Passwords are so 2019. Beyond Identity, a new company with some real Silicon Valley cred, has developed what it says is an easier-to-use, more secure way of verifying identity, and it doesn't involve usernames and passwords.
Instead of relying on a username and password for authentication, the software-based Beyond Identity Cloud uses digitally signed certificates. The software, installed on the endpoint, issues a "self-signed" certificate, which is registered with Beyond Identity's back-end cloud environment. The software then validates that the link is correct. Private keys are stored on user devices themselves in a secure compartment. The solution also collects and sends important device security posture information in a signed package with each authentication transaction.
The technology for verifying identity comes with impressive credentials. Netscape founder Jim Clark and former Silicon Graphics President and broadband cable modem developer TJ Jermoluk created the new company specifically for this product.
The workforce version requires employees to download the app to their devices once and integrates with single sign-on solutions as a delegate identity provider. Once enrolled, employees get an email from the help desk inviting them to join the new password list log. That email provides a link for employees to download the Beyond Identity client that will generate the private key on the user's device. After downloading the client, the user executes it and the process is complete. From that point on, employees can access their applications without passwords. The customer-facing version provides API-based services or an SDK for integration with customer-facing apps.
On this platform, any device can be an authenticator, the company says. In other words, if an employee gets a new device or loses one, any other device they have can reauthorize the new one.
In essence, Beyond Identity is creating a new "chain of trust" for verifying online identity, said Patrick McBride, the company's chief marketing officer.
"Before Beyond Identity, you could establish a 'chain of trust' from browser to server or server to server," he explained. "We extended that chain of trust out to the end user," not just the browser, but to the person.
Because users go through the process just once, it can help eliminate the barriers to access. On the user end, these include forgetting passwords, being required to change passwords, and dealing with multifactor authentication. For customers of online resources, requiring a username and password to log in also can lead to page abandonment. On the company side, they include responsibilities related to protecting and managing potentially billions of usernames and passwords.
It's also more secure, said Richard Stiennon, chief research analyst at IT-Harvest.
"With the traditional method, anybody with your username and password can get access. This method essentially says, 'Show me your digitally signed certificate.' That would be really hard to spoof," he said.
In a way, what's old has become new again—with a twist. Instead of using a directory to authenticate users, Beyond Identity seems to be bringing back what is actually a very old model: the client-side certificate, Stiennon said. But the time might be right; while client-side certificates have typically been difficult to use and manage, the development of Trusted Platform Modules (TPMs), which create tamper-proof stores on devices, has made them more relevant again. Virtually all devices today have TPM technology.
"Today, devices have secure hardware in them that the software can take advantage of," he said. "It sounds like this company is taking advantage of the fact that 99% of devices in the cloud and in people's hands have the capability to accept digital certificates pushed to them."
While the concept is sound, Stiennon warned that it may not be appropriate for all devices. Devices without the required level of security, such as Internet of Things (IoT) devices, conference phones and CCTVs, for example, would be poor choices for this technology.