Skip navigation

Duo Security: About Duo products, solutions, use cases, benefits, and more

Start a Duo free trial

Duo Security: Key takeaways

Duo Security, a Cisco company, is a leading provider of multi-factor authentication (MFA) and comprehensive identity access management (IAM) security solutions on a cloud-delivered platform that helps organizations verify user identities and device health before granting access to applications, data, and networks.

Duo serves tens of thousands of customers worldwide — from small businesses to government agencies to Fortune 500 enterprises. Its solutions secure industries as varied as healthcare, higher education, manufacturing, technology, finance, and public sector organizations, helping them implement modern Zero Trust strategies without slowing down the business.

Duo's core product capabilities

Duo Security's core product capabilities focus on securing access to applications and data, and include Phishing-resistant Multi-Factor Authentication (MFA), Single Sign-On (SSO), Duo Directory, Passwordless Authentication, Duo Passport, Device Trust, Identity Threat Detection and Response (ITDR), and Identity Security Posture Management (ISPM). Other product capabilities include Two-Factor Authentication, Remote Access, and Adaptive Access Policies.

Duo's security solutions

Duo's solutions combine product capabilities to address specific security requirements. Solutions include Security-first Identity Access Management (IAM), End-to-End Phishing Resistance, Compliance Solutions, Access Management, and Zero Trust Security.

Duo's product editions and how to purchase

Duo offers four subscription levels: Free (up to 10 users), Essentials, Advantage, and Premier, each providing increasing levels of security and features. Subscriptions are billed per user, per month, and can be purchased directly via credit card in the Duo dashboard after a free trial, or by contacting sales for larger or specialized needs.

Duo helps organizations of all sizes reduce risk, protect against identity threats, and ensure compliance with an easy, user-friendly experience.

Table of contents

Duo core product capabilities

Duo security solutions

Pricing and product editions (product packages)

Use cases and customer success stories

Duo core product capabilities

Duo Multi-Factor Authentication (MFA)

Duo delivers strong security without the hassle. It integrates easily, offers phishing-resistant MFA in addition to options like biometrics and tokens, and includes user-friendly identity verification. That means a smoother experience for users and less work for IT support.

What is Duo's Multi-Factor Authentication (MFA) product?

Duo's Multi-Factor Authentication (MFA) is a security solution that requires users to provide two or more verification factors to gain access to an application, system, or service. It adds a second, distinct layer of authentication beyond just a username and password. The product integrates with various applications and identity providers to enforce this additional authentication step. Its purpose is to verify a user's identity by requiring something they know (like a password), something they have (like a phone or hardware token), and/or something they are (like a fingerprint), thereby significantly increasing the difficulty for unauthorized individuals to access protected resources even if they obtain primary credentials.

How does Duo's Multi-Factor Authentication product capability work?

Duo's Multi-Factor Authentication integrates into existing login workflows to add a secondary verification step. The general process is as follows:

  1. Primary Authentication: The user first provides their primary credentials (e.g., username and password) to the application or service they are trying to access. This initial authentication can be handled by the application itself, an Identity Provider (IdP), or a directory service.

  2. Duo Integration Point: After successful primary authentication, the application or service redirects the authentication request to Duo's MFA service. This integration is typically achieved via various methods such as RADIUS,SAML/OIDC, Duo's Authentication Proxy, and Direct API Integrations.

  3. Second Factor Prompt: Duo then prompts the user for a second factor of authentication. The user can choose from various enrolled methods, which may include Duo Push, Security Keys, Biometrics, Passcodes, or a Phone Call.

  4. Verification and Access Decision: Duo verifies the second factor. If the verification is successful, Duo communicates this success back to the application or service.

  5. Access Granted: The application or service then grants the user access to the requested resource. If the second factor verification fails, access is denied.

Duo also allows for the application of adaptive policies during this process, considering factors like device health, location, and network to determine if additional authentication steps or access restrictions are necessary.

Why is Duo MFA important?

Duo's Multi-Factor Authentication product capability is important because it significantly enhances the security posture of an organization by addressing vulnerabilities inherent in single-factor authentication.

  1. Mitigates Credential Theft: It provides a critical defense against attacks that compromise primary credentials, such as phishing, credential stuffing, and malware. Even if an attacker obtains a user's password, they cannot gain access without the user's second factor.

  2. Reduces Risk of Unauthorized Access: By requiring multiple distinct forms of verification, MFA drastically reduces the likelihood of unauthorized access to sensitive applications and data. This is particularly crucial in environments where users might reuse passwords or use weak passwords.

  3. Supports Compliance Requirements: Many regulatory and industry compliance standards (e.g., HIPAA, PCI DSS, NIST, GDPR) mandate the use of MFA for accessing sensitive data or systems. Duo MFA helps organizations meet these requirements.

  4. Enhances Security for Remote and Cloud Access: With an increasing number of users accessing resources remotely and via cloud applications, traditional perimeter security is insufficient. Duo MFA secures access from any location and any device, ensuring that only verified users can connect.

  5. Provides Granular Control and Visibility: Administrators gain the ability to enforce specific authentication policies based on user groups, application sensitivity, and contextual factors. Duo also provides logging and reporting on all authentication attempts, offering visibility into access patterns and potential security incidents.

Single Sign-On (SSO)

Just like you need MFA for strong protection, Single Sign-On (SSO) is the bedrock of secure identity management. By cutting down on the chaos of multiple logins, SSO strengthens your entire security strategy—ensuring easy access without the risk.

What is Duo's Single Sign-On (SSO) product?

Duo's Single Sign-On (SSO) product is an identity solution that allows users to access multiple cloud applications using a single set of credentials. It functions as an Identity Provider (IdP) for cloud applications, integrating multi-factor authentication (MFA) and adaptive access policies directly into the SSO process. This centralizes authentication and authorization, ensuring that user logins are secured with MFA and evaluated against defined security postures before access is granted.

How does Duo's Single Sign-On work?

Duo's Single Sign-On product functions as an Identity Provider (IdP) for cloud applications (Service Providers - SPs). The process involves these steps:

  1. User Initiates Access: A user attempts to access a cloud application configured to use Duo SSO. The application redirects the authentication request to Duo's SSO.

