Washington, D.C.-based startup Corsha has raised $12 million in a Series A round to bring multi-factor authentication (MFA) to machine-to-machine API traffic.
APIs, which allow two applications to communicate with each other over the Internet, have become a focus of organizations’ digital transformation efforts during the pandemic. This has made APIs a prime target for malicious hackers, and Gartner predicts that APIs will become the largest vector for cybercrime by this year. API vulnerabilities have been the cause of several high-profile security breaches in recent times: Peloton exposed personal user account information; Experian revealed the financial histories of millions of Americans; and Facebook, LinkedIn and Clubhouse had user data extracted through poorly protected APIs.
In an effort to save other organizations from the same fate, Corsha has developed an automated MFA solution for API machine-to-machine traffic.
When an application or service needs to make API calls, it typically uses a primary authentication factor, such as a PKI certificate or a JSON Web Token. Corsha anchors these requests with an MFA one-time credential generated from the machine’s dynamic identity and validates them against a cryptographically verifiable distributed ledger network. API requests are only accepted if the MFA credential matches the identity of that machine, and each API call requires a new one-time credential, creating an API service organization unrelated to the API. Confidential access possible.
“With Human MFA, once you have downloaded and configured your authenticator, you secure access to your trusted machine. This is what we do in the API world,” Anusha Iyer, co-founder and CTO of Corsha, told gaming-updates.
While MFA is by no means immune to hackers (attackers have historically been able to bypass MFA using SIM spoofing and man-in-the-middle (MITM) attacks), Corsha uses its own proprietary technology, which it describes as “MFA++”.
“We can do it in a unique way because there is no central repository where we store this secret master device where someone can compromise us. We’ve reversed it, so MFA occurs on the machine itself. It was important to us to keep it out of the reach of an attacker,” said Chris Simpkins, co-founder and CEO of Corsha.
Prior to founding the startup in 2018, Simpkins worked for the Department of Justice (DoJ) as part of the Homeland Security Administration.
The startup’s connection to the US government doesn’t end there: Corsha secured the US Air Force as its first client in 2020, providing technology to protect critical data in motion on Air Force platforms. “Our first customer was the US government, which is a very good confirmation for us,” Simpkins said.
The startup’s Series A investment, led by Eleven Ventures and Razor Edge Ventures with participation from 1843 Capital, will fund the expansion of Corsha’s market efforts. Simpkins also tells gaming-updates that the company is busy hiring as it seeks to bolster its current team of 10 employees.