Passwords are ubiquitous, despite not being foolproof and cannot alone protect your online identity. Almost one-third of data breaches reported over the past decade happened due to stolen credentials, per Verizon, including some of the biggest breaches of all time.
Instead, the industry has largely found passkeys arguably the most prominent solution to replace passwords. More than 15 billion accounts online can use passkeys, and big tech companies — Amazon, Apple, Google, and Microsoft, and others — are working together to promote passkey adoption.
But users are still shying away from passkeys due to their lack of portability and a general state of clunkiness.
Cybersecurity startup Hawcx aims to fix some of the headaches with passkeys by using its new passwordless authentication technology, which takes the best of passkeys but without their limitations.
Users can find setting up passkeys on their accounts cumbersome and challenging when logging in using passkeys across multiple devices, as noted by Dan Goodin at Ars Technica. While passkeys undoubtedly offer better security over passwords, account lock-outs and recoveries can become a costly affair for businesses that use passkeys at scale.
Founded in 2023 by Riya Shanmugam, who spent almost two decades at Adobe, Google, and New Relic; along with chief technology officer Selva Kumaraswamy and chief scientist Ravi Ramaraju, Hawcx says it offers a platform-agnostic solution that allows developers to add five lines of code to enable its passwordless tech.
Hawcx said its solution doesn’t rely on transmitting or storing private keys from devices, like passkeys. Instead, Shanmugam told TechCrunch that Hawcx cryptographically generates private keys every time the user signs in.
Since the generated private keys are not stored on a user’s devices, Hawcx says its technology works on older devices that don’t have the modern chips to support the typical passkey setup.
“We are not reinventing the wheel fundamentally in most of the processes we have built,” Shanmugam told TechCrunch.
In one example, if a user switches from one device to another, Hawcx’s solution asks if they want the new device to be registered on their account and verify the user’s authenticity to let them in.
However, in this case, the solution will not create another private key that will be stored on the new device or in a cloud service — unlike a typical passkey setup in which a new private key is either generated and stored on the new hardware, validated using the older device, or synced via a cloud service.
“No one is challenging beyond the foundation,” Shanmugam said while referring to the competition in the digital identity management space. “What we are challenging is the foundation itself. We are not building on top of what passkeys as a protocol provides. We are saying this protocol comes with an insane amount of limitations for users, enterprises, and developers, and we can make it better.”
Hawcx has filed patents, but has not seen its deployed by companies or technology validated by third parties, which could hamper trust in its service.
Nonetheless, Hawcx has raised $3 million in a pre-seed round led by Engineering Capital, along with participation from Boldcap, to speed up its product development and get to the market.
Shanmugam told TechCrunch that the startup is in discussions with large banks and gaming companies to start its pilots in the next few weeks, which will run between three to six months with a limited set of users. The startup also plans to get the tech validated with a “couple of cryptography experts” at Stanford University.
“As we are rolling out passkeys, the adoption is low. It’s clear to me that as good as passkeys are and they have solved the security problem, the usability problem still remains,” Tushar Phondge, director of consumer identity at ADP, told TechCrunch.
Phondge is bullish on Hawcx’s tech and is set to deploy it at ADP for a pilot to test if it addresses the issues passkeys bring along, including device dependencies and core system lockups.
Ultimately, Shanmugam said Hawcx aims to be a unified authentication platform for businesses over time and partner with different players to integrate services such as document verification, live video verification, and even background checks.
