Facebook's Security Philosophy, and how Duo helps.



How Duo Factors in to Facebook's Information Security Philosophy

The Challenge:

Facebook manages personal data for 1.19 billion active users [1] across its platform, so the integrity of the personal data entrusted to it is integral to the overall success of the company.

"Facebook is a very fast-paced environment and we needed technologies that would allow us to maintain that pace. Because of the ease of use of Duo Security and Yubico authentication technologies, we have seen minimal support and overhead costs. Other technologies, such as traditional OTP-based hardware tokens, smart cards, and biometrics didn't fully support our need to allow multiple and rapid logins to SSH sessions."
John "Four" Flynn, Information Security Manager, Facebook

Their mission: to protect a billion users without losing (much) sleep. That means shielding developers from targeted attacks while they access Facebook's internal networks and databases during development, so that neither the source code nor user data is put at risk.

Facebook's internal security culture is focused on reducing friction and making security easy for fast-paced developers. The security solution therefore had to be versatile, efficient and streamlined with the developer workflow, which centres on logging into a development server to write code. With tens of thousands of SSH sessions a day, more than 60 individual interactive sessions and over 3,000 non-interactive authentications [2], they needed security that would support those needs without adding friction. Strong security was required, without any hassle. While they already used passwords and public/private key pairs, they wanted a stronger form of authentication that they could easily extend to the rest of Facebook's employees. That is when they turned to two-factor authentication: combining something the user knows (a password) with something the user has (a device such as a phone).

Facebook's security team researched the two-factor options extensively and ran into downsides with each of them.

Time-based tokens (for example RSA SecurID) and Facebook's own code generator gave developers only a 30-second window in which to authenticate. They were also a poor fit for SSH when two terminals had to be open at the same time, and the only way to authenticate was to type a passcode, which users found annoying.

Event-based OTP tokens produced sync errors: press the token a few times by accident and its counter runs ahead of the server's, a huge usability failure. Tokens are also designed for infrequent use, which is fine for one VPN session but not for opening multiple SSH sessions.

Biometrics had extremely limited device support and their own security problems, such as false acceptance rates and replay. There was also the practical question of how to present a biometric factor to a remote server when the sensor is on the user's local laptop.

PKI (Public Key Infrastructure) had poor device support and relied on smart cards as the authenticator, and smart cards are susceptible to smart card proxy attacks: an attacker who controls the user's machine can capture the card's PIN and relay commands to the inserted card without the user's knowledge. Smart card management is also a pain to integrate across multiple platforms and carries a lot of overhead.

Facebook's security team ultimately needed a two-factor solution built better than these other methods: usability, flexible options, fast deployment and strong security with minimal support overhead.
The Solution: Why did Facebook choose Duo Security?

Facebook's Information Security Manager, John "Four" Flynn, said that Duo was pushing the usability envelope for authentication. Duo's two-factor authentication runs on smartphones as the Duo Mobile app and also covers landlines and devices that are offline, with methods including Duo Push, SMS passcodes, passcodes generated by the app and voice callback.

Duo's two-factor is also cloud-based, which removes the need to install hardware or software, making it fast and easy to deploy and cutting support overhead for administrators.

Versatile two-factor authentication for custom security solutions.

The long list of integrations Duo's two-factor supports includes many of the most widely used platforms, applications and devices. That flexibility makes Duo's authentication service a platform on which other technology can be combined into a custom security solution, and it prompted Facebook to add a third-party hardware token for their most demanding users, those who needed very fast authentication. For these users Facebook paired Duo Security's two-factor with Yubico's YubiKey Nano, which sits inside the USB port and works as an OTP token: it presents itself to the laptop as a keyboard and types a one-time password when touched. Frequent SSH users could touch the key on the side of their laptop to authenticate securely, while still having the other authentication methods available if they travelled or lost the device.

Facebook also had to support the way engineers actually log in. Engineers were running third-party SSH clients, relying on a lot of custom login scripts, and using SFTP often, and scripts that run non-interactively had to keep working without a person present to authenticate. Passwords created friction, as most users wanted to log in with Kerberos, SSH certificates or keys. With Duo Security's help, Facebook wrote its own SSH keyboard-interactive authentication drivers and custom modules to route the authentication input.

Ultimately, Facebook needed a solution that gave its engineers the greatest ease of use and flexibility, with fast deployment and minimal support overhead. Strong security was a given. Duo Security and Yubico combined forces to provide a powerful two-factor solution custom-fit to Facebook's security needs.
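What a YubiKey Nano actually types when touched is a 44-character Yubico OTP: a 12-character public ID followed by a 16-byte block encrypted under the key's AES-128 secret, written in the modhex alphabet so it survives any keyboard layout. The Go program below is an added example, not code from Yubico, Duo or Facebook, and models the format together with the server-side checks that make a captured OTP worthless a second time: the CRC residue, the private ID, and counters that must only ever increase. The AES key, public and private IDs and counter values are constructed here; the 8 Hz timestamp and random filler bytes of the real format are left zero, and a real validation server would use the public ID to look up the per-key record that this example holds in a single Validator.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"strings"
)

// modhex is the YubiKey's hex alphabet; its letters sit on the same scancodes on nearly every keyboard layout.
const modhex, hexDigits = "cbdefghijklnrtuv", "0123456789abcdef"

func modhexEncode(b []byte) string {
	return strings.Map(func(r rune) rune { return rune(modhex[strings.IndexRune(hexDigits, r)]) }, hex.EncodeToString(b))
}

func modhexDecode(s string) ([]byte, error) {
	// Map modhex letters to hex digits; anything else becomes 'z', which hex.DecodeString rejects.
	return hex.DecodeString(strings.Map(func(r rune) rune {
		return rune("0123456789abcdefz"[(strings.IndexRune(modhex, r)+17)%17])
	}, s))
}

// crc16 is the ISO 13239 CRC the YubiKey uses: reflected poly 0x8408, init 0xffff, no final XOR.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 & -(crc & 1)) // branchless: XOR the poly when the low bit was set
		}
	}
	return crc
}

// Token is the 16-byte block the key encrypts under its AES-128 key on each press.
type Token struct {
	PrivateID  [6]byte // secret identity, also held by the validator
	UseCounter uint16  // bumped at power-up and persisted; never goes backwards
	SessionCtr uint8   // presses within the current power-up session
}

// marshal lays the token out as the key does; timestamp (bytes 8-10) and random filler (12-13) stay zero here.
func (t Token) marshal() []byte {
	b := make([]byte, 16)
	copy(b[0:6], t.PrivateID[:])
	binary.LittleEndian.PutUint16(b[6:8], t.UseCounter)
	b[11] = t.SessionCtr
	binary.LittleEndian.PutUint16(b[14:16], ^crc16(b[:14])) // complemented FCS, X.25 style
	return b
}

// Generate builds the 44-character OTP the key types: 12 modhex characters of public ID, then the encrypted block.
func Generate(publicID, key []byte, t Token) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	ct := make([]byte, 16)
	block.Encrypt(ct, t.marshal())
	return modhexEncode(publicID) + modhexEncode(ct), nil
}

// Validator is the server-side state for one key. Last packs the highest (use counter, session
// counter) accepted so far; a real key's use counter starts at 1, so anything not above Last is a replay.
type Validator struct {
	Key       []byte
	PrivateID [6]byte
	Last      uint32
}

// Verify decrypts the OTP, checks the CRC residue (wrong key or corruption fails here), the private ID,
// and that the counters moved strictly forward.
func (v *Validator) Verify(otp string) (Token, error) {
	raw, err := modhexDecode(otp)
	if err != nil || len(raw) != 22 {
		return Token{}, errors.New("OTP must be 44 modhex characters")
	}
	block, err := aes.NewCipher(v.Key)
	if err != nil {
		return Token{}, err
	}
	pt := make([]byte, 16)
	block.Decrypt(pt, raw[6:]) // raw[:6] is the public ID a server would use to look v up
	if crc16(pt) != 0xf0b8 {
		return Token{}, errors.New("CRC check failed: wrong key or corrupted OTP")
	}
	t := Token{UseCounter: binary.LittleEndian.Uint16(pt[6:8]), SessionCtr: pt[11]}
	copy(t.PrivateID[:], pt[0:6])
	if t.PrivateID != v.PrivateID {
		return Token{}, errors.New("private ID mismatch")
	}
	cur := uint32(t.UseCounter)<<8 | uint32(t.SessionCtr)
	if cur <= v.Last {
		return Token{}, errors.New("replay: counters did not advance")
	}
	v.Last = cur
	return t, nil
}
```

Generate stands in for the key and Verify for the validation service. Presenting the same OTP twice, or one whose counters are below the last accepted pair, fails the replay check; verifying against a different AES key produces garbage that fails the CRC residue check before any counter is consulted.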

Recently, a team from Facebook gave a presentation at the Center for Education and Research in Information Assurance and Security (CERIAS) Seminar at Purdue University, explaining how the company uses Duo Security and YubiKeys to provide two-factor authentication. The presentation gave thoughtful insight into Facebook's security culture and how it led them through the evaluation and implementation decisions of their two-factor deployment. View the recorded presentation at duo.sc/facebook-purdue.

Duo's organic growth at Facebook, from protecting 300 to more than 10,000 users.

Initially deployed on Linux servers, Duo's two-factor spread organically within the organization to VPN, Windows servers, Splunk, OWA and others. Duo's lightweight, cloud-based integration model has let Facebook experiment efficiently with deployments for their production, financial and remote corporate VPN access systems. So where is Facebook today with Duo? Facebook is moving away from RSA SecurID time-based tokens completely in order to expand Duo to its entire organization under a full enterprise site license agreement, supporting more than 10,000 employees.

[1] Key Facts - Facebook as of Sept. 30, 2013: http://newsroom.fb.com/key-facts
[2] CERIAS Security Seminar at Purdue University (Video): Protecting a billion identities without losing (much) sleep: http://duo.sc/blog-facebookphilosophy

Duo Security, www.duosecurity.com, 617 Detroit St. Ann Arbor, MI 48104, +1 (734) 330-2673, 1-866-760-4247
Have questions, or want to learn more or get a demo walkthrough? Contact one of our Duo representatives today. Contact sales: http://duo.sc/contactduo