Operations //

Identity & Access Management

05:39 PM
Dark Reading
Dark Reading
Products and Releases

Yubico and Duo Security Accelerate Federal Cybersecurity Modernization and Smart Card Replacement

Revisions to federal cybersecurity requirements open door for transition to modern and more effective methods to secure government data

PALO ALTO, Calif., and ANN ARBOR, Mich., - March 28, 2018 - Cybersecurity leaders Yubico and Duo Security today announced a joint solution that allows government agencies and contractors to accelerate their IT modernization efforts while complying with the most stringent level of federal digital identity and authentication requirements, without added cost and complexity.

Yubico’s YubiKey hardware authentication device, recognized as the gold standard in login protection, combined with Duo’s cloud-based software, provides strong two-factor authentication (2FA) so federal employees and contractors can securely access agency data and applications on a traditional network or in the cloud. Duo’s industry standard methodology allows federal security officers to quickly add strong cryptographic authenticators, such as YubiKey, to applications that were previously difficult for the government to secure due to internal development requirements or third-party ownership.

“Strong user authentication is one of the primary areas federal agencies need to address as they look to modernize their security infrastructure to fit an increasingly cloud and mobile-first world," said Kiersten Todt, Managing Partner at Liberty Group Ventures and former Executive Director of the Presidential Commission on Enhancing National Cybersecurity. “Private sector firms who were built with this new infrastructure in mind will be key partners for the government in expediting this modernization process.”

To secure access to critical information, federal law requires government agencies and contractors who process, store and transmit data to implement strong authentication controls as outlined in the National Institute of Standards and Technology (NIST)’s Digital Identity Guidelines (SP-800-63-3). The rigor of security measures required is segmented into three Authenticator Assurance Levels (AAL 1 - AAL 3), determined by the sensitivity of the information. Duo and Yubico help federal agencies comply with all three levels using one unified security platform.

The upcoming, YubiKey-FIPS device supports FIDO U2F, smart card (PIV compatible), Yubico OTP, OpenPGP, OATH-TOTP, and OATH-HOTP protocols, and will be the first multi-protocol hardware authenticator certified at FIPS 140-2 Overall Level 2 and Physical Level 3 to meet AAL 3.

“With reliable hardware-backed protection at the touch of a button, using two-factor authentication with Duo and YubiKey is remarkably easy and four times faster than typing codes or using an access card to log in,” said Jerrod Chong, Senior Vice President of Product at Yubico. “The YubiKey is the trusted secure authentication choice for the largest internet, finance, and retail companies in the world. With FIPS certification on the horizon, introducing the multi-protocol YubiKey into the federal space is a natural progression for this technology.”

Previously, federal agencies were required to secure their most critical data with cumbersome and expensive personal identity verification (PIV) or common access (CAC) cards, which couldn’t be implemented across all resources. Recently revised NIST guidelines allow federal employees and contractors to use biometric identity authentication on a trusted device, as well as the use of a validated hardware token like the YubiKey for replacement of a CAC or PIV card.

“The days of requiring federal employees and contractors to use clumsy smart cards to access critical government data are numbered,” said Sean Frazier, Duo Advisory Chief Information Security Officer, Federal. “In a sector that has been pushing to catch up to other industries in terms of cloud and mobile, the new guidelines are a welcome change for every federal CISO who’s looking to modernize their IT environment.”

At half the cost of similar products, Duo has no complex software configurations nor manual setup, allowing 75 percent of organizations who use Duo to get up and running in less than a week.

“The private and public sectors are beginning to solve their security problems in the same way,” said Frazier. “IT modernization is about using off-the-shelf technologies and services to give agencies the ability to be more agile in deploying and managing their environment and get better security in the bargain. Leveraging existing, strong, ‘good enough for commercial market’ technology is what the government’s journey to IT modernization is all about.”

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-08-14
An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera G5 firmware 1.87.00. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability...
PUBLISHED: 2018-08-14
An exploitable stack-based buffer overflow vulnerability exists in the 802dot1xclientcert.cgi functionality of Sony IPELA E Series Camera G5 firmware 1.87.00. A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST r...
PUBLISHED: 2018-08-14
In Eclipse Vert.x version 3.0 to 3.5.1, the HttpServer response headers and HttpClient request headers do not filter carriage return and line feed characters from the header value. This allow unfiltered values to inject a new header in the client request or server response.
PUBLISHED: 2018-08-14
In Eclipse OpenJ9 version 0.8, users other than the process owner may be able to use Java Attach API to connect to an Eclipse OpenJ9 or IBM JVM on the same machine and use Attach API operations, which includes the ability to execute untrusted native code. Attach API is enabled by default on Windows,...
PUBLISHED: 2018-08-14
Systems with microprocessors utilizing speculative execution and Intel software guard extensions (Intel SGX) may allow unauthorized disclosure of information residing in the L1 data cache from an enclave to an attacker with local user access via a side-channel analysis.