1/26/2021
09:15 AM

Startup Offers Free Version of its 'Passwordless' Technology

Beyond Identity co-founders hope to move the needle in eliminating the need for passwords, but experts say killing passwords altogether won't be easy.

A startup with the goal of eradicating passwords and led by Netscape founder Jim Clark and broadband network pioneer Tom Jermoluk today released a free version of its service that authenticates and authorizes users without the use of passwords.

The free version of Beyond Identity's service includes support from the company during business hours and deployment to an unlimited number of users or customers. Beyond's technology, based on X.509 for asymmetric key cryptography and TLS for encrypted communications, makes the endpoint device its own certificate authority. 

The user's private keys, which are stored locally in the device's secure enclave, a protected section of memory, authenticate and authorize the user via Beyond's cloud-based service.

Password management headaches and credential theft have long been among the biggest challenges for organizations, and layering passwords with multifactor authentication (MFA) and other protections has become the norm. But as the recent SolarWinds attack, believed to be out of Russia, demonstrated, attackers can bypass MFA in order to capture or set up credentials inside their targets.

Jermoluk, CEO of Beyond Identity, says the global pandemic and subsequent rush to send employees to work from home helped drive the decision to offer the startup's core technology for free to organizations. Cyberattacks rose last year, he notes, many of which targeted vulnerable and valuable credentials of work-from-home employees.

"This lets us contribute to companies who are having this [password security] problem today with their remote workforce," he says, and allows them to use it "forever," without the need to sign up for Beyond Identity's paid service.

"This is a piece of technology that solves a lot of problems, especially for SMBs [small and midsize businesses]," says Jermoluk. They don't need to manage any certificates or purchase any additional products to run it, he adds. "If you have Okta single sign-on, [for instance], you can turn [Beyond's service] on in 10 minutes," he says.

The passwordless authentication piece of its identity platform service is now available at no cost, both for organizations to connect to their single sign-on apps to eliminate passwords and for website or app providers to offer to visitors or customers of their sites or apps.

Even so, Jermoluk emphasizes that the free version is not its "full-on product," but it does allow organizations to remove passwords and the associated risks that the aging authentication model brings. He says the goal is to usher in the passwordless era, where credentials aren't so easily and readily targeted and used to breach organizations and steal data.

Richard Stiennon, chief research analyst at IT-Harvest, says Beyond Identity's freebie offering makes sense and jibes with the co-founders' roots.

"The audacity of releasing a free product makes me take a breath: It reminds me of Netscape back in the halcyon days of the Internet bubble," he notes, in a nod to Clark's doing the same with the early Web browser. "This move should not have been a surprise. Also, it is what is required when there are so many identity solutions out there — 309 by my count."

Beyond Identity's advanced, or paid-tier, service includes authentication features that drill down on a device's security posture details and data; continuous authentication and risk policy enforcement; integration with mobile device management and endpoint detection and response (EDR) tools; integration with identity management, security, and compliance tools; compliance reporting features; and 24/7 support.

Cloud-based data platform provider Snowflake recently rolled out Beyond Identity's full product service to its thousands of employees for its business applications, including Gmail, Slack, and Salesforce. The company has no on-premise servers: Its IT environment is mainly Microsoft Azure and AWS, as well as SaaS apps, notes Mario Duarte, vice president of security at Snowflake.

Beyond Identity's passwordless service replaced Snowflake's password management tool and integrates with its Okta IDP. "It sits in front of Okta, and [Beyond Identity] takes care of authentication," Duarte says. Okta trusts Beyond Identity to confirm the user logging in is who they say they are, he adds.

Snowflake has requested that Beyond Identity add a couple of new features, including one that allows them to sign code.

When a programmer writes code and uploads it to GitHub or another code repository, Beyond Identity would allow that person to "sign" the code to authenticate that it came from that programmer, he notes. Duarte says he thinks Beyond Identity will add that feature sometime in the first quarter of this year.

Whether Beyond Identity's freemium offer helps move the needle toward eradicating passwords is unclear. Security experts say passwords aren't likely to die anytime soon.

The company plans to add a consumer-level service that e-commerce or other organizations, such as gaming, insurance, or medical practices, can offer to their clients and customers, where there's no single sign-on like Okta sitting in the middle, Jermoluk says. "So anyone delivering a service function or app can offer a passwordless credential system," he says.

Meanwhile, Beyond Identity recently raised a $75 million Series B funding round, bringing its total investment to $105 million.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...