Portland, Ore.-based startup Acceptto has emerged from stealth today to launch its cognitive authentication platform and announce a Series A funding round of undisclosed size from Aetna Ventures, Millennium Venture Partners and Celeres Investments. Aetna is now both an investor and an early adopter. Its CSO, James Routh, joins the Acceptto Board of Directors.
SecurityWeek asked Acceptto CEO, Shahrokh Shahidzadeh, how much was raised in this funding round. He replied, “We decided not to focus on the amount and rather focus on… the mix of investors.” Aetna, he said, is both a client and an investor. Aetna Ventures is the investment arm of Aetna Life Insurance Company, which is currently involved in a $69 billion merger with CVS.
Millennium is traditionally a late-stage investor, with investments in Facebook, Twitter, Tumblr, Spotify and others. Celeres, he explained, is a private UK-based equity firm supporting Acceptto’s international aspirations “with a laser focus on EU and Asia growth strategies”.
“In an ever evolving cyberthreat environment, enterprises are forced to deliver binary MFA solutions that are full of avoidable friction,” said Azhaan Merchant, Investment Analyst, Celeres Investments. “We are excited about our investment into Acceptto as they have developed a solution that is able to continuously analyze a number of independent physical and virtual factors in order to provide frictionless authentication and real-time authorization.”
Acceptto is one of a growing number of firms using ML-based behavioral biometric technology to challenge the traditional username + password (and possibly MFA) method of user authentication. It will be competing with companies like BehavioSec and BioCatch.
The two primary traditional authentication issues that Acceptto seeks to address are the sheer prevalence of compromised user credentials available on the dark web, and the user friction created by MFA attempts to verify authentication. On the first, Shahidzadeh suggests that companies should, “Assume all your credentials already breached, even those which have not yet been created…”
This reality is forcing security teams onto the back foot, having to spend ever greater time and resources on mitigation. Shahidzadeh believes that the accuracy and reliability of Acceptto’s Cognitive Continuous Authentication engine will “infer, predict and prevent in real-time” rather than force mitigation after the event.
Acceptto, he told SecurityWeek, “provides a full mobile, web and enterprise solution powered on behavioral modeling (vs binary controls) and the use of many contextual factors contributing to a unique contextual signature associated with each user and his/her individual transactions at any given time or place. This enables a mixture of expert systems that are constantly improving by learning about normalities and abnormalities of the system and individual transactions.”
The second issue is ‘user friction’. Seamless work by employees is quickly disturbed by traditional methods of repeated authentication, while new customers are put off by the MFA hoops they have to navigate. Behavioral biometrics eliminates this friction by building — in this case — a ‘Behavioral Derived Credential’ (or normal usage signature) for each user. Because cognitive continuous authentication runs continuously, it checks ongoing usage against the stored signature and highlights anomalies as they occur.
The only adverse friction comes for new non-employees’ initial account set-up. Here it is minimized through Acceptto’s mobile SDK allowing the customer to use out-of-band mobile phone biometrics to assert initial identity.
Of course, not all friction is necessarily bad. “As an enterprise enables our behavioral modeling, we learn more and more about the good users, their devices and trusted locations,” Shahidzadeh told SecurityWeek, “and we constantly guard against new factors and anomalies and inject appropriate friction when risk is identified to surpass the acceptable threshold for the individual transaction of interest.”
The key to the process is the user’s digital credential signature. “All traditional binary individual credentials that can be compromised/breached become irrelevant. Instead we use aggregated context to establish a normal/baseline, and the more context over time and user habits captured, the better and more effective the solution.”
This context is almost impossible to spoof or copy. It is kept in secure storage on the user device to ensure privacy and minimize the attack surface. “Certain attributes,” he added, “are encrypted — or hashed — and stored in the configured enterprise backend database, which could be in the cloud or on premise — for speedy search and match. For example, is this device one of the trusted of the user’s devices, and what is the trust attribute associated with it based on the user’s habits…”
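To make the mechanism described in the last few paragraphs concrete, here is an added illustration (not Acceptto’s code, and not derived from its product) of a minimal continuous-authentication risk engine: device identifiers are stored only as hashes for search and match, several independent context factors are aggregated into one risk score, the acceptable threshold depends on the transaction class, and a successful step-up folds the new context back into the user’s baseline. The factor weights, transaction classes and thresholds are assumptions chosen for the example.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(device_id: str) -> str:
    """Store a searchable digest of the raw device attribute, never the attribute itself."""
    return hashlib.sha256(device_id.encode()).hexdigest()


@dataclass
class Baseline:
    """Per-user 'behavioral derived credential': what normal looks like for this user."""
    trusted_devices: dict = field(default_factory=dict)   # digest -> trust attribute 0..1
    usual_countries: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)         # hours of day seen before


# Assumed: how much risk each transaction class tolerates before friction is injected.
THRESHOLDS = {"read": 0.6, "payment": 0.3, "admin": 0.1}


def score(baseline: Baseline, device_id: str, country: str, hour: int) -> float:
    """Aggregate independent context factors (assumed weights) into a risk score in [0, 1]."""
    risk = 0.0
    trust = baseline.trusted_devices.get(fingerprint(device_id))
    if trust is None:
        risk += 0.5                   # device never seen for this user
    else:
        risk += 0.5 * (1.0 - trust)   # partially trusted device contributes a little risk
    if country not in baseline.usual_countries:
        risk += 0.3
    if hour not in baseline.usual_hours:
        risk += 0.2
    return min(risk, 1.0)


def decide(baseline: Baseline, device_id: str, country: str, hour: int, tx_class: str) -> str:
    """Allow silently, inject friction (step-up), or deny, based on the per-transaction threshold."""
    risk = score(baseline, device_id, country, hour)
    limit = THRESHOLDS[tx_class]
    if risk <= limit:
        return "allow"
    if risk <= limit + 0.5:
        return "step_up"              # e.g. out-of-band mobile biometric challenge
    return "deny"


def learn(baseline: Baseline, device_id: str, country: str, hour: int) -> None:
    """After a successful step-up, grow the baseline so the same context costs less friction next time."""
    digest = fingerprint(device_id)
    baseline.trusted_devices[digest] = min(1.0, baseline.trusted_devices.get(digest, 0.0) + 0.5)
    baseline.usual_countries.add(country)
    baseline.usual_hours.add(hour)
```

Note that a device the user has already passed a step-up on still carries some residual risk until its trust attribute reaches 1.0, so the baseline tightens gradually rather than on the first sighting.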
Acceptto will be at H-ISAC 2018 in San Antonio, Texas, this week. It was founded in 2013 by Nahal Shahidzadeh (COO), Haitham Akkary (CTO) and Shahrokh Shahidzadeh — all of whom previously worked with Intel.