Let’s talk about digital identity with Schehrezade Davidson, CEO of Tricerion.

In episode 26, Oscar talks to Schehrezade about Tricerion’s neurographic authentication solution – picture-based passwords. They discuss how neurographic authentication solves the risks of alphanumeric passwords and spoof phishing, the benefits for users who find it hard to remember and input alphanumeric passwords, and its use cases.

[Scroll down for transcript]

“None of us like passwords, we want something simple. But individuals understand they need something secure.”

Schehrezade Davidson is the CEO of Tricerion, whose innovative SafeLogin product provides strong mutual authentication with picture-based passwords.

Find out more about Tricerion and watch videos of how it works at tricerion.com.

Schehrezade DavidsonSchehrezade has 30 years’ experience in financial services and equity fund management, where her expertise covered investing in large and small cap companies. She has over 10 years’ experience in early stage technology investing, especially in companies on the cusp of commercialisation. Schehrezade was an early stage investor in Tricerion.

Find Schehrezade on LinkedIn.

Schehrezade also joins LTADI for a second podcast episode, discussing immunity passports. Listen to that conversation in episode 41.

We’ll be continuing this conversation on LinkedIn and Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

Let's Talk About Digital Identity
Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.


Podcast transcript

Oscar Santolalla: Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Thanks for joining again to a new episode of Let’s Talk About Digital Identity. And happy to discuss a very interesting, very innovative way of protecting our digital identity. And if you haven’t heard before, we’ll talk about neurographic passwords. And for that we have a special guest so let me introduce to you, Scheherazade Davidson. She is the CEO of Tricerion Limited, a company that owns novel patented mutual authentication software. Before Tricerion, she worked in finance and fund management where she had a special interest in investing in innovative technology businesses. This experience has given her the understanding of what is needed to commercialise technology. Timing is all.

Hello, Scheherazade.

Scheherazade Davidson: Hello, Oscar. Great to meet you.

Oscar: Nice meeting you. It’s great talking with you. I’m really curious about hearing what Tricerion is doing so it sounds very, very interesting. But first, let’s hear something more about yourself, so please walk us through your journey to the world of digital identity.

Scheherazade: Yeah, sure, happy to give a little bit of background. So, originally, I was an investor in Tricerion. I came across it when the original founders came to present the idea to me. And it’s one of those things, in my investment career, I’ve seen a lot of amazing ideas and solutions in a whole range of industries. But when I heard the story of what the guys are trying to do, I just thought it was amazing. And when I left finance – that’s a long, long convoluted story – but in the end, I ended up joining the business and have become the CEO. Because I think our solution for authentication is simple, easy and visual. And it’s one of these stories where I have to admit I fell in love with the solution, and I really want to spread the idea far and wide.

Oscar: Oh, fantastic. Yes, we have been talking, not in all the episodes but I was thinking nearly all of the episodes in these conversations, we’ve been talking about one way or another about passwords. And people have differing opinions. But from your perspective of being in this company, Tricerion, having already been for several years and you have a very different perspective/way of solving this problem, what would you say is the main problem with traditional passwords?

Scheherazade: Well, I think one of the main issues is that everywhere that you log in with an alphanumeric password, you, as the individual, are given great leeway to create this string of letters and numbers. And I just thought I’d give you a few facts which would answer the question about what’s the main problem with alphanumeric. Did you know that 73% of people use the same password for multiple portals? And 33% of people use the same password for every site. And I think once a year, those of us in digital identity sort of roll our eyes when we see the list of the best-known passwords or used passwords. And they are the same. Sometimes the top used password is 123456, sometimes it’s 12345, and sometimes it’s pushing the boat out at 12346789.

Now, I think one of the key things is that alphanumeric passwords, strings of letters and numbers, is not a natural way for memorising things. Not all of us are have been trained to have mnemonics where we can easily remember a 16-digit complex alphanumeric. And then a number of portals ask you to change your password regularly. And then all we end up doing is changing the last digit from maybe 6 to 7.

