US-based two-factor authentication provider Duo Security announced this morning that it is in talks to be acquired by networking giant Cisco. According to Duo’s press release, Duo will become a “business unit” under Cisco’s Security Business Group, and current Duo CEO Dug Song will become the unit’s general manager.
Ars is a happy Duo customer, and we use the product extensively to apply 2FA to a variety of our internal services; beyond that, several Ars staffers (myself included) use Duo’s free tier to wrap 2FA around our own personal stuff, like Linux PAM authentication and Mac/Windows logins.
Duo’s flexibility and ease of use has been a huge driver of success for the company, which says it has about 12,000 customers.
But the worry here is that Cisco is going to murder the golden goose—and, as a former Cisco customer, I’m struggling to feel anything but dread about all the ways in which this acquisition might kill everything that’s good about Duo.
Duo boss says not to worry
In an email to Duo customers this morning, Duo CEO Dug Song attempts to address fears like mine in the very second paragraph:
If you read nothing else, please read this: our commitment to provide you with the service and functionality you have been accustomed to will not change. We will also be continuing to expand our library of integrations and innovative solutions to ensure your security choices remain the most loved in the industry.
I know this is supposed to make us feel better, but it’s a lawyer-friendly non-statement that doesn’t actually assure anyone of anything meaningful. “ [emphasis added] to provide you with the service and functionality you have been accustomed to will not change” is shameful corporate doubletalk. Duo’s “commitment” is immaterial to this discussion. Saying “our commitment to provide you with the service and functionality you have been accustomed to will not change” is from actually saying “the service and functionality you have been accustomed to will not change.”
I’ve reached out to Duo’s press office seeking comments about the acquisition, but Duo had not responded at publication time. I’ll update this piece with the company’s comments if it does.
My peril-sensitive sunglasses just went dark
Maybe I’m just overreacting. Maybe everything’s going to be fine. Consumer-facing brands like Linksys have been getting along well under Cisco for the past few years—at least after this idiocy, right?
I’d love for that to be the case, but I just can’t find the hope within me. I spent a decade as a Cisco enterprise customer, elbows deep first in Cisco MDS9500-series SAN directors and then later in NX-OS powered converged switches, and my personal experience with Cisco was overall profoundly negative, even though I was working for a Fortune 25 company with all the extra sales and support attention that warranted.
In my opinion—which is informed by my own anecdotal experience—Cisco belongs on the same shelf as Oracle when it comes to businesses that exhibit a profit-above-all-else mindset. From my point of view as an enterprise customer, Cisco consistently came across as unswervingly committed to revenue extraction at every single point in its relationship with a customer. The company’s per-feature licensing was (and remains) so expensive and so complex that the whole product portfolio seemed designed around creatively separating customers from their capital and actual network/SAN administration a distant second.
The yawning abyss of suckification
When the news broke this morning, I had a brief and despairing conversation in Ars Slack with Jason Marlin, Ars’ technical director-in-chief. We’d just seen the emails and had both independently had the same initial reaction of dismay:
The concerns we had—articulated above, complete with swears for emphasis—can broadly be packed together under a single scary prediction: Cisco is going to screw up Duo by turning it into a Cisco-style product. Jason’s “gross Java applet” comment was mostly in jest—dear God in heaven, please let that not come to pass, because I already have to keep a dedicated virtual machine around loaded with Java so that I can manage my Web server’s ASA box—but the Cisco-fication of Duo is legitimately scary.
From a usability standpoint, we’re afraid UI/UX creep will transform the existing Duo console into a Frankenstein-monster nightmare of tabs and infinite nested menus. We’re afraid of the light user-facing sign-on interface bloating into a grossly overcomplicated portal that buries simple operations under layers of extraneous crap. We’re afraid that development time will be spent on features that specifically benefit only the top-tier enterprise customers rather than improving the overall product.
More importantly, we’re nervous about Duo’s free tier—because at Cisco, all things serve the stock price (I’ve had lunch with a whole heap of Cisco enterprise sales reps, and those conversations gave me a very stark, very unflattering peek into Cisco’s revenue-driven culture). That alone is more than enough to make me fear for the elimination of Duo’s extremely useful free tier, coupled with Cisco mandating Duo raise the rates on Duo’s paid tiers in order to assist with the company’s mindless obsession with beating its quarterly guidance. The fact that Cisco has returned to profitability in 2018 makes that kind of price-pumping almost inevitable. The next time revenue dips, management will have to go all-hands-on-deck to make up for the shortfall, and squeezing additional revenue out of an acquisition is a time-honored tradition.
Why must everything I fall in love with die?
Much of my despair here comes from the fact that I’ve extensively adopted Duo into my own personal operational security routines, and it works great. It felt like the bit in where Jack and Tyler are talking about the perceived permanence of furniture. Whatever else happened, I had my 2FA issues handled. I didn’t have to think about it anymore.
And Duo is excellent at handling those issues. My servers all use Duo for both 2FA logins and also privilege escalation, via Duo’s excellent Duo Unix integration. I use Duo 2FA for local logins for my work Macbook Air. I’ve got Duo 2FA protecting the WordPress logins of a number of sites I help administer. The service supports push requests via its app (which also will generate TOTP codes and works as a Google Authenticator replacement if desired). It works with hardware tokens like Yubikeys. It even supports U2F authentication, and it’s got a great self-service portal for users to add or remove their own devices as needed.
Whatever else happened, I had my 2FA issues handled.
And, as long as you don’t need more than 10 functioning accounts, the service has a free tier that does everything an individual or home user needs. The extensive functionality, coupled with Duo’s ongoing development of new ways to utilize the service, make it a joy to use. It’s one of the few services in my life that I’m almost totally 100 percent happy with.
(It’s worth noting that I fell head over heels in love with StartCom’s free SSL/TLS services and its cheap wildcard certificates, too, and we all know how that turned out. Word of advice: if I start talking about how awesome a company is, because it’s probably about to either collapse or be purchased and destroyed.)
To be fair, Cisco is clearly in the process of creating its own self-contained infosec vertical and, as Ars IT editor Sean Gallagher said while discussing this story, Duo is almost the platonic ideal of a company that was created with the express purpose of being sold. It’s exactly the kind of building block a company like Cisco would be looking for to incorporate into its own plans. And as much as I’m dissing Cisco, there are worse companies to be acquired by—at least it wasn’t Huawei or McAfee (I just threw up in my mouth a little while typing that). And Cisco doesn’t have its own broadly applicable 2FA solution, so the likelihood that Cisco would buy Duo only to kill it (cough cough) seems low.
The only thing that doesn’t change is change
I just can’t shake the sadness—the feeling that this is the closing chapter in Duo being a usable, friendly company and the opening chapter of its existence as an increasingly crappy cog in an enterprise machine focused on making 2FA accessible only to those who can afford it, rather than for everyone. It’s hard to see past the idea that Cisco is going to come in and screw this up.
But, ultimately, change is part of life. And, again, it’s possible (likely, even!) I’m overreacting—Cisco hasn’t wholly gutted and destroyed other security-focused acquisitions like OpenDNS and Sourcefire, and the company does appear to be solidly committed to myriad noble-sounding goals. And it’s impossible to deny that, if left alone, Duo could likely do a lot of great things with Cisco’s financial and technical resources to draw on.
But my gut—and plenty of life experience on the customer end of Cisco’s business practices—tells me that I should start researching alternatives to Duo. Cisco’s frothy “people first” rhetoric clashes heavily with every interaction I’ve ever had with the company, and—while I’m happy for the Duo team and its success—as a customer, the only things I’m feeling are anxiety and uncertainty.