Embracing a Passwordless Future: Cisco's Journey to Seamless Authentication with Duo Passwordless
ndly way that would allow its 130,000 users to securely work anywhere, from any device, without friction. By leveraging its own Duo Passwordless, the team was able to eliminate phishable multi-factor authentication factors, improve usability and productivity, reduce authentication actions by 93%, and secure its workforce from anywhere.
At Cisco, securing our workplace for the future means continuously adapting to technological advancements and staying ahead of the threat landscape. Leveraging our own suite of security products, including Duo, has been key in helping us do that.
When most of our workforce worked remotely during the pandemic, we implemented Duo Beyond and moved from a traditional network-based perimeter and VPN model to a zero-trust framework so that users could securely work anywhere, from any device, without friction.
Today, our zero-trust journey continues as we strive to meet the security needs of today while adapting for what’s next with Duo Passwordless. Identity is now the perimeter— the first line of defense against cyber threats. With most data breaches coming from weak or stolen credentials, it’s clear that the future requires passwordless authentication.
The problem with passwords
To put it simply, passwords are an easy target for hackers. Once the gold standard for protecting sensitive information, passwords are now outdated and vulnerable in the ever-evolving threat landscape. They’re highly susceptible to phishing attacks, can be easily forgotten, and often lead to user frustration that brings an influx of password-related help desk tickets to IT teams.
When plagued by password fatigue, users are inclined to use weak, reused, or only slightly modified passwords across different accounts. Good password management is hard and difficult to enforce, and prior to using Duo Passwordless, Cisco IT struggled to manage these challenges across a massive workforce spanning more than 130,000 users.
As a large company and a leader in technology, a compromise in our security can have a major impact on our business and our innovation. If attackers obtain sensitive information such as source code, internal system details, customer data, or intellectual property, it not only puts our business and employees at risk, but the customers who rely on our technology. We needed to adapt our approach to authentication to mitigate the password related security risks to our business and challenges faced by our employees and support teams.
Traditional multi-factor authentication (MFA) is no longer sufficient
Authentication has evolved as cybercrime has become more and more sophisticated. We started with “something you know,” or a username and password. We added MFA, which combines “something you know” with “something you have” or “are” like a device or fingerprint. While stronger than a username and password alone, the “something you know” factor of a password remained susceptible to vulnerabilities.
The move to passwordless: focusing on security and user experience
We began working closely with the Duo product team to take a user-friendly, zero trust approach that not only enhanced security but also improved the user experience. To do this, we implemented Duo Passwordless. It wasn’t just about improving security, but at the same time cultivating a seamless experience that would better serve our customers and employees both now and into the future.
While Duo Passwordless is still MFA, it takes it a step further and combines the experience into one step, making for a smoother user experience. It relies on cryptographic public-private key pairs, utilizing biometrics (such as fingerprint or facial recognition) or security keys like YubiKeys to authenticate users without the need for passwords.
Enhancing Duo as customer zero
As “customer zero” for Duo Passwordless, we had the ability to test and improve the technology through early pilot programs before release. Using a multi-phased approach, we started with a small group of IT and security staff, improving performance and functionality through feedback before gradually expanding to the full workforce over 10 months. The knowledge gained from initial pilot groups and insights into how different users would be impacted helped shape our approach to communicating the changes with our workforce.
Through careful collaboration between teams across our organization, Cisco IT Security and the Security and Trust Organization (S&TO) began driving the direction of our passwordless future. My team within IT Security served as the main drivers behind this effort, with S&TO providing change management support, and IT UX, IT Comms, and IT Research & Analytics supporting as needed. Help@Cisco also played a role once we shifted to mandatory passwordless only for key apps, managing the support process for our internal users so service teams could focus on the operation and improvement of the product.
Challenges and lessons learned
While the full rollout has seen high levels of organic workforce enrollment with limited promotion, there were some challenges with adoption. Many users reported initial concerns with utilizing biometrics. For example, Windows Hello users who didn’t log in with biometrics by default, simply didn’t know to set it up. Unless specifically told, users in this situation did not realize biometrics were an option for them.
To remedy, we focused on employee education around how biometrics are used, where they’re stored, as well as the value of shifting to passwordless authentication. In addition, we provided alternatives to biometrics. For example, on Windows, users can use a PIN. If they don’t like platform-based authenticators, they can use a YubiKey with a PIN or setup a passkey on a mobile device.
Also important to note, we did not initially mandate the move to passwordless. Our approach to encouraging employee adoption and change was shaped by our commitment to delivering the best user experience. We wanted to deliver services and technology that acted as a magnet for adoption rather than a mandate.
Now that we are further into our journey, we have started Passwordless Only enforcement on certain apps. The slower, but at-will transition allowed organic adoption and helped get people comfortable with the new technology prior to making the practice mandatory.
The impact: A more secure and productive workforce
Since the passwordless solution was made available to the entire workforce, we’ve seen substantial benefits including:
- Zero password-related security incidents
- A frictionless experience for over 130,000 employees with zero trust secure access
- Improved usability and productivity, reducing authentication actions by 93%
- Enhanced security by eliminating phishable MFA factors
- Substantial reduction in IT time and costs due to fewer password-related issues
The future: Continued innovation and expansion
While there is a long road ahead of a full industry shift away from passwords entirely, this has primarily been about changing the experience for our workforce today and mitigating potential future threats for our business. Preparing for a completely passwordless future is a journey that we continue to build and improve on, including:
- Improving security and usability for our workforce: Our journey began with our implementation of Duo Beyond and continues with Duo Passwordless, underpinning our current transition to Cisco Secure Access within Cisco IT (more to come!). Identity security is a foundation for zero trust access, and Duo is much more than just MFA.
- Strengthening and evolving our zero-trust architecture: The successful rollouts of our Duo solutions combined with the latest rollout of Cisco Secure Access unlocks even stronger zero trust outcomes with an identify-first SSE.
Learn more about Duo Passwordless Authentication, our journey, and the powerful combination of Cisco Secure Access and Duo. For Cisco employees, learn how to set up passwordless on your Cisco device here.
Additional Resources:
PS: Attending Cisco Live in San Diego this June?
You’ll have a special opportunity to talk live with Cisco IT experts to dive into these success stories and other deployments! Look for Cisco on Cisco in each of the showcases and be sure to search Cisco on Cisco in the session catalog to add our sessions to your schedule!
Share:
