authentication
Auto Added by WPeMatico
Auto Added by WPeMatico
“There is no doubt that over time, people are going to rely less and less on passwords… they just don’t meet the challenge for anything you really want to secure,” said Bill Gates.
That was 17 years ago. Although passwords have lost some of their charm, they have so far survived many attempts to kill them for good.
The perception of high cost and tricky implementations has stalled some smaller businesses from ditching passwords. But alternatives to passwords are affordable, easy to implement and safer, show industry insights gathered by Extra Crunch. The move to zero trust systems is acting as a catalyst.
First, a primer. Zero trust focuses on who you are, not where you are. Zero trust models require companies to never trust any attempt to access its network, and must verify every single time — even from logins from inside the network. Passwordless tech is a key part of zero trust models.
There are several alternatives for passwords, including:
Wolt, a Finnish food-delivery site, is just one example of going passwordless.
“The user registers by entering their email address or a phone number. Login to the app takes place by clicking the temporary link in the user’s inbox. The app on the user’s mobile phone places an authentication cookie, which enables the user to continue from that device without having to go through any further authentication,” said Erka Koivunen, CISO at F-Secure.
In this case, the service provider is in full control of the authentication, allowing it to set expiration time, revoke service and detect fraud. The service provider does not need to count on the user’s commitment to keep track of their passwords.
Passwordless tech is not inherently costly but may take some adjustment, explained Ryan Weeks, CISO at managed service provider Datto.
“It is not necessarily costly in terms of monetary investment, because there are a lot of easily accessible open-source alternatives for multi-factor authentication that don’t require any sort of investment,” said Weeks. But some companies believe passwordless tech may cause friction to their employees’ productivity.
Koivunen also dismissed that zero trust models are unaffordable for startups.
“Zero trust recognises the futility of forcing users to authenticate themselves by presenting something they should keep as secret. Instead, it prefers to establish the user’s identity using some context-aware method,” he said.
Zero trust goes further than authenticating users; it also includes the device and the user.
“From a zero trust perspective, there is an idea that there is a continuous authentication or revalidation of trust occurring. Therefore, passwordless in a zero trust model is potentially easier for the user and more secure as the combination of the ‘something you have’ and ‘something you are’ factors are more difficult to attack,” said Datto’s Weeks.
Larger companies, like Microsoft and Google, already offer zero trust technologies. But investors are also eyeing smaller companies that offer zero trust for growing companies.
Axis Security, a zero trust provider that allows remote employees to access their company’s network, raised $32 million last year. Beyond Identity raised $75 million in funding in December. And Israel identity validation startup Identiq raised $47 million in Series A funding in March.
Early Stage is the premier “how-to” event for startup entrepreneurs and investors. You’ll hear firsthand how some of the most successful founders and VCs build their businesses, raise money and manage their portfolios. We’ll cover every aspect of company building: Fundraising, recruiting, sales, product-market fit, PR, marketing and brand building. Each session also has audience participation built-in — there’s ample time included for audience questions and discussion. Use code “TCARTICLE” at checkout to get 20% off tickets right here.
Powered by WPeMatico
Some eight months after it was reported that Ping Identity’s owners Vista Equity had hired bankers to explore a public listing, today Ping Identity took the plunge: the Colorado-based online ID management company has filed an S-1 form indicating that it plans to raise up to $100 million in an IPO on the Nasdaq exchange under the ticker “Ping.”
While the initial S-1 filing doesn’t have an indication of price range, Ping is said to be looking at a valuation of between $2 billion and $3 billion in this listing.
The company has been around since 2001, founded by Andre Durand (who is still the CEO), and it was acquired by Vista in 2016 for about $600 million — at a time when a clutch of enterprise companies that looked like strong IPO candidates were going the private equity route and staying private instead.
But more recently, there has been a surge in demand for better IT security linked to identity and authentication management, so it seems that Vista Equity is selling up. The PE firm is taking advantage of the fact that the market’s currently very strong for tech IPOs, but there is so much M&A in enterprise right now (just yesterday VMware acquired not one but two companies, Carbon Black for $2.1 billion and Pivotal for $2.7 billion) that I can’t help but wonder if something might move here too.
The S-1 reveals a number of details on the company’s financials, indicating that it’s currently unprofitable but on a steady growth curve. Ping had revenues of $112.9 million in the first six months of 2019, versus $99.5 million in the same period a year before. Its loss has been shrinking in recent years, with a net loss of $3.1 million in the first six months of this year versus $5.8 million a year before (notably in 2017 overall it was profitable with a net income of $19 million. It seems that the change is due to acquisitions and investing for growth).
Its annual run rate, meanwhile, was $198 million for the first six months of the year, compared to $159.6 million in the same period a year ago.
