Do you struggle to remember passwords for your online accounts? Do you ever write passwords on a piece of paper and tuck them under your keyboard? Do you use the same password for everything, even though you know it puts all your accounts at risk if one is hacked?
If you answered yes, you’re like most of us. And Toronto-based SecureKey Technologies Inc. thinks it can make your life easier and more secure.
Founded in 2008, SecureKey is not a household name, and it probably never will be. “We’re not intent on becoming a consumer brand,” says chief executive officer Charles Walton.
But three of Canada’s biggest banks know who SecureKey is. They have signed a deal that will allow their customers to use their online banking IDs and passwords when using Government of Canada online services.
“While SecureKey is not known to most, the company is well known and respected in the financial services industry,with backing from Intel Corp. and some of the largest players in secure payments,” says Paal Kaperdal, Toronto-Dominion Bank’s senior vice-president of online banking.
MasterCard, Visa and Discover all own stakes in SecureKey as well. MasterCard already uses its technology in its PayPass Wallet. Mr. Walton won’t talk publicly about Visa or Discover, but the companies’ investment clearly indicates they are interested.
Annual revenue at SecureKey, which has 120 employees, is less than $10-million and the company is “working toward profitability,” Mr. Walton says. In the coming year, besides building its presence in Canada, SecureKey plans to extend its reach into the United States and Britain.
Intel’s stake in the company says a lot. Through its Intel Capital arm, the Santa Clara, Calif., chipmaker was a prime investor in a Series A round of financing in February of 2011, and led SecureKey’s $30-million Series B investment round this spring.
Intel is incorporating SecureKey technology in chip sets it sells to computer manufacturers, meaning SecureKey seems on its way to becoming a part of most computers. Mr. Walton says SecureKey is working on other deals to put it in smartphones, too.
SecureKey’s approach to security is two-pronged. The first prong is to allow ordinary computers and mobile devices to read credit and debit cards. That’s the piece Intel is building into its chips. It means you could tap your credit card against your PC or your smartphone and the device would recognize the card. That would make online transactions more secure, because they would require the actual card, not just the card number.
The second part of SecureKey’s vision is using one secure set of credentials to deal with multiple entities online. The recently announced SecureKey Concierge deal involving the Canadian government, the Bank of Montreal, the Bank of Nova Scotia and TD is an example.
Government departments get to take advantage of the banks’ online security, while banks gain customer loyalty by offering an additional service. And customers, Mr. Boysen says, avoid the need to remember passwords for government sites they may visit infrequently.
“There are a lot of things to keep track of in terms of logins and passwords and so on,” says Mike Henry, senior vice-president and head of Canadian retail payments, deposits and lending at Scotiabank.
The first time someone uses a bank user-ID for access to government services, the federal website will ask a number of questions to verify the person’s identity, says Andre Boysen, SecureKey’s executive vice-president of digital identity and authentication services. After that, the banking ID will suffice.
Some people may hesitate to use their online banking accounts to deal with government departments, especially the Canada Revenue Agency. But Mr. Boysen points out that SecureKey’s system does not give the government banking data or tell banks what government services their customers use. The bank just passes an anonymized security token via SecureKey to the government department, confirming the person’s identity.
SecureKey wants to extend this kind of service to other levels of government and to business. Mr. Walton says the province of British Columbia will join SecureKey Concierge next year, as will some municipalities.
The same idea could work in business settings, he says. For instance, a large manufacturer needs to offer many suppliers electronic access to documents. Rather than issuing security keys to employees of all its suppliers – which Mr. Walton says could lead to employees “walking around with a keychain of these cards” – the supplier’s employee access card could serve as a credential for access to its partner’s systems.
This “credential brokerage” idea isn’t new.
“This is a concept that has been around for a fairly long time,” says Chris Anderson, partner and national practice leader for information security services at Grant Thornton Consulting in Toronto – “in theoretical terms probably 30-35 years.” Identrus, a consortium of major U.S. and European banks, launched a similar project in 1999, but it never gained critical mass, Mr. Anderson says.
“You have to get enough people into the community to make it take off,” says Mr. Anderson. Can SecureKey do what Identrus could not?
“I honestly don’t know,” he says. “I do think there are a lot of positive indicators.”