Trusona’s system involves an app, a dongle, the post office, and the subject of 'Catch Me If You Can'
Startup Trusona is launching what it claims to be a 100 percent
accurate authentication scheme aimed at corporate executives, premier
banking customers and IT admins who have unfettered authorization to
access the most valued corporate assets.
The system uses four-factor authentication to assure that the
person logging in is the person they say they are. It requires a dongle
that is tied to a set of specific devices (phones, tablets, laptops),
certain cards with magnetic stripes that the user already owns, and a
biometric ID based on how the card is swiped through the card reader on
the dongle.
The TruToken dongle is a miniaturized version of anti-ATM-card cloning
technology made by MagTek that reads not the digital data recorded on
cards' magnetic stripes but rather the arrangement of the barium ferrite
particles that make the stripes magnetic. The particles
are so numerous and so randomly placed that no two stripes have identical
patterns, says Ori Eisen, Trusona's CEO. That also makes the stripes
unclonable, he says.
The way the card is pulled through the card reader on the TruToken is
also a unique identifier, Eisen says. People pull them through at
different speeds, at different angles and from different directions in a
manner that is readable and unique, he says.
If all these factors
check out, authentication is confirmed to the server the user is trying
to log into. All data is encrypted before it leaves the dongle.
The system includes a method to make sure the person associated with the
TruToken and the cards is the actual person and not someone who has
stolen someone else's phone and credit card before purchasing the app
and dongle. After the customer registers and purchases the device online, it is
delivered to the customer's home via the U.S. Postal Service, and the
mail carrier checks the buyer's passport before turning over the device
to make sure the person receiving it is the person who bought it. Eisen
says he's still working out the deal with the post office.
Alternatively,
if a corporation wants to set up accounts for multiple staffers, they
can issue the devices to their people in person after confirming their
identity in whatever way they see fit.
While
the barium ferrite and card-swipe readings can help identify the user,
they can also prevent attackers from capturing the data from one session
and replaying it for a later one, Eisen says. They register a high
percentage of matching factors in order to confirm the user, but they
are never exactly the same, so if identical attempts occur, that
indicates a compromise.
For example, with the card swipe, a 60
percent match is enough to confirm the card is authentic. In a
demonstration of the technology, the first swipe registered 83 percent
and a second swipe of the same card registered 79 percent. A swipe of
two legitimate Arizona driver's licenses issued to Eisen registered only
a 4 percent match.
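
The acceptance rule described above, as an added sketch that is not Trusona's or MagTek's code: a reading passes at the article's 60 percent threshold, but a bit-for-bit repeat of any earlier reading is treated as a replay. The bit-string readings, the `match_score` metric and all names here are assumptions for illustration.

```python
import hashlib

MATCH_THRESHOLD = 0.60  # the article's figure: a 60 percent match confirms the card

def match_score(a: bytes, b: bytes) -> float:
    """Assumed metric: 1.0 for identical readings, about 0.0 for unrelated ones."""
    if len(a) != len(b):
        raise ValueError("readings must have the same length")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return max(0.0, 1.0 - 2.0 * differing / (8 * len(a)))

def flip_bits(reading: bytes, positions) -> bytes:
    """Simulate measurement noise by flipping the given bit positions."""
    out = bytearray(reading)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)

class SwipeVerifier:
    def __init__(self, enrolled: bytes):
        self.enrolled = enrolled
        # Digests of every reading presented so far, enrollment included.
        self.seen = {hashlib.sha256(enrolled).digest()}

    def verify(self, reading: bytes) -> str:
        digest = hashlib.sha256(reading).digest()
        if digest in self.seen:
            return "replay"  # a genuine swipe never repeats exactly
        self.seen.add(digest)
        if match_score(self.enrolled, reading) >= MATCH_THRESHOLD:
            return "accept"
        return "reject"

# Constructed sample data, not real magnetic-stripe measurements.
CARD_A = hashlib.sha512(b"constructed card A").digest()  # 512-bit enrolled reading
CARD_B = hashlib.sha512(b"constructed card B").digest()  # an unrelated card
SWIPE_1 = flip_bits(CARD_A, range(0, 512, 10))           # noisy re-read of card A
SWIPE_2 = flip_bits(CARD_A, range(3, 512, 12))           # same card, different noise

if __name__ == "__main__":
    v = SwipeVerifier(CARD_A)
    for name, r in [("swipe 1", SWIPE_1), ("swipe 2", SWIPE_2),
                    ("captured swipe 1 replayed", SWIPE_1), ("other card", CARD_B)]:
        print(f"{name}: {v.verify(r)} (score {match_score(CARD_A, r):.2f})")
```

The replay check runs before the threshold check, so a captured reading that would otherwise score well is still refused.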
The system includes a means to derail attempts to physically
force a legitimate user to log in, say at gunpoint. Users can register
so-called duress cards with the service that, if run through the
scanner, signal that the user is being forced to authenticate against
their will. The attempt is shut down.
In addition to the $99 cost
of the dongle, Trusona charges $1 per transaction. Each customer can
have three devices, three tokens and three magnetic cards registered to
their account. Eisen says the product is aimed at users whose
authorizations carry a lot of weight, such as bank customers who are
capable of moving thousands or millions of dollars or corporate
executives with access to critical data.
Founded in 2015, Trusona
is the second company founded by Eisen, who used to run fraud detection
for American Express, in collaboration with Frank Abagnale, the former
con man and subject of the movie "Catch Me If You Can," who is now a
consultant to the FBI on fraud and identity theft cases. The
earlier company, 41st Parameter, which dealt with fraud prevention, was bought by Experian.
The
two men worked together to hone the Trusona architecture. Eisen would
work out what he thought was a feasible solution, and Abagnale would
poke holes in it. Eisen would fix them and Abagnale would try again
until they came up with the system.
They say they are motivated by
helping to stop the crime typically funded by thefts related to
identity compromises such as drug dealing, human trafficking and child
pornography. "We want to leave a better network to the next generation
than the one we got," Eisen says.
Trusona is based in Scottsdale, Ariz., and has received an $8 million investment from Kleiner Perkins Caufield & Byers.
This story, "Startup touts four-factor authentication for VIP-level access" was originally published by
Network World.
Source: InfoWorlds