Promises safer, streamlined logins by removing the need for devices and tokens to verify identity and store personal information, a common target of hackers.

Badge has launched a privacy-preserving authentication system designed to enable enterprise authentication across multiple devices, after a single enrollment, and without storing personally identifiable information (PII). With stored credentials the target of nearly half (49%) of all breaches, according to Verizon’s 2023 Data Breach Investigations Report, Badge is seeking to tackle a widespread security challenge.

How Badge works

The deviceless, tokenless authentication system is intended to let users move freely across devices and platforms without losing access to their accounts or compromising security, and it allows multiple users to share a single device. Passwords combined with MFA elements such as security verification questions create user friction and are security weak points, said Badge co-founder Tina Srivastava.

“We’ve been using devices as a proxy for our identity, and it works as long as you don’t lose or break your device. But the problem is that when it happens, it’s a headache for users, and an entry point for fraud,” she told CSO.

Instead, Badge combines a face, fingerprint or voice with passive or knowledge-based characteristics as authentication factors and uses cryptography to derive a key on the fly from those factors. Because the authentication elements are unique to an individual, the key is unique, but it does not lock the user to a specific device. At initial enrollment, Badge lets users obtain a private key and a public key that is partly dependent on the user’s biometrics or other authentication factors. After enrollment, the biometrics and private key are destroyed, leaving only a public key that does not reveal personal information and is validated through the biometric data initially used.
“This method allows for secure authentication across multiple devices without storing any secrets, and the technology addresses the problem of central databases holding sensitive personal data,” Srivastava said.

Badge wants to solve a longstanding cryptography puzzle

Badge was founded by cryptography PhDs from MIT, and its patented technology uses advanced encryption and privacy-preserving algorithms to ensure user data remains secure and private. Srivastava said the team has solved a 20-year open problem in cryptography, the ability to derive a key on the fly from authentication factors, which has been recognized by the IEEE.

“We can extend zero trust all the way to the user, because instead of ending at the device where the key is, you are your key, so trust gets extended to the user and reduces the threat surface.”

With human error recognized as one of the consistent weak links in cybersecurity, Srivastava said the system must be implemented correctly, but that its design is robust, being cryptographically zero-knowledge and quantum resistant.

“We think about it this way: with a lot of attacks, a hacker is trying to break the castle walls to steal the crown jewels, which are identity credentials, and a lot of products are focused on building higher walls to protect them. But what if there weren’t any crowns to steal?” she said.

Badge integrates with Auth0 Marketplace

Badge offers integration with Auth0 Marketplace, extending the functionality of Okta’s Customer Identity Cloud and enabling Auth0 users to add Badge to their IAM workflows with simple, code-free configuration.

“This helps with automatic user provisioning. If an IT administrator manages users in Okta, they don’t have to go to a Badge admin panel, they can stay within Okta and add or delete users, and everything automatically flows to that,” Srivastava said.
In the healthcare space, for example, there is a real challenge with shared devices, and it is these kinds of settings that Badge is looking to target with the Okta partnership by decoupling authentication from a fixed device.

“You only have to enroll once in your lifetime and then you can authenticate on any device and never store any private data on that device,” she said.

Offering on-premises or SaaS models, Badge is built for zero-code integration using standard protocols, including OAuth 2, SAML, FIDO and OIDC, to extend its compatibility to other platforms. Beyond this, Badge said it has had interest from platform providers, OEM manufacturers, and even identity verification providers, as many of them face the same customer problem: lost account access.

“One of the biggest challenges that all of them face is account recovery. It’s very manual and involves calling help desks trying to recover your information,” she said.

“With Badge, because you can re-derive the key on a new device, you could drop your phone in a swimming pool, buy a new device and be able to use your face to authenticate, re-derive the key and get all your credentials and access to your applications, but with the security benefits of not having these centrally stored credentials,” Srivastava said.

Badge also integrates with ForgeRock, Microsoft, Ping Identity and Radiant Logic.