The Toptal Approach to Reimagining Authentication and Biometric Security

Toptal possesses a vast network of tech professionals, and we are incredibly proud of having the largest distributed workforce in our industry. This is especially true for our dedicated development team, who work tirelessly to make this complex system appear effortless. Unlike traditional tech companies with their extensive infrastructure (office spaces, servers, standardized equipment, and security resources), we rely on readily available technology and services.

Traditional companies grapple with even a handful of Bring Your Own Device (BYOD) users, but at Toptal, all our hardware is BYOD. Our platform-agnostic approach and reliance on a distributed network raise a critical question: How can we ensure and maintain security?

This challenge has always been a priority, and we consistently strive to be ahead of the curve. Last year, we focused on designing multi-layered authentication and onboarding procedures. Our trials and pilots in the first quarter of 2016 yielded promising results, leading us to announce our findings and rollout plans.

We aim to familiarize all Toptalers with these new solutions by the end of the third quarter, with full implementation expected by year’s end.

Addressing the Security Challenge

Ensuring the identity of individuals accessing our network is paramount. Most of our team members collaborate remotely, having never met in person. This raises concerns about compromised security or potential internal threats.

To mitigate these risks, we’ve adopted a two-pronged approach:

Integrating personal reliability tests into our screening process.
Implementing a new layer of biometric security.

Our inspiration for these tests comes from the Personnel Reliability Program (PRP), developed by the U.S. Department of Defense. This program identifies individuals with the highest levels of trustworthiness, considering their past conduct, behavior, and loyalty. Our newly established Internal Security Division (ISD), comprised of seasoned military intelligence professionals, will continuously assess PRP compliance.

Security starts with personnel. If you can’t trust your people, all the tech in the world won’t make a difference.

Platform access will be granted solely to those meeting the stringent PRP criteria. However, not meeting these standards won’t lead to termination or demotion; it will simply restrict access to sensitive information based on an individual’s suitability for certain roles.

To maintain ongoing compliance, all Toptal members will sign a revised non-disclosure agreement and undergo periodic evaluations. This agreement outlines protocols for handling confidential information and details repercussions for any violations.

Given our distributed structure, we also rely on input from our team members. Our monthly TopTeam reports will incorporate a personal reliability questionnaire, enabling anonymous feedback on any concerning coworker behavior or activities.

Lt. Col. David Finci, Head of Toptal’s ISD, explains the rationale behind incorporating anonymous reporting:

“Our intention is not to sow discord, but rather to ensure individual accountability. We believe it’s crucial for network members to have a mechanism for addressing concerns about their colleagues’ professional conduct and integrity. This open communication channel is vital for us to receive timely and actionable insights.”

Network members who receive full PRP clearance will be issued security tokens and one-time pads for encryption in case of a security breach. Additionally, they will be provided with ID cards containing scannable QR codes and/or barcodes.

Adherence to these security measures will be mandatory. Any loss or theft of ID cards will be treated with utmost seriousness. These cards are a temporary solution and will be phased out upon the launch of our new security platform, anticipated in early 2017.

Biometrics: A Practical but Imperfect Solution

Last year, we inadvertently stumbled upon the potential of quasi-biometric security. One of our team members decided to get our company logo tattooed on their arm, sparking the idea of using this approach for QR codes. Nobody wants to carry extra cards, and QR codes are discreet enough to be tattooed or even etched onto fingernails.

No, of course we won’t ask developers to tattoo our logo or QR code. Not yet anyway, that’s Phase Two.

While the tattoo idea was a humorous anecdote, it sparked a genuine question: Why not leverage biometric technology in conjunction with existing tracking solutions?

The world is steadily moving towards a passwordless future, and Toptal aims to be at the forefront of this transition. Why burden users with passwords, QR codes, two-factor authentication, or security tokens if superior security can be achieved without them?

Previous attempts have been made using personal devices like smartphones and fingerprint scanners, but these methods have vulnerabilities. For instance, smartphone fingerprint scanners can be circumvented with simple tools like an inkjet printer or a knife.

Smartphone fingerprint scanners can be beaten by an inkjet printer, or a frustrated Tim Roth with a meat clever.

Furthermore, using smartphones for authentication introduces a new set of challenges.

Bluetooth LE: Making Personal Security Seamless and Robust

Losing a phone is a serious security risk. While anti-theft and anti-loss technology exists, it’s often ineffective or requires user intervention. Additionally, relying solely on smartphones for authentication is insufficient when users need to access their work devices.

A lost phone is problematic because users are often unaware of the loss. By the time they realize it, it’s often too late.

Security tokens and dongles, though effective, can be inconvenient to carry and are easily misplaced. That’s why our ID cards are a temporary solution, intended to be replaced by affordable, wearable Bluetooth devices within approximately nine months.

While Toptalers will be required to carry these devices at all times, it won’t be burdensome. Bluetooth LE is incredibly energy-efficient, and these devices can be easily secured, adding an extra layer of authentication (specific details are confidential due to NDAs).

Our initial tests involved inexpensive fitness trackers and anti-loss tags to assess feasibility. While successful, these off-the-shelf devices didn’t fully meet our requirements, prompting us to design our own, a surprisingly straightforward process.

Introducing the Toptal TopBand

We collaborated with reputable Chinese Original Equipment Manufacturers (OEMs), providing them with our specifications. They responded with prompt quotes and delivery timelines, streamlining the process.

