In a Nutshell: Large-scale security breaches are on the rise, leaving businesses vulnerable and in need of a security solution that will keep user information safe. Enter HYPR, a decentralized authentication platform that addresses the root problem of hacks — password storage. HYPR helps financial corporations such as Mastercard secure user credentials by storing them safely on mobile devices. Providing one of the first true password-less security solutions, HYPR easily integrates with enterprise applications for top-level security that doesn’t affect user experience and prepares companies for the future.
In January 2019, security researchers announced that nearly 773 million email addresses and passwords — including login credentials for more than 2,000 websites — had been exposed to hackers through a public cloud service.
A breach of that scale has consumers scrambling to reset the passwords on their most sensitive accounts. And companies must prepare for the threat of credential stuffing — a type of cyberattack in which hackers automate hundreds of millions of combinations of stolen usernames and passwords.
But some enterprises have fewer reasons to worry about this growing security threat. One of those is multinational financial services corporation Mastercard.
Responding to a consumer shift away from physical credit cards in favor of digital options, Mastercard is pursuing its vision of a mobile payment future. Yet, the challenge became protecting its massive network of banking partners and mobile users against data breaches with robust, standards-based authentication (FIDO, or Fast ID Online) that wouldn’t interfere with the user experience. That led Mastercard to partner with HYPR.
“As Mastercard moved payment credentials to the mobile phone, they needed a higher level of security than they had before. That’s where HYPR came in,” said George Avetisov, the New York-based company’s CEO and Co-Founder.
HYPR, which had launched in 2014 and unveiled its cutting-edge security tech at CES 2015, delivered precisely what Mastercard was looking for: the first decentralized authentication platform (DAP) designed to eliminate passwords — the prime target of credential reuse, phishing scams, and financial fraud.
Since integrating the HYPR security solution in 2017, Mastercard has reduced mobile payment fraud, essentially stopped credential reuse attacks, and enhanced its user experiences with faster, hassle-free transactions. And all of those accomplishments align with its goal of ushering in a new era of digital payments.
“The core component of what we do fits very neatly into Mastercard’s long-term vision. That’s how we came to work on this much larger project, which, from my view, is far ahead of where most credit card companies are today,” Avetisov said.
Addressing the Root Security Problem of Shared Secrets
Large-scale data breaches don’t just affect consumers — they’re devastating and costly to merchants and financial enterprises. And the way institutions store user login information is at the root of the problem.
“Enterprises are storing passwords and the keys to our digital identity, essentially centralizing them in one place. When they get breached, millions of people are impacted. The worst part for a large enterprise or bank is not that it is impacted by internal breaches, but it’s also impacted by external breaches,” Avetisov said. “Every time Yahoo, LinkedIn, or Twitter gets hacked, those passwords get used against you. There’s a lot of collateral damage from every breach.”
During his days as a private merchant, Avetisov personally experienced this pain point.
“When you’re doing ecommerce, you get hit with a lot of fraud. I was on the receiving end of every fraud imaginable — credit card, money transfer, PayPal. As a merchant, you’re very unprotected,” Avetisov said. “Consumers get their money back, and card issuers don’t lose much, but merchants lose money in chargebacks. So, I had a personal mission to understand why digital authentication, and consumer authentication specifically, was so broken.”
Drawing on his background in ecommerce, digital payments, and fraud prevention, Avetisov co-founded HYPR to solve this problem, innovating authentication technology that hadn’t changed for years. In doing so, HYPR designed a solution with profound implications for the future of financial enterprises.
While many companies now offer password-less experiences — i.e., not being required to log in every time you visit a website — they still rely on passwords stored in a company-held database. HYPR, on the other hand, provides true passwordless security.
“There are roughly 200 vendors in user authentication, but only about a dozen enable true passwordless security. We’re one of the few companies that actually get rid of passwords,” Avetisov said.
The HYPR platform replaces passwords with FIDO-Certified PKI authentication — hardware-backed storage of payment credentials on the user’s mobile device — which are secured by HYPR’s Advanced Device Protection (ADP).
For users, everything stays the same; they can visit a company’s mobile app, enter a personal Touch ID/PIN, and log in. Since HYPR secures the user’s credentials right on the device, passwords never leave the phone, and the company never actually accesses the user’s credentials.
So, instead of attacking the enterprise — one target — hackers looking to steal login information from an enterprise deploying HYPR must attack each device individually, which is practically impossible.
“With true passwordless security, an enterprise can effectively eliminate credential reuse, phishing attacks, and account takeover fraud, which is why companies like Mastercard and large banks/enterprises have adopted HYPR,” Avetisov said.
Demonstrating the Advantages of No-Password Authentication in the Digital Payment Age
HYPR works with clients ranging from global credit card companies to banks, ATM companies, and retailers, so more than 25 million people across the globe can enjoy truly password-free security. As HYPR’s client list continues to grow, its goal is to increase that to 100 million people by the end of 2019.
As HYPR works with new clients, it encounters three basic levels of readiness, and each stage dictates how it can contribute to the enterprise’s ongoing security.
“Enterprises we work with fall into one of three categories: those ready to adopt a solution like ours; those who went a different direction and are perhaps trying to re-architect; and those who just know they have a problem. The last group is the largest, and it’s my favorite type of company to work with,” Avetisov said.
The reason, he said, is that it is an opportunity to explain — and demonstrate — to the enterprise the importance of a truly passwordless security platform.
“When we show them HYPR, it’s not about demonstrating a product; it’s about demonstrating that there’s a solution to their problem. The underlying mechanics of that solution aren’t important to them, just the fact that it is true passwordless security,” Avetisov said. “We understand that, for an enterprise, the ‘why’ is much more important than the ‘how.’”
HYPR Can Help Financial Institutions Save Money and Eliminate Fraud
Mastercard’s recent drop of the capital “C” from its branding is symbolic of the industry’s movement beyond the card and into a future of mobile-based payments. While streamlined to fit the connected, fast-paced lifestyles of consumers, digital payment platforms are not without their challenges — and the rise of credential reuse and related fraud is at the top of the list.
By adopting HYPR’s security platform, enterprises can address the core weakness of centrally stored passwords. The solution can eliminate fraud at the source, provide top-level user security and experiences, and capitalize on a mobile device’s most significant advantage: the ability to secure user credentials safely in the palm of the user’s hand.
“When you speak to our companies and ask them why they invest in HYPR, they believe in the long-term mission of a passwordless world,” Avetisov said. “It goes beyond just solving for user fraud or making your chief security officer happy; it’s a deeper mission of changing the way consumers authenticate.”