Interview With John Whaley – UnifyID by Safety Detectives

John Whaley: Founder and CEO of UnifyID

Aviva Zacks of Safety Detectives sat down with John Whaley, Founder and CEO of UnifyID. She asked him about his company’s challenges and solutions.

Safety Detectives: What was your journey to cybersecurity and what do you love about it?

John Whaley: I went to MIT for undergrad where I majored in computer science and learned about how security is implemented in the real world. During my Ph.D. at Stanford, my thesis was on the static analysis of source code to automatically find bugs, security flaws, and security holes within the software.

I founded my first company out of Stanford which was in the security space, and now I’ve started a second company in the space as well.

SD: What motivated you to start UnifyID?

JW: What I found was that every time you type a key on the keyboard, it sends a network packet, the content of which was encrypted, but you could look at the timing between the packets and then, based on that, you could determine the timing of a user’s keystroke as they typed. So we built a demo of this solution for a security conference.

It turns out that if you know the timing of somebody’s keystrokes, then you can figure out with fair reliability what it is that they are typing because, as you move your fingers around a keyboard, the spacing between them and the duration of the time between keystrokes can leak the information about what you are typing.

We used Wireshark in the demo to capture a packet trace between the client and the server for some of these major products. Then we dumped that packet trace into a tool that would look at the timing between each of the packets, and then based on that, try to make a prediction about what the user was typing.

SD: What have been some challenges?

JW: One of the challenges we had in building the demo was the fact that everyone has their own unique way of typing. And so, you could train a model that would work well for one person, but it wouldn’t necessarily work well for other people. That’s where we first got interested in noticing habits and idiosyncrasies that we could use for identity authentication. I noticed that passwords were a real challenge. Moving forward, we knew that the password alone was not going to be the way that people would be authenticated. While the password is not completely going away yet, we are starting to see its limitations and the need for additional authentication factors to provide secure digital experiences.

SD: Which industries use UnifyID and why?

JW: We have a lot of interest from the financial services industry because fraud is very costly in that area; they have a need for high security but there’s also a need for seamless user experience. The other areas are cryptocurrencies and crypto exchanges. Any type of case where there is a sharing economy where you need to authenticate not only the user, but also the worker, because the worker may not be a full-time employee of the company, and they want to make sure that the correct person is the one making a delivery or walking your dogs.

In many cases, people use our technology for streamlining physical access: for unlocking doors and cars for example, where you want security and you also want a seamless user experience.

SD: What do you feel is the worst cyberthreat today? 

JW: The biggest cyber threat continues to be the attacks that go after the end-user. We’ve reached a point now where firewalls are no longer easy targets. It is now much easier and much more lucrative to go after individuals and try to steal their identity during the authentication process by tricking them into authenticating. This way the attacker hijacks the individual’s session to take over their account and then either transfer money out or use the hijacked account as a launch point for new attacks.

When I was young, hackers were hobbyists who were hacking for fun to prove something. There was not a lot of money in it, and it was not particularly malicious. Fraud is now a cybercrime and cyberattacking is now a large industry. There is a lot of money in it. The attacks have gotten very sophisticated. Attackers will steal someone’s identity, wreck their credit, and use that to launch different types of attacks to try to extract money out of even more people.

Until now, humans have always been the weak link in security—getting tricked into either clicking through a phishing site, entering their password in the wrong place, or getting socially engineered over a phone call. With UnifyID’s behavioral biometrics technology based on motion and the way each one of us behaves, humans become a strong link in security just by behaving the way they usually do.

SD: How important is multifactor authentication in the light of COVID-19 and the increase of employees working from home?

JW: The number of attacks has increased by almost 800% since the start of COVID-19. In the recent past, you were able to implicitly be authenticated due to the fact you were physically at the office, which takes security measures to let you into the building itself. Now, with everyone working remotely, suddenly there is a much greater need to remotely authenticate people as now a larger number of us work remotely.

One of the additional drivers for hacking is the current economic situation. In the current world environment, more and more people are out of work and lacking positive economic prospects. These conditions could drive more people to engage in hacking.

Interview originally published on Safety Detectives.

Recapping our Summer 2017 Internship Program

This summer we ran our largest internship program yet at UnifyID. We hosted an immensely talented group of 16 interns who joined us for 3 months, and there was never a dull day! While bringing in interns for the summer does create an energetic cadence, fresh viewpoints challenge us to grow as a company too. 12 weeks can feel like both a sprint and marathon, but in start-up days, even the hour can be precious.

Almost all our interns mentioned a desire to contribute to the technology of the future when asked why they chose to work at UnifyID, and we think this is a testament to the quality of our internship program—interns are able to contribute their talents in a meaningful way, whether on our machine learning, software engineering, or product teams.

