Interview with Jim Simpson, Director of Product Management at Duo
Back in 2011, LuxSci integrated Duo.com’s advanced two-factor authentication into our WebMail service. Any LuxSci customer can use Duo.com to protect their WebMail, as well as their admin access to LuxSci. This all comes at no extra cost.
We use Duo’s authentication ourselves to protect administrative actions, both at the server command line and through the web interface. A strong two-factor system such as Duo.com raises the bar considerably: a stolen or phished password on its own no longer grants access. PCI DSS requires multi-factor authentication for remote and administrative access to the cardholder data environment, and two-factor authentication also supports the access-control safeguards that HIPAA requires.
Duo’s newer Duo Access service extends this from verifying users to checking the devices they log in from, so corporate security policy can be enforced at the point of access rather than trusted after the fact. Duo’s Jim Simpson has taken some time out of his schedule to answer some questions for us and discuss the details of their service.
What is your name, title, and role at Duo.com? How long have you worked there?
I’m Jim Simpson, the Director of Product Management, and I’ve been at Duo 6 years.
How and when did Duo.com start?
We have been around since December 2009, so about 7 years.
What is wrong with the typical method of using SMS / text messages for a second factor?
One of the biggest problems is that SMS messages can be intercepted. The simplicity of text messages makes them useful for some types of authentication, but it all depends on the risk profile. At the end of the day, you have to balance risk with ease of use. The decision of whether SMS is secure enough for a given situation is really up to the administrator.
Duo.com allows companies to select from many different second factors: SMS, phone, token, mobile app, etc. How do these rank in terms of security?
U2F tokens are the most secure, because they are unphishable. After that would come Duo Push, followed by the other methods.
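The ranking above rests on a property a practitioner should be able to see for themselves: a U2F or FIDO2 credential is bound to the site it was registered for, and the origin the browser observed is covered by every signature, so a look-alike domain cannot obtain a usable response. The Go program below is an added example written for this article, not code from Duo or LuxSci, and is a simplified model of the assertion flow rather than an implementation of either specification. It shows three independent points at which a phishing page fails: the browser refuses to request a credential for an rpID that does not match the page, the authenticator has no key for the phishing site’s own rpID, and a relying party rejects a genuine signature whose signed client data names the wrong origin. Assumptions (all constructed for the example): the host names login.example.com and login-example.com, the exact-host rpID rule (real browsers use a registrable-suffix rule), the signed message layout (real WebAuthn signs authenticatorData || SHA-256(clientDataJSON)), and every function and type name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is assembled by the browser, not the page: Origin is the page's real URL.
type clientData struct{ Challenge, Origin string }
type assertion struct{ ClientDataJSON, Signature []byte } // authenticator's reply, relayed by the page
// authenticator models a security key holding one P-256 key pair per relying party ID.
type authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func newAuthenticator() *authenticator { return &authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// register mints a credential scoped to rpID; the server stores the returned public key.
func (a *authenticator) register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // RNG failure: nothing sensible to do in a model
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// signedDigest is what both sides sign/verify: SHA-256(SHA-256(rpID) || SHA-256(clientDataJSON)).
// Because clientData is covered, the origin the browser recorded is bound into the signature.
func signedDigest(rpID string, cdJSON []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}

// sign refuses when no credential exists for rpID: each key is scoped to one site.
func (a *authenticator) sign(rpID string, cdJSON []byte) (assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return assertion{}, errors.New("authenticator: no credential registered for " + rpID)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, cdJSON))
	if err != nil {
		panic(err)
	}
	return assertion{ClientDataJSON: cdJSON, Signature: sig}, nil
}

// signFor is a client with no rpID check; it models a hypothetical broken client relaying a phish.
func signFor(origin, rpID, challenge string, auth *authenticator) (assertion, error) {
	cdJSON, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return auth.sign(rpID, cdJSON)
}

// browserGet models navigator.credentials.get(): the browser refuses an rpID that does not
// match the page (simplified here to an exact host match) and records the page's true origin.
func browserGet(pageOrigin, rpID, challenge string, auth *authenticator) (assertion, error) {
	if pageOrigin != "https://"+rpID {
		return assertion{}, fmt.Errorf("browser: rpID %q is not valid for page %q", rpID, pageOrigin)
	}
	return signFor(pageOrigin, rpID, challenge, auth)
}

// verify is the relying party's check: challenge, origin and signature must all match.
func verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, challenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("server: challenge mismatch (stale or replayed assertion)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("server: origin %q does not match expected %q", cd.Origin, expectedOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(rpID, as.ClientDataJSON), as.Signature) {
		return errors.New("server: bad signature")
	}
	return nil
}

// login runs one exchange: the server for rpID issues a challenge, the page at pageOrigin obtains
// an assertion through client (browserGet, or signFor for the broken-client case), and the server
// verifies it. A non-nil error is a refused login.
func login(auth *authenticator, pub *ecdsa.PublicKey, rpID, pageOrigin string,
	client func(origin, rpID, challenge string, auth *authenticator) (assertion, error)) error {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return err
	}
	challenge := fmt.Sprintf("%x", b)
	as, err := client(pageOrigin, rpID, challenge, auth)
	if err != nil {
		return err
	}
	return verify(pub, rpID, "https://"+rpID, challenge, as)
}
```

Calling login with browserGet from https://login.example.com succeeds, while the same call from https://login-example.com fails at the browser, a request for the phishing site’s own rpID fails at the authenticator, and a relay through signFor fails at the server’s origin check even though the ECDSA signature itself is valid. Contrast this with an SMS or TOTP code, which carries no notion of which site it was typed into and so verifies equally well when relayed by a proxying phishing page.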
Can you briefly highlight some of the aspects of Duo.com two-factor that really make a difference for administrators?
Ease of deployment and ease of maintenance are the most critical parts for administrators. The versatility of Duo’s granular controls for managing risk between users, devices, and applications is important as well.
The need for multiple authentication factors is really a symptom of the security problems involved with passwords. What do you see as the future of passwords and the evolution beyond them?
Authentication technology will continue to evolve to provide stronger attestation that a user is who they claim to be. It will also get completely out of the way of the user at some stage. Continuous and passwordless authentication will also come into focus in the next year.
At LuxSci, we use our same Duo.com logins to protect access to support-level functionality, to UNIX logins, and to WordPress blogs. What types of devices and applications are integrated with Duo.com?
Duo supports a tremendous number of applications. We recognize that our customers have a diverse product stack, so we look to cover as much as possible, both on-premises and in the cloud. We leverage open protocols to support applications where we don’t necessarily have a native integration. You can see all the things we support on our documentation page at http://duo.com/docs/.
A new service offered by Duo.com is “Duo Access” which allows administrators visibility into the software and configurations of their users’ desktop and mobile devices. Can you describe how Duo Access works?
Duo Access validates that users are who they say they are. It also ensures that devices match a certain level of security hygiene before it grants access to the applications they need. As end users access applications, we gain insight into their devices. This allows administrators to set custom security policy on a per-app, per-group, or combined basis, in a way that meets their overall security profile.
Duo Access seems like a significant and unique way to allow corporate security administrators to enforce aspects of device and BYOD security policies. Can you elaborate on this? What other applications are you seeing for Duo Access?
Duo Access gives administrators the ability to protect their cloud and on-premises applications, as well as helping to manage the BYOD environment. This gives them the same level of control that they had when everyone worked on site, and used applications inside the building or corporate-issued devices.
Compliance laws such as HIPAA put a strong emphasis on access control and logging. How can Duo.com assist companies in meeting their compliance needs?
Duo can be used to meet a variety of compliance requirements. You can read the specifics in our case studies.
Use of Duo.com for two-factor access for up to 10 users is free. This really enables small businesses to upgrade to a strong level of access control at no cost. What does Duo.com pricing look like in general?
This is a really easy question to answer! Check out our pricing page here: https://duo.com/pricing.
What is on the horizon for Duo.com? What can we look forward to in the next year?
Duo is working to build on our new edition, Duo Beyond. We will also continue to strengthen Duo Access, and maintain the world’s easiest MFA experience with Duo MFA.