Roughly 80% of data breaches globally are tied to weak or stolen passwords, according to the World Economic Forum, and contribute to the $2.9 million that cybercrime costs the global economy every minute. Moreover, with anywhere between 20% and 50% of all help desk calls reportedly related to password resets, it’s easy to see why there has been a growing push to get rid of the password altogether.
It’s against this backdrop that identity and access management startup Transmit Security is launching a new product that could play a part in the burgeoning “passwordless” security landscape. The Boston-based company today unveiled BindID, an “app-less mobile authenticator” that software makers can use to authenticate users by leveraging the same biometrics (i.e. face or fingerprint) registered to their mobile device.
For example, a company could deploy a “login with mobile” button at the top of their website. When the user taps it, it would call BindID using OpenID Connect (OIDC), an identity layer built on top of the OAuth 2.0 protocol. This would then throw up a QR code, which the user scans with their mobile phone to open a web browser that invokes the device’s preconfigured biometrics.
Above: Transmit Security: BindID uses QR code to authenticate any user with biometrics.
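The relying-party side of an OIDC call like the one described above, as an added example that is not from the article or from Transmit Security. It shows the checks a site behind such a button would make on the callback and on the ID token's claims. The issuer, endpoint, client ID and redirect URI are placeholders, and the token's signature is assumed to have been verified already by a JOSE library.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

# Placeholders: the article gives no endpoints or client settings.
ISSUER = "https://idp.example"                  # hypothetical OIDC provider
AUTHZ_ENDPOINT = ISSUER + "/authorize"          # hypothetical
CLIENT_ID = "shop-web"                          # hypothetical
REDIRECT_URI = "https://shop.example/callback"  # hypothetical

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare

def begin_login(session):
    """Handle the "login with mobile" click: build the OIDC authorization request."""
    session["state"] = secrets.token_urlsafe(32)  # ties the callback to this browser session
    session["nonce"] = secrets.token_urlsafe(32)  # ties the ID token to this request
    query = urlencode({
        "response_type": "code", "scope": "openid",
        "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "state": session["state"], "nonce": session["nonce"],
    })
    return AUTHZ_ENDPOINT + "?" + query

def check_callback(session, params):
    """Return the authorization code only if state matches; state is single-use."""
    expected = session.pop("state", None)
    if expected is None or not _same(expected, str(params.get("state", ""))):
        raise ValueError("state mismatch")
    if "error" in params or not params.get("code"):
        raise ValueError("authorization failed")
    return params["code"]

def check_id_token_claims(session, claims, now=None):
    """Validate the claims of an ID token whose signature was already verified."""
    now = time.time() if now is None else now
    expected = session.pop("nonce", None)
    aud, exp = claims.get("aud"), claims.get("exp")
    problems = [name for name, ok in (
        ("iss", claims.get("iss") == ISSUER),
        ("aud", CLIENT_ID in (aud if isinstance(aud, list) else [aud])),
        ("exp", isinstance(exp, (int, float)) and exp > now),
        ("nonce", expected is not None and _same(expected, str(claims.get("nonce", "")))),
        ("sub", bool(claims.get("sub"))),
    ) if not ok]
    if problems:
        raise ValueError("ID token rejected: " + ", ".join(problems))
    return claims["sub"]
```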
The user does have to register each online account (e.g. banking or ecommerce) with BindID the very first time they access an online service. The first time they try to access a website that has BindID embedded, they will have to provide their login credentials to register their biometrics. After that, they don’t have to provide any additional credentials when accessing that online service on any device.
BindID also works on mobile phones, either in a browser or a native app, though this won’t require a QR code — the user can simply hit a button to start the process.
Above: Transmit Security: BindID can authenticate users with their biometrics on any device.
Moreover, BindID can be configured to work in other scenarios, such as call centers. An interactive voice response (IVR) could ask a caller to identify themselves with their biometrics by sending an SMS link, which they tap. It then checks their device’s biometric authentication smarts to tell the call center that they are who they say they are.
The story so far
Transmit Security has raised around $40 million in external funding since its inception in 2015, and the company constitutes part of a broader move to passwordless technology. Beyond Identity, for example, recently raised $75 million, while notable players like Axiad and Trusona have secured sizable investments for similar initiatives over the past year.
With BindID, however, Transmit Security is setting out to advance things in several notable ways. For one, the user only needs to register with BindID once, and they can authenticate themselves with a specific account on any device, application, or channel associated with that account, regardless of whether the device has built-in biometric capabilities. This is particularly useful in situations where the end-user has forgotten their credentials because they only have to access their account a few times a year. Moreover, the end-user isn’t required to download any other mobile authentication apps to their device, as is the case with other authentication platforms.
So rather than abandoning a shopping cart at the checkout when they’re asked to provide forgotten login credentials, a customer can simply scan a QR code and authenticate from their mobile.
“BindID is the industry’s first app-less, strong, portable authenticator that uses device-based biometrics for secure, convenient, and consistent customer authentication,” Transmit Security cofounder and CEO Mickey Boodaei told VentureBeat. “Shared trust at the user, device, and network levels allows other biometric-enabled devices, such as laptops and tablets, to be associated with BindID accounts and provides secure device re-enrollment.”
It’s also worth highlighting the fact that the service provider (i.e. the app maker) doesn’t manage any of the authentication process itself, instead handing that off to BindID. This could be particularly appealing for businesses wary of holding or processing sensitive customer data or worried about the resources required to roll out biometrics-based security.
Transmit Security expects that BindID will initially be adopted by consumer-facing services that are looking for an easy way to integrate biometric authentication smarts into their software, but the company is eyeing a much wider market.
“Customers see the potential and are exploring use cases for workforce applications of BindID,” Boodaei said. “Open standards and APIs let organizations deploy the cloud-based BindID service quickly in any channel. Most development teams can have it up and running within a single agile sprint.”
Boodaei added that it is currently in trials with “some of the largest Fortune 100 companies” but said it wasn’t at liberty to divulge any names.