In this interview, GameBuz had an amazing opportunity to talk with the founders of HiveID. They are not game developers or game publishers, but what they offer can help not only developers and publishers but gamers as well, and anyone else who wants to keep their online accounts as safe as possible.
HiveID is a fraud prevention and authentication platform with flexible deployment options and can be integrated at different stages of the customer journey. As for the gaming industry, HiveID could be used as a security-centric back-end-as-a-service solution with many capabilities, so we gave them a chance to introduce and explain their product, and you can read all about it below.
GameBuz - What you’re doing is a pretty good solution for everyone basically. How did you come up with the idea of building something like this? I can assume that you’ve noticed how much the lack of security is present in many companies, but I want to hear about your timeline.
HiveID - The idea has always been there. There’s a lot of fraud on the internet, but how do you prevent it? The idea never quite clicked, up until we decided to start our previous e-commerce website which was a marketplace for game codes for PS and Xbox etc. We were hit with frauds pretty early on and there was nothing we could do. The payments were charged back and that was the only thing we could’ve done. When you start something that’s like a potential honeypot for fraudsters, you cannot use existing fraud prevention solutions because of one simple reason - you don’t have enough data on your past purchases. You’ve just started, and all the existing solutions rely on rule-based systems and they need to feed data in order to analyze it and tell you if it’s a potential fraudulent transaction or not.
That moment when we got hit by fraud is when it clicked in our minds that in order to effectively prevent it from the very beginning, we need to know who our customer is. That’s why we went into strong customer authentication. By making sure that every single user is unique and verified, you can prevent most of the fraud happening on your platform, and then you’ll be able to utilize a rule-based engine, rule-based systems. So, this is how it came up, it was a general understanding of the security space and the lack of security, and then personal experience of being hit by fraudsters and the inability to do something about it.
There’s no such thing as identity on the internet nowadays and nothing prevents you from having ten email addresses, and you as a store owner never know who is on the other end of the transaction. Is it the same human being, is it the different one, is it the potential customer, is it a potential fraudster? You just can’t base your decisions on that.
GameBuz - Did you incorporate that idea into your e-commerce website?
HiveID - No, we didn’t, because in order to work on this, we had to completely give that up and concentrate mainly on this. We did build a lot of modules when we were trying to fight fraud there, we rebuilt a lot of the things that eventually evolved into HiveID but there was quite a lot to do on this front as well, so we essentially gave that up and we concentrated on the cybersecurity space. Once we’d finished the product, we were a part of the Startup Wise Guys Acceleration Programme in Estonia which was actually a cybersecurity focused programme, and we got a lot of mentorships, connections and industry insights which was extremely helpful. Now we are completely in the cybersecurity space.
GameBuz - A lot of people were trying to bring cybersecurity on a higher level with various solutions but they didn’t succeed. It’s a tricky subject because on one side people want security, they want to have unique user accounts, but on the other side, some companies rely on having one guy with ten different accounts. How are you persuading people to use your app, to use your platform? What’s the key element that you’re selling to them?
HiveID - It depends on the industry, our platform is quite modular so it can differ depending on the use case and the needs. Some clients prefer what you’ve mentioned, and some of them are worried about customer acquisition, whether it will create additional friction. We’re not like an off-the-shelf solution, although we can be, but we’re quite flexible in terms of integration options and it can be integrated in different stages of the customer journey. Let’s say you want a full authentication solution, you can have that, if you just want the identity verification form somewhere within your system, you can have that as well and you can still minimize some of the risks, not all of them obviously, and we communicate that, but it very much depends on the industry.
If we’re talking about the gaming industry, we’re still validating the idea, but gaming is a totally different kind of ball game. You have gamers and you have game publishers, and gamers are more conscientious and they care more about their accounts than regular consumers of e-commerce websites. It’s because of the fact that most of the gamers have in-game assets that they either earn or buy and spend real money for that, and they don’t want their accounts to be hacked or stolen or taken over. Strong authentication for them would be a major plus, that’s one thing, and the second thing is there’s no such thing existing as a single sign in in gaming. For example, I would like to use the same account to sign into different games, or to different services, or the different communities, or even support channels of game publishers, and you can do all of that with HiveID.
What I’m getting at is that in gaming we see much interest from both sides, not just the business side, and therefore the adoption should be kind of more streamlined and more organic. We just started getting into gaming and we want to explore it further. We’ve talked with a lot of publishers and gamers and many of them said they’re prepared to pay for that, to protect their account, it doesn’t have to be free.
GameBuz - The security is the most important subject for all gamers, because it’s not just one game, it’s the whole account. We are rapidly moving into the digital age of purchasing games. Now the statistic shows that 55% of all sales in the world is digital, which means all sales are directed to the publishers or platforms, and the games are staying on the digital accounts. People that have about 500 games on their account would surely want to be safe.