  2. Redirection to Duo SSO: The user's browser is directed to Duo's SSO login page.

  3. Primary Authentication: The user enters their primary credentials (username and password) into Duo. Duo verifies these credentials, potentially against an existing directory (e.g., Active Directory, Azure AD, LDAP).

  4. Multi-Factor Authentication (MFA) Enforcement: Following successful primary authentication, Duo's SSO product requires a second factor of authentication. This can be a Duo Push notification, a security key, a passcode, or another configured method.

  5. Adaptive Access Policy Evaluation: Before access is granted, Duo's SSO product evaluates the login attempt against configured adaptive access policies. These policies can consider factors like Device Trust, Geographic Location, Network Context, and Application Sensitivity.

  6. Token Issuance: If MFA is successful and all adaptive policies are met, Duo's SSO product generates an authentication token (e.g., SAML assertion, OIDC token) containing user identity information.

  7. Access Granted: This token is sent to the cloud application. The application validates the token and grants the user access.

Why is Duo Single Sign-On important?

Duo Single Sign-On is important because it integrates advanced security features directly into the SSO process.

  1. Integrates Multi-Factor Authentication (MFA): Duo SSO enforces MFA for every login. This adds a critical layer of security, as access requires not only a password but also a second verification factor (e.g., a push notification, security key). This helps protect against credential theft, phishing, and other attacks, even if primary credentials are compromised.

  2. Applies Adaptive Access Policies: Duo enables organizations to implement granular, context-based access policies. Access decisions can be based on factors beyond just user identity, such as:

    • Device Trust: Whether the device is managed and meets security requirements.

    • Geographic Location: The user's login location.

    • Network Context: Whether the user is on a trusted network.

    • Application Sensitivity: Specific authentication requirements for sensitive applications. This approach allows for dynamic security enforcement, blocking high-risk access attempts while allowing legitimate users appropriate access.

  3. Centralizes Security Policy Enforcement: By acting as an IdP or integrating with existing IdPs, Duo centralizes the application of security policies across cloud applications. This simplifies identity management for IT administrators and provides a consistent login experience for users.

  4. Provides Visibility and Control: Duo offers administrators insights into user authentications, device health, and access attempts. This data supports security monitoring, threat identification, and compliance efforts. It also enables enforcement of device hygiene checks, such as requiring up-to-date operating systems or antivirus software, before granting access.

Duo Directory

Use Duo as a true identity provider, offering a cloud-based user directory for single sign-on applications and advanced security like phishing-resistant MFA, passwordless authentication, and device trust and security posture evaluation.

What is the Duo Directory product?

Duo Directory is Duo’s identity directory and storage offering, allowing Duo to be a standalone identity provider (IdP) or work in tandem with existing IdPs in an environment. It’s a component within the Duo platform designed to synchronize user identities and group information from an organization's existing identity sources into Duo Security. Its primary function is to serve as a secure and automated method for populating and maintaining user accounts within the Duo administration console. This ensures that Duo's multi-factor authentication (MFA) and access policies operate with accurate and up-to-date user data derived directly from the organization's authoritative directories, such as Active Directory, Azure Active Directory, or Google Workspace.

How does Duo Directory work?

Duo Directory is a standalone feature that provides cloud-based user directory services. It can also operate by establishing a secure connection to an organization's primary user directory and performing a synchronization process. The typical workflow involves:

  1. Connection Establishment: Duo connects to the organization's directory. For on-premises directories like Active Directory, this often involves deploying a Duo Authentication Proxy server within the network to facilitate secure communication. For cloud directories like Azure AD or Google Workspace, API-based integrations are used.

  2. User and Group Synchronization: Once connected, Duo's Directory product imports specified user attributes (e.g., usernames, email addresses, phone numbers, group memberships) and group structures from the source directory into the Duo service.

  3. Attribute Mapping: Administrators configure how attributes from the source directory map to user properties within Duo. This ensures consistency and allows for granular policy enforcement based on directory data.

  4. Continuous Synchronization: The synchronization process is typically configured to run on a scheduled basis (e.g., hourly, daily) or can be triggered manually. This ensures that any changes made in the source directory—such as new users, user deletions, password changes, or group modifications—are reflected in Duo.

  5. Data Utilization: The synchronized user and group data is then utilized by Duo for various functions, including User Enrollment, Authentication, and Policy Enforcement.

Why is Duo Directory important?

Duo Directory provides a foundational layer for efficient and secure identity management within the Duo ecosystem.

  1. Automated User Provisioning and De-provisioning: It automates the creation and removal of user accounts in Duo, directly reflecting changes in the organization's authoritative directory. This eliminates manual administrative tasks and reduces the risk of stale accounts or unauthorized access for terminated users.

  2. Centralized User Management: It maintains a single source of truth for user identities. Administrators manage users in their existing directory, and Duo automatically reflects those changes, ensuring consistency across systems.

  3. Simplified Policy Application: By synchronizing group memberships, Duo allows administrators to apply MFA and access policies based on existing organizational groups. This simplifies policy management and ensures that security controls align with established roles and responsibilities.

  4. Improved Security Posture: Automated synchronization reduces the potential for human error in user management, ensuring that security policies are consistently applied to the correct user base. It helps maintain an accurate inventory of users requiring MFA.

  5. Scalability and Efficiency: For organizations with a large number of users, manual user management in an MFA solution is impractical. Duo's Directory product provides the scalability needed to manage identities efficiently, reducing administrative overhead and operational costs.

Duo Device Trust

Duo Device Trust cuts risk by verifying every device before granting access. Adaptive security policies block threats before they reach your network, stopping risky devices in their tracks and keeping your organization safe.

What is Duo's Device Trust product?

Duo's Device Trust is a capability within the Duo platform that evaluates the security state of an endpoint device (e.g., laptop, smartphone) at the time of an authentication attempt. It collects information about the device's characteristics and configuration to determine if it complies with an organization's security policies. This assessment is then used to make real-time access decisions, allowing or denying access based on the device's trustworthiness and compliance status.

How does Duo's Device Trust work?

Device Trust integrates into the authentication workflow, typically during or immediately after the multi-factor authentication (MFA) step. The process involves:

  1. Device Identification: When a user attempts to log in, Duo identifies the device being used. For managed devices, this often involves a certificate or agent that uniquely identifies the device to Duo. For unmanaged devices, it uses browser information and other heuristics.

