
How Duo first won in Multi-Factor-Authentication and later in Zero Trust

This article is part of François Dufour’s “New Category or not?” series on positioning and category creation in B2B. There, founders and CMOs reflect on their positioning, category-naming journeys, and decisions. 

How do you win SMB and mid-market segments in an established category dominated by an 800-pound gorilla? 

What category do you select once you have more product lines and want to expand your TAM?

What role can your brand and experience teams play in that journey? (hint: massive) 

Jon Oberheide, co-founder and former CTO of Duo Security, reflected back on the journey that took Duo from creation in 2010 to an acquisition by Cisco for $2.35 billion in 2018. Pete Baker, former Head of Design at Duo, joined that conversation as well.

Key takeaways:

  • Duo started as a pure player in Multi-Factor Authentication. They joined that large established category and "democratized" it, focusing on capturing security’s “underserved segments”: SMB and mid-market
  • They obsessed over making their tech easy to use and deploy to “surf the wave of distaste” of the category and enlist both users and buyers in securing their organization
  • Emphasizing their story, bringing consumer-grade design to enterprise-grade products, and communicating with personality and authenticity were huge differentiators. They hired from outside the security industry to bring fresh thinking and shake up the industry
  • Later, as they saw the opportunity to expand their product line and TAM, they associated themselves with Zero Trust, an emerging but then “muddy” philosophy in security, and helped define it as a category instead of creating a brand new one or joining Identity Access Management that was not playing to their strengths

What was the initial vision behind Duo, what category did you decide to play in, and what were your key challenges?

Jon: Duo was born from a desire to make the Internet a secure place. Our mission was to protect the mission of our customers by making security simple for everyone. My co-founder Dug Song and I wanted to bring accessible security to underserved markets, those at or below the “security poverty line”. We decided to play in the Two-Factor (therefore our name, Duo) then Multi-Factor Authentication category (MFA) and to bring it to the SMB and mid-market. These companies would typically have one person in charge of IT - network, help desk, and whatever infrastructure they had - security, and facilities. So they had little bandwidth for buying and deploying the security products of the time. 

Pete: Act I was not easy, even though MFA was the easiest product to explain in the world. You could demonstrate it with two hands: 1) I log in on one thing, and 2) my phone pops up and says “Was that you logging in?”. People got it immediately. But the challenge was that MFA was a hard category to get anyone excited about.

Jon: Yes, our product category was universally hated and reserved only for Fortune 100 companies and their privileged access users. RSA owned the authentication market. This is back when we carried around RSA hardware tokens. It was associated with pain, friction, and cost. We set out to convince customers that our technology could actually be easy to use, adopt, manage, and deploy.

How did you end up dominating the two-factor authentication category in your target segments then?

Jon: We stayed focused on winning the low end of the market. We thought that RSA’s channels could not reach that low. We obsessed over the user experience: ease of use and deployment was always our differentiator. Our buyers were super close to the users and we couldn’t expect all of them to carry a key fob. We also designed a high-velocity and inbound PLG and sales motion. People call that Product-Led Sales today. That forced us to build something super simple and easy. 

Pete: We were riding a “wave of distaste”.

“Frustrate the bad guys, not your users” and “Security that does not suck” became our rallying cries. We all cared about user experience and we built this culture of violent love of the product, the company, and the brand.  

We positioned Duo as one of the only, if not the only, user-centric and usable security products at the time. As this evolution to remote work and hybrid employees became new problems, user-friendly software was the solution to avoid going back to the old way of bunkering down the firewall. Duo was one of few companies in security at the time that really made user empathy and highly designed products central to the company's value proposition. We had to make a product that our customers' employees would be willing to install on all of their devices, even their personal phones, and welcome the security, rather than resist it.

We encouraged prospects to sign up for a trial, enroll themselves and two coworkers, and set up the product on their Unix server. Their eye-opening moments confirmed that our product was completely different and easy to use.

Jon: We were really at the confluence of two massive trends: cloud and mobile. They made us super relevant and made our user experience so easy that we managed to reach the Enterprise as well. MFA was a $2 billion market: big, but not that big.

What we may not have realized at the time, was that we were creating a much larger TAM, because our ease of use brought new customers to that category. Those that the existing products just couldn't serve.

[Figure: Duo’s homepage in 2014, already focusing on showing a simple MFA experience]

Later, you decided to join and define the Zero Trust category, beyond MFA. Why and how did that happen?

Jon: Around 2015-2016, we had to decide: do we keep doubling down on MFA and possibly extend it or further expand our product line and choose another category?

We were doing fine in MFA, successfully growing upmarket, expanding internationally, and going deeper into verticals - healthcare, education, and government. That was actually a debate that we had every year during our strategic planning: are we just the vacuum that just sucks up all of the RSA revenue or should we do more? 

We knew that we were ideally positioned to address securing access in the new world of cloud, mobile, hybrid users (first-party employees, contractors, third-party vendors), hybrid devices (corporate managed devices, BYOD, IoT), and hybrid applications (on-prem, cloud, and everything in between). Connecting those users with their devices through applications looked very different in this new cloud and mobile world. We decided to go after a bigger opportunity than MFA and got into additional adjacent product spaces, such as single sign-on and endpoint security, always through the perspective of user convenience and security. 

