Duo Security Made MFA Ubiquitous. The Second Factor Is Still a Credential.
by Nick Clark | Published March 28, 2026
Duo Security, now Cisco Duo, did more than perhaps any other vendor to take multi-factor authentication out of the niche of high-security shops and into the default posture of mainstream enterprise IT. Duo MFA's push-notification model, Duo Trust Monitor's behavioral risk surface, and Duo Single Sign-On's federation layer made the second factor cheap enough to deploy and unobtrusive enough that users tolerate it. WebAuthn and U2F support extend the factor menu into phishing-resistant hardware. The user-experience curve and the integration breadth are genuine accomplishments, and the resulting reduction in credential-stuffing and password-replay attack success is measurable. But every Duo factor — push approval, TOTP, U2F, WebAuthn, hardware token, biometric verification — is a credential: a registration secret, an enrolled key, a stored template, a cryptographic seed bound to a specific device or user enrollment. Adding factors multiplies credentials; it does not escape the credential model. The structural gap is between strengthening the credential lattice and replacing it with identity derived from accumulated behavioral continuity, rooted in a central trust anchor that no longer needs to be defended as a single point of compromise.
Vendor and product reality
Cisco Duo's catalog covers the operational MFA stack end-to-end. Duo MFA handles enrollment, push, TOTP, SMS fallback, voice callback, U2F, and WebAuthn across web applications, VPN concentrators, RDP, SSH, and a long tail of integrations through RADIUS and SAML. Duo Single Sign-On provides a SAML identity-provider front end so that the second factor and federated session can be administered together. Duo Trust Monitor adds behavioral analytics over authentication events, surfacing anomalies for security-team review. Duo Device Health and Trusted Endpoints assess the posture of the device performing authentication — operating-system version, disk encryption, screen lock, presence of a managed-device certificate.
The combined product reduces the operational cost of strong authentication to a level that small and mid-market organizations can absorb. Duo's enrollment flow, the simplicity of the push approval, and the integration breadth are why the product is the de facto MFA layer across a wide swath of the market. The gap described below is not a critique of the product. It is a structural property of the authentication-factor model that Duo and every other MFA vendor implements.
The architectural gap
More factors mean more credentials. The Duo Mobile app holds a registration secret established at enrollment; the secret is what allows the app to produce valid push approvals. TOTP factors hold a shared seed. U2F and WebAuthn authenticators hold private keys generated at registration. Biometric verification, where it is used, relies on an enrolled template against which subsequent presentations are matched. Each factor is a piece of secret or sensitive material whose protection is now part of the security surface, and whose loss requires re-enrollment. The credential model has been multiplied, not transcended.
The trust root remains central. Duo's authentication decisions terminate at the Duo service, which holds the binding between user identity, enrolled factors, and policy. A compromise of the central trust root — credential database exfiltration, administrative-account takeover, integration-secret leakage — is not a theoretical concern; the 2024 Duo telephony-provider incident exposed the operational reality that the central trust anchor is a target whose compromise has authentication-wide consequences. The factor menu is wider than a password, but the structural model is the same: a centrally administered credential database that grants or denies access on the basis of presented secrets.
Device trust evaluates the container, not the identity. Duo Trusted Endpoints checks whether the device performing authentication meets posture requirements. It does not verify that the device's identity derives from the device's own accumulated behavioral history. A factory-reset and re-enrolled device passes the same checks; an attacker who provisions a new device into the enrollment, by whatever means, presents identically to a relying party. The identity is the enrollment record, not the device's continuous operational existence.
What the keyless-identity primitive provides
The Adaptive Query keyless-identity primitive removes the credential as the identity-bearing object. A user's or device's identity is established through accumulated behavioral continuity — a trust slope computed over the entity's own interaction history — rather than through possession of an enrolled secret. There is no registration secret to steal, no TOTP seed to phish, no template to spoof, no central credential database whose compromise grants impersonation. The identity is the continuity itself, which an attacker cannot reproduce by capturing storage and cannot bypass by compromising a central trust anchor, because there is no central anchor whose key material defines the identity.
The primitive is also post-quantum by construction. It does not depend on the asymmetric primitives that WebAuthn authenticators rely on, and therefore does not inherit the migration cliff that a transition to post-quantum signing schemes will impose on the FIDO ecosystem.
Composition pathway
Keyless identity does not require enterprises to discard the Duo deployment they have. The composition pathway is hybrid and additive. During transition, an authentication event can present both a Duo factor — push, WebAuthn, hardware token — and a keyless continuity attestation. Relying parties that understand only the Duo factor continue to authenticate as before; relying parties that understand the keyless attestation gain the credential-elimination and central-anchor-decentralization properties without losing backward compatibility with the existing factor catalog.
For Cisco specifically, the integration surface aligns with existing Duo product boundaries. Duo Single Sign-On already federates authentication across the relying-party ecosystem; the same federation surface can carry keyless attestations alongside SAML assertions. Duo Trust Monitor already aggregates authentication-event signal for behavioral analysis; the same signal pipeline is, in effect, an early form of the continuity history that keyless identity formalizes architecturally. Duo Device Health and Trusted Endpoints continue to provide useful contextual signals — posture, location, network — that compose with keyless identity rather than competing with it; posture remains a useful input to access decisions even when the identity itself no longer depends on enrolled credentials.
The migration path lets enterprises retire credentials gradually. As the keyless continuity history accumulates for each user and device, the weight that authentication policy places on the legacy factor can decline, and the enrollment-and-recovery operational burden — lost-phone re-enrollment, token replacement, biometric re-registration — declines with it.
The recovery story changes in a way that matters operationally. Today, a lost authenticator is a hard re-enrollment event whose security posture depends on the strength of the help-desk verification process, which is a well-documented attack surface. Under keyless identity, a new device for an existing user does not begin from a zero-trust enrollment; it begins from the user's accumulated continuity, which the new device can establish by demonstrating consistency with the user's prior interaction history rather than by presenting a credential that the help desk has been social-engineered into resetting. The MFA-fatigue and push-bombing attack patterns that depend on user approval of unsolicited prompts also lose their structural foothold, because the authentication decision is no longer a binary approve-or-deny on a credential-based prompt. Continuity-based authentication is evaluated against the user's accumulated history rather than against the user's willingness to dismiss a notification, which removes the fatigue surface that an attacker exploits when they generate enough prompts that the user eventually approves one to make the buzzing stop.
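The hybrid transition described in this section, as a hypothetical policy evaluator (an added example, not Adaptive Query's or Cisco Duo's code): a relying party that does not understand the continuity attestation keeps deciding on the legacy factor alone, while one that does shifts weight from the legacy factor to continuity as history accumulates. The attestation fields, RAMP_DAYS, MIN_HISTORY_DAYS and the threshold are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LegacyFactor:
    kind: str       # e.g. "push", "webauthn", "hardware_token"
    verified: bool  # result reported by the MFA layer

@dataclass(frozen=True)
class ContinuityAttestation:
    # Assumed shape: a 0.0..1.0 consistency score plus the length of history behind it.
    score: float
    history_days: int

@dataclass(frozen=True)
class AuthEvent:
    subject: str
    legacy: Optional[LegacyFactor]
    continuity: Optional[ContinuityAttestation]

RAMP_DAYS = 180       # assumed: legacy weight reaches zero after this much history
THRESHOLD = 0.8       # assumed: combined score required to allow

def legacy_weight(history_days: int) -> float:
    """Weight policy places on the legacy factor; declines linearly to zero as history accumulates."""
    return max(0.0, 1.0 - history_days / RAMP_DAYS)

def evaluate(event: AuthEvent, understands_continuity: bool) -> tuple[bool, str]:
    """Return (allow, reason) for one authentication event."""
    legacy_ok = 1.0 if (event.legacy and event.legacy.verified) else 0.0
    if not understands_continuity or event.continuity is None:
        # Backward-compatible path: the relying party sees only the Duo factor.
        if event.legacy is None:
            return False, "no usable factor presented"
        return event.legacy.verified, f"legacy {event.legacy.kind} only"
    w = legacy_weight(event.continuity.history_days)
    combined = w * legacy_ok + (1.0 - w) * event.continuity.score
    reason = f"legacy_weight={w:.2f} combined={combined:.2f}"
    # With enough history, an anomalous continuity score denies even a verified push:
    # the decision no longer rests on the user having tapped approve.
    return combined >= THRESHOLD, reason

if __name__ == "__main__":
    fresh = ContinuityAttestation(score=0.95, history_days=0)
    mature = ContinuityAttestation(score=0.9, history_days=365)
    push = LegacyFactor("push", verified=True)
    print(evaluate(AuthEvent("alice", push, fresh), understands_continuity=False))
    print(evaluate(AuthEvent("alice", None, fresh), understands_continuity=True))
    print(evaluate(AuthEvent("alice", None, mature), understands_continuity=True))
```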
Commercial and licensing posture
Adoption sequencing favors identity vendors whose installed base spans both the workforce-identity horizon — where help-desk re-enrollment cost and MFA-fatigue attacks set the operational pain points — and the workload-identity horizon, where machine-to-machine authentication is increasingly the bulk of authentication traffic and where credential rotation is the dominant operational burden. Cisco Duo's combined posture across workforce identity, device trust, and the broader Cisco workload-identity portfolio spans both. The keyless-identity primitive is available for licensing to identity and authentication vendors under terms that preserve the licensee's customer relationships, integration catalog, and revenue model. The intended commercial shape is an enabling layer that Cisco Duo and similar vendors integrate behind their existing product surfaces — Duo MFA, Duo SSO, Duo Trust Monitor — rather than a competing identity service sold directly to end customers. License terms accommodate hybrid deployments during the multi-year credential-retirement window and contemplate the eventual rebalancing of value from per-seat MFA licensing toward continuity-attestation services as the keyless path matures. Adaptive Query's interest is in the primitive being adopted by the vendors whose installed base and operational scale are precisely what a credential-elimination transition will require; the commercial structure is designed to make that adoption straightforward.