Duo’s full-time security team is experienced in running large-scale systems security. We employ the top mobile, app and network security experts. Our researchers and engineers have worked at Fortune 500 companies, government agencies and financial firms.
Duo is founded by CEO Dug Song and CTO Jon Oberheide, two respected pioneers in the security community with a commitment to driving innovation and growth. Learn more about our team.
Duo follows an agile development cycle, releasing updates in hours and days compared to several months and quarters, typical of other two-factor vendors.
There’s no overhead required to keep our application up to date - we send automatic updates to your users’ devices to ensure they have the latest security patches and features. Consider it the end of maintenance windows for your in-house IT support.
Duo builds security into each step of our operations, including customer data handling, code release, upgrades, patch management, security policies and more.
We endeavor to meet compliance standards like PCI DSS, ISO 27001, NIST 800 and more. A team of independent third-party auditors regularly audit and review our infrastructure and operations to ensure we’re secure enough to support our customers.
Some two-factor solutions rely on shared secrets to generate token numbers, which, if attackers steal, they can use the information to compromise an organization. Duo’s two-factor solution is designed with security in mind.
We use asymmetric cryptography, keeping only the public key on our servers and storing private keys on your users’ devices in a tamper-proof secure element. Duo never stores your passwords - meaning your logins stay safe.
We know the most effective security solution is one your users actually use. Our solution only requires your users to carry one device - their smartphone, with the Duo Mobile app installed on it. Logging in via push notification is fast and easy.
We strongly recommend using Duo Push as your second factor, a more secure method than SMS passcodes that can protect against man-in-the-middle (MITM) attacks.
Duo has maintained uptime of greater than 99.99% for more than four years, with a hard service level guarantee backed by SLA. Duo’s servers are hosted across independent PCI DSS, ISO 27001-certified, and SSAE 16-audited service providers with strong physical security.
We provide a high-availability service split across multiple geographic regions, providers and power grids for seamless failover, and our multiple offsite backups of customer data are encrypted.
Duo Security’s operational processes are SOC 2 compliant, as determined by an independent auditor. The SOC 2 report measures internal controls at service organizations relating to security, availability, processing integrity, confidentiality and privacy. The standards are outlined by the American Institute of CPAs (AICPA).
Duo’s two-factor authentication cryptographic algorithms are validated by NIST under FIPS CAVP. Our NIST certifications are available for review for FIPS 186-3 RSA asymmetric cryptography, FIPS 180-4 SHS/SHA hash families and FIPS 198 HMAC algorithm.
A DEA-accredited auditor, Drummond Group, LLC, have confirmed that Duo Push satisfies Electronic Prescription of Controlled Substance (EPCS) requirements for two-factor authentication. Duo can also help healthcare organizations meet strong access recommendations for Health Insurance Portability and Accountability Act (HIPAA).
Duo leverages FIPS 140-2 validated cryptographic algorithms to achieve FIPS 140-2 compliance for Duo Mobile Push and Mobile Passcode, by default with no configuration required.
Duo Push and Passcode authentication methods are built in alignment with NIST SP 800-63-3 Authenticator Assurance Level 2 (AAL2) requirements.
Learn more about Duo’s different authentication methods and how they meet EPCS compliance for FIPS 140-2, Level 1 in the Duo for Epic documentation.
The GDPR replaces the European Union’s decades-old data privacy laws, bringing them more inline with the modern technology landscape. This new law affects any organization that collects and handles EU residents' personal data, regardless of where in the world the organization is located. It governs how these organizations handle and protect personal information (PI) and how they report data breaches. As a provider of secure access solutions, Duo ensures our customers’ data is protected. As such, is committed to GDPR compliance across our organization.
Duo is 27001:2013, 27017:2015, and 27018:2019 certified. The 27001:2013, 27017:2015, and 27018:2019 standards were developed to help organizations improve their maturity and protect their intellectual property and data in a scalable and verifiable way.
To achieve certification, Duo was audited by an accredited external auditor who verified Duo’s control environment and assessed the implementation of controls. The ISO 27000 series certification is valid for three years and requires an annual surveillance audit to ensure continued compliance for the lifespan of each certification.
As a cloud service provider (CSP) with customers in the Kingdom of Saudi Arabia, Duo is required to comply with business continuity, disaster recovery and risk management related rules and guidelines identified as mandatory by the CITC. Duo also complies with applicable provisions in the CITC Cloud Computing Regulatory Framework for data classified as Level 1 and as Level 2.
Duo is Cloud Computing Compliance Controls Catalog (C5) certified. C5 is a set of compliance criteria issued by the German Federal Office for Information Security (BSI). Aimed at cloud service providers, C5 seeks to establish a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government and organizations that work with the government.
To achieve certification, Duo was audited by a qualified, independent auditor, Coalfire, who assessed Duo’s implementation of C5 controls and verified their operating effectiveness. A C5 certification is generally valid for one year.
Duo is an AgID-qualified SaaS solutions provider, and complies with the principles established by the Digital Italy Agency (AgID) to provide services to the Italian public sector. Duo meets both organizational requirements outlined by AgID (e.g. disaster recovery, support availability and incident management processes) as well as specific requirements around (1) security, privacy and data protection, (2) performance and scalability, (3) interoperability and portability and (4) compliance with the relevant Italian and European legislation.
Only providers who meet the above requirements can be included in the Marketplace Cloud, a digital platform with a catalogue of cloud services. The Italian public sector can access cloud services only through providers included in the Marketplace Cloud.
“Using Duo, we have enabled a culture of multi-factor authentication without it being seen as a burden to the user. The experience is pleasant and the protection is unparalleled.”
“The thing that I personally love about Duo is, the interface is absolutely slick. You just can’t beat the fact that it’s one touch, one button, one press.”
Cisco helps you achieve zero trust across your organization by securing all access to your applications and environment, from any user, device and location. Learn why Forrester has named Cisco a leader in zero trust.