Operations //

Identity & Access Management

05:39 PM
Dark Reading
Dark Reading
Products and Releases

Yubico and Duo Security Accelerate Federal Cybersecurity Modernization and Smart Card Replacement

Revisions to federal cybersecurity requirements open door for transition to modern and more effective methods to secure government data

PALO ALTO, Calif., and ANN ARBOR, Mich., - March 28, 2018 - Cybersecurity leaders Yubico and Duo Security today announced a joint solution that allows government agencies and contractors to accelerate their IT modernization efforts while complying with the most stringent level of federal digital identity and authentication requirements, without added cost and complexity.

Yubico’s YubiKey hardware authentication device, recognized as the gold standard in login protection, combined with Duo’s cloud-based software, provides strong two-factor authentication (2FA) so federal employees and contractors can securely access agency data and applications on a traditional network or in the cloud. Duo’s industry standard methodology allows federal security officers to quickly add strong cryptographic authenticators, such as YubiKey, to applications that were previously difficult for the government to secure due to internal development requirements or third-party ownership.

“Strong user authentication is one of the primary areas federal agencies need to address as they look to modernize their security infrastructure to fit an increasingly cloud and mobile-first world," said Kiersten Todt, Managing Partner at Liberty Group Ventures and former Executive Director of the Presidential Commission on Enhancing National Cybersecurity. “Private sector firms who were built with this new infrastructure in mind will be key partners for the government in expediting this modernization process.”

To secure access to critical information, federal law requires government agencies and contractors who process, store and transmit data to implement strong authentication controls as outlined in the National Institute of Standards and Technology (NIST)’s Digital Identity Guidelines (SP-800-63-3). The rigor of security measures required is segmented into three Authenticator Assurance Levels (AAL 1 - AAL 3), determined by the sensitivity of the information. Duo and Yubico help federal agencies comply with all three levels using one unified security platform.

The upcoming, YubiKey-FIPS device supports FIDO U2F, smart card (PIV compatible), Yubico OTP, OpenPGP, OATH-TOTP, and OATH-HOTP protocols, and will be the first multi-protocol hardware authenticator certified at FIPS 140-2 Overall Level 2 and Physical Level 3 to meet AAL 3.

“With reliable hardware-backed protection at the touch of a button, using two-factor authentication with Duo and YubiKey is remarkably easy and four times faster than typing codes or using an access card to log in,” said Jerrod Chong, Senior Vice President of Product at Yubico. “The YubiKey is the trusted secure authentication choice for the largest internet, finance, and retail companies in the world. With FIPS certification on the horizon, introducing the multi-protocol YubiKey into the federal space is a natural progression for this technology.”

Previously, federal agencies were required to secure their most critical data with cumbersome and expensive personal identity verification (PIV) or common access (CAC) cards, which couldn’t be implemented across all resources. Recently revised NIST guidelines allow federal employees and contractors to use biometric identity authentication on a trusted device, as well as the use of a validated hardware token like the YubiKey for replacement of a CAC or PIV card.

“The days of requiring federal employees and contractors to use clumsy smart cards to access critical government data are numbered,” said Sean Frazier, Duo Advisory Chief Information Security Officer, Federal. “In a sector that has been pushing to catch up to other industries in terms of cloud and mobile, the new guidelines are a welcome change for every federal CISO who’s looking to modernize their IT environment.”

At half the cost of similar products, Duo has no complex software configurations nor manual setup, allowing 75 percent of organizations who use Duo to get up and running in less than a week.

“The private and public sectors are beginning to solve their security problems in the same way,” said Frazier. “IT modernization is about using off-the-shelf technologies and services to give agencies the ability to be more agile in deploying and managing their environment and get better security in the bargain. Leveraging existing, strong, ‘good enough for commercial market’ technology is what the government’s journey to IT modernization is all about.”

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-01-21
In the GNU C Library (aka glibc or libc6) through 2.28, the getaddrinfo function would successfully parse a string that contained an IPv4 address followed by whitespace and arbitrary characters, which could lead applications to incorrectly assume that it had parsed a valid string, without the possib...
PUBLISHED: 2019-01-21
Teradata Viewpoint before 14.0 and contains a hardcoded password of TDv1i2e3w4 for the viewpoint database account (in viewpoint-portal\conf\server.xml) that could potentially be exploited by malicious users to compromise the affected system.
PUBLISHED: 2019-01-21
In Axway File Transfer Direct 2.7.1, an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request with %2e instead of '.' characters, as demonstrated by an initial /h2hdocumentation//%2e%2e/ substring.
PUBLISHED: 2019-01-21
GattLib 0.2 has a stack-based buffer over-read in gattlib_connect in dbus/gattlib.c because strncpy is misused.
PUBLISHED: 2019-01-20
Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter.