End our reliance on passwords - Interview with Yaser Masoudnia and Bam Azizi from WiActs

Dear Readers,

Today we would like to share with you our fascinating talk with WiActs, a Sunnyvale-based startup that has developed an Identity Management and Single Sign-On solution for enterprises, built on a multi-factor authentication system. WiActs’ platform, called “id,” authenticates users using biometrics and other hidden features on users’ smartphones. WiActs “id” gives users the luxury of secure login on all their accounts without the need for passwords. In a world where weak password management is the main reason behind data breaches, substituting passwords with more secure authentication solutions takes cyber security to the next level. Moreover, the WiActs identity management system allows the IT admin to securely provision and deprovision users and control access to their accounts.

The company was founded by Yaser Masoudnia, PhD, CEO of WiActs, and Bam Azizi, CTO of WiActs. The company is well received among a wide range of companies, from small tech companies to large financial institutions and healthcare providers. We asked Yaser Masoudnia and Bam Azizi to tell us more about their solution.

[eForensics Magazine]: What gave you the idea to develop WiActs “id”?

[Yaser Masoudnia]: From our previous work experiences, both my co-founder, Bam, and I knew first-hand the headache of working with dozens of SaaS apps on a daily basis, each of them protected by a different set of credentials such as passwords and second factors. Keeping track of all these credentials was a big struggle for us as end-users. Additionally, every time that we wanted to reset our password, we needed to take extra steps and then ask the IT admin for further instructions. It would often take them up to a couple of weeks to do so because they were too busy dealing with a large number of users with several accounts and SaaS apps. That was one of the main reasons why we decided to address the authentication and identity management problem.

[eFM]: Who are your customers?

[YM]: Our customers are a wide range of companies, from small tech startups to large financial institutions. Until recently, only large enterprises had security concerns and would buy identity management, single sign-on, and second-factor authentication solutions, but this market is dramatically changing. Nowadays, we see a significant increase in the number of medium-sized companies and even small yet fast-growing companies who have convenience and productivity concerns in addition to security concerns. They are now becoming more interested in entering the market for identity management and single sign-on solutions. In terms of the industries, our customers come from different industries, such as insurance providers, healthcare providers, tech companies, entertainment companies, educational institutions, online vendors, banking and financial institutions.

[eFM]: What is the problem that your product solves for these companies?

[YM]: The biggest problem of using conventional credentials, such as passwords and second factors, is the inconvenience they create for the end-users and IT admins who manage their accounts. This causes a number of insecure practices that pose threats to the security of every company. In light of the latest news of cyber-attacks compromising second factors and hackers breaking into thousands of Gmail accounts, we are reminded that second factors are vulnerable to a number of threats including social engineering and phishing. At WiActs, we are here to solve this problem.

[eFM]: So do you believe that insecure practices and sloppy security management come primarily from inconvenience, not from lack of awareness?

[YM]: Both. In many cases, users don’t have enough information and are not trained. Even in companies that offer cybersecurity training, employees and IT admins think that attacks only happen to others, not us. We don’t have enough sensitive information for anyone to attack us. It is only when their information is compromised that they start looking for a solution to prevent future attacks. But it is in fact too late then and the damage is done.

[eFM]: How do you plan to solve this problem?

[Bam Azizi]: We offer the next generation of identity management solution that is comprised of strong hidden multi-factor authentication, well-designed single sign-on, and user provisioning. Our solution allows companies to secure their users’ access, employees’ access, and partners’ access to all of their accounts, on all of their devices, without conventional credentials such as passwords.

[eFM]: What do you mean by next generation of identity management?

[BA]: Our identity management solution is designed around strong multi-factor authentication that substitutes passwords and second factors. Basically, every time users try to get access to any of their accounts, on any of their devices, they simply enter their username into the log-in page, which we provide for their company. After clicking the log-in button, they receive a notification on their previously registered smart device directing them to our authentication app called “id”. Once they’re locally authenticated based on their biometrics, we extract several hidden features from their phones to authenticate them. Once the users get successfully authenticated, they will gain access to their launch pad, where they can access all their apps. They don’t need to enter another username or password.

[eFM]: How long does that process take?

[YM]: The login process with WiActs “id” takes as long as entering a long password. But remember, once the user is authenticated and gains access to their launchpad, all of their accounts and apps are simply just a click away, more convenient than entering a password. It doesn’t get any faster and easier than this.

[eFM]: Are passwords really that unreliable, or is it the people that use them?

[YM]: Both. First, no matter how safe and complicated your password is, it is still vulnerable to different types of attacks including social engineering and especially phishing. Over 75% of attacks happen based on stolen credentials. Secondly, users’ unsafe practices, such as setting up weak passwords, make companies’ accounts more vulnerable to attacks. Since we eliminate passwords and the role of users in setting and entering conventional credentials, “id” makes the authentication process immune to cyber-attacks.

