The cool new Internet ideas of yesteryear often create the headaches of today, and some startups at the Demo conference are starting to try to solve those problems.
Young companies at this week's edition of Demo will be pitching a service to secure online transactions, a way to wipe objectionable entries from Facebook profiles, and a tool to simplify terms of service for both developers and consumers.
One of the most common ways to supplement password protection for access to enterprise resources or online services is two-factor authentication. Typically, this involves a constantly changing code that is delivered through a dedicated card, a numeric display on a credit card, or a mobile app. Users have to enter both a password they know and the current code from the device they're carrying in order to get onto a corporate VPN or a banking website.
When Toopher CEO Josh Alexander looked at this system, he saw high cost and inconvenience. The worst of it is, it forces users to take something out of their pockets in order to prove their identity to a website, he said. So, in place of a real-time code, Toopher uses the customer's current location, continuously transmitted by their mobile phone. The company's slogan is "Keep it in your pants."
Eliminating the need for tokens will make Toopher a more viable option for consumer services, which have largely rejected two-factor authentication, Alexander said. "Amazon's not going to pay $40 per year for each user to have a secure token," he said.
With Toopher, users download a smartphone app and register one or more locations as places where they typically do online transactions. The PCs or tablets they regularly use to access the online service also are identified, through cookies or other mechanisms. (Developers of smartphone apps can also set up Toopher to provide two-factor authentication right on their users' phones.) The assumption behind Toopher is that most consumers carry their phones with them everywhere, and criminals are unlikely to try an unauthorized login from the consumer's own computer while near their phone, in their home or office.
If a user registers her home as an authorized location, for example, then the website's authentication system will check the location of her phone after she enters her password. The location data never leaves the phone. If the phone isn't in her home at that time, she will get a prompt on her phone to manually grant or deny the login request, Alexander said. If the phone says it's in one of the authorized locations, the authentication works without the phone even being turned on.
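The flow described above, sketched as an added example (this is not Toopher's code): the phone compares its own position against the registered places and returns only a verdict, so coordinates never leave the device. The field names, the geofence radius, and the choice to fall back to a manual prompt for an unrecognized computer or a missing location fix are assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000

@dataclass(frozen=True)
class Place:                 # a location the user registered in the app
    name: str
    lat: float
    lon: float
    radius_m: float          # assumed geofence radius; the article gives none

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def phone_decision(request, fix, places, known_terminals, ask_user):
    """Runs on the phone. `fix` is (lat, lon) or None when no position is available.
    The returned dict is all the website sees: a verdict, never coordinates."""
    terminal_known = request["terminal_id"] in known_terminals
    in_place = fix is not None and any(
        distance_m(fix[0], fix[1], p.lat, p.lon) <= p.radius_m for p in places)
    if terminal_known and in_place:
        verdict, how = "allow", "automatic"      # no user interaction needed
    else:
        # Outside every geofence, unfamiliar computer, or no fix: fail to a
        # manual grant/deny prompt rather than silently allowing.
        verdict, how = ("allow" if ask_user(request) else "deny"), "manual"
    return {"request_id": request["id"], "verdict": verdict, "how": how}

# Constructed sample data (not from the article).
HOME = Place("home", 30.2672, -97.7431, 150.0)
REQUEST = {"id": "r1", "terminal_id": "laptop-cookie-1"}

if __name__ == "__main__":
    deny = lambda req: False                     # user taps "deny" when prompted
    print(phone_decision(REQUEST, (30.2675, -97.7431), [HOME], {"laptop-cookie-1"}, deny))
    print(phone_decision(REQUEST, (30.4000, -97.7000), [HOME], {"laptop-cookie-1"}, deny))
```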
The key to Toopher is that this doesn't require much effort. Though two-factor authentication with changing codes is fairly secure, no one likes to take out another device and copy a number from it, Alexander said.