Cisco's Duo Security suffers major authentication outage

Updated Cisco-owned access management firm Duo Security has been unable to give customers access to their own IT systems due to an outage that began on Monday morning.

The incident began around 0934 EDT and is still limiting some clients' ability to login to their respective services using Duo multi-factor authentication about three hours later.

According to Duo Security's status page, the company began investigating authentication errors on its DUO1 deployment around that time. But the status page also notes most of its other instances, up to DUO73, are also experiencing a partial outage to the Core Authentication Service.

This has been affecting Duo Prompt, its web-based authentication interface.

Separately, around 1135 EDT, the biz said it is investigating authentication errors related to Azure Conditional Access integrations.

A subsequent update suggests the source of that problem has been found. "We have identified the root cause of the issue causing authentication errors with Microsoft Azure Conditional Access Duo protected applications," the company said about 30 minutes later. "The issue has auto-resolved and we are now monitoring for stability."

• Microsoft DNS boo-boo breaks Hotmail for users around the globe
• Global Slack messaging outage cuts world off from colleagues
• Bank of Ireland outage sees customers queue for 'free' cash – or maybe any cash
• GitLab deploys on a Friday and ... is down for a few hours

In an update at 1400 EDT, Duo noted: "We are continuing to increase capacity to resolve the authentication failures on DUO1. Systems have started to recover."

The outage comes at a particularly bad time for some of Duo's education customers, which happen to be starting classes on Monday.

The University of Iowa, for example, starts classes today, and the school's IT department issued an alert about the issue.

"Users are reporting issues authenticating with Duo Two-Step login," the school's Information Technology Service said. "Upon login the Duo Two-Step page shows an error or that the service is under heavy load. Support staff are working to resolve the issue."

University of North Carolina at Chapel Hill, which also starts classes today, similarly issued an alert that its services may be affected.

Other schools that are preparing to welcome students in the days ahead have also reported problems.

Georgetown University, which begins classes on Wednesday, warned that the outage may limit the ability to log in to its systems. The University of South Carolina, which begins classes on Thursday, also issued an alert about the outage. So too did Pace University, which doesn't start classes until next month.

And a number of other schools, including the University of Idaho and Ohio State, have reportedly been affected.

The authentication outage follows on the heels of an August 17 outage affecting Duo's SMS/Phone delivery mechanism for multi-factor authentication messages. That incident has since been attributed to a failure of the company's autoscaling mechanism to handle increased traffic.

Cisco did not immediately respond to a request for comment. ®

Updated to add at 2345 UTC

In a statement to The Register, a Cisco spokesperson told us, "Cisco’s top priority is the satisfaction and support of our customers.

"On August 21, Cisco experienced an issue with Duo that resulted in an interruption of service for some of our customers and end users. The issue is now resolved, and we continue to monitor for stability."