Tozny Awarded NIST Grant To Secure IoT-Enabled Smart Homes And Transit Systems

Galois subsidiary selected as technical lead for National Strategy for Trusted Identities in Cyberspace (NSTIC) Pilot Program to build password-free authentication platform for IoT systems

Portland, OR – November 09, 2015 – Amid growing concerns that IoT devices are inherently vulnerable to attacks that could compromise users’ information privacy and security, Galois today announced that it has been awarded a $1.86 million NIST National Strategy for Trusted Identities in Cyberspace (NSTIC) grant to build a secure data storage system that enables next-generation IoT capabilities without sacrificing privacy. Galois’ authentication and mobile security subsidiary, Tozny, will serve as the technical lead for the NSTIC pilot program.

The Tozny-led team will build a data storage and sharing platform that guarantees security and enables new use cases for collaborative connected devices – with an initial focus on allowing consumers to securely store and share private information across IoT-enabled smart homes and transportation systems. The system will protect the users’ data from being involuntarily shared, while at the same time enabling multiple IoT services and devices to easily collaborate in better serving smart home and connected device users.

NSTIC is a White House initiative to work collaboratively with the private sector, advocacy groups, public sector agencies and other organizations to improve the privacy, security and convenience of online transactions. The pilot program will initially focus on two NSTIC pilot program applications:

  • Smart Home IoT Authentication – Due to lack of standards and security expertise, many commodity IoT devices and cloud services have not been designed to be secure, easy to use, and interoperable. Furthermore, elements of the system that are authenticated typically use weak passwords for login. IOTAS is already operating a smart-home pilot in apartment units in Portland, Oregon and San Francisco, CA. NSTIC support will allow IOTAS and Tozny to collaborate to add transparent but privacy-preserving authentication and encryption to this pilot.
  • Transit IoT Authentication – Many municipalities are deploying “mobile ticketing” in their public transit platforms, which allows riders to buy transit tickets on their mobile phone and use the phone itself as the ticket. Password authentication is a barrier for users suffering from “password fatigue” – particularly acute for mobile devices where inputting sufficiently complex passwords is challenging. NSTIC support will fund collaboration between Tozny and GlobeSherpa to pilot secure, password-free authentication.

The pilot program team includes Tozny, which has built a secure, privacy-preserving, and password-free cryptographic authentication system; its parent company Galois, which builds open and secure technologies for government and commercial organizations; IOTAS, which provides smart-home technology for apartment buildings; GlobeSherpa, a mobile transit ticketing company; SRI International, the non-profit research institute and leader in biometric authentication; and 6 Degrees Privacy Consulting, LLC, which specializes in privacy policy.

“In the rush to build IoT products and services, security and privacy is often ignored until it’s too late,” said Isaac Potoczny-Jones, founder of Tozny and Galois’ Principal Investigator for the project. “The collective vision of this team is to enable data sharing between everyday connected devices, while putting security and privacy first. By the end of the pilot, users will be able to create accounts and authenticate to their home without passwords; prove that they’ve purchased transit tickets just by walking to their bus; and have their home and transit systems securely communicate and collaborate – all while preserving the user’s privacy.”

Tozny anticipates broad deployment beyond the initial set of users who opt into the pilot program. The Tozny framework was designed and implemented with NSTIC’s guiding principles as its foundation. The project aims to pilot an ecosystem where 1) mobile devices are trusted and express authentic user identity, 2) users can log in securely without managing complex unique passwords for each device, and 3) privacy is enhanced through increased user control and transparency.

For more information, visit

About Galois

Galois has been performing computer science research and development since 1999. With many of the world’s foremost experts in computer security and computer science, including a world-class team of programmers and engineers, Galois is uniquely positioned to take on the world’s most difficult challenges in computer science. Galois is a trusted partner in the federal government and defense industry, proving the feasibility of cutting edge research as it applies to critical systems. Technology companies turn to Galois to build reliability, safety and security into their product development efforts from day one. For additional information, visit

About Tozny

Tozny is a Galois subsidiary formed in 2012 to commercialize a mobile authentication platform designed to be easy for end users and developers. Tozny tackles one of the weakest links in cybersecurity today: the password. It replaces your username and password with something you know and love: your phone or wearable device. Tozny’s out-of-band transaction verification system combines world-class security with excellent design and usability for a seamless and secure experience.