Vendor Assessment: Veridium
How To Kill The Password
A Buyer’s Guide To Passwordless Authentication Technology
Last Updated: 12 October 2021
Document Id: tch-vendor-assess-veridium
Company Key Facts
Web | https://www.veridiumid.com/ |
LinkedIn | https://www.linkedin.com/company/veridium/ |
Twitter | https://twitter.com/veridiumid |
YouTube | https://www.youtube.com/channel/UCQJ0qSdVUzhHGW6QD7qzrTw/videos |
Founded Date | 2016 |
Executive Team | Todd Shollenbarger (Chairman), Ismet Geri (CEO), Baber Amin (COO), John Callahan (CTO) |
No. of Employees | ~50 |
Total Funding | $16.7 million |
Locations | UK (London, Oxford), USA (New York), Romania |
In Their Own Words | Your Partner for Passwordless Authentication. Veridium envisions an authentication experience where your digital identity should fundamentally be similar to your innate identity and enables modern, passwordless, omnichannel authentication for employees, customers and transactions. To fulfill this vision we built the most comprehensive Integrated Identity Platform powered by AI-based Behavioural Biometrics, enabling Multi Factor Authentication, digital ID verification and a true passwordless experience. |
Funding
Announced Date | Transaction Name | Number of Investors | Money Raised | Lead Investors |
Jun 29, 2018 | Series B – Veridium | 3 | $16.5M | Michael Spencer |
Jun 22, 2018 | Grant – Veridium | 1 | $150K | DFS Lab |
Veridium has received over $16 million in total funding. Their series B in June 2018 was led by Michael Spencer.
Source: Crunchbase
Customer Case Studies
Customer | Region / Sector | Details |
AnnieCannons | US / Non-profit | AnnieCannons provides technology support services for a range of non-profit initiatives. They leverage the Veridium technology to support application and infrastructure services for a human trafficking victim support programme. They built an application that leveraged Veridium components to allow for privacy preserving secure biometric enrollment for victims, in order for them to access services such as healthcare and shelter. Impact: Secure proofing / Privacy preserving biometrics / Reduced manual processing of applications / Simplified access to resources – Further details. |
Cuy Movil | Peru / Telco | Cuy Movil is a leading mobile telecommunications provider in Peru. They were seeking a method to biometrically authenticate new SIM card users during enrollment. An investigation found that leveraging physical scanners in-store was too expensive and time consuming to use, with a large implementation cycle. Cuy Movil leverages the Veridium 4 Fingers biometric solution to securely enroll and authenticate new users. The process leverages the existing on-mobile camera to take a picture of their “4 fingers”. Impact: Streamlined enrollment / Cheaper and more effective biometry than hardware / Rollout without requiring new staff or hardware – Further details. |
Dubai Islamic Bank | Pakistan / Banking | DIB is one of the leading Islamic banks in Pakistan. They leveraged existing hardware based fingerprint scanners for in-branch customer authentication. These devices were coming to the end of their service life and needed replacing. DIB leveraged the Veridium 4 Fingers biometric solution along with their SDK to build a new DIB mobile banking application. Impact: Huge cost savings in hardware biometric replacement / Regulatory compliant / Streamlined experience – Further details. |
Technology Key Facts
Go To Market Message | “We strive for a passwordless world” – based on identity verification that is simple and effective to use. |
Solutions | Workforce authentication / Consumer authentication / Identity verification |
Products / Platform | Composer / InMotion Behavioural Biometrics / 4Fingers / vFace / SDK |
Useful Links | Case Studies Directory / Data Sheet Directory / Video Directory |
Technology Review
Veridium provides a range of biometric centered passwordless authentication solutions, including proprietary components for both fingerprint scanning and facial recognition.
With such a strong focus upon biometric authentication, they have several case studies showing support for large scale hardware biometry replacement – especially for the likes of hardware based fingerprint scanners.
They have a strong patent history associated with biometric technology.
Whilst they provide solutions for both the workforce and consumer user groups, they also provide a range of identity verification capabilities – enabling subsequent authentication events to be tied back to a real identity of known origin.
They provide a narrative based upon the “enterprise dilemma” – where organisations have multiple identity providers and numerous multi factor authentication providers that all require integration and projects to justify a return on investment. Whilst usability is a key end user concern, Veridium also focuses upon usability for administrators – with their Composer product helping to integrate and manage components seamlessly.
Workforce Authentication
Veridium provides a range of authentication options for the modern and complex enterprise. They have a range of integration options, from the likes of Windows and virtual desktop infrastructure through to the replacement of existing hardware based MFA components.
One of their go to market straplines is “Windows Hello” without “Windows” and without “Hello” – that is delivering a well known and successful passwordless authentication experience to a range of systems, not just Microsoft based.
Customer Authentication
Customer authentication for Veridium very much focuses on replacing some of the existing approaches to secure MFA such as tokens and hardware fobs.
