Startup touts four-factor authentication for VIP-level access

Trusona’s system involves an app, a dongle, the post office and the subject of “Catch Me If You Can”.

Startup Trusona is launching what it claims to be a 100% accurate authentication scheme aimed at corporate executives, premier banking customers and IT admins who have unfettered authorization to access the most valued corporate assets.

The system uses four-factor authentication to assure that the person logging in is the person they say they are. It requires a dongle that is tied to a set of specific devices (phones, tablets, laptops), certain cards with magnetic stripes that the user already owns, and a biometric ID based on how the card is swiped through the card reader on the dongle.

The TruToken dongle is a miniaturized version of anti-ATM-card-cloning technology made by MagTek. It reads not the digital data recorded on a card’s magnetic stripe but the arrangement of the barium ferrite particles that make the stripe magnetic. The particles are so numerous and so randomly placed that no two stripes have identical patterns, says Ori Eisen, Trusona’s CEO. That also makes the stripes unclonable, he says.

In order to use the authentication system, the Trusona app on the user’s device connects to Trusona’s cloud. The user plugs in the dongle, and if the dongle ID and device ID have been paired, the user is prompted to swipe a card with a magnetic stripe that has also been paired with the user. That can be a credit card, driver’s license, library card, etc. The barium ferrite particles must match.

The way the card is pulled through the card reader on the TruToken is also a unique identifier, Eisen says. People pull them through at different speeds, at different angles and from different directions in a manner that is readable and unique, he says.

If all these factors check out, authentication is confirmed to the server the user is trying to log into. All data is encrypted before it leaves the dongle.

The system includes a method to make sure the person associated with the TruToken and the cards is the actual person and not someone who has stolen someone else’s phone and credit card before purchasing the app and dongle. After registering and purchasing the device online, it is delivered to the customer’s home via the U.S. Postal Service and the mail carrier checks the buyer’s passport before turning over the device to make sure the person receiving it is the person who bought it. Eisen says he’s still working out the deal with the post office.

Alternatively, if a corporation wants to set up accounts for multiple staffers, they can issue the devices to their people in person after confirming their identity in whatever way they see fit.

While the barium ferrite and card-swipe readings can help identify the user, they can also prevent attackers from capturing the data from one session and replaying it for a later one, Eisen says. Legitimate readings register a high enough percentage of matching factors to confirm the user, but they are never exactly the same, so if identical attempts occur, that indicates a compromise.

For example, with the card swipe, a 60% match is enough to confirm the card is authentic. In a demonstration of the technology, the first swipe registered 83% and a second swipe of the same card registered 79%. A swipe of two legitimate Arizona driver’s licenses issued to Eisen registered only a 4% match.

The system includes a means to derail attempts to physically force a legitimate user to log in, say at gunpoint. Users can register so-called duress cards with the service that, if run through the scanner, signal that the user is being forced to authenticate against their will. The attempt is shut down.
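The accept, replay and duress decisions described in the last three paragraphs can be sketched as follows. This is an added example, not Trusona's or MagTek's code: readings are modelled as equal-length byte strings, the position-by-position similarity metric and all names (`SwipeVerifier`, `similarity`, `noisy`) are assumptions, and only the 60% threshold comes from the article.

```python
import hashlib

MATCH_THRESHOLD = 0.60  # the card-swipe figure quoted in the article

def similarity(a: bytes, b: bytes) -> float:
    """Fraction of positions where two readings agree (assumed metric)."""
    if not a or len(a) != len(b):
        raise ValueError("readings must be non-empty and of equal length")
    return sum(x == y for x, y in zip(a, b)) / len(a)

def noisy(reading: bytes, every: int) -> bytes:
    """Constructed test helper: corrupt every `every`-th byte of a reading."""
    return bytes(v ^ 0xFF if i % every == 0 else v for i, v in enumerate(reading))

class SwipeVerifier:
    """Hypothetical server-side check for one enrolled card plus duress cards."""

    def __init__(self, enrolled: bytes, duress=()):
        self.enrolled = enrolled
        self.duress = list(duress)
        # Digests of readings already presented. The enrolment template is
        # seeded so that a bit-for-bit copy of it is also treated as a replay.
        self._seen = {hashlib.sha256(enrolled).digest()}

    def verify(self, sample: bytes) -> str:
        digest = hashlib.sha256(sample).digest()
        if digest in self._seen:
            return "replay"   # a genuine swipe never repeats exactly
        self._seen.add(digest)
        if any(similarity(d, sample) >= MATCH_THRESHOLD for d in self.duress):
            return "duress"   # caller shuts the attempt down
        if similarity(self.enrolled, sample) >= MATCH_THRESHOLD:
            return "accept"
        return "reject"

if __name__ == "__main__":
    card = bytes(range(100))                               # constructed reading
    duress_card = bytes((7 * i + 3) % 256 for i in range(100))
    v = SwipeVerifier(card, duress=[duress_card])
    first = noisy(card, 5)                                 # 80% match
    print(v.verify(first))                  # accept
    print(v.verify(first))                  # replay
    print(v.verify(noisy(card, 4)))         # accept
    print(v.verify(noisy(duress_card, 5)))  # duress
    print(v.verify(bytes(100)))             # reject
```

The replay check runs before the threshold check, so a captured reading that would otherwise score well above 60% is still refused the second time it appears.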

In addition to the $99 cost of the dongle, Trusona charges $1 per transaction. Each customer can have three devices, three tokens and three magnetic cards registered to their account. Eisen says the product is aimed at users whose authorizations carry a lot of weight, such as bank customers who are capable of moving thousands or millions of dollars or corporate executives with access to critical data.

Founded in 2015, Trusona is the second company founded by Eisen, who used to run fraud detection for American Express, in collaboration with Frank Abagnale, the former con-man and subject of the movie “Catch Me If You Can,” who is now a consultant to the FBI on working fraud and identity theft cases. The earlier company, 41st Parameter, which dealt with fraud prevention, was bought by Experian.

The two men worked together to hone the Trusona architecture. Eisen would work out what he thought was a feasible solution, and Abagnale would poke holes in it. Eisen would fix them and Abagnale would try again until they came up with the system.

They say they are motivated by helping to stop the crime typically funded by thefts related to identity compromises such as drug dealing, human trafficking and child pornography. “We want to leave a better network to the next generation than the one we got,” Eisen says.

Trusona is based in Scottsdale, Ariz., and has received an $8 million investment from Kleiner Perkins Caufield & Byers.
