Security company OneID is helping to eliminate one of the weakest links on the internet: the password. The company received $7 million in its first round of funding today, led by Khosla Ventures.
OneID says that to make accounts more secure, we need to change the way we think of our identities online. Currently, most people use “shared secrets” to verify their identity. That is, you choose a username and a password that only you and the website where your account lives know. That combination becomes your identity on the internet, allowing you access wherever you set up accounts. But passwords are very easy to crack, particularly because people create passwords they can easily remember, and often use one password for many different accounts.
Instead of using passwords, OneID founder Steve Kirsch believes we need to use “public key cryptography”. Kirsch explained public key cryptography to VentureBeat as, “I can prove to you that I know a secret without telling you the secret.”
Kirsch’s OneID works by downloading “cryptographic secrets” to your devices. These secrets then create digital signatures that the website you want to access reads. The website never gets hold of your cryptographic secrets, as it is only reading the digital signatures. When you use the “shared secret” or password method, you’re trusting the website not to accidentally blab your secret if it’s hacked. In the case of public keys, your secret is never shared and thus can’t be accessed if a website’s server is hacked.
It could, however, still be stolen if a criminal gets physical access to your device, if malware infiltrates the device, or if the secrets are phished out of you.
OneID works similarly to Facebook Connect in that the website you want to access must support OneID logins, and you must have a OneID identity. But why not just use Facebook Connect? Many websites do, as it is touted as a secure verification option, given that Facebook has its own security team to watch these points of entry. But OneID founder Steve Kirsch says even these aren’t safe enough. There’s still a username and password involved, and, Kirsch adds, “you shouldn’t be trusting Facebook with anything.”
According to Kirsch, not even OneID knows the cryptographic secrets that it downloads to your device, whereas Facebook knows your password and could be hacked.
The company was founded in 2011 and has brought on PGP co-founder and Khosla Ventures entrepreneur in residence Alex Doll as chief executive officer. Investors include Khosla Ventures and North Bridge Venture Partners.