Using mobile devices as a second factor in authentication is not a new idea, but Duo Security makes it easier than some of its competitors.
After his pitch at a recent juried technology competition in Silicon Valley, CEO Dug Song of Duo Security handed a business card to two of the three judges. The third judge said he'd already traded cards with Song the night before at a networking event. That's how excited the Valley was to hear about Duo's token-less two-factor authentication technology, and it's no surprise the company took home the judge's choice award for mobile access.
Duo's token-less--really two-factor authentication via mobile device--was on BYTE's radar back in February. But evidently, everyone's excited about it. The reason: mobile devices make two-factor authentication technology possible to deploy easily at low cost. Doing so eliminates "... the high cost of provisioning, replacing, revoking, and managing physical tokens [that] has been a barrier to widespread implementation," Matt Sarrel of BYTE wrote.
Dug Song of Duo Security presenting at Under The Radar, introduced by TechWeb's David Berlind.
As Sarrel explains in the article, most two-factor mobile authentication technologies use a call, SMS message, or application to verify a login attempt with the user. Duo's technology is different largely because it's versatile. System administrators can deliver Duo's authentication via smart phones, standard cell phones, land lines, and existing hardware tokens, the company claims. If users do not have reception when they need the key, the company says users can ask the system to generate one-time passcodes deliverable via SMS prior to needing the code. Users also can generate one-time passcodes with Duo's mobile app.
Duo Security offers a wide variety of notification methods for the second factor. The company built free apps for Android, Blackberry, and iPhone.
Duo's service looks relatively expensive. Rates start at $3 per user per month, and drop with volume above 500 users. Compared with the competition mentioned in BYTE's February article, at the 100-user mark, that's expensive. For example, for 100 licenses Trustwave charges $1,417 per year, according to the company website, versus Duo's rate of $3600. PhoneFactor doesn't list pricing information on its website but a company representative said 100 licenses would average about $2,500 a year, depending on the features selected by the client.
An impressive claim Duo made at the competition is that its clients credentials are more secure than RSA's. "Even if we were to be breached," CEO Song said, "There'd be no way to for an attacker to go and impersonate all the clients, all the end users, because they don't have the private key that's actually on the user's phone." The technology uses a patented system that combines public and private encryption and prevents sharing secrets, he said.
The claim was in response to the judge's question about the widely reported heist on RSA's data centers last March. RSA reported the breach cost $66 million in restitution to clients. For the firms using RSA's two-factor authentication technology, it was a mess to clean up. For example, CRN.com reported that, "... Lockheed [Martin] had to shut down its computer systems and reissue tokens to many of its employees, while requiring a password reset for its 120,000 workers."
A demo of Duo Security's software.
Duo also is interesting investors. Steve Coplan of 451 Research wrote in a recent report that Duo looks a lot like its competitors, until you dig deeper. "... Duo is moving toward shaking up the market with some fairly radical ideas." Google Ventures led a funding round in February that included True Ventures, and Resonant Venture Partners. The trio gave Duo $5 million in funding.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?