3/28/2018
05:39 PM
Dark Reading
Products and Releases
Yubico and Duo Security Accelerate Federal Cybersecurity Modernization and Smart Card Replacement

Revisions to federal cybersecurity requirements open door for transition to modern and more effective methods to secure government data

PALO ALTO, Calif., and ANN ARBOR, Mich., - March 28, 2018 - Cybersecurity leaders Yubico and Duo Security today announced a joint solution that allows government agencies and contractors to accelerate their IT modernization efforts while complying with the most stringent level of federal digital identity and authentication requirements, without added cost and complexity.

Yubico’s YubiKey hardware authentication device, recognized as the gold standard in login protection, combined with Duo’s cloud-based software, provides strong two-factor authentication (2FA) so federal employees and contractors can securely access agency data and applications on a traditional network or in the cloud. Duo’s industry-standard methodology allows federal security officers to quickly add strong cryptographic authenticators, such as YubiKey, to applications that were previously difficult for the government to secure due to internal development requirements or third-party ownership.

“Strong user authentication is one of the primary areas federal agencies need to address as they look to modernize their security infrastructure to fit an increasingly cloud and mobile-first world,” said Kiersten Todt, Managing Partner at Liberty Group Ventures and former Executive Director of the Presidential Commission on Enhancing National Cybersecurity. “Private sector firms who were built with this new infrastructure in mind will be key partners for the government in expediting this modernization process.”

To secure access to critical information, federal law requires government agencies and contractors who process, store and transmit data to implement strong authentication controls as outlined in the National Institute of Standards and Technology (NIST)’s Digital Identity Guidelines (SP-800-63-3). The rigor of security measures required is segmented into three Authenticator Assurance Levels (AAL 1 - AAL 3), determined by the sensitivity of the information. Duo and Yubico help federal agencies comply with all three levels using one unified security platform.

The upcoming YubiKey-FIPS device supports FIDO U2F, smart card (PIV compatible), Yubico OTP, OpenPGP, OATH-TOTP, and OATH-HOTP protocols, and will be the first multi-protocol hardware authenticator certified at FIPS 140-2 Overall Level 2 and Physical Level 3 to meet AAL 3.

“With reliable hardware-backed protection at the touch of a button, using two-factor authentication with Duo and YubiKey is remarkably easy and four times faster than typing codes or using an access card to log in,” said Jerrod Chong, Senior Vice President of Product at Yubico. “The YubiKey is the trusted secure authentication choice for the largest internet, finance, and retail companies in the world. With FIPS certification on the horizon, introducing the multi-protocol YubiKey into the federal space is a natural progression for this technology.”

Previously, federal agencies were required to secure their most critical data with cumbersome and expensive personal identity verification (PIV) or common access (CAC) cards, which couldn’t be implemented across all resources. Recently revised NIST guidelines allow federal employees and contractors to use biometric identity authentication on a trusted device, as well as the use of a validated hardware token like the YubiKey for replacement of a CAC or PIV card.

“The days of requiring federal employees and contractors to use clumsy smart cards to access critical government data are numbered,” said Sean Frazier, Duo Advisory Chief Information Security Officer, Federal. “In a sector that has been pushing to catch up to other industries in terms of cloud and mobile, the new guidelines are a welcome change for every federal CISO who’s looking to modernize their IT environment.”

At half the cost of similar products, Duo has no complex software configurations or manual setup, allowing 75 percent of organizations that use Duo to get up and running in less than a week.

“The private and public sectors are beginning to solve their security problems in the same way,” said Frazier. “IT modernization is about using off-the-shelf technologies and services to give agencies the ability to be more agile in deploying and managing their environment and get better security in the bargain. Leveraging existing, strong, ‘good enough for commercial market’ technology is what the government’s journey to IT modernization is all about.”