  2. Security Posture Assessment: Duo collects various data points about the device's security configuration. This can include:
    Operating System (OS) Version: Checking if the OS is up-to-date or within an approved range.
    Screen Lock/Passcode: Verifying if a screen lock or passcode is enabled on mobile devices.
    Encryption Status: Determining if disk encryption (e.g., BitLocker, FileVault) is active.
    Security Software: Detecting the presence and status of antivirus software.
    Browser Security: Assessing browser version and security settings.
    Managed Device Status: Confirming if the device is managed by the organization's endpoint management system.

  3. Policy Evaluation: The collected device information is then compared against pre-defined Device Trust policies configured by the administrator. These policies specify the required security attributes for different levels of access or for specific applications.

  4. Access Decision: Based on the policy evaluation, Duo makes an access decision:
    Grant Access: If the device meets all specified policy requirements.
    Block Access: If the device fails to meet critical policy requirements.
    Require Remediation: If the device is non-compliant, Duo can prompt the user to update their OS, enable encryption, or take other corrective actions before re-attempting access.

  5. Reporting: Duo logs the device trust status for each authentication, providing administrators with visibility into device compliance across the organization.

Why is Duo Device Trust important?

Duo's Device Trust is important because it extends security beyond user identity to include the security state of the accessing device, significantly strengthening an organization's overall security posture.

  1. Reduces Attack Surface: By ensuring only compliant devices can access resources, it prevents compromised or insecure devices from becoming entry points for attackers, even if the user's credentials and MFA are valid.

  2. Enforces Security Standards: It automates the enforcement of an organization's endpoint security policies, ensuring that devices accessing corporate data meet minimum security requirements (e.g., up-to-date OS, enabled encryption).

  3. Enhances Adaptive Access Control: Device Trust adds a crucial contextual factor to access decisions. This allows for more granular and risk-aware access policies, where access to sensitive applications can be restricted to only highly trusted devices.

  4. Improves Compliance: Many regulatory frameworks and security best practices require organizations to ensure that devices accessing sensitive data are secure. Duo Device Trust helps meet these compliance obligations by providing verifiable device security checks.

  5. Supports Zero Trust Architectures: It is a fundamental component of a Zero Trust security model, where every access request, regardless of origin, is verified. Device Trust ensures that both the user and the device are explicitly verified before access is granted.

Duo's Remote Access

Duo's Remote Access refers to the application of Duo's security capabilities to protect access to an organization's internal resources from external locations. It integrates multi-factor authentication (MFA) and device trust into existing remote access solutions like VPNs, virtual desktop infrastructure (VDI), and secure access gateways. This ensures that only verified users on trusted devices can establish remote connections to sensitive corporate networks and applications.

What is Duo's Remote Access?

Duo's Remote Access offering is not a standalone remote access solution (like a VPN client itself), but rather a set of integrations and features within the Duo platform designed to secure an organization's existing remote access infrastructure. It provides a layer of identity and device security for various remote access technologies, including Virtual Private Networks (VPNs), Remote Desktop Protocol (RDP), Virtual Desktop Infrastructure (VDI), and other secure access gateways. Its purpose is to enforce strong authentication and assess device security posture before granting remote users access to internal networks and applications.

How does Duo's Remote Access product capability work?

Duo's Remote Access integrates with an organization's existing remote access solutions to add security layers. The typical workflow involves:

  1. Remote Access Initiation: A user attempts to connect to a corporate resource remotely, for example, by launching a VPN client, connecting to a VDI session, or accessing a remote desktop.

  2. Primary Authentication: The user first provides their primary credentials (username and password) to the remote access solution (e.g., VPN concentrator, VDI broker).

  3. Duo Integration: The remote access solution is configured to send the authentication request to Duo for secondary verification. This integration is commonly achieved via:

    • RADIUS: The remote access solution acts as a RADIUS client, sending authentication requests to a Duo Authentication Proxy server, which then communicates with Duo's cloud service.

    • SAML/OIDC: For web-based remote access portals or cloud-native secure access solutions, Duo can act as an Identity Provider (IdP) or integrate with an existing IdP.

  4. Multi-Factor Authentication (MFA) Enforcement: Duo prompts the user for a second factor of authentication. This could be a Duo Push notification to their smartphone, a security key, a passcode, or another enrolled method.

  5. Device Trust Assessment (Optional but Recommended): During or after MFA, Duo can assess the security posture of the device being used for remote access. This involves checking factors like operating system health, encryption status, and the presence of security software through Duo Device Trust capabilities.

  6. Policy Evaluation: Duo evaluates the authentication attempt against configured adaptive access policies, which can consider user identity, MFA success, device trust status, network location, and the specific resource being accessed.

  7. Access Decision:

    • If MFA is successful and all policies (including device trust, if enabled) are met, Duo signals successful authentication back to the remote access solution.

    • If MFA fails or policies are not met, Duo signals a failed authentication, and the remote access solution denies the connection.

  8. Connection Established: Upon successful authentication, the remote access solution grants the user access to the requested internal resources.

Why is Duo Remote Access important?

Duo's Remote Access significantly enhances the security of remote access, which is a common entry point for cyberattacks, especially in distributed work environments.

  1. Prevents Unauthorized Remote Access: By enforcing strong multi-factor authentication, it ensures that even if a user's primary credentials are stolen, attackers cannot gain unauthorized access to the corporate network via remote connections.

  2. Secures Unmanaged Devices: It extends security controls to devices connecting remotely, including personal devices (BYOD). Device Trust capabilities ensure that these devices meet minimum security standards before being allowed to connect, reducing the risk of malware or vulnerabilities entering the network.

  3. Enables Secure Remote Work: It provides a framework for organizations to securely enable remote workforces, allowing employees to access internal resources from anywhere while maintaining a strong security posture.

  4. Reduces Attack Surface: By validating both user identity and device security, it significantly reduces the attack surface presented by remote access points, protecting against credential theft, session hijacking, and other remote-specific threats.

  5. Supports Compliance and Zero Trust: It helps organizations meet compliance requirements for secure remote access and is a foundational component for implementing a Zero Trust security model, where every access request is explicitly verified, regardless of whether it originates inside or outside the traditional network perimeter.

