Vendor Assessment: Transmit Security
How To Kill The Password
A Buyer’s Guide To Passwordless Authentication Technology
Last Updated: 09 September 2021
Document Id: tch-vendor-assess-transmit
Company Key Facts
| Attribute | Detail |
| --- | --- |
| Links | Web – https://www.transmitsecurity.com/ · LinkedIn – https://www.linkedin.com/company/transmit-security/ · Twitter – https://twitter.com/transmitsec · YouTube – https://www.youtube.com/channel/UC705_E5vPIkWOUrGHBCzT7Q |
| Founded Date | 2014 |
| Founders | Mickey Boodaei, Rakesh K. Loonkar |
| No. of Employees | ~260 |
| Total Funding | $583 million |
| Locations | US (Boston), UK, Israel, Japan |
| In Their Own Words | “We power you with the most advanced identity solutions. Striving towards a passwordless experience.” “Identity protection today is more important than ever. Organizations lose billions of dollars and suffer irreparable brand damage due to identity fraud. Our identity and authentication solution keeps you and your users secure and delighted. Identity protection means everything to us. It’s what we do and what we are passionate about.” “Transmit Security was founded in 2014 with the aim of changing the identity security space. Since then we have grown rapidly to meet the demand of the growing IAM space. We have continually developed and found new and innovative ways to meet the needs of our customers and the ever changing security space.” |
Funding
Transmit Security has had two official funding rounds. The first was self-funded: the two founders, Mickey Boodaei and Rakesh Loonkar, provided a seed of $40 million in Q1 2017.
The most recent round, and by far the largest seen within the identity and access management space, was a Series A of $543 million in June 2021, led by General Atlantic and Insight Partners.
| Announced Date | Transaction Name | Number of Investors | Money Raised | Lead Investors |
| --- | --- | --- | --- | --- |
| Jun 22, 2021 | Series A – Transmit Security | 7 | $543M | General Atlantic, Insight Partners |
| Jan 12, 2017 | Funding Round – Transmit Security | 2 | $40M | Mickey Boodaei, Rakesh K. Loonkar |
Source: Crunchbase
Customer Case Studies
| Customer | Region / Sector | Details |
| --- | --- | --- |
| Metro Bank | UK / Retail Banking | UK bank that launched in 2010. By the end of 2020 it had ~2 million retail and commercial accounts. Being based in Europe, it had to comply with the EU’s PSD2 (Payment Services Directive II). A major component of that legislation was SCA (Strong Customer Authentication), which required all customers to use multi-factor authentication by a March 2020 deadline. Speed of deployment was important, as was the ability to integrate with an existing hardware-based MFA. Transmit FlexID was used to orchestrate the rollout of push-notification-based MFA alongside the existing factors. ✔ PSD2 compliance ✔ 4-month deployment ✔ 40% reduction in TCO on the IAM programme |
| TD Bank | US / Retail Banking | TD Bank is a top-10 North American bank with ~15 million users. They were an early Transmit customer, back in 2017. Their vision was to use identity as a core differentiator, with a strong focus on reducing friction and fraud. Integration with existing identity provider services was required (Ping Identity being the incumbent). The long-term plan was to have all customer authentication interactions go through Transmit, with a reduced development cycle. ✔ IdP integration ✔ Omnichannel experiences ✔ Faster development time |
| TIAA | US / Investment | TIAA is a Fortune 100 financial services firm in North America with 6 million online users. An initial use case was call centre fraud reduction. The project launched in August 2017 and was eventually rolled out to 850 call centre reps. Orchestration was required because of the mix of user personas, demographics and modalities. The project resulted in 60,000 lines of custom code being removed. The longer-term plan was an omnichannel set of journeys via the mobile SDK. Authentication factors included SMS OTP, biometric and push. ✔ Varied authentication modalities ✔ 60,000 lines of code removed ✔ Orchestration |
Technology Key Facts
| Attribute | Detail |
| --- | --- |
| Go To Market Message | Identity experiences that are 100% user-centric. Seamless authentication solutions that work for you and your users — no matter how large or small your business |
| Solutions | Workforce: Authentication Orchestration / Passwordless Enterprise / 2FA & MFA / Risk Authentication. Consumer: Passwordless Authentication / Trusted Identity Passports / Biometric Authentication |
| Products / Platform | BindID / FlexID / WorkID / SDK / App-less / Trust Network / API |
| Useful Links | Developer Documentation / BindID / FlexID / WorkID / Demo Playground |
Technology Review
Transmit Security provides three main pillars of passwordless technology: WorkID, targeting the workforce; BindID, for consumer identities; and FlexID, an orchestration layer that sits over existing identity technology.
