Friday, April 30, 2010
Interview with Curtis Staker and William Goldbach, Confident Technologies
Story by Benjamin F. Kuo
Last week, San Diego-based Confident Technologies (www.confidenttechnologies.com) announced that it had acquired the assets of Vidoop, and created a company focused on security and authentication of users. The firm is headed by Curtis Staker, former president of Websense, and also includes an experienced executive team of other former Websense executives. We spoke with Curtis, along with William Goldbach, Executive Vice President at the firm, about the company. (Photo: Curtis Staker, left; William Goldbach, right).
Let's start with the products. What does Confident Technologies do?
Curtis Staker: The essence of what we are doing, is creating image-based technology which can be used either as an augmentation, or in place of what is out there for authentication software. You may have seen the CNN headlines about password hemorrhages, and the 54 billion dollars in identity theft expenses it has cost companies and individuals, and it's a pretty hot topic. The reason why, is what is out there for usernames and passwords is not working very well. It's outdated and antiquated, and if you think about how people use usernames and passwords, people have bad habits. I don't know how many passwords you have, but on average, we see people have thirty to forty passwords per person, and they're logging into eight to ten websites during the day. But, even so, those passwords tend to have lots of similarities--they're easy passwords. What we've uncovered, is that of the top 5000 most common passwords, about 20 percent of the population is using one of them. There are lists you can find of these, and if you think about a 55kb DSL line, and a reasonably sized website, you can probably find 100 passwords in just seventeen minutes. That's just through brute force testing of those 5000 passwords. And, once you have the first 100, it just gets quicker, and quicker, and quicker. The reason passwords don't work, is because if you want a stronger password, when a system forces you to use a certain number of characters, or put numbers or special characters into a password, people can use keystroke logging to force themselves into your network or your PC. Plus, there's always shoulder surfing--when people write them down, and are grabbing for your daytimer or spreadsheet for passwords--that's treating passwords like it's the 1950's, and leaving your front door key under a door mat.
What we've done, is for authentication, we have created a way to have a unique password to give you access to a web site every time. For people, alphanumeric strings are not a natural thing to remember, but images are. Our technology, instead of having you remember a password, instead has you remember three categories of images. That might be a car, boat, or an airplane. Instead of remembering a password, each time you try to log in an image grid comes up--an image shield, as we call it. It has nine pictures or more on screen, and in each location there are pictures that contain pictures from your category or have different letters in different locations. That enables a truly unique login every time. It's a very different approach, but is more secure and more intuitive.
The Confident authentication suite of software, which also includes out of band technology. When you're sitting at a computer with a known, registered IP, we know it is you and your particular category of images, and you can log in. But, say you are at the American Airlines lounge, you need multiple factors of authentication. Those kinds of factors are what you know, what you have, and who you are. In the case of what you have, is if you're in the airline lounge, you probably have your cell phone, and that second factor is your cell phone. We call your cell phone with a one-time password or single-key login. There is other technology out there like that, but it's not as complementary to our image authentication. The other thing we will be releasing in coming weeks is an image-based CAPTCHA product. CAPTCHA usually are those warped letters, which are hard to read. We have an image based CAPTCHA called ConfidentCAPTCHA, which instead of having you try to read through squiggly lines, which is difficult, and often causes web sites to be abandoned, we have an image grid, and might have you click on a refrigerator, house, and person--which changes every time--which remarkably reduces the probability of bots breaking through. You can also dial in the level of security, so you can have a 5 by 5 grid, or less if you want to secure a known user. There are 200 million CAPTCHAs a day, and it might be much higher than that, and there's one number that says 4 percent, and as much as 20 percent of those are abandoned because people can't read those squiggly characters. If so, that's a lot of abandoned transactions just because people can't read the CAPTCHA.
What's the story behind the company, and your purchase of Vidoop?
Curtis Staker: We completed an asset purchase of Vidoop in January. We bought the assets from Vidoop, which was an LLC that was first established in late 2005 in Tulsa, Oklahoma. It was funded in 2006 with about $8M in investments, and we were fortunate to have the benefit of that investment in the development of the intellectual property. We also assumed over 50 pending patents, from ten different patent families.