I’m curious how you are going to tackle regulations that publishers and other countries have? What’s allowed in one country is not allowed in another, especially privacy agreements. It can be pretty tricky and in general it can be a lot of work, it can be pretty chaotic. How are you approaching that problem? Is it all countries at once, or country by country, union by union?
HiveID - It’s all countries at once. The main idea is, if you look at it from a more technical view, once the customer verifies all the information and inputs all their personal data, it’s only stored on their mobile device. It doesn’t get stored on our service, it doesn’t get stored anywhere else. When the customer logs in, when a gamer logs into the game, they can pass some of that information directly to the publisher depending on what they need.
The publisher will take the liability of storing that information obviously, depending on the rules and regulations set in their country, but it will be the customer passing that information from their home. Therefore, with this sort of transactional peer-to-peer exchange of information, and the customer being in full control of their personal data and their identity, we can stay compliant with all the data regulations in different countries and unions, by GDPR or country by country, it doesn’t matter. The sensitive data belongs to the customer and we are essentially giving back that fundamental right, so it doesn’t have to be stored by Google, like nowadays, but it will be stored on your mobile device and you use it as you wish, because it’s your data.
GameBuz - What happens if you lose your phone?
HiveID - You can make a backup copy of your data, that’s totally up to you, it can be offline, it can be on your laptop, it can be a cloud provider of your choice… You as the user decide what to do with it. We do provide you with different mechanisms, we do provide you with strong encryption, and if your data gets into the wrong hands, the mechanism that we provide is one of the strongest on the market.
It’s kind of an evolution from how the password managers work. You have the master password that only you know, so your data acts as the encryption and decryption key, and according to the tests that we were doing, it will take tens of thousands of years to brute force and to hack that password in order to get to your data. It’s safely encrypted on your device and then it’s totally up to you what you want to do with it, you can make a backup, you can change the device, in case you lose the device you can restore it etc.
GameBuz - So if someone loses everything, it can be reacquired in theory? Is it possible to reacquire some of the data, master key or anything else? As I assumed you are providing the master key, right?
HiveID - The way it works is a bit different. We have the user’s profile which is totally anonymous, it doesn’t get tied to your personal information, to your data like your first name or your date of birth, but it is tied to your biometrics. So, if you lose everything and you didn’t make a backup copy, when you create another account the system will flag that you are an existing user and then it will be able to either restore from backup, or in case you’ve lost everything, you will need to add your credentials again and verify them again.
On one hand it’s a bit of a downside, on the other hand, it's how all the password managers work nowadays. If you lose your master password all the passwords are gone, it’s up to you to protect that, the same goes for your personal information. It’s the best kind of compromise between security and usability, but at the same time you can stay very secure with your data.
You need to understand that you need to protect that master password and you also need to make a backup of your data. In case you lose it, it's not the end of the world, it’s much better than losing all your passwords because you can recreate your identity, it already belongs to you. All you’ll need to do is add your information and verify it once again, just for us to make sure that it’s still you, that’s it.
GameBuz - I saw that most of the app management is through your phones. What if someone doesn’t want to use a phone, what if someone prefers to use a desktop, or a laptop?
HiveID - Well, no, it won’t work. You can protect your game on your desktop or laptop, but you will still need your mobile device in order to sign up and approve this kind of log in from your mobile device. As I said, it's a compromise between security and usability, whatever is stored on desktop or laptop is not as secure as the mobile device. That’s the whole idea. And nowadays everyone has a mobile device of some sort. We don’t tie you into any kind of specific devices, or specific models, it can be pretty much anything as long as you can install an app from the App Store or Google Play, you’re good to go.
GameBuz - Since you are working closely with Google and Apple, what would you say is a better work environment, Android or iOS? Some people say Android is less secure, easier to breach, and iOS is a closed ecosystem. What’s your opinion of that?
HiveID - We have to distinguish between the operating system and the app developers. If we are talking about the operating system, yes, Android is less secure because of the fact that you can do a lot of things on Android that you can’t do on iOS. You can get root access, you can install apps besides the Google Play Store, you can install different certificates and things like that, and it will allow you to do that, and you can even do it remotely without the user knowing about it.
Now, that’s kind of fundamental design, I wouldn’t even call it a flaw, it’s a feature of Android and it’s a feature of iOS, kind of having more closed and more open system, it serves different markets. But then, if we are talking about the app developers, that’s where all the problems are, because the way the people develop apps on both platforms, that is what’s less secure and more secure.
