
The best bets to protect you from lazy passwords

Paula Vasan, special to CNBC.com

The $700 million NextGen passwords


The password is on its way to obsolescence.

Amazon recently filed a patent application for a payment system called Selfie Pay, which would let shoppers pay for an item with a selfie photo instead of a password. But the tech giants aren't the only ones working to end the era of the simple password. A number of start-ups are pioneering technologies to supplant existing password security.

"It's always been an arms race," said Steve Manzuik, director of security research at start-up Duo Security.

In fact, the first quarter of 2016 was one of the three biggest quarters in the past six years for venture capital funding to password security firms, with more than $123.5 million raised across eight deals. In 2014 and 2015 combined, nearly $700 million was invested in next-generation password start-ups.

Here are some of the leading ideas in the battle to make sure you never have to worry about — or try to remember — your password again.

Posted 6 April 2016

Duo Security


In a Wakefield Research survey, cybersecurity experts predicted that the traditional password will not exist a decade from now. And that's a good thing: according to SplashData, the top two password choices over the past five years were "123456" and "password."

"When most companies get hacked, it's not because of some complex bug. It's typically because a password gets stolen," Manzuik said, explaining Facebook and Etsy's decision to use Duo Security.

"I don't think the password will be obsolete," he said. "The key is closing the gap on the mistakes we all make with our passwords that basically invite hackers."

Multifactor authentication is the approach of many start-ups, including Duo Security. Duo adds a second factor on top of the traditional password: a short-lived one-time code generated by an app or hardware token (a new code roughly every minute), a code sent by text message, or a push notification the user approves on the phone. Of these, texted codes are the weakest, because they rest on the phone network rather than on a secret held by the device. For other start-ups, the extra factor could be a biometric, like a fingerprint.

Duo Security is free for individuals and up to 10 users. Other plans start at $1 per user/month.

The start-up has raised $50 million from investors, including Benchmark Capital, according to PitchBook, and has more than 1 million users worldwide.

Everykey


Everykey is also aiming to prevent people from having a single, static password. And it has one notable backer: tech industry renegade John McAfee. McAfee, chief evangelist for Everykey, had this to say last December: "This is a f***ing game changer."

Daniel Thomas, communications officer at Everykey, said today's password is "usually the name of your dog and 1, 2, 3. We just want to be something you don't have to worry about."

Everykey makes a $128 thumbnail-size gadget that sits in your pocket and connects wirelessly, over Bluetooth, to your phone, laptop and digital door locks. Its pitch is a single device for everything you log in to: your phone, laptop, tablet and PC, your website logins and, potentially, your car or the front door of your house.

While $128 might seem steep, the cost of bad passwords can be far higher for individuals and companies. Cybercrime costs the average U.S. firm $15 million a year, according to the October 2015 Cost of Cyber Crime study by the Ponemon Institute, sponsored by Hewlett-Packard.

Cleveland-based Everykey raised nearly $149,000 through an Indiegogo campaign and $640,000 in seed capital from Great Lakes Innovation and Development Enterprise, an investor that backs Ohio start-ups.

Yubico


"We want devices to do all the thinking," said Jerrod Chong, head of engineering at Yubico, a Palo Alto, California-based company that makes the YubiKey, another gadget that generates a new passcode every time you touch it. (Like Duo Security, it has been used by Facebook.)

The YubiKey is a multifactor approach like Duo's, but the second factor is a hardware token that costs $40 to $50 rather than the phone app Duo users install. Yubico spokesperson Ronnie Manning said hardware devices are a secure option because you take them with you and they're not always connected to the Internet. It also differs from Everykey in that users plug the device into a USB port (or tap it against a phone) to use it.

If a password or PIN gets stolen or compromised, the account is still protected because the second factor is required: the user taps a button on the device, or taps it against a smartphone, and the key responds using cryptographic keys stored on the device itself.

A single YubiKey can be used for both personal and business accounts, Manning said. "I use a single YubiKey for my work Gmail, Dropbox, GitHub, WordPress and also for my personal Gmail, Dropbox, Dashlane accounts."

Funding data was not available, but Yubico has some notable backers: Ram Shriram (a Google founding board member and a former executive at Amazon.com) joined as investor and board member; Marc Benioff (CEO and founder of Salesforce.com); and David Cheriton (professor at Stanford and an early investor in Google).

Nymi


Many technology experts predict biometrics will be the future of authentication. They are already seeping into daily life: Apple's iPhone and iPad let users unlock with a fingerprint through Touch ID.

Toronto start-up Nymi authenticates the wearer by the electrical pattern of their heartbeat, captured by its $149 wearable band, currently in beta. Confirm your identity once, and the band then vouches for you through the day.

One caveat: Biometric readings such as fingerprints and heartbeat patterns vary from sample to sample, so a matcher has to tolerate some variance, and that tolerance is what an attacker with a forged sample tries to exploit. Jon Miller, a former hacker who now serves as vice president at antivirus software maker Cylance, said, "The human body isn't the perfect authenticator, but when combined with other factors of authentication, it becomes exponentially more complicated to fake."

This is why Nymi requires two factors: A person trying to access an account has to present the right heartbeat pattern and possess a particular band. Karl Martin, founder and CTO of Nymi, said, "Our approach is to combine hard-to-spoof biometrics with impossible-to-copy hardware tokens, as well as wireless communication for highly convenient and secure identity authentication."

Nymi has raised $15 million from investors, including MasterCard and Salesforce Ventures, according to PitchBook.

KeyLemon


It's a nascent technology, but with webcams now a standard on computers and phones, facial recognition is becoming more feasible. We already use it to tag friends in photos on Facebook. Many local police use the FBI's facial recognition software to identify criminals. And Google uses it to help users find photos and videos of themselves.

This technology is catching on in mobile banking, according to Gilles Florey, the CEO of KeyLemon, a Switzerland-based biometric tech company. He predicts using facial recognition to access our finances online will be a standard option among most banks within the next year or two and then across other industries.

KeyLemon's main product, Oasis, is software that lets corporations add facial recognition to mobile apps quickly.

KeyLemon, founded in 2008, has raised $1.5 million from European-based investors, including Swisscom Ventures and the investing arm of Swiss biotech company Debiopharm. Its clients are mostly banks (in the Netherlands and Turkey), but the company wouldn't be more specific. It claims to have 3 million individual users of its facial recognition software, costing companies "around a few dollars per user per year," depending on the market, volume and field of application.

The many faces of facial recognition


Amazon contends in its "Selfie Pay" patent application that facial recognition is more secure than a password or PIN. And KeyLemon is far from the only company trying to break through in this niche.

Windows 10, released in July 2015, ships with facial recognition built in: with the Windows Hello feature and a compatible device, you can sign in by face. It uses special infrared cameras, rather than the plain webcam image, to scan the face and then signs you into the machine, running an operating system Microsoft estimates will have 1 billion active users in about three years.

Over the past year, facial recognition has been built into Dell notebooks, mainly for corporate use (80 percent of usage). Dell spokesman Matt Davis said it's more prevalent on corporate laptops because people need to log in multiple times a day.

Google Nexus Android devices have some built-in facial recognition security features, too.

Socure, a New York City-based start-up that is beta-testing a facial biometrics tool, said it's used mainly among financial institutions, like remittance companies, when authenticating risky transactions — for example, if a customer transfers an unusually large sum of money to a first-time contact outside of their usual network. Socure thinks there is strong potential for this approach among sharing-economy companies.

Cylance

Stuart McClure, CEO of Cylance

Artificial intelligence company Cylance already works with governments and Fortune 500 companies on cybersecurity, and it thinks machine learning will soon let a computer recognize you by how you interact with it, an approach known as behavioral biometrics. The data points, of which there are millions, include how fast you type and how long you hold down particular keys.

Cylance CEO Stuart McClure (pictured here) said its current work as a cybersecurity firm should lead to password breakthroughs within two years. "We look at over 15 million features or characteristics of a file in our work right now as a cybersecurity company," McClure said. "We can tell if a possible attack on security is going to be malicious or not. We want to apply the same logic on the password. Like the temperature of your finger. Or your more frequent placement on glass. There are hundreds of thousands if not millions of qualities that can be extracted," he said.

"There's nothing on the market right now that totally replaces it. ... We want to eliminate the password from the face of the Earth for anyone who has a computer," McClure said.

While still in its infant stages, McClure estimated pricing for the password-replacement tech could be $50 to $100 a person.

Cylance has raised $77 million, according to PitchBook, and its investor list includes many big-name corporations, Silicon Valley and Wall Street firms: Capital One Ventures, Dell Ventures, Draper Fisher Jurvetson, Khosla Ventures, Blackstone Group and Kohlberg Kravis Roberts.

LastPass


Lastly, LastPass.

Modern browsers like Google Chrome and Apple Safari offer to remember and store your passwords. Still, start-up LastPass, while less futuristic than some of the ideas in this niche, is a software password manager that thinks it can succeed as a stand-alone product. The user remembers a single master password, which unlocks an encrypted store LastPass calls the vault; the vault holds the unique passwords LastPass generates for each of the user's sites.

LastPass noted in a blog post that "while using your browsers to locally store passwords may be convenient, it is very insecure, leaving you and your passwords vulnerable if you were to be hacked."

The start-up also has a newer, free two-factor authentication app, dubbed LastPass Authenticator, for users already subscribed to the LastPass password manager.

LastPass was itself the victim of a hack in June 2015. In a blog response, LastPass said the service is designed so that it never holds a user's master password, and that it found no evidence encrypted user data was taken. Users did not need to change the site passwords stored in their LastPass vault.
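The design that lets a password manager say "we never have your master password", and what a thief of its server database can and cannot do with the stolen records, as an added example that is not LastPass's own code. The vault layout above and the breach response here are the two passages it illustrates. The iteration counts, the use of the e-mail address as salt, the split of one derived key into a vault key and a login key, and the HMAC-in-counter-mode keystream used in place of AES-GCM (so the example runs on the standard library alone) are all assumptions for illustration, not LastPass's real parameters.

```python
"""Added example (not LastPass's code): a zero-knowledge password-vault layout.

Client side: master password -> PBKDF2 -> vault key (never leaves the device)
                                       -> login key (one-way function of the vault key)
Server side: stores only a salted, stretched hash of the login key, plus the
encrypted vault blob it cannot open.
"""
import hashlib
import hmac
import json
import secrets

# Assumed parameters for illustration only.
CLIENT_ITERATIONS = 100_000   # stretching done on the user's device
SERVER_ITERATIONS = 10_000    # extra stretching the server applies before storing


def derive_keys(master_password: str, email: str):
    """Client side. Returns (vault_key, login_key)."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    email.lower().encode("utf-8"), CLIENT_ITERATIONS, 32)
    # The login key is what gets sent to the server; it reveals nothing about vault_key.
    login_key = hmac.new(vault_key, b"login-key", hashlib.sha256).digest()
    return vault_key, login_key


def server_enroll(login_key: bytes) -> dict:
    """Server side: keep a salted, stretched hash of the login key, never the key itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", login_key, salt, SERVER_ITERATIONS, 32)
    return {"salt": salt, "hash": digest}


def server_login(record: dict, login_key: bytes) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", login_key, record["salt"], SERVER_ITERATIONS, 32)
    return hmac.compare_digest(digest, record["hash"])


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in PRF keystream so this runs without
    third-party packages. Use AES-GCM (e.g. the `cryptography` package) in practice."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC with sub-keys split from the vault key: nonce || ciphertext || tag."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    """Verify the tag before touching the ciphertext; wrong key or tampering raises."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault blob was tampered with or the key is wrong")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def offline_guess(record: dict, email: str, candidates):
    """What a thief of the server database can do: test master-password guesses
    against the stored hash offline, with no rate limit. A weak master password
    falls to this, and from it the vault key follows; a strong one does not.
    This is why a breach of login hashes calls for a master-password change even
    though the encrypted vault itself stays sealed."""
    for guess in candidates:
        _, login_key = derive_keys(guess, email)
        if server_login(record, login_key):
            return guess
    return None
```

The point of the split is visible in `offline_guess`: the stolen record lets an attacker confirm guesses at the master password, but never yields the vault key directly, and the vault blob is useless without it. The stretching on both sides is what makes each guess expensive.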

LastPass costs $12 a year for individuals. Companies usually opt into the enterprise version for $24 a year per user.

In October 2015, LogMeIn, a cloud connectivity company, acquired LastPass for $110 million, according to published reports. LastPass, founded in 2008, has more than 8 million users and more than 600,000 customers, including Hootsuite, GoodData and MailChimp.


Top 10 deals in the password security space


Here are the top 10 most-funded start-ups in the password security space, according to PitchBook:

1. Okta (San Francisco): $232 million

2. Pindrop Security (Atlanta): $122.5 million

3. Validity Sensors (San Jose, California): $120 million

4. Digital Signal (Chantilly, Virginia): $118.5 million

5. Centrify (Santa Clara, California): $94 million

6. ThreatMetrix (San Jose, California): $68.5 million

7. Marble Security (Menlo Park, California): $58 million

8. WSO2 (Mountain View, California): $58 million

9. ForgeRock (San Francisco): $52 million

10. Duo Security (Ann Arbor, Michigan): $50 million