It has been surreal to sit around a kitchen table in a "hacker hostel" and work on something game-changing. We've been in the lab for nearly a year, and we're excited to finally share what we've been working on and announce our acceptance into Y Combinator's W23 Batch.

While our batch (YC W23) started on Monday, it really started in November when we got our interview and acceptance call. We're excited to finally share what we've been working on for the last year.

The problem we're solving

Most cybersecurity breaches are caused by phishing and credential theft. By definition, phishing and credential theft pose the largest security risk to most organizations today. While this sounds somewhat obvious, even well-known organizations with security teams are still falling victim to these attacks.

It doesn't take a nation-state actor to pull this off. More often than not, it's a teenager simply asking employees for their password and multi-factor authentication (MFA) nicely. In reality, simply having MFA is not enough, and the industry is quickly realizing not all MFA is created equal.

Where we come in

0pass is an identity platform that allows organizations to enable the most secure login mechanisms available for every login across their entire company. We replace traditional login methods like passwords passwordless methods using Windows Hello, Touch ID, Face ID, and YubiKeys.

Our mission is to make the world a safer place by defending its most important infrastructure.

We operate with three core tenants:

1. Make your concerns our concerns.

2. Never compromise on security or the user experience.

3. Deliver a consistent and easy login for employees across all infrastructure.

Why passwordless

Today, passwordless may be synonymous with convenience, but we want to drive home the idea that it is also synonymous with best-in-class security. We do that at 0pass by only using the strongest frameworks for passwordless logins.

FIDO2, "the passwordless protocol", allows users to generate PKI-backed credentials, where the private key is stored on the TPM or Secure Enclave of a device. Unlocking these credentials is usually bound by a biometric authenticator or two-factor step (like local pin + touching a USB device). When you try to log in to a website, the browser directly asks your hardware devices to complete a challenge for the identity at that exact website.

Smart Card (PIV), is the strongest form of multifactor authentication that is natively supported by every operating system and SSH. With security keys tied to a corporate chain of trust, it’s impossible for attackers to steal credentials, move laterally, or escalate privileges. A touch of the security key and a PIN unlock its private key. Only an unlocked key signs the challenge to be cryptographically verified by the OS’s smart card subsystems. No trusted user, no login.

With these mechanisms, attackers are quite literally stopped in their tracks. The employee's login methods are tied directly to their hardware. Regardless of how good the phish is, the employee no longer has a password or stealable code to give up.

We’re actively working with enterprise customers to implement 0pass at their companies and stop attackers in their tracks.

If you:

• Want a more convenient and secure login at your company

• Want to meet the highest cyber insurance and compliance standards

• Want to stop phishing once and for all

Then schedule a meeting with us today. We're looking forward to joining forces.