Duo Security, a five-year-old, 100-person company that sells its cloud-based two-factor authentication software to thousands of organizations, including Facebook, Twitter, NASA and Uber, has just raised $30 million in Series C funding led by Redpoint Ventures, with participation from Benchmark, Google Ventures, Radar Partners and True Ventures. (The Ann Arbor, Mi.-based startup has now raised around $50 million altogether.)
Last week, we chatted with Duo Security’s cofounder and CTO, Jon Oberheide, about how his company is using mobile devices as a second form of authentication, and what comes next.
Some major company’s information is breached every week it seems, yet there are also other two-factor authentication services out there tackling the problem. What makes yours different?
First, we think the existing security is broken. Underlying information technology has shifted out underneath existing security technologies and they aren’t relevant anymore. In the past few decades, your security model was built within the physical walls of your organization, then people began accessing the same device but they weren’t necessarily in the building, which made phishing for those employees’ names and passwords easy. Poor hygiene across multiple sites was the problem we were trying to solve, and we succeeded in ensuring that your identification couldn’t be stolen.
Then mobile devices came along and now everyone uses their own favorite products.
Yes, and those mobile devices aren’t under the control of an IT administrator. You have these cloud services that are being controlled by third parties. IT departments have gone from saying “no,” to partnering with [various parties] to ensure their [devices’] secure enablement.
And you have a new edition that you say works even better than what your customers have been using. How so?
Our new platform edition allows companies to establish what security policies are acceptable and customize protection at the point of entry. It can stop break-ins regardless of whether hackers have a user’s name or password by analyzing a company’s policies for each log-in attempt, including the location of the user, the reputation of the IP address, and what level of device health they want to admit into their enterprises. It addresses, for example, the employee who might forget his phone at the bar. A company can require that a full encryption and screen lock [are activated] to prevent someone else from picking it up and trying to access corporate information. Or, if you’re a domestic company whose employees primarily log in from Starbucks, you might want to block access to China or Russia, where a lot of hackers come from. You just click a box and it’s done.
How much more will this new edition cost customers?
On a per user, per month basis, we currently charge $3; our platform edition will cost $6 per user per month because we’re providing a lot more value to companies that we think justifies [the price hike].