Startup Trusona is launching what it claims to be a 100% accurate authentication scheme aimed at corporate executives, premier banking customers and IT admins who have unfettered authorization to access the most valued corporate assets.
The system uses four-factor authentication to assure that the person logging in is the person they say they are. It requires a dongle that is tied to a set of specific devices (phones, tablets, laptops), certain cards with magnetic stripes that the user already owns, and a biometric ID based on how the card is swiped through the card reader on the dongle.
The TruToken dongle is the miniaturization of anti-ATM-card-cloning technology made by MagTek that reads not the digital data recorded on cards’ magnetic stripes but rather the arrangement of the barium ferrite particles that make the stripes magnetic. The particles are so numerous and so randomly placed that no two stripes have identical patterns, says Ori Eisen, Trusona’s CEO. That also makes the stripes unclonable, he says.
In order to use the authentication system, the Trusona app on the user’s device connects to Trusona’s cloud. The user plugs in the dongle, and if the dongle ID and device ID have been paired, the user is prompted to swipe a card with a magnetic stripe that has also been paired with the user. That can be a credit card, driver’s license, library card, etc. The barium ferrite particles must match.
The way the card is pulled through the card reader on the TruToken is also a unique identifier, Eisen says. People pull them through at different speeds, at different angles and from different directions in a manner that is readable and unique, he says.
If all these factors check out, authentication is confirmed to the server the user is trying to log into. All data is encrypted before it leaves the dongle.
The system includes a method to make sure the person associated with the TruToken and the cards is the actual person and not someone who has stolen someone else’s phone and credit card before purchasing the app and dongle. After the customer registers and purchases the device online, it is delivered to the customer’s home via the U.S. Postal Service, and the mail carrier checks the buyer’s passport before turning over the device to make sure the person receiving it is the person who bought it. Eisen says he’s still working out the deal with the post office.
Alternatively, if a corporation wants to set up accounts for multiple staffers, they can issue the devices to their people in person after confirming their identity in whatever way they see fit.