Operations // Identity & Access Management

Dark Reading, Products and Releases
3/28/2018 05:39 PM
Yubico and Duo Security Accelerate Federal Cybersecurity Modernization and Smart Card Replacement

Revisions to federal cybersecurity requirements open door for transition to modern and more effective methods to secure government data

PALO ALTO, Calif., and ANN ARBOR, Mich., - March 28, 2018 - Cybersecurity leaders Yubico and Duo Security today announced a joint solution that allows government agencies and contractors to accelerate their IT modernization efforts while complying with the most stringent level of federal digital identity and authentication requirements, without added cost and complexity.

Yubico’s YubiKey hardware authentication device, recognized as the gold standard in login protection, combined with Duo’s cloud-based software, provides strong two-factor authentication (2FA) so federal employees and contractors can securely access agency data and applications on a traditional network or in the cloud. Duo’s industry standard methodology allows federal security officers to quickly add strong cryptographic authenticators, such as YubiKey, to applications that were previously difficult for the government to secure due to internal development requirements or third-party ownership.

“Strong user authentication is one of the primary areas federal agencies need to address as they look to modernize their security infrastructure to fit an increasingly cloud and mobile-first world," said Kiersten Todt, Managing Partner at Liberty Group Ventures and former Executive Director of the Presidential Commission on Enhancing National Cybersecurity. “Private sector firms who were built with this new infrastructure in mind will be key partners for the government in expediting this modernization process.”

To secure access to critical information, federal law requires government agencies and contractors that process, store and transmit data to implement strong authentication controls as outlined in the National Institute of Standards and Technology (NIST) Digital Identity Guidelines, SP 800-63-3 (the authenticator requirements are in its SP 800-63B volume). The rigor of the required security measures is segmented into three Authenticator Assurance Levels (AAL1 through AAL3), determined by the sensitivity of the information. Duo and Yubico help federal agencies comply with all three levels using one unified security platform.

The upcoming YubiKey FIPS device supports the FIDO U2F, smart card (PIV-compatible), Yubico OTP, OpenPGP, OATH-TOTP and OATH-HOTP protocols, and will be the first multi-protocol hardware authenticator certified at FIPS 140-2 Overall Level 2 and Physical Level 3 to meet AAL3.

“With reliable hardware-backed protection at the touch of a button, using two-factor authentication with Duo and YubiKey is remarkably easy and four times faster than typing codes or using an access card to log in,” said Jerrod Chong, Senior Vice President of Product at Yubico. “The YubiKey is the trusted secure authentication choice for the largest internet, finance, and retail companies in the world. With FIPS certification on the horizon, introducing the multi-protocol YubiKey into the federal space is a natural progression for this technology.”

Previously, federal agencies were required to secure their most critical data with cumbersome and expensive Personal Identity Verification (PIV) or Common Access Card (CAC) smart cards, which could not be implemented across all resources. Recently revised NIST guidelines allow federal employees and contractors to use biometric authentication on a trusted device, or a validated hardware token such as the YubiKey, in place of a CAC or PIV card.

“The days of requiring federal employees and contractors to use clumsy smart cards to access critical government data are numbered,” said Sean Frazier, Duo Advisory Chief Information Security Officer, Federal. “In a sector that has been pushing to catch up to other industries in terms of cloud and mobile, the new guidelines are a welcome change for every federal CISO who’s looking to modernize their IT environment.”

At half the cost of similar products, Duo requires no complex software configuration or manual setup; 75 percent of organizations that use Duo are up and running in less than a week.

“The private and public sectors are beginning to solve their security problems in the same way,” said Frazier. “IT modernization is about using off-the-shelf technologies and services to give agencies the ability to be more agile in deploying and managing their environment and get better security in the bargain. Leveraging existing, strong, ‘good enough for commercial market’ technology is what the government’s journey to IT modernization is all about.”
