As first time founders, we’ve been heads down in product and development work and have unfortunately neglected our blog until now. It’s finally time for our first post!
We’ve learned a lot over the last year, from starting out with an authenticator app, to focusing on mobile SDKs, going through Y Combinator, and raising a seed round. We’ll do a separate blog post on our learnings, but we thought it would be helpful to first explain why we built Keyri, why we exist, and what we’re solving.
You’ve been hacked. Whether you know it or not, your passwords are sitting in massive lists on the dark web. You’ve probably had at least one frustrating experience where a bad actor used your credit card or stole something from you. But what are you supposed to do? It’s not your fault that you were hacked and you don’t have any real options to keep from getting hacked again.
So what are your options? You start with passwords – password-based authentication was first created in 1961 as a stopgap solution for controlling access to mainframe resources. That’s 60 years ago. In 60 years, the biggest innovation in desktop authentication has been password + some type of second factor (i.e., text one-time passcode, authenticator code, email link, etc.). That’s… ridiculous. Pick virtually anything else we did in 1961 and look at what we’re doing now. I’m willing to bet there’s been more innovation than consumer-facing authentication.
Anyway, we’ve established that your passwords are sitting on the dark web, and that’s without thinking about other ways that bad actors get into your account. In response to these issues, companies started implementing 2-factor authentication methods (2FA) like the ones I mentioned above. The problem is, most of these methods don’t add much additional protection, and those that do are too cumbersome for you to realistically adopt. Now we’re starting to get to why we built Keyri.
Let’s start with solutions that don’t add much protection but are easy enough to navigate. I like to think of these as additional fences. What do you do if someone jumps over your 3-foot fence and breaks into your home? You don’t build a 4-foot fence directly behind it and hope the next burglar won’t make it over both fences. Instead, you’d build a single, impenetrable 10-foot fence to replace the shorter one that didn’t work. That’s the problem with solutions like text and email one-time passcodes, email magic links, push notifications, and authenticator app codes. They all act as additional fences that might slow down some burglars from jumping over them, but they’re not the 10-foot impenetrable ones we need.
In this analogy, the most common burglar that can get over these fences is phishing. Phishing is when a bad actor convinces you they’re from some reputable company sends emails purporting to be from actual companies in order to induce you into revealing your personal information, like passwords and even the one-time passcodes (OTPs) we see all over the internet these days. Phishing attacks range from the common African prince that wants to send you money if you send him money first, to emails or texts from bad actors that send you to websites that look exactly like the one you’re trying to log in to but are actually controlled by the bad actors. These malicious sites intercept all the login credentials bad actors need to log in to your account on the real website you were trying to log in to. Regardless of what sort of OTP solution companies have put in place (text/email/app), they can be intercepted trivially (more on this to come from Zain in future posts, including a quick how-to guide on phishing). In short, these solutions aren’t really solutions.
So what about solutions that fix this phishing problem? Well, since they fix the security problem, of course they’re incredibly cumbersome. The best example of this is hardware security keys. You may or may not have ever used a hardware security key. The most common one is a Yubikey, which is a USB hardware key that plugs into your computer to authenticate that you are who you say you are. Can you imagine keeping a USB security key with you at all times? How about keeping multiple copies of those USB keys all around your house and manually syncing every one whenever you sign up for a new online account? Very few people will put up with this sort of experience. I work in security and I don’t even want to.
That’s why we’re here. We’re tired of getting hacked. We’re tired of struggling to log in to accounts we own. We’re disappointed by the lack of real innovation in authentication.
And so, we’ve built a solution that effectively turns your phone into a hardware security key – you know, that thing that you have in your hand, in your pocket, or on your desk at all hours of the day.
We know that sounds appealing, and we’re working with companies to go live on their login pages. As a consumer it’s as simple as scanning a QR code on the company’s login page with your camera app, passing FaceID / TouchID verification (or the Android equivalent) and you’re logged in on your computer’s browser. That’s it – no typing out usernames, no remembering passwords, no extra steps, no software to download. Of course, this is just the tip of the iceberg – below it there are many layers of security intrinsic to the process, but I’ll ask you to trust me on that point for now or visit our website for more detail. I’ll let Zain cover that in a future, tech-focused post. For you, as the consumer, just scan a QR code and you’re in, no worries about phishing, the dark web, or getting hacked. All you need is your phone.
Have any questions or suggestions? Feel free to email me at firstname.lastname@example.org or visit our website at keyri.com. I look forward to changing authentication with you so getting hacked becomes a thing of the past!