London-based Callsign has closed a $35 million Series A, led by Accel and early stage investor PTB Ventures, for an authentication platform which uses deep learning technology to power adaptive access control for enterprises — saying it can verify a person is who they say they are just from a swipe on a touchscreen.
Other investors in the Series A include Allegis Capital and cybersecurity industry veteran David DeWalt’s NightDragon Security.
The company, which was founded in 2012 — though only launched its platform to major customers 18 months ago — name-checks the likes of Lloyds Bank and Deutsche Bank as clients, and says the platform has been deployed “to hundreds of thousands of users” globally at this stage.
Its approach essentially combines multi-factor authentication with fraud analytics powered by deep-learning technology to offer a authentication platform that can adapt to potentially suspicious signals to combat the threat of unauthorized logins.
The wider aim is to help enterprises mitigate the risk of unauthorized access after login credentials have been stolen or compromised via a data breach or phishing attack.
It’s worth noting that Callsign does not replace any existing authenticator technologies — rather the aim is to enable businesses to more effectively deploy these technologies, based upon the intelligence it gathers and the policies it allows enterprises to flexibly set.
The platform works by analyzing a variety of signals in real-time, pertaining to each login attempt, and then adapts dynamically to offer “the most appropriate security challenge(s)” — based on its analysis of “hundreds of data-points”, according to founder and CEO Zia Hayat.
This means it might prompt for a user for a password, PIN, fingerprint, face, voice biometric — or “even nothing” — at the point of login.
The approach aims to balance “security with user experience”, says Hayat.
AI and crypto mechanisms
He describes its core tech as “AI and crypto mechanisms combined with a highly intuitive policy manager”. “We have several patents (both granted and filed) as well as trade secrets,” he adds. “We have developed our own unique AI models in-house based upon a combination of techniques that our team (mainly ex-BAE Systems and Lloyds Banking Group data scientists) have developed in the deep learning space.”
Examples of the kinds of signals it’s looking at to verify identity include GPS, Cell tower ID, IP, WiFi, gyroscope, accelerometer, Force Touch, screen co-ordinates, timings of taps, mouse movement coordinates, tcp/ip settings, clock settings, browser type — “and many more”.
“The purpose of this data analysis (this is our unique AI) is to spot potentially suspicious usage and then adapt the authentication journey (security challenges),” Hayat tells TechCrunch via email. “For example if the user has the correct password but the circumstances around this are unrecognised then the system may request that the user provides a fingerprint as well.”
“From an operational perspective, the system allows businesses… to easily define and evolve policies that adapt to changing circumstances (i.e. threat landscape), either automatically based upon the data analysis or manually (by security ops team) based upon other intelligence.”
According to Hayat it takes around six to 10 logins to “sufficiently train” the platform to identify each user. Before which a “non-trained journey is executed” — which means a user is always prompted for a fixed number of factors, such as PIN and fingerprint, with the specific combination set by the customer.
Callsign’s platform — which it calls Intelligence Driven Authentication (IDA) — can be deployed with “out-of-the box mobile authenticators” or made to mesh with an enterprise’s existing authenticators or data sources, according to Hayat.
He further notes it can also support integrating with different identity and access management providers, such as ForgeRock, to offer an “end-to-end solution”.
As well as using AI to power authentication decisions, Hayat says Callsign’s platform supports manual adaption — which he says might be useful if, for example, a business realizes that a specific authenticator type has been hacked. “They can then swap the usage of this with another authenticator within minutes rather than days/weeks/months it takes today,” he adds.
Giving an example of how the platform might function generally, he sketches the scenario of an employee wishing to login to a SaaS service from a non-corporate and therefore non-trusted machine. “The system will recognise this is a non-trusted machine and will therefore avoid asking the user to enter their corporate password (only username/email will be promoted for), instead the user may receive a notification to their mobile device asking to authenticate via this channel. This enables to do what they need to without compromising security,” he says.
Another possible scenario he describes is a customer wanting to login to a banking or retail website to make a purchase.
“They have the correct password but the way they entered it was unrecognised (i.e. AI finds muscle memory mismatch), additionally the device the customer is coming from is unrecognised (i.e. AI profiles the device and finds the user has never been seen on this before) but the location does seem to be one that is recognised (i.e. AI profiles a number of metrics and decides that this is a known location) for this given customer.
“As a result, dependant upon the policies the business has set, the user may be prompted for an additional authenticator (e.g. face) or simply let through because location is recognised with correct password, meaning the user may be on a borrowed/new device.”
Expansion plans and market positioning
While financial services (banking and insurance) has been Callsign’s main first customer focus, Hayat says it’s now starting to broaden that base, with deployments beginning “across verticals — government, retail, healthcare, legal & accounting and telecoms”.
The Series A investment will be put towards scaling up sales, marketing, support and engineering across geographies, according to the CEO. “Specifically we’ll be going full into the US, Far & Middle East”, he tells TechCrunch.
As part of its expansion plans it will also open offices in the Bay Area and New York City in the next few months.
In terms of competition, Callsign competes with a plethora of others, with Hayat naming the likes of AimBrain, Behaviosec, BioCatch, ThreatMetrix, NeuStar and Transmit Security — but he argues its approach is different because he claims these rivals “only assess events through a limited lens(es)” and therefore “have much higher false rejection/acceptance rates”.
“Callsign analyses all events through a combination of all the different angles (device, location and behaviour), whereas the competition only assesses through one or at most two,” he adds.
For Callsign’s platform, he says the false rejection rate (i.e. where a user cannot be identified from a combination of implicit and explicit factors) is “less than 0.00005%”, while the false acceptance rate (i.e. where a fraudster is able to pass all implicit and explicit factors) is “less than 0.00002%”.
“Both of these are coming down further all the time as we build up more data,” he adds.
He also notes the platform can be deployed piecemeal, i.e. with a customer just using one or more parts, meaning businesses don’t have to undertake a major transformation to begin making use of the service.
Another differentiation he flags pertains to privacy — claiming Callsign has designed its algorithms to operate “in a highly privacy aware fashion”.
“Specifically they use much less entropy (or information) than any other algorithms in this space, hence we can identify a user from just a swipe across their mobile screen. In addition all data is transformed on the device before being transported to the server for processing, this means raw information (timings, accelerometer, gyroscope, touch coordinates, geo-coordinates etc) are not stored on the server,” he says, adding: “You can think of this as all data going through a unique (one way transformation) on the device before the server processes and stores it.
“In the future all we’re doing is assessing for relative, as opposed to, absolute accuracy. Therefore you can be located at home but the coordinates the system lodges will not be that of your actual home location, they will be a consistent transformation. If somebody manages to get access to databases in which user data is stored, firstly they would need to hack both Callsign and our business customers (as encryption keys are known and managed by the businesses themselves) and then they would need to somehow transform this to the actual data.”
“All of this has had to go through approvals with tier 1 banking customers,” he adds.