While waiting to go on-camera last week at Yahoo Finance, I was milling about, chatting up the other guests outside the studio. A woman was seated nearby with her laptop, and when I introduced myself as a cyber security professional, she summarized her view of my life’s work in three words: Man, these passwords. And then, she offered a concise and entirely correct solution to the problem – also in just three words: We need AI.

During moments like these, I wonder why I bothered to get a PhD. In fact, I think all the effort spent staring at cyber security solutions might have a blinding effect to solutions staring us in the face. In fact, maybe our problems are best met with a fresh look, offered by someone with no bias or tendency toward complexity. In fact, maybe the best such person would be someone just out of high school.

A week before the holidays, I spent time with a colleague, Ryder Gaston, a veteran of our industry, including fifteen years with RSA and CA. Ryder is now with a start-up called Pinn, and he was excited to tell me about their approach to that nagging problem: Passwords. Ryder explained their solution: AI. And he mentioned the background of their founder: Just out of high school. Hmmm. As you would expect, I wanted to hear more:

“Everyone knows that two factors are better than one,” Ryder explained, “so it should come as no surprise that improved proof of identity comes with more factors. And with the use of artificial intelligence, we can automate the processing of many different factors dynamically, based on the unique characteristics of a human being. Our vision is to drive this processing into the mainstream using a combination of hardware and software.”

The Pinn solution, called AuthX, is built on so-called X-factor authentication or XFA, which strongly binds a person or entity to a digital identity. The platform orchestrates proof factor combinations to validate identity based on situational risk. A policy engine manages this risk attribute, adapting required authenticators based on level of risk. This is complemented by audit analytics that watch, remediate, and learn from observed authentications.

Gaston took me through six currently supported proof factors in the AuthX XFA ecosystem: Biometrics using palms, keystroke analysis using dozens of variables, behavioral attributes of users, facial biometrics, various local attributes related to devices, and PKI-based chains of trust. These proof factors are woven into the dynamic determination of identity – again, based on the situational determination of risk level for a given authentication request.

I asked Gaston about the design and implementation of AuthX, and as one would expect, SDKs are available for mobile platforms. “One of our important use-cases,” he explained, “involves directly embedding the AuthX software into an app. This allows for auto-login to the app, based on the advanced, AI-based processing in our software. We can even embed the capability into an HSM for deeper levels of trust.”

Now, naturally, the discussion worked its way to Pinn’s founder and CEO, Will Summerlin. And sure enough, the young man was competing as a wrestler, enjoying mock trial, and running the student council at Serra High School just a few years back, when I was in my last year as CSO at AT&T. I asked Ryder how Summerlin has made the adjustment from leading the student body to leading a Silicon Valley start-up.

“This is a special young man,” Gaston offered. “He’s literally been working this XFA concept and associated adaptive technology for almost six years, starting back when he was still in school. And now he’s assembled an experienced, expert team around him to drive the vision.” This all sounded reasonable to me, and I can personally attest that executives like Ryder Gaston certainly have the chops – and the business contacts – to make this work.

The number one business challenge I can see for Pinn, and I shared this with Gaston during our discussion, is intense competition from many different angles in this push to passwordless, adaptive authentication. Every company I know in this general space has gotten excited about the prospects of machine learning tools and adaptive risk-based multi-factor proof, so the field is certainly getting a bit crowded.

But as I alluded to above, maybe it takes the type of fresh perspective I found outside Yahoo's studio to see things clearly enough to create straightforward solutions to tough problems. And maybe young Will Summerlin has the right elements to lead Pinn on this important mission. The good news is that Summerlin appears to be on the right track, and I expect to be writing about Pinn solutions for many years to come.

Give Ryder Gaston a call and let us know what you learned.