Cipherise Pty Ltd, the company behind the passwordless login system used by the ANU, is in the process of liquidation, after its creditors placed the company into external administration last month.
A few days after it entered administration, the company’s shareholders resolved to appoint liquidators, meaning that the company’s business will be sold to satisfy debts rather than saved or turned around, as would be done in an administration.
The ANU announced on November 24 that Cipherise users at the University must return to using password-based logins from November 30. The Cipherise app will not function from that date.
Cipherise’s demise marks a big hiccup in the University’s plan to become passwordless, a path it adopted after suffering a massive cybersecurity breach in 2018 in which the use of insecure passwords was a factor. The rollout began in mid-2022 with students encouraged to sign up to use the app. In May 2023, it was estimated that 50% of current students and 80% of new students had signed up to use the service.
The Cipherise product was originally marketed by a Melbourne-based start-up called Forticode, which registered the new company Cipherise Pty Ltd in November 2022. Notices published on the Australian Securities and Investments Commission website reveal that Forticode has been in liquidation since April 2023 after its shareholders voted to voluntarily wind up the company in January.
The winding up notice for Forticode indicates that it had engaged a restructuring firm, WLP Restructuring, suggesting the company may have entered into financial difficulties around that time.
In the year since the new Cipherise company was registered, an alliance of major tech firms including Apple, Microsoft, and Google implemented support for passwordless device-based “passkeys” in their most recent operating systems and web browsers.
This passkey system works very similarly to Cipherise’s technology: both work by having users accept a login request on their device, using a passcode or biometrics stored on the device to verify their identity. In recent months, the ANU has also mandated the use of a second factor of authentication to log in, with the most common method being selecting a number displayed in the Outlook app.
Earlier this year, the University said Cipherise was chosen over more established start-ups because it is Australian-owned: “Cipherise stores its data within Australia and is therefore subject to Australian data and privacy laws and protections”. However, throughout its roll-out, students had complaints about the system, citing inaccessibility and inconvenience when using the mobile phone authentication. There were also concerns that the system overlooked students from lower socio-economic backgrounds, who did not own a device with biometric capabilities.
The ANU’s rollout of Cipherise’s software was in a transition phase when the liquidation notice was published on the ASIC website, with users still allowed to use their username and password combination even if they were registered with Cipherise.
An ANU spokesperson told Woroni that while Cipherise’s exit from the market was “unexpected”, they “remain committed to a passwordless solution” and will “explore alternatives and develop options in early 2024 for a new solution”.
As of the 30th of November, the University will no longer use Cipherise. Instead, students will be required to log into information infrastructure such as Wattle and the Interactive Student Information System (ISIS) using their username and password and existing multi-factor authentication.