When serial entrepreneur Kevin Surace was asked to assess technology and help reinvigorate Token, a startup with roots at Rochester Institute of Technology, his answer was: “Why didn’t you call me sooner?”
Surace, an RIT alum and trustee and a widely known tech innovator, saw promise in the company. Last year, he became actively involved and is chair of Rochester-based Token, a startup focused on wearable biometric authentication products.
If Token sounds familiar, it is.
Launched by RIT graduates in 2015, Token has new life, pivoting to the lucrative enterprise security market and away from the consumer arena. The company is in hiring mode, announced a $13 million Series B investment by Paychex founder Thomas Golisano’s Grand Oaks Capital at the end of June, and appointed a new CEO, John Gunn.
Gunn predicts Token, which now has more than 20 employees, will boost its staff to more than 50 people in the next year—most of those positions in research and development, sales and marketing. While the company has a physical location on East River Road in Henrietta, it has employees who work remotely as well.
“As a technology company, in the cybersecurity space … the technology moves so fast. So, having the best developers, best engineers is really critical to our success. It’s critical to any successful technology company,” Gunn says. “If I’ve learned one thing over the last 30 years, it’s that you got to have great technology. To have great technology, you have to have a great development team. We’ve got a really strong development team now. And that’s where we’re adding more super talent to that group.”
Token estimates the addressable market for its products is valued at $10 billion. While the business has yet to generate revenue, it is close, Gunn says. Roughly 100 potential customers are evaluating beta versions of the technology at the moment.
“My personal focus for profitability, my personal focus is growth,” Surace says. “And with growth comes profitability, and that could be next year or the year after.”
He points to the high valuations of cybersecurity companies. Funding for cybersecurity businesses nearly doubled from 2020 to 2021, Crunchbase data shows. Venture dollars nearly reached $6 billion in the first quarter of 2022, up nearly 50 percent from last year. In 2021, investments crossed $20 billion.
“Cybersecurity is at the top of the heap in terms of valuation,” Surace says. “So, it really pays to drive the revenue up. You can take advantage of those high multiples in cybersecurity because cyber (security) is a very big issue today for everybody. That’s what we’re excited about.”
Roots in RIT
Token’s identity technology is the brainchild of RIT graduates Melanie and Steve Shapiro, then husband and wife, who launched its first prototype in 2017. Their third startup together, the company manufactured a biometric, encrypted ring with a fingerprint sensor and two-factor authentication.
Focused on consumers, the wearable ring was expected to be used for computer logins, mobile payments, transit cards and the like. In 2018, the Shapiros said the company had sold out its initial preproduction run.
“We believe that identity is at the core of all of the problems that we have today, and we want to change that,” Melanie Shapiro said in 2018. “We are creating an ecosystem that we want to live in, too. Our hope is to eradicate identity fraud and to have our customers able to securely carry their identities with them wherever they go.”
The Shapiros’ idea drew investors, including $1.75 million from Empire State Development’s venture capital fund. They had already proven successful with instant messaging software Digsby, which sold to Tagged for an undisclosed sum, and Case Wallet, a hardware wallet to securely store and send Bitcoin, had already attracted funds. Locally, Case Wallet became the first to get funding from RIT’s Venture Fund.
By 2019, Token had beta testers at Microsoft and had completed interoperability tests for certification to enable the use of its ring in contactless payments. Melanie Shapiro shared the company’s journey in a post on Medium, reinforcing its mission—“to enable a keyless lifestyle, both digital and physical, so you can safely access everything you need in life without cards, keys, or passwords—just the ring on your finger.”
However, as Token worked to perfect its product, other technologies geared at consumers began to surface. For example, smartphones now make contactless payments seamless and secure.
“Token famously had a wonderful consumer product, and it was beautifully designed, and amazing, and, you know, really a proud point for it, and Rochester, etc., etc.,” Surace says. “Only one problem, (which) is the time it took to make a ring and get to something that at least was demonstrable; the world had moved on. And this is not untypical for consumer products.”
Meanwhile, ransomware evolved and expanded its reach. In 2019, it moved past malware as the No. 2 primary cause of data breaches, surpassed only by phishing, according to the Identity Theft Resource Center.
Data breaches are a threat to government and private-sector organizations alike. In the first half of 2022, there were 817 publicly reported data compromises in the U.S., the Identity Theft Resource Center reports. Many breaches go unreported.
A July IBM Security report found the global average cost of a data breach had reached an all-time high of $4.35 million for the 550 organizations it studied. Eighty-three percent of these organizations have experienced more than one data breach.
Another factor rising over time is the after-effects of breaches, which linger long after they occur—nearly 50 percent of breach costs are incurred more than a year after the breach, the report states.
For Token, this scenario represents another chance. Steve Shapiro left the company in November 2018. The following year, a lawsuit alleging financial irregularities was filed against the company. (The case has since been closed.)
Surace says Melanie Shapiro recognized the need to step back from her leadership role for the company to move forward.
“She still has stock in the company, she wants it to be very successful,” he says. “We didn’t buy it from her or anything else, but it’s time to pass the baton.”
Token today
While the original focus of the Token ring did not succeed as expected, the company had a side project that allowed for secure access to online applications. By storing biometrics in the ring, and not on the network, a user can access an application using the FIDO2 protocol for authentication. (FIDO Authentication standards were developed by the FIDO Alliance, an open industry association that aims to help reduce the world’s over-reliance on passwords.) Token technology makes sure that its ring is registered to a particular user and nobody else.
