Two security startups independently chip away at passwords

By Paul Gillin - April 14, 2020

Source: SiliconANGLE

Two startups are separately tackling the task of eliminating passwords from standard online interactions with new products announced today. Identité Inc. is rolling out a mobile app-based authentication system that it says eliminates the need for passwords while also shortening the login process. Volterra Inc., a maker of software for distributing applications that emerged from stealth six months ago, is releasing an approach to data encryption that likewise takes passwords out of the equation. Passwords are now routinely vilified in the computer security community as a method of guarding precious data. Between the theft of billions of passwords over the past few years and people’s proclivity to use easily guessed passwords across multiple applications, cybersecurity professionals have been looking for a new approach. Identité says it has one in NoPass, a three-factor authentication system that it claims is faster to use than passwords, simple for website owners to implement and compliant with all major industry standards. The software requires users to download and authenticate to an app that will soon be available in Android and Apple app stores. Once installed, future authentications automatically launch the NoPass app and present an image and number for visual verification. The user need only verify the number or use the built-in biometric capabilities on the device. The angel-funded company, which was founded by John Hertrich, the former founder of Professional Software Associates Inc. and Joe Skocich, who helped start IBM Corp.’s security business unit, says its technology is impervious to such attacks as man-in-the-middle. That’s when the attacker intercepts data from other apps, including those that generate authentication codes. “A lot of token-based authenticators put a token out there and all the server does is ask if the user has the token,” said Skocich, who is vice president of sales at Identité. “Any hacker can wake up apps and ask for the token.” NoPass is packaged as a Docker container image for rapid deployment. It’s also fully compatible with standards created by Fast Identification Online or Fido, a nonprofit organization dedicated to eliminating the need for passwords. “When they purchase the subscription, customers they install a lightweight Docker image on a virtual machine” running in the Amazon Web Services Inc. or Microsoft Corp. Azure cloud, Skocich said. “It installs in minutes,” although he said some HTML changes are needed to display registration and authentication details. Volterra’s VoltShare is an end-to-end data encryption product that the company claims plugs some of the security gaps in popular encryption technology like PGP and public-key cryptography. The complexity of both approaches limit their use to large organizations. And they require individual users who want to encrypt data to share passwords or keys with each other, which can be intercepted. With the VoltShare approach, users download an application, create an account, attach a file and create a policy. Target recipients can decrypt the data using VoltShare, assuming they are using the email address specified by the sender and are within the specified timeframe. VoltShare can be used with a wide range of file-sharing and collaboration tools and encryption is independent of the underlying platform. The software is available today as a free download for individual users with a paid enterprise subscription option. Photo: Unsplash