Our machine learning interns focused on research, under the guidance of Vinay Prabhu. Much of their work has been on figuring out how to integrate new factors into our algorithms or develop datasets of human activity for future use. Three of our paper submissions were accepted to ICML workshops to be held in Sydney this year. This brings the total number of peer reviewed research papers accepted or published by UnifyID in the last few weeks to seven! What is especially exciting is the fact that these were the first peer-reviewed papers for our undergraduate interns in what we hope will be long and fruitful research careers.

Our software engineering interns have been integral in supporting our product sprints, which have been centered around deploying initial versions of our technology to our partners quickly. As one of our interns, Joy, said: “From mobile development to server work to DevOps, I learned an insane amount from this incredible team.”

Our product interns were involved across teams and worked on projects varying from product backlog grooming and retrospectives to beta community management to content marketing to analyst relations to technical recruiting to team building efforts. Having worked across multiple facets of the business, they were able to wear many hats and learn a great deal about product development and operations.

Aside from work, there’s no shortage of events to attend in the Bay Area, from informal ones like Corgi Con or After Dark Thursday Nights at the Exploratorium, to events focused on professional development like Internpalooza or a Q&A with Ben Horowitz of a16z, who provided his advice on how to succeed in the tech world. Our interns were also able to take part in shaping our team culture: designing custom t-shirts, going on team picnics, and participating in interoffice competitions and hackathons.

A serendipitous meet up at Norcal Corgi Con!

Though we are sad to see them go, we know that they all have a bright future ahead of them and are so grateful for the time they were able to spend at our company this summer. Thank you to the Summer 2017 class of UnifyID interns!

  • Mohannad Abu Nassar, senior, MIT, Electrical Engineering and Computer Science
  • Divyansh Agarwal, junior, UC Berkeley, Computer Science and Statistics
  • Michael Chien, sophomore, UC Berkeley, Environmental Economics and Policy
  • Pascal Gendron, 4th year, Université de Sherbrooke, Electrical Engineering
  • Peter Griggs, junior, MIT, Computer Science
  • Aditya Kotak, sophomore, UC Berkeley, Computer Science and Economics
  • Francesca Ledesma, junior, UC Berkeley, Industrial Engineering and Operations Research
  • Nikhil Mehta, senior, Purdue, Computer Science
  • Edgar Minasyan, senior, MIT, Computer Science and Math
  • Vasilis Oikonomou, junior, UC Berkeley, Computer Science and Statistics
  • Joy Tang, junior, UC Berkeley, Computer Science
  • Issac Wang, junior, UC San Diego, Computer Science
  • Eric Zhang, junior, UC San Diego, Computer Engineering

Bay Area feels

UnifyID Scores a Unanimous Win at RSA Innovation Sandbox!

Behind every great idea, there lies a kernel of unequivocal human truth and a long road of execution to realize those intentions. On Monday, February 13th, the UnifyID team delivered and unanimously won RSA’s 2017 Innovation Sandbox competition.

“UnifyID demonstrated they were the most innovative by proving there is a way to actually leverage the individuality of humans to improve security.”
– Linda Gray Martin, Director & General Manager of RSA Conference. 

UnifyID Founder and CEO John Whaley kept a 1,200-person standing-room-only audience on its toes during a 3-minute pitch and a 3-minute rapid-fire line of questioning from a panel of judges made up of venture capitalists, entrepreneurs, and representatives of large security companies.

Watch the 3-minute pitch below!

Many thanks to RSA and all our supporters who also saw that unequivocal human truth: there is only one you in the world.

We are on a mission to change the world and build a revolutionary identity platform based on implicit authentication to make your security seamless.

UnifyID Anoints 16 Distinguished Scientists for the AI Fellowship

Fast Growing Startup Uses Machine Learning to Solve Passwordless Authentication

Today, UnifyID, a service that can authenticate you based on unique factors like the way you walk, type, and sit, announced the final 16 fellows selected for its inaugural Artificial Intelligence Fellowship for the Fall of 2016. Each of the fellows has shown exemplary leadership and curiosity in making a meaningful difference in our society and clearly has an aptitude for making sweeping changes in this rapidly growing area of AI.

Of the company’s recent launch and success at TechCrunch Disrupt, claiming SF Battlefield Runner-Up (2nd in 1000 applicants worldwide), UnifyID CEO John Whaley said, “We were indeed overwhelmed by the amazing response to our first edition of the AI Fellowship and the sheer quality of applicants we received. We also take immense pride in the fact that more than 40% of our chosen cohort will be women, which further reinforces our commitment as one of the original 33 signees of the U.S. White House Tech Inclusion Pledge.”