What category was the right one for us then? We considered playing in Identity Access Management (IAM), which was growing in importance, with Okta leading the charge. As we moved further upmarket, analysts were becoming more important and we knew that Gartner was going to stop covering MFA. However, we were not convinced that participating in their upcoming IAM Magic Quadrant aligned with our worldview. 

Then, we saw that, at the time, more CISOs were looking into Zero Trust and at other blended methodologies of securing modern networks, like Google's BeyondCorp, Google’s own internal blueprint for enabling stricter access security that enabled more hybrid workforces. Then Forrester embraced and promoted Zero Trust. If you knew what it was, it was easy to understand. However, if you didn't know, it was complicated. Zero Trust was muddy. It was not a product, not a category, but a philosophy that basically meant “don't trust anybody”.

Pete: Zero Trust was the buzziest term and the topic du jour for four years. That let everybody claim they were doing it because it wasn't clearly defined.

The confusion was great for us and we decided to jump in, partly because of the strength of our brand storytelling. It allowed us to educate users about the devices and apps they access without using industry jargon since we knew how to do that so well.

We showed that users were helping with security instead of being mandated to help top-down. We were educating and empowering users. We talked a lot about deputizing users, so they are part of the security team without being security experts. We used the more descriptive term "Unified Access Security" to describe our solutions - because we were all about clarity - but really embraced delivering Zero Trust in an approachable fashion.

[Figure: Section of Duo's homepage at the end of 2018, explaining how to implement Zero Trust with their tools, in simple terms]

You always believed in investing in brand and user experience. What drove that conviction and how did you win there?

Jon: We made a significant design and brand investment that Pete and the creative team were able to create and nurture.

For Duo, it was clearly “brand before pundits and analysts”, because we were targeting SMBs and mid-market, where analysts are less influential.

In some ways, AR/PR was an afterthought for us, whereas the brand was front and center. It was an authentic brand promise of the customer's experience of our product and every touch point with our company. AR/PR can be a good amplifier of success, but you can't manifest it out of thin air, regardless of the bucket and quadrant you convince analysts to put you in. When 4 out of 5 of your CISO peers recommend Duo, it doesn't matter what Gartner says. And with an NPS that was 70+, that customer love was real!

Pete: Even more than the creative ways we marketed ourselves, what resonated most with our audience was our identity; our story; the reason Duo existed. Recognizing and calling out the fact that "security just sucks” was a major motivation for our team. It attracted some of our earliest customers.

Empathizing with the people tasked with rolling out crappy tools (with dubious effects) and actually caring about the people those crappy tools were forced upon was not a muscle that was exercised very much in the industry.

Emphasizing that story, bringing consumer-grade design to enterprise-grade products, and communicating with personality and authenticity were huge differentiators for us. 

It’s always been bizarre to me that the security industry has one of the more interesting and vibrant subcultures (see any DEFCON conference) but the galaxy-brain hackers and researchers that hated going to an RSA Conference, and *never* wanted to hear a sales pitch, were completely ignored by the major companies in the industry. Our marketing, website, and content were built on providing the right information (and trials) for that audience to self-determine if our product was for them because that’s how *we* bought software too.

We also created sub-brands - Duo Labs and Decipher - to have an even more specific conversation with even more ingrained security audiences: researchers and journalists. Rather than confuse the product story that the blog was for with tech notes for a very different audience, we let the researchers publish whatever they wanted on a separate imprint, with their own logo, swag, and brand, so their contemporaries at conferences knew they were there for deeply technical interests, not to sell anything.

But I think it all actually started with bringing together, early on, a bunch of people that *weren’t* steeped in the security industry, and didn’t know how things in the industry had always worked and brought ideas that seemed obvious to us but were fairly radical to the incumbents.

Being real people, communicating well and openly, and being the first to say what our product doesn’t do, as much as what it does. That simple stuff went a long way.

Jon, how did you justify the focus and investment in brand to the board?

Jon: It didn't require much justification... We were tripling ARR and doubling headcount each year, so having a few more headcounts in our creative team than the average startup wasn't a headline conversation with the board.

It's the kind of ROI that is so obvious that it's not worth the squeeze of trying to measure.

What do you see as the next evolution in these security categories?

Jon: We still believe in user empowerment and user centricity. When users select and bring more and more apps into an organization themselves, often without their IT and security team’s knowledge, users have to be part of the effort to improve their organization's security posture. 

So, if Act I was MFA and Act II was Zero Trust, we believe there's an Act III underway now: further enlisting users in a company’s security effort. That’s why I've invested in Push Security and joined their board. Pete is also an investor in Push and even designed their new brand and visual identity. Push helps IT and security teams quickly understand what SaaS apps their employees tried or bought to do their job, analyzes their security posture, and enlists users to adopt good security practices such as setting up MFA, using strong passwords, and more. It prompts them with messages in Slack or Teams or notifications via browser plug-ins with simple and timely education. As Duo did before them, they focus on ease of use and helping security teams and users work better together. That’s bringing security to all. Like Duo did.