Confyrm: Prevent account takeovers by ‘sharing signals’
Awarded in 2014
02 November, 2015
category: Corporate, Digital ID, Government
Confyrm was awarded $2.4 million in 2014 to demonstrate ways to minimize loss when criminals take over online accounts or create fake accounts. The project aims to tackle a key barrier to federated identity: knowing whether accounts used in identity solutions are legitimate and being controlled by their rightful owner.
Confyrm will demonstrate how a “shared signals” model can mitigate the impact of account takeovers and fake accounts through early fraud detection and notification, says Andrew Nash, founder and CEO at the company. The company is working with partners to build out use cases for sharing information between enterprise, consumer and government participants.
The premise is simple: if an ID provider notices a password change or suspicious behavior, the system takes action. Google demonstrated Confyrm’s system at the Cloud Identity Summit, using a password reset as the example, Nash says.
The demo showed a user legitimately changing a password, as well as what happens when the user visits sites that had previously been federated with that identity. Depending on the type of transaction the user attempted to conduct, different actions were required. If the user was simply looking at information, no further action was necessary. But if a purchase was being made or a riskier transaction conducted, more information would be requested of the user.
“What we’re doing is sharing account level information that allows you to understand this inter-network or connection of all of these accounts that you have built up over time,” Nash says. “This shows how something that happens to one account manager might be useful for another to know in order to keep you safe, but we want to do this while hiding your identity to the best of our ability.”
Little information has been released about the pilot partners, except that they include an Internet email provider, a mobile operator, a financial services company and multiple e-commerce sites. The pilot is in the early stages, so no outcomes are available.
“We are actually providing value that is independent of identity technologies, protocols and infrastructures,” Nash says. “We can improve the value of really basic password-based systems right now so we can make an impact over the next year or two that will directly improve the trust and the confidence in consumer identities.”
Lessons learned
The most important thing is to keep the technology simple, Nash says. If an ID provider notices a breach or abnormal behavior, it must make sure to communicate that simply to the user.