The final 16 fellows hail from Israel, Paris, Kyoto, Bangalore, and cities across the U.S. with Ph.D., M.S., M.B.A., and B.S. degrees from MIT, Stanford, Berkeley, Harvard, Columbia, NYU-CIMS, UCLA, Wharton, among other top institutions.

  • Aidan Clark, triple major in Math, Classical Languages and CS at UC Berkeley
  • Anna Venancio-Marques, Data Scientist in Residence, PhD École normale supérieure
  • Arik Sosman, Software Engineer at BitGo, 2x Apple WWDC scholar, CeBIT speaker
  • Baiyu Chen, Convolutional Neural Network Researcher, Masters in CS at UC Berkeley
  • Fuxiao Xin, Lead Machine Learning Scientist at GE Global Research, PhD Bioinformatics
  • Kathy Sohrabi, VP Engineering, IoT and sensors, MBA at Wharton, PhD EE at UCLA
  • Kazu Komoto, Chief Robotics Engineer, CNET Writer, Masters in ME at Kyoto University
  • Laura Florescu, Co-authored Asymptopia, Mathematical Reviewer, PhD CS at NYU
  • Lorraine Lin, Managing Director, MFE Berkeley, PhD Oxford, Masters Design Harvard
  • Morgan Lai, AI Scientist, MIT Media Lab, Co-founder/CTO, M.Eng. CS at MIT
  • Pushpa Raghani, Post Doc Researcher at Stanford and IBM, PhD Physics at JNCASR
  • Raul Puri, Machine Learning Development at Berkeley, BS EE/CS/Bioeng at Berkeley
  • Sara Hooker, Data Scientist, Founder non-profit, educational access in rural Africa
  • Siraj Raval, Data Scientist, the Bill Nye of Computer Science on YouTube
  • Wentao Wang, Senior New Tech Integration Engineer at Tesla, PhD ME at MIT
  • Will Grathwohl, Computer Vision Specialist, Founder/Chief Scientist, BS CSAIL at MIT

This highly selective, cross-disciplinary program covers the following areas:

  • Deep Learning
  • Signal Processing
  • Optimization Theory
  • Sensor Technology
  • Mobile Development
  • Statistical Machine Learning
  • Security and Identity
  • Human Behavior

Our UnifyID AI Fellows will get to choose from one of 16 well-defined projects in the broad area of applied artificial intelligence in the context of solving the problem of seamless personal authentication. The Fellows will be led by our esteemed Fellowship Advisors, renowned experts in machine learning and PhDs from CMU, Stanford, and University of Vienna, Austria.

Please welcome our incoming class! ✨

 

Read the original UnifyID AI Fellowship Announcement:

https://unify.id/2016/10/10/announcing-the-unifyid-ai-fellowship/

 

Initial Release:

http://www.prweb.com/releases/2016/unifyid/prweb13804371.htm#!

Introducing UnifyID

After a year and a half of intense heads down work, we are very happy and proud to finally present UnifyID to the world.

Our goal at UnifyID is to solve one of the oldest and most fundamental problems in organized society: How do I know you are who you say you are?

The Status Quo

The traditional (digital) approach to authentication is to use a password. But when you think about it, the whole notion of passwords is pretty absurd. A password is this: I have a secret, and I tell you that secret, and that’s how you know it’s me. The problem is, I’m not very good at coming up with secrets and since I can’t keep track of very many secrets, I keep using the same ones over and over again. It’s frustratingly easy to get phished and tricked into sharing my secret, and don’t even get me started on using public records like my mother’s maiden name as a shared “secret” to authenticate someone!

In the interim, some people say to use a “password manager” to help keep track of all your passwords. Password managers are a band-aid solution. Password managers help you manage your ever growing list of passwords and accounts. They don’t solve this fundamental problem that someone can impersonate you by just knowing a secret. And they are a great honeypot so when your master password is keylogged, leaked, phished, or stolen, instead of just giving up one secret, you just gave up all your secrets.

Another approach is to use biometrics, like your fingerprint, to identify you. Fingerprints are convenient except for the fact that 1) you leave them everywhere you go, and 2) they are very, very difficult to change when they are compromised. Other biometrics are intrusive, annoying, and flaky, and often don’t add much security at all.

A third approach is to use a device to authenticate yourself. This technology has been around for a long time but has never taken off in a mainstream way, despite massive user education campaigns and huge, well-funded industry pushes. The main reason is it adds so much friction to the user experience. You now have something extra you need to carry around. You need to read off a code and type it in before a timer expires. If you forget your device, you are locked out.