Many organizations, specifically within the financial services arena, would leverage OTP (one time password) based authentication fobs for authentication and high risk transactions. These can be expensive to maintain and do not necessarily provide long term agility.
Veridium aims to reduce the operational cost of such use cases by replacing hardware with existing technology – namely the customer’s mobile device, coupled with a mobile application using the Veridium SDK to provide secure biometric authentication and enrollment.
Veridium also provides a narrative around the modern customer experience requiring an omnichannel experience – that is authentication services that are consistent across web, call centre and mobile technology groups.
They also seemingly target regulated industries – by allowing biometric data to be handled in a privacy preserving manner.
Identity Verification
Identity verification to Veridium is very much focused on the secure biometric enrollment of end user data that is technically equivalent to, and sometimes compatible with, existing biometric systems based on the fingerprint.
Their 4Fingers proprietary biometric solution can provide compatibility with existing fingerprint databases such as NADRA (Pakistan’s National Database and Registration Authority), RENIEC (Peru’s National Registry of Identification and Civil Status) and AADHAAR (Unique Identification Authority of India).
Not only is this being used for KYC (know your customer) style use cases, it is also being used by national government and law enforcement agencies.
Veridium ID Platform
The ID Platform is Veridium’s approach to providing a centralized set of MFA capabilities that can be abstracted from the underlying identity provider and application services that require biometric authentication.
Organizations – especially when focused on employee identity – will have a range of enterprise applications that require strong passwordless authentication. The ID Platform claims to provide that integration option to identity providers, SaaS applications and legacy systems too.
The ID Platform provides an abstraction narrative that removes the authentication pressure from existing identity providers such as Okta, Ping Identity or ForgeRock.
Composer Orchestration Engine
Enterprise identity and access management is becoming ever more complex, with multiple authentication modals, data signals and integrated systems.
The Veridium Composer is aimed at improving the usability for the administrator.
This central console provides the ability to design user flows that help to augment existing and new data signals to allow consistent omnichannel authentication across different device types.
InMotion Behavioral Biometric
Veridium talks about proprietary biometric technology as one of their main unique selling points, with numerous case studies where a solution from an existing hardware biometric has been migrated to Veridium. InMotion is their behavioural biometric engine. It aims to improve on the typical OS-led native biometric services such as FaceID or fingerprint by analysing behavioural characteristics at the same time they are being used – reducing the ability for biometric spoofing.
How the end user holds their phone and interacts with the device, for example, is captured using the “motion sensors” on the mobile. These interactions are continually analysed and monitored when the biometric is taken, in order to generate a risk score that can be used to determine whether step up authentication events are needed.
4Fingers
4Fingers is a proprietary biometric capability Veridium have designed to improve fingerprint based authentication. The concept is to leverage the existing camera available in many mobile telephones.
By taking a picture of the four fingers on each hand, the Veridium SDK can leverage this as a means to uniquely identify the end user, without the need for expensive hardware. Fingerprint verification is a typical use case for financial institutions, as well as government agencies and law enforcement. 4Fingers also provides support to match the captured templates with existing fingerprint databases for simpler migration and integration.
vFace
vFace is Veridium’s second proprietary biometric capability. vFace provides alternative ways to capture facial imagery away from the native mobile operating system. The storage of the biometric data is also distributed – reducing a single attack vector on the device. Veridium describes how they have the ability to essentially provide the Windows Hello capabilities to other non-Microsoft based services.
vFace uses a liveness check to provide robust protection against picture and video based spoofing attacks. A mobile SDK and AI powered back end provides the infrastructure for deployment.
SDK
The Veridium ID app is available in both the iTunes and Google app stores. Many organizations of course want to develop their own applications. Veridium provides an SDK to assist them in doing so for both the Android and iOS platforms.
Pre-requisites:
iOS
- Operating system: 9.0 and above
- Programming language: Swift or Objective-C
- Hardware sensors: depending on the capabilities of the phone the SDK will use local biometrics such as TouchID or FaceID.
- For the VeridiumID proprietary 4F biometry, back camera permission is required.
Android
- Operating system: 4.4.4 (API 19) and above
- Programming language: Java 8 or Kotlin
- Hardware sensors: depending on the capabilities of the phone the SDK will use local biometrics like Fingerprint or Face recognition.
- For the VeridiumID proprietary 4F biometry, back camera permission is required.
Sample Technology Integration Coverage
Single Sign On Identity Providers
- Okta
- ForgeRock
- Ping Identity
Identity Verification
- Jumio
Virtual Desktop Infrastructure
- Citrix
- IGEL
Cloud Infrastructure
- AWS
- Microsoft
Hardware
- FIDO/FIDO2
The Cyber Hut Comment
Veridium has a range of proprietary biometric capabilities that can assist in the deployment of secure multi factor enabled passwordless authentication. Their case studies prove capabilities for the higher security use cases for financial institutions, government and law enforcement entities.
The replacement of legacy hardware based biometric technology such as fingerprint scanners seems a sweet spot, with the lower cost and more agile deployment approach of the Veridium SDK and Veridium ID platform.
