A Little Software with a Big Punch: Duo Seems to be Taking Higher Ed by Storm

For the past six weeks, I have been conducting interviews with Higher Education Chief Information Officers and their teams in charge of Identity & Access Management (IAM). I’m in my first phase of primary research for an Identity and Access Market Report that we will be publishing in Q1 2018. In a nutshell, Identity and Access Management covers your people security—how you define an “identity,” provisioning/deprovisioning, who is accessing what, what rights they have to access that information, etc. It also covers password management (including reset) and two-factor and multi-factor authentication methods, among some other attractive capabilities.

Many things have differed across my interviews (staffing models, policies, budgets, maturity of the overall IAM program, open source vs. homegrown vs. enterprise system), but a few trends have already begun emerging. One item has stood out like a flashing neon sign: almost every institution (private, not-for-profit;  2-year public; 4-year public) I spoke with is either considering purchasing, has purchased, or is in the process of actively rolling out Duo, a two-factor authentication solution. (Keep in mind that this is anecdotal until proven otherwise; I’ve conducted about 12 interviews so far).

First, before we get into the growing popularity of this tool, let’s review what two-factor authentication is. Two-factor authentication means that in order to access internal systems, you must demonstrate something you know (i.e. a username and password) along with something you have (i.e. Duo Mobile application installed on your phone to validate an authentication request). You are probably already quite familiar with two-factor authentication; you do it every time you go to an ATM and enter your debit card and pin number.

Now, let’s explore why Duo seems to be so well known. One reason may be that Internet2’s InCommon Federation has partnered with Duo to bring the solution to Higher Education at an affordable rate, and the pricing tiers are based on IPEDS enrollment level. (You can learn more here). Even institutions that are not part of Internet2 have rolled out Duo, so I began asking those schools very direct questions about why. The answer? The solution is good; the pricing is great; and the licensing model is FANTASTIC. I have not yet personally seen a Duo contract, but the feedback I received indicated that this SaaS contract is built around the needs of higher education (unlike a lot of other vendors). Roll out times across campuses seem to typically happen in a multi-step process across constituents; some institutions even offer an “opt-in” program and allow their constituents to choose whether or not to use Duo. Duo has been able to build an impressive reputation in higher education as an enterprise class security company; according to their website, “Duo is the fastest growing SaaS security company, tripling year over-year for three years in a row.” Duo also works with Yubikeys, a hardware token, to create even stronger multi-factor authentication.

Look for another post coming up soon on Yubikeys and their use in higher education. If you want to know more about Duo and larger IAM trends in Higher Education, look for the upcoming IAM Market Trends Report or contact Katelyn Ilkani. In the meantime, we’d like to hear from you and your journey with two factor or multi factor identification, or your overall Identity and Access Management program.