Simple to Scale: Duo Security Uses Android Hardware for Its Own Hack-Resistance

Duo Security has launched a new two-factor authentication service for Android devices that ships with a hardware security module, or HSM, under the hood.

The security firm says that one in two Android phones is susceptible to privilege escalation, a type of exploit that relies on unpatched vulnerabilities in the operating system to access protected system resources. Duo’s technology thwarts this kind of attack by storing user credentials on the HSM, which is out of reach for any hacker “even if the user’s mobile device has been fully compromised.”

“By leveraging the unique hardware security capabilities of modern Android devices, our Duo Push technology is not only the most user-friendly two-factor authentication in the market, but also the most secure,” says Dug Song, CEO of Duo Security. “Duo continues to lead and innovate in mobile security to ensure consumer mobile devices can act as trusted authenticators in the modern enterprise.”

The Ann Arbor, Michigan-based developer saw demand for its two-factor authentication software quadruple in the past year. Duo Security credits this explosive growth to the simplicity of its platform: authentication has traditionally been hard to implement on a large scale, a fact of life that made it too costly for many organizations.

Duo Security disrupted the market with “patent-pending methods” that solve this issue, and quickly caught the attention of CIOs everywhere. The company’s software is used by three of the top five global social networks, as well as Bechtel, Toyota, PwC, Thomson Reuters, Etsy, Duke University and a long list of unspecified SMBs.

Security is a big deal because the bad guys are getting more sophisticated by the day.  Unique methods are required to outsmart the rapid evolution of hacker mentality, and that means Duo Security must truly differentiate itself in the market.

“There are no other authentication vendors employing this hardware-backed security on consumer/commodity mobile devices,” says Jon Oberheide, CTO and co-founder at Duo Security. “Other methods in the market require custom handsets or specialized firmwares that aren’t feasible for broad end-user deployment (e.g. restricted to fedgov, high-security environments).”