The old-fashioned password gets little respect from hackers these days. In fact, it’s barely a speed bump for them to get past. The hacker can find your password or even the answers to your “security” questions for sale on the internet black market. UnifyID, a participant in this year’s TechCrunch Disrupt SF Battlefield competition, sees a system that’s hopelessly broken — and they think they have a way to fix it.
The trouble with today’s approach, says co-founder Kurt Somerville, is that it uses a system of secrets and you reveal the secret to get into the program or service. In his view that technique isn’t sustainable or scalable, and his company has a better way — implicit authentication.
With UnifyID, instead of supplying a password, the system begins to build an understanding about who you are, the devices you use, the places you go, the sensors you interact with throughout a day, even the way you walk and the cadence of your typing. As you begin to build a reasonable profile, the software can compute a score based on the likelihood that it’s you.
This technology is designed to know it’s you because you’re unique and you have different ways of behaving that make you, you.
The first product, which is being made available in private beta this week at TechCrunch Disrupt in San Francisco, is a Chrome browser extension with an iOS mobile app. (An Android app is coming some time in the future). You install the browser extension and the mobile app and it begins to learn about you and your behavior. You go to a website, and instead of asking for a user name and password, it logs you in using your Unify ID, so long as it’s confident it’s you. If there’s a question (and there is more likely to be a question when you first start using the product), it will send a challenge to your phone such as asking for your Touch ID.
If you’re concerned about a company collecting this much data on you, they say that users are in complete control of their data. Data lives for the most part on the local device, not the back-end cloud servers and, to ensure the company can’t get at any data it does collect, it’s all encrypted. Even if they had the intention of selling data, they couldn’t because they don’t hold any actionable data.
The initial product is free as a kind of showcase for the technology, but the company, which has an undisclosed seed round, plans to sell the ability to embed this technology to companies.
You may be thinking that other companies have tried a similar approach, and you would be right. Google has been working on a similar system for Android, but co-founder John Whaley says there are some key differences between what they are doing at UnifyID and what Google is doing.
“Their technology is focused on a single device and platform: Android, and is purely local to the device. From our experience the accuracy and security goes way up once you combine sensor data from multiple devices,” he says.
What’s more, he thinks the big four — Microsoft, Google, Facebook and Apple — will likely try to build similar systems, not as a single identity system for all, but for their individual platforms, and Whaley sees that as a fundamental problem — one his company is hoping to solve.
“It is of course validating for us that other players recognize this opportunity. One of the biggest challenges of a small startup like ours is to educate the market to the future of authentication,” Whaley said. These companies have a big megaphone to get the public behind new types of authenticating, but he believes there’s still room for a company like his to innovate.
“That being said, I think the space is ripe for innovation and a new and cool enough technology can have a major impact.”