“Validate customer credential pairs against databases of known leaked usernames/passwords”
– Federal Bureau of Investigation, Cyber Division
When it comes to building applications intended for external users, high levels of security need to be built in. But it can be a delicate balance between implementing robust security controls and damaging the user experience.
Traditional security controls designed for enterprises, like two-factor authentication, often aren’t a good fit for consumers. Your users want to be able to get access to your services quickly and without fuss. Any friction added to a user's journey risks losing you valuable subscribers or, worse, revenue.

The reality, however, is that one of the biggest vulnerabilities in consumer applications is the consumers themselves, and specifically their password behaviour.

End users often just don’t understand the risks associated with weak password choices, or that using the same password across multiple applications introduces a security risk to your online service. More importantly, many don’t really care.

Poor user password hygiene across internet applications remains a top security threat to application owners, so Arc has been developed specifically to minimise that threat with zero impact on your users’ authentication experience.
What our clients say: Sticky Password
"As a password manager, our customers look to us to not only protect their passwords on their devices, but to keep them safe on the web. With encryption and secure technology, Sticky Password provides the utmost protection of the customer’s database. But what about their data - logins, email addresses and passwords - stored by the many services that we all use every day: Yahoo, Facebook, eBay, Adobe, Twitter (when it was still Twitter), LinkedIn, even Google - and many, many more?!? Names that you’re sure to recognize as a user of their services - but also names made famous because of data breaches and the resulting shady dealings on the so-called dark web.

Our goal was to provide Sticky Password customers with actionable data about their logins and passwords caught in the vast amounts of breach data that is being transacted on the dark web. We wanted Sticky Password customers to not only know that their email address (which is only part of the key that unlocks their account) was found on the dark web, but more importantly when their login/password pair (i.e. the complete key) was found on the dark web - a much more ominous situation.
Working together with Jon and Ian at Crossword Cybersecurity, we were able to design a unique solution that other vendors are not able to offer: by identifying login/password pairs, we pinpoint exactly where the problem is, thereby empowering Sticky Password customers to prioritize protective measures.
Jon and Ian are extremely knowledgeable about the capabilities and limitations of the Arc service - and because of this we found them to be splendid collaborative partners, resulting in our bespoke solution. We, and more importantly, our customers are extremely pleased with the result."

- Peter Lipa, Vice President, North America, Sticky Password

Disarm and defuse credential stuffing attacks
Real-time credential checks
Instantly check your subscriber logins and signups against billions of already leaked user credentials from 3rd party data breaches
No MFA required
No requirement for your existing or future subscribers to interact with SMS or 2FA tokens which could result in user drop off or costly deployment
Zero user friction
Improve B2C authentication security and reduce fraud attempts on your public facing applications with zero additional user friction
Secure and private
Complete security and privacy of checked user credentials using known and trusted existing cryptographic algorithms
Flexible configurations
Supports username and password pair, email and password pair, or just password leak checking
Lightning speed
Sub-second check and respond APIs ensure rapid risk decisions can be made
When it comes to protecting consumer data, or any data for that matter, it’s vital that the information you’re trying to protect doesn’t get passed to third parties unnecessarily.

The more your data is distributed, the more likely it is to be leaked, so Arc has been designed specifically to provide absolute assurance about the presence of leaked credentials in our indexes without ever needing to know the specifics of the data you’re checking for.

Ultra-high-performance data lakes store hashed and encrypted candidates of the credentials you might be interested in, while industry-trusted cryptographic anonymity schemes are used to ensure complete confidentiality of your application’s queries.

Arc receives, looks up and checks for any ‘possible’ matches of your username and password pairs and returns them from billions of potential candidates with sub-second response times, allowing you to make rapid decisions about the risks to your customer accounts.
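The page does not say which anonymity scheme Arc uses. As an added illustration (not Arc's code or API), the Python below models one widely used approach, a hash-prefix (k-anonymity) lookup, in which the service returns every 'possible' match for a short prefix and the caller makes the final comparison locally. The names `pair_digest`, `LeakIndex`, `is_leaked`, the 5-character prefix and the sample records are all assumptions made for this example.

```python
import hashlib
import hmac

PREFIX_HEX = 5  # assumption: only the first 20 bits of the digest leave the client


def pair_digest(username: str, password: str) -> str:
    """Digest of the normalised credential pair.

    SHA-256 keeps the example short; a production index would use a slow,
    keyed or salted construction to resist offline guessing.
    """
    user = username.strip().lower().encode()
    # Length-prefix the username so ("ab", "c") and ("a", "bc") cannot collide.
    msg = len(user).to_bytes(2, "big") + user + password.encode()
    return hashlib.sha256(msg).hexdigest()


class LeakIndex:
    """Service side: holds digests only, bucketed by their prefix."""

    def __init__(self, leaked_pairs):
        self.buckets = {}
        for user, pw in leaked_pairs:
            d = pair_digest(user, pw)
            self.buckets.setdefault(d[:PREFIX_HEX], set()).add(d[PREFIX_HEX:])

    def candidates(self, prefix: str):
        """Return every stored suffix under this prefix: the 'possible' matches."""
        return sorted(self.buckets.get(prefix, ()))


def is_leaked(index: LeakIndex, username: str, password: str) -> bool:
    """Caller side: send the prefix, then compare suffixes locally."""
    d = pair_digest(username, password)
    suffixes = index.candidates(d[:PREFIX_HEX])  # the only value that is sent
    return any(hmac.compare_digest(d[PREFIX_HEX:], s) for s in suffixes)


# Constructed sample records, not real breach data.
SAMPLE_LEAK = [("alice@example.com", "Summer2019!"), ("bob@example.com", "hunter2")]
INDEX = LeakIndex(SAMPLE_LEAK)
```

Because the digest covers the pair, an email address that appears in the sample data with a different password is not flagged, which is the distinction between an email-only hit and a full login/password hit drawn in the testimonial above.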