TLS 1.2 on Admin console


#1

Just received the email about the Duo Admin console not supporting browsers using cipher versions older than TLS 1.2. I appreciate the notice and transparency, but I gotta say I’m disappointed, Duo. The PCI SSC announced this requirement over a year and a half ago, and the deadline (which was already extended a year) for implementation was June 30, 2018. A security company I use and trust is just now implementing this on July 26, 2018 (being out of compliance for almost a month)? Those of us who take PCI seriously know how much effort and preparation may have been required for this, and the LONG time the council gave us to implement it. Don’t get me wrong, we absolutely love Duo and I will wholeheartedly recommend it over your competitors, but just some feedback that we’re disappointed in your lack of preparation and commitment to PCI. When your job is to help me be compliant (primarily section 8.3) and you yourself aren’t (section 4.1), it’s not sending a good message.


#2

Hi jrolfe,

Thanks for reaching out with this feedback and your concerns about PCI compliance. We apologize for our delay in moving the Admin Panel to requiring TLS 1.2.

We evaluate all of our security configurations, including TLS, on an ongoing basis and make changes when emerging technologies that help protect our customers become available. We also deprecate legacy technology when warranted due to potentially increased risk to our customers. While our move to TLS 1.2 for the Admin Panel did not occur in a completely satisfactory timeframe, we have no reason to suspect that it put customers at any risk.

We welcome any further feedback you have on this (and any feedback on future items, as well).


#3

Appreciate the response. As I said, I’m a big fan of Duo, both the company and the products, and despite this rare instance of criticism :wink: I always readily endorse it when given the chance. I appreciate your transparency and commitment to customer satisfaction.