[eFM]: Does “id”, when working with various applications, eliminate passwords altogether? Has the company’s Twitter account still got a password somewhere?

[BA]: With over 500 apps that are federation authentication enabled, passwords are completely eliminated. With accounts like Twitter that only support password-based authentication, we have a new approach for which we are in the process of filing a utility patent. Therefore, I can’t explain it further.

[eFM]: What makes your solution different from other identity management solutions?

[BA]: Let me put it this way: they are the painkillers, whereas our solution is a cure. What I mean is that they hide all passwords behind one master password. This means that if that one password is compromised, then all of the user’s accounts and passwords have been compromised as well. In our solution there are no passwords that can be obtained by intruders and hackers. Unlike WiActs, none of the existing single sign-on solutions are able to offer the low-friction, hidden multi-factor authentication that doesn’t add an extra step to authentication. They don’t offer geo-fencing or geo-location authentication that tremendously improve user experience and security.

Let’s keep in mind that in today’s market an IT admin of a company not only needs to purchase an identity management system and single sign-on solution but must further shop for a second-factor authentication that can be separately integrated with the system they already have in place. Not to mention, the integration process is not only labor-intensive and expensive; in most cases it also requires extensive training and coding experience. Our solution is designed to be the easiest solution to be implemented by IT departments. It doesn’t need the extensive training or coding. It doesn’t need a second factor to be added on top of it. The IT admin can assign apps and accounts to all of their users simply with a few clicks of a mouse.

At the same time, all that the users need to do is to download the WiActs “id” app on their smart phones and scan a QR code which is provided for them. Then, they will have easy, secure, and password-less access to all of their accounts. There is absolutely no learning curve to using “id.”

[eFM]: On your website you state that there is no reason to compromise between privacy and security, no need for sacrificing convenience. Don’t you think that this simplification occurs just on the surface, for both the end user and the IT admin, but at the same time makes security more obscure? Do you see a problem with security becoming “magical” and difficult to understand for users?

[YM]: No, right now people know about the threats of cyber-attacks and still risk their privacy and information for the sake of convenience. Using WiActs “id”, we take the responsibility of securing multiple accounts from users and admins and make the process easy for them. This doesn’t make it any less secure because we take care of the security in the background.

[eFM]: One of the ways to avoid compromising privacy in your platform is that the biometric data is not transferred out of the device used to log in - that of course means having the device handy is the only way to log in. Still, people lose their phones, smart devices get hacked. If a company uses “id” doesn’t it make all smartphones in that company an obvious target?

[YM]: Even if that is the case, it doesn’t compromise the security of “id”. All the information on the smartphones is encrypted and the key to encryption is not saved on the app. Therefore, if someone hacks into your phone, there is nothing they can get out of the “id” app. In the case of lost or stolen phones, we use our smartphones so much these days that we usually realize in a matter of minutes if our phone is not with us. As soon as the user contacts us with the news of a misplaced or stolen phone, we will disconnect their phone from our system.

[eFM]: What sort of accounts and apps are “id” compatible with?

[BA]: Right now, “id” is compatible with over 5,000 popular business SaaS and web apps. Within the next two months, it will be compatible with almost every app. I strongly believe that we have to end our reliance on passwords for our authentication solutions. I recommend to every small, medium, and large enterprise to consider WiActs as a free trial, and they will quickly realize that not only do the IT admins not want to go back to the previous solutions, but that their users are happier and more productive with the ease of using “id.”

[eFM]: What are the biggest challenges you see standing before your company? How about before the whole cybersecurity field?

[YM]: The biggest challenge is that companies and people don’t take the threat of cyber security seriously. They don’t think it can happen to them, only to others.

[eFM]: If you had to point out the single most important trend in cybersecurity right now, what would it be?

[BA]: Sharing too much information with third parties. As we work with various companies, a wide range of sensitive information is shared with them. When we share information, we lose control over that information and our privacy. Hackers increasingly target these third-party providers and consequently valuable information of many users is compromised. Examples of companies that suffered from these attacks are Target, Ashley Madison and even the IRS. It is important for companies to put a well-structured mechanism in place to protect the information of their employees, customers and business partners.

Another trend is bring-your-own-device (BYOD). A very limited number of companies have a guideline for using BYOD and this causes a security threat both from external attacks and internal mismanagement of devices. The reality is that employees will bring their devices including smartphones to work even if it is against the guideline. Therefore, the best solution is to use provisioning and deprovisioning to manage the use of personal devices for work purposes. In our case, we use employees’ smartphones to our advantage.

[eFM]: Do you have any advice or thoughts you would like to share with our readers?

[YM]: Take cyber security attacks seriously; it can happen to anyone. Don’t use easy-to-remember, simple passwords: absolutely no pet name, name of significant other, street address and similar things. Don’t use sticky notes and spreadsheets to remember passwords. Don’t overshare on social media. Don’t use similar passwords for all accounts.

WiActs webpage

Twitter @Wiacts

LinkedIn WiActs

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013