Their go-to-market narrative places identity at the centre of both security and the end-user experience. Most authentication approaches run into the trade-off between usability and security, and Transmit Security is aiming to reconcile the two for both staff and customers.
They talk about three areas of unique delivery: a passwordless experience built on the FIDO2 standard; innovation focused on app-less technology; and a security talk track that highlights the weaknesses of existing multi-factor authentication components.
They mention “agility” and “flexibility” numerous times in their literature, which speaks to a problem many in industry face when selecting authentication technology: integration requirements and external threats both keep evolving. Fraud is a huge and evolving problem for the financial services and retail industries, and an agile response that reduces its impact is a key narrative for many CISOs.
BindID
BindID is a solution focused exclusively on the customer identity ecosystem. The back story is straightforward: improving the customer experience at stages such as registration and login brings improvements in abandoned shopping cart rates, fewer support desk calls and ultimately happier users, and happier users mean more revenue.
BindID looks to power an “identity authentication network” – which seeks to eliminate the need to have multiple identities, multiple credentials and multiple applications. The “not another app” fatigue when it comes to authentication processes is real – one time password generators, push notification responders, QR scanners and more, result in the end user having 4 or 5 overlapping applications that are leveraged for login journeys across multiple relying parties and services.
Transmit are focusing on the “app-less” adoption track, where a QR code, mobile-browser-initiated authentication experience is front and centre.
An interesting aspect of this is that the login experience can be made consistent across different device types: mobile, desktop and tablet.
BindID leverages two stable identity standards: OpenID Connect, to present identity information from the cloud-based BindID service to the relying party, and FIDO2/WebAuthn, for the cryptographic passwordless authentication dance itself.
“Usernameless” login builds on WebAuthn’s discoverable credentials (resident keys): the user handle is stored on the authenticator alongside the key, so the relying party does not need to ask for an identifier before starting the ceremony, which streamlines the customer experience further.
WebAuthn is a W3C browser API and protocol in which a relying party authenticates a user through public-key challenge-response. The registration ceremony creates a fresh private/public key pair scoped to that relying party: the private key is kept in secure hardware on the device (a secure element, TPM or USB security key) and the public key is handed to the relying party for later verification.
The authentication dance, at its most basic, starts with a local user-verification event on the device (PIN, fingerprint or face). If that succeeds, the authenticator signs a server-supplied challenge (a random nonce, a number used once) together with the origin the browser is actually talking to; the private key is never released from its secure storage. The relying party verifies the signature with the stored public key and also checks that the challenge is the one it issued and that the origin is its own, which is what makes the credential resistant to phishing and replay.
A standardised login ceremony is not unique to Transmit; what they promote is the ability to drive that flow across different devices and scenarios, such as call centre authentication.
WorkID
WorkID is the Transmit solution focused upon workforce enablement and optimization. The narrative is driven towards passwordless-MFA, that is risk based. Workforce identity is very much focused on two things: efficiency and risk reduction. Both pillars typically have assigned budgets and have a mature set of metrics and target total costs of ownership. WorkID is tackling two modern enterprise scenarios: remote worker and zero trust workforce security.
Many modern enterprise security architectures are moving towards zero trust and its relative CARTA (continuous adaptive risk and trust assessment). Transmit aims to support those design patterns.
FlexID
FlexID is an interesting take on the identity workflow and orchestration set of use cases. Many of Transmit’s early customers (see TIAA and TD Bank above) already had identity technologies in their landscape. Most organisations looking to improve MFA or adopt passwordless technology will already have identity repositories, identity provider services, single sign-on integrations and so on.
Many of those systems will have long life spans, be difficult to extend and be less agile than the changes being thrust upon them. FlexID aims to provide an overlay to existing identity technology investments and augment them with modern authentication and risk capabilities.
