Hardware Authentication. A Year in Retrospective

Key achievements and challenges in authentication hardware in 2016 and challenges of the coming 2017

Government-sponsored hacking reached absolutely new heights this year, overshadowing even major corporate hacks. Therefore, the public and experts started looking for solutions. This led to increased media attention to emerging forms of reliable end user authentication, including hardware-based wearable solutions. Then investors and corporate roadmaps also reacted, directing their attention to the hardware authentication market.

Stories and Achievements

While 2016 was tough for cybersecurity, it was a renaissance for endpoint authentication. We put together the key hardware authentication events of 2016 and added industry forecasts for 2017, providing our part of the story.

Industry in 2016: Hacks and Pilots

Governments continue to be the most active customers in the field. A good example from 2016 is Yubico getting a $2.27 million White House National Strategy for Trusted Identities in Cyberspace grant for developing its hardware authentication pilot.

San Bernardino iPhone Case

FBI–Apple encryption dispute became one of the major legal battles surrounding encryption. Image copyright by Sickchirpse

The San Bernardino case and the FBI’s request for modified firmware from Apple was the first sign that this would be an interesting year for the encryption business. Nevertheless, the most interesting part of the story is not the legal and PR battle between Apple & friends v. the FBI. What stands out is that in the very end the US government hired an independent overseas contractor to bypass the encryption of a major global vendor of smartphones. And they insist on keeping the details of this transaction private.

DNC Hack

2016 Democratic National Committee email leak by WikiLeaks. Hackers allegedly affiliated with the Russian government provide one of the biggest unsolicited information disclosures in history. Image copyright by WikiLeaks

While hardware authentication does not prevent spear phishing and other forms of social engineering attacks, like the one which the Russian authorities used to penetrate the Democratic National Committee computer systems, it substantially limits the damage in case customer credentials get compromised. Interestingly, because it occurred during the elections the DNC hack got major media coverage, becoming a mainstream story. We can’t say this of the OPM data breach of 2015, which had graver consequences for the US government and the local market.

Yahoo Account Key

Around July 2016, account names and passwords for about 200 million Yahoo! accounts were presented for sale on the darknet market site TheRealDeal.

In summer, Yahoo Mail was the butt of jokes and accusations of ‘burning your fingers twice’. What the critics missed was the fact that Yahoo! actually became one of the first major online email services to implement a passwordless authentication mechanism. Despite being in a ‘forced to innovate’ situation, this bold step is worth credit.

We hope other major corporations will not wait until their systems are hacked to implement changes. A point worth improving in the new Yahoo! architecture is 2FA, which the system currently does not allow. This can be done using a hardware authentication key like ours.

FitBit Acquires Pebble

Eric Migicovsky, Pebble’s CEO and wearables hero, sold his company to FitBit under pressure from investors.

Eric is our long time inspiration. The bad news about Pebble is that a great product and, more importantly, its great ecosystem is now gone, setting a bad precedent. The good news is: we have a talented entrepreneur kicked out of his company and looking for his next big thing. Don’t we all know where this might lead?

Google’s FIDO Security Keys Pilot

Google added a hardware authentication option for Gmail back in 2014. Apparently, now the search giant is championing hardware authentication outside its online email service. The image of the key on the Google Accounts page is quite suggestive of their current major partner in the field of hardware authentication.

Google conducted an authentication experiment by distributing FIDO-based Security Keys to more than 50,000 of its employees. In December 2017 FIDO published a case study and a paper, explaining the data gathered and the practical outcomes. The study is an important milestone in development and advocacy of hardware keys as a secure and reliable authentication instrument.

Hideez Tech in 2016: Scaling Up

General market growth helped us to grow as well. 2016 was a year of new hires in engineering and marketing, a successful first round of seed financing and the product launch of Hideez Key in Ukraine and Germany. We are ending this year with our next device in mind and are delighted to have an opportunity to present it to the world at the Consumer Electronics Show in Las Vegas.

Vernadsky Challenge

The Vernadsky Challenge competition for hardware startups was instituted by Max Polyakov of Noosphere Ventures and Dmitry Sholomko of Google Ukraine.

Achieving the Silver and Audience Choice Awards at the Vernadsky Challenge engineering startups competition in April 2016 gave our team confidence and the support that was so necessary after almost two years of non-stop R&D that was run on our bootstrap budget. The $30 thousand prize also let us launch marketing activities (including this website and blog).

HID Mode

Compatibility and UX are the two gatekeepers in hardware authentication, especially when it comes to wireless. We intend for the Hideez ecosystem to work on any platform. However, creating a client application for each and every operating system and hardware set is tough. Making sure they all interact in the right manner takes a lot of coding hours and testing. We started playing with Human Interface Device mode for Bluetooth back in September 2016. Now we are testing the firmware upgrade, which will be available in January 2017.

HID is also great news for Apple customers, as this protocol is supported by any iPad and iPhone starting with the 3GS. HID mode enables very simple but reliable automated password input via an encrypted Bluetooth channel. Thus, in combination with a Bluetooth 4.0 dongle, it is also a great solution for legacy devices (like systems still running Windows XP) and industrial systems.

Seed Round Finalized

In June 2016 we started negotiations with two separate groups of investors willing to invest in Hideez Technology. In December 2017 these negotiations resulted in a successful seed round. The seed money enables us to continue developing our ecosystem and start building channels to distribute Hideez Key in Europe and America and to continue building our products.

