Duo Security Advances Two-Factor Authentication - InformationWeek


Using mobile devices as a second factor in authentication is not a new idea, but Duo Security makes it easier than some of its competitors.

After his pitch at a recent juried technology competition in Silicon Valley, CEO Dug Song of Duo Security handed a business card to two of the three judges. The third judge said he'd already traded cards with Song the night before at a networking event. That's how excited the Valley was to hear about Duo's token-less two-factor authentication technology, and it's no surprise the company took home the judge's choice award for mobile access.

Duo's token-less technology (really two-factor authentication via mobile device) was on BYTE's radar back in February. But evidently, everyone's excited about it. The reason: mobile devices make two-factor authentication easy to deploy at low cost. Doing so eliminates "... the high cost of provisioning, replacing, revoking, and managing physical tokens [that] has been a barrier to widespread implementation," Matt Sarrel of BYTE wrote.

Dug Song of Duo Security presenting at Under The Radar, introduced by TechWeb's David Berlind.

As Sarrel explains in the article, most two-factor mobile authentication technologies use a call, SMS message, or application to verify a login attempt with the user. Duo's technology is different largely because it's versatile. System administrators can deliver Duo's authentication via smart phones, standard cell phones, land lines, and existing hardware tokens, the company claims. If users do not have reception when they need the key, the company says users can ask the system to generate one-time passcodes deliverable via SMS prior to needing the code. Users also can generate one-time passcodes with Duo's mobile app.

Duo Security offers a wide variety of notification methods for the second factor. The company built free apps for Android, Blackberry, and iPhone.

Duo's service looks relatively expensive. Rates start at $3 per user per month, and drop with volume above 500 users. Compared with the competition mentioned in BYTE's February article, at the 100-user mark, that's expensive. For example, for 100 licenses Trustwave charges $1,417 per year, according to the company website, versus Duo's rate of $3,600. PhoneFactor doesn't list pricing information on its website, but a company representative said 100 licenses would average about $2,500 a year, depending on the features selected by the client.

An impressive claim Duo made at the competition is that its clients' credentials are more secure than RSA's. "Even if we were to be breached," CEO Song said, "there'd be no way for an attacker to go and impersonate all the clients, all the end users, because they don't have the private key that's actually on the user's phone." The technology uses a patented system that combines public and private encryption and prevents sharing secrets, he said.

The claim was in response to the judge's question about the widely reported heist on RSA's data centers last March. RSA reported the breach cost $66 million in restitution to clients. For the firms using RSA's two-factor authentication technology, it was a mess to clean up. For example, CRN.com reported that, "... Lockheed [Martin] had to shut down its computer systems and reissue tokens to many of its employees, while requiring a password reset for its 120,000 workers."
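Song's claim comes down to what the server stores. The added example below (not Duo's code or protocol, which the article does not describe, and not RSA's algorithm) contrasts a shared-seed one-time password, with HOTP from RFC 4226 as a generic stand-in, against a challenge signed by a phone-held private key, with a Lamport one-time signature as a standard-library stand-in for the asymmetric scheme. The user name, record layout and function names are constructed for illustration.

```python
import hashlib, hmac, secrets, struct

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

# Shared-secret design: HOTP (RFC 4226). Server and token hold the SAME seed.
def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# Asymmetric design: Lamport one-time signature (assumption: stand-in only;
# each key pair may sign exactly one challenge).
def lamport_keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(H(a), H(b)) for a, b in priv]
    return priv, pub

def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(priv, msg: bytes):
    return [priv[i][bit] for i, bit in enumerate(digest_bits(msg))]

def lamport_verify(pub, msg: bytes, sig) -> bool:
    want = [pub[i][bit] for i, bit in enumerate(digest_bits(msg))]
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), w) for s, w in zip(sig, want))

def breach_demo():
    # Constructed enrollment for a hypothetical user "alice".
    seed = secrets.token_bytes(20)            # copy lives on token AND server
    phone_priv, pub = lamport_keygen()        # private half never leaves phone
    server_db = {"alice": {"hotp_seed": seed, "pubkey": pub}}
    leaked = server_db["alice"]               # everything a server breach exposes
    # Shared seed: the leaked record yields the same code the real token shows.
    seed_reusable = hotp(leaked["hotp_seed"], 7) == hotp(seed, 7)
    # Public key: server sends a fresh challenge, phone signs it.
    challenge = secrets.token_bytes(16)
    genuine = lamport_verify(pub, challenge, lamport_sign(phone_priv, challenge))
    # The leaked record holds only hashes; replaying them does not verify.
    replayed = [leaked["pubkey"][i][b] for i, b in enumerate(digest_bits(challenge))]
    leak_verifies = lamport_verify(pub, challenge, replayed)
    return seed_reusable, genuine, leak_verifies

if __name__ == "__main__":
    print(breach_demo())
```

With a shared seed, recovery from a server breach means reissuing every token; with only public keys on the server, the stored records are not credentials.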

A demo of Duo Security's software.

Duo is also attracting interest from investors. Steve Coplan of 451 Research wrote in a recent report that Duo looks a lot like its competitors, until you dig deeper. "... Duo is moving toward shaking up the market with some fairly radical ideas." Google Ventures led a funding round in February that included True Ventures and Resonant Venture Partners. The trio gave Duo $5 million in funding.