I’ve seen a lot of apps on iOS, like financial apps or password managers, where people don’t do simple things like certificate pinning. It means that they don’t verify the certificate when the app goes to their own backend, and you can supply a certificate in the middle and read all the communications unencrypted, which is unacceptable. So it’s not the platform security, it’s the actual app security. If you have a sensible approach to developing apps, then your app will be equally secure on both platforms, if you’re not, it won’t be secure even on iOS, it won’t help you.
GameBuz - Thanks for explaining that! What are your plans for user acquisition in the future?
HiveID - We were thinking of separating a specific product for gaming, so apart from having a digital identity for logging into games, gamers could have, let’s say their statistics from different games all pulled into one app. They will be using it to log in and naturally we can collect the statistics and show them within the app, “Here’s your stats in that particular game and see how you compare to the rest of the players” etc. It can evolve into a separate app that they would use for all the data and all the statistics as well as their personal data and identity.
GameBuz - Did you approach any mid-size to big-size publishers?
HiveID - Mid size to big size, no, we haven’t. We had a few early stage discussions, but we understand that we are a bit early for them and we would like to test it on a smaller scale and see how it works for smaller publishers. We want to see where we bring value to them, what kind of features do we need to add, and then take it to the bigger ones and see how it works for both sides. But in gaming, even a small game can have a substantial user base, so we would like to start on a small basis and tackle some small publishers.
GameBuz - In mobile gaming most of the users are casual gamers and more often younger gamers. Younger people might not understand the features of your app and what’s good about it. How are you going to make a younger audience use your platform?
HiveID - Essentially by educating them. They have game assets they want to protect, and nowadays you can see in the news that there are a lot of data breaches. There are bad things going on. Steam has also published on their blog that they have 77 thousand accounts hacked every single month. So it’s about educating users that if they have in-game assets, and they make purchases with real currency, real money, they need to protect that, otherwise it can be stolen from them. If not today, maybe tomorrow, it’s just a matter of time.
Then if we are talking about striking a deal with the game publishers, if the button is already there in the game, the whole authentication platform allows the user to start playing the game without creating the account. They will start playing the game and they will be an anonymous user in our system, on our platform, and once they decide to protect the account, they can just create it and tie all the in-game progress to that.
GameBuz - Would there be an offer for the publisher when they, for example, take your service for half a million users and they are covering every starter account? Are there going to be tiers, collaborations with publishers where they are covering the prices of users that are using only their game, if in the future they are using HiveID, let’s say, only for Blizzard and World of Warcraft? Will there be some exclusive deals?
HiveID - There might be, it’s not something that we thought of in terms of implementing it today, but there is nothing stopping us from having exclusive deals with publishers, so yes, we are quite open to that. But in terms of the users, as you’ve mentioned covering all the user costs, initially our product is totally free for the users so it doesn’t cost them anything to create their ID and to start using it.
It’s the businesses that pay for the authentication and fraud prevention services. What I was saying when we did the interviews is that the feedback that we got from the gamers, they were even prepared to pay for it, but it doesn’t necessarily mean that we’re going to be charging. Most likely it will be a free account with some paid add-ons, like in-game purchases, it’s the same thing, but for some more advanced features.
GameBuz - I saw that the US and European Union are the main focus but what about the Asian market, have you thought about expanding, because their mobile ecosystem is totally different than anywhere in the world?
HiveID - Yeah, it totally makes sense to go for the Asian market, American, Latin American, but the thing is if you cast your net too wide, you won’t be able to concentrate on smaller things and that’s why we’re tackling region by region for the time being, and industry by industry, so that we don’t lose our focus and we can serve this particular region and this particular industry the best we can do.
GameBuz - What’s your next step in making this a widespread solution?
HiveID - We are talking to different companies now, in gaming and e-commerce, and we are about to run a few pilots and take it from there. We have quite a few companies in the pipeline, that we are talking to, and now we are toying with the idea of tackling gamers themselves and offering them the service to get the user base first before talking to the bigger publishers. This is kind of the whole business development process that’s concentrated on that, and we are taking it step by step and moving towards the wider adoption.
GameBuz - I just wanted to point out that you have a pool of people that would be interested in using your platform for security purposes. Things like two-factor authentication can be hacked, even Blizzard Authenticator, an app on the mobile that generates numbers, or EA Authenticator can be hacked.
HiveID - Yes, but the thing with the authenticators is that users don’t normally turn them on because it creates an additional step for them, and then we are back to square one, to their regular password which can be hacked elsewhere. It doesn’t even have to be that particular game or that particular website, it can be a part of a data breach somewhere else where they have reused the same password, that’s how it happens in real life.
GameBuz - Most of the people, me included, are using the same password on a couple of websites but with this app, you just need to authenticate yourself.
HiveID - Yeah, you don’t even have to have a password.
GameBuz - Well, thank you for your time and explaining how your app works! You have a really good platform, a really good foundation to build something in the future that will be widely used.