Duo Passwordless

Duo Passwordless represents a significant step forward in identity security, offering a more secure, user-friendly, and efficient way for individuals to access digital resources.

What is Duo Passwordless?

Duo Passwordless is an authentication method offered by Cisco Duo that allows users to log in to applications and services without needing to type in or remember a password. Instead of passwords, it leverages strong, modern authentication standards like FIDO2 (Fast Identity Online 2) and WebAuthn (Web Authentication API) to verify a user's identity. This typically involves using a biometric (like a fingerprint or facial scan) on a trusted device (such as a smartphone or a hardware security key) to complete the login process. The core idea is to replace vulnerable, guessable, or phishable passwords with cryptographic proof of identity tied to a user's device.

How does Duo Passwordless work?

Duo Passwordless operates by establishing a secure, cryptographic link between a user's identity and their registered authentication device. Here's a simplified breakdown of the process:

  1. Enrollment: A user first enrolls a passwordless authenticator (e.g., their smartphone with Duo Mobile, a FIDO2-compliant security key like a YubiKey, or built-in biometrics on a device) with Duo. During enrollment, a unique cryptographic key pair (public and private key) is generated on the authenticator. The public key is registered with Duo, while the private key remains securely stored on the device and never leaves it.

  2. Login Initiation: When a user attempts to log in to an application protected by Duo, they typically enter their username. Instead of being prompted for a password, Duo recognizes that the user is enrolled for passwordless authentication.

  3. Authentication Challenge: Duo sends an authentication challenge to the user's registered passwordless authenticator.

  4. User Verification: The user interacts with their authenticator to approve the login. This usually involves a biometric verification (e.g., fingerprint scan, facial recognition) or a PIN entry directly on the device or security key. This action authorizes the authenticator to use its private key.

  5. Cryptographic Signature: The authenticator uses its private key to cryptographically sign the challenge received from Duo.

  6. Verification by Duo: The signed challenge, along with the user's public key (which Duo already has from enrollment), is sent back to Duo's service. Duo verifies the signature using the public key. If the signature is valid, it confirms that the request originated from the legitimate, enrolled device holding the corresponding private key.

  7. Access Granted: Upon successful verification, Duo authenticates the user and grants them access to the application.

This process eliminates the need for passwords entirely, as the user's identity is verified through a secure, device-bound cryptographic exchange.

Why is Duo Passwordless important?

Duo Passwordless is important for several critical reasons, enhancing both security and user experience:

  1. Enhanced Security:

    • Eliminates Phishing: Since there's no password to type, phishing attacks designed to steal credentials become largely ineffective. Users cannot be tricked into entering a password on a fake site.

    • Prevents Credential Stuffing and Brute-Force Attacks: Without passwords, these common attack vectors, which rely on guessing or reusing stolen credentials, are rendered useless.

    • Resilience to Data Breaches: If a service's database is breached, there are no passwords (hashed or otherwise) to steal, significantly reducing the impact of such incidents.

    • Stronger Authentication: FIDO2/WebAuthn uses public-key cryptography, which is inherently more secure than shared secrets (passwords). The private key never leaves the user's device, making it extremely difficult for attackers to compromise.

  2. Improved User Experience:

    • Faster and Easier Logins: Users no longer need to remember complex passwords, type them in, or deal with password reset processes. Authentication often involves a quick touch or glance at their device.

    • Reduced Password Fatigue: The burden of managing multiple unique and strong passwords for various accounts is removed, leading to a less frustrating experience.

    • Fewer Help Desk Tickets: A significant portion of IT help desk requests are related to forgotten or locked-out passwords. Passwordless authentication drastically reduces these incidents, freeing up IT resources.

  3. Operational Efficiency and Compliance:

    • Streamlined Security Operations: IT and security teams can enforce stronger authentication policies more easily without negatively impacting user productivity.

    • Better Compliance Posture: Adopting passwordless authentication helps organizations meet stringent security and compliance requirements by implementing modern, robust authentication mechanisms.

Duo Integrations

Hundreds of leading vendors partner with Duo to make security easy and effective for organizations of all sizes.

What are Duo Integrations?

Duo Integrations refer to the extensive capabilities of Cisco Duo to connect and work seamlessly with a wide array of applications, services, identity providers, and IT infrastructure. The core purpose of these integrations is to extend Duo's robust security features, such as multi-factor authentication (MFA), device trust, and adaptive access policies, across an organization's entire digital environment. Duo integrates with over 500 different applications and vendors, ranging from network and remote access solutions to widely used business applications. This allows organizations to protect virtually any application or system, whether it's on-premises, in the cloud, or a custom-built solution.

How do Duo Integrations work?

Duo Integrations work through various mechanisms designed to accommodate diverse IT environments and application types:

  1. Pre-built Connectors and SDKs:For popular cloud applications (like Office 365, G Suite, Salesforce) and on-premises web applications (like Splunk, Confluence, Jira), Duo provides pre-built connectors and Software Development Kits (SDKs). These allow for straightforward integration, often requiring only a few lines of code or simple configuration to add Duo's authentication to existing login pages. Duo offers client libraries for various programming languages, including Python, Ruby, Classic ASP, and Java.

  2. Identity Provider (IdP) and Single Sign-On (SSO) Integration:Duo integrates with major identity providers and federation services such as Active Directory Federation Services (ADFS), Okta, OneLogin, and Azure AD. This allows Duo to add MFA protection to the SSO process, securing access to multiple applications once a user is authenticated through their primary IdP.

  3. Authentication Proxy and Network Gateway:For legacy applications, SSH, RDP servers, and other services that may not natively support modern authentication protocols, Duo utilizes an Authentication Proxy or the Duo Network Gateway. The Authentication Proxy acts as an intermediary, handling authentication requests and communicating with Duo's cloud service for verification. The Duo Network Gateway provides secure, VPN-less remote access to on-premises web applications, SSH, and RDP servers, verifying identity and establishing device trust before granting access.

  4. APIs for Customization and Management:Duo provides various APIs (Admin, Auth, REST, Device, OIDC Auth) that allow developers to customize the 2FA user interface, manage users and devices, and integrate Duo's capabilities into custom solutions. For instance, the OIDC Auth API enables the addition of strong two-factor authentication to web applications, supporting the Duo Universal Prompt.

