The Affordable Way to Maintain Security and Compliance with Two-Factor Authentication


June 04, 2013 2:00 pm


Online

Richard Li and Brian Kelly of Duo Security and Jason Yaeger, Director of Operations/Risk Management & Security Officer of Online Tech discuss how to employ two-factor authentication to protect your data and your business.

Title: The Affordable Way to Maintain Security and Compliance with Two-Factor Authentication
Description: Never suffer from weak passwords again. According to Mandiant, 100% of security breaches involve stolen credentials. Not a week goes by without news of another high-profile security breach at trusted websites like LinkedIn, LivingSocial, Evernote, and more. In a cascade of damage, when these sites are breached, passwords are stolen and can be reused to access additional accounts. The impact on your business and its professional reputation can be disastrous.

If you must meet industry compliance standards such as HIPAA compliance or PCI DSS compliance, two-factor authentication is a best practice to fulfill authorization and authentication requirements. Join Richard Li and Brian Kelly of Duo Security and Jason Yaeger, Director of Operations/Risk Management & Security Officer of Online Tech as they discuss how to employ two-factor authentication to protect your data and your business.



April: We are thrilled to have guests here from Duo Security and I have to give everyone a little bit of disclosure here. We do buy products from Duo Security. Part of the reason we invited them here today is because we are thrilled with their service and the protection that they give to us and our clients and we wanted to ask them to share their expertise, give you folks an idea of how we use Duo to protect our data center and the clients that we host here and give all of you a chance to learn directly from them and ask them some questions.

We have here with us Jason Yaeger, who is Online Tech's Director of Operations. Jason is going to give a really quick overview of how we use Duo and why we selected Duo.

We have Richard Li with us from Duo Security; and we have Brian Kelly.

I apologize I don't have your bios in front of me, because of the little bit of screen scrambling that we did, so if you just take a couple minutes and let us know your backgrounds and field that would be fantastic. We'll let Jason dive in with a little bit of info on how Online Tech uses this. Richard, welcome.

Richard: Well, I'm delighted to be here. I'm Richard Li. I'm VP of Products and Strategy at Duo Security. I'm relatively new to the company, not new to security. Previous to this, I actually spent four years most recently as VP of Strategy at Rapid7, which is the home of Metasploit and NeXpose. Brian.

Brian: Hi, everyone. This is Brian Kelly. I'm a Senior Product Manager here at Duo. I've been with Duo a little over a year and previously spent time at both Symantec and VeriSign, also in user authentication, but more specifically on the PKI side of the house, so happy to be here this afternoon.

April: Thanks so much. They braved the construction traffic on the way here and patiently dealt with our technical difficulties, so we're in good company. So, Jason, do you want to give us an overview on how Online Tech came to need Two-Factor and why Duo?

Jason: Sure. We'll start the webinar off with explaining what Two-Factor is for people who don't know or understand the different levels of authentication. Then, we'll go into why you need it or why we need it, why we needed to use it and why you may need to use it, how we implemented Duo’s service for our needs, and why Duo.

Two-Factor authentication, specifically for Duo, is something you know and something you have. In the case of your username and password, that's something you know. Your username and password are something you know and something you have on either your mobile phone, a token, a smart card. Something else would be biometric access, fingerprint, some sort of retinal scan or something along those lines. In the case of how Online Tech uses Duo Security, we implemented it for remote access into our network. So we implemented something you know and something you have. We have our traditional way of logging into a VPN where you use your username and password and then you're allowed access. Well, to take it one step further, we wanted to implement a solution that had one extra step of authentication, which was something you have, which we're going to get into in a minute on how Duo integrates that.

Something to know about Two-Factor authentication is that it is not two single-factor requests. A lot of people confuse that where you request the username and password on one window and then on the next window you request that same level of authentication. That's not an acceptable form of Two-Factor authentication for the purposes that Online Tech and many of our compliant customers need. Two single-factor authentications do not equal a Two-Factor authentication.


Jason: Why do you need Two-Factor? Passwords, alone, aren't enough. They're stolen. They're phished. There are a number of ways that a hacker can get your password. When they get access, when they have your username and password, it's impossible to know what they've taken and where they've gone. So, passwords alone are not enough, especially when you're talking about PCI and HIPAA compliant solutions.

