Duo Security brings its two-factor authentication app to users' wrists, adding a new modality for strong security.
The Apple Watch could become an important new ally in the continued fight to secure user identities online—that is, if Duo Security
has anything to say about it. Duo Security today officially announced that its Duo Mobile two-factor authentication app is coming to the Apple Watch this week.
With two-factor authentication, a user requires an additional factor or password to access a site or service. The general premise is that while a single password can be stolen, a second factor makes it more difficult for an attacker to steal a user's credentials. Duo Security has a platform that is available in multiple deployment methods to help enable two-factor authentication mechanisms.
Duo's Mobile app has several options for two-factor authentication. One is the generation of a one-time password that a user needs to copy/paste into a service in order to gain access. The other method is a push notification that verifies that a user has requested access to a given site.
"We envision push as the fastest and primary use case for the Apple Watch," Omar Abduljaber, software engineer at Duo Security, told eWEEK
Duo is making use of the taptic sensation on the Apple Watch such that users can simply tap a button to gain access for a push two-factor verification notification. Abduljaber explained that users can't copy the passcode on the watch, though they can type the passcode displayed on the watch to their log-in prompt. As such, Duo made the passcode font very big so users can read it, if they choose to manually enter it into another device for access.
Given that the Apple Watch needs to be paired with an iPhone work, the Duo log-in request notification could appear on either device. Abduljaber noted that based on best judgment, Apple's IOS operating system decides where the notification goes.
"For example, if my phone is in my pocket, the notification will go to my watch," Abduljaber said. "However, if I was using my phone (screen unlocked), the notification will go to my phone."
The process by which Duo Security's Apple Watch version of Duo Mobile was created was not an initial direct product effort from the company. Abduljaber said he built the initial project for Duo Hack Day, which is a day Duo sets aside each quarter to encourage employees to break things, build things and work with teams they don't normally engage with. Often the side projects end up as features in Duo's products, he said.
"I experimented with an update for Apple Watch at our latest Duo Hack Day, using XCode," Abduljaber said. "It received such great feedback internally that we decided to make it real."
The process by which Duo Mobile for Apple Watch was built was not an overnight success either. Abduljaber said the initial version had a lot of issues, mainly due to the high security of Duo Mobile, and so multiple iterations were built slowly over several months.
"The current version was built when we were invited to test our app at Apple's headquarters," he said. "It was rewritten on the weekend from April 3-6 right before our Apple lab session on the 7th. During the lab session, we tested and polished the finished app and spoke with Apple engineers to make sure we're following best practices for Apple Watch apps."
Overall, Abduljaber emphasized that Duo Security's goal is to make authentication as easy and painless as possible. The basic idea is that the easier it is to deploy two-factor authentication, the more people will use it and the more secure users will be. He added that the Apple Watch experience is also a bit more personal.
"The Taptic Engine in the Apple Watch doesn't feel like a vibration; it feels like a tap on your wrist," Abduljaber said. "So when you log in to an application, it's almost like someone taps you asking, 'Was that you?'"
The new Duo Mobile 3.8 release with Apple Watch support is set to be available in the Apple App Store by the end of this week.
Sean Michael Kerner is a senior editor at
InternetNews.com. Follow him on Twitter @TechJournalist.