
Duo Security Advances Two-Factor Authentication

Max Cherney, BYTE | June 05, 2012 08:00 AM

Category: Tablets, Smartphones

After his pitch at a recent juried technology competition in Silicon Valley, CEO Dug Song of Duo Security handed a business card to two of the three judges. The third judge said he'd already traded cards with Song the night before at a networking event. That's how excited the Valley was to hear about Duo's token-less two-factor authentication technology, and it's no surprise the company took home the judges' choice award for mobile access.

Duo's token-less approach (really two-factor authentication via mobile device) was on BYTE's radar back in February. But evidently, everyone's excited about it. The reason: mobile devices make two-factor authentication easy to deploy at low cost. Doing so eliminates "... the high cost of provisioning, replacing, revoking, and managing physical tokens [that] has been a barrier to widespread implementation," Matt Sarrel of BYTE wrote.

Dug Song of Duo Security presenting at Under The Radar, introduced by TechWeb's David Berlind.

As Sarrel explains in the article, most two-factor mobile authentication technologies use a call, SMS message, or application to verify a login attempt with the user. Duo's technology is different largely because it's versatile. System administrators can deliver Duo's authentication via smartphones, standard cell phones, land lines, and existing hardware tokens, the company claims. For users who will not have reception when they need a code, the company says they can ask the system ahead of time to generate one-time passcodes and deliver them via SMS. Users can also generate one-time passcodes with Duo's mobile app.

Duo Security offers a wide variety of notification methods for the second factor. The company built free apps for Android, Blackberry, and iPhone.

Duo's service looks relatively expensive. Rates start at $3 per user per month, and drop with volume above 500 users. Compared with the competition mentioned in BYTE's February article, at the 100-user mark, that's expensive. For example, for 100 licenses Trustwave charges $1,417 per year, according to the company website, versus Duo's rate of $3,600. PhoneFactor doesn't list pricing information on its website, but a company representative said 100 licenses would average about $2,500 a year, depending on the features selected by the client.

An impressive claim Duo made at the competition is that its clients' credentials are more secure than RSA's. "Even if we were to be breached," CEO Song said, "there'd be no way for an attacker to go and impersonate all the clients, all the end users, because they don't have the private key that's actually on the user's phone." The technology uses a patented system that combines public and private encryption and prevents sharing secrets, he said.

The claim was in response to the judge's question about the widely reported heist on RSA's data centers last March. RSA reported the breach cost $66 million in restitution to clients. For the firms using RSA's two-factor authentication technology, it was a mess to clean up. For example, CRN.com reported that, "... Lockheed [Martin] had to shut down its computer systems and reissue tokens to many of its employees, while requiring a password reset for its 120,000 workers."
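The property Song describes can be shown by comparing two enrollment models side by side. The sketch below is an added example, not Duo's code or its patented protocol: it is a generic challenge-response in Node.js, and every function name and the record layout are assumptions made for illustration. It contrasts a server that stores the same seed as the token with a server that stores only a public key while the private key stays on the phone.

```javascript
// Added illustration: generic challenge-response, NOT Duo's patented protocol.
// All function names and the record layout are assumptions made for this sketch.
const crypto = require('crypto');

// Model A: shared secret. The server stores the same seed the token holds.
function enrollShared() {
  const seed = crypto.randomBytes(20);
  return { device: { seed }, serverRecord: { seed } };
}
function sharedResponse(seed, challenge) {
  return crypto.createHmac('sha256', seed).update(challenge).digest();
}
function verifyShared(serverRecord, challenge, response) {
  const expected = sharedResponse(serverRecord.seed, challenge);
  return response.length === expected.length &&
    crypto.timingSafeEqual(response, expected);
}

// Model B: key pair. The private key stays on the phone; the server keeps
// only the public key, which can verify a response but cannot produce one.
function enrollKeyPair() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { device: { privateKey }, serverRecord: { publicKey } };
}
function signChallenge(privateKey, challenge) {
  return crypto.sign(null, challenge, privateKey); // Ed25519 takes no digest name
}
function verifySigned(serverRecord, challenge, signature) {
  return crypto.verify(null, challenge, serverRecord.publicKey, signature);
}

// Compare what a copy of the server-side records is sufficient to compute.
function breachImpact() {
  const challenge = crypto.randomBytes(32);
  const a = enrollShared();
  const b = enrollKeyPair();
  // Model A: the stored seed alone yields a response the server accepts.
  const fromSeed = sharedResponse(a.serverRecord.seed, challenge);
  // Model B: the record holds no signing key; a signature made with any
  // other key (constructed here) fails against the enrolled public key.
  const otherKey = enrollKeyPair().device.privateKey;
  return {
    serverRecordSufficesShared: verifyShared(a.serverRecord, challenge, fromSeed),
    foreignKeyAcceptedKeyPair:
      verifySigned(b.serverRecord, challenge, signChallenge(otherKey, challenge)),
    enrolledPhoneAccepted:
      verifySigned(b.serverRecord, challenge, signChallenge(b.device.privateKey, challenge)),
  };
}
```

In the shared-secret model a breach of the server means every enrolled seed must be replaced, which is the kind of reissue effort described above; in the key-pair model the server-side records contain nothing that has to stay secret.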

A demo of Duo Security's software.

Duo is also attracting interest from investors. Steve Coplan of 451 Research wrote in a recent report that Duo looks a lot like its competitors, until you dig deeper. "... Duo is moving toward shaking up the market with some fairly radical ideas." Google Ventures led a funding round in February that included True Ventures and Resonant Venture Partners. The trio gave Duo $5 million in funding.

Max A. Cherney is a Contributing Editor for BYTE.