Realizing people don’t want to carry extra things around, more recently vendors have moved to “soft tokens”, which are apps on your phone that provide similar functionality and trade off security for the convenience of not having to carry around an extra physical token. Or, services will send you a text message with a code you need to type in, which is not only annoying, but also doesn’t add much security.

The common thread among all of these approaches is that 1) they are annoying, and 2) they don’t add much security. These are the two problems we are solving at UnifyID.

The Genesis

A few years back, Kurt and I worked on a demo where we captured encrypted packet traces, and by simply looking at the timing between the packets, we could determine the timing of a user’s keystrokes, and ultimately, what the user had typed. People were impressed by the demo but ultimately the interesting and challenging part was the fact that each individual had his or her own unique way of typing. In fact, after we saw you type around four sentences of text, we could uniquely identify you.

We began to look at other aspects we could passively detect that were a) unique per individual and b) did not require any conscious action on the part of the user. We looked at the various sensor data you could get from phones, computers, and wearables. We used signal processing and machine learning to stitch together the various noisy signals from multiple devices. It took a lot of work, but what we discovered was both shocking and heartening: It turns out people are both very predictable and very unique in their behaviors, actions, and environments. In essence, there is only one you in the world, and it was possible to authenticate you based on the sensors already around you. UnifyID was born.

The Future is Implicit

This technology is called implicit authentication. The basic idea is to be yourself, and there is enough that is unique about you that it is possible to authenticate you implicitly; that is, without you having to make any explicit action.

Implicit authentication is not new. In fact, this is how authentication worked since the prehistoric era. People used how you looked, how you moved, how you talked, your possessions, the context in which they encountered you, and how you acted to figure out who you were. Our brains are trained to identify people based on these characteristics and to pick up on subtle clues when something is off. Much like what human beings can do naturally, we discovered it is possible to train a machine learning system to do the same.

The result is truly magical. It makes security much more seamless and natural. You can be yourself, and the devices and services you interact with will naturally recognize you based on your unique characteristics. No passwords to remember, no codes to read off your phone. You are not tied to one device, and you have nothing extra to carry around. The future is implicit.

The applications of this technology are endless, but one key area is in authenticating transactions and preventing account takeover. With our implicit authentication system, we can identify the human behind the device and give a confidence level that they are who they say they are. UnifyID also does continuous authentication, which means we can detect when changes happen and automatically challenge or log out the user.

Balancing Security and User Experience

There has always been a balance between security and user experience. For too long, security solutions have sacrificed user experience in the name of security. But you can’t look at security and user experience independently. Any security solution that does not take into account the user experience will not be successful in the real world. If you make security policies too annoying or add too much friction, people will either find ways around your security policies, or will just be miserable and unproductive.

UnifyID was designed with the user experience in mind. In fact, UnifyID is truly a subtraction from the user experience. Usernames? Passwords? Security questions? Passcodes? When enough signals match, these are completely eliminated from the user experience. In the cases where they don’t match, we issue you a challenge to prove your identity. But even the challenges are designed with the user experience in mind. You can use challenge factors like fingerprints and facial recognition, among others in active development. And the more you use the system, the more the machine learning algorithms adapt to your unique behaviors and environment. UnifyID is not only more convenient, it is also more secure.

UnifyID utilizes combinations of deep neural networks, decision trees, Bayesian networks, signal processing, and semi-supervised and unsupervised machine learning. Our system is able to discover what makes each individual unique and finds correlations between multiple factors that greatly boost the accuracy. “Machine learning” is not just a buzzword for us. We have a great team of machine learning and security experts from MIT, Stanford, Berkeley, and CMU, and are working with world-class advisors in both academia and industry. I’m very proud of the team we have built so far. (And if you want to work on the next revolution in authentication and have fun doing it, we are hiring!)

One example of an implicit factor we use is how you walk. It turns out that an individual’s gait is quite particular to them, and has a number of influences including unique physiology, length of femur, muscle memory, the culture you grew up in, and more. In fact, we can identify you with only four seconds of your walking data from your phone sitting in your pocket. And that is just one of over a hundred different attributes we use to authenticate you.

Experience the Future of Authentication

At UnifyID, we believe it is time for authentication to be about you. Humans have always been considered to be the “weak link” in security. At UnifyID, we turn that around and use what is unique about each individual to enhance security. The best way to authenticate yourself is to be yourself.

UnifyID is the first holistic implicit authentication platform available on the market. We are excited to announce a limited private beta for individuals to test ride the future of authentication in their Chrome browsers and iPhones today.

Embrace your uniqueness. After all, there is no one in the world more you than you.