No secrets or stored credentials with Badge’s new authentication system

Badge Inc., a digital privacy firm founded by MIT cryptographers, is celebrating the launch of its patented authentication software, which allows users to enroll once and authenticate across devices thereafter without re-registration. According to a press release, the biometric public key system is easily integrated with leading digital identity providers, and eliminates the risk of centrally stored personal identity information and biometric data being exposed to breaches, thus rendering passwords, knowledge-based authentication (KBA) and biometric credential storage obsolete.

“The problem of storing credentials has vexed the security community for decades,” says Ray Rothrock, Badge advisor, venture capitalist and former CEO of Red Seal. According to Badge, by doing away with stored credentials the system eliminates the target of 49 percent of all data breaches. “The pervasive concern of PII being in the open and unprotected is over,” says Rothrock. “Badge enables identity without secrets.”

The product does so by letting users derive private keys on the fly using their biometrics and factors of choice, without having to rely on hardware tokens or secrets. It also dodges the problem of on-device authentication that locks users to a specific device that can be lost or rendered inoperable, leading to cumbersome account recovery processes. Per the release, users enroll once then “seamlessly authenticate across any device using authentication factors that are unique and inherent to them, including biometric factors such as fingerprint or face. These biometric factors can be combined with other factors such as passive attributes, attestation signals, PINs, etc.,” for an MFA method that does not rely on a specific device or token.

“You are your token”

Tina P. Srivastava, co-founder of Badge and an MIT aerospace PhD, says Badge’s core mission is to move the trust-anchor for digital identities to the human instead of hardware. “After losing my own identity in a breach,” says Srivastava, “we went back to the fundamentals. We relied on math to solve the problem and used cryptography to build a user-centric solution that makes people their own roots of trust, rather than their device or token. With Badge, you are your token.”

Badge says enterprise security teams should look to its offering for a cost-effective and simple  credential and identity management tool that mitigates downstream costs caused by ransomware attacks or legal consequences from biometric or personal data breaches.

Available on Okta and Auth0 marketplaces

Badge has partnered with identity-for-enterprise firm Okta for one of its first teamings, making its technology available to customers of both Okta and Auth0 Marketplaces through an integration with Auth0. A release says the Badge integration activates its patented enroll-once, authenticate-anywhere technology, allowing users to authenticate with MFA on any device with their preferred biometrics and factors.

“Badge is revolutionizing privacy for consumers so that enterprises can safely move to a future without the liability of storing user biometric templates, PINs, or secrets,” says Charles Herder, another of Badge’s co-founding MIT cryptography PhDs. “Our partnership with the Okta and Auth0 teams is in line with our commitment to integrate our patented and award-winning technology seamlessly with partners using open standards to extend privacy-preserving authentication to the masses.”

Badge is available now as licensed on-prem software or an annual SaaS subscription. For partners, it provides zero-code integration into IAM workflows using standard protocols, including OAuth 2.0, OIDC, SAML, FIDO, TLS, Kerberos, and others.

Article Topics

Badge  |  biometric authentication  |  biometrics  |  cryptography  |  data privacy  |  digital identity  |  multifactor authentication