Skip navigation

Our Mission is to Protect Your Mission.

At Duo, we take security very seriously, and protecting our customers is always first priority. Leave security to the experts and put the focus back on growing your business.

Duo employees standing in a circle, having a discussion in the workplace

We’re more than a security company.

We’re a Trusted Access company.

People

Mission Control

Your Professional Security Experts

Duo’s full-time security team is experienced in running large-scale systems security. We employ the top mobile, app and network security experts. Our researchers and engineers have worked at Fortune 500 companies, government agencies and financial firms.

Duo is founded by CEO Dug Song and CTO Jon Oberheide, two respected pioneers in the security community with a commitment to driving innovation and growth. Learn more about our team.

Ongoing Security Innovation

Duo is committed to investigating new security concerns. To encourage engagement in the security community, please contact security@duosecurity.com or visit Security Response for any security issues.

Process

Built-in Security

Automatic Updates

Duo follows an agile development cycle, releasing updates in hours and days compared to several months and quarters, typical of other two-factor vendors.

There’s no overhead required to keep our application up to date - we send automatic updates to your users’ devices to ensure they have the latest security patches and features. Consider it the end of maintenance windows for your in-house IT support.

Standardized Security Processes

Duo builds security into each step of our operations, including customer data handling, code release, upgrades, patch management, security policies and more.

We endeavor to meet compliance standards like PCI DSS, OWASP, ISO 27001, NIST 800 and more. A team of independent third-party auditors regularly audit and review our infrastructure and operations to ensure we’re secure enough to support our customers.

Technology

Security by Design

Secure Authentication

Some two-factor solutions rely on shared secrets to generate token numbers, which, if attackers steal, they can use the information to compromise an organization. Duo’s two-factor solution is designed with security in mind.

We use asymmetric cryptography, keeping only the public key on our servers and storing private keys on your users’ devices in a tamper-proof secure element. Duo never stores your passwords - meaning your logins stay safe.

Designed for People

We know the most effective security solution is one your users actually use. Our solution only requires your users to carry one device - their smartphone, with the Duo Mobile app installed on it. Logging in via push notification is fast and easy.

We strongly recommend using Duo Push as your second factor, a more secure method than SMS passcodes that can protect against man-in-the-middle (MITM) attacks.

High-Availability Architecture

Duo ensures an uptime exceeding 99.995% with a hard service level guarantee, with premium private hosting available. Duo’s servers are hosted across independent PCI DSS and ISO 27001-certified and SSAE 16-audited service providers with strong physical security.

We provide a high-availability service split across multiple geographic regions, providers and power grids for seamless failover, and our multiple offsite backups of customer data are encrypted.

Compliance

SOC 2 Compliance

Duo Security’s operational processes are SOC 2 compliant, as determined by an independent auditor. The SOC 2 report measures internal controls at service organizations relating to security, availability, processing integrity, confidentiality and privacy. The standards are outlined by the American Institute of CPAs (AICPA).

NIST Cryptographic Certifications

Duo’s two-factor authentication cryptographic algorithms are validated by NIST under FIPS CAVP. Our NIST certifications are available for review for FIPS 186-3 RSA asymmetric cryptography, FIPS 180-4 SHS/SHA hash families and FIPS 198 HMAC algorithm.

EPCS Compliance

A DEA-accredited auditor, Drummond Group, LLC, have confirmed that Duo Push satisfies Electronic Prescription of Controlled Substance (EPCS) requirements for two-factor authentication. Duo can also help healthcare organizations meet strong access recommendations for Health Insurance Portability and Accountability Act (HIPAA).

FIPS 140-2 Compliance

One-time passcodes generated by any recent version of the Duo Mobile app on iOS 6 and later or by the Duo Mobile app for Windows Phone 8.1/10 version 2.0 are FIPS 140-2 Level 1 compliant by default, and Duo's service works with OATH-compliant FIPS 140-2 validated hardware tokens.

Learn more about Duo’s different authentication methods and how they meet EPCS compliance for FIPS 140-2, Level 1 in the Duo for Epic documentation.

  • “Using Duo, we have enabled a culture of multi-factor authentication without it being seen as a burden to the user. The experience is pleasant and the protection is unparalleled.”

    — Bryan Smith, Chief Technology Officer, CyberGRX
  • “The thing that I personally love about Duo is, the interface is absolutely slick. You just can’t beat the fact that it’s one touch, one button, one press.”

    — Paul Pieralde, Principal Product Security Engineer, Eventbrite

Ready to Get Started?

Try out Duo Access for 30 days to experience Trusted Access.