“No-code” and “unification” are the means by which FlexID provides its value proposition and return on investment. FlexID is centred around user “journeys”, which contain bite-sized chunks of logic and integration. A drag-and-drop model of administration (the “Journey Editor”) allows multiple stakeholders to develop identity workflows based on a set of template life cycle events.
A key component of any orchestrated ecosystem is metrics and Transmit provide a range of ways to analyse user journeys – for coverage, timings and successful authentications.
The business case Transmit aims to describe for FlexID is very much centered around code removal from legacy “glue-ware”, reduced reliance on costly professional services, feature augmentation for legacy access management, accelerated deployment times and a migration away from legacy OTP, risk and authentication modalities via their journey editor.
SDK
Transmit provides three SDKs: mobile device integration for Android and MacOS, plus JavaScript support for web applications. They take a narrative focused on centralised “journey planning” as a means to differentiate their SDK model. Many vendors provide SDKs to wrap APIs and abstract the complex workings of authentication, authorization and identity management from the developer.
Transmit extends this approach, by arguing that their model of centralised SDK orchestration allows developers to focus more on application development, allowing SDKs to be updated, managed and embedded from a centralised control plane.
The SDKs support “transaction signing” as well as authentication. This allows financial events to be integrated into the authentication life cycle, which helps organisations meet regulations such as the EU’s PSD2, whose SCA rules require the authentication code for a payment to be dynamically linked to the amount and the payee.
APIs
Whilst SDKs are in vogue, REST APIs still account for many integrations. Transmit provides a REST API with endpoints including: ../authorize, ../token, ../jwks, ../userinfo, ../authorize_ciba, ../session-feedback and ../custom-user-data.
The first four are the standard endpoints of an OpenID Connect flow: authorization, token issuance, the signing keys a relying party uses to validate ID tokens, and user claims. CIBA is Client Initiated Backchannel Authentication, often used for call centre login flows: the agent’s system initiates the request and retrieves the token, while the user approves the authentication on their own device, so the authentication event and token issuance happen on different devices.
Admin Console
The Transmit BindID Admin Console is the central point for registering integrated applications, applying basic branding to them and configuring tenant settings.
The Admin Console provides a range of basic user details – including the activity relating to their most recent device authentications and linkages.
Sample Technology Integration Coverage
Single Sign On Identity Providers
- Auth0
- Azure AD
Applications
- WordPress
Software Development Kits
- Android
- MacOS
- JavaScript/Web
Hardware Tokens
- Yubico Yubikey
Standards Support
- OpenID Connect
- PKCE
- CIBA
- WebAuthn/FIDO2
Authentication Modalities
- QR Code
- OTP
- Push/Swipe
The Cyber Hut Comment
Transmit Security hit the headlines in June 2021 with a staggering half-billion-dollar Series A round. This was seen at the time as the largest funding round of any cyber security vendor. That funding follows strong growth over a relatively short period, with some notable references from the financial services industry.
Their initial startup focus on identity “orchestration” and centralised “journey planning” seems to have given way to tackling one of the biggest challenges within the cyber security and authentication spaces: how to combine security and usability.
Organisations looking to deliver comprehensive digital identity projects for external facing consumer, customer and citizen based users, will undoubtedly be facing the same challenges regarding how to deliver seamless experiences that are grounded in modern security that uses open standards and cryptography.
Transmit aims to target that exact market. Such a huge round of funding will no doubt create new challenges of its own: namely how to hire from what is already a small talent pool of cyber security professionals with the knowledge and desire to focus solely on the identity and access management space.
The reliance on standards such as OpenID Connect and WebAuthn/FIDO2 will immediately help with integration and adoption by large development teams. However, adopting passwordless technology requires several separate things to come together at the same time, including end-user coverage and education, as well as the ability to deploy modern approaches such as QR code and “app-less” login flows across a broad array of technologies.
Strengths
- Large funding to allow for stable growth over the next 36 months
- Strong references within the financial services industry
- “App-less” integration to increase integration and adoption
- Ability to link devices without re-enrolment activities
- Support for “usernameless” authentication to streamline customer experience
- Strong integration for call centre and voice recognition use cases
- New device linkage increases usability for infrequent user logins and reduces help desk calls
Methodology
The Cyber Hut Vendor Assessments are always independent and free from vendor sponsorship. We follow a 5 step process to create a body of knowledge that provides buyside decision makers with a tool that can assist with overcoming the information asymmetries often associated with vendor due diligence.
