05:39 PM
Dark Reading
Products and Releases

Yubico and Duo Security Accelerate Federal Cybersecurity Modernization and Smart Card Replacement

Revisions to federal cybersecurity requirements open door for transition to modern and more effective methods to secure government data

PALO ALTO, Calif., and ANN ARBOR, Mich., - March 28, 2018 - Cybersecurity leaders Yubico and Duo Security today announced a joint solution that allows government agencies and contractors to accelerate their IT modernization efforts while complying with the most stringent level of federal digital identity and authentication requirements, without added cost and complexity.

Yubico’s YubiKey hardware authentication device, recognized as the gold standard in login protection, combined with Duo’s cloud-based software, provides strong two-factor authentication (2FA) so federal employees and contractors can securely access agency data and applications on a traditional network or in the cloud. Duo’s industry standard methodology allows federal security officers to quickly add strong cryptographic authenticators, such as YubiKey, to applications that were previously difficult for the government to secure due to internal development requirements or third-party ownership.

“Strong user authentication is one of the primary areas federal agencies need to address as they look to modernize their security infrastructure to fit an increasingly cloud and mobile-first world,” said Kiersten Todt, Managing Partner at Liberty Group Ventures and former Executive Director of the Presidential Commission on Enhancing National Cybersecurity. “Private sector firms who were built with this new infrastructure in mind will be key partners for the government in expediting this modernization process.”

To secure access to critical information, federal law requires government agencies and contractors who process, store and transmit data to implement strong authentication controls as outlined in the National Institute of Standards and Technology (NIST)’s Digital Identity Guidelines (SP-800-63-3). The rigor of security measures required is segmented into three Authenticator Assurance Levels (AAL 1 - AAL 3), determined by the sensitivity of the information. Duo and Yubico help federal agencies comply with all three levels using one unified security platform.

The upcoming YubiKey-FIPS device supports FIDO U2F, smart card (PIV compatible), Yubico OTP, OpenPGP, OATH-TOTP, and OATH-HOTP protocols, and will be the first multi-protocol hardware authenticator certified at FIPS 140-2 Overall Level 2 and Physical Level 3 to meet AAL 3.

“With reliable hardware-backed protection at the touch of a button, using two-factor authentication with Duo and YubiKey is remarkably easy and four times faster than typing codes or using an access card to log in,” said Jerrod Chong, Senior Vice President of Product at Yubico. “The YubiKey is the trusted secure authentication choice for the largest internet, finance, and retail companies in the world. With FIPS certification on the horizon, introducing the multi-protocol YubiKey into the federal space is a natural progression for this technology.”

Previously, federal agencies were required to secure their most critical data with cumbersome and expensive personal identity verification (PIV) or common access (CAC) cards, which couldn’t be implemented across all resources. Recently revised NIST guidelines allow federal employees and contractors to use biometric identity authentication on a trusted device, as well as to use a validated hardware token like the YubiKey as a replacement for a CAC or PIV card.

“The days of requiring federal employees and contractors to use clumsy smart cards to access critical government data are numbered,” said Sean Frazier, Duo Advisory Chief Information Security Officer, Federal. “In a sector that has been pushing to catch up to other industries in terms of cloud and mobile, the new guidelines are a welcome change for every federal CISO who’s looking to modernize their IT environment.”

At half the cost of similar products, Duo has no complex software configurations nor manual setup, allowing 75 percent of organizations who use Duo to get up and running in less than a week.

“The private and public sectors are beginning to solve their security problems in the same way,” said Frazier. “IT modernization is about using off-the-shelf technologies and services to give agencies the ability to be more agile in deploying and managing their environment and get better security in the bargain. Leveraging existing, strong, ‘good enough for commercial market’ technology is what the government’s journey to IT modernization is all about.”
