Decentralized Authentication for a Password-Less World

The year was 2013, and Apple had just released the iPhone 5S with Touch ID, a fingerprint sensor feature that made unlocking devices as easy as touching glass. Young Brooklyn-born tech entrepreneur George Avetisov, well versed in eCommerce and cryptocurrencies, began to connect the dots between the threats he was seeing on the Internet day to day and the exciting advances in biometrics and identity-related protections. Thus was born HYPR.

I spent a nice afternoon chatting with George this past week. His eclectic life experiences and background in on-line retail, electronic payments, and cyber security made him a delightful discussion partner. And with his company, HYPR, now well funded to the tune of $15M from RRE, MasterCard, and Samsung, I thought it was time to learn more about this growing company. Here is what I learned from my Manhattan neighbor:

The primary technical basis for HYPR and its approach to identity-based security can be summarized in one word: Decentralization. And for an old computer science hack like me, when I hear this as a design guidepost, I say so-far-so-good. The idea is that when companies place their credentials, or other valuables in one large bucket, then they are asking for trouble. But when important assets are distributed under decentralized management, the cyber risk shrinks.

“We applied this basic decentralization concept in the HYPR solution to the provision and management of biometrics, PINs, and passwords,” George explained, “and the result has been support for our enterprise customers of their evolution toward a true password-less experience. We’ve seen this across all the industry sectors we currently support, including financial services, transportation, and even mass media.”

What HYPR offers specifically is a platform with an integrated SDK and authentication server that support deployment of credentials to endpoints. The result is that fraudsters have no single repository at which they can aim their malicious efforts. Instead, distributed credentials such as thumbprint biometrics can be used to access merchant services, eCommerce sites, and other on-line resources without relying on centralized, and hence vulnerable, support.

“Our SDK integrates easily with many of the major IAM vendors,” George explained, “including Ping Identity, ForgeRock, CA, and Microsoft. Our goal is to simplify the shift from centralized to decentralized credential management.” And this makes perfect sense to me. Readers of this column will know that I’ve been an advocate of this distributed approach for years now, and I’m glad to see more emphasis on this type of architecture.

We spent part of our time last week on demos of the HYPR capability, and the experience looks comfortable. For example, users will enjoy the simplicity of password-less login using biometrics on the mobile; similarly, they will like the option of facial, voice, or proximity proof to gain access to on-line services from a bank or insurance company. This is important, because most users don’t care a lick about the back-end decentralization advantages. They just want easy.

From a compliance perspective, HYPR has achieved valuable Universal Second Factor (U2F) and Universal Authentication Framework (UAF) certification from the powerful FIDO Alliance. This will be helpful as CISO teams weigh the advantages of moving their identity infrastructure to a decentralized solution. HYPR also looks useful for emerging GDPR and PSD2 (Revised Payment Service Directive) compliance obligations.

If you are doing anything consequential on the Internet or across your enterprise – and I guess this means everything from retail eCommerce to massive global banking – then my advice is to gather the team together and spend some time investigating the possibilities of decentralized credential usage. And if you are in midtown Manhattan, give George and his team a call, and I suspect they’ll enjoy showing you a demo of the fine HYPR platform and SDK.

As usual, make sure to share your learnings with all of us.