Duo Security Rides Growing Interest in Two-Factor Authentication

Hardly a day goes by without a big headline announcing yet another consumer security breach; today’s version trumpets the possible theft of Staples customers’ credit card information. Keeping payment information safe from criminals is a priority for both businesses and consumers, and since Ann Arbor, MI-based Duo Security is at the forefront of a promising method to improve Internet security—more on that in a minute—business is booming.

It’s been a particularly busy few months for Duo, as evidenced by a move to a bigger office planned in November, a hiring push, and the successful close of a $12 million Series B round led by Silicon Valley-based Benchmark in late September.

“We continue to do really well—we just had another record quarter,” says Dug Song, Duo Security’s co-founder and a Detroit Xconomist. “We’re making sure we put ourselves way ahead of the curve.”

When Xconomy first covered Duo Security in 2010, it was called Scio Security and it was in stealth mode. Song, a serial entrepreneur who served as chief security architect at Arbor Networks before it was sold to Tektronix in 2010, founded the company with Jon Oberheide, a veteran of Arbor Networks and a Forbes “30 under 30” honoree for his Android security research.

A conversation with Song can be delightfully circuitous, as he can converse just as comfortably about building skateparks or the talents of Kathleen Hanna or the time he taught Kid Rock to play roulette as he can about the latest in Internet security. But it’s clear that Song—and, by extension, Duo Security—cares deeply about protecting private information online.

Duo’s flagship product is cloud-based, two-factor authentication technology called Duo Push that, once installed and activated on a smartphone, provides secondary authentication with the tap of a button. With the rise of password thefts, two-step authentication is emerging as one way to add an additional layer of security to online communications by confirming that you are who you say you are, since passwords can be easy to guess and many people re-use them for multiple sites. (Think of it like having one set of keys to unlock your car, your office, and your apartment. If a thief gets that one set of keys, they have access to everything.)

Duo Push is designed to protect against “man-in-the-browser” and other identity theft attacks by delivering a private key to the user’s mobile device to authenticate the user’s credentials, while the public key verifies the signature on the server side. So, even if Duo’s database is compromised, an identity thief wouldn’t be able to bypass two-factor authentication and gain access to sensitive information.
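The property described above, a server that stores only public keys so that a database dump cannot produce a valid approval, shown as an added Go example; it is not Duo's code or protocol. Ed25519, the challenge layout and every name here are assumptions made for illustration, and the key pair is created on the device side.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server is a hypothetical verifier. Its database holds public keys only.
type Server struct {
	pub     map[string]ed25519.PublicKey // user -> enrolled device key
	pending map[string][]byte            // user -> outstanding challenge
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Enroll stands in for the phone creating its key pair; only the public half is stored.
func (s *Server) Enroll(user string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s.pub[user] = pub
	return priv
}

// Challenge binds a fresh random nonce to the login details shown to the user.
func (s *Server) Challenge(user, details string) []byte {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand; since Go 1.24 this never returns an error
	s.pending[user] = []byte(fmt.Sprintf("%x|%s|%s", nonce, user, details))
	return s.pending[user]
}

// Approve runs on the phone when the user taps "approve".
func Approve(priv ed25519.PrivateKey, ch []byte) []byte { return ed25519.Sign(priv, ch) }

// Verify consumes the challenge (so it cannot be replayed) and checks the signature.
func (s *Server) Verify(user string, sig []byte) bool {
	msg, ok := s.pending[user]
	delete(s.pending, user)
	pub, enrolled := s.pub[user]
	return ok && enrolled && ed25519.Verify(pub, msg, sig)
}

func main() {
	s := NewServer()
	sig := Approve(s.Enroll("alice"), s.Challenge("alice", "login from 203.0.113.7"))
	fmt.Println("approved:", s.Verify("alice", sig))
}
```

A signature made with any key other than the enrolled device's, or replayed against a later challenge, fails `Verify`, which is why the stored public keys alone are of no use for approving a login.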

“We’re able to leverage personal devices to help protect and augment password-based log-ins,” Song explains. “It’s interesting the way the world’s going—most employees have way more access to technology in their personal lives than at work. It didn’t used to be that way. There’s a new drive toward security without borders in the age of access. But we’ve got tricks up our sleeve to leverage that shift.”

Duo’s newest “trick,” announced today, is that its authentication products now support the Fast IDentity Online (FIDO) Universal Second Factor (U2F) specifications. Duo is launching its U2F phishing-resistant authentication method in conjunction with Google, Yubico, and other members of the FIDO Alliance in the hopes of driving adoption of this new U2F standard.

It comes in the form of a small USB device that plugs into the computer. Users touch …


Sarah Schmid Stevenson is the editor of Xconomy Detroit/Ann Arbor. You can reach her at 313-570-9823 or sschmid@xconomy.com.


  • Hitoshi Anatomi

    The two-factor authentication, though not a silver bullet, could be reliable when it comes with a reliable password. 2 is larger than 1 on paper, but two weak boys in the real world may well be far weaker than a toughened guy. Physical tokens and phones are easily lost, stolen and abused. Then the password would be the last resort. It should be strongly emphasized that a truly reliable 2-factor solution requires the use of the most reliable password.

    Using a strong password does help a lot even against the attack of cracking the stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses.

    At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.