Feb 20th 2014, 14:00, by Natasha Lomas
Password manager startup PasswordBox, which closed a $6 million Series A last November, months after launching its freemium service, has added a new feature to its convenience-boosting arsenal. It improves the experience for mobile users by letting them sign in to other apps and websites with a single tap, rather than typing a password or copy-pasting a secure one.
Called 1-Tap Login, the patent-pending feature launches in full today for Android PasswordBox app users, with an iOS beta version also released, although the company stresses that the latter is a very early release, with few apps and websites supported.
The Android version of 1-Tap supports sign in for 80% of the top 1,000 apps, according to PasswordBox, with more websites being added daily, vs around the top 50 apps on iOS. PasswordBox’s wider claim for Android is that it currently supports about 70% of all logins.
The startup is obviously working on building out that percentage, via an automated process of machine learning that parses different app login screen layouts to figure out where to inject password credentials. It does also employ some human checkers doing quality assurance to verify the algorithm is hitting the bull’s eye.
Support for new apps is not released until they have been through this QA process, so it tells TechCrunch the accuracy rate is pretty much 100% (since it only releases support for an app or website login once it’s sure it works).
As for app updates that radically redesign the login screens and therefore risk breaking PasswordBox compatibility — these will be flagged via multiple failed logins so it can readjust its algorithms as necessary, without having to do continual manual checking to keep the system ticking over.
The technology behind 1-Tap is something PasswordBox is very proud of — to the point where it unboxed that unparalleled cliche, the “paradigm shift” — also noting that one of its competitors claimed it’s impossible to enable smartphone apps to be liberated from their individual sandboxes so they can talk to other apps on the phone.
Yet PasswordBox has found a way to do this — and claims it’s not a hack or a workaround, either.
“What we’re doing it’s quite revolutionary,” co-founder and CEO, Dan Robichaud, tells TechCrunch. “In the past when you are talking about native apps and native browser, no apps have been able to communicate with other apps because apps are normally sandboxed. We have worked for two years with our R&D team to make it ubiquitous to log in on any apps or any sites at all time on Android.”
“We’re using something on Android that is known and it’s public — it’s not a hack — we’re using basically the accessibility mode that can be activated within one tap. Once you have activated that we’re able to be within your experience in your browser, and be within your experience in different apps when you need to login,” he adds.
There is of course more complexity going on — but getting access on Android via the accessibility mode is the basic principle.
“We need to interact with the app and second we need to communicate in a secure way with our app and pass the right information at the right time and be sure we’re in the right environment, so it seems simple but the fact that no one did it so far in the world it’s because it’s more complex than it looks like,” adds Robichaud.
The same 1-Tap login feature on iOS has only been technically possible since iOS 7, hence PasswordBox’s later development stage on that platform. On iOS it’s using a VPN, says Robichaud — again stressing that it’s not a workaround.
“We’re using a VPN like other people are using. What we’re using is standard. And it’s actually available to many other developers and many other developers are using it — it’s just the first time that someone’s figured out a way to use it for offering one-tap login to people who want to use Safari with a password manager that is not [iCloud] Keychain,” he says.
(PasswordBox’s advantage over and above Apple’s iCloud Keychain system is that it’s not platform specific, allowing users to manage passwords across multiple devices and OSes.)
PasswordBox has big ambitions to stand out in what can be a very utilitarian space — using machine learning technology to improve its compatibility with login forms, and incorporating features such as end-to-end encryption to facilitate secure password sharing for its users, for example, and doing local encryption and decryption on devices, rather than holding any keys itself.
It also includes a digital legacy management offering in its freemium service, and last year bolstered that portion of its business with the acquisition of an early player in that space, Legacy Locker.
On the users front, PasswordBox passed one million registered users last September, around three months after going live. It’s not disclosing any more recent numbers now but says its user-base is growing at a “solid rate”.
With 2014 looking set to usher in a wave of biometric-enabled mobiles, in the wake of Apple adding a fingerprint sensor to the iPhone 5s’ home button last year, PasswordBox is positioning itself to plug in and complement biometric security features on mobile devices.
It wants to act as the password management layer that replaces those still-not-biometric passwords which it reckons will continue to be required for individual apps and websites for a long time to come, while the core phone hardware biometric sensors play the role of master password for unlocking the device and thus also for providing access to PasswordBox’s trusted, third-party authentication layer.
“Our ultimate goal is to be the bridge between biometric and strong authentication — the old password world where you need to type a username and the password, we actually think that no one solved the password problem in the past because it’s a chicken and egg problem. Where, if you try to integrate directly within every app and every website’s biometric it’s never going to work,” says Robichaud.
“Why is that? First, developers will not agree on something standard and won’t integrate everything that all the different parties will suggest. The second thing is that big players won’t integrate with each other. So we think that by being a layer over the whole authentication or whole login method and by creating strong passwords for all the websites and linking it to biometric, there’s a real opportunity to change people’s behaviour on how to log in to sites without them noticing it that much.”
“We have all the frameworks, the technology — it’s ready to be augmented with biometrics,” he adds.
PasswordBox also has yet more ideas up its sleeve, which it hinted at during the interview with TechCrunch, although it’s not talking specifics right now. “The login is just the first key to login to those websites — but then what you do on those websites… you can imagine, once you’re logging in to those websites we have more creative ideas that we’re going to present in the future to enhance your experience,” it says.