Within PCI, there's a requirement. PCI requirement 8.3 states that all remote access to any PCI network must utilize Two-Factor authentication. Any network that's considered remote is something where the public Internet is between you and that PCI network. Even if you're using a VPN, which is considered an extension of your local network, you still need Two-Factor authentication. It is not required for local access. If you're sitting local with the PCI environment, it's not required under PCI 8.3.

With HIPAA, it is not required yet although it's highly recommended that you implement a Two-Factor service for all remote access into your HIPAA compliant network. PHI is as important as cardholder data. We view it as such and I think everybody else would probably agree with that or any mission critical system. We have a number of clients that don't have PCI or HIPAA data in their environment, but they deem the data that's on their system secure enough that they need a Two-Factor authentication system, because it is easy to hack a password just alone by itself. Passwords are not enough. PCI requires it. HIPAA does not require it yet.

April: They should.

Jason: They should. It's probably coming down the line, so we recommend to all of our compliant clients that they implement a solution like Duo.

When we went to look at the type of solution that we wanted to implement, for not only ourselves but for our clients, we looked at a number of different options out there. A lot of people historically remember the token system where you carry around a key fob on your keychain. It has a list of maybe six numbers that change every 30 seconds or every minute, whatever they set it to change at. That was the old way of Two-Factor authentication. That was something you had on your person.

We didn't particularly care for that method, because tokens are hard to track; they're a maintenance nightmare. Most people say that tokens are frustrating to use. They lose them. You don't know when you lose them. You remember that you don't have it on you 10 or 15 minutes after you really need it, so we had a lot of people say they left them at home, or they're outside of their home and they need to have that access and they just can't get to it. We really didn't want to go that method.


Jason: We had a couple of solutions that we found at Duo that implemented the phone where they would call you or there was an app or something that was tied to your phone as opposed to a token, which we really, really liked. You already know how to use your phone. You know how to pick up a phone call. You know how to hit a key. The system calls you and asks you to press a key for your authentication. You don't need a new device. When you lose your phone, you know it, probably, within seconds. I know I do anyway. If I've misplaced my phone, I know within seconds. We felt that was the right way to go for what we at Online Tech internally wanted and we felt that was a good way to go for our clients, which really narrowed it down.

There aren't that many companies out there that implement Two-Factor that way. It just so happened Duo was one of them. How we implement Two-Factor in our environment, our PCI network, is we have it integrated with our highly redundant Fortinet firewalls. We use our authentication system, our active directory system. The user logs into their VPN with their username and password. A screen pops up from Duo asking for authentication. You can either have it place a phone call to your cell phone, or you can have it push an authentication request to the application that sits on your iPhone or your Android device, or you can type a code in that comes from that application that sits on Duo device, or they can text message you those codes as well. Any user, any one of our users, Marketing Department, Sales Department, all of the employees of Online Tech, if they want to VPN in and get access to our internal documents or anything that's on our internal network, they must use Two-Factor to do that, and every one of them uses Duo Security.


Jason: Why did we choose Duo? We talked about tokens even though I think we do support tokens, right?

April: Yes, I do.

Jason: Yeah, you do support tokens if you really want to use one. We didn't want to offer that as a service and we found every one of our users has really benefited from the fact that it does use the mobile phone and it's really few and far between where anyone has requested a token.

The mobile application … When we chose Duo, there wasn't another provider out there that had an app like Duo's installed right on your phone, either Android, BlackBerry, Windows, iPhone, all of the major smartphone manufacturers, and also the text-based solutions were somewhat unique as well. They'll send you a text message with a bunch of codes on it that expire after a certain number of minutes.

It was very cost effective, local live support when needed, chat support very convenient. When we implemented Duo's solution, we kind of put them through the wringer, because we were new to it, and they were wonderful to work with; also, the documentation. All of the documentation on integrating Duo's service (which I'll let you guys talk about) with a number of different VPN manufacturers, all the software you can think of underneath the sun, SSH, RDP, a ton of web apps, the documentation to implement them is all on their website. It is extremely easy to follow, and if you can't follow it, the support that they have backs that up and makes it really easy for you to just implement it. It's innovative and security conscious. That's why we chose Duo.

