Duo Push: The Next Generation of Two-Factor Authentication

Wednesday, June 8, 2011

We’re excited to announce that we’ve officially launched Duo Push, a new authentication method that leverages modern smartphones to provide two-factor authentication that is both resistant to the latest threats and actually enjoyable to use!

But first, some background…

When we first started Duo, we set out to create a two-factor authentication platform that was not only secure, but also easy to use and manage. We saw that two-factor authentication technologies were avoided not because they failed to offer an increase in security, but because their cost, management complexity, and user annoyance factor were prohibitively high. In addition, the “one authenticator fits all users” model employed by our competitors (OTP only, phone only, SMS only, etc), just didn’t fit the diversity of the user base needing two-factor authentication.

Fast forward a year. We had developed a modern two-factor authentication platform that was authenticator-agnostic, enabling mobile-generated passcodes on 7 mobile platforms, phone callback, SMS-delivered passcodes, and even hardware tokens. More importantly, our platform was “built for the web,” discarding the traditional legacy interfaces and integration points (“pin+passcode”, on-premise appliances, RADIUS, etc.) in favor of a user-friendly web interface that provided interactive factor selection, self-enrollment, and real-time feedback to the end user.

In my not-so-humble opinion, we had built the best-of-breed platform for strong and usable two-factor authentication.

Introducing Duo Push

However, we still weren’t satisfied. Simply using a mobile application to generate one-time passcodes seemed like an insult to the power, connectivity, and programmability of modern mobile devices. In addition, with the advancement of man-in-the-browser malware that is able to silently manipulate user-initiated transactions (e.g. changing a payee account number on a money transfer), it was clear that something more was necessary to provide assurance in the face of the latest threats.

So, we again set out to develop something that was true to our founding principles, providing both security and usability.

And today, we’re happy to officially launch a new authentication method that represents the next generation of two-factor authentication: Duo Push!

Duo Push leverages the capabilities of modern smartphones to create a more secure and user-friendly two-factor authentication experience. Specifically, Duo Push uses the platforms’ native push notification services (APNS, C2DM, etc.) to deliver real-time notification of transaction and login requests to a user’s smartphone, a secure out-of-band (OOB) communications protocol to show the user the full, verified details of the request as the service received them, and simple one-touch responses that let the user approve or deny the request on the smartphone itself.

The best way to understand how Duo Push works is to see it in action! For our demonstration, let’s use Duo Push as our secondary authentication method when logging in to a Juniper SSL VPN for remote access:

After selecting Duo Push and clicking “Log in”, a push notification is instantly sent to our smartphone. Clicking on the notification brings up the Duo Mobile application and shows the full verified details of the login request. As seen below, we can approve the request if it is indeed authentic or deny the request if it was a mistake or appears to be fraudulent:

Simply tapping the “Approve” button immediately logs us in to the Juniper SSL VPN. No transcribing of passcodes between devices, no answering phone calls, no responding to SMS challenges — just easy, secure, one-touch authentication on the smartphone!
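The exchange described above (a request pushed to the phone, verified and displayed, then approved or denied with one touch) can be simulated end to end. The following is an added example written for this page; it is not Duo’s code and does not reproduce Duo’s actual wire protocol. The message layout, the HMAC-SHA256 signing, the per-device enrollment secret `DEVICE_SECRET`, and the sample users, integrations and payee names are all assumptions constructed for the demonstration. It also goes one step past the login case to show why the out-of-band display matters against man-in-the-browser malware: the phone shows the transaction the service actually received, so a payee rewritten in the browser is visible to the user before approval.

```python
"""Simulated out-of-band push approval (added example, not Duo's protocol)."""
import hashlib
import hmac
import json
import os
import time

# Assumed: a per-device secret shared between the service and the phone app at enrollment.
DEVICE_SECRET = b"enrollment-secret-for-demo-only"
MAX_AGE_S = 60  # requests older than this are treated as stale by the phone


def _canonical(msg):
    # Sorted-key, whitespace-free JSON so both sides MAC exactly the same bytes.
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign(msg, key):
    body = dict(msg)
    body["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return body


def verify(signed, key):
    """Return the message without its MAC if the MAC checks out, else None."""
    body = {k: v for k, v in signed.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("mac", "")):
        return None
    return body


class AuthService:
    """Service side: records pending requests and judges the phone's response."""

    def __init__(self, key):
        self.key = key
        self.pending = {}

    def create_request(self, user, integration, details):
        req = {"id": os.urandom(8).hex(), "user": user, "integration": integration,
               "details": details, "issued": int(time.time())}
        self.pending[req["id"]] = req
        return sign(req, self.key)  # this is what the push service carries to the phone

    def handle_response(self, resp):
        body = verify(resp, self.key)
        if body is None:
            return "rejected: bad signature"
        # Pop, not get: each request can be answered exactly once, which blocks replay.
        if self.pending.pop(body.get("id"), None) is None:
            return "rejected: unknown or already-used request"
        return "approved" if body.get("decision") == "approve" else "denied"


class PhoneApp:
    """Phone side: verifies the pushed request, shows it, and returns a signed decision."""

    def __init__(self, key, intended_details):
        self.key = key
        self.intended = intended_details  # stands in for the user reading the screen

    def on_push(self, pushed):
        req = verify(pushed, self.key)
        if req is None or time.time() - req.get("issued", 0) > MAX_AGE_S:
            return None  # forged or stale: nothing is displayed, nothing is sent back
        # What the screen shows is req["details"], i.e. the request as the service
        # received it, not as the browser rendered it. Approve only if it matches intent.
        decision = "approve" if req["details"] == self.intended else "deny"
        return sign({"id": req["id"], "decision": decision}, self.key)


def login_scenario():
    """The VPN login from the walkthrough: push, one tap, logged in."""
    svc = AuthService(DEVICE_SECRET)
    phone = PhoneApp(DEVICE_SECRET, {"action": "login"})
    push = svc.create_request("alice", "Juniper SSL VPN", {"action": "login"})
    return svc.handle_response(phone.on_push(push))


def mitb_scenario():
    """Browser malware rewrote the payee; the phone shows the rewritten payee (constructed data)."""
    intended = {"action": "transfer", "amount": "500.00", "payee": "ACME Supplies"}
    tampered = dict(intended, payee="Mule Account 4471")
    svc = AuthService(DEVICE_SECRET)
    phone = PhoneApp(DEVICE_SECRET, intended)
    push = svc.create_request("alice", "Online Banking", tampered)
    return svc.handle_response(phone.on_push(push))


def forged_push_scenario():
    """A push signed with the wrong key never reaches the screen."""
    phone = PhoneApp(DEVICE_SECRET, {"action": "login"})
    forged = sign({"id": "ff", "user": "alice", "integration": "VPN",
                   "details": {"action": "login"}, "issued": int(time.time())}, b"attacker-key")
    return phone.on_push(forged)


def replay_scenario():
    """Replaying a captured approval does not grant a second login."""
    svc = AuthService(DEVICE_SECRET)
    phone = PhoneApp(DEVICE_SECRET, {"action": "login"})
    resp = phone.on_push(svc.create_request("alice", "Juniper SSL VPN", {"action": "login"}))
    return svc.handle_response(resp), svc.handle_response(resp)


if __name__ == "__main__":
    print(login_scenario(), mitb_scenario(), forged_push_scenario(), replay_scenario())
```

Two design points carry the weight here: the MAC covers the request details, so what the phone displays is what the service will act on, and the service consumes each request id once, so a captured “approve” cannot be replayed. The enrollment secret, the message fields and the 60-second freshness window are all assumed for the simulation.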

Since screenshots can’t really do it proper justice, we’ll be releasing some videos in the next week or two that really emphasize the fluidity of the authentication process when using Duo Push.

Duo Push is now integrated into our existing Duo Mobile application on the Android and iPhone platforms (BlackBerry and WinMo coming soon) and works seamlessly regardless of whether you’re protecting a web app, VPN device, or UNIX server.

Paired with our existing one-time passcode generation in the Duo Mobile app, you’re now able to use easy two-factor authentication regardless of whether your mobile device is online (Duo Push) or happens to be offline (passcodes) in an area with poor cellular coverage at the time of authentication.

That’s all for now … stay tuned next week to see how Duo Push can protect you against the latest man-in-the-browser threats! If you have any questions about Duo Push, feel free to leave a comment below. And if you’d like to try out Duo Push to protect your web app, VPN device, or UNIX server, sign up today for free!

Copyright © 2021 - Jon Oberheide