Drive-by: Bharosa - Another web authentication player
As the number of drive-bys I want to do continues to grow, I'll start to chip away by looking at Bharosa. They do authentication stuff for financial institutions. I came across a couple of their press releases over the past few weeks, and am particularly interested in the topic. Two-way authentication is going to be big in the 2nd half of the year as the FFIEC guidance suggesting stronger authentication gets closer to its end-of-year deadline.
So let's swing by their website (www.bharosa.com). Here are my first impressions:
- Headline doesn't mean anything to me - Identity theft is inevitable, but vulnerability isn't? What the hell does that mean and I tire of the old lock and key visual metaphor.
- They do "multifactor online authentication" - OK. I can get that. I'm not sure what exactly they mean, but at least these are familiar terms.
- IDC recommends these guys for FFIEC - Hmm. I guess they must have gotten some funding so they could pay IDC to say something nice about them. This isn't a positive in my book, but then I know too much about the business. But FFIEC indicates they are targeting the financials.
- They've got 10.4 million users licensed - I'm not sure what that means either, but it's a big number. Clearly they are targeting financials and have some decent numbers. This should be more prominent on the homepage because it adds some credibility.
- They have a video, let's check it out - This was pretty good. The CEO did the pitch and was clearly not a professional speaker, but did a decent enough job. It was too long. I lost focus about 2 minutes into the 5 minute pitch. But it did give a pretty good overview of what the product does and how it does it.
Overall assessment of the homepage is that it's pretty weak. Good thing I'm not one of those folks that just gives up if I don't see something interesting on the front page. So let's see what I can learn in the product section. Here are a few quick observations:
- They've got two products, Tracker and Authenticator (the video indicated this as well). Tracker verifies the user is coming from an authorized device, using it as kind of a second factor. And Authenticator uses some visual authentication tokens to provide a multi-factor experience.
- Tracker works behind the scenes, using attributes like a user's device and location and even some behavioral stuff (like what they are doing) to determine if it is the user. But that's about all the information that is there. Kind of like Cyota, in that they use a lot of different data sources to figure out if something is OK to do, but they don't seem to have any kind of policy to enforce contextual authentication (forcing the user through additional hoops depending on what they are trying to do).
- Authenticator is less clear (and it's not like Tracker is very clear). They protect the PIN. How? All they show on the page is a few graphical "virtual authenticators." I have no idea how this works.
So I dig a bit deeper into the product section and discover that I still have no idea what Authenticator does or how it does it. They claim it protects data from key loggers, etc. because neither the keyboard nor the mouse is used to enter information. Hmm. I guess they've mastered that elusive telepathic interface. Yeah, I'm lost at this point. Let me check out the Tracker page and see if at least I can learn a bit more about that.
Tracker does the work behind the scenes as I describe above. But it does seem that depending on what the policy says (and what they find through their analysis), it can ask for additional authentication.
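To make the distinction between "collecting a lot of signals" and "enforcing a policy on them" concrete, here is an added illustration of a contextual (risk-based) step-up authentication engine. It is not Bharosa's code and says nothing about how Tracker is actually built; the user baselines, signal weights, action names and thresholds are all constructed for the example. The point it shows is that the same risk score leads to different outcomes depending on what the user is trying to do, and that every decision is explainable from the signals that fired.

```python
"""Contextual (risk-based) step-up authentication, as a policy engine.

Added example, not vendor code. Signals from device, location and
behaviour are scored, then a per-action policy decides whether to allow,
require an additional factor ("step_up"), or deny.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed per-user baselines (hypothetical; a real system learns these).
KNOWN_DEVICES: Dict[str, Set[str]] = {"alice": {"dev-A1", "dev-A2"}}
USUAL_COUNTRIES: Dict[str, Set[str]] = {"alice": {"US"}}

# Signal weights (hypothetical tuning values, not from any product).
WEIGHTS: Dict[str, int] = {
    "unknown_device": 40,    # device never seen for this user
    "unusual_country": 30,   # geolocation outside the user's usual set
    "odd_hour": 15,          # activity between 00:00 and 05:00 UTC
    "high_value": 25,        # transaction amount at or above the threshold
}
HIGH_VALUE_THRESHOLD = 10_000.0

# Policy: per action, (score at which to step up, score at which to deny).
# Sensitive actions get lower thresholds than read-only ones.
POLICY: Dict[str, Tuple[int, int]] = {
    "view_balance": (50, 90),
    "transfer_funds": (20, 80),
}


@dataclass
class LoginContext:
    """What the application knows about one request (constructed fields)."""
    user: str
    device_id: str
    country: str
    action: str
    amount: float = 0.0
    hour_utc: int = 12


def risk_signals(ctx: LoginContext) -> List[str]:
    """Return the names of the risk signals that fire for this request."""
    fired: List[str] = []
    if ctx.device_id not in KNOWN_DEVICES.get(ctx.user, set()):
        fired.append("unknown_device")
    if ctx.country not in USUAL_COUNTRIES.get(ctx.user, set()):
        fired.append("unusual_country")
    if 0 <= ctx.hour_utc < 5:
        fired.append("odd_hour")
    if ctx.amount >= HIGH_VALUE_THRESHOLD:
        fired.append("high_value")
    return fired


def risk_score(ctx: LoginContext) -> int:
    """Additive score over the signals that fired."""
    return sum(WEIGHTS[s] for s in risk_signals(ctx))


def decide(ctx: LoginContext) -> str:
    """Apply the per-action policy: 'allow', 'step_up' or 'deny'."""
    if ctx.action not in POLICY:
        raise ValueError(f"no policy defined for action {ctx.action!r}")
    step_up_at, deny_at = POLICY[ctx.action]
    score = risk_score(ctx)
    if score >= deny_at:
        return "deny"
    if score >= step_up_at:
        return "step_up"
    return "allow"


def explain(ctx: LoginContext) -> str:
    """One audit-log line showing why the decision was reached."""
    signals = ",".join(risk_signals(ctx)) or "-"
    return (f"user={ctx.user} action={ctx.action} score={risk_score(ctx)} "
            f"signals={signals} decision={decide(ctx)}")


if __name__ == "__main__":
    # Constructed requests: same user, varying device, location, action.
    samples = [
        LoginContext("alice", "dev-A1", "US", "view_balance"),
        LoginContext("alice", "dev-X9", "US", "view_balance"),
        LoginContext("alice", "dev-X9", "US", "transfer_funds", 500.0),
        LoginContext("alice", "dev-A1", "US", "transfer_funds", 20_000.0),
        LoginContext("alice", "dev-X9", "RO", "transfer_funds", 20_000.0, 3),
    ]
    for sample in samples:
        print(explain(sample))
```

Note that an unknown device alone leaves a balance check at "allow" but pushes a funds transfer to "step_up": the policy table, not the signal collection, is what turns raw context into contextual authentication. The `explain` line is what you would want written to the audit trail so that a denied or stepped-up login can be reviewed later.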
Tooling around the site some more, it seems they are pushing FFIEC pretty heavily, as expected. They also have a deal with the Air Force to build some strong auth into their web applications. So not just financial centric.
Overall, Bharosa is playing into the hot strong authentication market. But after driving by their web site, I don't have any idea what differentiates them from someone like RSA, nor do I get a clear understanding of how their technology works. If I'm a buyer here, I probably move on because the last thing I have is time to get someone to explain everything to me.
Just goes to show, if folks can't go to your website and tell what you do and how you do it, you better get back to work. End users will disqualify you from consideration if they have to do too much work to figure it out.


Nothing gets any clearer if you invite Bharosa out for an onsite dog & pony of what they do. They apparently have this proprietary "gated security" model which doesn't seem to differ from a layered security approach. They will assure you that it's not the same, but provide no examples.
They hide what they do for Device identification -- which is odd because most of the security market is strengthened by full disclosure.
Apparently, they ARE very hungry for business though: for three solid days after the initial presentation to our company, they called around and social engineered about half our IT admin staff to get names of people they could meet with. Most aggressive and uninformative marketing I've ever seen in 20 years in the business.