UVCA Ukrainian Pavilion at CES

Ukrainian Venture Capital and Private Equity Association (UVCA) was established to spread the word about Ukraine’s achievements and opportunities and to support individuals and corporations investing in Ukraine’s technology sector.

We are truly grateful to UVCA and Western NIS Enterprise Fund for giving us the chance to have a booth at CES 2017 and present our company and its products there. Further, the UVCA CES pavilion enables us to cooperate with other startups and cross-pollinate our products with ideas from different technology fields, opening new angles.

Hideez Key 2

Hideez Key 2 is our next product featuring dynamic DFID, NFC, water resistant case and four different wearable form factors: key fob, wristband, pendant and clip.

Our major product update for 2017 is Hideez Key 2. We will present it at CES on January 5, 2017. Hideez Key 2 is the culmination of 2016 for our hardware and software engineering teams.

Challenges and Forecasts

It looks like 2017 won’t be an easy year for authentication and cybersecurity. This might sound like Captain Obvious, but institutional hacking will continue and will become more sophisticated. There will be more public discussion and more darknet tools available for hacking the hardware manufactured by the major vendors. However, the defenders will also be improving their tools and uniting their efforts. What else could they do under the circumstances?

Industry in 2017: Hardware Authentication Going Mainstream

Multi-factor authentication gadgets and hardware replacing passwords will start being sold next to customers’ doors, in places like overnight pharmacies, airport kiosks or local electronics stores. We already saw it happening during this Black Friday and winter sales.

Rise of Bluetooth 5 Products

Bluetooth 5 was the major news of 2016 in wireless. While Diffie–Hellman was implemented back in the Bluetooth 4.2 specification, Bluetooth 5 further improves on that. Another major improvement is enabling P2P connections. That unlocks opportunities for vendors to build mesh networks. Can you imagine your Hideez Key using at least two of your colleagues’ Hideez Keys or other compatible devices to create your personal trust circle?

Open Authentication Standards Take Off

We might see a first draft of OAuth 3.0 in 2017. It will definitely be using more hardware authentication functions than the previous versions. There might be some review of SAML, XACML or another XML-based approach. We might also see customer-level standards that are easy to process for a person who is not a software developer or hardware engineer. For example, one of the possible routes in this direction is authentication dashboards, showing all your current active authentication sessions. This would be a nice tool to quickly spot and react to unexpected surprises.

New Scanning Surfaces in Biometry

Fingerprints are left in the 2000s. Equipment for iris scans is expensive. Did you know you can unlock your iPhone in winter by scanning the capillaries of your nose instead of your fingertips? The year 2017 will bring new experiments with various body parts that can be used for authentication.

New Vendor Alliances

All these changes are so fundamental that it might look as if they will require several years or a decade to come to life. However, this reasoning ignores the fact that a rapidly growing market will bring new players on board. Moore’s law creates Moore’s outlaws, who in turn cause Moore’s sheriffs to appear.

Yet, it is impossible to build hardware expertise in just several months. That is why the newcomers and the established players will form alliances, with newcomers bringing new resources, industries and fresh ambitions on board and the established players bringing in their expertise and investments.

Major Hardware Hacks

Notably, privacy was only part of the story in Apple’s San Bernardino case. As we know, the iPhone 5C in question was hacked after all. So far, hardware hacking has been done on a case-by-case basis, either by law enforcement for monitoring and forensics or by cybermobsters for gaining illegal profit in many ways. Now we are nearing the time of automated hardware hacks, with firmware alterations and malware installed as a part of a software update you think is coming from a vendor.

Hideez in 2017: Beefing Up Technology and Sales

iOS & macOS

It is tough to manage security and authentication on Apple’s devices when you are not Apple. We have been investigating both of Apple’s operating systems for more than a year, and now we are nearing the public release of the macOS version of Hideez Safe, with the iOS version to follow in Spring 2017.

Launching US Sales

We expect to complete all US incorporation formalities by February 2017. This will open the road to launching US sales. Building on our sales experience in Ukraine and Germany, we will start with digital channels (like Amazon or Newegg), then try specialized digital and physical retail and then we might complete our first B2B transaction by the end of 2017.

B2B Hardware Authentication Pilots

In 2017 our product will be mature enough to try launching it in B2B. While we plan to start with European pilots, where we know people and business channels, the American market is a lucrative option as well, taking into account our mass market product launch in the US.

OpenSource Hideez Key

OpenSource in cybersecurity is not only a method of speeding up the product adoption rate. It is also an effective tool in ensuring code transparency, simplifying security audit procedures and creating a trusted relationship with the end customers. We can’t promise to make our entire firmware open source. However, we definitely plan for 2017 to become the year of our first open source contributions.

Blockchain Project

Cryptocurrencies require maximum device security and are ultra sensitive to malware. Thus, they are a perfect application for our hardware solutions. The Hideez ecosystem is autonomous and does not depend on a network connection for verifying a customer. In addition, it provides capabilities for generating a public key on a device.

We are confident that 2017 will be a great year.
Live it with us and please have happy, secure and reliable holidays.

Author: Gennadiy Kornev

Marketing and Product Advisor of Hideez Technology, content distribution systems architect, project manager, tatko
