Skip navigation

If the world is run by little ones and zeroes and little bits of data, the Duo Labs team are the mad scientists putting ‘em to work. Not only do we have our customers’ backs by serving up deep knowledge, we’re also dedicated to protecting the Internet more generally by identifying and fixing vulnerabilities on a broader scale. What does that look like? We build, we break, we reason. Our work spans the breadth of product prototyping, Internet scale research and analysis, vulnerability research and exploit development, and applications of data science and machine learning to address security problems. As a group our core goals are to Disrupt, to Derisk, and to Democratise complex security topics and to share our innovations in ways that make the greatest possible impact.

Duo Labs Research Projects

  • Label Legend

  • paper
  • website
  • app
  • github
  • video

Authentication and Authorization Part 2: A New, Verifiable Era

Discover the future of digital identity in this deep dive into risks and benefits of passkeys, verifiable credentials, and passwordless authentication.

Proactive Threat Hunting in Duo Data

Learn how Duo's data scientists and threat analysts proactively identify and prevent novel attack methods across billions of authentications.

Authentication and Authorization Part 1: Through the Ages

How reviewing sociological problems with authentication can help us address the technological problems we face today.

A Security Analyst’s Guide to Identity Threats

An in-depth look at current identity-based threats and a discussion of mechanisms to both prevent and detect them.

The Administrator's Guide to Passwordless

Learn all you need to know to determine for yourself why passwordless authentication can be more secure & usable than today’s leading authentication systems.

Data Companies Are Watching Me

Discover what happened when our engineer requested his data from location data brokers & learn why existing processes don't work for the average person.

Balancing Privacy and Security: Google Apple Contact Tracing

Learn how Google & Apple’s Exposure Notification API works & the security considerations that make it good for preserving user privacy & stopping bad actors.

The Invisible World of Near-Infrared Authentication

Duo Labs investigates how infrared imaging is used for authentication in facial recognition and vein scanning technologies.

TEMPEST@Home - Finding Radio Frequency Side Channels

An introductory guide to finding radio frequency side channels for data exfiltration.

The Good and Bad of Biometrics

Explore what properties of biometrics make them good or bad at defending against one threat but not another, then take a deeper look at specific technologies.

Security Researchers Partner With Chrome To Take Down Browser Extension Fraud Network Affecting Millions of Users

Duo Labs’ CRXcavator tool used to uncover and remove a large scale campaign of malvertising Chrome extensions.

Gamifying Data Science Education

Learn about how Duo’s data science team used gamification to teach data analysis skills in an interactive workshop.

Chain of Fools: An Exploration of Certificate Chain Validation Mishaps

Explore what can go wrong for developers when bad cryptographic advice on the internet turns into common implementations.

How to Monitor GitHub for Secrets

Learn about the problem of sensitive info getting published on version control systems and discover multiple ways to monitor GitHub for secrets.

Deciphering the Messages of Apple’s T2 Coprocessor

Learn about the communication channel between macOS & the new T2 secure boot chip. We illuminate the XPC messaging protocol & provide tools to explore yourself.

Anatomy of Twitter Bots: Amplification Bots

Duo Labs study on amplification bots: what they are and how they operate.

Secure Boot in the Era of the T2

An in-depth look at the new secure boot feature found in T2 enabled Apple devices.

MDM Me Maybe: Device Enrollment Program Security

Discover how an authentication weakness in Apple’s Device Enrollment Program can be used to leak information and potentially enroll rogue devices in MDM servers.

Microcontroller Firmware Recovery Using Invasive Analysis

Duo Labs security researchers show how to bypass microcontroller interfaces used for internet of things (IoT) devices. Learn more.

History of Vulnerability Disclosure

Explore some of the more notable vulnerability disclosure moments in infosec history, all in one timeline for your reference.

Tech Talks

What else is Duo Labs thinking about? Find out at our Tech Talks, where our security researchers give the inside scoop on their latest projects and host experts from across the industry showcasing their own cutting-edge work.

See All Tech Talks

Duo Labs on Github

View Projects
folded mesh abstract computer generated illustration.