Hardly a day goes by without a big headline announcing yet another consumer security breach; today’s version trumpets the possible theft of Staples customers’ credit card information. Keeping payment information safe from criminals is a priority for both businesses and consumers, and since Ann Arbor, MI-based Duo Security is at the forefront of a promising method to improve Internet security—more on that in a minute—business is booming.
It’s been a particularly busy few months for Duo, as evidenced by a move to a bigger office planned in November, a hiring push, and the successful close of a $12 million Series B round led by Silicon Valley-based Benchmark in late September.
“We continue to do really well—we just had another record quarter,” says Dug Song, Duo Security’s co-founder and a Detroit Xconomist. “We’re making sure we put ourselves way ahead of the curve.”
When Xconomy first covered Duo Security in 2010, it was called Scio Security and it was in stealth mode. Song, a serial entrepreneur who served as chief security architect at Arbor Networks before it was sold to Tektronix in 2010, founded the company with Jon Oberheide, a veteran of Arbor Networks and a Forbes’ “30 under 30” honoree for his Android security research.
A conversation with Song can be delightfully circuitous, as he can converse just as comfortably about building skateparks or the talents of Kathleen Hanna or the time he taught Kid Rock to play roulette as he can about the latest in Internet security. But it’s clear that Song—and, by extension, Duo Security—cares deeply about protecting private information online.
Duo’s flagship product is cloud-based, two-factor authentication technology called Duo Push that, once installed and activated on a smartphone, provides secondary authentication with the tap of a button. With the rise of password thefts, two-step authentication is emerging as one way to add an additional layer of security to online communications by confirming that you are who you say you are, since passwords can be easy to guess and many people re-use them for multiple sites. (Think of it like having one set of keys to unlock your car, your office, and your apartment. If a thief gets that one set of keys, they have access to everything.)
Duo Push is designed to protect against “man-in-the-browser” and other identity theft attacks by delivering a private key to the user’s mobile device to authenticate the user’s credentials, while the public key verifies the signature on the server side. So, even if Duo’s database is compromised, an identity thief wouldn’t be able to bypass two-factor authentication and gain access sensitive information.
“We’re able to leverage personal devices to help protect and augment password-based log-ins,” Song explains. “It’s interesting the way the world’s going—most employees have way more access to technology in their personal lives than at work. It didn’t used to be that way. There’s a new drive toward security without borders in the age of access. But we’ve got tricks up our sleeve to leverage that shift.”
Duo’s newest “trick,” announced today, is that its authentication products now support the Fast IDentity Online (FIDO) Universal Second Factor (U2F) specifications. Duo is launching its U2F phishing-resistant authentication method in conjunction with Google, Yubico, and other members of the FIDO Alliance in the hopes of driving adoption of this new U2F standard.
It comes in the form of a small USB device that plugs into the computer. Users touch