Duo’s Security & Reliability
We obsess about security so you don’t have to.
At Duo, we take security very seriously, and protecting our customers is always first priority. Here’s how we do it.
Duo’s solution is designed with security in mind - it uses asymmetric cryptography, so only the public key is kept on our servers, while the private keys stay on your users’ devices.
That means, if Duo were compromised, attackers would only have access to public keys, which is not enough to get into your accounts: a public key can verify a device’s response, but it cannot produce one. Your logins would also stay safe, since Duo doesn’t store your usernames or passwords.
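As an added illustration (not Duo’s code, and not a description of Duo’s actual wire protocol, which this page does not detail), the following Go program plays out the split the paragraph describes: the key pair is generated on the device, the server enrolls only the public half, and a login is a signed challenge the server checks against that public key. It then shows what an attacker who has dumped the server’s key store can and cannot do, and why the server must issue a fresh nonce per attempt. The device identifier "phone-1", RSA-PSS over SHA-256, 2048-bit keys and 32-byte nonces are assumptions for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device models an enrolled phone: the private key is generated here and never leaves it.
type Device struct{ priv *rsa.PrivateKey }

// Server models the service: it stores public keys only, so a breach exposes nothing more.
type Server struct{ pubKeys map[string]*rsa.PublicKey }

// NewDevice generates a 2048-bit RSA key pair on the device (key size is an assumption).
func NewDevice() (*Device, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// Enroll registers a device's public key; only the public half crosses the wire.
func (s *Server) Enroll(deviceID string, pub *rsa.PublicKey) { s.pubKeys[deviceID] = pub }

// NewChallenge issues a fresh 32-byte nonce per login attempt; freshness is what defeats replay.
func (s *Server) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Respond signs SHA-256(challenge) with RSA-PSS using the device's private key.
func (d *Device) Respond(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, d.priv, crypto.SHA256, digest[:], nil)
}

// Verify checks a response against the public key stored for deviceID.
func (s *Server) Verify(deviceID string, challenge, response []byte) error {
	pub, ok := s.pubKeys[deviceID]
	if !ok {
		return errors.New("unknown device")
	}
	digest := sha256.Sum256(challenge)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], response, nil)
}

// ScenarioResult records which login attempts the server accepted.
type ScenarioResult struct {
	Legitimate bool // the enrolled device answers the current challenge
	Forged     bool // an attacker holding only the stolen public key signs with a key of their own
	Tampered   bool // a genuine response with one bit flipped in transit
	Replayed   bool // a genuine earlier response presented for a new challenge
}

// RunScenario enrolls one device and plays the four attempts above; only the first should pass.
func RunScenario() (ScenarioResult, error) {
	var r ScenarioResult
	device, err := NewDevice()
	if err != nil {
		return r, err
	}
	attacker, err := NewDevice() // the attacker's own key pair, unrelated to the device's
	if err != nil {
		return r, err
	}
	server := &Server{pubKeys: map[string]*rsa.PublicKey{}}
	server.Enroll("phone-1", &device.priv.PublicKey) // "phone-1" is an assumed device ID

	c1, _ := server.NewChallenge()
	resp1, err := device.Respond(c1)
	if err != nil {
		return r, err
	}
	r.Legitimate = server.Verify("phone-1", c1, resp1) == nil

	c2, _ := server.NewChallenge()
	forged, _ := attacker.Respond(c2)
	r.Forged = server.Verify("phone-1", c2, forged) == nil

	tampered := append([]byte(nil), resp1...)
	tampered[0] ^= 0x01
	r.Tampered = server.Verify("phone-1", c1, tampered) == nil

	c3, _ := server.NewChallenge()
	r.Replayed = server.Verify("phone-1", c3, resp1) == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted: legitimate=%v forged=%v tampered=%v replayed=%v\n", r.Legitimate, r.Forged, r.Tampered, r.Replayed)
}
```

Running it prints `accepted: legitimate=true forged=false tampered=false replayed=false`. The point a practitioner should take from the forged and replayed cases is that the server-side secret is the nonce, not the key: the public key store can be published without loss, but a server that reuses challenges, or accepts a response for any challenge but the one it just issued, turns a captured response into a reusable credential.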
There’s no overhead required to keep our authentication application updated - Duo provides automatic updates every two weeks, sending the latest security and feature updates to your users’ devices.
Consider it the end of maintenance windows for your in-house IT support. Some vendors release updates only a few times a year, which can leave your organization vulnerable to new exploits.
Duo guarantees uptime exceeding 99.995% under a hard service level agreement, with premium private hosting available. Duo’s servers are hosted by independent service providers, such as Amazon, that are PCI DSS and ISO 27001 certified, SSAE 16 audited, and maintain strong physical security.
We provide a high-availability service split across multiple geographic regions, providers and power grids for seamless failover, and our multiple offsite backups of customer data are encrypted.
Duo’s full-time security team is experienced in securing large-scale systems. We employ leading mobile, application, and network security experts, including researchers and engineers who have worked in Fortune 500 companies, government agencies, and financial firms.
Duo builds security into each step of our operations, including customer data handling, code release, upgrades, patch management, security policies and more.
We endeavor to meet compliance standards and guidance such as PCI DSS, ISO 27001, the NIST SP 800 series, OWASP and more. A team of independent third-party auditors regularly audits and reviews our infrastructure and operations to ensure we’re secure enough to support our customers.
Duo Security’s operational processes are SOC 2 compliant, as determined by an independent auditor.
Duo’s two-factor authentication cryptographic algorithms are validated by NIST under the FIPS Cryptographic Algorithm Validation Program (CAVP), and they also use a FIPS 140-2 CMVP-validated OpenSSL library. Our NIST certificates are available for review for FIPS 186-3 RSA signatures, the FIPS 180-4 Secure Hash Standard (SHA) hash families and the FIPS 198 HMAC algorithm.
Duo self-certifies compliance with the U.S.-E.U. and U.S.-Swiss Safe Harbor Frameworks set forth by U.S. Dept. of Commerce for the handling of personal data from the European Union and Switzerland. View our certification.
Learn more about the Safe Harbor principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement at http://www.export.gov/safeharbor.