“And if you take the ring off, no one else can use it. No one can get access to your applications or data,” Surace says. “This is the solution for ransomware and ransomware is the biggest cybersecurity issue.”
He approached Golisano and his investment firm, Grand Oaks Capital.
“(I) said, ‘I believe we have the solution to ransomware,’” Surace recalls. “‘The company didn’t know they had it, but it’s the solution…’ Tom got it, and his team got it and funded the company quite well and we were off to the races.”
“We have great faith in the Token team and are confident in their ability to be a leading provider of authentication and cybersecurity solutions that have incredibly great ROI,” says David Bovenzi, chief investment officer at Grand Oaks. “Token has a short path to revenue and then rapidly scaling the business, and cybersecurity has always been a recession-proof business.”
In total, Token has raised $22.9 million in funding over seven rounds.
When Surace came to Token, most of its staff were younger people. With enterprise cybersecurity as a focus, he says it’s important to lean on experience and have a diverse team.
“You need people that have decades of experience in cybersecurity, and decades of experience of building big businesses to sell to enterprises, and that’s what we’ve been able to start to put together,” he says.
Surace hired Gunn as CEO in March. Before joining Token, Gunn was chief revenue officer of OneSpan Inc., a SaaS-based digital agreement security business. He has held positions at various technology companies including VisionTek and Aladdin Knowledge Systems.
“Authentication is absolutely broken. Consider that for more than five years, eight out of 10 data breaches and successful ransomware attacks have been the result of compromised user credentials,” Gunn says. “A bulletproof approach to user authentication that works with existing solutions greatly enhances security and is the ultimate in user convenience; (it) is certain to be a winner.”
With Token’s integrated fingerprint sensor, users get the benefits of multifactor authentication and password-less login support in one step.
Ersin Uzun, the Katherine Johnson Endowed Executive Director of RIT’s ESL Global Cybersecurity Institute, notes that usability is key when it comes to cybersecurity.
“A lot of the multifactor authentication is adding a step and a delay, so it is a hit in terms of productivity,” Uzun says.
He hasn’t examined Token’s technology in detail, but says the company is among those addressing the need for usable workflows in multifactor authentication.
Surace believes Token has a product that stands apart. Currently, he says, there is no competition for a ring that uses the FIDO2 protocol.
“Frankly, making a ring with the amount of electronics is a heavy lift. It’s not something you do in a weekend. It’s not like a software product. It’s very, very, very hard,” he says. “So, there’s no one on the horizon.”
He adds: “Our biggest competition is, ‘I’ll do nothing rather than I’m going to find another ring.’ There are no other rings.”
Big opportunity
Cybersecurity is being taken more seriously, Uzun observes. On the consumer end, smartphones that use face recognition software, fingerprints or applications that require push notifications have become commonplace.
“It is being used in some enterprise solutions, like USB keys, some of them actually authenticate the user with their fingerprint,” Uzun says. “But fingerprints, or biometrics by itself, is not very strong in terms of authentication, simply because they’re static, they can be copied.”
Combining variables—biometrics with strong cryptographic protocols, creating a smarter barrier than a thumbprint—has become essential, opening up a sizable opportunity for Token.
“When you put your biometrics on your phone, or if they put them all in one central place on a service, hackers could steal that,” Gunn says. “Your biometrics for us are only on the ring, there is no WiFi connection. There’s no way for hackers to steal that. So, your biometrics are absolutely safe.”
While many organizations have become more willing to invest in cybersecurity, it has yet to catch on in a bigger way. Those that haven’t been a victim of a breach are hesitant to invest time and resources toward security. The IBM report found that 43 percent of surveyed organizations are in the early stages or have not started applying security practices across their cloud environments, incurring more than $660,000 on average in higher breach costs than those with mature security across their cloud environments.
“Businesses need to put their security defenses on the offense and beat attackers to the punch. It’s time to stop the adversary from achieving their objectives and start to minimize the impact of attacks,” said Charles Henderson, global head of IBM Security X-Force, at the report’s release.
Because of its unique nature, Token could gain a foothold in the giant cybersecurity market. Plus, the enterprise world is more informed, and organizations are beefing up security budgets, Uzun says.
“The market is ready,” he says. “Cybersecurity is the (sector) that has over 2 million job openings, unfilled in just (the) United States.”
Gunn says Token has advantages in its technology, people, investors and a market that’s hungry for solutions.
“We’re in the business of stopping hackers and the losses to hacking,” Gunn says. “The average loss for a ransomware attack has doubled over the last year. We have an answer to an urgent and massive business problem.”
Token’s biggest challenge, he notes, is building a business that can scale rapidly to meet demand. The company, which works with a couple of vendors, will begin production in October.
“We have a very good chance for positive EBITDA in the next year,” says Gunn, referring to earnings before interest, taxes, depreciation, and amortization, a profitability metric that many startups use.
He has his eye on connections and talent coming out of ESL GCI. Uzun says the institute is at capacity.
As for Rochester, it will remain Token’s home base. Surace, who has a home here, visits frequently.
“I think it has the opportunity to be a very large company and we have the best backer in Upstate New York, who believes in us, Tom Golisano,” he says. “I don’t think you can do much better. We’ve got all the cards are stacked in our favor.
“There’s a lot of work to do, a lot of heavy lifting, but we’re going to production this year,” he adds. “And by the end of the year, we’ll have rings in production, and next year in very large quantities. So, we’re excited where this goes. The industry and the channels excited for us. We’ve got amazing people we’ve hired. It’s a true turnaround story.”
Smriti Jacob is Rochester Beacon managing editor.