Duo Labs

Duo Security Establishes Advanced Security Research Team: Duo Labs!

You’ve been reading their Weekly Ink posts on this blog for several weeks now, so it’s time we announced some big news from Duo Security: we now have a super l33t group of security researchers called Duo Labs!

Our new advanced security research division is led by our intrepid co-founder and CTO Jon Oberheide, who has mobilized this team of top security researchers with the intent to improve security for all:

“Duo Labs has a similar mission as DARPA: to prevent and create strategic surprise through advanced research and technology,” said Oberheide. “Our research team provides the deep security knowledge and innovation necessary to protect our customers, but also has a larger mission of protecting the broader public by identifying and fixing vulnerabilities in large-scale Internet systems.”

Duo is proud of our investment in the security knowledge of our advanced research division. So who’s on the Duo Labs team, you ask? We’ve got Zach Lanier, Senior Security Researcher; Adam Goodman, Principal Security Architect; Mark Stanislav, Security Project Manager; and Chris Czub, Security Research Engineer.

Duo Labs Team

One of the first major projects Duo Labs took on resulted in our disclosure of a bypass in PayPal’s two-factor authentication. The goal was to inform the public about their account security, as well as to motivate PayPal to strengthen their security. Just last year, a few Duo researchers (who are now part of Duo Labs) discovered a similar bypass of Google’s two-factor authentication.

Beyond these high-profile breaks, members of Duo Labs have been on the cutting edge of mobile security research with several DARPA-funded projects such as X-Ray (the first mobile vulnerability assessment app) and ReKey (hot-patching of mobile vulnerabilities). They have also built tools to bring better awareness to authentication security, such as VPN Hunter and Did I Get Gawkered?

Several researchers from the Duo Labs division presented in Las Vegas, Nevada in the summer of 2014, at Black Hat, DEF CON, PasswordsCon, and Securing IoT. Lanier presented vulnerabilities in several mainstream data loss prevention software packages at Black Hat, citing flaws in Trend Micro, Websense, and OpenDLP.

At DEF CON, Stanislav and Lanier presented on the Internet of Things (IoT) and the issues with a growing market of Internet-connected devices that are often vulnerable to security threats. They also continued outreach at DEF CON about their initiative called BuildItSecure.ly, which aims to make the burgeoning world of IoT safer for the consumer.

In addition to the Black Hat and DEF CON talks, Stanislav presented at PasswordsCon on end-user authentication security. Lanier and Stanislav joined forces again to present on the Internet of Things at Securing IoT Masters, a private event held during Black Hat.

The Duo Labs division has brought elite security researchers from around the country to Ann Arbor’s growing technology community for Duo Tech Talks (now available on our Livestream account) and ARBSEC. These two social meetup groups allow guest experts to share their expertise on a variety of high-level topics, creating a forum for education and exploration.