UnifyID wants to bury the password once and for all

The old-fashioned password gets little respect from hackers these days. In fact, it’s barely a speed bump for them to get past. The hacker can find your password or even the answers to your “security” questions for sale on the internet black market. UnifyID, a participant in this year’s TechCrunch Disrupt SF Battlefield competition, sees a system that’s hopelessly broken — and they think they have a way to fix it.

The trouble with today’s approach, says co-founder Kurt Somerville, is that it uses a system of secrets and you reveal the secret to get into the program or service. In his view that technique isn’t sustainable or scalable, and his company has a better way — implicit authentication.

With UnifyID, instead of supplying a password, the system begins to build an understanding about who you are, the devices you use, the places you go, the sensors you interact with throughout a day, even the way you walk and the cadence of your typing. As you begin to build a reasonable profile, the software can compute a score based on the likelihood that it’s you.

This technology is designed to know it’s you because you’re unique and you have different ways of behaving that make you, you.

The first product, which is being made available in private beta this week at TechCrunch Disrupt in San Francisco, is a Chrome browser extension with an iOS mobile app. (An Android app is coming some time in the future). You install the browser extension and the mobile app and it begins to learn about you and your behavior. You go to a website, and instead of asking for a user name and password, it logs you in using your Unify ID, so long as it’s confident it’s you. If there’s a question (and there is more likely to be a question when you first start using the product), it will send a challenge to your phone such as asking for your Touch ID.

If you’re concerned about a company collecting this much data on you, they say that users are in complete control of their data. Data lives for the most part on the local device, not the back-end cloud servers and, to ensure the company can’t get at any data it does collect, it’s all encrypted. Even if they had the intention of selling data, they couldn’t because they don’t hold any actionable data.

The initial product is free as a kind of showcase for the technology, but the company, which has an undisclosed seed round, plans to sell the ability to embed this technology to companies.

You may be thinking that other companies have tried a similar approach, and you would be right. Google has been working on a similar system for Android, but co-founder John Whaley says there are some key differences between what they are doing at UnifyID and what Google is doing.

“Their technology is focused on a single device and platform: Android, and is purely local to the device. From our experience the accuracy and security goes way up once you combine sensor data from multiple devices,” he says.

What’s more, he thinks the big four — Microsoft, Google, Facebook and Apple — will likely try to build similar systems, not as a single identity system for all, but for their individual platforms, and Whaley sees that as a fundamental problem — one his company is hoping to solve.

“It is of course validating for us that other players recognize this opportunity. One of the biggest challenges of a small startup like ours is to educate the market to the future of authentication,” Whaley said. These companies have a big megaphone to get the public behind new types of authenticating, but he believes there’s still room for a company like his to innovate.

“That being said, I think the space is ripe for innovation and a new and cool enough technology can have a major impact.”



Q: What is the false negative percentage?
A: It was surprising to us that individuals are very unique and very predictable, and so even after just a little bit of training data, we can actually uniquely identify people. For example, we can uniquely identify someone with just four seconds of gait (walking) analysis data, and that’s just one factor out of many, many factors.
After we get data from four sensors, we get five 9s of accuracy that it’s going to be you. What those sensors are depends on the individual.
Q: How many different factors are there?
A: We are using the factors on your phone and your computer and wearables if you have them. There are over 100 different attributes that are basically different permutations of these sensors.
Q: What about when you want to give someone your password?
A: That’s an excellent question. Right now the way you share access is you give somebody your password. The problem is now that you’ve shared it, you need to change it. We are building the ability to delegate access to individuals. We can actually set policy when people can get access.
Q: Is it individual for me and I can use it everywhere or does everyone have to implement it?

A: We have a Chrome extension that works with the Alexa Top 500 sites. There’s a really good chance that it will work on a site you’re visiting. When you get to the site, you are no longer going to see user name and password. It will be a seamless experience and far more secure than using a user name and password.

Source: TechCrunch