I'm going to turn it over, right now, so that we can talk about why you should choose Duo.


Richard: Great. Thanks Jason.

April: Alright, we're going to change the presentation over to Richard here. I'd just like to invite everyone. If you have questions to ask while we're discussing things, please feel free to share them with us and we'll work them in or we can get to those at the end of the presentation.

Jason: Sorry, folks. We're transferring over to Richard's computer.

Richard: Thought maybe there's a ghost of me somewhere, because I may have logged in more than once trying to get in.

Richard: Okay, thanks everyone. Sorry about that. As I said, I'm Richard Li. I'm here with Brian Kelly from Duo. What I'm going to talk about today is just a brief introduction to Duo Security. I'm going to talk about the evolution of the tech landscape and how people really focus on user targeted attacks and why. As a consequence, protecting your credentials is more important than ever. Then, I'm going to talk a little bit about Two-Factor authentication in Duo specifically. Jason did a great job introducing the concepts behind Two-Factor, so what I'll really focus on is how Duo actually implements Two-Factor in a way that's easier for you to actually deploy and manage.

Duo was founded a few years ago by a number of security industry veterans. Dug Song, our CEO, was the chief architect at Arbor Networks and he pioneered the DDoS protection industry. Jon Oberheide, our CPO, is one of the world's leading experts on mobile security for Android and Two-Factor. You'll see both Dug and Jon quoted, pretty frequently, in both mainstream and industry publications about mobile security and Two-Factor.

We've got over a thousand companies that are using our solution, including three of the top five US social networks. One thing that we're really proud of is the fact that 60% of our customers are first time Two-Factor authentication users. We're really proud of that, because we really tried to make Two-Factor very easy for people to use, because we think everyone needs to protect their password and it's not just the province of Fortune 500 companies. We've got customers around the world, large companies, small companies, medium size companies, educational institutions, so really running the gamut. We really work very hard at making the solution very easy to use and deploy.

Richard: I'm going to talk a little bit about the attack landscape today. Really, what's happening today in the security industry and cyber attacks that we see is that attackers have really figured out that end users are really the easiest people to target. End users use mobile devices. They log in from their house or from Internet cafes. They log into social networks all the time. At this point they have logins to Dropbox and Salesforce and 30 other different cloud services. So, in that case you can attack all these users, and you only need to compromise one user and steal one password. Then, you actually are successfully compromising the entire organization, so that's what attackers are actually doing. If you look at how a typical attack occurs today, the attackers actually entice the end user to click on a contaminated website by clicking on a link or opening an email attachment that has some innocuous sounding name like 'your hiring spreadsheet' or something like that. They send it to all these different users and they actually fake the sender, so they only need one user to actually open that file or to click on that link. That user will then be compromised, because that will actually download a piece of malware or, without that user's knowledge, it will install it on the system, and that piece of malware will actually go off and actually watch all the keystrokes to capture passwords or search the user's hard drive to find additional credentials and, lastly, send that information back to the so-called command and control network, where it will actually be used to actually gain remote access to that organization's network.

The malware that they install is actually extremely hard to detect. Zeus, in this example here, even with antivirus that's fully up-to-date, is rarely detected. That's just because the guys who write it now have really evolved their technique to the point where AV is really designed to solve and address last year's malware attack techniques.

The other technique that we see a lot is so-called spear phishing, where an attacker will actually create a website that looks exactly like your online banking website, and you'll type in your username and password, and it will actually get sent to their database, and actually it's not Chase, in this example. It's actually a website that an attacker has created that looks like Chase. Again, most people aren't going to fall for this, but enough people do that it's actually an extremely effective technique.

What we find is that, pretty much, in all breaches stolen credentials are in play. Mandiant is a firm that does a lot of post-breach forensics. So, you've been broken into. You want to find out who actually caused it and what did they actually do, you hire Mandiant. They published a study back in February. They pointed out that 100% of their breaches involved stolen credentials. The reason for that is simple. Once you steal credentials, you have access to everything that a user has access to, and to the computer network you look exactly like that user. All your security technologies that are trying to detect bad behavior, they're not going to actually detect that, because you're actually looking like a legitimate user. What you really need is a strong Two-Factor authentication solution to actually protect those credentials, that being the single most important thing you can do to secure your network.

