
How to Implement 2FA Security in Your Organization Using Duo Security, Part 2

In a recent blog post I spoke about the need to find another way of achieving 2-Factor Authentication now that SMS as an authenticator has been deprecated by the National Institute of Standards and Technology (NIST).

In this post I’m going to offer some guidance, based on my experience at Threat Stack, on how you can implement Duo Security as an easy and effective way of providing the second factor in a 2FA scheme throughout your organization. Along the way, I’ll point out some of the key factors and best practices you should take into account to make sure your setup is usable, driven by strategy (i.e., you’re not setting up a feature just because you can), and addresses the actual security needs of your particular company.

Here are some of the topics we’ll cover:

  • Signing up for a Duo Account for your organization
  • Creating & Enrolling Your First Users
  • Securing a service with Duo 2FA in Your Environment
  • Configuring Your Linux/UNIX Environment
  • Investigating Other Configuration Options

Note: This is the second in a three-part series on 2FA.

Signing up for the Duo Service

When you sign up for the Duo Service, you are creating an account for your organization.

The more thought you bring to setting up Duo, the better the results you’ll get. And therefore, instead of just letting you work through the installation wizard on your own (even though it’s very easy to follow), I’m going to give some guidance on setting up your environment and completing the minimum required configuration.

Let’s get started. As I said, the process is fully self-service, and the first step is as easy as entering or selecting data on the following page and clicking Create My Account:

[Image: Create Duo Account page]

Enrolling New Users

Once you’ve created your organization’s Duo Account, you need to enroll the first user. Start by enrolling yourself.

Note that the Duo Account you set up here is not the same as the Duo User account that you will use to access your infrastructure as an end user. This is an administrative account that lets you add users, configure accounts, secure services, change settings, etc.

  1. Go to Users (see below), where you can enroll a single New User or Bulk Enroll Users using a variety of means, ranging from Active Directory sync to a basic CSV import.
  2. To begin adding a single user, click New User. On the screen that appears (see below), enter the person’s Username, and click Add User. (Note: Duo matches logins to users by username, so if you’re not using a centralized user management service across your systems, you may end up having to enter multiple usernames for a single person.)
  3. After entering the user’s basic information, you can add their phone number (or register a hardware token if this is what your company uses). If you don’t have a hardware token to register, just click Save Changes.

After you click Send Enrollment Email, the user will receive an email (see below) that provides a link to Duo’s self-enrollment portal. You can customize the Enrollment Email to provide branding, instructions, and other detail that’s appropriate for your organization. On receiving the email, the end user can then register their own mobile device.


Securing a Service With Duo 2FA in Your Environment

Once you’ve created your organization’s Duo Account and started to enroll users, it’s time to start enabling 2FA in your environment. Duo provides integrations for a wide array of services. The following list isn’t exhaustive, but the services include:

  • VPN Services
    • Cisco
    • Juniper
    • OpenVPN
  • Identity providers
    • Okta
    • OneLogin
  • GitHub Enterprise
  • Google Apps
  • Confluence
  • Jira
  • WordPress
  • Drupal
  • Slack

Configuring Your Linux/UNIX Environment

Note: The following procedure might not be applicable to your organization. I’ve included it simply to demonstrate how easy it is to configure Duo.

Start by configuring your Linux/UNIX environment. Duo Security provides a Puppet module, and third-party work is available for Chef and Ansible. These will drastically speed the process of getting Duo configured and working:


  1. Start the configuration by navigating to Applications and then clicking Protect an Application.
  2. This takes you to a page that lists the available Duo integrations. Look for UNIX Application, and click Protect this Application.
  3. You are then taken to a page that shows all the information you need to start configuring your Linux hosts to use Duo.
  4. From the UNIX Application screen (see below), take note of the Integration key, the Secret key, and the API hostname values. You will need them in the different configuration management modules; these three values are the minimum required configuration. Treat the Secret key as a credential: anyone holding it can act as your integration against the Duo API, so keep it out of version control and restrict read access to whatever file ends up holding it.

[Image: UNIX Application screen]

Take time later to investigate the policy configuration you can put in place to restrict the way your users access your hosts. Do this after assessing the risks and the impact on users. Don’t implement precautions that unnecessarily get in the way of users trying to do their job. Yes, they have to follow what you put in place, but weigh security needs against the way people work in order to get user buy-in. This will go a long way toward promoting a positive working relationship.

Investigating Other Configuration Options

Now that you’ve set up the minimum configuration, take time to investigate other configuration options. The biggest choice you might want to consider is the authentication style: UNIX login program or PAM module.

UNIX Login Program Style

The UNIX login program style leaves sshd’s own authentication in place and adds a ForceCommand directive to the host’s /etc/ssh/sshd_config so that login_duo runs on every login. A user authenticates via the currently configured method (e.g., SSH keys or password), and once that succeeds, sshd executes login_duo as the second authentication step. login_duo communicates with the Duo service, and once the user successfully authenticates with Duo, they are handed their shell.

PAM Authentication Module

The alternative is the PAM authentication module. This changes /etc/ssh/sshd_config so that sshd hands authentication to the host’s PAM stack (UsePAM with challenge-response authentication enabled). In the PAM configuration, pam_unix is then changed from, say, a required or sufficient module to a requisite module, one that must return success before the authentication chain continues on to pam_duo; a wrong password therefore fails immediately and never reaches Duo.

Choose the configuration option that makes the most sense for you. If you’re only worried about SSH logins, then the login program style is sufficient. If you want Duo to cover other PAM-aware entry points on the host as well, such as sudo, su, or console logins, then the PAM style is probably your best choice.
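To make step 4 above and the two authentication styles concrete, here is an added example of what the minimum configuration looks like on a host. It is not code from the original post and not Duo’s own tooling; the script name (duo-setup.sh), the DUO_IKEY/DUO_SKEY/DUO_HOST environment variables, the PREFIX dry-run directory, the sshd.duo-auth fragment file, and the Debian/Ubuntu PAM layout are all assumptions made for the example. The file paths and directives are the documented duo_unix defaults, and the key values are constructed placeholders.

```bash
#!/bin/bash
# Added example; not from the original post and not Duo's own tooling.
# Writes the minimum Duo Unix configuration for either authentication style
# under $PREFIX (default "/"; use PREFIX=/tmp/scratch for a dry run) and
# sanity-checks it before sshd is restarted. Paths and directives are
# duo_unix's documented defaults; the Debian/Ubuntu PAM layout is an assumption.
set -eu
PREFIX="${PREFIX:-/}"

# /etc/duo/<name>.conf: Integration key, Secret key and API hostname from the
# UNIX Application page. The secret is a credential, so the file is created
# 0600 (umask in a subshell) and re-chmodded in case it already existed.
write_duo_conf() {                 # $1 file name  $2 ikey  $3 skey  $4 host
  local f="$PREFIX/etc/duo/$1"
  mkdir -p "$PREFIX/etc/duo"
  ( umask 077
    cat > "$f" <<EOF
[duo]
ikey = $2
skey = $3
host = $4
; secure: deny logins when Duo is unreachable; safe (the default): allow them.
failmode = secure
; Put the command and host into the Duo Push prompt so users see what they approve.
pushinfo = yes
EOF
  )
  chmod 600 "$f"
  echo "$f"
}

# Login program style: sshd keeps its own first factor (key or password) and
# ForceCommand runs login_duo before the shell. Tunnels and port forwarding are
# disabled because they would otherwise be usable before the second factor.
write_sshd_login_duo() {
  mkdir -p "$PREFIX/etc/ssh"
  cat >> "$PREFIX/etc/ssh/sshd_config" <<'EOF'
# Duo login_duo as the second factor
ForceCommand /usr/sbin/login_duo
PermitTunnel no
AllowTcpForwarding no
EOF
}

# PAM style: sshd hands authentication to PAM. pam_unix becomes requisite (a bad
# password stops the stack at once), then pam_duo runs. The auth stack is written
# beside /etc/pam.d/sshd, not over it: the real file also has account/session
# lines that must be kept.
write_sshd_pam_duo() {
  mkdir -p "$PREFIX/etc/ssh" "$PREFIX/etc/pam.d"
  cat >> "$PREFIX/etc/ssh/sshd_config" <<'EOF'
# Duo pam_duo as the second factor
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
EOF
  cat > "$PREFIX/etc/pam.d/sshd.duo-auth" <<'EOF'
# Replace the "auth" lines (or "@include common-auth") in /etc/pam.d/sshd with:
auth  requisite                   pam_unix.so nullok_secure
auth  [success=1 default=ignore]  pam_duo.so
auth  requisite                   pam_deny.so
auth  required                    pam_permit.so
EOF
}

# Pre-restart checks: ikey/skey/host all set, no "XXXX" placeholder copied from
# the Duo UI, and the secret not readable by other users. Returns 0 on pass.
check_duo_conf() {                 # $1 path to login_duo.conf or pam_duo.conf
  local f="$1" k mode
  [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
  for k in ikey skey host; do
    grep -Eq "^[[:space:]]*$k[[:space:]]*=[[:space:]]*[^[:space:]]" "$f" \
      || { echo "$f: $k is not set" >&2; return 1; }
  done
  if grep -Eq '^[[:space:]]*(ikey|skey|host)[[:space:]]*=.*XXXX' "$f"; then
    echo "$f: placeholder value still present" >&2; return 1
  fi
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$f: mode $mode exposes the secret key (want 600)" >&2; return 1 ;;
  esac
}

# Usage: DUO_IKEY=... DUO_SKEY=... DUO_HOST=... [PREFIX=dir] ./duo-setup.sh login|pam
case "${1:-}" in
  login) write_duo_conf login_duo.conf "$DUO_IKEY" "$DUO_SKEY" "$DUO_HOST"
         write_sshd_login_duo
         check_duo_conf "$PREFIX/etc/duo/login_duo.conf" ;;
  pam)   write_duo_conf pam_duo.conf "$DUO_IKEY" "$DUO_SKEY" "$DUO_HOST"
         write_sshd_pam_duo
         check_duo_conf "$PREFIX/etc/duo/pam_duo.conf" ;;
  *)     echo "usage: DUO_IKEY=.. DUO_SKEY=.. DUO_HOST=.. [PREFIX=dir] $0 login|pam" >&2 ;;
esac
```

Run it first with PREFIX pointing at a scratch directory and inspect what it writes; the check deliberately fails on the XXXX placeholders the Duo UI shows and on a configuration file that other users can read, which are the two mistakes most often made when the keys are copied by hand. On the real host, validate sshd_config with `sshd -t` before restarting, and keep an existing SSH session open while you test the first Duo-protected login so a mistake does not lock you out.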

Conclusion

At this point you have configured Duo 2FA and made it usable in your environment. In addition, if you configured your Linux environment, your Linux hosts have a higher degree of security than they did before.

Once you and your end users are comfortable using Duo, you can begin to evaluate the other areas of your environment where Duo 2FA would be useful. While a high degree of integration is available, resist the temptation to enable an integration just for the sake of enabling it. A best practice: Only enable integration with other services when you’ve identified a strategic need for the increased security.