Identity as Security Key: Akamai Buys Online Access Firm Janrain

Xconomy Boston — 

It’s an online security concern perhaps best distilled in a popular 1993 comic from The New Yorker magazine.

“On the Internet, nobody knows you’re a dog,” reads the comic that shows a drawing of one pooch atop an office chair in front of a computer, sharing the wisdom to a second of man’s best friend below.

Logins, passwords, security questions, and dual authentications all try to tackle the identity issue that centers on whether a website can trust that a user is who they say they are and—from the other side—whether a user can trust their account is opened up to them and only them.

It’s also the reason why Cambridge, MA-based Akamai Technologies (NASDAQ: AKAM), a provider of Internet content delivery network services and cybersecurity technologies, plunked down an undisclosed sum to buy Portland, OR-based online identity management company Janrain.

“Identity is a key component to be able to mitigate both the current generation of attacks and the general going forward,” says John Summers, Akamai chief technology officer. “Linking the digital identity to real work identity is a direction the industry needs to go.”

Here’s how it works, according to Summers. Janrain’s customer login and registration pages pick up a swath of other user information such as the type of device used, the usual times of day the user accesses the page, the average time spent on the page, the parts of the website usually accessed—a sort of activity fingerprint for each user on a given site.

What Akamai plans to do is combine that with the Internet Protocol (IP) information it has from funneling the large swath of the Internet activity it processes—it manages 240,000 servers in over 130 countries, the company says—to get a picture of whether John from Austin, TX, is acting like his usual self or whether it’s really a person in Bangladesh using a hacked login.

Summers didn’t have an estimate on-hand of how much of the Internet’s traffic moves through Akamai servers, but he got to the point a different way: “Whenever we haven’t seen an IP address before, that’s unusual,” he says.

The Janrain information will also beef up Akamai’s abilities to detect when a login is coming from a bot rather than a person, Summers says.

He says the largest attacks Akamai is seeing on its network are no longer distributed-denial-of-service schemes but “credential stuffing” attacks, where automated hacking software takes stolen credentials from one entity and applies those login names and passwords to other websites. All this is built on the fact that many people use the same login and password for multiple websites.

One difficulty Akamai and Janrain face is the fact that a lot of the magic needs to stay behind the curtain. Two-factor authentication and security questions are solid ways to add barriers for bad actors, but they also form walls that legitimate users need to scale to use a service. And those barriers can scare off customers if they are high enough, Summers says.

“It’s critical that we do it seamlessly,” he says. The system must “provide a stronger authentication but with very low friction and have those two things go together. That’s what the World Wide Web needs.”

The deal formed out of a partnership Akamai and Janrain entered into in July, Summers says. The two have many shared customers.

Another force behind the acquisition is it lets Akamai offer its customers a way to manage the login and usage data of their users, ensuring they follow all the online privacy and data-sharing regulations being set up around the world.

“A problem for customers is you want to hold additional profile information so you can do better security with lower friction, but with privacy regulations you’re on the hook for taking care of all that data and not letting it get stolen and being a candidate for breach,” Summers says, adding that Janrain and Akamai will provide users the paperwork to show they are in compliance.

Janrain had raised at least $70 million in venture funding since its founding in 2002, according to company press releases. The startup had been focused on establishing a secure, universal login for the Web—built around the open-source OpenID—that companies could accept. Competitors developing customer identity and access management software include Microsoft (NASDAQ: MSFT), Salesforce (NYSE: CRM), Auth0, ForgeRock, Gigya, LoginRadius, and Ping Identity.

Akamai did not disclose any terms of the all-cash acquisition, though the numbers will likely come out in public filings at a later date.

Akamai expects the deal to close in the first quarter of 2019. The deal is expected to reduce Akamai’s earnings per share for 2019 on the whole, but add to earnings starting in 2020, the company says. Investors didn’t show too much worry with that. They pushed the stock up more than 3 percent on Monday, much higher than the Nasdaq Composite’s 1.3 percent bump.