So, in terms of protection against hackers, it’s a pretty low methodology for security. So, one of the main things is a combination of corporates don’t want to put a huge barrier of entry and to you entering their portal. But we all acknowledge that we need security.  And we haven’t really moved on from the alphanumeric password. And I wonder, Oscar, if I could ask you a question, how many portals do you think you log into, just in general? I mean I probably have over 50.

Oscar: Yes, probably more. Of course, some of them, more often than others but yeah, definitely, and let’s say in one year I access more than 50 definitely.

Scheherazade: Yeah.

Oscar: Yeah. And about the statistics you just shared with us, it’s hard to believe that statistics are still so high in this use of weak passwords or passwords that many people are using the same, so it’s really hard to believe that still the statistics are so high.

Scheherazade: Yeah.

Oscar: One of the things that I noticed when I went to the website of Tricerion, one of the main problems you are showing is one called spoof phishing. So, could you dive into what is spoof phishing in particular?

Scheherazade: Sure. That’s where some hackers try and steal information from you because they pretend to be from a trusted source. So, one of the key things is email scam phishing. And during the pandemic we’ve been looking at some statistics and for us based in the UK, the UK has become almost the centre, the most spoof phished country in Europe. And that’s where you will obviously realise in the pandemic, lots of people are going, been going online to perhaps do online shopping that they’ve never done before, to try different services. And one of the key things is that hackers are very adept at sending out emails once they have your email address from somewhere and saying, “Hey…” they either entice you with a free offer or they say, we’re from your bank or from a trusted service that you’ve signed up to. And then you click through and they may install malware on your laptop or PC.

And that’s not where we sit. Where we sit is if you’ve clicked through to what you think is a genuine website and a lot of hackers then are using SSL certificates, HTTPS, we’ve been trained to say, “That’s a valid site if you see that in the URL.” And then they can ask you to insert your credentials and effectively steal your password. But with our solution, it’s going to be pretty difficult for them to steal your password. And a little bit later on, I’m sure, you’ll ask me how it kind of works and we can explain how it’s very difficult for someone to be spoofed phished, if they’ve got a password like we have.

Oscar: Yeah. So, the spoof phishing particularly addresses the type where it’s just phishing – you receive for instance an email and the email prompts you to reveal the credentials to type in some words and…

Scheherazade: Sure. Because they’ll push you towards what looks like a genuine website but is not.

Oscar: Yeah, exactly. This attack is getting more and more sophisticated as you say using real HTTPS certificates, et cetera.

Scheherazade: Yes.

Oscar: OK. So, let’s go now to the solution that Tricerion is bringing, this concept that I haven’t heard before is this neurographic password. So, could you tell us what is this?

Scheherazade: Yeah, sure. So, when I describe the solution you can see how simple it is. So, it is grounded in science. And Oscar did you know that 50% of your brain is involved in visual processing and you will remember 80% of what you see. And the way that the brain works, it takes 150 milliseconds for a symbol to be processed by the brain and 100 milliseconds to attach meaning to it. So, the genesis of our solution was really derived from one of the original founders. Because he has dyslexia, and he could never log in or he found it incredibly difficult to type in an alphanumeric password so he wanted to come up with a different solution. And in the end, he came up with what we like to call neurographic passwords. But they’re essentially picture passwords, logging in with an image string. And I can sort of go on to describe a little bit more about that. Should I go to do that now?

Oscar: Yes, please.

Scheherazade: Yeah, so what happens is when you want to log in, you are delivered a grid of images, say, it’s a 4 x5 on the screen. And every time you want to log in, you’re delivered the same image set but the images are scrambled so they each appear in a different place. So, first time you log in, you have an apple in the top left-hand corner. Next time you log in, that apple has shifted to a different position on the grid. So, every time the keypad is delivered to you, the images shuffle around.

