Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

1/26/2021
09:15 AM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Startup Offers Free Version of its 'Passwordless' Technology

Beyond Identity co-founders hope to move the needle in eliminating the need for passwords, but experts say killing passwords altogether won't be easy.

A startup with the goal of eradicating passwords and led by Netscape founder Jim Clark and broadband network pioneer Tom Jermoluk today released a free version of its service that authenticates and authorizes users without the use of passwords.

The free version of Beyond Identity's service includes support from the company during business hours and deployment to an unlimited number of users or customers. Beyond's technology, based on X.509 for asymmetric key cryptography and TLS for encrypted communications, makes the endpoint device its own certificate authority. 

The user's private keys, which are stored locally on the device's protected secure enclave section of memory, authenticate and authorize the user via Beyond's cloud-based service.

Password management headaches and credential theft have long been one of the biggest challenges to organizations, and layering passwords with multifactor authentication (MFA) and other protections has become the norm. But as the recent SolarWinds attack believed to be out of Russia demonstrated, attackers can bypass MFA in order to capture or set up credentials inside their targets.

Related Content:

The Future of Account Security: A World Without Passwords?

Special Report: Understanding Your Cyber Attackers

New From The Edge: Comparing Different AI Approaches to Email Security

Jermoluk, CEO of Beyond Identity, says the global pandemic and subsequent rush to send employees to work from home helped drive the decision to offer the startup's core technology for free to organizations. Cyberattacks rose last year, he notes, many of which targeted vulnerable and valuable credentials of work-from-home employees.

"This lets us contribute to companies who are having this [password security] problem today with their remote workforce," he says, and allows them to use it "forever," without the need to sign up for Beyond Identity's paid service.

"This is a piece of technology that solves a lot of problems, especially for SMBs [small and midsize businesses]," says Jermoluk. They don't need to manage any certificates or purchase any additional products to run it, he adds. "If you have Okta single sign-on, [for instance], you can turn [Beyond's service] on in 10 minutes," he says.

The passwordless authentication technology piece of its identity platform service is now available at no cost for organizations to connect to their single sign-on apps to eliminate passwords, and for website or app providers to offer visitors or customers to their site or apps.

Even so, Jermoluk emphasizes that the free version is not its "full-on product," but it does allow organizations to remove passwords and the associate risks that the aging authentication model brings. He says the goal is to usher in the passwordless era, where credentials aren't so easily and readily targeted and used to breach organizations and steal data.

Richard Stiennon, chief research analyst at IT-Harvest, says Beyond Identity's freebie offering makes sense and jibes with the co-founders' roots.

"The audacity of releasing a free product makes me take a breath: It reminds me of Netscape back in the halcyon days of the Internet bubble," he notes, in a nod to Clark's doing the same with the early Web browser. "This move should not have been a surprise. Also, it is what is required when there are so many identity solutions out there — 309 by my count."

Beyond Identity's advanced, or paid-tier, service includes authentication features that drill down on a device's security posture details and data; continuous authentication and risk policy enforcement; integration with mobile device management and endpoint detection and response (EDR) tools; integration with identity management, security, and compliance tools; compliance reporting features; and 24/7 support.

Cloud-based data platform provider Snowflake recently rolled out Beyond Identity's full product service to its thousands of employees for its business applications, including Gmail, Slack, and Salesforce. The company has no on-premise servers: Its IT environment is mainly Microsoft Azure and AWS, as well as SaaS apps, notes Mario Duarte, vice president of security at Snowflake.

Beyond Identity's passwordless service replaced Snowflake's password management tool and integrates with its Okta IDP. "It sits in front of Okta, and [Beyond Identity] takes care of authentication," Duarte says. Okta trusts Beyond Identity to confirm the user logging in is who they say they are, he adds.

Snowflake has requested that Beyond Identity add a couple of new features, including one that allows them to sign code.

When a programmer writes code and uploads it to Github or another code repository, Beyond Identity would allow that person to "sign" the code to authenticate it came from that programmer, he notes. Duarte says he thinks Beyond Identity will add that feature sometime in the first quarter of this year.

Whether Beyond Identity's freemium offer helps move the needle toward eradicating passwords is unclear. Security experts say passwords aren't likely to die anytime soon.

The company plans to add a consumer-level service that e-commerce or other organizations, such as gaming, insurance, or medical practices, can offer to their clients and customers, where there's no single sign-on like Okta sitting in the middle, Jermoluk says. "So anyone delivering a service function or app can offer a passwordless credential system," he says.

Meanwhile, Beyond Identity recently a $75 million Series B funding round, bringing its total investment to $105 million.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...