Roughly 80% of data breaches globally are tied to weak or stolen passwords, according to the World Economic Forum, and they contribute to the $2.9 million cybercrime costs the global economy every minute. Moreover, with anywhere between 20% and 50% of all help desk calls reportedly related to password resets, it’s easy to see why there has been a growing push to eliminate passwords altogether.
Against this backdrop, identity and access management startup Transmit Security is launching a new product that could play a role in the burgeoning “passwordless” security landscape. The Boston-based company today unveiled BindID, an “app-less mobile authenticator” software makers can use to authenticate users by leveraging the same biometrics (i.e. face or fingerprint) registered to their mobile device.
A company could, for example, deploy a “login with mobile” button at the top of their website. When the user taps that button, it calls BindID using OpenID Connect (OIDC), an identity layer built on top of the OAuth 2.0 protocol. This then throws up a QR code, which the user scans with their mobile phone to open a web browser that invokes the device’s preconfigured biometrics.
Above: Transmit Security: BindID uses QR code to authenticate any user with biometrics.
The user does have to register each online account (e.g. banking or ecommerce) with BindID the very first time they access an online service. When they initially try to access a website that has BingID embedded, they will have to provide their login credentials to register their biometrics. After that, they won’t have to provide any additional credentials when accessing that particular online service on any device.
BindID also works on mobile phones, either in a browser or a native app, though this won’t require a QR code — the user can simply hit a button to start the process.
Above: Transmit Security: BindID can authentic users with their biometrics on any device
BindID can also be configured to work in other scenarios, such as in call centers. An interactive voice response (IVR) could ask a caller to identify themselves with their biometrics by sending an SMS link. It would then check their device’s biometric authentication smarts to tell the call center that they are who they say they are.
The story so far
Transmit Security has so far been funded by $40 million of the founders’ own money, after the founders sold a previously security company to IBM for a reported $1 billion, and it constitutes part of a broader move to replace passwordless technology. Beyond Identity, for example, recently raised $75 million, while notable players like Axiad and Trusona have secured sizable investments for similar initiatives over the past year.
With BindID, however, Transmit Security is aiming for several notable advancements. For one, the user only needs to register with BindID once, after which they can authenticate themselves with a specific account on any device, application, or channel associated with that account, regardless of whether the device has built-in biometric capabilities. This is particularly useful in situations where the end user has forgotten their credentials. Moreover, the end user isn’t required to download any other mobile authentication apps to their device, as would be the case with other authentication platforms.
So rather than abandoning a shopping cart when they’re asked to provide forgotten login credentials, a customer can simply scan a QR code and authenticate from their mobile.
“BindID is the industry’s first app-less, strong, portable authenticator that uses device-based biometrics for secure, convenient, and consistent customer authentication,” Transmit Security cofounder and CEO Mickey Boodaei told VentureBeat. “Shared trust at the user, device, and network levels allows other biometric-enabled devices, such as laptops and tablets, to be associated with BindID accounts and provides secure device re-enrollment.”
The service provider (i.e. the app maker) doesn’t manage any of the authentication process itself — instead handing that off to BindID. This could be particularly appealing for businesses wary of holding or processing sensitive customer data or worried about the resources required to roll out biometrics-based security.
Transmit Security expects BindID to initially be adopted by consumer-facing services looking for an easy way to integrate biometric authentication smarts into their software, but the company is eyeing a much wider market.
“Customers see the potential and are exploring use cases for workforce applications of BindID,” Boodaei said. “Open standards and APIs let organizations deploy the cloud-based BindID service quickly in any channel. Most development teams can have it up and running within a single agile sprint.”
Boodaei added that it is currently in trials with “some of the largest Fortune 100 companies” but said it wasn’t at liberty to divulge any names.
VentureBeat
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:
- up-to-date information on the subjects of interest to you
- our newsletters
- gated thought-leader content and discounted access to our prized events, such as Transform
- networking features, and more
