Lyft Strengthens Device Trust and Reduces Ownership Costs by 50% with Duo Security

Executive Summary

Lyft strengthened user data protection and simplified device management by working with Duo Security, an AWS Advanced Technology Partner. The rideshare company required its employees to access internal applications using specific virtual private network clients, which hindered productivity. By implementing Duo Security’s Beyond Edition and device trust functionality, Lyft gained a centralized view into all managed and unmanaged devices connected to its network and the ability to quickly deploy risk mitigation policies. Using this solution, the company strengthened its security posture without harming employee productivity and reduced its total cost of ownership by 50 percent.

Facilitating a Secure Ridesharing Solution

For Lyft, protecting the personal and financial information of customers is a top priority. The rideshare company provides over 50 million rides per month, and its employees handle sensitive user data from devices running several operating systems. Lyft needed a way to streamline access to internal applications hosted on Amazon Web Services (AWS) and further strengthen its security capabilities. By working with Duo Security (Duo), an AWS Partner, Lyft developed a solution that consolidates several projects and adds device trust capabilities to continuously monitor the health of user devices. Lyft can now prevent unauthorized devices from accessing sensitive customer data without impacting employee productivity.

“Duo Beyond has proven to be one of those rare solutions that improves the security of our company while simultaneously being easier for our employees to use.”

- Mike Johnson, former CISO, Lyft

Maintaining VPN Clients for Disparate Operating Systems

Founded in 2012, Lyft provides on-demand rideshare services for millions of customers across the United States and Canada. It employs over 4,500 people who work on a diverse set of user devices, including Windows, ChromeOS, macOS, and Linux machines. Its employees rely on a virtual private network (VPN) to access internal applications hosted on AWS. To facilitate this access, Lyft had implemented a custom solution using OpenVPN, an open-source VPN that supports both remote-access (client/server) and site-to-site connections.

However, this solution posed several issues for the company and its employees. For example, employees needed to use the VPN to access internal data even when they were inside the Lyft offices, which hindered productivity. Lyft also needed to maintain VPN clients for each of its employees' devices, which was costly and required significant management effort. Additionally, some employee devices were not managed by Lyft's information technology team, so the security team had no visibility into the health of those devices and no way to enforce policy on them. Searching for a way to strengthen its access controls, Lyft chose to implement a solution from Duo.

An AWS Independent Software Vendor, Duo is a cloud-based trusted access provider delivering security technologies to thousands of organizations globally. Its product Duo Beyond enables organizations to identify corporate devices and block unauthorized users and devices, providing secure, streamlined access to applications. Duo Beyond also includes Duo multi-factor authentication (MFA), which enables customers to mitigate the threat of compromised credentials caused by phishing, malware, and other security threats, reducing risk while meeting compliance requirements for access security. “We chose Duo primarily due to three reasons: broadest coverage of devices and applications; great user experience for accessing protected internal tools; and simple implementation and roll-out,” says Vivian Ho, Security Team Software Engineer at Lyft.

Securing Data Access while Supporting Employee Productivity

Lyft strengthened its security posture by implementing Duo Beyond and Duo MFA on AWS, which can be automatically deployed in about 10 minutes using the AWS Quick Start for Duo MFA. The company is also closer to reaching zero-trust security, a model in which no user or device is trusted by default, even when it is connected to the corporate network, and every access request is verified against the user's identity and the device's health. Using these services and Duo's device trust functionality, which provides simplified access control enforcement, Lyft now has a centralized view into both managed and unmanaged devices on its network. “We envision Duo enabling team members to innovate and deliver services by providing easy and timely access to the tools and data they need in order to be productive and effective,” says Ho. “Additionally, we see Duo serving as a core technology building block to enable our zero-trust security philosophy.”

Because Duo gives Lyft's security team a single view of every device that authenticates to its applications, Lyft can assess potential security risks, identify out-of-date or vulnerable devices, and enforce risk mitigation policies in one location. For example, if an outdated or jailbroken device attempts to access one of its internal applications, Lyft's security team can identify the device and deploy a policy to block it from accessing these applications. Using Duo's services, Lyft enforces device trust across its organization without sacrificing employee efficiency. Employees can quickly and securely access internal applications without using a specific VPN client, which streamlines productivity. “Duo Beyond has enabled us to push our zero-trust strategy faster, allowing us to utilize client systems that were difficult and costly to support, making it very low effort to bring new services online and granting granular access controls,” says Mike Johnson, former Chief Information Security Officer at Lyft. Duo also helped Lyft consolidate multiple security projects, including MFA and mobile device management, into one solution. As a result, Lyft reduced its total cost of ownership by 50 percent.
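The kind of device trust policy described above, as an added example of how a posture-based access decision can be evaluated. This is illustrative code written for this page, not Duo's product code or anything Lyft deployed; the posture fields, policy structure, rule set, and sample devices are all assumptions. It goes slightly beyond the text by comparing dotted OS version strings correctly and by failing closed for platforms the policy has no baseline for.

```python
"""Device-trust policy check (illustrative example; not Duo's or Lyft's code).

A posture report per device (assumed field names) is evaluated against an
application access policy: jailbroken/rooted devices are blocked, each
platform must meet a minimum OS version, and a sensitive application may
require a managed (MDM-enrolled) device.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class DevicePosture:
    """Posture attributes an endpoint agent might report (assumed field names)."""
    device_id: str
    platform: str        # "windows", "macos", "linux", "chromeos", "ios", "android"
    os_version: str      # dotted version string as reported by the client
    managed: bool        # enrolled in the organization's device management
    jailbroken: bool     # rooted/jailbroken flag from the posture check
    screen_lock: bool = True


@dataclass(frozen=True)
class AppPolicy:
    """Access policy for one internal application."""
    app: str
    min_os: Dict[str, str]                           # platform -> minimum OS version
    require_managed: bool = False
    allowed_platforms: FrozenSet[str] = frozenset()  # empty means any platform


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: Tuple[str, ...]  # empty when allowed; otherwise every failing rule


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.19044' -> (10, 0, 19044); non-numeric suffixes such as '1a' are dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; '10.15' and '10.15.0' compare equal."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def evaluate(policy: AppPolicy, posture: DevicePosture) -> Decision:
    """Apply every rule and collect all failures, so a blocked user sees the full fix list."""
    reasons = []
    if policy.allowed_platforms and posture.platform not in policy.allowed_platforms:
        reasons.append(f"platform {posture.platform} not permitted for {policy.app}")
    if posture.jailbroken:
        reasons.append("device is jailbroken or rooted")
    minimum = policy.min_os.get(posture.platform)
    if minimum is None:
        # Fail closed: a platform with no baseline in the policy is not treated as healthy.
        reasons.append(f"no minimum OS version defined for {posture.platform}")
    elif version_lt(posture.os_version, minimum):
        reasons.append(f"OS {posture.os_version} is below minimum {minimum}")
    if policy.require_managed and not posture.managed:
        reasons.append(f"{policy.app} requires a managed device")
    if not posture.screen_lock:
        reasons.append("screen lock is disabled")
    return Decision(allowed=not reasons, reasons=tuple(reasons))


# Constructed sample data: one policy and four device posture reports.
ADMIN_CONSOLE = AppPolicy(
    app="admin-console",
    min_os={"macos": "12.0", "windows": "10.0.19044", "linux": "5.10",
            "ios": "15.0", "chromeos": "100"},
    require_managed=True,
)

SAMPLE_POSTURES = (
    DevicePosture("mac-01", "macos", "13.2.1", managed=True, jailbroken=False),
    DevicePosture("win-07", "windows", "10.0.18363", managed=True, jailbroken=False),
    DevicePosture("ios-03", "ios", "16.1", managed=True, jailbroken=True),
    DevicePosture("lnx-02", "linux", "5.15", managed=False, jailbroken=False),
)


def evaluate_all(policy: AppPolicy, postures=SAMPLE_POSTURES) -> Dict[str, Decision]:
    """Return a decision per device_id; blocked devices carry every failing rule."""
    return {p.device_id: evaluate(policy, p) for p in postures}


if __name__ == "__main__":
    for device_id, decision in evaluate_all(ADMIN_CONSOLE).items():
        state = "ALLOW" if decision.allowed else "BLOCK"
        print(f"{device_id:8} {state} {'; '.join(decision.reasons)}")
```

Two design choices matter in practice: every failing rule is reported rather than only the first, so a blocked employee can fix all problems in one pass instead of discovering them one denial at a time, and a platform the policy does not know about is denied rather than waved through, which is the fail-closed behaviour a zero-trust deployment should default to.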

“Duo Beyond has enabled us to push our zero-trust strategy faster, allowing us to utilize client systems that were difficult and costly to support, making it very low effort to bring new services online and granting granular access controls."

- Mike Johnson, former CISO, Lyft

Continuing to Streamline Device Management on Duo Beyond

By implementing Duo, Lyft has strengthened its device trust capabilities and is able to continuously monitor the health of user devices. Now, the company can better protect its users’ sensitive data without affecting employees’ access to internal applications. In the future, Lyft plans to continue developing security solutions using Duo’s services. “My team’s main objective is to design and build tools and services that help keep Lyft’s infrastructure and data safe,” says Ho. “We believe Duo is a trusted partner in this journey.”


About Lyft

Lyft was founded in 2012 and is one of the largest transportation networks in the United States and Canada. As the world shifts away from car ownership to transportation-as-a-service, Lyft is at the forefront of this massive societal change. Its transportation network brings together rideshare, bikes, scooters, car rentals, and transit all in one app. It is singularly driven by one mission: to improve people’s lives with the world’s best transportation. 

About Duo Security

Duo Security, part of Cisco, is a cloud-based trusted access provider that supports thousands of organizations worldwide. Founded in 2010, Duo is an AWS Advanced Technology Partner, AWS Public Sector Partner, and AWS Independent Software Vendor. 

Published July 2021