Are your bank passwords the same as your social media, email or retail passwords?
The answer is probably yes. Unfortunately, re-using passwords sets the stage for hackers to breach the companies you do business with.
Passwords are a type of “shared secret” — they work as a method of authentication because, ideally, only the password-holder and the enterprise know them.
When hackers get their hands on one application’s passwords, however, they can breach more applications by automating login requests using the usernames and passwords they already have. This is called credential stuffing, and it’s a big problem for enterprises — there were 50 billion credential stuffing attacks detected in the last year. There are even tools dedicated to the illegal practice, like SNIPR and Modlishka.
The shared secret system lends itself to this kind of cyber attack. In fact, 81 percent of breaches take advantage of shared secrets, according to George Avetisov, CEO of cybersecurity firm HYPR.
But users shouldn’t be blamed for re-using passwords, he said. Sticking with the same password is human nature, he added, and it’s up to enterprises to implement a system that works better.
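The login pattern described above, many accounts tried from one source with mostly failed results, can be spotted in authentication logs. The following Python sketch is an added example, not part of the original article and not HYPR's code; the event format, the function name `find_stuffing_sources` and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, username, success).
SAMPLE_EVENTS = (
    # One source trying 30 different accounts once each; two reused passwords work.
    [("203.0.113.7", f"user{i}", i in (4, 17)) for i in range(30)]
    # One source hammering a single account (password guessing, not stuffing).
    + [("198.51.100.9", "alice", False)] * 12
    # An ordinary user: one typo, then a successful login.
    + [("192.0.2.44", "bob", False), ("192.0.2.44", "bob", True)]
)


def find_stuffing_sources(events, min_accounts=20,
                          max_tries_per_account=2.0, min_fail_ratio=0.8):
    """Flag source IPs whose login pattern matches credential stuffing.

    Thresholds are illustrative assumptions, not recommended values.
    Returns {ip: {"accounts": n, "fail_ratio": r, "compromised": [users]}}.
    """
    attempts = defaultdict(list)
    for ip, user, ok in events:
        attempts[ip].append((user, ok))

    flagged = {}
    for ip, tries in attempts.items():
        users = {u for u, _ in tries}
        fail_ratio = sum(1 for _, ok in tries if not ok) / len(tries)
        tries_per_account = len(tries) / len(users)
        # Stuffing signature: wide spread of accounts, few tries each, mostly failures.
        if (len(users) >= min_accounts
                and tries_per_account <= max_tries_per_account
                and fail_ratio >= min_fail_ratio):
            flagged[ip] = {
                "accounts": len(users),
                "fail_ratio": round(fail_ratio, 2),
                # Successful logins from a flagged source: lock and reset these.
                "compromised": sorted(u for u, ok in tries if ok),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

Grouping by source IP alone misses attempts spread across many addresses, so a production rule would also group by other request attributes and watch the site-wide failure rate.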
HYPR announced today it raised $18.3 million in Series B funding to make companies safer by eliminating passwords and shared secrets.
HYPR helps its customers switch to public key cryptography systems to protect themselves from ever-more-common cyber attacks. In that type of system, the central organization or company has a public key (think of that as the lock on a door) and each user has an encrypted private key (think of that as the key that goes into the door).
Blockchain is one type of public key cryptography. So is the chip on your credit card. For a business like a bank, users could use their mobile devices as private keys.
Yes, mobile phones can get lost or stolen. But, like a lost credit card, users would simply place a hold on their private keys. Keeping track of a phone is a lot easier than keeping track of a plethora of passwords, so this system saves users the headache of recovering lost passwords and saves time for call center workers.
“People have been talking about this for years, so why hasn’t it happened? It’s because it’s not easy for customers to switch over,” Avetisov said. “Enterprises don’t necessarily have the resources, the budget or the people to do this.”
HYPR is designed to make the switch to passwordless authentication easy, according to Avetisov. It already lists large companies like Mastercard and T-Mobile among its customers, and that list is poised to grow. By 2022, 60 percent of large and global enterprises and 90 percent of midsize enterprises will use passwordless authentication more than half the time, Gartner predicted.
HYPR will use this new funding to build out its platform, focusing on customer experience at each step of the process.
“We want to make sure the customer experience is amazing from start to end, and everything that happens beyond deployment,” Avetisov said. “We are really expanding the customer success and engineering side of this company.”
To that end, HYPR plans to double its headcount to more than 100 in the next 12 to 18 months. New hires will get to work at the forefront of cyber innovation alongside a talented team, Avetisov added.
“You don’t need to be from [the cyber security space]. We have people here from user experience, product, DevOps, infrastructure. We have some of the best engineers on the planet,” he said. “And if you want to break into cyber, HYPR’s a great place to do that.”
While New York may not be the seat of the cybersecurity startup scene, Avetisov said he’s looking forward to seeing the industry gain prominence in the city he calls home.
“The founding team here, everybody’s first-generation immigrants in New York,” he said. “I think the New York culture has really permeated throughout the company. We focus on speed, we focus on making the customers happy. Really all the things you would expect from a New Yorker, they’re part of this company.”