Companies, both large and small, were breached and affected last year. The vast majority actually had stolen credentials, so if you look at LivingSocial, fifty million stolen passwords, Evernote, Sony, RSA. All of these had breaches that actually involved stolen passwords, or passwords were actually stolen as part of that breach. Again, two factors really are an approach that really helps mitigate that risk.


I'm going to talk a little bit about Two-Factor authentication and Duo. As Jason pointed out, passwords have a lot of problems. Right? They're easily stolen as we talked about. Not only are they easily stolen, but users and sites can actually share passwords, which means if an employee actually leaves your company and you terminate that account, you might be terminating an access with five different people if they're sharing that password. They can be easily guessed. They can be cracked. In LivingSocial's case, they stole fifty million passwords and they were encrypted, but you can actually run programs like John the Ripper, which are freely available against that encrypted list and most of the time, you'll actually be able to actually figure out what those passwords are. Finally, we've all forgotten passwords and then you go through this account recovery process where they ask you about your dog, your dog's name or your sister's maiden name or something like that. It's a very cumbersome process as you try to remember the passwords.

As Jason pointed out, Two-Factor is about taking two different kinds of factors, and there are four basic kinds of factors we think about when it comes to identifying yourself. There is the knowledge-based factor, passwords. There's the possession factor, something that you have like a phone or a smart card. There's the identity factor, which is something you are, and there's the behavioral factor, which is something that you do, whether it's location or your reputation. The idea behind Two-Factor is you actually pick two of these factors, because then it's much harder for an attacker to actually compromise both of these factors. He may be able, for example, to steal your key, but they won't actually be able to see your password. They really have to go through two different channels, if you will, to actually compromise your identity.

The challenge, of course, is if Two-Factor is so proven why haven't people actually used it? The reality is that historically Two-Factor has been very difficult to deploy. It's been hard to use and it's been expensive to manage. You've got to deploy all these tokens and give them to everyone. If you have 100 people who don't work in the office, they all have to figure out when to get in the office and if they lose their token they have to show up again. Any sort of mass market Two-Factor solution really needs to be able to reduce fraud and improve security while not adding to that management overhead, and help to support cost, which would really be useful. With Duo, that's exactly the mission that we embarked upon.

We wanted to really solve the biggest problem in security today around account takeover and online fraud, and wanted to make a solution that really scaled from small two-person organizations to tens of thousands of users, and we didn't want to make it limited to any particular market niche. We felt we could do this because of the advent of cloud technology, so our solution is 100% in the cloud, and also because of mobile devices; everyone has a mobile device or smartphone today. Those are really the two sort of market forces that we've taken advantage of to create this mass market two factor solution.


Richard: In addition to making it easy to use, we spent a lot of time worrying about security, so we have this Duo Push protocol, which is secure by design and the Duo Push, you can see on the right here, is via phone and you're trying to log into a system. It actually pops up and says do you want to approve or deny, so you're not typing in passwords or anything like this. It really enables you to actually architecturally be a lot more secure than the traditional six-digit pin that you're typing in. The other thing that this lets you do is that if you want to actually deny, you can actually explain why it was denied. You could say it was fraudulent or it was a mistake. You can actually report fraud. This approach actually lets us deputize all of our end users to actually monitor the system for fraud. That way, we can actually identify people who are trying to break into the system much earlier than traditional password authentication systems.

Duo is easy to deploy. We stay on the cloud. We manage all the service ourselves. It's easy to manage. One of the things we spent a lot of time on is for end users who actually try to access your system, we created a stealth enrollment process, so they don't need to actually spend a lot of time talking to your helpdesk support people and it's easy to use. Your phone is your key and you just install a simple application in your phone and you click a button, say it's approved or deny and then you're logged into the system.

We're just going to show a couple screen shots for both an administrator and an end user around what the Duo experience looks like. For an administrator, they just go to our website. They sign up, you type in your organization name, and then as Jason said, we have a wealth of documentation that explains how you actually drop in Duo into any of your VPNs, to your web applications, or you can also use our open APIs that's to integrate with other applications that we might not necessarily support out of the box. Typically, for an application that we support, we find an administrator is actually going to get this thing up and running in less than 15 minutes.

