Authentication startup Bharosa is growing up fast

FFIEC and HIPAA are regulatory rocket fuel for this company

The United Nations last week became the latest organization to warn computer users about the dangers of relying on just passwords to protect online bank accounts and e-commerce shopping carts, according to Reuters

The warning from the UN’s International Telecommunications Union came a little more than a year after the United States’ Federal Financial Institutions Examination Council (FFIEC) released similar guidance calling for stronger user authentication for online banking customers.

Those kinds of warnings are music to the ears of Jon Fisher, CEO of Santa Clara, Calif.-based Bharosa, which sells anti-fraud and multifactor authentication technology to banks, health care companies, and the government. Just three years old and with 50 employees, Bharosa’s been taking on security industry behemoths such as VeriSign and EMC/RSA on their own turf and, in some cases, winning. In the past year, Fisher’s company signed deals with Wells Fargo, National City, and the U.S. Air Force. A serial entrepreneur who sold his first company at age 23, Fisher spoke with InfoWorld Senior News Editor Paul F. Roberts about how the changing regulatory environment has been good for his company.

InfoWorld: What is the core intellectual property that Bharosa has?

Jon Fisher: We have a proprietary, gated methodology to screen for fraud in real time. The first gate manifests itself pre-log-in via an analysis of a host of data about the user and transaction. The second gate is at the first point of authentication: the user name and password. The third gate is manifest in session where transaction and document requests occur. The fourth gate is a score of third-party data, whether that’s enterprise, legacy, or other data that’s fed into our fraud detection engine.

IW: What should enterprises know about software like Bharosa’s?

JF: Fraud detection has a place not just in achieving FFIEC compliance, but also truly bringing together disparate legacy systems [that] enterprises have had in place for some time.

IW: Are you talking about single sign-on, or something else?

JF: Single sign-on is an application of that. But fraud detection [can make] a decision about what advanced forms of authentication to use based on the conditions, or what kinds of transactions will manifest in certain ways, like a document request or [bill payment]. 

IW: Aren’t authentication and fraud detection ultimately just parts of a bigger architectural change that will tip the scales in favor of vendors who can take care of data security in addition to authentication and storage and the networking piece?

JF: I’ve been an entrepreneur for a number of years. I know that if you want to start a company and run a good company, you’ve got to do something well. We’ve selected a few things to focus on and do well. They’re things that, in aggregate, constitute more than just a point solution. But, yes, certainly less than the array of products in unrelated areas offered by competitors.

In terms of how the competition in the space breaks out in the next few years, because of the importance of fraud detection — especially in the enterprise — some very large companies are looking at the space and deciding what their strategy will be. If you have a key product like [Bharosa] fraud detection that’s embedded deep within some of the world’s finest enterprises, no matter how much the space matures or develops and no matter what resources competitors have, you still have to work with Bharosa.

IW: In the financial services space, how much of this is being driven by FFIEC guidance around single factor authentication? Where do things stand with adoption of FFIEC?

JF: There are two answers. As an objective observer, I’d have to agree that more than 50 percent of U.S. banks will technically not comply with FFIEC-related guidance by the end of the year. However, as a principle at Bharosa, I’m finding that FFIEC compliance has served as rocket fuel for my relatively young company. It’s been a key driver in our growth. We’re very much looking forward to the second phase of FFIEC guidance in 2007. We’re also looking for the effect this guidance will have on other markets. These mandates for enterprises to update security as a function of time are great environments to work in if you’re a software company.