However, your password is six images say on that grid, always in the same order. So then you look on the grid and you click the images that make up your password. Say, for example, my password could be kitten, apple, surfer, dog, beach, flowers, every single time. So that is my password. And what happens is individuals – we’ve written some papers on this – they will remember images better than alphanumeric. Some people make up a story to remember their picture password. And the novel thing about our solution is that it’s simple, easy and visual for the user but we come with cyber credentials for the backend, for the corporate entity deploying our solution. And we’ve got patents about what we’re delivering to our server behind the corporate firewall to make it very robust.

So, if I go back to one of my earlier comments, it’s pretty difficult for a hacker to replicate the keypad’s real time. Of course, how do they know what kind of picture of a kitten you have? How do they know what sort of photograph of a dog. So, if you then had to describe your password to somebody, it will be pretty obvious that when you’re not delivered a picture password keypad that the site that you think is real is not real.

And that’s one of the great beauties of our solution in terms of trying to stop spoof phishing. As we’ve said, you sort of need industrial grade cyber security from the bad guy side for them to try and replicate your keypad in real time. It’s just not worth it. But know that the reality is we’re not sending back a photograph, we’re sending back as you imagine a sort of clicked coordinates. But even if these were intercepted, they’re meaningless. So, that’s where we’ve really helped stopping this sort of spoof phishing aspect of authentication.

Oscar: If the user defines a series of these pictures, even if the attacker tries to convince you to give me that information, it’s much more difficult to that you give that information because it’s mostly in your mind. You see the pictures, it’s on your mind but it’s difficult to describe and that’s very, very interesting. One question is how you sort of create one of these passwords, let’s say, when the user is let’s say enrolled.

Scheherazade: Yes. Yes. And a lot depends on the corporate entity using the solution and it could be that the corporate entity want to sort of use a branding that resonates with their brand. People have used different image sets. Some corporates allow the individual to create the original keypad. So there you might have two images of two beaches but your password might need to pick one of them or none of them. So, that’s a very much in terms of the way that our solution would be deployed from the corporate perspective, very flexible. Or, you could deliver a choice of different keypads that the corporate entity has created.

But if you look at the arithmetic, the more images on the keypad and the longer the string, the more secure. But we think six is a perfectly reasonable number for people to remember. And as I said, you might not remember your password if you’re not looking at the keypad. But as soon as you look at the keypad, you will remember your password. And that’s also another one of the features we’ve noticed is that if I had to sort of describe it in abstract, they probably would find it tough which is another reason why it’s great. But if I look at the keypad, my memories come flooding back.

Oscar: There it is. Yes.

Scheherazade: So Oscar, it could be that you know, you and I are seeing each other on Skype or Microsoft Teams and we remember each other’s faces. And then we might never see each other but we might meet up at a conference in a year’s time and we’ll go, “Hang on, I don’t quite remember your name but I certainly remember your face.” That’s what the solution kind of really delves deep into the way that people remember images better than alphanumeric.

Oscar: Exactly. Yeah, makes sense. And this kind of solution is– can be in a web, in websites and also in mobile, I guess?

Scheherazade: Yes. Yes. I mean we work with our customers to integrate it on to portals and it’s easy to integrate it within apps. We have a certain product that allows you to unlock an Android device with lots of branded image sets. So you can see and there are sort of- our strapline is ‘your brand in their hand’ – so for corporates, who might want to have their brand top of mind with fans that’s a different way to go. But it’s very flexible in terms of where it can be deployed.

Oscar: Good. If you can now describe some concrete examples, let’s say if you can pick a couple of different industries how your solution has already helped some companies.

Scheherazade: So, we were used for a long time in the US credit union. And their particular issue is they were based in Alaska and every year the residents of Alaska receive an oil dividend and so, phishing was really rife leading up to the payment of those funds to the people who lived in the state. And when our solution was deployed, spoof phishing disappeared overnight. It was a very, at that time, a very novel way of logging in. You know retail banking was in its infancy and it was easy to use. I think what was fascinating was password reset fell off and also call centres, where people would ring off and say, look, I’m having trouble logging in, I can’t remember my password. And that fell off dramatically as well.