  5. Directory Synchronization:Duo can integrate with external IAM solutions and user directories (like Active Directory) to sync user information, simplifying user provisioning and management.

Why are Duo Integrations important?

Duo Integrations are crucial for several reasons, significantly enhancing an organization's security posture and operational efficiency:

  1. Comprehensive Security Coverage:Integrations allow organizations to apply strong MFA and adaptive access policies across a vast range of applications and systems, ensuring that virtually all access points are protected.

  2. Leveraging Existing Investments:Duo's ability to integrate seamlessly with current IT infrastructure, whether on-premises or in the cloud, means organizations can fortify their security without requiring major overhauls or disruptions to existing systems.

  3. Enabling Zero Trust Security:Integrations are fundamental to implementing a Zero Trust security model. By connecting to various applications and data sources, Duo can verify user identity and device health for every access attempt, regardless of location or network, ensuring that only trusted users on trusted devices gain access.

  4. Simplified Deployment and Management:Duo provides detailed documentation, knowledge base articles, and configuration guides to assist with integrations, making deployment easier for IT teams.

  5. Flexibility and Scalability:The wide range of integration options ensures that Duo can support diverse organizational needs and scale to protect a growing number of users, devices, and applications without requiring additional hardware or complex configurations.

  6. Improved User Experience:By integrating with SSO solutions, Duo can provide a consistent and user-friendly authentication experience across multiple applications, reducing password fatigue and encouraging security best practices.

Duo Adaptive Access Policies

Adaptive access policies empower you to manage who gets access, when, and how, without slowing anyone down.

What are Duo Adaptive Access Policies?

Duo Adaptive Access Policies are dynamic security controls that adjust authentication requirements based on contextual factors during a login attempt. They move beyond static authentication by evaluating user, device, and environmental data to determine the appropriate level of trust. These policies allow granular control, applicable globally, per application, or per user group, to ensure only authorized users access resources under specific conditions, supporting a Zero Trust model.

How do Duo Adaptive Access Policies work?

Adaptive policies function by collecting and assessing various risk signals in real-time for each login. This includes:

  • Contextual Data Collection: Gathering information about the user (role, group), device (health, OS, browser, managed status, patches, encryption), location, and network type.

  • Risk Assessment: Duo's engine evaluates these signals to determine the risk level of the access attempt.

  • Dynamic Policy Enforcement: Based on the risk, Duo dynamically enforces policies. This can mean simplifying access for high-trust scenarios, requiring stronger authentication (e.g., Verified Duo Push) for higher-risk situations, or blocking access entirely if critical security baselines are not met.

This process ensures that security measures are proportionate to the risk, without unnecessarily hindering trusted users.

Why are Duo Adaptive Access Policies important?

Duo Adaptive Access Policies are crucial for modern security due to several benefits:

  • Enhanced Security: They provide robust defense against threats like phishing and malware by continuously verifying user identity and device health, reducing the attack surface.

  • Zero Trust Alignment: They are fundamental to a Zero Trust model, ensuring continuous authentication and authorization for every access attempt.

  • Improved User Experience: By reducing friction for low-risk access and only increasing security when necessary, they balance strong security with user productivity.

  • Operational Efficiency: They automate access decisions, reducing manual intervention for IT and security teams.

  • Granular Control: Administrators gain flexible, precise control over access based on a wide range of contextual factors.

  • Compliance: They help organizations meet regulatory and compliance requirements by providing strong, context-aware access controls.

Duo Identity Threat Detection and Response (ITDR) Product

Identity threats leverage user accounts to gain access. By using AI and analytics to assess the current trust level of all identities – teams can easily prioritize action and seamlessly share relevant user identity context.

What is Duo's Identity Threat Detection and Response (ITDR)?

Duo's Identity Threat Detection and Response (ITDR) encompasses the features and functionalities within the Duo platform that are designed to identify, analyze, and act upon suspicious or malicious activities related to user identities and access attempts. It extends beyond basic authentication by continuously assessing the risk associated with each login. This includes monitoring for anomalous behavior, detecting compromised credentials, and identifying policy violations, with the ultimate objective of preventing unauthorized access and containing identity-based threats.

How does Duo's Identity Threat Detection and Response (ITDR) work?

Duo's ITDR capabilities operate by continuously collecting and analyzing data from various points within the authentication and access process. The operational flow typically involves:

  1. Data Collection: Duo gathers comprehensive data from every authentication attempt. This includes user identity, device information (via Device Trust), network context (IP address, geographic location), application being accessed, and the outcome of multi-factor authentication (MFA).

  2. Threat Detection and Analysis: This collected data is analyzed against established baselines, security policies, and known threat indicators. Duo identifies potential threats through several mechanisms:

    • Behavioral Analytics: Detecting deviations from a user's typical login patterns (e.g., login from an unusual location, at an odd time, or accessing an unfamiliar application).

    • Policy Violations: Identifying instances where a login attempt violates configured adaptive access policies (e.g., an unmanaged device attempting to access a sensitive application, or a login from a blocked country).

    • Compromised Credential Detection: Integrating with threat intelligence feeds to identify if primary credentials involved in an authentication attempt have been exposed in data breaches.

    • Device Posture Assessment: Leveraging Device Trust to identify if the device itself is compromised or non-compliant.

  3. Automated Response: Upon detecting a potential threat or policy violation, Duo can initiate automated responses, which may include:

    • Blocking Access: Immediately denying the login attempt.

    • Step-Up Authentication: Requiring a stronger MFA method or re-authentication.

    • User Notification: Alerting the user to a suspicious login.

    • Administrator Notification: Sending alerts to security teams for investigation.

    • Risk Scoring: Assigning a risk score to the login attempt, which can then be used by other security systems.

  4. Reporting and Forensics: Duo provides detailed logs and reports of all authentication events, including those flagged as suspicious, allowing security teams to investigate incidents, understand attack patterns, and refine policies.

Why is Duo Identity Threat Detection and Response (ITDR) important?

Duo's ITDR capabilities provide a critical layer of defense against sophisticated identity-based attacks, which are a primary vector for data breaches.

  1. Proactive Threat Mitigation: It moves beyond reactive security by actively detecting and responding to threats in real-time during the authentication process. This prevents unauthorized access before it can lead to a breach.

