Corsha, a Washington, D.C.-based cybersecurity startup, has secured a $12 million Series A investment to bring multi-factor authentication (MFA) to machine-to-machine API traffic.
APIs, which allow two applications on the internet to talk to each other, became central to organizations’ digital transformation efforts during the pandemic. This has made APIs a prime target for malicious hackers, with Gartner predicting that APIs will make up the largest attack vector in cybercrime by this year. API vulnerabilities have recently been the cause of a number of high-profile security breaches: Peloton spilled users’ private account information; Experian exposed the financial histories of millions of Americans; and Facebook, LinkedIn and Clubhouse all had user data scraped because of poorly secured APIs.
In an effort to protect other organizations from suffering the same fate, Corsha has developed an automated MFA solution for machine-to-machine API traffic.
Typically, if an application or service wants to make an API call, it leverages a primary authentication factor like a PKI certificate or a JSON web token. Corsha toughens those requests with a one-time-use MFA credential built from the machine’s dynamic identity and checked against a cryptographically verifiable distributed ledger network. The API request is only accepted if there is a match between the MFA credential and that machine’s identity, and each API call requires a fresh, one-time-use credential, enabling zero-trust access for an organization’s API services.
“With human MFA, as soon as you get your authenticator downloaded and set up, you’re pinning access to your trusted machine. That’s what we’re doing in the API world,” Corsha co-founder and CTO Anusha Iyer told TechCrunch.
While MFA is by no means immune to hackers — threat actors have in the past been able to bypass MFA using SIM swap and man-in-the-middle (MITM) attacks — Corsha describes its patented technology as “MFA++.”
“We’re able to do this uniquely, in that there’s no central repository where we hold this secret master device where somebody could compromise us. We’ve flipped it, so the origin of the MFA happens on the machine itself. Keeping it out of sight of the attacker was key to us,” said Corsha’s co-founder and CEO Chris Simkins.