Usher Identity Software Aims To Replace Passwords, Security Questions With Mobile App

Picture yourself enjoying the beach in a foreign country. You’re relaxed. So you order a margarita -- only to have the bartender come back and say your credit card has been declined because your card provider didn’t know you’d be traveling abroad. Nothing kills a buzz like spending a half hour on the phone attempting to prove your identity, so you have good reason to be interested in the general release Thursday of new software that aims to redefine how mobile users access their information.

The analytics firm MicroStrategy Inc. has released to corporate America a new application called Usher that, assuming it’s successful, could replace online passwords, digital key censors and even driver’s licenses. There’s a lot to the app -- available free for Android and iOS devices -- but it’s easiest to think of it as sounding the death knell for security queries such as “What’s your mother’s maiden name?” or “What are the last four digits of your Social Security number?” It’s comparatively simple for a hacker to discover the answers to those questions, and even find out your password, risks Usher is trying to manage.

If your bank has a deal with MicroStrategy centered on Usher, you can accurately and quickly prove your identity over the phone. Instead of going through the usual security queries -- “How much was your last deposit?” -- you will be sent a randomized four-digit security code through your mobile device. You then provide that code to the customer-service agent, who verifies your identity by entering a code, designed to expire after a predetermined time limit, into his or her own Usher program.

Banks aren’t Usher’s only potential clients. MicroStrategy is advertising the app as a full-scale solution to corporate security. It hopes to see a time when Usher will be the primary method of identity verification.

Password Killer?

Along with the security aspects of the app, Usher enables Bluetooth peer discovery, which allows users to unlock their personal computers without typing in passwords when their mobile devices connect to PCs via Bluetooth, enter locked offices or drive into a gated parking garages. MicroStrategy President Jonathan Klein indicated he expects users to verify their identities to authorize wire transfers or quickly pass through security lines after proving they are who they say they are via the four-digit code.

“We think we have a password killer,” Klein said. “We’ve all kind of hated them for a while, but it’s reached a fever pitch because no one has come out with a solution to replace them.”

MicroStrategy is just the latest in a wave of companies attempting to make Internet security more, well, secure. In many cases, firms are trying to attract customers by doing the work for them: The less you have to think about your password, the better. For example, Dashlane Inc. is a password-management outfit that promises to scramble and encrypt customer passwords, sending alerts if and when a breach appears to have taken place.

From Facebook Inc. and Google Inc. to the Bank of America Corp. and JPMorgan Chase & Co., corporate giants on the Web are also enabling two-factor authentication. The method simply forces a user to verify identity not with one but with two mechanisms, such as first entering a password and then responding to an email asking whether he or she intends to log in to a site. Based on the number of hacks that have taken place, though, it’s clear that many corporate executives Chase, the Sony Pictures Entertainment unit of the Sony Corp. and elsewhere still have a lot to learn.

Along with its expiring four-digit code, Usher software encompasses facial recognition and quick-response-code authentication.

MicroStrategy is fishing for corporate clients that could deploy Usher on mass scales. The military contractor Northrup Grumman Corp. is already signed up, while Georgetown University students have used a beta version of the app to take attendance. A pilot program is also under way for city employees in Jacksonville, Florida. In addition, the Saudi Arabian foreign-affairs ministry is an early adopter.

Corporate pricing for as many as 10,000 users is as much as $10 per user per month.

A ‘Holistic Approach’

Usher’s release to the general public comes after three years of development and more than $100 million in investment, Klein said.

There’s also a program, Usher Analytics, for administrators that lets them access a bunch of data about when people log into the corporate network or walk through the office doors. Klein said Usher Analytics, meant to detect security anomalies and identify where money is being wasted, was developed only with the knowledge MicroStrategy gained after its data-analysis software was used by companies such as Facebook, Lowe’s Cos. Inc. and the Starbucks Corp.

“There are unquestionably companies who are using factors of this, but no one has taken this holistic platform approach,” Klein said. “We’re not so naive to think this is foolproof, but the real differentiator is the analytics to detect if someone is trying to break in somewhere.”

The Usher release coincides with a surge of interest in fingerprints, facial recognition and behavioral analysis as means of identification. Roman V. Yampolskiy, director of the Cyber-Security Lab at the University of Louisville, predicted biometrics and multifactor authentication will soon replace passwords as high-profile hacks get more serious and the general public’s trust in technology continues to rise.

“The thing about behavioral biometrics is you don’t have to do anything, you just go about your day,” Yampolskiy said. “There’s a huge need to authenticate people online, and it’s very difficult for someone to steal your biometric password.”