  2. Protection Against Identity Compromise: ITDR capabilities are specifically designed to combat attacks like phishing, credential stuffing, and account takeover, where legitimate credentials might be used maliciously. By analyzing context and behavior, it can identify and block these attempts.

  3. Reduces Breach Impact: By quickly identifying and responding to suspicious activity, ITDR minimizes the window of opportunity for attackers, thereby reducing the potential impact and cost of a security incident.

  4. Enhances Adaptive Security: It leverages the contextual data collected during authentication (user, device, location, application) to make intelligent, risk-based access decisions, aligning with modern adaptive security and Zero Trust principles.

  5. Improves Security Operations: ITDR provides security teams with actionable intelligence and automated responses, reducing manual effort in threat hunting and incident response, and allowing them to focus on higher-level strategic security initiatives.

Duo Identity Security Posture Management (ISPM)

Understanding the identity perimeter is the first step in defending it. Identity Security Posture Management (ISPM) is the practice of gaining visibility into identity to proactively protect it.

What is Duo's Identity Security Posture Management (ISPM)?

Duo's Identity Security Posture Management (ISPM) is a set of functionalities within the Duo platform designed to provide administrators with a comprehensive view of their identity security landscape. It involves continuous assessment of configurations, policies, and user behaviors within the Duo environment to identify weaknesses, non-compliance, and areas for improvement. ISPM aims to help organizations maintain a strong and resilient identity security posture by ensuring that authentication policies are robust, user enrollment is complete, and device trust mechanisms are effectively deployed.

How does Duo's Identity Security Posture Management (ISPM) work?

Duo's ISPM operates by continuously analyzing data and configurations within the Duo administration console and across the integrated identity ecosystem. The typical workflow includes:

  1. Configuration Assessment: Duo ISPM systematically reviews the organization's Duo configurations. This includes:

    • Policy Review: Checking the strength and coverage of multi-factor authentication (MFA) policies, adaptive access policies, and authentication methods.

    • Application Coverage: Identifying which applications are protected by Duo and which might be exposed.

    • Integration Health: Assessing the status and security of integrations with directories (e.g., Active Directory, Azure AD) and other identity providers.

  2. User and Device Analysis: It analyzes the state of user identities and enrolled devices:

    • MFA Enrollment Status: Identifying users who have not yet enrolled in MFA or who have not activated their second factor.

    • Device Trust Adoption: Monitoring the percentage of devices meeting device trust requirements and identifying non-compliant devices.

    • Authentication Method Usage: Reviewing the types of MFA methods being used (e.g., push notifications, SMS, hardware tokens) to identify less secure options.

  3. Vulnerability Identification: Based on the assessments, Duo ISPM identifies potential vulnerabilities or misconfigurations. Examples include:

    • Weak or permissive access policies.

    • Gaps in MFA coverage for critical applications or user groups.

    • Outdated or insecure authentication methods being permitted.

    • Unmanaged or non-compliant devices accessing sensitive resources.

  4. Reporting and Recommendations: The system generates reports and provides actionable recommendations to administrators. These recommendations are designed to guide administrators in strengthening their identity security posture, such as:

    • Suggesting policy adjustments to enforce stronger MFA.

    • Highlighting users or groups that require MFA enrollment.

    • Recommending updates to device trust policies.

    • Providing insights into overall security health and compliance against best practices.

  5. Continuous Monitoring: ISPM is an ongoing process, providing continuous monitoring and updates as configurations change or new threats emerge, allowing organizations to adapt and maintain their security posture over time.

Why is Duo's Identity Security Posture Management (ISPM) important?

Duo's ISPM capabilities enable organizations to maintain a robust and resilient defense against identity-based attacks by proactively managing their security configurations and controls.

  1. Proactive Risk Reduction: It shifts security from a reactive to a proactive stance by continuously identifying and addressing potential vulnerabilities in identity and access controls before they can be exploited by attackers.

  2. Ensures Policy Effectiveness: ISPM helps verify that implemented security policies are actually effective and cover the intended scope, preventing gaps that could lead to unauthorized access.

  3. Aids Compliance and Audits: By providing clear visibility into the state of identity security controls and offering recommendations for improvement, it assists organizations in meeting regulatory compliance requirements and simplifies audit processes.

  4. Optimizes Security Investments: It helps administrators understand where their identity security is strong and where it needs improvement, allowing them to optimize their security investments and focus resources on the most critical areas.

  5. Strengthens Overall Security Posture: By continuously assessing and improving the security hygiene of identities, authentication, and devices, ISPM contributes to a stronger overall security posture, reducing the likelihood and impact of identity-related breaches.

Duo solutions

Duo Security-First Identity and Access Management (IAM)

Duo's Security-First IAM integrates robust security directly into identity and access management processes, ensuring trust in every access attempt.

What is Duo's Security-First IAM solution?

Duo's Security-First IAM solution is built on the principle of verifying user identity and device trust before granting access to any application. It combines strong MFA with device trust capabilities, allowing organizations to enforce adaptive access policies. This means that access decisions are not just based on who a user is, but also on the security posture of the device they are using and the context of their access attempt. Duo's solution provides a unified platform to store identities and manage access across cloud and on-premises applications, ensuring that security is an inherent part of the access workflow.

Why is Duo's Security-First IAM important?

Duo's Security-First IAM provides a foundational layer of security that proactively mitigates risks associated with compromised credentials and unauthorized access. By integrating MFA and device trust into every login, Duo ensures that only verified users on trusted devices can access sensitive resources. This approach significantly reduces the attack surface, helps enforce a least-privilege model, and provides organizations with the visibility and control needed to establish a resilient security posture. It simplifies secure access for users while providing administrators with powerful tools to define and enforce security policies across their entire IT environment.

Duo End-to-End Phishing Resistance

Duo's End-to-End Phishing Resistance fortifies user authentication against sophisticated phishing attacks across the entire access journey.

What is Duo's End-to-End Phishing Resistance solution?