From an end user perspective, we have a stealth enrollment process, so when you try to connect, in this example, to your Juniper SSL VPN, you actually give your phone number. It will actually verify your phone and then it gives you a link to actually install your application in one click. That's all there is to actual enrollment. You don't need to show up and get hardware tokens or anything like that. It's just all self-managed and designed to really be in a way where you don't actually need to use your help desk.

We've got a full management web console for administrators and open APIs to integrate with. They'll provide reporting and user management, device management, and all the functionality you might need to actually administer all your different user authentication mechanisms.

From an end user perspective, we verify users as they log in. You enter your username and password as usual. You choose your authentication method and then you're logged in. We support both Duo Push, like I was talking about before. We support traditional pass codes. We support text messages. We can even support sort of legacy tokens in dinosaur mode. Whether they're soft tokens or sort of modern, sort of Duo Push technology using a callback SMS, we support both offline and online use cases.

Showing what Outlook for the application looks like, this is for folks that use Microsoft Exchange. They've probably seen this web interface. We integrate exactly this web interface. If you actually go to OWA with Duo enabled, you type in your username, type in your password and then the next screen pops up and actually it looks at part of that overall user experience and work flow and you can choose your authentication technique, your second factor. By default, we recommend Duo Push and if you just click login on your phone it will pop up and it will say there's a remote access request after the login. You unlock your phone. It shows you the system that you're trying to actually access and you can approve or deny. You click approve and immediately you have access to your email.

Similarly, if you're offline, instead of using Duo Push, your phone doesn't have Internet connectivity, you can actually just type in a pass code. We support that. You just click on the key. It gives you a six-digit pass code. You type it in. You log in and, again, you have access to your email.

With that, I wanted to share my contact information, or with questions you can also contact Joey, a colleague of ours, or follow me on Twitter. If anyone's got any questions I'm happy to answer them.


April: We do have a question here. I have multiple access points on my network, webmail, VPN, and some custom web apps. Can I use Duo across all of these with a single customer account?

Brian: Sure, I'll take that one. This is Brian. Yeah, absolutely, so really the only variable in a Duo account is how many users you have. By design, we allow as many integrations, is what we call them, integration being connecting Duo to a VPN or to your webmail or a custom web app. You can use as many of those as you'd like and your users only have to enroll once. So, the user goes in. Maybe, the first thing they use that has Two-Factor is webmail, set up, link their phones, their user name. Then, subsequently when they access their VPN, which also has Two-Factor enabled, they don't have to go through enrollment again. So, once enrolled, use everywhere.

We have quite a few customers using us in this fashion. It's kind of what they initially look at wanting to deploy Two-Factor for, probably, for VPN. That's probably one of the most popular business cases. Then, other teams at a company get word of it and they say, "Oh, you know, I have this production server that, you know, we have SSH access to; we should really be using something more than using a password," and so commonly it will expand into other integrations throughout the customer's use of Duo.

Jason: We also use it on remote desktop installations, so we log into a remote desktop and it asks us to type in Push, phone, text, whatever.

Brian: Exactly, yeah. We use the Windows version of it and remote desktop.

April: Another question here. Can users select the method they use? Some of our clients are located in big buildings where coverage isn't available?

Brian: Absolutely. By design, from day one, we give the flexibility both to users and administrators. I'll talk about the user side first. If you activate a smartphone with Duo, you'll be able to either use Duo Push, which is our preferred out-of-band secure method. It's really easy to use. Just tap that green button, but as mentioned here, if you don't have network connectivity you can still generate an offline event-based passcode using the Duo mobile app or if you don't have a smartphone, you could use a hardware token or even an SMS passcode that you got in advance when you did have network connectivity. All those methods work on, what we call, the offline scenario when the user has a primary device with connectivity, maybe, over a hard network, but their second factor device does not have connectivity.

One other point I'll make on the administrative side is we have had a number of requests that customers said, "You know what? My smartphone coverage is really great and I would prefer just to use Duo Push. I don't want to give my user a choice. I want to keep it simple for them," so recently, we added a feature that lets you do factor restriction. So, if you prefer not to do phone callback or SMS, you check a couple boxes in the Duo admin interface and then users will only be presented with the options that are permitted by your organization.

