With $30 Million in Funding, Silicon Valley Visionaries Jim Clark and Tom Jermoluk Aim to Replace Passwords With a Chain of Trust
Internet icons Jim Clark and Tom Jermoluk (past founders of Netscape, Silicon Graphics and @Home Network) have launched a device-resident, personal-certificate-based authentication and authorization solution that removes passwords from the login process altogether.
Their new firm, Beyond Identity, has been launched with a $30 Million Series A funding round led by Koch Disruptive Technologies, LLC (KDT) and New Enterprise Associates (NEA). Hilarie Koplow-McAdams (venture partner at NEA), Forest Basket (general partner at NEA), and Byron Knight (managing director at KDT) have joined Clark and Jermoluk as board members.
The Beyond Identity solution is designed to eliminate the need for any password in the authentication process. With no password to phish, guess, reuse or replay, the credential theft and credential stuffing behind a large share of data breaches lose their target. It removes the password-entry step from login, takes the password reset load off the help desk, and can form the basis of a zero-trust model in which identity, rather than network location, is the perimeter.
The technology used is not new, being based on X.509 certificates and SSL (invented by Netscape some 25 years ago and, in its successor TLS, still the bedrock of secure internet communications). What is new is the opportunity provided by the modern smartphone: biometric user access, enough memory and processing power, and a hardware secure enclave in which the private key of a self-signed certificate is generated and from which it never leaves. The biometric check is local; it unlocks use of the key on the device, so the service provider sees a certificate and a signature, never biometric data. The Beyond Identity certificate then authenticates the device/user pair to the service provider, whether that's a bank or a corporate network.
“Certificate chains are appropriately referred to as a Chain of Trust,” commented Jermoluk. “When this technology was created at Netscape during the beginning of the World Wide Web, it was conceived as a mechanism for websites to securely communicate, but the tools didn’t yet exist to extend the chain all the way to the end user. Beyond Identity includes the user in the same chain of certificates bound together with the secure encrypted transport (TLS) used by millions of websites in secure communications today.”
Setting up is simply a matter of installing the Beyond Identity client app (available for Windows, Mac, iOS and Android) and running it. The app generates the private key on the device and issues the certificate that authenticates the user. It also gathers additional device information (a device profile, not personal user information) that can be used to determine the security posture of the device. The profile is collected fresh at each service login and can feed additional risk-based authorization.
Device information presented with the certificate includes the device model and operating system, whether the device is password protected and/or has biometrics enabled, whether hard drives are encrypted, and whether Gatekeeper (on macOS) and the firewall are enabled. Such information helps demonstrate both regulatory and security policy compliance, adds accuracy to anomaly detection, and provides data for threat hunting and incident investigation. As with any client-reported posture, the weight a policy gives these signals should reflect how strongly the report is bound to the device's signing key.
Users can enroll as many devices as they wish. Each device holds its own key and certificate and produces its own profile at login, so the profile is what distinguishes one of a user's devices from another. This lets companies separate authentication (proven by the cryptography) from authorization (decided on the device profile).
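The enrollment and login flow described above, as an added example in Go that is not Beyond Identity's code or protocol: a device generates a P-256 key and a self-signed certificate (a software key here, where the product uses the secure enclave), signs the server's challenge together with its posture at login, and the relying party first authenticates by checking the certificate against its enrollment record and verifying the signature, then authorizes separately on the posture. The JSON posture fields, the SPKI-pinning enrollment store, the nonce handling and the policy rules are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// DeviceProfile is the posture signed at login; signals follow the article, the JSON layout and embedded nonce are this example's assumptions.
type DeviceProfile struct {
	Nonce         string `json:"nonce"` // server challenge, signed with the posture to defeat replay
	Model         string `json:"model"`
	ScreenLock    bool   `json:"screen_lock"`
	DiskEncrypted bool   `json:"disk_encrypted"`
	Firewall      bool   `json:"firewall"`
}

// Device holds the enrolled key (on a real client: non-exportable, in the secure enclave, unlocked by the biometric) and its self-signed certificate.
type Device struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// Enroll generates a P-256 key on the device and self-signs a certificate naming the user.
func Enroll(user string) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Device{Key: key, Cert: cert}, err
}

func sum(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// Login binds the server's nonce into the posture collected at that moment and returns the JSON body plus an ECDSA signature over SHA-256(body); the client sends both together with d.Cert.Raw.
func (d *Device) Login(nonce string, p DeviceProfile) (body, sig []byte, err error) {
	p.Nonce = nonce
	if body, err = json.Marshal(p); err != nil {
		return nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, d.Key, sum(body))
	return body, sig, err
}

// Enrolled pins the SPKI hash of each enrolled certificate to its user: a self-signed
// certificate proves nothing on its own, so enrollment is the trust anchor.
type Enrolled map[[32]byte]string
func SPKI(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }

// Authenticate proves possession of an enrolled key: the certificate must be pinned and name the pinned user, the signature must verify, and the posture must carry our nonce.
func (e Enrolled) Authenticate(nonce string, certDER, body, sig []byte) (string, DeviceProfile, error) {
	var p DeviceProfile
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", p, err
	}
	user, ok := e[SPKI(cert)]
	if !ok || user != cert.Subject.CommonName {
		return "", p, fmt.Errorf("certificate not enrolled for %q", cert.Subject.CommonName)
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, sum(body), sig) {
		return "", p, fmt.Errorf("signature does not verify")
	}
	if err := json.Unmarshal(body, &p); err != nil || p.Nonce != nonce {
		return "", p, fmt.Errorf("posture rejected: malformed or stale nonce")
	}
	return user, p, nil
}

// Authorize is the separate posture decision: the same user on a weaker device gets a different answer. The rules are illustrative policy, not the vendor's.
func Authorize(p DeviceProfile) (bool, []string) {
	var reasons []string
	names := []string{"no screen lock", "disk not encrypted", "firewall disabled"}
	for i, ok := range []bool{p.ScreenLock, p.DiskEncrypted, p.Firewall} {
		if !ok {
			reasons = append(reasons, names[i])
		}
	}
	return len(reasons) == 0, reasons
}
```

Enrollment is the trust anchor here: because the certificate is self-signed, the relying party has to record the public key at enrollment and pin it, otherwise anyone can mint a certificate naming alice@example.com. Keeping the nonce inside the signed body is what stops a captured login from being replayed under a later challenge, and keeping Authenticate and Authorize apart is what lets the same enrolled user be admitted from one device and refused from another whose posture fails policy.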
For now, Beyond Identity is concentrating on the corporate market. To help this, it also integrates with existing SSO implementations, such as Okta, Ping and ForgeRock, as a delegate identity provider, so that companies' existing investments are protected. In this arrangement the user still logs into the SSO, which then provides access to the services, but the password into the SSO itself is eliminated. This makes commercial sense. “We can simply drop into any site that already has an SSO,” Jermoluk told SecurityWeek. “They’ve already done the heavy lifting — all of the work that has been done over the last ten years by the SSO doesn’t have to be repeated. What we do is take that work all the way to the end user with no need for a password at all.”
Towards the end of 2020, Beyond Identity will be available to consumers. Jermoluk explained, “We will be taking it into the consumer market because we have another unique, patented approach to how we can go after the service provider applications without changing them, but be a legacy way of providing our services to them. We will be able to solve all of the password issues for consumers as well.” Beyond Identity is not disclosing this technology today, but expects to announce it in the Summer for delivery by the end of the year.
The logical extension to the Beyond Identity approach would be to achieve pre-installation status with the device distributors. This is not out of the question in the future since the product can work with, rather than against, the SSO services already offered by Google and Apple.
Launching such a major new approach to authentication and authorization is not ideal in the middle of a global health crisis. Nevertheless, working from home has received a massive boost from the various national lockdowns, and that shift is likely to persist even if and when the Covid-19 crisis is resolved. In many ways, then, Beyond Identity's claim to solve the authentication and authorization problem by making each user and their device the security perimeter, regardless of location, makes it a product at the right time.