Can you talk about how you ended up at Confident Technologies?
Curtis Staker: I left Websense to be Chairman of GFI Software, and post GFI I was on boards and served as CEO and was involved in other interim CEO activity. I decided I wanted to go on-grid and go full time. But, it was important that was in Southern California. GFI was headquartered in Malta, and that was a big commute after two and a half years.
William Goldbach: I had a smaller commute, just up to the Bay Area, where I was at Scansafe, working on web filtering. They were just purchased by Cisco, and until last year I was doing independent consulting and board work as well.
So what triggered the buy and made you decide to start the company?
Curtis Staker: I was actually invited into the opportunity by a pretty dynamic guy, Jay Kear, who is Orange County. If you look at this opportunity, it feels a lot like when we were at Websense. In early 2000/2001, there was still a bit of debate whether or not personal Internet use in companies was really that rampant, or non-productive. We had an opportunity to change the way the Internet was used in business, and to change the world. Instead of the Internet being bad, with the filtering and security tools, we made it a productive tool. Looking at this opportunity, we're looking at the front door to the consumer, facing an issue the web has never addressed. We feel that we can be an enabler of productive, secure, and intuitive use of the web for commercial purposes, whether that's for a social networking site, for communications, medical records, or financial services. Forty-seven percent of people still don't use online banking. It costs banks 6 cents when you go online, and $20 when you go into a branch. Yet, only four percent of the U.S. retail market is done through e-commerce. The reason why people don't adopt it, is because of security and ease of use. Every day you see things scaring people away from some aspect of ecommerce. There's the 25 million credit card numbers lost by Ticketmaster to fraud or TJ Maxx with 40 million credit cards compromised. There's an unbelievable amount of information, products, and services out there on the Internet, but many people are not using them because they don't feel that secure, or because they have to deal with 120 different passwords. The exciting part of this, is it's a true enabler of making these resources more broadly utilized.
It sounds like a lot of this might be aimed at financial customers?
Curtis Staker: It's certainly financial customers. Financial services are a pretty direct first target, because this can be implemented either as a replacement for password technology, or as a layer of security behind it. It's used in place of challenge questions, because where you went to high school or your mother's maiden name can be found in pretty logical places. So, there are 200 major financial firms in the U.S., serving millions and millions of end users. Those are people like Citigroup, Morgan Stanley, and Wells Fargo. We are also in healthcare, where they need to have a secure, intuitive way to log on to protect that information. Social networking sites, and even the general enterprise has need for this. We talked about CAPTCHA, and everyone has to have that on their web site. There's a very broad opportunity for us there, and if you think about that, that's also something that could be used as a marketing and branding tool, because we're using images for authentication.
Lots of banking sites I see nowadays seem to have additional security features, some even images, as part of their sites. How is this different?
Curtis Staker: The image authentication support is indeed a unique approach. There are, if you look at sites like Bank of America, images, but it's the same image every time, and it's not used for authentication. It's just an anti-phishing tool, so you can verify you are on their web site. It's not used for authentication. We've really got a unique approach to authentication.
William Goldbach: For our marketing strategy, we're not looking at a direct placement model, but are using one where we would be a layer in someone else's authentication process. We're more than happy to act as one layer of their security strategy.
Is this software-as-a-service, or on-premise software?
Curtis Staker: We deliver either in the cloud, as software-as-a-service, but if you look at very large institutions, financial or otherwise, they need to have a virtual appliance which can be installed at a data center. That allows us to remove that obstacle when we introduce the technology, by having flexible deployment options.
Finally, how is the firm backed?
Curtis Staker: We have used a bridge loan, at this point, all from private investors. We've been able to do that, and not had to start from scratch, because we were able to restart and take advantage of what was in the technology we acquired. We're using that investment for product development, to put the management team in place, and to commercialize it so you have an enterprise class product.