Corsha, a Washington DC-based cybersecurity startup, has secured a $12 million Series A investment to bring multi-factor authentication (MFA) to machine-to-machine API traffic.
APIs, which allow two applications on the Internet to communicate with each other, have become central to organizations’ digital transformation efforts during the pandemic. This has made APIs a prime target for malicious hackers, with Gartner predicting that APIs will be the largest attack vector in cybercrime this year. API vulnerabilities have recently been the cause of a number of high-profile security breaches: Peloton leaked users’ private account information; Experian exposed the financial stories of millions of Americans; and Facebook, LinkedIn, and Clubhouse had user data mined due to insecure APIs.
In an effort to protect other organizations from suffering the same fate, Corsha has developed an automated MFA solution for machine-to-machine API traffic.
Typically, if an application or service wants to make an API call, it leverages a primary authentication factor, such as a PKI certificate or JSON web token. Corsha fortifies those requests with a one-time MFA credential created from the machine’s dynamic identity and verified with a cryptographically verifiable distributed ledger network. The API request is only accepted if the MFA credential matches the identity of that machine, and each API call requires a new one-time credential, which allows zero-trust access to an organization’s API services.
“With human MFA, as soon as you download and configure your authenticator, you’re setting up access to your trusted machine. That’s what we’re doing in the world of APIs,” Corsha co-founder and CTO Anusha Iyer tells TechCrunch.
While MFA is not immune to hackers (threat actors have in the past been able to circumvent MFA through SIM swapping and man-in-the-middle (MITM) attacks), Corsha describes its proprietary technology as “MFA++”.
“We are able to do this in a unique way, in the sense that there is no central repository where we keep this secret master device where someone could compromise us. We have reversed it, so the origin of the MFA occurs in the machine itself. Keeping it out of sight of the attacker was key for us,” said Corsha co-founder and CEO Chris Simkins.
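An added illustration, not Corsha’s proprietary implementation and not code from the article: one well-known way to require a fresh one-time credential on every API call without the verifier holding any secret is a Lamport hash chain layered on top of the primary factor. The class names, the constructed bearer token and the in-memory list standing in for a ledger are all assumptions.

```python
import hashlib, hmac, os

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

class Machine:
    """Calling service: the seed is generated here and never leaves."""
    def __init__(self, chain_length: int = 100):
        self._seed = os.urandom(32)
        self._remaining = chain_length
    def _link(self, n: int) -> bytes:
        value = self._seed
        for _ in range(n):
            value = h(value)
        return value
    def enrollment_anchor(self) -> bytes:
        return self._link(self._remaining)  # H^n(seed), safe to publish
    def next_credential(self) -> bytes:
        if self._remaining == 0:
            raise RuntimeError("hash chain exhausted; re-enroll the machine")
        self._remaining -= 1
        return self._link(self._remaining)  # preimage of the last value sent

class ApiGateway:
    """Verifier: stores only public chain values, plus the primary factor."""
    def __init__(self, tokens: dict[str, str]):
        self._tokens = tokens  # machine_id -> primary bearer token (constructed)
        self._anchor: dict[str, bytes] = {}
        self.ledger: list[tuple[str, str]] = []  # in-memory stand-in for a ledger
    def enroll(self, machine_id: str, anchor: bytes) -> None:
        self._anchor[machine_id] = anchor
        self.ledger.append((machine_id, "enroll"))
    def authorize(self, machine_id: str, token: str, credential: bytes) -> bool:
        expected = self._anchor.get(machine_id, b"")
        ok = (hmac.compare_digest(token, self._tokens.get(machine_id, ""))
              and hmac.compare_digest(h(credential), expected))
        if ok:
            self._anchor[machine_id] = credential  # next call must reveal its preimage
        self.ledger.append((machine_id, "accept" if ok else "reject"))
        return ok

def demo() -> tuple[bool, bool, bool, bool]:
    machine, gw = Machine(chain_length=5), ApiGateway({"svc-a": "primary-token"})
    gw.enroll("svc-a", machine.enrollment_anchor())
    c1, c2 = machine.next_credential(), machine.next_credential()
    return (gw.authorize("svc-a", "primary-token", c1),  # fresh: accepted
            gw.authorize("svc-a", "primary-token", c1),  # replay: rejected
            gw.authorize("svc-a", "wrong-token", c2),    # bad primary factor
            gw.authorize("svc-a", "primary-token", c2))  # both factors: accepted
```

The gateway’s stored state consists only of public hash values, so reading it yields nothing that can mint the next credential. The chain is finite, so the machine must re-enroll when it runs out.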
Before founding the startup in 2018, Simkins worked for the Department of Justice (DoJ) as part of its national security division.
The startup’s link to the US government doesn’t stop there: in 2020 Corsha secured the US Air Force as its first customer, which is using the technology to protect data from critical missions as it moves across Air Force platforms. “Our first customer outside of the bloc was the US government, and that has been a good validator for us,” Simkins added.
The startup’s Series A investment, which was co-led by Eleven Ventures and Razor’s Edge Ventures with participation from 1843 Capital, will see Corsha expand its go-to-market efforts. The company is also on a rapid hiring spree, Simkins tells TechCrunch, as it looks to bolster its current team of 10 employees.