Cisco Duo and Your Privacy
Cisco Duo Mobile App and Your Privacy
There are many concerns regarding privacy, and the Department of IT Services wants to assure users that the Cisco Duo Mobile App is not an invasion of privacy. At the bottom of this article, you will find a couple of PDF captures from a user’s profile in the Cisco Duo console. These show the information that Duo collects and that City IT will have access to. However, before describing those documents, we’ll describe why multi-factor authentication is important to the City of High Point and why it will become a job requirement.
As a local municipality, we collect and store various data regarding citizens, employees, and those that choose to conduct business in the city. Examples of the data collected include but are not limited to:
- Census data
- Property records
- Public Safety data (Criminal/Arrest Records, Arson Records, Recorded calls to 911 dispatch and all call records entered into CAD [computer aided dispatch], etc.)
- Utility records (payment history, utility use data, outage records, etc.)
- Payment information (card holder transactions by the Library, Parks and Recreation, High Point Transportation, Customer Service, etc.)
- Employment records (Social security numbers, Bank and Routing numbers, Health insurance ID number, Personally Identifiable Information [sex, ethnicity, age], etc.)
As employees of the City of High Point, it is our duty to protect this information. Bad actors – both local and abroad – pose a threat to this data. Here are examples:
- An individual walks in off the street wearing a North State shirt and carrying a clipboard in an effort to blend in. They walk into the office of an individual who has a privileged level of access to Lawson. That individual has walked away from their PC and gone to a meeting. The attacker steals personally identifiable information with the plan to commit identity theft. With MFA (multi-factor authentication), the screen would time out, and even if the employee had their password in plain sight, the attacker wouldn’t be able to answer the MFA prompt provided by Cisco Duo.
- An attacker sends an email. The email claims to contain a voicemail message. Without reviewing the email or considering how they typically obtain voicemails, the user clicks a link to open the voicemail. They are delivered to a website which offers to let them review the message if they enter their email address and password. Depending on the individual and their position in the city, they may have direct access to sensitive information. Even if that employee doesn’t have access to sensitive information, the attacker could use their credentials to breach their workstation and begin the process of island hopping. This is where an attacker jumps from workstation to workstation, or even to a server, until they reach the data that they seek. With MFA, the attacker could steal the password, but they couldn’t answer the MFA prompt provided by Cisco Duo. Also, the end user would be alerted to the theft of their password by the MFA prompt appearing on their phone. Since the user would be aware of the password theft, they could reach out to IT for assistance.
We implore you to help us keep private not just your information, but also that of anyone who resides in or does business in the City of High Point!
Some employees have mentioned bad reviews for the Duo Mobile App. We have also read the reviews for the app on Google Play and the Apple App Store. There are several factors that could lead to a poor experience with Cisco Duo:
- The age of the mobile device or the version of Android or iOS that runs on it
- The level of support provided by the organization deploying multi-factor authentication (Cisco Duo will supply support to City IT for major issues, but City IT will support our employees)
Both the City of Greensboro and the City of Winston-Salem have successfully implemented Cisco Duo with no major complaints.
How does the Cisco Duo app work? With the City Duo app installed on your Windows workstation or registered with your Office 365 account, when you log in, an API call is made to Cisco Duo’s cloud environment. Some information is sent with the login attempt:
- Computer Name
- Computer IP address
- Unique identifier generated to identify the MFA transaction
- Registered Duo account information
Duo logs the event and looks up the registered devices (for Duo Push [mobile app], SMS, one-time PIN or hardware token) or a static PIN (yes, we can issue a static PIN for you to use rather than a hardware token or the Duo app). The Windows workstation or Office 365 login then issues a challenge to the end user. The challenge could be answering the Duo push notification on the phone, entering a one-time PIN supplied in the Duo app or via SMS/Voice, or entering a static PIN (which never changes and is the less secure method of MFA).
If you are using Cisco Duo on your mobile device, some information is logged about the device that acknowledges the push notification, such as phone number and operating system version. This would help us determine if an attacker has cloned your SIM card.
The app does not provide City IT any level of access to your mobile device.
You can view screenshots in the PDFs below that prove this. These are all records associated with an IT employee, his Duo use, and the devices that have prompted him for MFA or that he acknowledged MFA prompts from. As you can see, little is logged. The data contains his phone number, device names and IP addresses, and some metadata about the device status (i.e., out of date or current). The metadata is helpful when troubleshooting. You can also see approximate geo-location information, which is useful if a device or password is stolen or if a SIM card is cloned.
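The kind of review this logged data supports can be sketched in a few lines. The following is an added example, not City IT's or Cisco Duo's code; the record layout, field names and sample entries are constructed for illustration from the fields described above.

```python
from collections import defaultdict

def rec(txid, user, computer, ip, loc, result, phone, phone_os, phone_loc):
    # Hypothetical record layout built from the fields this article lists.
    return dict(txid=txid, user=user, computer=computer, access_ip=ip,
                access_loc=loc, result=result, phone=phone,
                phone_os=phone_os, phone_loc=phone_loc)

# Constructed sample entries (documentation IP ranges, fictional 555 numbers).
SAMPLE_LOG = [
    rec("t1", "jdoe", "CHP-WS-014", "10.20.1.14", "High Point, NC",
        "approved", "+1 336 555 0100", "iOS 17.4", "High Point, NC"),
    rec("t2", "jdoe", "UNKNOWN-PC", "203.0.113.50", "Frankfurt, DE",
        "denied", "+1 336 555 0100", "iOS 17.4", "High Point, NC"),
    rec("t3", "asmith", "CHP-WS-031", "10.20.1.31", "High Point, NC",
        "approved", "+1 336 555 0101", "Android 14", "High Point, NC"),
    rec("t4", "asmith", "CHP-WS-031", "10.20.1.31", "High Point, NC",
        "approved", "+1 336 555 0101", "iOS 16.2", "Raleigh, NC"),
    rec("t5", "jdoe", "CHP-WS-014", "10.20.1.14", "High Point, NC",
        "approved", "+1 336 555 0100", "iOS 17.5", "High Point, NC"),
]

def review(records):
    """Return {txid: [reasons]} for logins that merit a follow-up with the user."""
    findings = defaultdict(list)
    platform_seen = {}  # phone number -> OS platform first seen for that number
    for r in records:
        # 1. Prompt rejected or ignored: the password was typed by someone
        #    the phone's owner did not expect, so the password is likely stolen.
        if r["result"] in ("denied", "timeout"):
            findings[r["txid"]].append("unapproved_prompt")
        # 2. Same number answering from a different platform: the phone was
        #    replaced or the SIM may be cloned. Version upgrades are ignored.
        platform = r["phone_os"].split()[0]
        if platform != platform_seen.setdefault(r["phone"], platform):
            findings[r["txid"]].append("phone_platform_changed")
        # 3. Approved, but the phone and the computer are in different places.
        if r["result"] == "approved" and r["phone_loc"] != r["access_loc"]:
            findings[r["txid"]].append("location_mismatch")
    return dict(findings)

if __name__ == "__main__":
    for txid, reasons in review(SAMPLE_LOG).items():
        print(txid, ", ".join(reasons))
```

Only the fields the article says are logged are needed for these checks; nothing from the phone's contents is involved.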
You can view all the Duo MFA methods available in the Duo Guide to Authenticating with the Duo Prompt:
- Cisco Duo Push (mobile app)
- Call me (Voice call)
- Passcode (including SMS/text)
- Security Keys (Yubikey or OTP device)
- Bypass Code (PIN)
Hopefully, this detailed information helps you understand why MFA is important to guard the city from ransomware, nation state actors (i.e., Russian/Chinese military), and individual bad actors. Additionally, it should be helpful in the selection of which multi-factor authentication method you wish to use.