Duo Security
by Cisco
Multi-factor authentication and zero trust access platform
Authoritative Sources
Key guidance documents from authoritative organizations.
NIST SP 800-63B §4.2: "AAL2 provides high confidence that the claimant controls authenticator(s) bound to the subscriber's account. At least one authenticator used at AAL2 SHALL be replay resistant."
§5.1.3: "Multi-factor OTP devices generate OTPs for use in authentication after activation through an additional authentication factor."
§4.2.2: "Authentication at AAL2 SHOULD demonstrate authentication intent from at least one authenticator." Duo Push meets AAL2 requirements, with the user's approval tap providing authentication intent.
§4.3: "AAL3 authentication SHALL use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance." Duo hardware tokens and WebAuthn meet AAL3 requirements.
CIS Control 6.3: "Require MFA for externally-exposed applications." CIS Control 6.4: "Require MFA for remote network access." CIS Control 6.5: "Require MFA for administrative access." Duo provides centralized MFA enforcement.
Covers policy configuration, authentication methods, trusted endpoints, and integration with various applications.
SOC 2 CC6.1: "The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events."
CC6.2: "Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users."
CC6.3: "The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles."
Duo MFA implements access controls aligned with SOC 2 requirements. Source: AICPA Trust Services Criteria.
ISO 27001:2022 A.5.16: "The full lifecycle of identities shall be managed."
A.5.17: "Authentication information shall be controlled through a management process including advising users to keep authentication information confidential."
A.8.5: "Secure authentication procedures shall be implemented in accordance with the information access restriction policy."
Duo supports ISO 27001 identity management and secure authentication requirements. Source: ISO/IEC 27001:2022 Annex A.
Verification Commands
Duo Admin API requests for testing and verifying security configurations (each request must be signed with the Admin API integration key and secret key).
GET /admin/v1/users
GET /admin/v2/logs/authentication
GET /admin/v1/users/{user_id}/bypass_codes
GET /admin/v1/users/{user_id}/phones
GET /admin/v1/integrations
GET /admin/v1/logs/administrator
Related Controls
Security controls from various frameworks that relate to Duo Security.