SecureAuth on Wednesday said the U.S. Patent and Trademark Office granted the company seven patents that will help it offer passwordless and continuous authentication to users with an eye towards delivering authentication with much less friction.
Paul Trulove, chief executive officer at SecureAuth, said the patents are the foundation for the next generation of authentication that does not rely on passwords and binary 2FA/MFA (including biometric), transforming to a data science approach that treats authentication "as a continuum" by ingesting both human and non-human digital behavioral models.
“The industry has been focused primarily on traditional ways of authentication with passwords, and antiquated ways of verifying identities to more efficiently and securely let users in,” Trulove explained. “These patents enable stronger security to protect against identity, privilege, and policy configuration and related attacks — which are around 90% of all cyberattacks. The patents really strengthen the security posture around identity, streamlines processes and reduces user friction throughout the user’s digital journey.”
Jack Poller, a senior analyst at Tech Target’s Enterprise Strategy Group, described passwordless as just the start of reducing identity-related risk. Poller said organizations can also continuously authenticate the user, ensuring that a malicious actor doesn’t get access to the identity after the user has authenticated at the beginning of a session. Poller pointed out that asking the user to re-authenticate frequently can be very frustrating and the added friction impedes productivity and user satisfaction: so organizations (and identity security vendors) have to balance security with user experience.
Poller said that some of the patents issued to SecureAuth cover different forms of biometrics and the ability to continuously authenticate the user without introducing excess friction. Other patents cover the ability to verify identity information with a third-party, such as the DMV, other government ID agencies, credit reporting agencies, and others providing identity services. Poller said these types of identity verification services are useful for customer identification, particularly for retail and banking, enabling the organization to comply with “know your customer” (KYC) laws. It also helps retail organizations offer a form of dynamic authorization levels.
“For example, a retail website might allow anyone to register and purchase goods or services up to a certain value,” Poller explained. "A user who wants to go above the limit would have to provide additional information, such as driver’s license, to enable the retail vendor to perform an instantaneous ID verification and credit check. In fact, one of SecureAuth’s patents covers policy orchestration of authentication and authorization for just such a use case. Overall, the patents provide a roadmap for the identity industry as we move from passwords and MFA to continuous passwordless authentication, dynamic authorization, and decentralized IDs.”