Tel Aviv, Israel-based Secret Double Octopus has raised $15 million in a Series B funding round from Sony Financial Ventures, KDDI, and Global Brain as well as prior investors. The firm provides passwordless authentication for enterprises, and is eyeing the growing WFH market.
“As many workers use unsecured Wi-Fi networks and personal devices to connect to their corporate networks and assets, organizations must quickly maneuver to enable access to corporate applications and workstations in a highly secure method,” says the company announcement. “Removing passwords prevents credentials theft, Man-in-the-middle attacks, identity theft, phishing and other forms of popular attack vectors. Furthermore, moving to Passwordless Authentication reduces Helpdesk and password management costs and minimizes IT operations.”
Secret Double Octopus was founded in 2015 by Chen Tetelman (VP, R&D), Raz Rafaeli (CEO), Shimrit Tzur-David (CTO), and Shlomi Dolev (CSO). It uses a biometrically protected mobile phone to eliminate the need for passwords. When users seek to logon to their workstation or VPN service, a mobile phone authenticator app receives a pushed authentication request notice via the Octopus Cloud Service. These notices are delivered using what the firm describes as its “unique secret sharing technology”, described elsewhere as being “originally developed to protect nuclear launch codes.”
The user then provides the app with biometric proof of identity — usually a fingerprint via the phone’s fingerprint sensor — and taps an ‘approve’ button on the app. The authentication attestation is then relayed from the app through the cloud service to the Octopus Authentication Server and on to the relying system — which grants access on receipt of proof of identity.
Octopus also supports FIDO2-compliant authenticators where the user has no phone or is reluctant to install company apps on a personal device. Here the FIDO device is plugged into one of the workstation’s USB ports. A challenge generated by the FIDO server is relayed via the Octopus Credential Provider on the workstation. The user’s response — typically by tapping the authenticator or providing a fingerprint — is relayed back to the FIDO server which sends an authentication approve or reject notice to the relying system.
Finding an alternative to the use of passwords for user authentication is considered a priority. Passwords are too easily stolen or forgotten — and the sheer number of different passwords users now need to manage is a problem. For the user, managing multiple strong passwords is now a high friction issue, while for the business the malicious use of stolen credentials is a primary cause of network breaches.
Secret Double Octopus believes it has found a solution primarily through the use of mobile phones. User passwords are eliminated while security is increased by the built-in multi-factor nature of the solution.
Total funding for the firm has now reached $22.5 million, following a Series A round of $6 million in January 2017, and initial seed funding of $1.5 million in January 2016.
Related: Silicon Valley Legends Launch Beyond Identity in Quest to Eliminate Passwords
Related: ZenKey: How Major Mobile Carriers Are Teaming Up to Eliminate Passwords
Related: The Human Element and Beyond: Why Static Passwords Aren’t Enough
Related: From IDF to Inc: The Israeli Cybersecurity Startup Conveyor Belt
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
Previous Columns by Kevin Townsend: