Cyber-security startup Acceptto is set to officially emerge from stealth on Nov. 27, bringing to market its' new approach to reducing identity fraud with a cognitive authentication platform.
The foundation of Acceptto's platform is the company's eGuardian engine which enables the cognitive authentication capabilities. With cognitive authentication, rather than relying on usernames and password or simple token based multi-factor authentication, Acceptto is looking to build a resilient immutable identity for users.
"Cognitive authentication is a self-learning, machine learning approach that learns about individuals and their habits and transactions, then detects anomalies and abnormalities," Shahrokh Shahidzadeh, CEO of Acceptto told eWEEK. "We employ a lot of machine learning, artificial intelligence and predictive analytics that can reduce the false positives to a point that we can claim we are frictionless for the good users, while we create friction for suspect users and threat actors."
The launch of the cognitive authentication platform, marks the emergence of Acceptto from its stealth mode of operations. Shahidzadeh began working on Acceptto in June 2016, after spending 22 years working in various roles at Intel. Alongside the product announcement, Acceptto is also raising an undisclosed amount of venture capital as part of a Series A round of funding from Aetna Ventures, Millennium Venture Partners and Celeres Capital.
The Acceptto product platform combines elements of Identity and Access Management (IAM) with User and Entity Behavior (UEBA) analytics. Shahidzadeh explained that the eGuardian technology is the core architecture of the Acceptto platform, and it looks at users activity and graphs that to understand normal behavior. He added that eGuardian includes a policy orchestration engine and risk metrics. The eGuardian system is a mix different artificial intelligence approaches that are continuously learning. On top of the eGuardian engine, Acceptto has multiple product modules for different use-cases.
"One of the products is called, It's Me, which is basically a method and ability to authenticate yourself in an out-of-band mechanism," Shahidzadeh said.
The It's Me product includes both device and browser fingerprinting to help authenticate users as well as an understanding of common behaviors for a given user or type of action. For interactions that are identified as being particularly risky or abnormal, Acceptto can inject an additional dynamic level of assurance to further validate a user. On the policy side of Acceptto, the system has APIs which enable integration with SIEM (Security Information and Event Management) and other common network security platforms for further investigation and analysis.
How It Works
Shahidzadeh explained that Acceptto has an engine that organizations can use to integrate the Acceptto platform with traditional identity platforms that have already been deployed.
"You basically take our API and insert it in, allow some data exchange between the Active Directory and us, as a post-primary authentication method," he said.
Shahidzadeh said that Acceptto integrates in a similar way to traditional two-factor authentication (2FA) systems, though he emphasized that his company's technology is not a binary authentication approach. Rather than simply providing users with a second password or token in order to authenticate, he said that Acceptto brings in a significant amount of data in order to validate the identity of a given user.
"This includes the data that we capture from your mobile device, and from your desktop versus your laptop, location, times of access, and duration," he explained.
Additionally, Acceptto will look at the activity of the given user to see if the requested access activity is normal for the user. While there are multiple competitive options in the industry today for Multi-Factor Authentication (MFA), Shahidzadeh said that the cognitive approach taken by Acceptto is different as it assumes that some aspect of a user's identity has already been breached somewhere, in some way.
"We have this fundamental architectural guardrail that assume that all your identity attributes are already breached, you just don't know about it," he said. "Credentials that you have not yet provided or have not yet created are breached already and the reason is because the systems have been breached."
Shahidzadeh said that what Acceptto does that is different, is rather than relying on any individual identity attribute or token, his company's platform takes a broader view.
"We are talking about a system that is so cognitive that it covers both egocentric and allocentric aspects of the cyberspace and physical space combined," Shahidzadeh said.
Allocentrisim is an approach to understanding an entity in terms of how others view it. Egocentric is the opposite approach, taking a view on how the user's own device and attributes are viewed.
"One of our biggest challenges going forward is the amount of data fusion between both the cyber and physical space," Shahidzadeh said. "On the technical side in 2019 most of our focus is going to be on how to make sense of all the data that is coming to us from all the different enterprises that we are bringing on-board."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.