Badge has launched a privacy-preserving authentication system designed to enable enterprise authentication across multiple devices after a single enrollment, without storing personally identifiable information (PII).
With stored credentials the target of nearly half (49%) of all breaches, according to Verizon’s 2023 Data Breach Investigations Report, Badge is seeking to tackle a widespread security challenge.
How Badge works
The deviceless, tokenless authentication system is intended to enable users to move freely across devices and platforms, without losing access to their accounts or compromising security, including allowing multiple users on a single device.
Passwords combined with MFA elements such as security verification questions create user friction and are security weak points, said Badge co-founder Tina Srivastava. “We’ve been using devices as a proxy for our identity, and it works as long as you don’t lose or break your device. But the problem is that when it happens, it’s a headache for users, and an entry point for fraud,” she told CSO.
Instead, Badge combines face, fingerprint or voice with passive or knowledge characteristics as authentication factors and uses cryptography to derive a key on the fly from an individual’s authentication factors. By utilizing authentication elements that are unique to an individual, the key is unique, but it doesn’t lock them to a specific device.
At the time of initial enrollment, Badge allows users to obtain a private key and a public key that is partly dependent on a user’s biometrics or other authentication factors. After enrollment, the biometrics and private key are destroyed, leaving only a public key that doesn’t reveal personal information and is validated through the biometric data initially used.