“I haven’t gotten a single complaint about it. Our overall experience with Duo has been extremely easy - that’s not something that always happens in the technology world.”
— Tristan Hammond, IT Infrastructure Manager
Crowd-sourced online retailer sells merchandise with original designs submitted by artists
Provides a designer platform for artists that want to contribute and support the art community
Needed to meet PCI DSS compliance and secure their logins
Chose Duo to use with their Juniper VPN as a replacement for a frustrating RSA two-factor authentication experience
Since implementing Duo there have been no calls to the help desk about two-factor authentication
Founded in 2000, Chicago-based Threadless is a crowd-sourced e-commerce art and apparel company with nearly one million users. It provides a platform for artists who want to contribute to and support the art community, and artists can submit their original designs for consideration.
Users vote for their favorite designs to go to print. Continuing to support the community, Threadless gives 20 percent of its profits from the designed merchandise back to the artists who created the chosen designs.
As an e-commerce retailer, Threadless needed to meet PCI DSS (Payment Card Industry Data Security Standard) compliance in order to securely process online orders.
After undergoing a security audit, they were told they needed to implement two-factor authentication to protect the personal, financial and transaction data of their customers, according to their IT Infrastructure Manager, Tristan Hammond.
Previously, Threadless had settled on using RSA’s two-factor solution, but suffered through a long and painful deployment process, as well as innumerable support issues post-setup.
While using RSA’s mobile apps, Threadless employees were experiencing all kinds of authentication errors. Tristan spent a lot of time on the phone with RSA’s customer service trying to track down why authentications were failing so often, but never received an answer from the company.
Frustrated, they started looking for a new two-factor solution that would solve their headaches. Shortly after, they found Duo Security through a referral from a developer friend, Harper Reed, the former CTO of Obama for America.
Tristan was attracted to Duo Security’s solution for its ease of use and simplicity - both when it came to implementation and actual client use. Cost-effectiveness was also a factor, since RSA’s shortest contract term requirement was three years.
Threadless had also lost confidence and trust in RSA as a company.
“[RSA is a] security company that’s proving itself to not be secure anymore...when you get to a place where you’re using a corporate-y solution from a company that appears to be more concerned with their profit than security, it makes you feel kinda gross and uneasy,” said Tristan.
For Threadless, confidence and trust came from great communication with Duo Security’s CEO and co-founder, Dug Song.
“It was more like building a relationship instead of just buying or being sold on a product,” said Tristan. “It’s very apparent that security is a prevalent concern for Dug; which is very good when you’re running a security company.”
With Duo’s self-enrollment feature, Threadless employees were able to choose which authentication method they wanted to use when they signed up. Using two-factor authentication lets their in-house staff work remotely while still securely accessing local assets only available on the Threadless network via their Juniper SSL VPN.
Each team from Threadless uses Duo Security’s two-factor solution to safeguard different types of sensitive information. The Threadless engineers and developers use two-factor to protect access to their AWS (Amazon Web Services) infrastructure, including databases that house customer information. The finance team uses two-factor to protect access to financial documentation stored both locally and in the cloud, while the product and creative teams use the solution to protect raw photo assets.
According to Tristan, testing was easy with their VMware setup - they were able to easily light up a couple of virtual boxes and use another VPN appliance for testing internally. This allowed them to try out Duo’s two-factor without removing what they already had in place.
Switching over was also incredibly simple. “I changed a few IP addresses and hostnames, and we were done.”
Tristan rolled out two-factor after testing the solution with a few users from each department. After that, “there was silence.”
“I haven’t gotten a single complaint about it. If no one’s talking about it, that’s a good thing - nothing’s broken,” said Tristan. “Our overall experience with Duo has been extremely easy - that’s not something that always happens in the technology world...I would definitely recommend it.”