Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

09:15 AM
Connect Directly

Startup Offers Free Version of its 'Passwordless' Technology

Beyond Identity co-founders hope to move the needle in eliminating the need for passwords, but experts say killing passwords altogether won't be easy.

A startup with the goal of eradicating passwords and led by Netscape founder Jim Clark and broadband network pioneer Tom Jermoluk today released a free version of its service that authenticates and authorizes users without the use of passwords.

The free version of Beyond Identity's service includes support from the company during business hours and deployment to an unlimited number of users or customers. Beyond's technology, based on X.509 for asymmetric key cryptography and TLS for encrypted communications, makes the endpoint device its own certificate authority. 

The user's private keys, which are stored locally on the device's protected secure enclave section of memory, authenticate and authorize the user via Beyond's cloud-based service.

Password management headaches and credential theft have long been one of the biggest challenges to organizations, and layering passwords with multifactor authentication (MFA) and other protections has become the norm. But as the recent SolarWinds attack believed to be out of Russia demonstrated, attackers can bypass MFA in order to capture or set up credentials inside their targets.

Related Content:

The Future of Account Security: A World Without Passwords?

Special Report: Understanding Your Cyber Attackers

New From The Edge: Comparing Different AI Approaches to Email Security

Jermoluk, CEO of Beyond Identity, says the global pandemic and subsequent rush to send employees to work from home helped drive the decision to offer the startup's core technology for free to organizations. Cyberattacks rose last year, he notes, many of which targeted vulnerable and valuable credentials of work-from-home employees.

"This lets us contribute to companies who are having this [password security] problem today with their remote workforce," he says, and allows them to use it "forever," without the need to sign up for Beyond Identity's paid service.

"This is a piece of technology that solves a lot of problems, especially for SMBs [small and midsize businesses]," says Jermoluk. They don't need to manage any certificates or purchase any additional products to run it, he adds. "If you have Okta single sign-on, [for instance], you can turn [Beyond's service] on in 10 minutes," he says.

The passwordless authentication technology piece of its identity platform service is now available at no cost for organizations to connect to their single sign-on apps to eliminate passwords, and for website or app providers to offer visitors or customers to their site or apps.

Even so, Jermoluk emphasizes that the free version is not its "full-on product," but it does allow organizations to remove passwords and the associate risks that the aging authentication model brings. He says the goal is to usher in the passwordless era, where credentials aren't so easily and readily targeted and used to breach organizations and steal data.

Richard Stiennon, chief research analyst at IT-Harvest, says Beyond Identity's freebie offering makes sense and jibes with the co-founders' roots.

"The audacity of releasing a free product makes me take a breath: It reminds me of Netscape back in the halcyon days of the Internet bubble," he notes, in a nod to Clark's doing the same with the early Web browser. "This move should not have been a surprise. Also, it is what is required when there are so many identity solutions out there — 309 by my count."

Beyond Identity's advanced, or paid-tier, service includes authentication features that drill down on a device's security posture details and data; continuous authentication and risk policy enforcement; integration with mobile device management and endpoint detection and response (EDR) tools; integration with identity management, security, and compliance tools; compliance reporting features; and 24/7 support.

Cloud-based data platform provider Snowflake recently rolled out Beyond Identity's full product service to its thousands of employees for its business applications, including Gmail, Slack, and Salesforce. The company has no on-premise servers: Its IT environment is mainly Microsoft Azure and AWS, as well as SaaS apps, notes Mario Duarte, vice president of security at Snowflake.

Beyond Identity's passwordless service replaced Snowflake's password management tool and integrates with its Okta IDP. "It sits in front of Okta, and [Beyond Identity] takes care of authentication," Duarte says. Okta trusts Beyond Identity to confirm the user logging in is who they say they are, he adds.

Snowflake has requested that Beyond Identity add a couple of new features, including one that allows them to sign code.

When a programmer writes code and uploads it to Github or another code repository, Beyond Identity would allow that person to "sign" the code to authenticate it came from that programmer, he notes. Duarte says he thinks Beyond Identity will add that feature sometime in the first quarter of this year.

Whether Beyond Identity's freemium offer helps move the needle toward eradicating passwords is unclear. Security experts say passwords aren't likely to die anytime soon.

The company plans to add a consumer-level service that e-commerce or other organizations, such as gaming, insurance, or medical practices, can offer to their clients and customers, where there's no single sign-on like Okta sitting in the middle, Jermoluk says. "So anyone delivering a service function or app can offer a passwordless credential system," he says.

Meanwhile, Beyond Identity recently a $75 million Series B funding round, bringing its total investment to $105 million.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-05
In SPIRE before versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1, the "aws_iid" Node Attestor improperly normalizes the path provided through the agent ID templating feature, which may allow the issuance of an arbitrary SPIFFE ID within the same trust domain, if the attacker controls the v...
PUBLISHED: 2021-03-05
An issue was discovered in the Linux kernel through 5.11.3, as used with Xen PV. A certain part of the netback driver lacks necessary treatment of errors such as failed memory allocations (as a result of changes to the handling of grant mapping errors). A host OS denial of service may occur during m...
PUBLISHED: 2021-03-05
An issue was discovered in the Linux kernel 5.9.x through 5.11.3, as used with Xen. In some less-common configurations, an x86 PV guest OS user can crash a Dom0 or driver domain via a large amount of I/O activity. The issue relates to misuse of guest physical addresses when a configuration has CONFI...
PUBLISHED: 2021-03-05
An issue was discovered in OSSEC 3.6.0. An uncontrolled recursion vulnerability in os_xml.c occurs when a large number of opening and closing XML tags is used. Because recursion is used in _ReadElem without restriction, an attacker can trigger a segmentation fault once unmapped memory is reached.
PUBLISHED: 2021-03-05
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.