The area of identity and access management has become a cornerstone of enterprise IT, with companies looking for efficient and secure ways to centralise how not just their employees, but their customers, their partners and various connected devices on their networks can be authenticated across their cloud and on-premise applications.
The demand for secure solutions covering all the different aspects of a company’s IT stack has grown rapidly over recent years, spurred not just by an increased move to centralised applications served through the cloud, but also by the drastic rise in breaches where malicious hackers have exploited vulnerabilities and loopholes in companies’ sign-on screens.
Ping has been one of the bigger companies building services in this area and tackling all of those use cases, competing with the likes of Okta, OneLogin, AuthO, Cisco and dozens more off-the-shelf and custom-built solutions.
The company offers its services on an SaaS basis, covering services like secure sign-on, multi-factor authentication, API access security, personalised and unified profile directories, data governance and AI-based security policies. It claims to be the pioneer of “Intelligent Identity,” using AI to help its system analyse user, device and network behavior to better identify potentially malicious activity.
More to come.
Powered by WPeMatico
Two major U.S. carriers, AT&T and T-Mobile, announced this morning a plan to team up to protect their respective customer bases from the scourge of scam robocalls. The two companies will today begin to roll out new cross-network call authentication technology based on the STIR/SHAKEN standards — a sort of universal caller ID system designed to stop illegal caller ID spoofing.
Robocalls have become a national epidemic. In 2018, U.S. mobile users received nearly 48 million robocalls — or more than 150 calls per adult, the carriers noted.
A huge part of the problem is that these calls now often come in with a spoofed phone number, making it hard for consumers to screen out unwanted calls on their own. That’s led to a rise in robocall blocking and screening apps. Even technology companies have gotten involved, with Google introducing a new AI call screener in Android and Apple rolling out Siri-powered spam call detection with iOS 13.
To help fight the call spoofing problem, the industry put together a set of standards called STIR/SHAKEN (Secure Telephony Identity Revisited / Secure Handling of Asserted information using toKENs), which effectively signs calls as “legitimate” as they travel through the interconnected phone networks.
However, the industry has been slow to roll out the system, which prompted the FCC to finally step in.
In November 2018, FCC Chairman Ajit Pai wrote to U.S. mobile operators, asking them to outline their plans around the implementation of the STIR/SHAKEN standards. The regulator also said that it would step in to mandate the implementation if the carriers didn’t meet an end-of-2019 deadline to get their call authentication systems in place.
Today’s news from AT&T and T-Mobile explains how the two will work together to authenticate calls across their networks. By implementing STIR/SHAKEN, calls will have their Caller ID signed as legitimate by the originating carrier, then validated by other carriers before they reach the consumer. Spoofed calls would fail this authentication process, and not be marked as “verified.”
As more carriers participate in this sort of authentication, more calls can be authenticated.
However, this system alone won’t actually block the spam calls — it just gives the recipient more information. In addition, devices will have to support the technology, as well, in order to display the new “verification” information.
T-Mobile earlier this year was first to launch a caller verification system on the Samsung Galaxy Note9, and today it still only works with select Android handsets from Samsung and LG. AT&T meanwhile, announced in March it was working with Comcast to exchange authenticated calls between two separate networks — a milestone in terms of cooperation between two carriers. T-Mobile and Comcast announced their own agreement in April.
The news also follows a statement by Chairman Pai that says the FCC will sign off to approve a T-Mobile/Sprint merger, as has been expected.
Powered by WPeMatico
Facebook today released a new SDK that allows mobile app developers to integrate WhatsApp verification into Account Kit for iOS and Android. This will allow developers to build apps where users can opt to receive their verification codes through the WhatsApp app installed on their phone instead of through SMS.
Today, many apps give users the ability to sign up using only a phone number — a now popular alternative to Facebook Login, thanks to the social network’s numerous privacy scandals that led to fewer people choosing to use Facebook with third-party apps.
Plus, using phone numbers to sign up is common with a younger generation of users who don’t have Facebook accounts — and sometimes barely use email, except for joining apps and services.
When using a phone number to sign in, it’s common for the app to confirm the user by sending a verification code over SMS to the number provided. The user then enters that code to create their account. This process can also be used when logging in, as part of a multi-factor verification system where a user’s account information is combined with this extra step for added security.

While this process is straightforward and easy enough to follow, SMS is not everyone’s preferred messaging platform. That’s particularly true in emerging markets like India, where 200 million people are on WhatsApp, for example. In addition, those without an unlimited messaging plan are careful not to overuse texting when it can be avoided.
That’s where the WhatsApp SDK comes in. Once integrated into an iOS or Android app, developers can offer to send users their verification code over WhatsApp instead of text messaging. They can even choose to disable SMS verification, notes Facebook.
