Callsign – Artificial Intelligence for Authentication
If you sit and think about it for a moment, a made-up string of characters is the only thing keeping the world’s criminal population from commandeering all your assets. Every online account you have is secured by nothing but a string of characters that anyone can type in. To make matters even worse, you’re not supposed to use the same password for multiple online accounts. Of course, all these different passwords you’re supposed to memorize have to:
- Have more than 8 characters
- Use upper and lower case letters
- Use numbers and special characters
- Be reset every 90 days and not be used more than once
- Blah, blah, blah
There is no way you’re going to remember 10 passwords that meet each of the above criteria for the 15-20 websites you log into for various reasons. This means we’re all supposed to store a big list of passwords somewhere that we reference every time we log in to an online account. The truth is, very few people do that and we all end up using the same password for all our logins. This means that if one website you use gets hacked, the hacker can then try that ID and password combination on lots of other sites and then you’re fcuked. This makes us wonder, why have our technological aspirations jumped straight to “brain computer interfaces” without solving the basic problem of password authentication first?
There are a number of realistic ways to do this using biometrics. The Chinese seem to think it’s your face, and they’re making some good strides with technology like “smile to pay”. Other companies like BioCatch are using the way in which you touch your smartphone to determine if it’s actually you (pressure, motion, etc.). What both of these methods have in common is that they are practically seamless to interact with. It’s that seamless experience that makes our next company an easy sell.
Founded in 2011, London, England startup Callsign has taken in $35 million in disclosed funding, all of which came in the form of a Series A that was announced just a few days ago. The technology they are working on is called Intelligence Driven Authentication, or IDA, which is the notion of going beyond traditional “two factor authentication”. Allow us to explain.
Remember how we talked about hackers stealing your password and then using it on other websites? One way to mitigate this problem is through using “two factor authentication”. For example, when we log into Interactive Brokers to check how much income we’ve made from our dividend growth holdings, we have to enter a password and then we’re prompted on our smartphone to enter a 4-digit pin after which we can access our account. Even if a hacker knew our password, they wouldn’t be able to get past that “second authentication factor”. That’s a two-factor example, but you can have any number of factors as seen below:
As you can see above, two-factor is the mobile device example we gave you earlier. Multi-factor then incorporates additional layers of security, like biometrics. To the far right is IDA from Callsign, which is said to be the most comprehensive option. Callsign has developed deep learning algorithms that assess hundreds of data points to make sure that the person who is using the device is actually you. As we learned before in our article on BioCatch, there are “invisible challenges” that can be issued to the user that are “frictionless” which means you won’t even notice they are happening.
Let’s say you log into your bank account on your laptop. Now let’s just say for the sake of argument, a criminal steals your laptop from you and decides to transfer $500 out of your account (anything larger might raise red flags). Since your password is stored in your browser, the criminal can easily log in. Here’s what might happen next:
- As part of the transfer, the criminal has to enter the destination bank name. The algorithms notice that the way this bank name is typed does not resemble how you usually type. It becomes suspicious.
- The algorithm then makes the mouse cursor disappear. The criminal does that little wrist wiggle we all do which makes the cursor appear. The algorithm is even more suspicious now because that wiggle doesn’t match your wiggle. Remember this cool diagram from our article on BioCatch?
- The algorithm then throws up a date wheel for you to select the date of a transfer. It knows how you use this date wheel and the criminal uses it quite differently. The algorithm is practically convinced that it’s not you now.
- As a last step, the algorithm prompts you to type your full name. There is no way anyone can emulate the way you type your name. The criminal fails the last test and the algorithm kicks them out and locks the account.
In the case of Callsign, they say that just a simple screen swipe can authenticate the user. Other variables taken into account include the location from which the login attempt is being performed, the time of day, your internet provider and browser, and even the accelerometer in your smartphone which telegraphs the way you hold your phone. As we showed you in our previous example, once the algorithms become suspicious, they can then ask for hard data like your fingerprint, “smile at the camera”, voice signature, or even just the good old password during which they can see how you type it.
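To make the escalation described above concrete, here is an added sketch (our illustration, not code from Callsign or BioCatch) that scores a typing sample against an enrolled rhythm, adds contextual signals, and picks between allow, step-up and lock. The timing data, weights and thresholds are all constructed assumptions.

```python
from statistics import mean, stdev

# Constructed enrollment data: inter-key intervals (ms) recorded while the
# account owner typed the same field in past sessions. Not real measurements.
ENROLLED = [
    [112, 95, 140, 88, 120],
    [108, 99, 133, 92, 125],
    [115, 91, 138, 85, 118],
    [110, 97, 145, 90, 122],
]

# Hypothetical weights for the contextual signals the article lists.
WEIGHTS = {"new_location": 0.25, "unusual_hour": 0.15,
           "new_isp": 0.15, "new_browser": 0.10}


def typing_anomaly(sample, enrolled=ENROLLED, floor_ms=5.0):
    """Mean absolute z-score of a sample's intervals against the profile."""
    if len(sample) != len(enrolled[0]):
        return float("inf")  # different keystroke count: treat as a mismatch
    scores = []
    for i, value in enumerate(sample):
        column = [session[i] for session in enrolled]
        # Floor the spread so a very consistent typist is not flagged
        # for a few milliseconds of jitter.
        sigma = max(stdev(column), floor_ms)
        scores.append(abs(value - mean(column)) / sigma)
    return mean(scores)


def risk_score(sample, context):
    """Combine behaviour (at most 0.5) with contextual signals, capped at 1.0."""
    behaviour = min(typing_anomaly(sample) / 6.0, 1.0) * 0.5
    contextual = sum(w for name, w in WEIGHTS.items() if context.get(name))
    return round(min(behaviour + contextual, 1.0), 3)


def decide(score, step_up_at=0.3, lock_at=0.7):
    """allow = stay invisible, step_up = ask for a hard factor, lock = kick out."""
    if score >= lock_at:
        return "lock"
    if score >= step_up_at:
        return "step_up"
    return "allow"
```

Note that behaviour alone can only push a session as far as a step-up here; it takes unfamiliar context on top of unfamiliar typing to lock the account, which keeps a legitimate user with a sprained wrist from being locked out.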
According to an article by Reuters, Callsign’s technology is already being used by Lloyds Bank and Deutsche Bank with hundreds of thousands of users being authenticated across the globe. Callsign claims that they’re better than competitors like BioCatch because they’re using more variables and consequently, they have much higher levels of accuracy. Here’s an excerpt from a pretty decent article by TechCrunch which talks about the incredible levels of accuracy that Callsign claims:
For Callsign’s platform, he says the false rejection rate (i.e. where a user cannot be identified from a combination of implicit and explicit factors) is “less than 0.00005%”, while the false acceptance rate (i.e. where a fraudster is able to pass all implicit and explicit factors) is “less than 0.00002%”.
At some point, we should be able to do away with passwords entirely. Simply typing your name, then doing some small series of tasks, should be enough for an algorithm to determine if it’s you. Any new online account you open up could start out with the traditional password method and then over a period of time, train itself to recognize you. One can imagine a standard online exercise that can be used for this. The incentive for the user to spend 15 minutes going through the exercise is that their account will be more secure and they no longer have to memorize a password.
Callsign is far from being the only player in this space. In addition to BioCatch which we highlighted before, there’s also an Israeli company called Transmit Security which emerged out of stealth around the beginning of this year with $40 million in funding that the founders pitched in on the back of their successes building and selling other startups. They count several major Israeli banks as customers, and share the same goal as Callsign – to rid the world of traditional passwords:
One other key point mentioned above is this notion of an “omni-channel customer experience”. This means that all the methods you use to access an account (online, mobile, branch, customer service, etc.) should share the same authentication methods. Our foreign correspondent in Hong Kong said that just this week, fingerprint readers are appearing on ATMs. No doubt there are dozens of other startups playing in this space in addition to the three we’ve covered so far, and with the vast number of online accounts we all have, there is plenty of room here for more than one winner.