In-brief: The RSA Conference’s most celebrated start-up, UnifyID, signals a fast-approaching revolution in how we do identity online. (Updated with link to UnifyID interview video. – PFR 2/20/2017)
The RSA Security Conference’s Innovation Sandbox is an annual competition among the world’s most promising start-ups. As such, it offers a window onto where the information security industry is going, rather than where it has been. That’s why this year’s winner, San Francisco-based start-up UnifyID, is being seen as a harbinger of a revolution in online identity that promises to finally retire moth-eaten conventions like user names and passwords in favor of hybrid identities that are a mash-up of far more specific and hard-to-fake factors.
The company offers a novel – but promising – approach to identifying users, termed “implicit identity,” that combines biometrics with other unique identifiers, from behaviors to impossible-to-fake signatures rooted in the devices an individual uses. Together, says UnifyID CEO and founder John Whaley, the data can create an identifier that is independent of any technology platform and based on who the user is, not on a piece of hardware or data they possess.
Verifying identity has long been a sticky problem for organizations. Technologies like Microsoft’s Active Directory long ago allowed companies to create consolidated databases of employee usernames, passwords and the rights needed to access resources within corporate environments. Still, most organizations rely on single-factor authentication models (a user name and password) even as massive data breaches have exposed user names and passwords to cyber criminals by the billion. And, in the last decade, the emergence of a vibrant ecosystem of third-party, cloud-based applications (think Salesforce.com) has blurred the lines between internal and external user roles. UnifyID claims to combine more than 100 attributes to uniquely identify people with “five nines” (99.999%) accuracy.
In an interview with Security Ledger, Whaley said that the widespread adoption of sensor-packed smart phones, combined with advances in machine learning, makes the company’s unique take on identity possible. In addition to the standard kinds of measurements possible with smart phones’ accelerometers, GPS and cameras, the company leverages other, more subtle identifiers created by observing wireless signals like Bluetooth and fingerprinting unique device characteristics. Among other things, UnifyID uses slight variations in chips embedded within smart phones that can be used to uniquely identify the physical device associated with a user. That factor is then combined with others to prove the identity of a prospective user.
The glaring limitations of password-based security are pushing technology firms to look for novel and more reliable systems that can’t be stolen or forged, and that can work seamlessly across different, cloud-based resources.
UnifyID beat out 10 other firms to claim the Innovation Sandbox award, following in the footsteps of companies like Sourcefire (now part of Cisco), publicly traded Imperva and Phantom Cyber in past years. The award is sought after, garnering media attention and the attention of would-be investors and customers. The unanimous vote for the company reflects growing interest among investors in Silicon Valley and elsewhere in developing alternative identities that are flexible enough to work across an Internet landscape with fewer and fewer borders separating corporate from third-party and personal networks and devices.
“Next-generation” identity platforms are one of four investment areas that Trident Capital Cybersecurity will pursue with a new $300 million fund, Sean Cunningham, Trident’s Managing Director, said in a panel discussion on investment trends in the information security space at the Conference on Thursday. There are many drivers for new approaches to online identity, from regulatory compliance to the demands of hybrid technology environments of “on-premise” and cloud-based applications. That has fueled interest in companies like Okta and Forgerock that promise secure identity platforms that bridge such environments.
The fallibility of passwords has made account takeovers a common method that hackers use to get a foothold on corporate networks, said Uri Rivner, the Chief Cyber Strategy Officer at the firm BioCatch, which helps companies spot account takeovers by mapping a user’s online behavior and then noting deviations from it that indicate an account has been compromised.
A recent survey by the Pew Center found that 8 in 10 Americans simply memorize or write down their passwords, while a substantial minority (39%) solve the password complexity problem by reusing the same (or a very similar) password across accounts. One consequence is that cyber-criminal groups are increasingly using stolen credentials to exploit remote access virtual private network (VPN) connections to corporate networks – a technique previously reserved to sophisticated nation-state actors, Rivner said.
New, stronger identity schemes could remove that risk by replacing passwords with a strong identifier that is based on a mix of passive biometric measurements and other, immutable factors. The goal is what’s often termed “continuous authentication,” in which authentication ceases to be a discrete action and individuals gain access to services seamlessly.
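The two ideas in the paragraphs above, mapping a user’s normal behavior and flagging deviations from it (BioCatch’s account-takeover detection) and blending several passive factors into a score that is re-evaluated throughout a session (continuous authentication), can be illustrated with a small scorer. The following is an added example written for this article; it is not UnifyID’s or BioCatch’s code, and the feature names (`key_interval_ms`, `mouse_speed_px_s`, `login_hour`), the device fingerprint tokens, the weights, the thresholds and the sample sessions are all constructed assumptions.

```python
"""Toy continuous-authentication scorer (added example, not UnifyID's or
BioCatch's implementation). Feature names, weights, thresholds and the
sample data below are constructed for illustration only."""
import math
from statistics import mean, pstdev

# Constructed historical sessions for one user (hypothetical feature names).
HISTORY = [
    {"key_interval_ms": 120, "mouse_speed_px_s": 400, "login_hour": 9},
    {"key_interval_ms": 130, "mouse_speed_px_s": 420, "login_hour": 10},
    {"key_interval_ms": 110, "mouse_speed_px_s": 380, "login_hour": 8},
    {"key_interval_ms": 125, "mouse_speed_px_s": 410, "login_hour": 9},
]
KNOWN_DEVICES = {"device-fp-A"}  # constructed device-fingerprint token

ALLOW, STEP_UP, DENY = "ALLOW", "STEP_UP", "DENY"


def build_baseline(history):
    """Per-feature mean and population stddev learned from past sessions."""
    baseline = {}
    for feature in history[0]:
        values = [session[feature] for session in history]
        sd = max(pstdev(values), 1e-6)  # floor so a constant feature cannot divide by zero
        baseline[feature] = (mean(values), sd)
    return baseline


def behaviour_deviation(baseline, observation):
    """Mean absolute z-score over all features: 0 means 'exactly typical'."""
    zs = [abs((observation[f] - mu) / sd) for f, (mu, sd) in baseline.items()]
    return sum(zs) / len(zs)


def factor_confidence(baseline, known_devices, observation, device_id):
    """Blend a behavioural factor with a device factor into a score in [0, 1]."""
    behaviour = math.exp(-behaviour_deviation(baseline, observation))  # 1.0 when typical
    device = 1.0 if device_id in known_devices else 0.3  # unknown hardware weakens, does not veto
    return 0.6 * behaviour + 0.4 * device


def decide(confidence):
    """Map a confidence score to an access decision."""
    if confidence >= 0.7:
        return ALLOW
    if confidence >= 0.4:
        return STEP_UP  # ask for an explicit factor instead of silently cutting the session
    return DENY


def evaluate_session(baseline, known_devices, events, smoothing=0.5):
    """Continuous authentication: re-score on every event and smooth with the
    previous confidence so one noisy sample does not flip the decision, while
    a sustained change (for example a takeover mid-session) still drives it down."""
    confidence = None
    decisions = []
    for observation, device_id in events:
        current = factor_confidence(baseline, known_devices, observation, device_id)
        if confidence is None:
            confidence = current
        else:
            confidence = smoothing * confidence + (1 - smoothing) * current
        decisions.append((round(confidence, 3), decide(confidence)))
    return decisions


# Constructed events: one that matches the user's habits on a known device,
# and one takeover-style event with a different rhythm, hour and device.
LEGIT = ({"key_interval_ms": 122, "mouse_speed_px_s": 405, "login_hour": 9}, "device-fp-A")
ANOMALOUS = ({"key_interval_ms": 60, "mouse_speed_px_s": 900, "login_hour": 3}, "device-fp-Z")

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for conf, verdict in evaluate_session(baseline, KNOWN_DEVICES, [LEGIT, ANOMALOUS, ANOMALOUS]):
        print(conf, verdict)
```

Run as a script, the session starts at ALLOW, drops to STEP_UP on the first anomalous event and to DENY on the second. The smoothing term is the design point worth noting: it is what makes the check continuous rather than a one-off login gate, and it trades a slightly slower reaction to a takeover for far fewer false lockouts on a single odd sample. A production system would of course learn far more than three features and calibrate the thresholds against measured false-accept and false-reject rates.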
Whaley said that implicit identity schemes have other applications as well, including fraud prevention, e-commerce and the Internet of Things. Such technology will be needed to address security challenges created by the Internet of Things, which will add billions of new devices and services that users need to connect to. In the future, UnifyID hopes the technology can work in offline scenarios as well.