The Cisco Duo MFA Breach: What We Know

Understanding the Cisco Duo MFA Breach

On April 1, 2024, a significant security breach was reported by Cisco, impacting its Duo multi-factor authentication (MFA) service. The Cisco Duo MFA breach occurred through a third-party telephony provider that manages SMS and VOIP services for Cisco Duo. A successful phishing attack enabled hackers to obtain employee credentials at the telephony provider, which were then used to access systems and download MFA SMS message logs. These logs contained metadata such as phone numbers, carriers, and geographical locations, though it’s crucial to note that the content of the messages was not accessed.

The Scope and Response

The Cisco Duo MFA breach specifically involved the logs of messages sent between March 1, 2024, and March 31, 2024. While the actual content of the MFA messages was secure, the metadata contained within could potentially be exploited for further targeted phishing campaigns or to facilitate other forms of social engineering attacks.

Upon discovering the breach, the affected telephony provider took prompt measures to contain the incident. This included invalidating the compromised credentials and enhancing security protocols to prevent future breaches. Cisco has been transparent with its customers, advising them to be vigilant and to educate their users on the risks associated with social engineering.

Common Vulnerabilities in MFA Systems

While MFA is a robust security measure, the Cisco Duo incident highlights some vulnerabilities inherent in MFA systems, particularly those relying on telecommunication-based methods such as SMS and VOIP:

  1. Phishing Attacks: As seen in the Cisco Duo breach, phishing remains a significant threat. Attackers can use sophisticated tactics to trick individuals into providing access credentials.
  2. Social Engineering: Access to metadata from MFA systems can aid attackers in crafting more credible phishing attempts and other social engineering strategies.
  3. MFA Fatigue: Attackers may repeatedly request MFA codes to wear down a user’s resistance, eventually leading them to share a code inadvertently.
  4. SIM Swapping: This involves an attacker convincing a mobile provider to switch a victim’s phone number to a SIM card they control, intercepting MFA codes sent via SMS.
  5. Technical Flaws and Exploits: Vulnerabilities in the software or hardware used for MFA can allow attackers to bypass security measures. For example, exploiting network-level vulnerabilities to intercept or redirect MFA messages.
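The MFA fatigue item above describes a pattern that shows up clearly in authentication logs: a burst of push prompts the user denies or lets time out, sometimes followed by an approval. The following detector is an added example written for this page; it is not Cisco Duo code and the pipe-delimited log format and the sample lines are constructed, not Duo's real export schema. It flags any user who received at least `threshold` unapproved push prompts inside a sliding time window and separately marks the dangerous case where an approval follows such a burst.

```python
"""Detect MFA push-bombing (MFA fatigue) in authentication logs.

Added example for this page. The log format below is a constructed,
hypothetical pipe-delimited format (timestamp | user | factor | result);
it is not Cisco Duo's real log schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: one push prompt per line.
SAMPLE_LOG = """\
2024-03-14T09:00:05Z|alice|push|denied
2024-03-14T09:00:41Z|alice|push|denied
2024-03-14T09:01:12Z|alice|push|timeout
2024-03-14T09:01:50Z|alice|push|denied
2024-03-14T09:02:30Z|alice|push|approved
2024-03-14T09:05:00Z|bob|push|approved
2024-03-14T10:30:00Z|carol|push|denied
2024-03-14T11:45:00Z|carol|push|approved
"""

UNAPPROVED = ("denied", "timeout")


def parse_line(line):
    """Split one constructed log line into (timestamp, user, factor, result)."""
    ts, user, factor, result = line.strip().split("|")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, factor, result


def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {user: {"first_alert": datetime, "approved_after_burst": bool}}
    for every user who saw at least `threshold` unapproved push prompts
    within `window`. `approved_after_burst` becomes True when an approval
    arrives while the burst is still inside the window: that is the case
    where the user has likely given in and an investigation should start.
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, factor, result = parse_line(line)
        if factor != "push":
            continue
        q = recent[user]
        # Slide the window: discard prompts older than `window`.
        while q and ts - q[0] > window:
            q.popleft()
        if result in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {"first_alert": ts, "approved_after_burst": False}
        elif result == "approved" and user in alerts and len(q) >= threshold:
            alerts[user]["approved_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, info["first_alert"].isoformat(),
              "APPROVED AFTER BURST" if info["approved_after_burst"] else "burst only")
```

On the constructed sample, `alice` is flagged at the third unapproved prompt (09:01:12) and marked as having approved after the burst; `carol` denied once and approved over an hour later, which falls outside the window and is not flagged. In production the thresholds should be tuned per environment, and the alert is a trigger for contacting the user and reviewing the session, not proof of compromise on its own.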

Enhancing MFA Security

To mitigate these vulnerabilities, organizations can adopt several strategies:

  • Layered Security: Combine MFA with other security measures like digital certificates, hardware security keys, or behavioral analytics to reduce reliance on any single security mechanism.
  • Educating Users: Regular training sessions can help users recognize phishing attempts and other forms of social engineering.
  • Using More Secure MFA Methods: Prefer push notifications or hardware tokens over SMS-based MFA; they are far less susceptible to interception.
  • Regular Audits and Updates: Keep security systems updated and conduct regular security audits to identify and mitigate potential vulnerabilities.

The Cisco Duo MFA breach serves as a potent reminder of the ever-evolving landscape of cybersecurity threats. While MFA adds a critical layer of security, it is not infallible. Organizations must continuously evaluate their security practices and educate their users to safeguard against sophisticated cyber threats.

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

How Linux (Almost) Had a Terrible, Horrible, No Good, Very Bad Day

If there’s one thing you can say about the people behind the xz supply chain hack, they were certainly willing to play a long con. For the last two years, a (probable) state-sponsored hacker quietly began integrating themselves into the open source community, particularly with the people responsible for maintaining xz utils (more on what this is and what it does in a minute). They began systematically inserting a back door into this core component of the Linux operating system that would have allowed attackers to bypass SSH authentication and remotely access millions of systems. We were just days away from the biggest supply chain attack in history when they were caught.

What is XZ Utils?

Xz Utils is a program that handles file compression, and it is included as part of several popular Linux distros like Fedora, Debian, and Ubuntu. There is even a Windows version, although Windows software is usually distributed as a zip file rather than an xz file. Programs like this are crucial because large downloads like software packages need to be compressed, or they would take forever to download even over the fastest internet connection.

Open Source, Open to All

To understand how we came so close to disaster, you first have to understand how open source software works. Open source means that the source code – the building blocks of the software – is available for anyone to see and modify. Open source software is like buying a box of Legos – sure, you can make the robot on the outside of the box, but you can also modify and invent whatever you want. The same applies to open source software – if you have the requisite programming knowledge, you can contribute bug fixes, work on features, and shape the future of the programs you use every day. Software like Microsoft Windows and macOS is closed source (although macOS runs on FreeBSD, which is open source, the user interface and applications are closed source). With these operating systems, you’re at the mercy of Microsoft and Apple to fix bugs, and as we all know, they often don’t (just take a look at this 40+-year-old bug someone found in Windows in 2018!). The huge advantage of using an open source OS like Linux is that if you have a bug or a feature request that you want implemented, you can just do it yourself. Of course, just because anyone can technically contribute does not mean there is software anarchy. According to The Linux Foundation, most projects have a structure:

  • Leaders: someone responsible for making the final decisions about features, releases, and other priorities.
  • Maintainers: leaders for specific areas or features; for instance, there is a documentation leader, a leader for developing device drivers, USB, and so on. They are responsible for reviewing code from others before it gets added to their individual area.
  • Committers: trusted developers who have done enough work for the project that they can make direct code changes rather than being subject to review by the maintainers.
  • Contributors: anyone who contributes, be it code, documentation, or what have you. Their contributions are reviewed by the maintainer(s) before they’re added to the project.

Foxes in the Hen House

In 2021, someone with the user name JiaT75 opened a GitHub account and made their first commit to an open source project. They claimed it was just adding clearer error text when an untaring (aka uncompressing) process failed; at the time, it was added without comment, but in retrospect, it appears suspicious. These changes have since been reverted. In April of 2022, Jia Tan (aka JiaT75) submitted a patch to Xz via the mailing list. Around the same time, two people began badgering the maintainer of Xz to add another maintainer because patches were not happening fast or often enough. Neither of these people had any history in the open source community, and after these messages they were never seen again. Over the course of 2022, JiaT75 became the second most active contributor to the xz project. In January of 2023, JiaT75 merged their first direct code change, which means they had now achieved a level of trust that allowed them to implement the code for the back door. Over the course of 2023, changes were regularly made as JiaT75 implemented the back door one piece at a time. In February of 2024, the last few files were completed.

While this was happening, the hacker was contacting the leads of all the major Linux distributions to get them to install the updated version of xz utils. Richard WM Jones from Red Hat wrote about his contact with the hacker and Red Hat’s scramble to remove the backdoor once they found it, and Ubuntu has also made public the post from Jia Tan asking them to include it. This is an overview of the timeline; you can find an excellent detailed version with links to the GitHub submissions and e-mails here.

An Unlikely Discovery

With all the careful measures taken to make this look legit, how did they get caught? Purely by a stroke of luck. Andres Freund, a developer working at Microsoft, was troubleshooting a performance issue on a Debian Linux system. When you remember that no stable version of Debian was released with the vulnerability, and therefore he was working on an experimental version, the sheer luck behind this discovery is astounding. He noticed that SSH logins were using too much CPU and recalled an error he had seen in Valgrind (a program used to monitor computer memory), so he put the pieces together. Thanks to his keen eye and serious investigative skills, he traced the problem to xz utils and sent a missive to the Open Source Security List to describe the problem. Most people never dig this deep into performance issues, and even if they do, it takes a lot of system knowledge to be able to trace them to the specific cause the way Freund did.

We’re Safe Now, Right?…..Right?

Supply chain attacks are obviously not limited to open source software. After all, the reason most people know the term “supply chain attack” is because of SolarWinds in 2020, which was most certainly not open source. But still, this shows that open source software may be more vulnerable than closed source. When the fake accounts began badgering Lasse Collin about the lack of updates, his response showed that open source developers are subject to limited time, burnout, and other struggles just like closed source developers, and adding this on top of the fact that open source development is not paid, well…it’s easy to see how someone could make themselves popular very quickly, and how new code is not always tested as thoroughly as it should be. Again, this definitely isn’t a problem specific to open source, but it’s perhaps easier to exploit. Regardless of the development method, we need to ramp up supply chain security across the board before the next attack is successful.

A Closer Look at the SEC Cybersecurity Rule on Disclosure

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted new rules that significantly enhance how public companies must handle and disclose cybersecurity incidents and their overall cybersecurity risk management. This initiative is crucial in promoting transparency and protecting investors from the adverse effects of cybersecurity threats. One of the technological strategies that can be pivotal in complying with these new regulations is Network Access Control (NAC). Here’s a detailed look at the new requirements and how NAC systems can be integrated to ensure compliance.

Key Provisions of the SEC’s New Cybersecurity Disclosure Rule

The newly adopted SEC rules require public companies to report material cybersecurity incidents within four business days of their determination as being “material.” Companies must provide a comprehensive description of the incident, detailing its nature, scope, and timing, as well as the impact or potential impact on the company.

Additionally, the regulations, encapsulated under Regulation S-K Item 106, necessitate annual disclosures that elaborate on the processes a company uses to assess, identify, and manage cybersecurity threats. This includes detailing the roles of the board of directors and management in overseeing these risks.

The Role of Network Access Control (NAC) in Complying with SEC Rules

Network Access Control (NAC) systems are critical in managing access to network resources, ensuring that only authorized and compliant devices are allowed network access, and thereby significantly reducing the potential for unauthorized or harmful entries that could lead to cybersecurity incidents. Here’s how NAC can fit into the SEC’s new cybersecurity framework:

  1. Prevention of Unauthorized Access: By enforcing policies for user and device access, NAC can prevent unauthorized access, an essential factor in mitigating the risks of cybersecurity incidents that must be disclosed under the new SEC rules.
  2. Enhanced Incident Detection and Response: NAC systems can monitor and log access activities within the network, providing an audit trail that can be crucial for detecting and responding to cybersecurity incidents swiftly. This capability supports the requirement for timely reporting as stipulated by the SEC.
  3. Assessment and Management of Cyber Risks: NAC helps in identifying and categorizing devices connected to a network, assessing their compliance with security policies, and managing their access. This ongoing assessment and management align with the SEC’s requirements for companies to describe their processes for managing cybersecurity risks.
  4. Supporting Compliance and Reporting: NAC systems can generate comprehensive reports on network access and security incidents, providing the necessary documentation that companies can use to support their compliance with the new SEC regulations. These reports can be crucial during audits and inspections to demonstrate adherence to prescribed cybersecurity practices.

Looking Ahead

The SEC’s new rules on cybersecurity disclosures set a clear path for how public companies should manage and report cybersecurity incidents and their overall cybersecurity strategies. Network Access Control (NAC) systems offer robust solutions that can help companies meet these new requirements efficiently. By integrating NAC into their cybersecurity frameworks, companies can enhance their security measures, ensure compliance with regulatory requirements, and protect their stakeholders from the potentially devastating effects of cybersecurity breaches. This strategic approach not only aligns with the SEC’s mandate but also strengthens the company’s overall cybersecurity posture.

Move Towards Passwordless Security: Embracing Change on Identity Management Day

As we celebrate Identity Management Day, business leaders and IT decision-makers must understand the significance of identity management in today’s digital landscape. With the increasing dangers of not properly securing identities and access credentials, the need for unified access and passwordless security solutions has never been more pressing.

The Urgent Call of Identity Management Day: Why Leaders Must Listen

Identity Management Day underscores a critical, often overlooked aspect of cybersecurity that demands our immediate attention and action. In an era where digital identities form the backbone of almost every cyber transaction and interaction, the cost of neglect in this domain can be devastating. To make matters worse, more than 80% of confirmed breaches are related to stolen, weak, or reused passwords, an issue that is hard to combat when you rely on passwords to keep your critical data safe. This observance acts as a wake-up call to business executives and IT strategists, urging them to elevate identity management to the top of their security agendas.

The digital landscape is rife with sophisticated threats that prey on weak links in identity and access management protocols. It is no longer a question of if but when an organization will find itself in the crosshairs of these cyber adversaries. The stakes are high, and the potential damage – ranging from financial loss to irreparable harm to reputation – can be catastrophic.  

Leadership in this context involves not just awareness but proactive engagement with the latest in identity-centric security methodologies. The mantle of responsibility rests with those at the helm to ensure that their organizations are not merely reacting to threats as they emerge but are steps ahead, fortified by preemptive planning and robust security architectures. This entails a commitment to understanding the nuances of identity management, from governance to the adoption of innovative technologies designed to preempt breaches.

As we commemorate Identity Management Day, it becomes imperative for leaders to introspect on their current identity management strategies and embrace a forward-looking posture. This is a pivotal moment to champion change, advocate for stringent identity protection measures, and lead organizations towards a more secure and resilient future. The path forward is clear – it is one that requires unwavering dedication, visionary leadership, and a steadfast commitment to safeguarding digital identities against the burgeoning tide of cyber threats.

Understanding the Pillars of Identity Management

In the realm of digital security, the comprehension and application of identity management’s foundational pillars stand as a beacon for organizations aiming to fortify their defenses against the incessant waves of cyber threats. These pillars—governance, processes, and technology—constitute the trinity that underpins effective identity management systems. To navigate the complex cybersecurity landscape, organizations must delve deep into each of these components, understanding their unique roles and synergies.

Governance serves as the strategic framework guiding the management and security of identities. It is the compass by which policies are developed, ensuring that identity management aligns with broader organizational objectives and compliance requirements. This layer of oversight and direction is paramount, as it establishes the principles and standards that shape the secure handling of digital identities.

Processes are the operational backbone, the series of actions and protocols that operationalize governance policies into day-to-day activities. They ensure the consistent and effective application of security measures across all user interactions and access points. Through well-defined processes, organizations can streamline identity verification, access controls, and response strategies, thereby minimizing vulnerabilities and enhancing efficiency.

Technology, the third pillar, offers the tools and solutions that actualize governance and processes into tangible security outcomes. Cutting-edge technological advancements enable organizations to deploy sophisticated identity management systems, from biometric authentication to blockchain-based verification mechanisms. Embracing innovative technologies is not a mere option but a necessity in constructing a resilient identity management infrastructure capable of thwarting advanced cyber threats.

In synthesizing these pillars, organizations embark on a comprehensive approach to identity management. By meticulously integrating governance, processes, and technology, they lay the groundwork for a robust identity management system—one that not only defends against current threats but is also adaptable to the evolving digital landscape. This integration is the cornerstone upon which secure digital identities are built and safeguarded, marking the path forward for organizations seeking to navigate the complexities of cybersecurity with confidence and foresight.

The Visionary Path to Unified Access and Passwordless Futures

The relentless advancement of technology and the interconnectedness of our digital world demand a bold reimagining of security paradigms. The journey towards unified access and the embrace of passwordless futures represents a seminal shift in the battle against cyber threats. This visionary path is not merely about adopting new technologies; it’s a comprehensive realignment of our approach to identity management, underscoring the imperative to transcend traditional password-dependent frameworks.

Unified access epitomizes the seamless integration of authentication mechanisms across diverse platforms and systems, facilitating a user experience that is both secure and intuitive. It is the harbinger of an era where access control transcends the boundaries of passwords, employing a constellation of authentication factors that are inherently more secure and less susceptible to compromise. These may include biometric verification, security tokens, and behavioral analytics, each contributing a layer of defense that collectively fortifies the digital ecosystem against unauthorized intrusions.

The move towards a passwordless future is not merely a technical evolution but a strategic imperative. It acknowledges the inherent vulnerabilities of password-based security – the human propensity for creating weak passwords, the logistical challenges of managing them, and their susceptibility to phishing attacks and breaches. By contrast, passwordless authentication methods offer a more robust and user-friendly alternative, significantly reducing the attack surface for cyber adversaries.

Embracing this visionary path necessitates a paradigmatic shift in mindset among leaders and decision-makers. It requires the courage to innovate, the wisdom to foresee the emerging landscape of cyber threats, and the resolve to implement forward-thinking security strategies. As organizations chart their course towards unified access and passwordless futures, they embark on a transformative journey that not only enhances security but also redefines the very essence of digital identity management in the modern era.

Considering adopting a unified access approach? Check out our webinar on the Pillars of Unified Access Control to gain a better understanding of the value it will bring to your IT security strategy.

Implementing Identity-Centric Security Best Practices

The imperative of adopting identity-centric security best practices cannot be overstated within the realm of modern cybersecurity frameworks. As organizations navigate through the labyrinth of evolving digital threats, anchoring their defense strategies in identity-centric methodologies emerges as a linchpin for robust security postures. The principle of least privilege access forms the foundation of this approach, ensuring that access rights are meticulously calibrated to the minimal level necessary for users to fulfill their roles. This minimization of access privileges acts as a crucial barrier, significantly mitigating the potential for unauthorized data breaches and system infiltrations.

Continuous monitoring represents another cornerstone of identity-centric best practices. In an environment where threat vectors are continually morphing, the vigilance afforded by real-time monitoring of user activities and access patterns is indispensable. This proactive surveillance enables organizations to detect anomalies and respond to potential security incidents with alacrity, thereby closing the window of opportunity for cyber adversaries.

Furthermore, the deployment of robust authentication mechanisms stands as a testament to an organization’s commitment to securing its digital identities. The adoption of multifactor authentication (MFA), leveraging a combination of something the user knows, has, and is, elevates the security threshold, creating a formidable barrier against unauthorized access attempts. This layered approach to authentication enhances the integrity of access control but is still vulnerable. The best option to keep your network safe is to migrate to a passwordless approach.

Embracing these identity-centric security best practices is not merely a technical endeavor but a strategic imperative. It requires a holistic understanding of the threat landscape, a commitment to continuous improvement, and an unwavering dedication to safeguarding the digital identities that are the lifeblood of the contemporary organizational ecosystem.

The Role of Leadership in Cultivating a Secure Digital Culture

In the quest to establish a resilient digital fortress, the impetus falls squarely on the shoulders of organizational leaders. It is their vision and proactive stance towards the integration of identity-centric security practices that pave the way for a culture steeped in vigilance and responsibility. Such a culture does not emerge by happenstance but is carefully nurtured through deliberate action and unwavering commitment. Leaders set the tone, embedding security into the fabric of the organization’s ethos, making it a universal priority rather than a peripheral concern.

This leadership imperative extends beyond mere policy implementation. It involves engendering an environment where every member of the organization feels personally invested in the security of digital assets. Through educational initiatives, regular security briefings, and open forums for discussion, leaders can demystify cybersecurity, transforming it from a daunting challenge into a collective mission. This educational crusade equips team members with the knowledge and tools necessary to recognize and thwart potential threats, fostering a proactive mindset that is critical in today’s fast-evolving threat landscape.

Moreover, by advocating for cutting-edge security technologies and practices, leaders exemplify a forward-thinking approach that encourages innovation and adaptability. This not only positions the organization at the forefront of cybersecurity but also signals to employees the critical nature of their roles in this ongoing battle. Ultimately, it is the caliber of leadership that determines whether an organization’s digital culture is its Achilles’ heel or its strongest bulwark. In championing a culture where security is ingrained and revered, leaders are the architects of a future where digital identities are shielded with unwavering diligence and sophistication.

Why MFA Isn’t Going to Save You

Think multi-factor authentication (MFA) is iron-clad protection against a data breach? Think again. Attackers keep coming up with clever ways to bypass MFA, from social engineering to elaborate man-in-the-middle attacks. Here are some of the ways bad actors get around MFA:

One-Time Passcodes

The weakest common form of two-factor authentication is the one-time passcode (OTP) sent by text message. Not only are the passcode texts annoying, they are also not very secure, for the reasons that follow.

SIM Swapping

Even if your phone never leaves your pocket, hackers can take over your digital life with a technique known as SIM swapping. A Subscriber Identity Module (SIM) is the little card from your carrier that ties your phone to your number on the cellular network. Many phones now use an eSIM, a digital version of that card, and either way the carrier can move your number to a different SIM or eSIM on request; that is how you keep your number when you buy a new phone. If a hacker gathers enough information about you, often through a phishing text message or just by scraping social media, they can call your carrier, pass as you, and have your number moved to a phone they control. Every OTP then goes to their phone instead of yours, letting them reset accounts and gain access to even more. Think this is unlikely? Jack Dorsey, then CEO of Twitter, had his own account taken over this way in 2019.

Provider outage

On February 22nd, 2024, US cell provider AT&T suffered an outage that ran for roughly 12 hours from 3:30am ET, with at least 74,000 reported outages. Beyond the frustrating inconvenience, if you use SMS one-time passcodes for MFA, your users could not receive them for most of the workday. Unfortunately, AT&T is not the only carrier to have issues: Verizon customers also reported widespread connectivity problems for at least 4 hours on January 26th, 2024. T-Mobile users were lucky this go-round, but maybe that’s because they had their turn in February of 2023.

Smishing

Smishing is a silly word for a serious problem: phishing via SMS. Text messages are easy to fake, and if your employees are used to getting authentication messages via SMS, it’s that much more likely they’ll click on a bad link in a moment of carelessness. It happened to Activision in December 2022: several employees got fake text messages, only one person fell for the scam, but that was enough. The victim happened to work in HR, which gave the hackers access to quite a bit of data.

Passcodes Are Stored, Not Just Generated

You probably haven’t given much thought to how one-time passcodes are generated. The vague assumption is that when a request is made, a server somewhere generates a random number, sends it to you, and forgets it once you log in. The random part is roughly right; the forgetting part is not. The code has to be stored somewhere so it can be checked, and every system it passes through on the way to your phone, SMS gateways included, can log it. In early 2024 a security researcher found that YX International, an SMS routing company that delivers OTPs for big-name services including Facebook and Google, had left a database of those messages, passcodes included, exposed to the internet. Thankfully the researcher alerted the company. Next time, it may be someone with significantly less altruistic motives.

We’ve established that SMS OTPs have got to go. Maybe authenticator apps are the solution? They are more secure and solve many of the issues above: no carrier outages, no stolen phone numbers, and the phone itself is protected with biometrics, so an attacker would need to physically take it to read a code. But they aren’t as safe as you may think.

MFA Fatigue

When you use an authenticator app, signing in often prompts a push notification to approve or deny access. Attackers who already hold a valid password bypass this by spamming your device with repeated push notifications in the hope that you’ll approve one, either to make it go away or by accident (we’ve all clicked “Next” when we meant to hit “Cancel”). Cisco was hacked this way in 2022 after an employee’s personal Google account, with corporate credentials saved in the browser, was compromised. Sometimes there is a social engineering component on top, as when Uber was hacked in 2022: the attacker contacted the owner of the compromised account, pretended to be from Uber’s IT department, and asked them to approve the notification.
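A push-bombing campaign leaves a distinctive trail in the authenticator’s logs: many prompts for one user in a few minutes, denied or timed out, and then one approval. The script below is an added example written for this article, not code from Cisco, Duo, Uber or any vendor; the record layout and the sample records are constructed, and the threshold and window are assumptions to tune against your own baseline. It flags the burst and, more importantly, whether an approval followed it.

```python
"""Detect MFA push bombing ("MFA fatigue") in push-notification logs.

Added example for this article, not code from Cisco, Duo, Uber or any vendor.
The record shape below is a constructed simplification: real Duo, Okta or
Entra ID authentication logs carry the same fields under different names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice behaves normally, carol denies a few stray prompts
# over the day, bob is bombed at 02:13 and finally approves the eighth prompt.
SAMPLE_LOG = [
    {"user": "alice", "ts": "2024-04-16T09:02:10", "result": "approved", "src": "203.0.113.10"},
    {"user": "bob", "ts": "2024-04-16T02:13:01", "result": "timeout", "src": "198.51.100.7"},
    {"user": "bob", "ts": "2024-04-16T02:13:40", "result": "denied", "src": "198.51.100.7"},
    {"user": "bob", "ts": "2024-04-16T02:14:15", "result": "timeout", "src": "198.51.100.7"},
    {"user": "bob", "ts": "2024-04-16T02:14:50", "result": "denied", "src": "198.51.100.7"},
    {"user": "bob", "ts": "2024-04-16T02:15:30", "result": "timeout", "src": "198.51.100.7"},
    {"user": "bob", "ts": "2024-04-16T02:16:05", "result": "timeout", "src": "198.51.100.7"},
    {"user": "bob", "ts": "2024-04-16T02:16:44", "result": "denied", "src": "198.51.100.7"},
    {"user": "bob", "ts": "2024-04-16T02:17:20", "result": "approved", "src": "198.51.100.7"},
    {"user": "carol", "ts": "2024-04-16T08:00:00", "result": "denied", "src": "192.0.2.44"},
    {"user": "carol", "ts": "2024-04-16T12:00:00", "result": "denied", "src": "192.0.2.44"},
    {"user": "carol", "ts": "2024-04-16T16:00:00", "result": "denied", "src": "192.0.2.44"},
    {"user": "alice", "ts": "2024-04-16T17:45:00", "result": "approved", "src": "203.0.113.10"},
]


def find_push_bombing(records, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per burst of >= `threshold` unapproved pushes for the
    same user inside `window`, noting whether an approval followed the burst."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append((datetime.fromisoformat(r["ts"]), r["result"], r["src"]))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        recent = deque()   # timestamps of unapproved prompts still inside the window
        current = None     # alert for the burst in progress, if any
        for ts, result, src in events:
            while recent and ts - recent[0] > window:
                recent.popleft()
            if not recent:
                current = None            # window drained: the previous burst is over
            if result == "approved":
                if current is not None:   # approval right after a burst: the fatigue "win"
                    current["approved_after_burst"] = True
                    current["approved_from"] = src
                recent.clear()
                current = None
                continue
            recent.append(ts)
            if current is None and len(recent) >= threshold:
                current = {"user": user, "burst_start": recent[0].isoformat(),
                           "unanswered": len(recent), "src": src,
                           "approved_after_burst": False, "approved_from": None}
                alerts.append(current)
            elif current is not None:
                current["unanswered"] = len(recent)
    return alerts


if __name__ == "__main__":
    for alert in find_push_bombing(SAMPLE_LOG):
        print(alert)
```

An alert with `approved_after_burst` set is the one to treat as a confirmed compromise rather than a nuisance: the user approved a prompt they did not initiate, so the session that resulted should be revoked and the password rotated, not merely investigated.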

Attacker-in-the-Middle (AiTM)

This attack is more involved, but it is becoming disturbingly common. An attacker stands up a reverse proxy behind a look-alike domain that serves the real site’s pages, such as a banking portal or an internal login page, and sends a phishing campaign that steers customers and/or employees to it. Everything the victim types (username, password, and the MFA code or push approval) is relayed to the real site in real time, so the real site sees a normal login. The real site then sets a session cookie, which passes back through the proxy and is captured by the attacker, while the victim is shown an error or redirected somewhere harmless. The attacker now holds an authenticated session and never has to touch the second factor again.

[Diagram: MFA-Diagram.png, the attacker-in-the-middle flow between the user, the phishing proxy and the real site; image: https://www.portnox.com/wp-content/webp-express/webp-images/uploads/2024/04/MFA-Diagram.png.webp]

Microsoft uncovered a huge AiTM attack in 2023 aimed at financial institutions, and Reddit was hacked that same year using a similar method.
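The reason an OTP falls to this relay while a FIDO2/WebAuthn credential does not is worth seeing in code. Below is an added example written for this article (not code from Microsoft, Reddit or any vendor): a toy relying party at an assumed origin `https://login.example.com`, a phishing proxy at an assumed `https://login-example.com`, and a victim browser. The authenticator “signature” is an HMAC with a per-user key, a stand-in for the asymmetric signature real WebAuthn uses; the point is what gets signed. The browser writes the origin of the page it is actually on into the signed client data, so the relayed assertion names the phishing origin and the real site rejects it, while the relayed OTP is accepted.

```python
"""Why an origin-bound credential survives an AiTM proxy while an OTP does not.

Added example for this article, not code from Microsoft, Reddit or any vendor.
Assumptions: the relying party is login.example.com, the phishing site is
login-example.com, and the authenticator "signature" is an HMAC with a
per-user key instead of the asymmetric signature real WebAuthn uses. The
relay logic is what matters: the proxy forwards whatever the victim types or
signs, but the browser stamps the page's real origin into the signed data.
"""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.com"    # assumed relying party
PHISH_ORIGIN = "https://login-example.com"   # assumed attacker domain


class RelyingParty:
    """The legitimate site: issues OTPs and challenges, hands out session cookies."""

    def __init__(self):
        self.fido_keys = {"alice": secrets.token_bytes(32)}  # registered credential per user
        self.pending_otp = {}
        self.pending_challenge = {}
        self.sessions = {}

    # SMS OTP: the code carries no information about where it was typed.
    def send_otp(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[user] = code
        return code                                  # "texted" to the user's phone

    def verify_otp(self, user, code):
        expected = self.pending_otp.pop(user, "")
        if expected and hmac.compare_digest(expected, code):
            return self._issue_session(user)
        return None

    # FIDO-style flow: the signed clientData includes the origin the browser saw.
    def start_fido(self, user):
        challenge = secrets.token_hex(16)
        self.pending_challenge[user] = challenge
        return challenge

    def verify_fido(self, user, client_data, signature):
        data = json.loads(client_data)
        key = self.fido_keys.get(user)
        if key is None or data.get("challenge") != self.pending_challenge.pop(user, None):
            return None
        if data.get("origin") != REAL_ORIGIN:
            return None                              # signed for some other site: reject
        expected = hmac.new(key, client_data.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_session(user)

    def _issue_session(self, user):
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie


class VictimBrowser:
    """Signs whatever challenge the current page presents, but always records
    that page's origin in clientData; the user cannot override this."""

    def __init__(self, user, key):
        self.user, self.key = user, key

    def sign(self, challenge, page_origin):
        client_data = json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


def aitm_otp(rp, user):
    """Attacker proxy relays the OTP the victim types into the fake page."""
    code = rp.send_otp(user)           # RP texts the real code to the victim
    typed = code                       # victim types it into the phishing page
    return rp.verify_otp(user, typed)  # proxy replays it and receives the victim's cookie


def aitm_fido(rp, browser):
    """The same relay against an origin-bound credential."""
    challenge = rp.start_fido(browser.user)          # proxy starts a login at the real RP
    cd, sig = browser.sign(challenge, PHISH_ORIGIN)  # victim's browser is on the fake page
    return rp.verify_fido(browser.user, cd, sig)     # relayed assertion names the wrong origin


def legit_fido(rp, browser):
    challenge = rp.start_fido(browser.user)
    cd, sig = browser.sign(challenge, REAL_ORIGIN)
    return rp.verify_fido(browser.user, cd, sig)


if __name__ == "__main__":
    rp = RelyingParty()
    browser = VictimBrowser("alice", rp.fido_keys["alice"])
    print("OTP relayed through AiTM  ->", "cookie stolen" if aitm_otp(rp, "alice") else "blocked")
    print("FIDO relayed through AiTM ->", "cookie stolen" if aitm_fido(rp, browser) else "blocked")
    print("FIDO on the real site     ->", "logged in" if legit_fido(rp, browser) else "blocked")
```

The origin check is the whole defence: the attacker can relay bytes but cannot make the victim’s browser lie about which page it is on. This is the property that certificate-based and FIDO2 logins share and that codes and push approvals lack.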

Stolen Cookies

There are almost as many varieties of this attack as there are of actual cookies: pass-the-cookie, cookie poisoning, cookie tossing. They all come back to the same basic fact: once you log in to something through a web browser, a session cookie is set that identifies you on every subsequent request. Without it you’d have to log in to each page of a website individually, which would make online banking possibly the most frustrating exercise on the planet. Our ever-expanding portfolio of cloud-based services makes these cookies an extremely attractive target, because a stolen, still-valid session cookie completely bypasses MFA: the MFA check already happened when the cookie was issued. When Okta was hacked in 2023, the attackers went after support cases, which included HAR files that customers had uploaded for troubleshooting, and those files happened to contain session tokens. Stolen and forged authentication tokens were also a factor in the 2020 SolarWinds campaign.
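The practical lesson from the Okta case is that a browser capture is a credential dump. Here is an added example (written for this article, not tooling from Okta or any vendor) that redacts the session-bearing parts of a HAR file before it is handed to anyone: cookie and authorization headers, every cookie value, query strings, and request bodies. The HAR layout follows the HAR 1.2 format; the sample file, the header list and the token values are constructed.

```python
"""Scrub session material from a HAR file before it leaves your hands.

Added example for this article, not tooling from Okta or any vendor. The
entry layout (log.entries[].request/response .headers, .cookies, .queryString,
.postData) is HAR 1.2; SAMPLE_HAR is constructed, and SENSITIVE_HEADERS is an
assumed starting list you should extend for your own applications.
"""
import copy
import json

SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}
REDACTED = "REDACTED"

SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "POST",
        "url": "https://app.example.com/api/session?token=qwerty999",
        "headers": [{"name": "Cookie", "value": "sid=abc123; theme=dark"},
                    {"name": "Accept", "value": "*/*"}],
        "queryString": [{"name": "token", "value": "qwerty999"}],
        "cookies": [{"name": "sid", "value": "abc123"}, {"name": "theme", "value": "dark"}],
        "postData": {"mimeType": "application/json", "text": "{\"refresh_token\":\"rt-secret\"}"},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly; Secure"},
                    {"name": "Content-Type", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "def456"}],
        "content": {"mimeType": "application/json", "text": "{\"ok\":true}"},
    },
}]}}


def scrub_har(har):
    """Return a copy with cookies, auth headers, query strings and request bodies redacted."""
    har = copy.deepcopy(har)
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in msg.get("cookies", []):     # every cookie: you cannot tell which one is the session
                c["value"] = REDACTED
        req = entry.get("request", {})
        for q in req.get("queryString", []):     # tokens regularly ride in query parameters
            q["value"] = REDACTED
        if "?" in req.get("url", ""):
            req["url"] = req["url"].split("?", 1)[0] + "?" + REDACTED
        if "postData" in req:                    # request bodies carry refresh tokens and passwords
            req["postData"]["text"] = REDACTED
    return har


def leaked(har, needles):
    """Check: which known secrets still appear anywhere in the serialized HAR?"""
    blob = json.dumps(har)
    return [n for n in needles if n in blob]


if __name__ == "__main__":
    clean = scrub_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=1))
    print("still leaking:", leaked(clean, ["abc123", "def456", "qwerty999", "rt-secret"]))
```

The `leaked` check is the part to keep even if you trust the scrubber: grep the output for the actual session ID you were holding when the capture was made, because tokens also turn up in places this code does not look, such as response bodies and redirect `Location` headers.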

MFA is Inconvenient

You may not think inconvenience is relevant to how MFA can be bypassed, but consider this: Microsoft was hacked in November 2023, and the attackers got in with a simple password spray against a legacy test account that didn’t have MFA turned on, then pivoted from there to the e-mail of senior executives. Why was MFA off? Because no one wants to get a code or approve a push 20 times a day. In response to the Okta hack, the company announced it would be turning on MFA for protected actions in its admin console. Why wasn’t it on before? Because it slows you down, interrupts your workflow, and is generally annoying. This creates a tendency not to enable it everywhere, which leaves dangerous gaps in your security. The worst part of all of this is that none of it is terribly difficult or complex to do. There are plenty of videos on YouTube that will show you how to deploy each of these hacking strategies.
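A password spray is easy to miss because it is designed to stay under per-account lockout thresholds: one or two guesses against each of many accounts, from one source, in a short window. The detector below is an added example written for this article, not Microsoft’s or any identity provider’s logic; the log line format, the sample lines and the account name `svc-legacy-test` are constructed, and the window and thresholds are assumptions. It distinguishes a spray from an ordinary brute force against a single account, and reports which account the spray finally succeeded against.

```python
"""Flag password-spray behaviour: one source, many accounts, one or two tries each.

Added example for this article, not Microsoft's or any IdP's detection. The
log lines are constructed in a simplified "<ts> <src_ip> <user> <result>"
shape; real sign-in logs carry the same fields. The account name
svc-legacy-test is made up for the sample.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LINES = """\
2024-04-16T03:00:01 198.51.100.23 alice FAIL
2024-04-16T03:00:03 198.51.100.23 bob FAIL
2024-04-16T03:00:05 198.51.100.23 carol FAIL
2024-04-16T03:00:07 198.51.100.23 dave FAIL
2024-04-16T03:00:09 198.51.100.23 erin FAIL
2024-04-16T03:00:11 198.51.100.23 frank FAIL
2024-04-16T03:01:30 198.51.100.23 svc-legacy-test OK
2024-04-16T07:30:00 192.0.2.5 alice FAIL
2024-04-16T07:30:02 192.0.2.5 alice FAIL
2024-04-16T07:30:04 192.0.2.5 alice FAIL
2024-04-16T07:30:06 192.0.2.5 alice FAIL
2024-04-16T07:30:08 192.0.2.5 alice FAIL
2024-04-16T07:30:10 192.0.2.5 alice FAIL
2024-04-16T09:15:00 203.0.113.10 alice FAIL
2024-04-16T09:15:20 203.0.113.10 alice OK
""".splitlines()


def parse(line):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result


def detect_password_spray(lines, window=timedelta(minutes=15), min_users=5, max_per_user=2):
    """Return one alert per source that, within `window`, failed against at least
    `min_users` distinct accounts while never exceeding `max_per_user` failures
    on any one of them (that low per-account rate is what stays under lockout)."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            ev = parse(line)
            by_src[ev[1]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        alert = None
        start = 0
        for end, (ts, _, _, _) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1                          # slide the window forward
            span = evs[start:end + 1]
            fails = defaultdict(int)
            for _, _, user, result in span:
                if result == "FAIL":
                    fails[user] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                successes = sorted({u for _, _, u, r in span if r == "OK"})
                if alert is None:
                    alert = {"src": src, "window_start": evs[start][0].isoformat(),
                             "accounts_tried": len(fails), "compromised": successes}
                    alerts.append(alert)
                else:                               # keep the alert current as the spray continues
                    alert["accounts_tried"] = max(alert["accounts_tried"], len(fails))
                    alert["compromised"] = sorted(set(alert["compromised"]) | set(successes))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_LINES):
        print(alert)
```

Note what the sample shows: the six failures against `alice` from `192.0.2.5` are a brute force, not a spray, and are left to the lockout policy; the spray from `198.51.100.23` is flagged, and its `compromised` list names the one account with no MFA that accepted the guess. That list is the triage queue.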

Passwordless Authentication is the Future

You may have noticed a recurring theme through these breaches: some form of phishing and/or social engineering is what gets attackers past MFA. Despite thousands of hours of training, fake phishing e-mail tests, and articles on security best practices, the reality is that passwords, and the codes and prompts that back them up, are inherently weak, because they still rely on a human to handle a secret, and the best way to really keep yourself, your data, and your entire organization secure is to take that human element out of the login. Switching to certificate-based, passwordless authentication does exactly that: the private key behind the certificate never leaves the device, and the device proves possession of it by signing a challenge, so there is nothing for a user to type into a fake site, read out over the phone, or approve by mistake. And in a rare win for anything that enhances security, certificates provide a better user experience because there’s no password to remember, no passcode to get from a text message, and no push notifications. Make everyone’s daily digital life easier and more secure with passwordless authentication!

Portnox’s cloud-native NAC solution delivers passwordless authentication, endpoint risk monitoring, and 24/7 compliance enforcement. If you look up NAC solutions on Reddit, you’re likely to encounter frustration, anger, and genuine sadness. That’s how users feel about archaic and cumbersome legacy NAC products. That sorrow ends today. With the Portnox Cloud, powerful and easy-to-use network access control functionality is available at your fingertips.
