Heartbleed bug reminds us how badly passwords suck

The Heartbleed bug was a painful reminder about the weakness of passwords.

The Internet security flaw prompted companies like mutual fund giant American Funds to advise its 825,000 shareholders to change their passwords to protect their data from hackers.

If history repeats, a good number of those users won’t actually heed American Funds’ advice. Nearly 40 percent of Americans say they would rather clean a toilet than change their passwords, according to a Harris Interactive poll.

Enter a new crop of startups that aim to replace passwords with easier, safer and more reliable alternatives.

Fifteen identity security companies raised about $131 million from U.S.-based venture firms last year, up from nine such companies that raised about $55 million in 2012, according to Thomson Reuters (publisher of VCJ). And this year has gotten off to a fast start, with five identity security companies raising $43 million, as of mid-April.

Among the startups that raised large rounds were Okta, OneLogin, Ping Identity and Symplified. Okta locked down $27 million from Andreessen Horowitz, Greylock Partners, Khosla Ventures and Sequoia Capital; OneLogin secured $13 million from Social+Capital and Charles River Ventures; Ping raised $44 million in a round led by DFJ Growth and W Capital Partners; and Symplified closed on a $20 million round led by Ignition Partners.

The startups and their venture backers see an enormous and growing opportunity. The global market for identity management will grow from $4.4 billion in 2012 to $6.99 billion in 2017, according to IDC. Much of that growth is expected to come from the adoption of cloud-based services across small, medium and large companies.

“Businesses are quickly recognizing the opportunities afforded by cloud-based and mobile IT strategies,” Sequoia Capital Partner Doug Leone said in a statement about Okta’s funding.

Startups are approaching the market from a variety of angles. One of the most common is biometric security, using a person’s fingerprint, eye or other body part as an identifier. Retinal scans rose to prominence after being featured in the Tom Cruise blockbuster “Minority Report,” but it turned out they didn’t work with certain eye pigmentations and were unreliable if a person’s eyes were bloodshot or had developed cataracts.

EyeVerify has created a technology that hopes to vastly improve on retinal scans by taking a picture of blood vessels in the whites of the eye, or eye vasculature, to verify the user’s identity.

“We see EyeVerify as an opportunity to get it right,” said Herb Sih, a partner at Think Big Ventures, which recently invested $2.3 million in the company. “This technology allows for as good or better authentication confidence than a fingerprint.”

EyeVerify’s technology, which was developed over 10 years at the University of Missouri, appears to be particularly compelling for smartphones. “People already are looking at their phones all day long, so with a forward-facing camera this could be a very seamless solution,” Sih said.

EyeVerify recently notched a win when AirWatch announced that it would support EyeVerify on its enterprise mobility management platform. Corporate customers of AirWatch will be able to use EyeVerify to lock down all their mobile devices.

Rather than focus on a single biometric solution, Nok Nok Labs is building security architecture that works with a wide range of password alternatives. The company recently raised $16.5 million from DCM, Lenovo Group and Onset Ventures.

Nok Nok is a founding member of the Fast IDentity Online (FIDO) Alliance, which is pushing password alternatives such as fingerprint, geo-location, and voice and image recognition. Corralling different biometric technologies and getting the software to seamlessly and securely connect with a variety of backend systems and Web services is no small undertaking.

“An incident such as Heartbleed shows how hard it is for organizations to securely manage credentials such as passwords,” said Phillip Dunkelberger, CEO and president of Nok Nok. He added that the FIDO approach distributes this risk, as all confidential information (fingerprint templates, voice recordings, and secure PINS) are held locally on the device.

“But the beauty of the FIDO architecture is that it has the flexibility to accommodate any authentication factor, or any combination of factors,” said Onset Partner David Lane.

Using Nok Nok’s architecture, PayPal and Samsung recently enabled consumer payments with fingerprint authentication on the new Galaxy S5 smartphone. S5 users can now shop with the swipe of a finger wherever PayPal is accepted.

“I believe passwords will go away over time,” Lane said. “It should be characteristics of the actual person that authenticates the user, not a preconceived string of letters and numbers.”

For his part, Damien Steel is betting that passwords won’t go away anytime soon. Steel, a director at OMERS Ventures, led the firm’s $6 million investment in PasswordBox last November. The company has created a secure password manager that remembers a user’s passwords or automatically generates complex passwords for each of the user’s online accounts. 

“This is a busy space with lots of companies tackling the problem, but PasswordBox jumped out at us for a number of reasons,” Steel said. For example, the company’s machine learning technology makes the system compatible with sign-in/login forms from 90 percent of all websites and it continually scours the Web for new login forms, he said.

OMERS was also impressed that more than 1 million people signed up with PasswordBox in its first three months of availability. (The company uses a “freemium” model, with free service for up to 25 passwords and a $1-per-month subscription free for unlimited passwords.)

PasswordBox also illustrates the challenges that startups and their investors face in the identity security space. For example, the company must compete with the rise of biometric technologies, including the latest Apple iPhone, which comes preloaded with a fingerprint scanner.

Steel said he isn’t worried.

“Of course we knew the iPhone was coming out with thumbprint authentication before we made this investment,” he said. “The key to PasswordBox is the machine learning and the ability to manage the authentication of individuals across the thousands of websites they use.”

Even if passwords went away tomorrow, there would still be a need for a connection between the authentication technology and all the websites that require a login, Steel said. PasswordBox could morph into the platform used by various biometric vendors “to connect those dots.”

Another challenge facing a company like PasswordBox is the sheer number of solutions already inundating the market. One of those is Google’s ID ring, which offers to remember your passwords for different websites. It’s unclear how PasswordBox will ultimate overcome a free service offered by the most dominant player on the Internet.

Steel insists that Password box could become a billion-dollar standalone company. But, it could also be an acquisition target.

There have been a couple of large exits in the identity security space in the past year. Last July EMC reportedly paid more than $225 million for Aveksa, a developer of an identity and access management platform that had raised about $37 million from Charles River Ventures, FirstMark Capital, FTV Capital and Harmony Partners.

Three months later, Synaptics spent $255 million to buy Validity Sensors, a fingerprint sensor maker that had previously raised about $106 million from at least seven venture firms, including Crosslink Capital, Qualcomm Ventures and TeleSoft Partners.

And in February, Google paid an undisclosed amount to acquire less-than-1-year-old SlickLogin, a developer of a technology that uses uniquely generated sounds as a password alternative.

These recent acquisitions bode well for identity security investors.

Tom Stein is a Palo Alto, California-based contributor. He can be reached at tom.stein@yahoo.com.