Cloudwear Introduces A New Way To Secure Online Accounts

A company that has developed a new way to secure access to online accounts, Cloudwear, is launching today onstage at TechCrunch Disrupt NY. Backed by a team whose experience includes building cloud-based applications for Harvard, MIT and the U.S. Department of Defense, Cloudwear’s system enables companies to better determine a user’s location, then lock or grant access based on that understanding.

The system can be used alongside traditional two-factor authentication methodologies, or it can be used to secure accounts where two-factor authentication is not offered or switched on. The benefit, in the latter case, is that many users today don’t want to deal with the hassles involved in using the more secure two-factor technology. This often involves a code of some sort being sent to a user’s mobile phone that they enter on a website after first typing their username or password combination. But while more secure, it slows down the login process.

However, without that added layer of security, many user accounts today are left vulnerable to hacks. That’s the problem Cloudwear aims to solve.

[gallery ids="1153618,1153617,1153616,1153615,1153614,1153613,1153612,1153611,1153610,1153609,1153608,1153607,1153606"]

The startup was founded around a year-and-a-half ago, and today is a small team of fewer than 10 in Santa Monica. The founders are Evan Tann, whose background includes projects in AI and robotics, as well as several software projects for large companies like Telefónica, Samsung, GE, and others, and for MIT and Harvard; and Wendell Brown, co-founder of LiveOps and eVoice.

The team says that 98 percent of all hacks today originate from outside the United States, according to Cloudwear’s analysis of some 10,000 hack events. If companies were able to accurately detect the origin of a user’s login attempt, they would have a way to quickly flag those that appeared to be fraudulent. After all, someone who always logs in from their work or home IP address in the U.S. isn’t likely to all of a sudden be accessing their account from somewhere in China.

While some online systems, like Gmail for instance, can alert users when a suspicious login attempt is being detected on a remote computer, most sophisticated hackers know how to hide their real location using a VPN.

Explains Tann, the idea for the system came about when they were working to determine how best to protect data and figure out where requests were coming from for another project they were focused on at the time.

“We started looking through the market and couldn’t find any way to do it. If you just got a VPN, we couldn’t see where in the world you were coming from,” he says. “It was very difficult, and it was a problem we couldn’t figure out how to solve.”

So Cloudwear has developed technology that will help to locate the user in question, but not by the IP of the machine they’re using to log in to an online service, but rather by the location of the user’s mobile phone. Via a mobile SDK that can be embedded into a company’s own app (or in an app that Cloudwear provides), the company is able to silently ping the user’s phone and request its current location.

In other words, the process of determining the phone’s current location is practically invisible to the end user.

This is done with user consent, but it doesn’t require any user interaction after the app is first installed and launched on the phone. Instead, as long as the user is logged in to the app, Cloudwear can wake the app up with a silent push notification in order to ask for the location in the background.

In other words, the process of determining the phone’s current location is practically invisible to the end user.

Afterward, the company using Cloudwear can determine how it wants to proceed if a log-in attempt looks suspicious. Even if the hacker hides their real, overseas location, it’s not likely that their spoofed IP address matches up with the actual location of the user’s smartphone. The company could then request the user complete some additional steps to verify their identity, for example, or the company could block the login attempt entirely.

Because of the way this system works, it’s not only applicable to consumer-facing online services, but also to internal corporate systems. Cloudwear says that its trial customers include businesses that host extremely valuable and private data, like those in the healthcare, insurance, finance and tech industries.

Also interesting is that it allows businesses to restrict logins to specific geographic areas – for example, in the demo shown today at Disrupt NY, the company showed how user logins at SpaceX (from where some of its team hails), could be locked down by whitelisting areas of access on a map.

The company is currently testing its product, which also integrates with Azure Active Directory, with a handful of big tech and insurance companies, and is now fielding requests via its website from other interested parties. Pricing for the service is still yet to be determined, though its initial customers are paying, the company confirms.

While no system is entirely hacker-proof (and of course there will be times when determining a phone’s location is not an effective means of securing a log-in attempt) the system could at least be used as an additional layer on top of two-factor security, even if a company didn’t want to forgo using that more traditional means of securing access to online accounts.

Cloudwear is backed by less than half a million in angel funding and is raising a seed round now.