Traditional password authentication has long been recognised as the weak link in the security chain, even before the Heartbleed vulnerability exposed the private keys of millions of servers worldwide. A password the user can easily remember is rarely a good password, while a good password is rarely easy to remember.
Two-factor authentication aims to fix this flaw. The most common implementations mix something you know with something you have: a password and a physical key, which uses a seeded pseudo-random number generator to verify that you are indeed the account holder.
It’s neat, but awkward: the hardware tokens are typically expensive, and different platforms require tokens from different vendors, leading to a full keyring. Duo Security is just one company that looks to solve that issue, and appears to have come closer than most.
Signing up for a Duo Security account is free of charge if you’re looking to protect fewer than ten users. For larger companies, the fee is $1 per user per month for an unlimited number of accounts, while the Enterprise Edition at $3 per user provides access to an application programming interface (API) for integration into bespoke applications.
The API is an especially impressive feature, allowing paying users to quickly add Duo support to their in-house applications. Those who just want to use the software with existing applications will find a long list of supported platforms: source code is provided for integration into Linux and other Unix-like systems, while modules are available to integrate with most brands of virtual private network (VPN) devices and a wide variety of software from the LastPass cloud-based password manager to the popular WordPress blogging platform.
These modules can work independently, verifying the authenticity of each user’s login attempts by sending a text message or making an automated voice call. Doing so uses up ‘telephony credits’, which can be bought in bulk or are automatically regenerated each month for paying accounts.
A better choice is to use the Duo Security smartphone application, available for Android, iOS and BlackBerry 10. This runs in the background and supports push notifications – these notifications can be acted upon with a simple tap.
The Android app is particularly slick: the phone is registered with the Duo Security management site by scanning a QR code, while authentication prompts can be confirmed or denied directly in the notification system without having to load the app itself.
For users who don’t like the idea of tying their security into their smartphones, Duo supports traditional hardware tokens, available from the company for $20 each. A minimum order quantity of 20 units for international orders is somewhat annoying, although any third-party OATH HOTP token – including the popular YubiKey – can be used instead.
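How an OATH HOTP token and a server arrive at the same code, shown as an added example that is not from the original article or from Duo's own code. It implements RFC 4226; the `verify` helper, its look-ahead window size and the shared secret (the RFC's published test secret) are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct

# Constructed sample: the test secret published in RFC 4226, Appendix D.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter position."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks the offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, counter: int, window: int = 3):
    """Check a submitted code against the server counter plus a look-ahead.

    Returns the new server counter on success, or None on failure.
    The look-ahead tolerates button presses the server never saw. The
    counter only ever moves forward, so an accepted code cannot be reused.
    (Hypothetical helper; window=3 is an assumed policy value.)
    """
    matched = None
    for c in range(counter, counter + window + 1):
        # Constant-time comparison; bytes input also tolerates non-ASCII text.
        ok = hmac.compare_digest(hotp(secret, c).encode(), submitted.encode())
        if ok and matched is None:
            matched = c + 1  # next counter the server will accept
    return matched


if __name__ == "__main__":
    server_counter = 0
    # The token button was pressed twice without logging in, so it now
    # displays the code for counter 2 while the server still expects 0.
    token_code = hotp(SECRET, 2)
    server_counter = verify(SECRET, token_code, server_counter)
    print("accepted, server counter is now", server_counter)
    print("replay of same code:", verify(SECRET, token_code, server_counter))
```

A small window keeps the number of codes that are valid at any moment low, which matters because a six-digit code is only as strong as the limit on guesses against it.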
Duo’s SSH server integration is simple yet powerful: compile the software from the provided source code and add it to the SSH config. As the software runs at log-on, users will be prompted to choose a means of authentication: app-based Duo Push, SMS or voice call. If SSH is being called non-interactively, such as by a backup script, Duo recognises this and defaults to the first available authentication method for confirmation.
If there could be anything bad to say about Duo Security, it’s that the administrative website is somewhat user-unfriendly. While packed with features – including detailed logs of all authentication attempts across all services – it’s clearly aimed primarily at enterprise users and may leave home users just looking for a bit of extra security confused. It’s well worth working your way through, though, and once your account is set up you’ll rarely need to visit the site again.
It’s hard to fault Duo Security. While points could be deducted for the software’s lack of an official app for older or more esoteric phone platforms, or its somewhat user-unfriendly master configuration site, its power and flexibility more than make up for this. For home users the free tier will be more than enough to bolster security.