Duo's End-to-End Phishing Resistance solution focuses on deploying authentication methods that are inherently resistant to common phishing techniques, such as credential harvesting and man-in-the-middle attacks. A core component of this solution is Duo Proximity Verification, which protects against remote phishing attempts by verifying physical proximity using Bluetooth Low Energy (BLE, enabling a hardware-free alternative to phishing-resistant MFA. Duo also supports phishing-resistant authenticators, particularly those based on the FIDO (Fast Identity Online) standard, such as security keys. These authenticators use cryptographic methods to verify the legitimacy of the website or service, ensuring that even if a user is tricked into visiting a malicious site, their credentials cannot be used by an attacker to gain unauthorized access. Duo also provides features like Verified Push, which adds context to push notifications to help users identify legitimate requests.

Why is Duo's End-to-End Phishing Resistance important?

Duo's End-to-End Phishing Resistance is important because phishing remains a primary vector for breaches, often circumventing less robust MFA solutions. By offering and promoting the use of phishing-resistant MFA methods, Duo helps organizations protect against the most advanced credential theft attempts. This significantly reduces the risk of account takeovers, which can lead to data breaches, financial loss, and reputational damage. It ensures a higher level of assurance for user identities, making it extremely difficult for attackers to impersonate legitimate users even if they manage to trick them into revealing information.

Duo Zero Trust Security solution

Duo's Zero Trust Security operates on the principle of "never trust, always verify," requiring strict identity verification for every person and device trying to access resources.

What is Duo's Zero Trust Security solution?

Duo's Zero Trust Security solution provides the essential building blocks for implementing a Zero Trust architecture. It enforces the "never trust, always verify" principle by requiring strong multi-factor authentication for every access attempt, regardless of network location. Beyond user identity, Duo also assesses the security posture of the device being used through device trust capabilities, checking for factors like up-to-date operating systems, enabled firewalls, and encryption. Based on these verifications, Duo then applies adaptive access policies to grant or deny access, or to prompt for further authentication, ensuring that only trusted users on trusted devices can access resources.

Why is Duo's Zero Trust Security important?

Duo's Zero Trust Security is important because it fundamentally shifts an organization's security posture from perimeter-based defense to an identity- and device-centric model, which is critical in protecting against modern threats like ransomware, insider threats, and sophisticated phishing attacks. By verifying every user and every device for every access attempt, Duo minimizes the attack surface and prevents lateral movement within the network, even if an initial compromise occurs. It ensures that trust is never implicitly granted, providing continuous verification and adaptive access controls that are essential for building a resilient and secure environment in a world without a defined network perimeter.

Duo Compliance Solutions

Duo's Compliance Solutions help organizations meet regulatory requirements and internal security policies related to access control and data protection.

What are Duo's Compliance Solutions?

Duo's compliance solutions provide the tools and capabilities necessary for organizations to meet various industry and governmental compliance mandates, such as HIPAA, GDPR, PCI DSS, NIST, and CMMC. The solution offers strong multi-factor authentication, granular access policies based on user and device trust, and comprehensive audit logging and reporting features. These capabilities allow organizations to demonstrate that they have implemented robust controls to protect sensitive data and systems, ensure proper user authentication, and maintain detailed records of access events, which are often required for regulatory audits.

Why are Duo's Compliance Solutions important?

Duo's compliance solutions simplify the complex task of achieving and maintaining regulatory compliance. By providing a centralized platform for enforcing secure access policies, Duo helps organizations avoid the significant penalties and reputational damage associated with non-compliance. The detailed audit trails and reporting features offer the necessary evidence to auditors, proving that access controls are robust, consistently applied, and meet specific regulatory requirements. This not only helps in passing audits but also strengthens the overall security posture, protecting sensitive information from unauthorized access.

Duo Access Management solution

Duo's Access Management defines and enforces who can access what resources, under what conditions, and from which devices.

What is Duo's Access Management solution?

Duo's Access Management solution is a cloud-based platform that secures access to all applications—cloud, on-premises, and legacy—for all users and devices. It goes beyond traditional authentication by integrating multi-factor authentication (MFA) with device trust and adaptive access policies. This allows administrators to define policies that consider not just the user's identity, but also the security health of their device, their location, and the application they are trying to access. Duo provides a seamless and secure login experience for users while giving organizations granular control over who can access what, and under what circumstances.

Why is Duo's Access Management important?

Duo's Access Management provides a flexible and powerful way to secure access in today's hybrid and multi-cloud environments. It ensures that every access attempt is verified for both user identity and device trustworthiness, significantly reducing the risk of unauthorized access and data breaches. By centralizing access policies and providing a consistent security layer across all applications, Duo simplifies administration, improves user experience, and strengthens the overall security posture. This adaptive approach allows organizations to implement fine-grained access controls, ensuring that users only get access to what they need, only when they need it, and only from trusted devices.

Duo editions and pricing

There are four Duo editions (product packages), including a free edition for 1-10 users.

Duo user licenses are acquired in increments of 10 users. For organizations with up to 2,500 users, subscriptions can be purchased directly via credit card through the Duo Dashboard. The purchasing process typically begins with a 30-day free trial, allowing organizations to experience Duo's capabilities firsthand, after which they can seamlessly transition to a paid subscription using a credit card. Larger organizations or those with specific requirements should contact Duo sales for purchasing details.

Duo is also available through Managed Security Provider (MSP) partners.

Duo Free product edition

This edition provides essential multi-factor authentication for very small teams. Free for up to 10 users.

What product capabilities are included in Duo Free?

Duo Free includes core multi-factor authentication (MFA) capabilities, allowing users to secure logins with methods like Duo Push and SMS passcodes. It offers basic administrative features for user management and integration with a wide range of applications and services.

Who is Duo Free best for?

Duo Free is ideal for very small businesses, startups, or individual teams of up to 10 users who need to implement strong MFA to protect their applications and data without incurring a cost. It's a great starting point for organizations looking to enhance their security posture with minimal overhead.

What are the benefits of Duo Free?

The primary benefit is the ability to deploy robust multi-factor authentication at no cost for up to 10 users, significantly improving login security. It's easy to set up and manage, providing a foundational layer of defense against credential theft for critical applications.

Duo Essentials product edition

Duo Essentials is an all-in-one IAM solution that expands on the Free edition, offering Phishing-resistant MFA and seamless authentication for growing organizations. $3 per user per month.

What product capabilities are included in Duo Essentials?

Duo Essentials provides foundational security-first IAM capabilities. Key features include:

  • Duo Directory

  • Phishing-resistant MFA

  • Duo Single Sign-On (SSO)

  • Complete Passwordless

  • AI Assistant

  • Trusted Endpoints

  • Adaptive Access Policies

  • Device Health

Who is Duo Essentials best for?

