When I first heard that a smartphone app was worth more than $2B, I thought it had to be a gaming company. But no, it was Duo Security being bought by Cisco. Duo makes a multifactor authentication (MFA) app that runs on phones and desktops. Certainly, this has to be irrational exuberance, or something, right? Wrong.
Duo has grown to a 700-person company with 12,000 customers by being very clever. Their MFA app at first blush looks like just another authenticator app that is similar to at least a dozen different products (Google Authenticator, OneSpan, Authy, HID Approve, Microsoft, LastPass, SafeNet MobilePass, Sophos, Salesforce and Okta Verify, just to name a few). The way these apps work is that when you try to log in to a particular resource – your cloud drive, your Salesforce app, your Slack community – you see a message on your laptop’s screen that directs you to your phone, where you approve the login and go on your merry way. No typing in those one-time password codes that disappear seconds after you see them. Simple and effective security.
These apps have become popular thanks to the numerous exploits against SMS texts and emails used as the additional authentication factor. You can read my own summary of this issue in a blog post I wrote for iBoss last year. But we aren’t really looking at the real value add of Duo. The Duo acquisition works out to about $200 per customer. Given that the top tier plan for Duo costs about $100/user/year, that math makes sense if you are in this business for more than a couple of years, and certainly Cisco has plenty of patience and cash. But the simple math is still missing the point.
Cisco is buying Duo not because of their app – which is a nice app – but because they need to have something to deliver an entirely new access management ecosystem. Remember Network Access Control (NAC) from back in 2006 or so? Back then, Cisco's was one of three major industry efforts to try to standardize this particular market segment. All three more or less fizzled, although NAC still lives on with Forescout and Portnox products, and a (growing but still) little-used Cisco product called Identity Services Engine.
The entire Duo ecosystem is based in the cloud, with one important exception: its app. Although it is called an authenticator app, it is really a Trojan Horse (and I don’t mean in the malware context, but the original Homeric one) for NAC, identity management, and Bring Your Own Device mobile management all rolled up into one. (See the screenshot of one of its numerous management screens below.) The app is really Duo’s agent.