So, I think our time is now really for sort of pushing forward on this. We’re very interested in working with educational providers because you could see how even at a younger age group logging in this way could be very simple, where maybe a younger child is not au fait at trying to log in. But if a parent knew that they could login securely and safely with picture passwords that would be a massive leap forward. And in addition, we’re very keen to be integrated into areas that are going to grow dramatically in a post-pandemic world. And we think certainly online retailing, there’s definitely an opportunity for us. And yeah, I think one of the key things – the reality is none of like passwords, right? We want something simple. But I think individuals understand they also need something secure.

And of course, password managers are useful but we know that those have been hacked as well. One of the key things that we want to sort of make logging in a fun experience, right? I mean I don’t think anyone has ever had that out there as their strategy. But you can see where if you went to a website and the images were images of the products that were sold. It’s a great way of branding your company and getting the image sets memorable in people’s minds and sort of brand reinforcement and subliminal advertising in a way. So, we see a lot of opportunity for the growth in our business.

Oscar: OK. So you mentioned financial, of course, educational from the perspective of young children, they’ll be able to login. That’s very, very interesting. Yeah. So you have made some comparison how easy it is for a young child to create and remember a traditional password versus creating and remembering a… yeah.

Scheherazade: Yes. So, we were working with a tablet manufacturer that’s very focused on children, specifically as like a walled garden, and although they like use of the tablet and it had educational information on it and apps and videos, the parent didn’t want the child to be on it all the time. This is one of the key things for young children. We know that they’re spending a lot of time on the screen.

So what would happen is the parent can set a timer that says you can only be on it for half an hour. But to do that, the child had to log in. Now, originally, they were joining the dots and there’s always an L or U or Z. But you imagine if you could log in with well named characters from a brand like Disney or Pixar, you could see that that would be great, or any other children’s brand. So, we are working with them to see if the login- where the child logs in and it says “OK, you got half an hour.” And then they have to login on their own using the picture passwords with the characters they love. So, that’s very interesting.

I think also, if you look towards the more, the older children with online portals and obviously online remote access teaching has moved up dramatically as schools especially in the UK, not so much probably in Scandinavia but where schools have been closed. Or even supplementary work where you need to identify the individual people very particularly for safeguarding and also knowing that they’re logging in. All of those are driven by alphanumeric at the moment. So, you want the child to know they’re logging on to the correct portal. So, again, we’re working with some companies who are in that space pitching to online learning portals for remote learning.

Oscar: Yes, sounds like there’s a great potential there in educational services, especially in children.

Scheherazade: Yeah but fundamentally, wherever there is alphanumeric, we could slot in very easily. And the other thing we can be is we can be the backup, right? So, there are a lot of challenger banks at the moment that are logging in with biometrics. It is not quite sure how that’s going to work with a face mask but we’ll see if the technology is moving on and you know, we won’t be living with face masks forever, hopefully. But it’s a hindrance to doing things quickly.

But there are some challenger banks, especially in Europe, that are just logging in with biometrics alone. And then if for some reason, your camera stops working, or your fingerprint reader doesn’t work, something has gone wrong with your device. So these are the downsides of biometrics, right? These are device specific readers. If something happens, they need a backup. And invariably, their backup is a four-digit PIN number. So, sort of need to be a little bit more robust in that. And again, we could be sitting there in the background as the backup login.

Oscar: Right. One thing that came to my mind also you mentioned resetting passwords in the traditional way, in a traditional password. How does that work in this picture or password, there is reset functionality, how does it work?

Scheherazade: Yes, it’s the same methodology, and if you have password reset it’s sort of three strikes and you’re out. It’s the way that our software works is incorporated in the same way as you would with an alphanumeric, where you’re delivered a keypad or you’re send to a click-through. So it’s the same logic from a sort of technical perspective of how you would ask someone to reset.

And at that time, you might ask them, “do you want to choose a different keypad?” or whatever. Depending again on the level of how the software has been incorporated on the portal. So, password reset is something that we all live with. I mean we all know that a number of people don’t bother to remember their password because they always say I’m going to do password reset anyway. So the concept of password reset is not alien and we just follow the same protocol. But I think what’s interesting as we’ve shown is password resets fall off when our solution is deployed.

