Vendor Assessment: Secret Double Octopus

How To Kill The Password

A Buyer’s Guide To Passwordless Authentication Technology

Last Updated: 05 November 2021
Document Id: tch-vendor-assess-sdo
Author: simonm@thecyberhut.com
Part of Research Product: “How To Kill The Password – Buyer’s Guide to Passwordless Technology” (tch-research-how-to-kill-the-password)

Company Key Facts

Web – https://doubleoctopus.com/
LinkedIn – https://www.linkedin.com/company/secret-double-octopus/
Twitter – https://twitter.com/double_octopus
YouTube – https://www.youtube.com/channel/UClDgENwQbCcypNOhfR3NrrQ
Founded Date: 2015
Founders: Chen Tetelman, Raz Rafaeli, Shimrit Tzur-David, Shlomi Dolev
No. of Employees: ~50
Total Funding: $22.5 million
Locations: US (Palo Alto HQ + regional), UK, Israel, Paris & Singapore
In Their Own Words: “Secret Double Octopus is a next generation workforce authentication solution provider.” (which includes its flagship passwordless MFA solution). The Octopus Authentication Platform offers mid-market to Fortune 100 enterprises the ability to move to a higher-security, frictionless and unified authentication platform for MFA and passwordless authentication.

From leveraging existing MFA authenticators to supporting legacy on premise applications, no other desktop MFA and enterprise passwordless platform offers as much robustness and flexibility. The company has been designated a Gartner Cool Vendor in 2016.”

Funding

Source: Crunchbase

Secret Double Octopus have had seed, Series A and Series B rounds of funding totaling $22.5 million.  Their most recent round was October 2020.

Investor Name                    | Lead Investor | Funding Round (Secret Double Octopus) | Partners
SC Ventures                      | Yes           | Venture Round                         | Alex Manson
Liberty Israel Venture Fund      |               | Series B                              |
Jerusalem Venture Partners (JVP) |               | Series B                              | Yoav Tzruya
KDDI                             |               | Series B                              |
Sony Financial Ventures          |               | Series B                              |
Global Brain Corporation         |               | Series B                              | Naoki Kamimaeda
Benhamou Global Ventures         |               | Series B                              |
Yaniv Tal                        |               | Series B                              |
Iris Capital                     |               | Series B                              |
Liberty Israel Venture Fund      | No            | Series A                              |
Benhamou Global Ventures         | No            | Series A                              | Eric Benhamou
Iris Capital                     | No            | Series A                              | Yaron Rosenbaum
Jerusalem Venture Partners (JVP) | No            | Series A                              |
Yaniv Tal                        | No            | Series A                              |
Jerusalem Venture Partners (JVP) | Yes           | Seed Round                            |


Customer Case Studies

Customer: Key Mechanical
Region / Sector: USA / HVAC & Refrigeration
Details: Founded in 1956, Key Mechanical is an HVAC and refrigeration contractor serving the West Coast, USA. The company specializes in the design, construction and service of HVAC/refrigeration systems, with clients including Costco, Whole Foods and Target Express. Key Mechanical suffered a phishing attack related to their Office 365 infrastructure, with a stolen credential being used to ask a client to transfer funds. The attack prompted the company to move away from passwords entirely, leveraging the SDO Authenticator to provide AD-integrated passwordless authentication.
✔ Strong integration with Microsoft AD and O365   ✔ Offline support   ✔ Phishing risk removed

Customer: Anagog
Region / Sector: USA / AI driven technology
Details: Anagog, a technology company pioneering on-device artificial intelligence (Edge-AI), was looking for an authentication solution to simplify employee access to company applications. Anagog was particularly interested in a solution that would more efficiently handle authentication to multiple cloud service accounts, so users are not bogged down by the need to manage and recall many passwords. Anagog leveraged SDO to provide not only passwordless authentication via the Octopus Authenticator but also SAML identity provider services that allowed single sign-on to cloud resources.
✔ Integration to AWS, OpenVPN server, BugSnag, GSuite, Atlassian   ✔ SAML support

Technology Key Facts

Go To Market Message: Unified Workforce Authentication – Future-Ready MFA to Passwordless Authentication
Solutions: Single Sign On, Future-ready traditional MFA, Desktop MFA (traditional & passwordless), Legacy on-prem app support
Products / Platform: Octopus Authenticator / Octopus Enterprise / Octopus Pro / Octopus Starter / Octopus Lite
Useful Links: SDO Security Wiki, SDO Blog, Pricing, Integrations Directory, Training Campus

Technology Review

Secret Double Octopus (SDO) is focused on ridding the workplace of passwords – through a narrative very much aimed at the limitations of existing passwords and even MFA solutions such as one time passwords.

They see a world where “workplace authentication is reimagined” with seamless integration across a range of different enterprise applications via the Octopus Authentication Platform – all driven by a secure mobile application called the Octopus Authenticator – or simply Octopus App.  The app provides the basis for all end user interactions to authenticate into the likes of their Microsoft workstation, Active Directory and a range of workplace services such as remote access, Office 365, VPNs and virtual desktop infrastructure.

SDO recognises that many organisations have already invested in a range of identity and authentication solutions, and so provides a range of integration options – many based on standards such as SAML, OpenID Connect, OAuth2 and generic REST APIs.

Another aspect that encourages adoption of the SDO infrastructure is a concept known as BYOA (bring your own authenticator), which SDO supports.  The concept is to integrate existing MFA solutions into the SDO infrastructure, allowing staged migrations that preserve the return on investment in existing tools.

Passwordless Authentication

The SDO approach to passwordless is firmly aimed at internal identities – where a wide range of applications are used, existing MFA solutions have been procured, yet identity is now being moved front and centre as part of zero trust and continuous security style architectures.  This amplifies numerous issues around password use – namely insecurity and end user unhappiness.  SDO supports the business case in which reduced operational cost and increased efficiency are achieved by migrating to a centralised passwordless authentication model.

Next-Generation MFA

Whilst passwordless is a panacea for many organisations, the immediate aim is likely to be consolidation of existing multi-factor authentication providers through the divestment of legacy approaches such as email and SMS based one time passwords (OTP) and the migration away from hardware-based factors.

SDO takes the angle that is business friendly in its language and design.  They talk about a “universal” approach to MFA that should integrate across a range of systems including Workstations and Virtualisation, Cloud & SaaS applications, IDPs, Remote Access & VPN, Privileged Access Management and DevOps.

Admin Authentication

An interesting area SDO emphasizes is applying modern passwordless MFA to privileged access management (PAM) and administration accounts.  Long the focus of many security controls because of “keys to the castle” breaches, administrative accounts, shared accounts and emergency access should not rely on password-based authentication – SDO offers simple app-based “swipe” authentication via its trusted push notification system.  They also claim to provide full visibility of shared account access and use, and provide a range of out-of-the-box integrations with PAM providers such as Thycotic, Centrify, BeyondTrust and CyberArk.

Single Sign On

Many of the larger enterprises will have invested heavily in single sign on (SSO) and identity provider (IDP) services.  These complex middleware platforms typically have long lifespans – often between 3 and 7 years – and provide a range of access management and federation services to internal on-premises applications as well as third-party cloud applications.

SDO provides a range of out of the box solutions to integrate with the likes of Okta, ForgeRock and Ping Identity.  In addition their SSO portal provides direct SAML based access to a host of cloud systems too.

Desktop MFA

The main entry point to systems access each day for many employees is their Windows desktop.  Here SDO supports the use of a credential provider that replaces the standard Windows login dialog with the SDO desktop client. 

This client and the supporting infrastructure provide some interesting use cases.  The first is the ability for the end user to remain in control of their Windows AD password, yet log in without it the majority of the time.

The end user essentially resets their AD password to a value of their choosing – with the password stored in an on-premise Octopus Vault.  The password is encrypted using the user’s newly minted public key.

This storage approach provides an interesting distributed security model for the stored passwords: because each password is encrypted under a different user’s key, an adversary who obtains the vault should not be able to access all passwords within it at once.

The end user is able to retrieve their password (via decryption using their securely stored private key) with the password then copied into memory for replay into legacy systems that still require the AD password.

In addition to this mode of usage for desktop MFA, SDO also supports traditional password-based MFA for desktops and a full passwordless solution for desktop MFA, both of which offer offline support when the Octopus Authenticator is used (vs 3rd party authenticators which are also supported).

Remote Access

Whilst many organisations are looking to phase out VPN technology in favour of the likes of SASE (secure access service edge) and distributed zero-trust based perimeter security, VPN and remote access systems still prevail.  This use has been amplified during the Covid-19 pandemic.  The addition of MFA to these solutions is now a key control point, and SDO provides out-of-the-box support for a range of remote access solutions from the likes of Palo Alto, F5, Check Point and Zscaler.

In addition to mobile authenticator support for VPN, SDO also supports FIDO security keys for VPN login and other modes.


How Do They Deliver This?

SDO provides several interesting capabilities with respect to passwordless MFA.  

Secret Sharing

SDO has several patents, one in relation to the splitting of a data payload across public and private networks.  In this case the data payload is the session key that provides the trigger for user interaction on the installed Octopus App.  This splitting of the session key across multiple channels removes the risk associated with single channel MITM (man in the middle) attacks.  

The key is split across channels: one part travels over the standard HTTPS/TLS connection, one via a push notification, and the final third is provisioned into the application and stored securely on the device in the Secure Element or Trusted Execution Environment.
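As an added illustration (not SDO's code or its patented scheme), the following Go program splits a session key into three XOR shares, one per channel, and shows that reconstruction needs all three: an interceptor holding only the TLS share, or even the TLS and push shares, learns nothing about the key. The channel-to-share mapping and the 32-byte key are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// splitKey returns n shares whose XOR equals key. Assumed channel mapping for
// n == 3: shares[0] goes over TLS, shares[1] via push notification, shares[2]
// is provisioned into the app and kept in the SE/TEE. All shares but the last
// are uniformly random, so any n-1 of them carry no information about key.
func splitKey(key []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("need at least two shares")
	}
	shares := make([][]byte, n)
	last := append([]byte(nil), key...)
	for i := 0; i < n-1; i++ {
		s := make([]byte, len(key))
		if _, err := rand.Read(s); err != nil {
			return nil, err
		}
		shares[i] = s
		for j := range last {
			last[j] ^= s[j] // fold this random share into the final share
		}
	}
	shares[n-1] = last
	return shares, nil
}

// combineShares is the app-side step: XOR the shares received over each
// channel with the one already held on the device.
func combineShares(shares [][]byte) ([]byte, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares")
	}
	out := make([]byte, len(shares[0]))
	for _, s := range shares {
		if len(s) != len(out) {
			return nil, errors.New("share length mismatch")
		}
		for j := range out {
			out[j] ^= s[j]
		}
	}
	return out, nil
}

// observerRecoversKey models an interceptor of a strict subset of channels
// who XORs what they saw; it reports whether that equals the real key.
func observerRecoversKey(key []byte, seen [][]byte) bool {
	got, err := combineShares(seen)
	return err == nil && bytes.Equal(got, key)
}

func main() {
	key := make([]byte, 32) // constructed sample session key
	_, _ = rand.Read(key)
	shares, _ := splitKey(key, 3)
	full, _ := combineShares(shares)
	fmt.Println("device reconstructs key:", bytes.Equal(full, key))
	fmt.Println("TLS-only interceptor recovers key:", observerRecoversKey(key, shares[:1]))
	fmt.Println("TLS+push interceptor recovers key:", observerRecoversKey(key, shares[:2]))
}
```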

AD Password Rotation

Whilst the use of passwordless authentication into Windows Active Directory is a common goal, the underlying password can still exist.  SDO provides a feature to improve security for this legacy password in the form of a policy driven rotation capability.  If the end user is not setting their password, it can be set to a system generated value and changed using a high-frequency rotation policy.  This can further remove the risk of automated password attacks.

Decentralised Vaulting

SDO provides an on-premises password vault that stores the rotated temporary passwords.  These passwords are encrypted using the public key of the user’s asymmetric key pair – with the private key being securely stored within the Secure Element or Trusted Execution Environment on the mobile device.
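The vault and rotation policy described in this and the preceding section, as an added Go example that is not SDO's implementation: each user's rotated password is stored only as RSA-OAEP ciphertext under that user's public key, so a copy of the vault is useless without a device private key, and one user's private key cannot open another user's entry. The rotation interval, password format and freshly generated RSA key pairs are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"time"
)

// vaultEntry holds only ciphertext plus the rotation timestamp the policy
// needs; the plaintext password never persists in the vault.
type vaultEntry struct {
	ciphertext []byte
	rotatedAt  time.Time
}

type Vault struct{ entries map[string]vaultEntry }

func NewVault() *Vault { return &Vault{entries: map[string]vaultEntry{}} }

// RotationDue: rotate when no entry exists or it is older than maxAge
// (maxAge is an assumed policy parameter, not SDO's default).
func (v *Vault) RotationDue(user string, now time.Time, maxAge time.Duration) bool {
	e, ok := v.entries[user]
	return !ok || now.Sub(e.rotatedAt) >= maxAge
}

// Rotate generates a random AD password (constructed format), encrypts it with
// the user's public key via RSA-OAEP and stores only the ciphertext. The
// plaintext is returned solely so the caller can set it in Active Directory.
func (v *Vault) Rotate(user string, pub *rsa.PublicKey, now time.Time) (string, error) {
	raw := make([]byte, 24)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	pw := base64.RawURLEncoding.EncodeToString(raw)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pw), []byte(user))
	if err != nil {
		return "", err
	}
	v.entries[user] = vaultEntry{ciphertext: ct, rotatedAt: now}
	return pw, nil
}

// Retrieve is the device-side step: decrypt with the private key held in the
// SE/TEE. Another user's key fails OAEP decryption, so one compromised device
// plus a stolen vault still yields only that one user's password.
func (v *Vault) Retrieve(user string, priv *rsa.PrivateKey) (string, error) {
	e, ok := v.entries[user]
	if !ok {
		return "", errors.New("no entry for user")
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.ciphertext, []byte(user))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed device key pairs
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	v, now := NewVault(), time.Now()
	pw, _ := v.Rotate("alice", &alice.PublicKey, now)
	got, err := v.Retrieve("alice", alice)
	fmt.Println("own key decrypts:", err == nil && got == pw)
	_, err = v.Retrieve("alice", bob)
	fmt.Println("other user's key decrypts:", err == nil)
}
```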

Octopus App

The main user interaction occurs via the Octopus App, which SDO describes as being “simple, secure and universal”.  It is available for both Android and iOS as expected of most authentication apps. 

Another interesting feature, beyond the secret sharing aspect, is the ability to perform “offline” authentication via the app into an integrated workstation using BLE (Bluetooth Low Energy): if the workstation is disconnected from the network, it can still be unlocked.

Enrolment to the app is via an invitation email containing a QR code that can be scanned, or the details can be entered manually.  A secondary device can also be added via self-service.

A lost or stolen device can be reported via a help desk process and administrative intervention.

Octopus Management Console

Administrators need strong visibility and integration options for centrally deploying passwordless MFA to all applications and distributed systems.  The Octopus Management Console aims to provide that single pane of glass view for configuration and audit.

Audit and log data is built upon the Elasticsearch and Logstash stack and can also be pushed out to third-party SIEM products for retrospective analysis and business intelligence.

Octopus Lite

Octopus Lite is essentially a mechanism for organisations to leverage their existing Okta or ForgeRock authenticator and rapidly integrate to the Octopus platform.  The idea is to leverage the SDO workstation client to extend the existing MFA solution to the end user endpoint – helping to “close the MFA gap” from the IDP to the workstation.  The only component that needs to be installed is the workstation client – with SDO articulating this approach as being server-free.  The existing identity provider platforms (with their authentication apps and shared secret based OTP generators) could be still leveraged as part of a parallel and staged migration approach to passwordless authentication.  Unlike Starter and Pro, the Lite edition only uses the desktop agent and none of the back-end server components of Octopus Enterprise.

Octopus Starter

Octopus Starter sees SDO tackle traditional password-based MFA adoption for VPNs, VDI and cloud applications.  The increased demand for remote working requires the addition of MFA to those backend systems that allow controlled access to on-premise and third party systems.  The same underlying components are being used, but the application coverage starts to expand to additional systems that larger enterprises leverage to enable employee access.

Octopus Pro

Octopus Pro is another passwordless-ready MFA offering that extends Octopus Starter to the desktop and offers BYOA options where a broad number of 3rd party authenticators can be integrated into SDO. This offering serves as another entry point, like Octopus Starter for companies to eventually roll out a full passwordless solution with Octopus Enterprise as part of a progressive passwordless journey. 

Octopus Enterprise

Octopus Enterprise is the final go to market offering SDO have and it is focused upon the broadest possible coverage of passwordless authentication – aiming to replace all employee passwords across the entire workplace, including administrator accounts and legacy on-premise applications with a dependence on Active Directory.  

Octopus Enterprise was previously named Octopus Passwordless Enterprise and represents the company’s flagship solution edition (which shares components with Starter and Pro to offer organizations flexibility in achieving the goal of passwordless).


Sample Technology Integration Coverage

Single Sign On Identity Providers

  • JumpCloud
  • Azure Active Directory
  • ForgeRock
  • Ping Identity
  • Oracle
  • IBM Security
  • Okta

Privileged Access Management

  • CyberArk
  • Thycotic
  • Centrify
  • BeyondTrust

Remote Access  / VPN

  • Palo Alto Networks
  • NordVPN
  • Zscaler
  • F5
  • Check Point

SaaS Applications

  • Zoom
  • Slack
  • GoToMeeting
  • Salesforce
  • SAP
  • PeopleSoft

Workstations / Virtualization

  • VMware
  • Citrix
  • Linux
  • macOS
  • Microsoft Windows
  • Microsoft Hyper-V

DevOps

  • Jira
  • OpenStack
  • Git
  • RackSpace
  • Cloudflare

The Cyber Hut Comment

Secret Double Octopus undoubtedly plays in the modern workplace enablement space, by providing a broad range of integration options and improved user experience talk tracks for employees, contractors and partners.

Their history and experience are amplified by a wide range of resources, training and wikis that promote their view of making passwordless authentication and consolidated MFA a simple and universal process.

Their case studies focus upon the improved security and broad coverage of integration – typically for small to medium sized enterprises.

Their narrative surrounding staged migrations and the bring your own authenticator strategy show a sound knowledge of the complexities many organizations face with respect to attempting to rapidly change authentication journeys.  

Strengths

  • Broad array of workplace application coverage from VPNs, workstations, remote access, cloud/SaaS applications, privileged access management systems and legacy on-premise applications, whether using AD or not.
  • A patented and innovative approach to communicating with the mobile app that removes the threat of MITM attacks
  • Strong identity provider coverage to allow for SSO and legacy application coverage
  • A patented and innovative approach to Windows AD Security – through password vaulting, multi-key encryption and high frequency policy driven password rotation
  • Ability to perform offline authentication to pre-integrated workstation (for password based authentication and passwordless)

Methodology

The Cyber Hut Vendor Assessments are always independent and free from vendor sponsorship.  We follow a 5 step process to create a body of knowledge that provides buyside decision makers with a tool that can assist with overcoming the information asymmetries often associated with vendor due diligence.

1 – OSINT

The first stage in the process is to leverage a range of open source intelligence data points (OSINT) to create an impartial and empirical view of the vendor, through their natural actions, talk tracks and observable data points.

We leverage free and paid for data sources to help understand the basic history and vision of the organization, as well as technical details that help to create a picture of capabilities, features and functions.  

This process takes between 2 and 4 weeks to complete and uses sources such as the following:

  • Crunchbase / Glassdoor
  • YouTube / Twitter / LinkedIn
  • Vendor Website
  • Vendor Webinars & Events
  • Vendor Whitepapers & Datasheets
  • Vendor Case Studies
  • Patent Search
  • Blogs
  • Documentation & Release Notes
  • APIs and SDKs
  • Downloads and Trials

2 – Vendor Briefings

After a basic dossier has been created, a reach out to a vendor is performed to arrange a briefing, pitch and demo and to answer any questions that may have been raised during the OSINT phase.

The briefings usually last about 60 mins and normally cover a general go to market pitch and position, followed by a secondary demonstration session by a sales engineer.  This process typically results in some further more technical questions that can be easily answered via email and existing documentation.

At this point, The Cyber Hut are in a position to start creating the first version of their Vendor Assessment.

This will take up to 2 weeks and will contain all the information gathered in the OSINT and vendor briefing stages.  Existing public case studies will also be analysed.

3 – Vendor Fact Check

Once the initial draft of the Vendor Assessment has been created, this is sent back to the vendor, to allow them to validate any technical points and “fact check” any information that has been documented.  The vendor typically responds within 14 days with any corrections and edits.

4 – Vendor Assessment Completion

After the vendor has been given the opportunity to fact check the assessment any corrections are incorporated into the final document.

At this stage, the document can be made available to buy side practitioners as a standalone artifact.  This is provided as a non-distributable PDF available in single-seat and enterprise-wide licenses.

Vendors may also purchase a redistributable version of the Vendor Assessment which they can use as marketing and pre-sales collateral for a 6 or 12 month period.

Methodology Benefits

The benefits to this approach are twofold:  firstly the vendor is not burdened with cumbersome questionnaires, normalised market requirements and time consuming templates.  The “heavy lifting” is performed by The Cyber Hut in order to provide a more empirical and evidence based assessment.

The vendor has full control over the ability to correct and fact check any written material, which validates the evidence that has been collected.

Secondly, The Cyber Hut does not place emphasis on the concept of “ranking” vendors and identifying “who is the best” in a particular segment, vertical or implementation.  

The Cyber Hut aims to produce impartial evidence based reports that help to bridge the supplier and buyer divide.

Vendor Assessments are typically re-evaluated every 12 months.

About The Author

Simon Moffatt is Founder and Analyst at The Cyber Hut.  Simon provides the overall strategy and content management, analysing unique positions with many different lenses. He is a published author and contributor to identity and security standards at the likes of NIST and the IETF.  He has a 20+ year career working within the identity & access management and cyber security sectors – for vendors, system integrators and within industry.  



Education

B.Sc (hons) Economics (York, 2001)

M.Sc Information Security (Royal Holloway, University of London, 2022)

Professional Memberships

MBCS – Member of the British Computer Society

F.CIIS – Fellow of the Chartered Institute of Information Security

Professional Qualifications

CISSP (Certified Information Systems Security Professional) – 2007 to present

CCSP (Certified Cloud Security Professional) – 2020 to present

CEH (Certified Ethical Hacker) – 2018 to present

CISA (Certified Information Systems Auditor) – 2010 to 2014

Research Interests

Distributed Authorization; Cyber Strategy; Security Economics; Identity Counter Measures; Nation State Cyber Strategy

Disclaimer

© 2021 TCH Research Ltd.  All rights reserved. The Cyber Hut is a trading name of TCH Research Ltd.

This publication may not be reproduced or distributed in any form without The Cyber Hut’s prior written permission. It consists of the opinions of The Cyber Hut’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, The Cyber Hut disclaims all warranties as to the accuracy, completeness or adequacy of such information. 

The Cyber Hut does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by The Cyber Hut’s Usage Policy. 

The Cyber Hut prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party.
