Let's authenticate: Beyond Identity pitches app-wrapped certificate authority

Enclave-bound service aims to be another nail in the password coffin


Hoping to actually make the long foretold end of passwords happen, a startup called Beyond Identity believes it can hasten the demise of the memory-taxing access ritual by embedding a personal certificate authority into mobile devices.

The New York City-based biz, founded by Silicon Valley vets Jim Clark and Tom Jermoluk – the latter was formerly the president and COO of venerable computing firm Silicon Graphics – has managed to raise $30m in funding, in a round led by Koch Disruptive Technologies and New Enterprise Associates. It is hoping to become an authentication provider that integrates with existing identity and access management services.

At least since 2004, when then-chairman of Microsoft Bill Gates predicted the death of passwords, it has been clear few people enjoy remembering complicated codes or changing them periodically to satisfy some enterprise security policy.

But touchscreen mobile devices have soured people further, because typing and toggling character sets on cramped virtual keyboards taxes even the most nimble-fingered among us. And with credential stuffing bots proliferating – Akamai recently reported [PDF] 8.3 billion malicious login attempts over a two-month period – persistent bad practices like reusing the same passwords on multiple websites represent a meaningful risk.

Beyond Identity proposes an app for Apple, Windows, Android and cloud services to handle authentication in a way that doesn't require tapping in a memorized secret. The company describes its app as an on-device personal certificate authority.

The app utilizes TLS and X.509 asymmetric-key cryptography to handle authentication challenges, either directly or via single-sign on (SSO) integration, from within a secure enclave, so private keys never leave the device. It also handles certificate signing functions and provides users with recovery and migration options.


The biz intends to offer its service in two forms: Beyond Identity for Workforces, which works with SSO services such as ForgeRock, Ping Identity, and Okta as a delegated identity provider, and Beyond Identity for Customers, which lets developers integrate the service via API or an SDK for native apps.

The Beyond Identity Cloud supports common identity management technologies such as OpenID Connect (OIDC), OAuth 2.0, and SAML, as well as industry frameworks like FIDO2 and WebAuthn.

In a conference call with The Register on Monday, co-founder and CEO Tom Jermoluk explained that the company's initial focus is on organizations of 200 or more employees that have already committed to getting rid of passwords through corporate SSO services.

"In the enterprise market, no API changes are required," he said. "We just drop in an [identity provider] agent for SSO and everything just works."

The process of signing in, demonstrated via video, looks rather elegant, once the initial app has been downloaded and installed.

The API, by which companies like GrubHub or Uber could implement password-free authentication, is coming this summer. And after that, the technology is expected to be available to consumers directly in a way that can integrate into legacy and SAML apps without an API.

Jasson Casey, CTO, said the company's technology has some similarities with Let's Encrypt, but it authenticates clients rather than servers.
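To make concrete what the two passages above describe, an on-device certificate authority whose private key never leaves the device, and a scheme that authenticates the client rather than the server, here is an added example in Go using only the standard library. It is not Beyond Identity's code and does not reflect its implementation: the device key is an in-memory ECDSA key rather than one held in a hardware enclave, the device mints a self-signed X.509 CA certificate, the relying party enrolls that certificate once, and each login is a challenge-response in which only a signature crosses the wire. The names `Device`, `Verifier`, `Enroll` and `Authenticate` are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Device models the phone or laptop. In the product the article describes the
// private key would live in a secure enclave; here it is an in-memory P-256 key
// (a simplification for the example, not the product's implementation).
type Device struct {
	priv *ecdsa.PrivateKey
	Cert *x509.Certificate // self-signed: the device acts as its own CA
}

// NewDevice generates the device key pair and a self-signed CA certificate
// binding the public key to a display name.
func NewDevice(name string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// template == parent makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Cert: cert}, nil
}

// Sign answers a login challenge. Only the signature leaves the device.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Verifier models the relying party (an SSO or a website backend).
type Verifier struct {
	enrolled map[string]*x509.Certificate // keyed by certificate CommonName
}

func NewVerifier() *Verifier {
	return &Verifier{enrolled: map[string]*x509.Certificate{}}
}

// Enroll stores a device certificate after checking its self-signature and CA
// flag. A real deployment would bind this step to an out-of-band identity proof.
func (v *Verifier) Enroll(cert *x509.Certificate) error {
	if err := cert.CheckSignatureFrom(cert); err != nil {
		return err
	}
	if !cert.IsCA {
		return errors.New("enroll: certificate is not a CA certificate")
	}
	v.enrolled[cert.Subject.CommonName] = cert
	return nil
}

// NewChallenge returns a fresh random nonce; each login gets a new one so a
// captured signature cannot be replayed.
func (v *Verifier) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Authenticate checks that sig is a valid signature over challenge by the key
// in the enrolled certificate for name, and that the certificate is in date.
func (v *Verifier) Authenticate(name string, challenge, sig []byte) bool {
	cert, ok := v.enrolled[name]
	if !ok {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	now := time.Now()
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	dev, err := NewDevice("alice-phone") // constructed sample device name
	if err != nil {
		panic(err)
	}
	v := NewVerifier()
	if err := v.Enroll(dev.Cert); err != nil {
		panic(err)
	}
	ch, _ := v.NewChallenge()
	sig, _ := dev.Sign(ch)
	fmt.Println("login with fresh challenge:", v.Authenticate("alice-phone", ch, sig))
	stale, _ := v.NewChallenge()
	fmt.Println("replayed signature on new challenge:", v.Authenticate("alice-phone", stale, sig))
}
```

The point of the split between `Device` and `Verifier` is the trust boundary the article draws: the verifier only ever holds public material (the certificate) and a per-login nonce, so a breach of the server side yields nothing that can be replayed or stuffed elsewhere, which is the property a password database cannot offer.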

In a traditional public key infrastructure environment, said Patrick McBride, chief marketing officer, key management is a big concern. "We've packaged all that into an app," he said. ®


Biting the hand that feeds IT © 1998–2020