This is all a part of WhatsApp’s Account Kit, which is a larger set of developer tools designed to allow people to quickly register and log in to apps or websites using only a phone number and email, no password required.
This WhatsApp verification codes option has been available on WhatsApp’s web SDK since late 2018, but hadn’t been available with mobile apps until today.
Powered by WPeMatico
Consider that there are millions of Okta users out there using the service to sign into their company applications with a single set of credentials. Yet getting customers to work together using Okta authentication was an enormous task for developers. Okta wanted to simplify it, so they created a service they are calling it ‘Sign in with Okta.’
The new API allows developers to add a few lines code and give Okta customers the ability to sign into one another’s websites in a similar way that OAuth allows you to use your Google or Facebook credentials to sign onto consumer sites.
Frederic Kerrest, COO and co-founder at Okta, says the ‘Sign in with Okta’ uses an extension of OAuth called OpenID Connect, which his company has been supporting since 2016. He says the new service gives customers the ability to expand the use of their Okta credentials beyond their own set of internal applications to sign into customer and partner sites. This extends the Okta functionality and brand and helps to make it a kind of standard way of logging in (or that’s the hope).
When developers add this functionality, the user sees a “Sign in with Okta” button on the website or service they are accessing. They can then use their Okta login to get into these sites under whatever rules the site owner has defined.
Site with ‘Sign in with Okta’ button. Photo: Okta
While Okta has provided APIs for developers prior to today, they didn’t provide a package like this that simplifies the process. This forced developers to use the SAML standard to make it work. While there’s nothing wrong with this approach, it can be time-consuming and put a lot of burden on developers to write software and connectors, while updating and maintaining them, Kerrest explained. This removes all of that complexity from the process.
This means that when two businesses are on Okta, they can trust one another because they do business together, and instead of setting up the SAML connection, a process that could take days, they can do it an hour with the Okta API tool, according to Kerrest.
“[Sign in with Okta] is a much easier way for customers or partners to seamlessly integrate into our environment. They could do it before, but we are ‘widgetizing’ it now,” he said.
Powered by WPeMatico
Auth0, a startup based in Seattle, has been helping developers with a set of APIs to build authentication into their applications for the last five years. It’s raised a fair bit of money along the way to help extend that mission, and today the company announced a $55 million Series D.
This round was led by led by Sapphire Ventures with help from World Innovation Lab, and existing investors Bessemer Venture Partners, Trinity Ventures, Meritech Capital and K9 Ventures. Today’s investment brings the total raised to $110 million. The company did not want to share its valuation.
CEO Eugenio Pace said the investment should help them expand further internationally. In fact, one of the investors, World Innovation Lab, is based in Japan and should help with their presence there. “Japan is an important market for us and they should help explain to us how the market works there,” he said.
The company offers an easy way for developers to build in authentication services into their applications, also known as Identification as a Service (IDaaS). It’s a lot like Stripe for payments or Twilio for messaging. Instead of building the authentication layer from scratch, they simply add a few lines of code and can take advantage of the services available on the Auth0 platform.
That platform includes a range of service such as single-sign on, two-factor identification, passwordless log-on and breached password detection.
They have a free tier, which doesn’t even require a credit card, and pay tiers based on the types of users — regular versus enterprise — along with the number of users. They also charge based on machine-to-machine authentication. Pace reports they have 3500 paying customers and tens of thousands of users on the free tier.
All of that has added up to a pretty decent business. While Pace would not share specific numbers, he did indicate the company doubled its revenue last year and expected to do so again this year.
With a cadence of getting funding every year for the last three years, Pace says this round may mark the end of that fundraising cycle for a time. He wasn’t ready to commit to the idea of an IPO, saying that is likely a couple of years away, but he says the company is close to profitability.
With the new influx of money, the company does plan to expand its workforce as moves into markets across the world . They currently have 300 employees, but within a year he expects to be between 400 and 450 worldwide.
The company’s last round was a $30 million Series C last June led by Meritech Capital Partners.
Powered by WPeMatico
If you’re part of a big company, chances are that there are resources that are only available via the internal network, or whatever your company calls it. The usual way to access these from outside company property is a VPN, but VPNs are a clumsy solution — one companies like Google and Amazon are leaving behind. Now Cloudflare wants you to do the same and use its new Access… Read More
Powered by WPeMatico
Used to be when we thought about identity as it relates to computers and software, it involved a person logging into an application or service. Increasingly though, you also have machines and sensors attempting to authenticate as they access your systems. That creates complications for identity management vendors because instead of managing thousands or tens of thousands of identities, it… Read More
Powered by WPeMatico