Duo's Security & Reliability
We obsess about security so you don't have to.
At Duo, we take security very seriously, and protecting our customers is always first priority. Here’s how we do it.
Duo’s solution is designed with complete security in mind - using asymmetric cryptography, only the public key is kept on our servers, while private keys are stored on your users’ devices in a secure element, designed to be tamper-proof against device and operating system manufacturers.
That means, attackers would need to compromise Duo, then access a user’s device and screen lock passcodes at the same time in order to gain access to your applications. Our approach significantly increases the overall integrity of the solution. Your logins also stay safe, since Duo doesn’t store your passwords.
Duo strongly recommends using Duo Push as your second factor instead of one-time passcodes (OTPs) delivered over SMS or generated by tokens. Duo Push is completely out of band which means that it is immune to man-in-the-middle (MITM) attacks.
There’s no overhead required to keep our authentication application updated - Duo provides automatic updates every two weeks, sending the latest security and feature updates to your users’ devices.
Consider it the end of maintenance windows for your in-house IT support. Some vendors release updates only a few times a year, which can leave your organization vulnerable to new exploits.
Duo ensures an uptime exceeding 99.995% with a hard service level guarantee, with premium private hosting available. Duo’s servers are hosted across independent PCI DSS and ISO 27001-certified and SSAE 16 audited service providers with strong physical security, like Amazon.
We provide a high-availability service split across multiple geographic regions, providers and power grids for seamless failover, and our multiple offsite backups of customer data are encrypted.
Duo’s full-time security team is experienced in running large-scale systems security. We employ the world’s top mobile, app, and network security experts, including researchers and engineers who have worked in Fortune 500 companies, government agencies, and financial firms.
Duo builds security into each step of our operations, including customer data handling, code release, upgrades, patch management, security policies and more.
We endeavor to meet compliance standards like PCI DSS, OWASP, ISO 27001, NIST 800 and more. A team of independent third-party auditors regularly audit and review our infrastructure and operations to ensure we’re secure enough to support our customers.
Duo Security’s operational processes are SOC 2 compliant, as determined by an independent auditor.
Duo’s two-factor authentication cryptographic algorithms are validated by NIST under FIPS CAVP. Our NIST certifications are available for review for FIPS 186-3 RSA asymmetric cryptography, FIPS 180-4 SHS/SHA hash families and FIPS 198 HMAC algorithm.