In the digital age, who among us has not forgotten a password from time to time or, worse, gotten locked out of a critical account because one digit of the password was typed incorrectly three times in a row?
Mickey Boodaei feels our pain. The veteran Israeli cybersecurity executive’s latest product, BindID, launched in February, does away with passwords entirely.
BindID uses the biometric sensors built into every new smartphone to log you in securely and seamlessly. No more text messages sent with a clock ticking down 15 minutes to respond; no more complex combinations of numbers, letters and symbols to memorize.
All you need is a fingerprint or a scan of your face.
“Most people have around 200 different accounts that are password protected,” Boodaei tells said. “It’s a nightmare in terms of customer experience.”
Boodaei describes a typical experience: A website asks for your email address. You think you’re a new user, but the site says you have an account already. You request a password reset. It sends a text message to a phone number you no longer use.
“One of the key elements in improving the identity experience is getting rid of passwords,” Boodaei says. “It’s something the industry talks about all the time. Passwords are impractical, burdensome and among the weakest links in security.”
Passwords also diminish customer loyalty and lead many potential customers to abandon the process of purchasing goods and services or setting up an account.
BindID is a product of Transmit Security, which Boodaei founded in 2014 after selling his cybersecurity startup, Trusteer, to IBM for a reported $1 billion the previous year.
Boodaei and his Transmit cofounder, Boston-based Rakesh Loonkar (who was also Boodaei’s right hand man in Trusteer) invested some $40 million of their own money into their new company.
Just a few years later, Transmit Security is generating $100 million a year in revenue and has never taken a shekel of outside funding. The company “only used a couple million out of that [$40 million] before we became profitable,” Boodaei notes.
Transmit now employs 100 people with headquarters in Tel Aviv and additional offices in Boston (the company’s US headquarters), London, Berlin, Tokyo, Hong Kong, Madrid, Sao Paulo and Mexico City.
Transmit Security cofounders Mickey Boodaei and Rakesh Loonkar cutting the ribbon at their Boston headquarters. Photo courtesy of Transmit Security
Transmit’s first product, FlexID, is a platform that allows large enterprises to build and manage their users’ “identity journeys” – everything from opening an account, asking the user to provide identification information and allowing changes to the user’s profile.
FlexID connects a company’s backend infrastructure to its frontend consumer-facing applications.
The product caught on “with some of the biggest banks in North America and some of the biggest insurance companies and merchants,” Boodaei says.
BindID was created to “pre-build” identity journeys for smaller customers without deep pockets.
How does it work?
Imagine an ecommerce company. Instead of forcing users to choose yet another user ID and password combination, BindID uses the biometric reader on your iPhone, Android or in some cases laptop. You’ve already registered your fingerprint or face; BindID is able to tap into that information directly using the “FIDO2” protocol. (FIDO stands for “fast identity online.”)
Interoperability and data transfer protocols like FIDO2 are “now very mature and implemented in all the operating systems and browsers,” Boodaei says.
Because biometric identification is unique to every individual user, there’s never a need for a password.
If your computer doesn’t have a biometric reader built in, the BindID software will display a QR code on the device that can scan using your phone. BindID then checks the biometric data on the mobile device to make sure it’s really you, displays a simple authorization screen (“touch here if it’s you”) and the computer-based application magically opens up.
A website can require biometric authorization each time you access an app, or it can remember you for future interactions and ask you to confirm your identity only when you get to a sensitive stage such as entering your credit card details.
The beauty of BindID’s approach is that no additional apps or extensions need to be downloaded or installed. A website running BindID’s software can speak to the biometric data on the phone without any intermediation.
On the road
What if you’re traveling overseas and you change the SIM card on your phone to work in the new location and you subsequently need access to your bank or a ticket booking site? In the past, the site would send a confirmation code to your home country’s phone number, which you can’t access on the road.
No problem with BindID.
“The binding is between the biometrics on the device and the website you’re trying to log into, not between your SIM card and the website,” Boodaei explains. “Your identity is not the number on your SIM but the biometrics on the phone. Sending text messages when you’re roaming makes for a very bad customer experience.”
Indeed, this “binding” between device and identity is where BindIDgets its name.
Transmit Security now has “dozens of large customers” for FlexID and BindID, Boodaei says. Among the customers listed on the Transmit website are MassMutual, UBS, HSBC, Sun Life Financial and Lowe’s Home Improvement.
Customers also include six of the seven largest financial institutions in the United States, two of the largest US merchants, and many financial organizations, merchants and online service providers in Europe, Asia and Latin America.
BindID’s pricing depends on the size of the customer. “For small organizations, it could be in the thousands of dollars per year,” Boodaeisays. “For big ones, it could be in the hundreds of thousands of dollars a year.”
No more password theft
Cybercrime costs the global economy $2.9 million every minute. And more than 80 percent of data breaches start with password theft. Furthermore, some 20% to 50% of all help desk calls refer to password resets.
To address that risk, a company implementing BindID’s software has the option to delete all passwords from its databases, an important step in improving security and complying with global data privacy regulations.
Boodaei firmly believes that “the future is passwordless. We are offering organizations a way to jump on the passwordless train.”