Duo is a software-as-a-service (SaaS) solution that makes it simple to deploy multi-factor authentication and device visibility, even without mobile device management. In addition to the primary method of username and password, factors such as device ownership and biometric authentication via fingerprints and facial recognition can be used for authentication. A combination of multiple methods establishes trust that users who are trying to access your application are who they say they are.
Future ready with SAML and SSO
Single Sign-On (SSO) from Duo is a cloud-hosted Security Assertion Markup Language (SAML) 2.0 identity provider that secures access to cloud applications with existing directory credentials. Duo Central acts as a dedicated portal for registering frequently used cloud services and on-premises applications in advance.
With SSO, the user does not need to reauthenticate in individual applications after logging into Duo Central. Mr. Chonan says, "In addition to Microsoft 365, we use various applications such as Adobe Creative Cloud, various [learning management systems], faculty and staff, personnel and payroll systems, [content management systems], etc., and it is expected that the number will increase in the future. It is easy to link them with SAML, assuring smooth future expansions."
User-friendly push notifications
One way Duo confirms identity is by sending push notifications to a user's smartphone. With Duo Push enabled, when someone pretending to be a user tries to log in, the user immediately receives an alert on their smartphone. Chonan says, "Push notifications were the must-have features for our system. Duo offers user-friendly push notifications on the smartphone app, which made it easy to use for all users including those who are not familiar with IT."
Hybrid IT environments
Duo comes with multiple modules, providing flexibility for adding multi-factor authentication for systems running on a cloud or accessing devices on premises whether they are Windows or Linux-based servers. Akashi says, "This feature is one of [Duo's] strengths that no other products have, and since system admins will need to access systems remotely in the future, vulnerability control of Duo was especially appealing."
Location-based access
DWCLA uses Duo's IP address-based access control and enforces multi-factor authentication for users only when they access from an off-campus location. "We have strict physical security control upon entry into the campus, so we made the system more convenient by waiving multi-factor authentication for access on campus. This way, students can still attend classes even if they forgot their smartphones."
The network was almost ready in early 2020, with construction proceeding according to plan. However, college-wide deployment and rollout were postponed until Fall 2021. Chonan explains, "the decision was made based on safety reasons. We started giving lectures online since the pandemic started. If we deploy the service while the university staff and students are not physically present on campus, it is difficult to troubleshoot in case there is an issue with access and so on. Therefore, we decided it's best to start rollout when we resume face-to-face classroom lectures."
For college-wide deployment, the network infrastructure team prepared a user guide by extracting instructions needed for users of the network from the manuals provided by Cisco. The team also created a user guide video for device registration and posted it on the university's website to reduce the number of inquiries.
According to Mitsuaki Okuda, a member of the Network Infrastructure team, "Web manuals provided by Cisco were extremely helpful because they were thorough and easy to understand. Gradual rollout from university staff, current students, and then to new students turned out to be successful, as it helped us improve accuracy of the user guide by clarifying the inquiries we received."
Potential user friction was addressed as well: "We were initially concerned about smartphone model change, but by providing a model change form on the website, we minimized workload for operation," he noted. Duo also supports authentication by a hardware token for users without a smartphone. Okuda says, "we prepared a considerable number of tokens, but actual tokens used were only one-tenth of what we anticipated."
Okuda comments on the manageability of Duo: "The intuitive management console is helpful because it makes it easier to find problematic users. Another benefit is that we can request function improvement or an addition of new features from the dashboard." In particular, Akashi emphasizes peace of mind realized with access routes visualized on logs. "When we have access from overseas, Duo can tell us which country the access came from, so we can determine if the access is legitimate or not by verifying whether a user of the terminal is located overseas, either on business or as part of a study abroad program. Also, we enabled settings to notify any access from a location outside Japan to a system admin via email through Duo API and to analyze a trend based on a user ID. Duo helped us clarify ambiguous areas and investigate them further when needed without extra workload. In fact, no serious incidents have occurred since we started using Duo."
As for DWCLA's plans and its expectations for Cisco, Chonan concluded as follows: "As SaaS is becoming more common in education, how we ensure security has been a growing concern. However, from now on, we plan to install Duo's multi-factor authentication into all applications we will use and expand it further. Duo is highly versatile while it provides good integration and visibility. Educational institutions are expected to undergo a drastic transition today. We hope Cisco will continue to provide solutions in consideration of user convenience at competitive pricing."