with any specific integration needs. Duo’s customer
View Duo’s documentation. reducing the need for a dedicated IT or security team.
support service is included with your solution at no extra charge, with no

support contracts required. In addition, we offer extensive knowledge base

DEPLOYMENT USER & DEVICE MANAGEMENT
articles to help troubleshoot and quickly fix known issues.
For faster and easier deployment, Duo provides drop-in integrations for Duo’s administrative panel allows admins to support users and devices

all major cloud apps, VPNs, UNIX and MS remote access points, as well using one centralized dashboard. Log into the web-based portal to Our end-user guide and detailed documentation are frequently updated

as support for web SDK and APIs. Quickly provision new users with bulk manage user accounts and devices, generate bypass codes, add phones and helpful resources available on Duo.com. For more advanced

enrollment, self-enrollment, Microsoft Active Directory synchronization, or to users and more. Duo’s self-service portal enables users to manage their deployments and specific SLA requirements, we provide Duo Care,

with the use of Duo Access Gateway for cloud-based applications. own devices, reducing administrative support time for simple tasks. a premium customer support service with extended coverage and a

dedicated Customer Success team.

MAINTENANCE
ONBOARDING & TRAINING USERS
As a cloud-hosted solution, Duo covers the infrastructure and maintenance, The Duo Customer Success team equips you with everything you need
Duo’s authentication app, Duo Mobile, allows users to quickly download
letting you focus on your core business objectives. Since security and to roll out your Duo deployment, including a customized launch kit to help
the app onto their devices, while a self-service portal also lets users
other updates are rolled out frequently and automatically to patch for the with security policies, user training, solution architecture design and more.
manage their own accounts and devices via an easy web-based login,
latest vulnerabilities, you don’t need to hire a dedicated team to manage
reducing help desk tickets and support time.
Duo is flexible enough to scale quickly, letting you easily add new apps,
the solution. Duo’s solution is flexible enough to scale quickly, letting you
users, or change security policies as you grow.
easily add new applications, users or change security policies as needed.

Duo increased our security and was an easy tool to deploy;

every organization should consider it immediately.”
Chad Spiers
Director of Information Security, Sentara Healthcare

20
Secure Everything,
Everywhere.

At Duo, we combine security expertise with a user-centered philosophy Duo Security makes security painless, so you can focus on what’s Duo Security, now part of Cisco, is the leading multi-factor authentication

to provide multi-factor authentication, endpoint remediation and secure important. Duo’s scalable, cloud-based trusted access platform (MFA) and secure access provider. Duo comprises a key pillar of Cisco

single sign-on tools for the modern era. It’s so simple and effective, you addresses security threats before they become a problem, by Secure’s Zero Trust offering, the most comprehensive approach to

get the freedom to focus on your mission and leave protecting it to us. verifying the identity of your users and the health of their devices securing access for any user, from any device, to any IT application or

before they connect to the applications you want them to access. environment. Duo is a trusted partner to more than 25,000 customers
Duo is built on the promise of doing the right thing for our customers
globally, including Bird, Facebook, Lyft, University of Michigan, Yelp,
and each other. This promise is as central to our business as Experience advanced multi-factor authentication, endpoint visibility, custom
Zillow and more. Founded in Ann Arbor, Michigan, Duo also has
the product itself. Our four guiding principles are the heart of user policies and more with your free 30-day trial. You’ll see how easy it is
offices in Austin, Texas; San Francisco, California; and London.
the sensibility: Easy, Effective, Trustworthy, Enduring. to secure your workforce, from anywhere on any device with Duo MFA.

Duo.com