If multifactor authentication (MFA) is one of our best hopes for making a dent in cybercrime, it could be a while before everyone’s actually using it. Despite the proven effectiveness of requiring multiple forms of authentication at log-in, recent stats from Microsoft show that just 22% of accounts authenticated through Azure Active Directory utilize MFA.
Meanwhile, identity-focused attacks are surging. In 2021 alone, Microsoft says it blocked more than 25.6 billion attempts to break into accounts of enterprise customers using brute-force password attacks.
Are businesses not aware? Or maybe they just don’t care? More likely, it’s a third reason: The typical MFA user experience is inconvenient. Having to verify through a second device such as a smartphone, or through fetching a code out of your email, is a pain, and it slows everything down. With MFA adoption still modest, it would appear that for many businesses, the trade-offs are just too significant.
But if the user experience issues could be solved, perhaps expanding the adoption of MFA won’t take quite as long. That’s the aim, at least, at Beyond Identity. The startup has developed a solution for MFA that’s focused on “cutting out the friction — making it truly invisible to a user, or to a company, that they’ve turned on MFA,” said Tom “TJ” Jermoluk, cofounder and CEO at Beyond Identity.
As part of that, Beyond Identity also does away with passwords, while harnessing a zero trust approach that ensures only valid users can authenticate, Jermoluk said.
Today, the company announced it has raised a $100 million series C funding round to accelerate the commercial deployment of the product, which is already being used by customers including Snowflake, Intuit and Roblox. The round brings along a $1.1 billion valuation for Beyond Identity — especially notable since the company is just two years old at this point, having been founded in early 2020.
The round was led by Evolution Equity Partners and included backing from New Enterprise Associates, Potentum Partners, Expanding Capital and HBAM. Jim Clark, who is Beyond Identity’s cofounder and chairman, and previously cofounded companies including Netscape, also took part in the round as an investor.
Crucially, with Beyond Identity, the password is completely eradicated. It’s not just that the password is obscured to the user — there’s actually no password to start with.
This has benefits both for the ease of the user experience and for security. Compromised passwords are responsible for 81% of hacking-related breaches, Verizon has reported — and if credentials are stored in a central repository, a breach of that repository can be devastating.
Zero trust approach
Going passwordless, as with Beyond Identity’s MFA platform, takes yet another potential vulnerability out of the equation and makes the platform essentially “un-phishable,” the company says. Still, Jermoluk wants to be clear that Beyond Identity is more than just a “passwordless company.”
“We’re a full-fledged platform — we’re not a point solution,” he said in an interview with VentureBeat. “The thing we do, that the others don’t do, is we have a complete zero trust risk engine.”
This means that the platform assesses numerous contextual factors (70 in all) to determine whether a user who is trying to log in is really who they claim to be. The factors include time, geolocation, IP address, firewall status, disk encryption status and the patch level of software on the device.
“It allows you to check out all these different factors, and make these granular risk decisions about what application people can get to — or what they can do in those applications at any given time,” Jermoluk said.
The solution can also integrate data from endpoint detection and response products, such as CrowdStrike and SentinelOne, to further enhance the decision-making engine, he said.
As an example, if a user typically logs into an application once a day, but suddenly logs in 10 times during a single day, that could be an indicator that something is amiss. Beyond Identity’s zero trust risk engine, therefore, “allows us to have this visibility that nobody else can get” in an identity security solution, Jermoluk said.
The ultimate goal for Beyond Identity, he said, is “to have this platform be adopted as the de facto zero trust platform.”
Ease of use
Beyond Identity integrates with major single sign-on platforms including Okta, ForgeRock, Microsoft and Ping Identity. When a user opens an application on their PC or smartphone, using the Beyond Identity system, the user can be automatically logged in without needing to enter any information (or by just entering their username if it’s not already stored).
With Beyond Identity’s technology, the device itself provides both of the factors needed for authentication. The solution cryptographically embeds the user’s credentials into the device, serving as one of the necessary factors. The other factor is met through the use of biometric authentication to unlock the device.
“You just go right to the app. You don’t know any of that’s going on. All of that happens behind the scenes,” Jermoluk said.
When Beyond Identity first began rolling out its solution with customers, the reaction from many users after logging in was, “Hey — you guys didn’t do anything,” he said.
“It was just so invisible,” Jermoluk said. “So we actually had to tweak the user interface to have a little message come up that says, ‘We are now authenticating you to your application.’”
The key to unlocking all of the capabilities on the platform, he says, is the company’s technology for cryptographically binding identity information to devices.
To accomplish this, Beyond Identity leverages some of the same technical underpinnings that made Clark’s famed previous company — Netscape, which he founded with Marc Andreessen in 1994 — into such a game-changer. Netscape invented the Secure Sockets Layer (SSL) protocol to provide a secure channel for devices connecting over the internet. And its successor, Transport Layer Security (TLS), remains in use today, including for enabling HTTPS connections.
In order to cryptographically embed users’ identities into their devices, Beyond Identity makes use of the X.509-based, asymmetric-key cryptography that forms the basis for TLS.
“It’s already been proven to be scalable and secure. It’s been in use for 25 years now,” Jermoluk said.
What the company figured out was how to extend this cryptography to identity authentication through “binding the identity in the device — make it full-time MFA, by default, without having any friction,” he said. “So our users don’t have to look at a one-time code or a push notification, or any of that. Because you just use your biometric to get on the device, and then the private key signs the certificate.”
Ultimately, Beyond Identity brings the opportunity to “solve so many of the different problems that have existed [in security] with one platform,” Jermoluk said.
Along with its workforce product for corporate MFA usage, Beyond Identity also offers a product for companies such as e-commerce providers to authenticate consumer log-ins, along with an MFA product for developers that aims to assist with issues such as software supply chain compromises. The platform supports Windows, macOS, Linux, iOS and Android devices.
The company reports that it has 40 customers in total. One of its earliest customers was Snowflake, which adopted the platform in late 2020 and has since expanded the solution to its entire workforce and signed a three-year contract when the time came to renew, Jermoluk said.
“They’re a very high-tech company. They know their stuff in security. They’re very concerned with data privacy because of their business model. And they love it,” he said.
In addition to the security benefits Snowflake has gotten from using Beyond Identity’s solution, employees have embraced the tool in a major way, said Mario Duarte, vice president of security at Snowflake, in a video posted on the Beyond Identity website.
“There isn’t a day that we don’t receive an email from our employees, raving about what Beyond Identity is doing for them,” Duarte said. “People really dig it, because they don’t have to worry about passwords anymore.”
While the Beyond Identity solution has gotten some strong early traction, the goal is to achieve ten times the level of growth in 2022, Jermoluk said.
“Last year was more about engineering. This year, the focus is on growing the revenue and the customer logo count,” he said. “We’re really expecting this to be a big breakout year in terms of growth.”
New York-based Beyond Identity currently has a headcount of 180, and expects to end the year with at least 250 employees — though the company would like to hire more than that if it weren’t for the challenges of hiring right now, Jermoluk said. “If I can find a way to get to 300, I will,” he said.
Jermoluk — whose career previously included serving as the CEO of @Home Network, president of Silicon Graphics and a general partner at Kleiner Perkins — said he previously was not planning to return to an operating role in a company, until the idea for Beyond Identity was born.
“Jim Clark and I have been partners 35 years. So I’ve done a lot of these startups. And the last 10 years, I’ve been an active board member at our startups, but I haven’t run any of them directly,” he said. “The reason I’m back [is that] this is really big. This is big and disruptive, and has a chance to be a really important company. And I would like to leave that mark.”