The focus on security usability for the end user is not new – but what Veridium are also doing is amplifying the usability for the designer or administrator of authentication solutions. The complex hybrid nature of many enterprises is driving the need for more orchestration and the Veridium Composer seems to fit in that arena of improving the integrated and consolidated technology view when it comes to authentication.
Strengths
- Strong directory of case studies
- Over 50 patents for proprietary biometrics for face and fingerprint
- Strong support for higher security use cases for government and law enforcement
- Strong support for hardware fingerprint migrations
- FIDO2 certified
Methodology
The Cyber Hut Vendor Assessments are always independent and free from vendor sponsorship. We follow a 5 step process to create a body of knowledge that provides buyside decision makers with a tool that can assist with overcoming the information asymmetries often associated with vendor due diligence.
1 – OSINT
The first stage in the process is to leverage a range of open source intelligence data points (OSINT) to create an impartial and empirical view of the vendor, through their natural actions, talk tracks and observable data points.
We leverage free and paid for data sources to help understand the basic history and vision of the organization, as well as technical details that help to create a picture of capabilities, features and functions.
This process takes between 2 and 4 weeks to complete and uses sources such as the following:
- Crunchbase / Glassdoor
- YouTube / Twitter / LinkedIn
- Vendor Website
- Vendor Webinars & Events
- Vendor Whitepapers & Datasheets
- Vendor Case Studies
- Patent Search
- Blogs
- Documentation & Release Notes
- APIs and SDKs
- Downloads and Trials
2 – Vendor Briefings
After a basic dossier has been created, the vendor is contacted to arrange a briefing, pitch and demo and to answer any questions that may have been raised during the OSINT phase.
The briefings usually last about 60 mins and normally cover a general go to market pitch and position, followed by a secondary demonstration session by a sales engineer. This process typically results in some further more technical questions that can be easily answered via email and existing documentation.
At this point, The Cyber Hut are in a position to start creating the first version of their Vendor Assessment.
This will take up to 2 weeks and will contain all the information gathered in the OSINT and vendor briefing stages. Existing public case studies will also be analysed.
3 – Vendor Fact Check
Once the initial draft of the Vendor Assessment has been created, this is sent back to the vendor, to allow them to validate any technical points and “fact check” any information that has been documented. The vendor typically responds within 14 days with any corrections and edits.
4 – Vendor Assessment Completion
After the vendor has been given the opportunity to fact check the assessment, any corrections are incorporated into the final document.
At this stage, the document can be made available to buy side practitioners as a standalone artifact. This is provided as a non-distributable PDF available in single-seat and enterprise-wide licenses.
Vendors may also purchase a redistributable version of the Vendor Assessment which they can use as marketing and pre-sales collateral for a 6 or 12 month period.
Methodology Benefits
The benefits to this approach are twofold: firstly the vendor is not burdened with cumbersome questionnaires, normalised market requirements and time consuming templates. The “heavy lifting” is performed by The Cyber Hut in order to provide a more empirical and evidence based assessment.
The vendor has full control over the ability to correct and fact check any written material, which validates the evidence that has been collected.
Secondly, The Cyber Hut does not place emphasis on the concept of “ranking” vendors and identifying “who is the best” in a particular segment, vertical or implementation.
The Cyber Hut aims to produce impartial evidence based reports that help to bridge the supplier and buyer divide.
Vendor Assessments are typically re-evaluated every 12 months.
About The Author
Simon Moffatt is Founder and Analyst at The Cyber Hut. Simon provides the overall strategy and content management, analysing unique positions with many different lenses. He is a published author and contributor to identity and security standards at the likes of NIST and the IETF. He has a 20+ year career working within the identity & access management and cyber security sectors – for vendors, system integrators and within industry.
Education
B.Sc (hons) Economics (York, 2001)
M.Sc Information Security (Royal Holloway, University of London, 2022)
Professional Memberships
MBCS – Member of the British Computer Society
F.CIIS – Fellow of the Chartered Institute of Information Security
Professional Qualifications
CISSP (Certified Information Systems Security Professional) – 2007 to present
CCSP (Certified Cloud Security Professional) – 2020 to present
CEH (Certified Ethical Hacker) – 2018 to present
CISA (Certified Information Systems Auditor) – 2010 to 2014
Research Interests
Distributed Authorization; Cyber Strategy; Security Economics; Identity Counter Measures; Nation State Cyber Strategy
Disclaimer
© 2021 TCH Research Ltd. All rights reserved. The Cyber Hut is a trading name of TCH Research Ltd.
This publication may not be reproduced or distributed in any form without The Cyber Hut’s prior written permission. It consists of the opinions of The Cyber Hut’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, The Cyber Hut disclaims all warranties as to the accuracy, completeness or adequacy of such information.
The Cyber Hut does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by The Cyber Hut’s Usage Policy.
The Cyber Hut prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party.