We are currently evaluating various designs and form factors for the Toptal TopBand, as well as finalizing the software. Beyond serving as wireless security tokens for phones and computers, these devices will also track work and sleep patterns.

This additional functionality stems from the fitness tracker technology upon which the TopBand is based. It was more cost-effective to utilize existing solutions than to develop custom hardware and eliminate features.

Here are the initial product specifications:

Bluetooth 4.0 chip by Dialog
Accelerometer by ADI
50mAh lithium polymer battery by Sony (40-day battery life)
Vibration motor, three-LED user interface, notification speaker
Estimated dimensions: 8mm x 15mm x 35mm
Estimated weight: 8g (excluding strap or clip)

The design is not yet finalized, so these dimensions are approximate. We are considering aluminum, polycarbonate, or a combination of both for the casing, aiming for a sleek and modern aesthetic. The device will be IP67 water-resistant, suitable for everyday use, even in the shower.

We believe the TopBand will be unobtrusive. It’s compact, has a long battery life, can be worn as a fitness tracker on the wrist or attached to a keychain, and fits comfortably in a wallet. It can even function as a proximity alert for misplaced belongings.

Users can choose to simply pair the TopBand with their computer as a security device, but its functionality extends far beyond that.

Here are some key features:

Enhanced hardware security: Restricting platform access when the TopBand is not paired or within range.
Locating misplaced items: Finding a lost phone or using the phone to find the TopBand.
Notifications: Receiving alerts through vibration and audio alarms.
Activity tracking: Monitoring physical activity to prevent burnout and track work habits (when worn).

This last feature, while potentially controversial, offers valuable insights. For instance, it allows team members to see if colleagues are online and working, aiding in time tracking. Rest assured, Toptal will not collect or use this data without explicit consent; it’s purely for individual benefit and productivity enhancement.

From Toptal Project to Pet Project

During the prototype phase, a group of Toptalers, passionate about their furry companions, decided to repurpose the TopBand as a pet tracker.

With the hardware readily available, it was simply a matter of modifying the code. We encouraged them to test the device on their pets, as the data collected would be invaluable in preventing potential misuse (e.g., individuals claiming to be working while their pet-wearing-the-TopBand is elsewhere).

While still in development, the pet-tracking functionality shows promise. It currently monitors basic activity, detects sleep patterns, and vibrates if a pet strays beyond a designated range. A more humane alternative to shock collars, wouldn’t you say?

It may sound weird, but there is nothing to worry about. We are assured pets will love our Bluetooth implants. And so will our developers.

The main challenge lies in sensor calibration to accommodate various pet sizes, from small Jack Russell terriers to large Akita Inus.

We can’t disclose further details because our developers have transformed this side project into a serious venture. They have secured funding for a limited commercial release in 2017, which will pave the way for a comprehensive pet product line.

The team is already developing the next-generation pet tracker with enhanced features such as wireless charging and subdermal implant capability.

Subdermal Implants: A Safe and Effective Solution

Subdermal implants often carry negative connotations, fueled by conspiracy theories. However, veterinary professionals affirm that animals larger than rats don’t even notice these implants. In fact, they are often safer and more comfortable than most smart collars. Microchipping is already a widely accepted practice for pet identification and reducing stray populations; this technology takes it a step further.

Previous limitations in RFID technology restricted the functionality of subdermal implants. While commendable work is being done in this field (with Dangerous Things emerging as an innovator), the advent of smaller and more affordable Qi wireless charging technology allows for more feature-rich implants.

This advancement enables engineers to incorporate more sensors and always-on Bluetooth connectivity, expanding the possibilities.

However, this technology is still under development, with the first prototypes expected no earlier than 2018. Due to strict animal rights laws in mainland China, our hardware partners cannot conduct trials there.

See? Does that look like one happy pussycat or what?

Therefore, testing will take place in Cambodia. We have been assured that the research will adhere to ethical standards, ensuring ethical treatment of all animals involved. Our team members are eager to test the implants on their own pets and are committed to their well-being.

Pushing the Boundaries of Innovation

In a testament to Toptal’s adventurous spirit, two team members have volunteered to test the implants themselves. While human trials are not yet feasible, this demonstrates a willingness to embrace this technology. As key contributors to the TopBand’s development, they are keen to validate the concept firsthand. We’ve been told that the feeling of having the implant becomes second nature over time.

Human subjects are needed to test wireless charging and other functionalities. Training animals to remain stationary for extended periods for testing purposes is impractical. As a temporary solution, we are exploring ways to allow animals to move freely while recharging their implants, which currently involves attaching a power bank and Qi charging mat. For shorter-duration tests, we plan to utilize “cat condo” cages and catnip to encourage the animals to stay within the charging zone.

Don’t worry, Big Brother won’t be watching you. Since we are a distributed network, everyone will be watching you!

Formal human trials require extensive planning, regulatory approvals, and resources that are currently beyond our scope. However, our volunteers have signed waivers to proceed with the implant procedure. To navigate legal complexities in the EU and US, they found a willing clinic in Brazil. As an added bonus, the clinic offered a discount on gynecomastia procedures.

Toptal is seeking more volunteers, and we are confident we will find them. After all, Google attracted thousands of people willing to pay $1,500 for a wearable device that was later discontinued, and they still considered it a success! Those early adopters even embraced the nickname “Glassholes.”

One Toptal volunteer summed it up perfectly:

“I’d rather have an avocado-sized implant in my groin than Google Glass on my face!”

Disclaimer: No cats were harmed during the creation of this content.