April: That's something the administrator can effectively control, right?

Brian: Yes, yes, both for security and usability reasons. We've heard requests from both sides. Our whole goal is to give customers a platform and allow them preferences that are appropriate to their organizations and their futures.

April: I do see a couple of Online Tech clients who are asking about some Duo integration with their VPN connections and, yes, we can talk with you about how to support that and follow up with you after the webinar. But for those of you who are considering Duo in other capacities other than specifically connecting to us just here, we'll encourage you to reach out to Duo without caution. We have other questions here. Do any of your clients use Duo for FIPS?

Brian: There are different specific types of FIPS certifications. If you go to our DuoSecurity.com/security web page, you can read about the particular certifications we have on the product and the compliance, both from an IR approach to our own security. It includes people, process, and technology. We have a primer that's available on the site that will give you an overview of what types of processes we have in place to certify or comply with certifications such as FIPS, but FIPS gets into a lot of specific areas, so give a more specific question about which type of FIPS compliance. We can address that; feel free to drop us a line and we can talk more about it.

April: Okay. I'm not specifically familiar with FIPS, but I know that from the HIPAA and PCI point of view, that using Two-Factor authentication has only helped us and actually has served meeting the measure of control for those.

Are there plans to create an Apache module?

Brian: Most of our web integration supports any web app, independent of what web server, what framework, what language you use to develop your web app in. As far as at the web server level, we have different requests for different integrations, and we take those in sort of as in the number of requests that come in and the specifics around it. We're happy to work with the customer on a specific integration. I encourage you to contact Support for the integration that we might not have listed on the site and also to look at our GitHub repository, which is linked from a number of our documentation pages. That server has the leading edge integration that's available, but if one is not there, contact us. We'll talk about it and figure a way to get it done.

April: Yes, now I'll just give a plug here and share that one of our clients needed to do a Duo implementation for, I think it was, a version of Citrix that might not have been directly off the truck and Duo was great at helping them work with it. They got set up very quickly on hundreds of VPN connections. When they say they'll work with you on customization, they mean it.

Let's see other questions. Is there a notification to admin if someone punches denied on their phone to the access request?

Brian: Yes. Real time logs are available in a couple of different ways out of the box. The product can be configured to immediately email both administrators or, maybe, you have a specific mailing list that goes out to a number of people in your operations or IT support team internally. Additionally, all of our logs are available both interactively by logging into our web hosted admin interface, but also we have an API that can connect to your real time log monitoring systems and be handled however you would prefer to get your information like this from a system that is in the critical path of your users.

April: What happens when a user has a new cell phone number? Are they allowed to sign on with the new number, or can the user with a new mobile phone number sign up themselves, or is that a hard workflow to accomplish if someone gets a new cell phone number?

Brian: Currently, the way to universally solve this being independent of whatever integration you use Duo is to contact helpdesk and have them send you a new enrollment link for that new device. The reason for that is that Duo, by design, stays out of the way of your primary credential, but to make any modification to that user you want to allow them to do it themselves, you want to make sure that they have their first factor and their second factor in their possession.

Our current way to address adding a phone number is for the user to get a unique link after being vetted by their IT department, "This is me. This is my employee ID," whatever mechanism the organization uses, then the admin will provision a new phone number and associate it with their account.

Jason: I would say, from a security perspective, we want our clients and our internal users to notify us when they have a new phone, lose their phone or anything like that. We don't want them to have the ability to do this on a website somewhere, just from a security perspective. I think if they lose their phone or they get a new phone number, something along that line, opening up a ticket for that particular scenario with us if you're an Online Tech client or if it's an internal employee is better than having an automated way for them to go do it.

Brian: I'll point out, though, that I mentioned earlier about you would be in a platform that's accessible. In addition to our authentication API and software development kits, we also have an administrative API, which an organization can take and if they want to do a self-service reset portal according to whatever mechanisms they want to use to prove that user's identity, everything that is available in the interactive admin interface, is also available through an API. If it doesn't exist today, in the product out of the box, you can certainly build it on your own.

April: Since you have described your product as affordable, can you address cost models?

