Duo Security Made MFA Ubiquitous. The Second Factor Is Still a Credential.
by Nick Clark | Published March 28, 2026
Duo Security made multi-factor authentication ubiquitous by providing push-based approval, biometric verification, and device health assessment through a simple integration model. The friction of MFA dropped significantly. But each authentication factor is a credential: the Duo Mobile app holds a registration secret, biometric templates are enrolled and stored, and hardware tokens carry cryptographic keys. More factors means more credentials. The structural gap is between multiplying credential types and eliminating the credential dependency entirely through identity derived from accumulated behavioral continuity.
Duo's contribution to making MFA accessible across enterprises and its device trust capabilities are genuine advances in security posture. The gap described here is about the credential model underlying all authentication factors.
More factors, more credentials
Duo adds a second factor to authentication: push notification, phone callback, SMS code, hardware token, or biometric. Each factor requires credential material. The Duo app must be enrolled with a registration secret. Biometric verification requires a stored template. Hardware tokens contain cryptographic seeds. The second factor is a second credential, not an escape from credentials.
When users lose their phone, change devices, or have their Duo registration compromised, they need to re-enroll. The identity was bound to the credential. When the credential is gone, identity verification fails until new credentials are provisioned.
Device trust evaluates the container, not identity
Duo's device trust feature evaluates whether the accessing device meets security requirements: OS version, disk encryption, screen lock. This is device health assessment. It verifies that the device is in a secure state. It does not verify that the device's identity derives from its own behavioral continuity.
A device that passes all health checks but has been factory-reset and re-enrolled is treated as the same identity. The identity is the enrollment, not the device's accumulated behavior.
What keyless identity addresses
Keyless identity would replace enrolled credentials with behavioral continuity. A device's identity would derive from its accumulated interactions validated through trust slope functions. No enrollment secret, no stored biometric template, no hardware token. The device proves it is the same device through continuity of behavior, not through possession of a credential.
Duo's adaptive access and device health capabilities could complement keyless identity by providing context signals. The identity primitive would shift from enrolled credentials to behavioral continuity.
