Will stealthy Certus let you forget all your passwords?


How is this for a fantasy come true: never having to remember — or reset — another password?

A stealthy startup with employees in Boston and San Francisco is developing a technology that would use an app on your smartphone to make the act of logging into a website not only less frustrating, but more secure. Certus Technology Systems has already raised about $375,000 in seed funding from individual investors, and is conducting its first pilot test with a financial services customer now.

“The basic idea is that a smartphone can serve as a high-tech authentication device, communicating with your laptop or tablet using high-frequency sound waves,” says Andrew Grochal, Certus’ VP of operations. “Every time you log into a site, we’re generating a unique, one-time use password that only exists for a split second. It’s a kind of sound fingerprint that your smartphone creates, and the other device hears.” (The phone gets this one-time-only sound “password” from a server, and then the device that hears it checks with that server to make sure it is the correct one before granting access.)

Certus can also use the smartphone’s unique ID, an identifier built into its app, and the phone’s location to authenticate that you are the person who should have access to a given brokerage account, for instance. “If you always log in from your home in the Back Bay, and then one day you’re logging in from China, we can pose some additional challenge questions for you,” Grochal says. Additional layers of authentication the company is considering include voice and facial recognition. (See below.)

certus-voiceCertus’ CTO is Jack Wolosewicz, who founded the company in early 2013. Previously, Wolosewicz started Verance Corporation, which created and licenses a digital watermarking technology intended to prevent music and video piracy.

Certus has four employees in Boston, and two in San Francisco, including Wolosewicz. Much of the $375,000 the company has raised went toward building the product, Grochal says; now that the first pilot tests with customers are happening, he says the company will focus on raising a larger funding round.

Grochal says he isn’t allowed to divulge the names of the financial services firms testing the technology, but says the first pilot is taking place in Boston with a publicly-traded company. “We get put through the wringer in talking to prospective customers,” he says. “They have big security departments and they ask a lot of good questions.” The company’s technology is integrated with OAuth and OpenID, two widely-used protocols for authenticating users and permitting them to access files or accounts.

If you’re using a smartphone to gain access to your e-mail, bank accounts, and medical records, what happens if your phone is lost or stolen? “We can shut down the app remotely if you tell us that it’s missing,” Grochal says. “And of course, the phone itself may have a PIN code or a fingerprint recognition system that you need before you can even get to our app.” He adds that most people realize their phone is missing “within 20 minutes,” whereas a bank card or credit card can be lost for days before you notice. And the sound password that Certus generates expires a split second after your smartphone uses it. “If you hack a password database, you get passwords which can be used all over the internet,” Grochal says. “If you were able to hack the system here, you might get a list of expired codes but not a whole lot else.”

In February, Google acquired a company developing similar technology, SlickLogin. That could be good for Certus (allowing them to bring an independent solution to the market) or bad (Google, you may have noticed, has a lot of money to throw at R&D, product development, and marketing.) Certus has filed four patents related to its product, and Grochal calls SlickLogin “a simplified version of everything we are building here.”

Is it possible that our collective future won’t involve 23-character passwords that use capitals, lowercase letters, numbers, and at least five punctuation marks? I’m hoping it won’t…

Here’s a video overview of the product produced by the company.

(I mentioned Grochal’s last startup, Mixer, in this 2013 column about how tech startups were trying to enhance face-to-face networking events.)

Scott Kirsner writes the Innovation Economy column every Sunday in the Boston Globe, in which he tracks entrepreneurship, investment, and big company activities around New England.
Follow Scott on Twitter - Facebook - Google+