Friday, May 26, 2006

Interview with Multi-Factor Authentication

For our interview today, I spoke with Craig Lund and Garret Grajek, founders of Multi-Factor Authentication (www.multifa.com), a startup company in the security software area that is based in Irvine. Craig is CEO of the firm, and Garrett is President. They gave me a demo of their web and phone-based security software, and explained a bit about how they're trying to reach the market with an integrated product that allows companies to use a cell phone to authenticate users, instead of a traditional, hardware-based private key.

Ben Kuo: Nice talking to you guys today, thanks for the interview.

Craig: I've got to say, both Garrett and I have spent the greater part of ten years getting on that Monday morning shuttle up to San Jose, so I'm a big fan of the So Cal tech industry. We've been working at a lot of Silicon Valley companies and funded firms, and one of the things that Garrett and I said when we founded Multi-Factor, is that since we both live in Orange County, there's a fantastic talent pool here, it's a great technology center, and we're headquartering this company here. We plan to be a big contributor to that.

BK: Great! Tell me a bit about you and the company...

Craig: I've been in the tech industry for longer than I care to admit now, about 25 years. I started out at Digital Equiment Corporation selling the VAX, and have been in the hardware/software business all my life. I was the Americas sales lead for the IBM security division--all the Tivoli security products, eight different lines, about a hundred people, and $100M in revenue, for all of Canada, the US, and Latin America. Even probably more relevant to what we're doing now, is I was one of the original sales vice presidents at Netegrity, and I literally took that from a Rev 1 startup in the late 90's to what became nearly a billion dollar market cap firm. At that time, had over 3000 customers. When I joined, we had only four. It's a pretty relevant background to building a company up from scratch. I'm hoping to repeat that Netegrity experience here. I've also got all of the general management experience from IBM.

Garrett: My background is similar to Craig's, in similar companies, but in a different domain. I was a security engineer and went out to gather requirements from customers, and actually implemented and architected solutions for companies for the enterprise. My additional experience which is relevant to Multi-Factor is at Cisco. What I learned at Cisco, in addition to the access and identity management solutions from IBM, Netegrity, and RSA, Cisco trained me in some very interesting technology, such as Voice Over IP and SIP servers, which we've integrated into our product. It's very unique, and it allows us to provide authentication without causing the end users to carry a token.

BK: Did you two work together at IBM and Netegrity, then?

Craig; Actually, I ran the sales and support organization. Garrett was our lead when we were building out that practice. Garrett was the go to guy for the team when we needed to do an important install, such as E-Trade. Garrett slept over that night literally at E-Trade when we did an install.

BK: So what does Multi Factor Authentication do?

Craig: What we did is combine some of the tried and true technologies, particularly digital certifications--very good authentication technology--and brought alot of our own intellectual property into it. We made those traditional technologies actually usable and deployable. We also integrated some very unique stuff around SIP servers and things like that, and created a complete solution around this. There are companies offering pieces of this, but we integrated this all together and have offered some new functionality. Most importantly, from the ground up, we developed this thing to be very, very cost effective from a licensing perspective and deployability. It's pennies on the dollars from traditional authentication methods. Applications include financial applications and e-commerce transactions, and are targeting Microsoft applications, where we have a browser-based authentication method for Outlook web access, and corporate VPN authentication. We actually use a one-time generated password through a cell phone to allow someone to log into a web site securely.

BK: Explain a bit about how your technology works--how does this compare to the state of the art?

Garrett: What companies are wrestling with is that they have a small computer, the size of a key fob, that has six digits that change each minute. This key fob is then utilized when someone goes to a web site or VPN, which they put in as a one-time password to log in. The security is that the one time password is only known by the user and is synced up with the back end for a system. This is a wonderful solution, since it is a one-time password which can't be replayed and can't be written down and found. The problem is in the delivery mechanism. The actual token costs between $25 and $40 per user. There's also a 2x cost on the deployment, management, and dealing with loss and theft of that token.

Craig: So what we do is we use the browser as a second form of identification. How we do that is we securely register the user's browser, through what is called "out of band" in the industry. We use text-to-speech, using randomly generated keys to create a one-time password. It's exactly the same as those keys, but instead we call out to an office or cell phone. So we send out that password, then we use an X.509 certificate, which is an incredibly secure authentication means. We have developed a system that requires no modification to existing infrastructure, and no managing of those credentials.

Garrett: What's really important here is not only are we using a call mechanism, we're coupling this with an identity registration system. The best registration system system, which has been in development since the mid 90's, which is the public key infrastructure, the X.509 infrastructure. All the problems we see today--phishing, man in the middle attacks, replay attacks--those are technologies that are a play on the cookie. The cookie is a very weak mechanism to keep session information between a browser and a web servers. People don't know this, but web servers do not understand the concept of sessions. Every time you hit a page, they simply put up a page. The problem with cookies is they're extremely susceptible to attack. X.509 certificates are not suspectible to these attacks.

BK: Where's the company now, how long have you been around, and where are you in terms of launch?

Craig: We've been around for six months, we've put in ninety percent of our efforts around the product, and we're now just getting into the phase of working with companies to start marketing and selling the product. We just hired our first telesales representative, and are looking to put an office out on the East coast. We're just getting into the sales and marketing phase of the company now. We're also GA on the product, we've got several pilots out with our core product, and coming down the pike we're looking at the telephony side of the product and expanding the phone capabilities. We've taken bootstrap and small angel investments right now, we're in dialog now with investors, and are definitely open to talking with others. Finding that match of what the money versus what both sides agrees is the value and equity is an interesting process.

BK: How about customers?

Craig: We've got some interesting customers who are looking at this product--big banks, and others who are in proof of concept, however we are just getting into this phase and don't have any customers in production yet.

BK: Are you getting good response to what you're doing?

Craig: Yes, we are, because we designed this thing to fit into almost any environment. We're banking on selling a lot of this, because our per-user price for all this functionality for $2.99 per user per year. Literally we're getting a little bit this is "too good to be sure", people are asking us what's the catch. Our challenge is execution, and getting ten customers who will say nice things about us. I think when we get ten, we'll get a hundred.

BK: Thanks!