UnifyID @ HackMIT

I just got back from HackMIT, and what a crazy, intense experience it was. For those who don’t know, HackMIT is a 24-hour hackathon with over 1,000 students from all over the country and the world, all hacking on some very cool stuff. I was on the judging panel and also acted as a mentor, helping students debug issues with a wide variety of technologies like Node.js/Express, CocoaPods and Swift 3, Ethereum smart contracts, Angular and JavaScript, 502 errors on HTTP requests, and a bunch of other issues. A few students came up to me after they recognized UnifyID from our TechCrunch video and wanted to take photos together.

I met a lot of great students from all over the US, Europe, and South America. I also gave a tech talk where we demonstrated our implicit authentication technology in action with a volunteer from the audience. Being a technical crowd, I was able to dive deep into the technical aspects with some of the actual data in a Jupyter notebook. People were amazed by some of the unique aspects to human movement and how much information you can get from the accelerometer and gyroscope in your phone!

HackMIT had tons of free food/drinks/activities. They had no soft drinks because they were encouraged to avoid unhealthy drinks, but they had plenty of Red Bull (?). And unlimited Soylent, too. Plus food/snacks at all hours of the day and night, like fresh smoothies at midnight and hot waffles with chocolate in the morning. And crazy activities like the 2am shakedown and the 7-minute workout outside in the wee hours of the morning.

Many/most teams stayed up all night hacking. There was a wide variance in hacking ability but the top teams were truly astonishing in what they were able to build in 24 hours. All of the top ten were amazing and it was hard to choose.

The ultimate winner was “WindowShare”. They built an awesome cross-platform tool where you can drag any window between computers and it seamlessly copies the program’s file and opens it on the other machine. Like if you open a text file in TextEdit on a Mac, you can drag the window over and the contents appear in a Notepad window on the Windows machine. Likewise for images and Chrome windows/tabs. They also implemented remote mouse so you could move your mouse on the other screen as well and control it without messing up the original mouse. They implemented in Java with JNI and socket communication.

The runner-up was a book-reading bot that used the phone, OCR, and text-to-speech to read (physical) books aloud. It also used a motorized mechanism including a computer fan to reliably turn pages.

We also added an honorable mention: “Fretless”, an MIT team that built a Guitar Hero-like contraption that hooks to your violin. It takes a MIDI file and lights up where you are supposed to press your fingers so you can learn how to play real songs.

All of the top ten projects were amazing and the teams got a ton done in 24 hours! To everyone who participated, I say “Hack on!”

Introducing UnifyID

After a year and a half of intense heads-down work, we are very happy and proud to finally present UnifyID to the world.

Our goal at UnifyID is to solve one of the oldest and most fundamental problems in organized society: How do I know you are who you say you are?

The Status Quo

The traditional (digital) approach to authentication is to use a password. But when you think about it, the whole notion of passwords is pretty absurd. A password is this: I have a secret, and I tell you that secret, and that’s how you know it’s me. The problem is, I’m not very good at coming up with secrets and since I can’t keep track of very many secrets, I keep using the same ones over and over again. It’s frustratingly easy to get phished and tricked into sharing my secret, and don’t even get me started on using public records like my mother’s maiden name as a shared “secret” to authenticate someone!

In the interim, some people say to use a “password manager” to help keep track of all your passwords. Password managers are a band-aid solution. Password managers help you manage your ever-growing list of passwords and accounts. They don’t solve this fundamental problem that someone can impersonate you by just knowing a secret. And they are a great honeypot, so when your master password is keylogged, leaked, phished, or stolen, instead of just giving up one secret, you just gave up all your secrets.

Another approach is to use biometrics, like your fingerprint, to identify you. Fingerprints are convenient except for the fact that 1) you leave them everywhere you go, and 2) they are very, very difficult to change when they are compromised. Other biometrics are intrusive, annoying, and flaky, and often don’t add much security at all.

A third approach is to use a device to authenticate yourself. This technology has been around for a long time but has never taken off in a mainstream way, despite massive user education campaigns and huge, well-funded industry pushes. The main reason is it adds so much friction to the user experience. You now have something extra you need to carry around. You need to read off a code and type it in before a timer expires. If you forget your device, you are locked out.

Realizing people don’t want to carry extra things around, more recently vendors have moved to “soft tokens”, which are apps on your phone that provide similar functionality and trade off security for the convenience of not having to carry around an extra physical token. Or, services will send you a text message with a code you need to type in, which is not only annoying, but also doesn’t add much security.

The common thread among all of these approaches is that 1) they are annoying, and 2) they don’t add much security. These are the two problems we are solving at UnifyID.

The Genesis

A few years back, Kurt and I worked on a demo where we captured encrypted packet traces, and by simply looking at the timing between the packets, we could determine the timing of a user’s keystrokes, and ultimately, what the user had typed. People were impressed by the demo but ultimately the interesting and challenging part was the fact that each individual had his or her own unique way of typing. In fact, after we saw you type around four sentences of text, we could uniquely identify you.

We began to look at other aspects we could passively detect that were a) unique per individual and b) did not require any conscious action on the part of the user. We looked at the various sensor data you could get from phones, computers, and wearables. We used signal processing and machine learning to stitch together the various noisy signals from multiple devices. It took a lot of work, but what we discovered was both shocking and heartening: It turns out people are both very predictable and very unique in their behaviors, actions, and environments. In essence, there is only one you in the world, and it was possible to authenticate you based on the sensors already around you. UnifyID was born.

The Future is Implicit

This technology is called implicit authentication. The basic idea is to be yourself, and there is enough that is unique about you that it is possible to authenticate you implicitly; that is, without you having to make any explicit action.

Implicit authentication is not new. In fact, this is how authentication worked since the prehistoric era. People used how you looked, how you moved, how you talked, your possessions, the context in which they encountered you, and how you acted to figure out who you were. Our brains are trained to identify people based on these characteristics and to pick up on subtle clues when something is off. Much like what human beings can do naturally, we discovered it is possible to train a machine learning system to do the same.

The result is truly magical. It makes security much more seamless and natural. You can be yourself, and the devices and services you interact with will naturally recognize you based on your unique characteristics. No passwords to remember, no codes to read off your phone. You are not tied to one device, nor do you have something extra to carry around. The future is implicit.

The applications of this technology are endless, but one key area is in authenticating transactions and preventing account takeover. With our implicit authentication system, we can identify the human behind the device and give a confidence level that they are who they say they are. UnifyID also does continuous authentication, which means we can detect when changes happen and automatically challenge or log out the user.

Balancing Security and User Experience

There has always been a balance between security and user experience. For too long, security solutions have sacrificed user experience in the name of security. But you can’t look at security and user experience independently. Any security solution that does not take into account the user experience will not be successful in the real world. If you make security policies too annoying or add too much friction, people will either find ways around your security policies, or will just be miserable and unproductive.

UnifyID was designed with the user experience in mind. In fact, UnifyID is truly a subtraction from the user experience. Usernames? Passwords? Security questions? Passcodes? When enough signals match, these are completely eliminated from the user experience. In the cases where they don’t match, we issue you a challenge to prove your identity. But even the challenges are designed with the user experience in mind. You can use challenge factors like fingerprints and facial recognition, among others in active development. And the more you use the system, the more the machine learning algorithms adapt to your unique behaviors and environment. UnifyID is not only more convenient, it is also more secure.
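The confidence level, continuous re-evaluation and challenge-on-mismatch behaviour described above can be sketched as a small decision loop. This is an added example, not UnifyID's code or method: the naive-Bayes style fusion of independent signals, the thresholds, the decay factor, the signal names and the scores are all assumptions made for illustration.

```python
import math

# Assumed policy thresholds on P(owner | evidence); not values from UnifyID.
ALLOW_AT, LOGOUT_AT = 0.90, 0.10

def fuse(prior, llrs):
    """Posterior P(owner) from a prior and per-signal log-likelihood ratios
    log(P(obs | owner) / P(obs | impostor)), assuming independent signals."""
    logit = math.log(prior / (1.0 - prior)) + sum(llrs)
    return 1.0 / (1.0 + math.exp(-logit))

def decide(confidence):
    if confidence >= ALLOW_AT:
        return "allow"
    if confidence <= LOGOUT_AT:
        return "logout"
    return "challenge"  # step up to an explicit factor (fingerprint, face, ...)

class Session:
    """Continuous authentication: every batch of sensor evidence updates the
    confidence; old evidence is aged toward 0.5 so trust has to be re-earned."""
    def __init__(self, decay=0.8):
        self.confidence = 0.5   # no evidence yet
        self.decay = decay      # assumed ageing factor per batch

    def observe(self, llrs):
        aged = 0.5 + self.decay * (self.confidence - 0.5)
        self.confidence = fuse(aged, llrs.values())
        return decide(self.confidence)

# Constructed evidence batches (hypothetical signal names and scores).
TRACE = [
    {"gait": 1.5, "location": 1.0, "typing": 0.8},     # owner, familiar context
    {"gait": 0.2, "location": -1.2},                   # owner, unfamiliar place
    {"gait": -2.5, "location": -1.5, "typing": -2.0},  # someone else has the phone
]

def run(trace):
    session = Session()
    return [session.observe(batch) for batch in trace]

if __name__ == "__main__":
    print(run(TRACE))
```

The middle band between the two thresholds is what keeps a single weak or missing signal from either silently admitting an impostor or locking the owner out: ambiguous evidence produces a challenge rather than a hard decision.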

UnifyID utilizes combinations of deep neural networks, decision trees, Bayesian networks, signal processing, and semi-supervised and unsupervised machine learning. Our system is able to discover what makes each individual unique and finds correlations between multiple factors that greatly boost the accuracy. “Machine learning” is not just a buzzword for us. We have a great team of machine learning and security experts from MIT, Stanford, Berkeley, and CMU, and are working with world-class advisors in both academia and industry. I’m very proud of the team we have built so far. (And if you want to work on the next revolution in authentication and have fun doing it, we are hiring!)

One example of an implicit factor we use is how you walk. It turns out that an individual’s gait is quite particular to them, and has a number of influences including unique physiology, length of femur, muscle memory, the culture you grew up in, and more. In fact, we can identify you with only four seconds of your walking data from your phone sitting in your pocket. And that is just one of over a hundred different attributes we use to authenticate you.

Experience the Future of Authentication

At UnifyID, we believe it is time for authentication to be about you. Humans have always been considered to be the “weak link” in security. At UnifyID, we turn that around and use what is unique about each individual to enhance security. The best way to authenticate yourself is to be yourself.

UnifyID is the first holistic implicit authentication platform available on the market. We are excited to announce a limited private beta for individuals to test ride the future of authentication in their Chrome browsers and iPhones today.

Embrace your uniqueness. After all, there is no one in the world more you than you.