Last week, several universities and colleges experienced a systemwide outage with Duo, Cisco’s popular authentication service. The outage began at 9 a.m. ET and lasted for approximately five hours, causing disruptions for students and faculty who were unable to log into their accounts.
Georgetown University’s Information Services was one of the first to alert students about the outage on Twitter. They stated that Duo was experiencing a systemwide outage that could impact the ability to log into GU systems. Two hours later, the university provided an update, stating that Duo’s performance was slowly improving but still reporting issues affecting the university’s two-factor authentication for all Georgetown systems.
Similarly, San Francisco State University’s Information Technology Services informed students on Twitter that they had identified an issue with Duo and were working towards a resolution in collaboration with the vendor.
The outage was caused by application latency that reached service-impacting levels, according to Duo’s status log. The incident highlighted why organizations need contingency plans for the case in which a two-factor authentication service becomes unavailable, and why resilience and business continuity have to be weighed when adopting newer and stronger authentication methods.
Andras Cser, vice president and principal analyst at Forrester Research, emphasized that a failure in an authentication service can disrupt operations, especially when there are no alternative or backup login methods and form factors. Without authentication, a company essentially stops working.
Duo first received a notification of latency issues at 9:03 a.m. ET on August 21. The increased latency eventually caused authentication failures for some customer applications protected by Duo’s service. Several universities, including the University of Manchester in the UK, Colorado State University, and Western University, experienced the impact of the outage, as reported by their respective IT groups on Twitter.
Steve Won, chief product officer at authentication firm 1Password, emphasized the need for businesses to ensure they do not have single points of failure in their authentication infrastructures. He mentioned that push-based models, where a device and a back-end authentication service are linked, can cause outages when the back end becomes unavailable. To avoid this, he suggested using time-based one-time password (TOTP) authentication, which does not have a single point of service failure and can be used as a failover mechanism.
Won also cautioned against using SMS text-based one-time passwords due to known vulnerabilities, such as SIM swapping attacks. Current best practices advise against relying solely on SMS-based authentication.
Duo’s “Guide to Business Continuity Preparedness” outlines how applications should fail over during an outage. Organizations have the option to “fail secure” and not allow alternative types of access, or to “fail safe” and allow users to use lesser forms of authentication and bypass two-factor authentication. When service is reachable but performance is degraded, organizations must implement their own countermeasures.
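As an added illustration, not code from Duo, 1Password or the article, the following Python sketches the two ideas above: a TOTP code (RFC 6238) verified entirely locally, so it works as a failover that needs no vendor backend, and a policy switch between failing secure, failing over to TOTP, and failing safe when the push service is unreachable. The user store, the seed (the RFC 6238 test seed) and the push stub are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed enrolment store: user -> base32 TOTP seed (the RFC 6238 test seed).
TOTP_SEEDS = {"alice": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}


def hotp(seed_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(seed_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def verify_totp(seed_b32, code, at=None, step=30, window=1):
    """RFC 6238 TOTP check done locally: no call to any vendor backend.
    window=1 tolerates one time step of clock skew on either side."""
    counter = int((time.time() if at is None else at) // step)
    return any(hmac.compare_digest(hotp(seed_b32, counter + d, len(code)), code)
               for d in range(-window, window + 1))


class PushUnavailable(Exception):
    """Raised when the push backend times out or is unreachable."""


def second_factor(user, push_backend, totp_code, policy, at=None):
    """Return "allow" or "deny". Push is tried first; the policy decides what
    happens when the push service is down:
      fail_secure   - deny every login until the service returns
      totp_failover - accept a locally verified TOTP code instead
      fail_safe     - bypass the second factor entirely (weakest option)"""
    try:
        return "allow" if push_backend(user) else "deny"
    except PushUnavailable:
        if policy == "totp_failover" and totp_code and user in TOTP_SEEDS:
            return "allow" if verify_totp(TOTP_SEEDS[user], totp_code, at) else "deny"
        if policy == "fail_safe":
            return "allow"
        return "deny"  # fail_secure, or failover requested but no TOTP enrolled


def push_down(user):
    """Constructed stand-in for a push backend that is currently unavailable."""
    raise PushUnavailable("push service latency exceeded timeout")
```

Only the totp_failover branch keeps a second factor while the push service is down; fail_safe is the "lesser authentication" option the guide describes and should be a deliberate, time-boxed choice.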
In conclusion, the recent outage with Duo’s authentication service serves as a reminder for organizations to have contingency plans and consider resilience and business continuity when implementing two-factor authentication systems. Single points of failure should be avoided, and alternative authentication methods, such as TOTP, should be considered. By taking these precautions, organizations can minimize disruptions and ensure the uninterrupted operation of their systems.