Security & Reliability
Protecting our customers is our first priority and highest mission.
To ensure the security and reliability of our service, we’ve focused our efforts in three key areas: people, process, and technology. With users in mission-critical environments in 42 countries, and uptime exceeding 99.995% since 2010, we’re proud to be able to back our claims with a hard service level guarantee, independent third-party monitoring, and bounties for any reported security issue.
Duo employs a full-time security team with operational experience in large-scale systems security (e.g. site security for 40,000 users, data protection for 5 million users, etc.). Our team also includes some of the world’s foremost experts in mobile, application, and network security. Our founders have been responsible for some of the seminal academic and industry advancements in firewall, IDS/IPS, DDoS, and anti-malware technologies; groundbreaking research in OS and mobile platform security; and open-source security technologies used the world over (OpenSSH, OpenBSD, Linux, etc.)
Every aspect of our operation is designed with security in mind, from our handling of customer data, to the code release, upgrade, patch management, and operational security practices incorporating relevant security, policy, and evaluation frameworks such as PCI DSS, Shared Assessments, OWASP, ISO 27001, NIST 800 series, and other best practices and meaningful standards.
Our security processes and architecture have been reviewed and audited by independent third parties including Matasano Security and iSEC Partners on behalf of the discerning, billion-dollar global enterprises we’re honored to have as customers, and the hundreds of smaller customers we’re proud to support.
Duo is secure in both design and implementation. From modern exploit mitigation and defensive programming techniques, to time-honored least-privilege, data classification, and compartmentalization strategies, every component of our technology and infrastructure is the result of a careful, considered, approach to secure systems design and engineering.
- Duo is hosted across multiple, independent PCI DSS Level 1 and ISO 27001-certified, SSAE 16-audited service providers with strong physical security (and no public datacenter access) such as Amazon. We also offer private hosting as a premium service for customers with data jurisdiction or classification requirements.
- Our scalable, high-availability service is split across multiple geographic regions, service providers, and power grids for seamless failover
- Only device identifiers (e.g. phone numbers), and no personally-identifying information about users is ever gathered by Duo
- Multiple offsite backups of customer data are strictly maintained in encrypted form
- All Duo integrations are mutually-authenticated and speak over SSL-encrypted channels to Duo’s hosted service
- Duo’s authentication, by design, is completely independent of your primary credentials. Even if Duo were to be compromised, your logins would still be safe since no primary authentication would be exposed.
Certifications and Third-Party Attestations
Duo's cryptographic algorithms used for our two-factor authentication service have been validated by NIST under FIPS CAVP and leverage the FIPS 140-2 CMVP-validated OpenSSL library. Our NIST certifications are publicly available for review for FIPS 186-3 RSA asymmetric cryptography, the FIPS 180-4 SHS/SHA hash families, and the FIPS 198 HMAC algorithm.