The one other comment I'll add with regard to cost, we regularly get feedback that in addition to it being a fairly priced Two-Factor authentication product, the amount of time that administrators are saved from the day-to-day maintenance of tokens, actually mailing them out or dealing with user requests has cut back their cost substantially. In some cases, we've heard token appointments taking five to 10 hours a week of an IT department handling the requests around that.

Our self enrollment module, which is accessible by any of our web integrations or even Duo Unix also saves a lot of time. Users set themselves up rather than you having to deliver a hardware drive or even have somebody manually adding somebody's phone number by delegating that to the users to set up. Common feedback received from customers is it being a significant labor cost savings in their employment.

Jason: I can tell you that we set a couple of users up when we implemented it internally, because we thought it would be easier for them. They were obviously high level executives.

Brian: Oh, the manual way?

Jason: Right. Well, we set them up so that all they had to do was go, right?

Brian: Yes.

Jason: They had more problems than the user that went through the automated process, because they had an understanding of how it worked.

Brian: Yes.

Jason: So, we recommend everybody go through that automated process of adding your phone and setting things up initially, because it really is easy, because we don't have to do anything with it.

Yeah. I mean, it's really an easy guided tutorial, how you set up your phone and add your phone and then how it shows you how you're going to be using it from thereon forward. It saves a ton of time, installation time especially. With some of these other Two-Factor solutions, implementing an RSA token keyed system is very difficult, not easy.

April: Even from the non-technical end user perspective … Jason made the decision and the recommendation that we should rollout Two-Factor across the company. It doesn't matter if you were in sales, marketing, HR, finance, everyone got set up with Duo and it was truly painless.

Jason: It was, absolutely.

April: I can't think of any hiccups or problems.

Jason: It works. It doesn't hurt. It just works, definitely.

April: Great. If there aren't any other further questions, I want to thank everyone for joining us today. Richard, Brian, thank you so much.

Richard: Thank you for having us.

April: Thanks, everyone, for your patience with our hiccups today. We will post a recording of the webinar. We'll shoot out a link to all of you for future reference. Please reach out to Duo with any additional questions. We look forward to seeing you on another Tuesday at 2 webinar. Over the next three weeks we're focusing on encryption. We'll be talking about the impact of encryption on risk management next week. We'll be following that with someone else from Duo Security, Mark Stanislav. He's going to be sharing with us some approaches to encryption in a Linux environment. We'll also have Farooq, from Online Tech. Farooq is talking to the Windows environment. Mark will be talking on the Linux environment.

That will be followed the last Tuesday of June with our own Steve Aiello. He's going to be talking about encryption options at the hardware and storage level.

Thanks everyone again. Look forward to seeing you again soon.


Richard Li, Vice President of Product and Strategy, Duo Security

Richard Li is Vice President of Product and Strategy for Duo Security. Richard was previously VP, Strategy & Corporate Development at Rapid7, where he managed strategic planning, advanced research, and corporate development. Prior to that, he built and led the product management organization at Rapid7.

Before Rapid7, Richard spent seven years in a variety of engineering, sales, and marketing leadership roles at Red Hat. Richard has a B.S. and M.Eng. from MIT.


Brian Kelly, Senior Product Manager, Duo Security

Brian Kelly is a Senior Product Manager at Duo Security. Previously Brian helped start TrustBearer Labs, an authentication software company focused on smart card technology. TrustBearer Labs was acquired by VeriSign in 2010 and Brian moved into the User Authentication team as a Product Manager for VeriSign's Managed PKI platform, which was later acquired by Symantec.

Brian led PKI technology partnerships as part of the Symantec User Authentication team. Brian has a B.S. Computer Science from Virginia Tech.


Jason Yaeger, Director of Operations/Risk Management & Security Officer, Online Tech

In his three years at Online Tech, Jason has guided the company through successful completion of many audits, including SAS 70 Type I, SAS 70 Type II, SSAE 16, and HIPAA. In addition to overseeing operations across all of Online Tech’s data centers, Jason is also the Vice President of the Southeast Michigan Chapter of 7x24 Exchange.

Prior to Online Tech, Jason was Director of Internet Operations at 20/20 Communications where he spent 8 years developing the company’s wireless and internet initiatives.

