Duo Security Rides Growing Interest in Two-Factor Authentication

Hardly a day goes by without a big headline announcing yet another consumer security breach; today’s version trumpets the possible theft of Staples customers’ credit card information. Keeping payment information safe from criminals is a priority for both businesses and consumers, and since Ann Arbor, MI-based Duo Security is at the forefront of a promising method to improve Internet security—more on that in a minute—business is booming.

It’s been a particularly busy few months for Duo, as evidenced by a move to a bigger office planned in November, a hiring push, and the successful close of a $12 million Series B round led by Silicon Valley-based Benchmark in late September.

“We continue to do really well—we just had another record quarter,” says Dug Song, Duo Security’s co-founder and a Detroit Xconomist. “We’re making sure we put ourselves way ahead of the curve.”

When Xconomy first covered Duo Security in 2010, it was called Scio Security and it was in stealth mode. Song, a serial entrepreneur who served as chief security architect at Arbor Networks before it was sold to Tektronix in 2010, founded the company with Jon Oberheide, a veteran of Arbor Networks and a Forbes’ “30 under 30” honoree for his Android security research.

A conversation with Song can be delightfully circuitous, as he can converse just as comfortably about building skateparks or the talents of Kathleen Hanna or the time he taught Kid Rock to play roulette as he can about the latest in Internet security. But it’s clear that Song—and, by extension, Duo Security—cares deeply about protecting private information online.

Duo’s flagship product is a cloud-based, two-factor authentication technology called Duo Push that, once installed and activated on a smartphone, lets the user approve a login with the tap of a button. With the rise of password thefts, two-step authentication is emerging as one way to add a layer of security to online accounts by confirming that you are who you say you are, since passwords can be easy to guess and many people re-use them across sites. (Think of it like having one set of keys to unlock your car, your office, and your apartment. If a thief gets that one set of keys, they have access to everything.)

Duo Push is designed to protect against “man-in-the-browser” and other credential-theft attacks: a private key held on the user’s mobile device signs each login approval, while the server keeps only the matching public key and uses it to verify the signature. So even if Duo’s database is compromised, an attacker would obtain nothing more than public keys and could not bypass two-factor authentication to gain access to sensitive information.

“We’re able to leverage personal devices to help protect and augment password-based log-ins,” Song explains. “It’s interesting the way the world’s going—most employees have way more access to technology in their personal lives than at work. It didn’t used to be that way. There’s a new drive toward security without borders in the age of access. But we’ve got tricks up our sleeve to leverage that shift.”

Duo’s newest “trick,” announced today, is that its authentication products now support the Fast IDentity Online (FIDO) Universal Second Factor (U2F) specifications. Duo is launching its U2F phishing-resistant authentication method in conjunction with Google, Yubico, and other members of the FIDO Alliance in the hopes of driving adoption of this new U2F standard.

It comes in the form of a small USB device that plugs into the computer. Users touch the device to log in, providing a second authentication method in addition to a password. The phishing resistance comes from the way the device signs its response: the signature covers the identity of the site requesting it, so a response obtained by a look-alike domain will not verify at the genuine site. At the moment, it has to be used with Google Chrome, but Brian Kelly, Duo’s principal product marketing manager, says that users can leave it or take it with them and it’s “completely phishing proof.”
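The two security properties described above, a device-held private key whose public half is all the server stores (Duo Push) and a signature bound to the site’s identity (U2F), shown together as an added example. This is illustrative code written for this article, not Duo’s software or the U2F protocol itself: the payload layout (SHA-256 of the origin, then a counter, then the challenge), the origin strings, the user “alice” and the forgery helper are assumptions, and Ed25519 stands in for the ECDSA P-256 signatures real U2F tokens produce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Device models the phone or USB token: the key pair is generated here and the private key never leaves.
type Device struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey // shared with the server at enrollment
	counter uint32            // increments on every signature
}

func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Pub: pub}, nil
}

// assertionPayload is what gets signed: SHA-256(origin) || counter || challenge (assumed layout).
// Signing over the origin is what makes the response useless to a look-alike site.
func assertionPayload(origin string, counter uint32, challenge []byte) []byte {
	h := sha256.Sum256([]byte(origin))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	out := append(h[:], ctr[:]...)
	return append(out, challenge...)
}

// Sign approves one login. origin is whatever the browser or app says it is talking to;
// the device need not recognise a phishing site, because the server only accepts its own.
func (d *Device) Sign(origin string, challenge []byte) (uint32, []byte) {
	d.counter++
	return d.counter, ed25519.Sign(d.priv, assertionPayload(origin, d.counter, challenge))
}

type registration struct {
	pub         ed25519.PublicKey
	lastCounter uint32
}

// Server stores public keys only, so a copy of its user table cannot forge a login.
type Server struct {
	appID string // the origin this relying party expects to be signed
	users map[string]*registration
}

func NewServer(appID string) *Server {
	return &Server{appID: appID, users: make(map[string]*registration)}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.users[user] = &registration{pub: pub}
}

// Challenge returns 32 fresh random bytes for one login attempt.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify rejects replays and cloned devices via the counter, then checks the signature
// over the server's own appID rather than whatever origin the client saw.
func (s *Server) Verify(user string, challenge []byte, counter uint32, sig []byte) error {
	reg, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if counter <= reg.lastCounter {
		return errors.New("counter did not increase: replay or cloned device")
	}
	if !ed25519.Verify(reg.pub, assertionPayload(s.appID, counter, challenge), sig) {
		return errors.New("bad signature: wrong key or wrong origin")
	}
	reg.lastCounter = counter
	return nil
}

// ForgeWithStolenDB plays an attacker holding a dump of the server's user table (hypothetical helper).
// It has only the victim's public key, so the best it can do is sign with a key of its own.
func ForgeWithStolenDB(s *Server, user string, challenge []byte) (uint32, []byte, error) {
	reg, ok := s.users[user]
	if !ok {
		return 0, nil, errors.New("unknown user")
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return 0, nil, err
	}
	counter := reg.lastCounter + 1 // passes the counter check; the signature is what fails
	return counter, ed25519.Sign(attackerPriv, assertionPayload(s.appID, counter, challenge)), nil
}
```

A phishing page that relays the genuine challenge still loses: the device signs over the attacker’s origin, and the real server verifies against its own appID, so the signature does not match. The counter check is the same trick U2F uses to notice a cloned token: a second copy of the key will eventually present a counter the server has already seen.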

“Overall awareness of two-factor authentication is at peak levels,” Kelly says. Last year, Google, Microsoft, PayPal, and other heavy hitters in the IT realm put aside their competitive differences and got together to brainstorm how they could improve the authentication process, he says, realizing that an effective solution couldn’t come from just one entity. “Two-step authentication is becoming more of a household best practice, like backing up your data was a decade ago. I think two-factor authentication is reaching a similar level of maturity, and U2F is the first one to get market traction because it’s very pragmatic and specific about what it’s trying to deliver. Customers can choose their vendor, and everything is interoperable and compatible because we weren’t getting anywhere with proprietary solutions.”

While FIDO U2F was initially created for the consumer market, Kelly says Duo recognized that this same technology could also significantly bolster authentication on the business side. Google, Yubico, and the FIDO Alliance are marketing U2F devices to consumers, while Duo’s target customer is the enterprise market. Kelly adds that businesses that don’t have the resources to create their own in-depth security infrastructure are Duo’s “sweet spot.” But that’s not to say Duo’s customers are mostly small businesses, since Kelly says Duo’s security technology is used in-house by Facebook, Yelp, Etsy, and Tumblr employees, among others.

“Duo is focused on the business-to-business use case, though the marketing has to be end user-friendly,” Kelly points out. “We’re not targeting customers, but the businesses that want to offer it to their customers. As far as we know, we’re the first business-to-business vendor to support this new standard.”

Earlier this month, Duo also released its API edition, which enables developers to add two-factor authentication to their apps. The starting price for this feature is $3 per user per year with a minimum of 10,000 users, and Duo Security takes care of all of the operational aspects of authentication: alerting, reporting, key management and provisioning, and self-service device management. Current Duo API customers include Egnyte, Computer Services Inc., Gamesys, OTC Markets, and Dell SecureWorks.

“We’re taking the same authentication platform for internal use and applying it to much larger-scale access,” Kelly says. “We had been selling it on a case-by-case basis until we learned what people wanted. Now, we’re formally offering it because of market conditions and lots of people wanting it.”

In addition to the API Edition, Duo Security this month also released its mobile software development kit for iOS and Android, which allows mobile app providers to embed in-app authentication capabilities.

With so much growth in the past year and ever-increasing threats to keeping personal data secure, Song says Duo’s challenge now is attracting and retaining top talent. The company has roughly 100 employees, with 10 open positions currently listed on its website.

“We’re continually hiring,” he adds.


One response to “Duo Security Rides Growing Interest in Two-Factor Authentication”

  1. Hitoshi Anatomi says:

    Two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable

    Using a strong password does help a lot, even against the attack of cracking stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses, however strongly urged we may be. We are not built like horses.

    At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. Textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.