1 – OSINT
The first stage in the process is to leverage a range of open source intelligence data points (OSINT) to create an impartial and empirical view of the vendor, through their natural actions, talk tracks and observable data points.
We leverage free and paid for data sources to help understand the basic history and vision of the organization, as well as technical details that help to create a picture of capabilities, features and functions.
This process takes between 2 and 4 weeks to complete and uses sources such as the following:
- Crunchbase / Glassdoor
- YouTube / Twitter / LinkedIn
- Vendor Website
- Vendor Webinars & Events
- Vendor Whitepapers & Datasheets
- Vendor Case Studies
- Patent Search
- Blogs
- Documentation & Release Notes
- APIs and SDKs
- Downloads and Trials
2 – Vendor Briefings
After a basic dossier has been created, a reach out to a vendor is performed to arrange a briefing, pitch and demo and to answer any questions that may have been raised during the OSINT phase.
The briefings usually last about 60 minutes and normally cover a general go-to-market pitch and positioning, followed by a demonstration session by a sales engineer. This process typically results in some further, more technical questions that can easily be answered via email and existing documentation.
At this point, The Cyber Hut are in a position to start creating the first version of their Vendor Assessment.
This will take up to 2 weeks and will contain all the information gathered in the OSINT and vendor briefing stages. Existing public case studies will also be analysed.
3 – Vendor Fact Check
Once the initial draft of the Vendor Assessment has been created, this is sent back to the vendor, to allow them to validate any technical points and “fact check” any information that has been documented. The vendor typically responds within 14 days with any corrections and edits.
4 – Vendor Assessment Completion
After the vendor has been given the opportunity to fact check the assessment any corrections are incorporated into the final document.
At this stage, the document can be made available to buy side practitioners as a standalone artifact. This is provided as a non-distributable PDF available in single-seat and enterprise-wide licenses.
Vendors may also purchase a redistributable version of the Vendor Assessment which they can use as marketing and pre-sales collateral for a 6 or 12 month period.
Methodology Benefits
The benefits to this approach are twofold: firstly the vendor is not burdened with cumbersome questionnaires, normalised market requirements and time consuming templates. The “heavy lifting” is performed by The Cyber Hut in order to provide a more empirical and evidence based assessment.
The vendor has full control over the ability to correct and fact check any written material, which validates the evidence that has been collected.
Secondly, The Cyber Hut does not place emphasis on the concept of “ranking” vendors and identifying “who is the best” in a particular segment, vertical or implementation.
The Cyber Hut aims to produce impartial evidence based reports that help to bridge the supplier and buyer divide.
Vendor Assessments are typically re-evaluated every 12 months.
About The Author
Simon Moffatt is Founder and Analyst at The Cyber Hut. Simon provides the overall strategy and content management, analysing unique positions with many different lenses. He is a published author and contributor to identity and security standards at the likes of NIST and the IETF. He has a 20+ year career working within the identity & access management and cyber security sectors – for vendors, system integrators and within industry.
Education
B.Sc (hons) Economics (York, 2001)
M.Sc Information Security (Royal Holloway, University of London, 2022)
Professional Memberships
MBCS – Member of the British Computer Society
M.CIIS – Member of the Chartered Institute of Information Security
Professional Qualifications
CISSP (Certified Information Systems Security Professional) – 2007 to present
CCSP (Certified Cloud Security Professional) – 2020 to present
CEH (Certified Ethical Hacker) – 2018 to present
CISA (Certified Information Systems Auditor) – 2010 to 2014
Research Interests
Distributed Authorization; Cyber Strategy; Security Economics; Identity Counter Measures; Nation State Cyber Strategy
Disclaimer
© 2021 TCH Research Ltd. All rights reserved. The Cyber Hut is a trading name of TCH Research Ltd.
This publication may not be reproduced or distributed in any form without The Cyber Hut’s prior written permission. It consists of the opinions of The Cyber Hut’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, The Cyber Hut disclaims all warranties as to the accuracy, completeness or adequacy of such information.
The Cyber Hut does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by The Cyber Hut’s Usage Policy.
The Cyber Hut prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party.