This Startup Thinks Your Password Sucks -- And It's Doing Something About It
The password had its time and place. But as cybercriminals continue to get more sophisticated, Marc Boroditsky says that time and place isn't here or now.
"If you look at the password, it's not even technology…it's a process that's left over from the horse and buggy era, and we're using it to protect our financial information, our health information, our online activities," he says, exasperated. "It was always inevitable that passwords would be replaced."
As president and COO of Authy, Boroditsky's mission is to do just that: create a more secure sign-in standard for the masses. Authy, which was founded by security pro Daniel Palacio in 2011, is a free app that generates a continuously changing code on your mobile device, which you then enter after your password in order to gain access to any site you want to keep secure.
Developers can add Authy's two-step authentication process to any website or mobile app simply by dropping a few lines of code into their system. Unlike main competitor Google, which provides free two-step authentication solutions to developers, Authy charges websites per authentication (Facebook, for example, is charged a fee every time someone uses Authy to sign into the social network).
The difference is in usability, according to Boroditsky. Google's system is complicated unless you know what you're doing; Authy is more plug and play. "There is no need to worry about how to register users, what happens when a user is authenticated…we take care of all of that. We've built a standalone service," he says, one that has been integrated into 5,700 apps to date.
The company's target customers are medium-sized businesses that lack the resources and technical staff to develop their own security systems; it's already signed on some pretty big names, including Coinbase, Twitch and Cloudflare.
For consumers, the process is easy: Simply download the Authy app onto your device of choice, and after typing your username and password into an Authy-integrated site such as Gmail, Facebook, Dropbox or Bank of America, Authy will send you a temporary code that you'll need to enter before gaining access.
In September, just after news broke of Apple's iCloud leak, in which hackers stole sensitive personal photos from a long list of celebrities and posted them online, Authy announced that it had raised $3 million in Series A funding from investors including Box CEO Aaron Levie, Match.com CEO Sam Yagan, Winklevoss Capital, and Salesforce.com.
The timing was darkly fortuitous.
While it's obvious to Boroditsky – along with, he says, everyone else "in the tech forward part of the market" -- that the password has been dead for years, he's finally beginning to see the rumblings of acknowledgment from the general public.
The iCloud leak helped on this front. (The steady stream of reported breaches taking place at popular chain stores across the country hasn't hurt, either). "That's how security works, unfortunately," Boroditsky says. "It's a flaw of human nature not to anticipate, only to react."
But consumers are learning from what they see played out in the headlines. Since the iCloud debacle, Boroditsky says his download volume increased by more than 100 percent. Currently, the company has more than 1 million users.
Boroditsky predicts that a two-step verification sign-in will be standard protocol in less than three years. For highly sensitive transactions – Bitcoin exchanges or major ecommerce payment systems – it already is the norm, and he forecasts that mainstream sites will gradually follow suit, first by adding an optional two-step model and then, as consumers adopt, making it a mandatory requirement. Of course, his hope is that Authy will be working behind the scenes throughout.
"Customers have said to me, 'I use two-factors anywhere I can,'" he says. "They recognize that a single string of letters and numbers is just not enough to protect what you do online anymore."