
A Multi-Layered Defense for Password Security

Using Duo Security for multi-factor authentication (MFA) is a smart way to protect logins, but even with MFA in place, weak or compromised passwords remain a serious risk. That’s where Enzoic for Active Directory comes in. Enzoic adds an extra layer of password security by actively screening and monitoring passwords against real-time breach data. Integrating Enzoic with Duo gives you the best of both worlds: strong MFA from Duo, and continuous compromised-password protection from Enzoic, resulting in a cohesive, multi-layered defense. In this post, we explain why this integration is valuable and walk through how to implement the Enzoic + Duo integration in a few simple steps.

Why Combine Enzoic with Duo?

Elevated Credential Security: By combining Enzoic with Duo’s MFA, organizations significantly improve credential safety. Enzoic continuously monitors passwords for compromise and automatically enforces changes when a password becomes unsafe. Meanwhile, Duo ensures every login is verified with a second factor. Together, they address both something you know (password security) and something you have (MFA), dramatically reducing the risk of breaches.

Address Password Weaknesses MFA Doesn’t Cover: Duo may require a second factor, but it doesn’t check if the password itself is weak or known to attackers. Many breaches still originate from compromised or common passwords – in fact, 81% of hacking-related breaches involve stolen or weak passwords. Enzoic fills this gap by enforcing modern password policies: it screens new passwords against billions of known compromised credentials and common password patterns, per NIST guidelines. This ensures users aren’t using passwords that attackers could easily guess or that have appeared in breach databases.

Seamless, Conflict-Free Integration: If you already use Duo (or plan to), adding Enzoic is straightforward and won’t interfere with your existing MFA workflow. Enzoic’s client is designed to wrap around Duo’s credential provider on Windows, rather than conflict with it. The configuration involves minimal steps (essentially just exchanging each product’s GUID as explained below) and ensures both tools work in harmony. There’s no need to disable anything in Duo or vice-versa – they operate side by side without user friction. In short, Enzoic integrates easily with Duo with no conflicts and very little configuration effort.

What Compromised Password Detection in Duo Does for Your Password Security

When integrated with Duo, Enzoic for Active Directory provides critical protections at each stage of the password lifecycle:

  • Real-Time Password Screening: Whenever a user creates or resets their Active Directory password, Enzoic checks that password against its real-time breach data and password blacklists. If the chosen password is found in a breach corpus or is dangerously weak, Enzoic’s plugin will block it immediately. Users get instant feedback and must choose a more secure password. This real-time screening prevents compromised or common credentials from ever being used in your environment.
  • Continuous Credential Monitoring: Enzoic doesn’t stop after the password is set. It continuously monitors each password daily against the latest known breached password databases. If a password that was safe yesterday shows up in a new breach tomorrow, Enzoic will automatically flag it. Administrators can be alerted immediately, or Enzoic can even enforce a password change the next time the user logs in. This means your organization isn’t relying solely on periodic password resets; passwords remain secure over time, and users only have to change them when there’s evidence of compromise (aligning with modern NIST 800-63B guidance).
  • Stronger Overall Password Policy Compliance: With Enzoic, you can enforce NIST-compliant password policies that go beyond legacy complexity rules. Enzoic’s checks include weak or common passwords (like “Password1234” or predictable patterns), reused passwords exposed on the dark web, and even variants with common substitutions. By integrating these checks seamlessly, you reduce the attack surface significantly while Duo’s MFA provides an additional step to defend against account takeover attempts. The result is a layered defense: attackers would need not only to compromise a user’s second factor (Duo) but also correctly guess the secure password – a highly unlikely scenario.

Integration Steps – Enzoic for Compromised Password Detection in Duo (It’s Easy)

Setting up Enzoic to work alongside Duo is straightforward. Essentially, you need to let each product know about the other’s credential provider so they can function together. Here’s how to implement the integration step-by-step:

  1. Add Duo’s ID inside Enzoic
    In the Enzoic for Active Directory Admin Console go to Settings → Client Settings.
    Paste Duo’s credential-provider ID 44E2ED41-48C7-4712-A3C3-250C5E6D5D84 into Alternate Credential Provider GUID, then click Update Configuration.
  2. Add Enzoic’s ID inside Duo
    On each machine that will run the Enzoic client, open Registry Editor and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoCredProv.
    Create (or edit) the multi-string value ProvidersWhitelist and enter Enzoic’s ID {C6522CF0-8F6E-4E5A-BC65-9D3B7E8390C2}.
  3. Install or upgrade the Enzoic client
    Run the Enzoic MSI (or update if it’s already there).
    Reboot if prompted. Enzoic now “wraps” around Duo instead of disabling it.
  4. Spot‑check that it works
    Have a user change a password.
    Enzoic will block anything weak or breached; once the password is accepted, Duo immediately asks for the usual second factor.
    If you see both actions happen in that order, the integration is done.
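
To check step 2 across several machines without opening Registry Editor on each, the following PowerShell audits the ProvidersWhitelist value and, with -Fix, appends Enzoic's ID without overwriting existing entries. This is an added example, not Enzoic's or Duo's own tooling: the key path, value name and GUID are the ones from the steps above, while the function name and the -Fix switch are hypothetical.

```powershell
# Added example, not vendor tooling: audit (and with -Fix, repair) step 2's registry value.
# Key path, value name and GUID come from the steps above; the function name and
# the -Fix switch are hypothetical.
function Test-DuoProvidersWhitelist {
    [CmdletBinding()]
    param(
        [string]$Guid = '{C6522CF0-8F6E-4E5A-BC65-9D3B7E8390C2}',
        [switch]$Fix
    )
    $key  = 'HKLM:\SOFTWARE\Duo Security\DuoCredProv'
    $name = 'ProvidersWhitelist'

    # Require a braced GUID with ASCII hyphens; typographic hyphens pasted from a
    # web page look identical but will never match the provider's real ID.
    if ($Guid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Not a well-formed braced GUID: $Guid"
    }
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Duo credential provider key not found: $key"
    }

    $regKey  = Get-Item -LiteralPath $key
    $exists  = $regKey.GetValueNames() -contains $name
    $current = @()
    if ($exists) {
        # The step calls for a multi-string value; flag any other type.
        $kind = $regKey.GetValueKind($name)
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
            throw "$name exists but is $kind, expected MultiString"
        }
        $current = @($regKey.GetValue($name) | Where-Object { $_ })
    }

    $present = $current -contains $Guid   # string comparison is case-insensitive
    if (-not $present -and $Fix) {
        # Append rather than overwrite so other whitelisted providers are kept.
        [string[]]$new = @($current) + $Guid
        New-ItemProperty -LiteralPath $key -Name $name -PropertyType MultiString `
            -Value $new -Force | Out-Null
        $present = $true
    }
    [pscustomobject]@{ Key = $key; Present = $present; Entries = @($current) }
}

# Audit only; run with -Fix from an elevated session to write the value.
Test-DuoProvidersWhitelist
```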

The full integration guide is available in Enzoic’s support documentation.

End-User Flow After Integration

For end-users, the login and password update experience remains straightforward and familiar:

  • During Password Change: When users set a new password, Enzoic’s checks happen in the background. If the chosen password is unsafe (e.g. it appears in Enzoic’s compromised password database or violates policy), the user is told which policies they are violating in real time, with every keystroke. If the user attempts to change a password to one that is out-of-policy or compromised, the password change is blocked on the spot and the user is prompted to choose a different password. This feedback occurs immediately upon typing and also when they hit “Submit” for a new password. They can then try a stronger password until it meets all criteria.
  • During Login (MFA Prompt): Once a user has a valid password set, logging in works just like it did before. The presence of Enzoic does not change the normal Duo MFA workflow. Users will enter their username and password at the Windows logon as usual. If the password is correct (and hasn’t become compromised since it was set), the system accepts it. At that point, Duo will immediately prompt the user for their second factor, exactly as it normally does. There is no extra step for the user beyond what they already do for Duo’s MFA. In short, the MFA flow remains unchanged. Enzoic’s involvement is invisible during login unless a compromised password was in play. The only difference a user might notice is during a password change when an unsafe password is rejected; otherwise, day-to-day authentication with Duo MFA is the same seamless experience.

This integrated flow ensures that users are prevented from using risky passwords but are not burdened with any new steps during login. If their password ever becomes compromised down the line, Enzoic can force a change (which the user will experience as a prompt to update their password at next login), but after that they continue with Duo MFA as usual. From the end-user perspective, security is tighter without making their login process more complicated. Your first factor, the password, is now your strongest defense.

Conclusion

Implementing Enzoic alongside Duo is a simple yet highly effective way to strengthen your organization’s defenses. With minimal configuration, you gain continuous password compromise monitoring on top of strong MFA – covering two critical aspects of account security without any usability sacrifice. Enzoic and Duo work in tandem to stop weak or breached passwords from creeping into your systems and to block unauthorized access even if credentials are stolen. The integration is quick to set up (often just a few minutes) and supported by both vendors’ documentation, with no additional licensing cost if you already use Enzoic for Active Directory and Duo. Don’t leave the password half of the authentication equation vulnerable; strengthen it with Enzoic, and let Duo handle the rest. Your users will likely never know the difference, but your security team certainly will.

 

AUTHOR


Josh Parsons

Josh is the Product Manager at Enzoic, where he leads the development and execution of strategies to bring innovative threat intelligence solutions to market. Outside of work, he can be found at the nearest bookstore or exploring the city’s local coffee scene.