Oscar: So, it happens much less often.

Scheherazade: Yeah. Yeah. And then call centres saying where people “I don’t remember my password.” It does fall off.

Oscar: Exactly.

Scheherazade: Yeah, and sorry I can’t really share the statistics from the bank. But there was a material monthly cost saving for them…

Oscar: Excellent.

Scheherazade: …in terms of run rate of expenditure.

Oscar: Sure. And just one more question I would like to ask also going for the guys who want to go and to know a bit deeper what is behind in the backend. If you can give us briefly what is in the backend of this system.

Scheherazade: Sure. And this is why we have global patents around the solutions. So, one of them is obviously the delivery of the keypad, what we call the one-time keypad. Because although the images are the same, they shuffle around. So, in our head, we like to think it’s a one-time keypad because every time you get the keypad delivered, the images move round.

And then we have a patent around this concept called triangulation where what’s interesting is our solution is called SafeLogin and our server sits behind the corporate firewall. And the way it works is there is a set of pings between the individual logging in on the portal and the corporate server, so say it’s the bank – opening up the bank server and our SafeLogin server. And we push the pings in a triangulated way. And what’s neat about our solution is that we don’t know who the user is. All we’re doing is the request come from the corporate server to deliver the one-time keypad. So, as I said, even if you had a man in the middle attack, they wouldn’t be getting anything but a string of numbers. And those effective coordinates are sort of matched behind the corporate firewall.

And then let’s be briefly on this, the corporate firewall is being breached then you know things have gone horribly wrong and logging in to the bank servers is the least of the problems in a way. So that’s why it’s so novel. It’s very light touch, very easy to deploy. And you know we could set up a test within a couple of days. And actually, one of the key challenges is people say “which image set should I use” but we’ve got a lot of experience in helping corporates and brands work out the best sorts of images that work, having done this for a while now.

Oscar: Excellent.

Scheherazade: You can find more on our website tricerion.com, simple. And there are some videos there that you can see how it works.

Oscar: Yeah. I have watched some of these videos. They are very, very, very well illustrated so yes, good. So finally, we’re reaching the end of this nice interview with you. Could you finally give us a tip, a practical advice for anybody to protect their digital identity?

Scheherazade: Sure. I, in some ways Oscar, would turn this on its’ head in a way. And why do you want to protect your digital identity? And I’m not talking about don’t give all your secrets away on social media platform, I’m talking about if you’re doing a lot of things online, I would create a separate email address for all your online shopping because I think that that would be a one step in you know it could be Gmail, Outlook, anything, there are a lot of free email services.

Secondly, it’s very easy to go online and say, well, make up a password for me. You can do that easily. And I’m afraid my idea is old school, please use a different alphanumeric for every single website you log in to. And if you can’t remember, you’re going to have to go old school and don’t save it on your phone, don’t save it on your PC or laptop, save it in a little book and keep it somewhere safe where no one can find it. Of course, I’d really hope that the need for all of that would fall away dramatically when the world instigates neurographic passwords. But until then you kind of have to go off grid a little bit and sacrifice utility for safety.

Oscar: Yeah, I think it’s always beneficial to have some of these offline as well, well-protected. Thanks a lot Scheherazade for all these very interesting things about neurographic passwords and the work that Tricerion is doing that sounds very innovative and very solid and it’s very well many, many use cases that we work in digital identity. Finally, could you tell us how people can either get in touch with you or find more information about Tricerion?

Scheherazade: Yes. Sure. If you go to our website, tricerion.com, T-R-I-C-E-R-I-O-N.com there’s a contact form there and please do contact us, happy to do trials with corporates that are interested. So yeah, that would be great. And having used these neurographic passwords myself for a long time, it’s really easy.

Oscar: OK. Well, fantastic. Scheherazade, it was great talking with you and all the best.

Scheherazade: Thank you, Oscar. Really great speaking to you.

Oscar: Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]