Duo Essentials is best suited for small to medium-sized businesses (SMBs) that need to secure access for more than 10 users and require more control over access policies and basic visibility into user devices. It's for organizations looking to scale their MFA deployment and implement foundational access controls.

What are the benefits of Duo Essentials?

Benefits include scalable MFA for an unlimited number of users, enhanced security through basic access policies, and improved visibility into the devices accessing resources. The inclusion of SSO simplifies access to cloud applications while maintaining strong security.

Duo Advantage product edition

Duo Advantage builds upon Essentials and is best for dynamic threat detection, oversight and authentication. $6 per user per month.

What product capabilities are included in Duo Advantage?

Duo Advantage includes all the capabilities of Duo Essentials, plus advanced features for continuous identity security, threat response, and dynamic risk-based access. These additions include:

  • Cisco Identity Intelligence

  • Identity Security Posture Management (ISPM)

  • Identity Threat Detection and Response (ITDR)

  • User Trust Score

  • Risk-Based Authentication

  • Endpoint Protection Check

  • Enhanced Visibility and Reporting

Who is Duo Advantage best for?

Duo Advantage is designed for mid-sized to large organizations that require more sophisticated control over user access, need to enforce device health standards, and aim to reduce risk from compromised devices and networks. It's suitable for businesses with evolving security needs and a desire for a stronger security posture.

What are the benefits of Duo Advantage?

Key benefits include significantly enhanced security through adaptive policies that respond to risk factors, reduced attack surface by ensuring device trust, and improved compliance capabilities. The advanced administrative controls and reporting provide better insights into security events and user behavior.

Duo Premier product edition

Duo Premier offers the most comprehensive security for complete Zero Trust access, including advanced device visibility, endpoint remediation, and passwordless authentication. $9 per user per month.

What product capabilities are included in Duo Premier?

Duo Premier includes all the capabilities of Duo Essentials and Duo Advantage, plus advanced features for complete zero-trust access and VPN-less remote access. These additions include:

  • Duo Network Gateway

  • Duo Passport

  • Session Theft Protection

Who is Duo Premier best for?

Duo Premier suits organizations requiring maximum IAM security and flexibility. It offers complete zero-trust access for all applications and secure, VPN-less remote access to private resources (on-prem, multi-cloud), while protecting against session theft.

What are the benefits of Duo Premier?

The benefits are extensive, including the most comprehensive security solution available from Duo, proactive risk reduction through endpoint remediation, and a simplified yet highly secure user experience with cookie-less and passwordless options. It provides unparalleled visibility, control, and compliance reporting, making it ideal for organizations aiming for a zero-trust security model for securing remote access.

Duo use cases and customer success stories

Learn about real-world use cases and success stories from some of Duo's customers. Explore more customer case studies here.

Black Hat: IAM, Duo Directory, MFA, SSO

Black Hat, an international cybersecurity event series, transitioned from a problematic on-premises identity solution to Cisco Duo Directory as its primary Identity Provider (IdP). Their previous system was unreliable, difficult to manage with constant user turnover, and required significant manual effort, impacting both security and user experience.

By implementing Duo Directory alongside Duo MFA and SSO, Black Hat achieved a more secure and efficient identity and access management framework. The new solution streamlined user enrollment and management, reduced the time required for IdP setup from hours to minutes, and provided enhanced control over user permissions and system changes. This move not only improved the user experience but also strengthened Black Hat's overall security posture, integrating seamlessly with other security tools. Read the full Black Hat customer story.

University of Sunderland: Zero Trust, MFA, and SSO

The University of Sunderland adopted Duo as a comprehensive zero trust security platform to support its cloud-first strategy and secure a diverse user base across multiple campuses. The university sought a solution that would be easy for faculty, staff, and students to use, while also strengthening its security posture during a five-year cloud migration.

Duo enabled the university to verify user identities, ensure trusted device access, and control information access effectively. This led to a significant reduction in the impact of cyber-attacks, such as phishing, and improved user productivity. With high adoption of Duo Push for authentication and successful deployment of Duo SSO for cloud applications, the university experienced fewer help desk tickets and a more streamlined, secure environment. Read the full University of Sunderland customer story.

Methodist Health System: Compliance, speed, and ease of use

Methodist Health System (MHS) implemented Duo to comply with HIPAA and Electronic Prescriptions for Controlled Substances (EPCS) guidelines, while also modernizing its prescription processing. The organization needed a user-friendly solution that could meet stringent regulatory requirements, consolidate existing security tools, and ensure secure, accessible connectivity for its widespread network.

Duo's integration with Epic Systems and its certified compliance for EPCS two-factor authentication provided MHS with an effective solution. Users found Duo Push authentication convenient and easy, which was crucial for maintaining caregiver workflow efficiency. The adoption of Duo also helped MHS reduce the burden on its IT team, streamline security management, and improve secure remote access for administrative staff, leading to anticipated reductions in operating costs and helpdesk volumes. Read the full Methodist Health System customer story.

Inductive Automation: IAM, MFA, and SSO

Inductive Automation leveraged Duo to strengthen its identity security program, addressing an expanding cyberattack surface driven by SaaS adoption and workforce growth. The company sought to enhance device trust, streamline Identity and Access Management (IAM), and build robust phishing resistance, particularly as its traditional Active Directory solution proved inadequate for a distributed workforce.

By implementing Duo MFA and SSO, and later migrating to Duo Directory, Inductive Automation consolidated identity management and simplified secure access for both employees and contractors. The company further enhanced its security posture with Duo's Trusted Endpoints, Device Trust, and Device Health features, ensuring only healthy devices connect. Duo's phishing-resistant MFA, including proximity verification, provided advanced protection against identity attacks, while its unified identity intelligence offered comprehensive visibility, making Duo a critical and trusted partner in their security evolution. Read the full Inductive Automation customer story.

Ready to secure your organization?

Experience for yourself why Duo is one of the most trusted access management tools. Try it for free, explore editions, and connect with security experts.

Start your free trial

See why Duo is the leader in identity security.

Compare editions

Find out which edition is right for your organization.

Contact sales

Connect with our sales team and learn more.