Passwords and usernames, says Brian Spector, CEO of CertiVox, are “the Achilles heel of the Internet”.
He points to the recent LinkedIn password breach, in which 6.5 million password-username pairs were stolen from the business networking site in June 2012.
The fact that many people reuse their passwords mean that the scope of this security breach may still be unfolding today.
CertiVox hopes to replace passwords and usernames with PIN codes, such as those used for cash machines. The company specialises in what is known as ‘elliptical curve cryptography’, a kind of encryption Spector says is harder to break but, crucially, less compute-intensive than conventional techniques. This means it can be used on mobile devices and in browsers.
The company’s SkyPIN technology offers browser-based two-factor authentication. A security token, similar to an RSA certificate, is stored in the browser’s local memory. If the user wants to access a website that supports SkyPIN, it authenticates the token and asks them to enter their PIN.
Spector says this is fundamentally more secure than usernames and passwords, as there is no central database on the site operator’s side that could be compromised.
“Let’s say a hacker was somehow able to extract the mathematical token out of your browser’s storage,” he explains. “Without knowing what the four-digit PIN is, the token is meaningless.”
CertiVox also offers SkyKey, a method of securely transferring cryptographic keys, and is preparing to launch PrivateSky, a hosted version of both services for companies that do not want to host the functionality themselves.
Spector is a US native who moved to the UK while working for Cambridge-based hardware encryption specialist nCipher, which was acquired in 2008. “That was my first introduction to the wealth of cryptographic talent here in the UK, which is one reason why we set up over here.”
CertiVox started life as a ‘virtual company’, but after receiving some funding in 2009 it decided to find an office. Spector chose Rivington Street in Shoreditch, in part due to the area’s reputation for creativity and design.
“I always wanted us to be a different kind of encryption company,” he says. “I worked for RSA for several years, and I always had in my mind that CertiVox would be the web 2.0 version of RSA.”
That means focusing on the end-user experience, he says. “In general, the user experience for software products is astonishingly bad. PrivateSky is a consumer- facing product, and we wanted to make it the easiest solution to use –something that my mum can operate.
“We wouldn’t have got the right kinds of developers if we’d set up in Reading. Those people are in Shoreditch.”
Spector says that he is seeing more enterprise-focused technology companies move into the region. “There are a ton of enterprise start-ups around now: a lot more than there were two years ago.”
He says while the Tech City dream might be to produce the next consumer web success story, there is a growing realisation that there is real money to be made selling to businesses. “Not everybody can be the next Pinterest or Instagram; that’s a lottery shot,” he says. “But selling to SMEs and large enterprises, if you can get over the hump, is actually a decent way to make a living.”
There is one disadvantage to the Tech City hype, however, Spector says: “Our rent has gone up by 40% over the past couple of years.”