
Duolytics: Four Years with Four Factors

Here at Duo Labs, we’ve been busy slicing and dicing the usage data that we’ve collected over the years (in aggregate, of course). We don’t see much open discussion of analytics in the 2FA community, and we want to change that. As such, we plan to routinely share some of our analyses and discussion of our views of two-factor authentication, starting now.

A Brief History of 2FA

In the beginning (or the '80s), there was the hardware token that we all know and love to hate, which was the first form of one-time passcode (OTP) two-factor authentication to be widely adopted.

In the Dark Ages: Token-Based Two-Factor Authentication

The market for hardware tokens was dominated by RSA Security, which controlled 72% of the 2FA market in 2003. Other notable participants began to offer single-service hardware tokens in the late 2000s, including the PayPal Security Key in 2007 and the Blizzard Authenticator in 2008.

[Images: PayPal Security Key, Blizzard Authenticator, RSA Token]

While many of us are very familiar with the usability pains of hardware tokens, we got a first-hand look at some of their security risks with the RSA hack in 2012, which left 40 million tokens useful only as very small paperweights, due to the SecurID seeds being compromised. This type of compromise is a fundamental vulnerability of hardware tokens, since the secret cryptographic seed has to be stored in the token and can’t be (easily) changed. Nevertheless, in the '80s and '90s, that was about the best we could do without having more flexible computers available.
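Why a leaked seed is fatal for OTP tokens, shown as an added example that is not code from Duo or RSA. It uses the open HOTP algorithm (RFC 4226) as a stand-in, since SecurID's own algorithm is not described here; `Verifier` and `demo` are hypothetical names, and the seed is the RFC's public test vector.

```python
import hashlib
import hmac
import struct

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code is a pure function of (seed, counter)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side (hypothetical): it must store the same seed the token holds."""

    def __init__(self, seed: bytes, window: int = 3):
        self.seed, self.counter, self.window = seed, 0, window

    def check(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1  # advance so an accepted code cannot be replayed
                return True
        return False

    def reseed(self, new_seed: bytes) -> None:
        """Recovery after seed exposure; the physical token cannot follow."""
        self.seed, self.counter = new_seed, 0

RFC4226_SEED = b"12345678901234567890"  # public test seed, RFC 4226 Appendix D

def demo() -> dict:
    server = Verifier(RFC4226_SEED)
    code = hotp(RFC4226_SEED, 0)             # what the user's token displays
    result = {"token_accepted": server.check(code),
              "replay_accepted": server.check(code)}
    # Any second holder of the seed derives the next valid code; the server
    # has nothing else to tell the copy from the real token.
    result["copy_accepted"] = server.check(hotp(bytes(RFC4226_SEED), 1))
    # The only fix is a new seed, which the old token does not contain.
    server.reseed(b"constructed-replacement-seed")
    result["old_token_accepted"] = server.check(hotp(RFC4226_SEED, 2))
    return result

if __name__ == "__main__":
    print(demo())
```
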

The Evolution Begins with Mobile

As mobile phones became commonplace in the late 2000s, two new options for 2FA became feasible: mobile phone calls and SMS. Indeed, phone calls were the first authentication method supported by Duo back in 2010. In early 2011, Duo introduced SMS-delivered one-time passcodes. While phone calls and SMS work universally with any mobile phone, there are substantial trade-offs in terms of both usability (carrier charges, service reliability) and security (reliance on carrier infrastructure).

Phone calls are so 20th century.

Modernizing Two-Factor Authentication with a Mobile App

The mobile device revolution enabled a new opportunity for two-factor authentication: the use of software-based mobile apps to generate OTPs instead of hardware-based tokens. Through 2010, Duo supported some less-than-modern platforms like J2ME, Symbian, WebOS, and Windows Mobile with a mobile app that generated OTPs. With the introduction of the Android Market and iTunes App Store, Android and iOS quickly became front-runners in the mobile OS market.

We knew we could do better than mobile OTPs with these modern mobile platforms. After all, we had crazy-powerful, always-connected, and extensible computers that fit in the palm of our hands! The easy distribution of apps for these platforms made mobile-based 2FA much more accessible. So, we invented Duo Push in early 2010 and launched it publicly in 2011. The Duo Push security model is stronger than OTPs, phone calls, or SMS, since Push can offer, e.g., asymmetric cryptography and mutually-authenticated secure communication over the data network. Push also enables a user experience (one tap to approve) unlike any authentication method to date.

Authentication Factors at Duo

What does this progression of authentication factors in the market look like from Duo’s perspective? We took a look at how successful authentication events have changed since we introduced push about four years ago. Note: to be able to better understand general enterprise usage, we've removed some specialized telephony-only cases from the dataset.

[Graph]

(Note: The "Token + OTP" category includes both hardware tokens (D-100s, Yubikeys, third-party HOTP/TOTP, etc.) and Duo Mobile software tokens.)

Shortly after we introduced Push, phone calls remained users' first choice 97% of the time. Just twelve months later, users chose phone calls only 22% of the time. Over the next several years, users favored OTP and Push even more. As can be seen, OTP experienced a large bump in "popularity" during summer 2013. The volume graph (left) reveals a lot of the story: we actually didn’t lose any Push volume and, instead, there was a substantial increase in the number of OTP events. I pulled the anomalous account out to better understand what was happening overall during 2013:

[Graph]

Indeed, the behavior of all our other users was _not_ extremely biased toward OTP for those months.
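How one high-volume account can skew factor shares while Push volume stays flat, as an added example and not Duo's own analysis code. The event tuples, account names, counts and the 50% dominance threshold are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample: (month, account, factor, successful authentications)
EVENTS = [
    ("2013-06", "acct-a", "push", 200), ("2013-06", "acct-a", "otp", 150),
    ("2013-06", "acct-b", "push", 200), ("2013-06", "acct-b", "phone", 100),
    ("2013-06", "acct-c", "push", 150), ("2013-06", "acct-c", "otp", 150),
    ("2013-06", "acct-c", "phone", 50),
    ("2013-07", "acct-a", "push", 200), ("2013-07", "acct-a", "otp", 150),
    ("2013-07", "acct-b", "push", 200), ("2013-07", "acct-b", "phone", 100),
    ("2013-07", "acct-c", "push", 150), ("2013-07", "acct-c", "otp", 150),
    ("2013-07", "acct-c", "phone", 50),
    ("2013-07", "acct-x", "otp", 4000),  # the outlier: a burst of OTP events
]

def shares(events, exclude=()):
    """Per-month share of each factor, as a percentage of that month's total."""
    totals = defaultdict(Counter)
    for month, account, factor, n in events:
        if account not in exclude:
            totals[month][factor] += n
    return {m: {f: round(100 * n / sum(c.values()), 1) for f, n in c.items()}
            for m, c in totals.items()}

def dominant_accounts(events, threshold=0.5):
    """Accounts that alone exceed `threshold` of any month's total volume."""
    month_total, account_total = Counter(), Counter()
    for month, account, _factor, n in events:
        month_total[month] += n
        account_total[(month, account)] += n
    return sorted({a for (m, a), n in account_total.items()
                   if n / month_total[m] > threshold})

if __name__ == "__main__":
    outliers = dominant_accounts(EVENTS)
    print("outliers:", outliers)
    print("all accounts:    ", shares(EVENTS)["2013-07"])
    print("outliers removed:", shares(EVENTS, exclude=outliers)["2013-07"])
```

With the outlier included, July's Push share falls from 55% to 11% even though the Push count is unchanged at 550; with it excluded, July matches June.
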

At Duo, we love Push, and we’re excited to see it grow in popularity compared to the more traditional methods we support. Looking back at the complete data set, in May 2015, Push led the pack with 44% of successful authentications. Hardware/software OTP trailed behind with 36%, a share that’s seen a 12% decrease over the past year, as it accounted for 41% of successful authentications in May 2014. As we make Push easier to use, such as our recent addition of notification actions and support for wearables, we hope to see Push grow even more!

In May 2015, 44% of authentication events were Push-based

Stay tuned for future posts on Duo’s perspective of the 2FA market and our metrics. Ping us at labs@duosecurity.com if you have any interesting stats you’d like to see!