In partnership with

At PreSeed Now we like to bring you startups first, but sometimes it’s worth catching up with a company we’ve previously featured to find out how they’re progressing.

That’s especially true if they’ve made a compelling pivot or expansion of their offering, and I think you need to know about it.

So today, let’s check in with Everlink, which does clever things with sound and is now ready to talk about a security offering it calls Wavekeys.

If you’re a Premium subscriber (and you should be as you’ll help keep PreSeed Now in business as a valued part of the UK early-stage ecosystem!), you can check up on the progress of any startup we’ve featured via your login to the Startup Tracker.

Premium subscribers also get some extra info in this update.

– Martin

Read newsletters, not spam

Tired of newsletters vanishing into Gmail’s promotion tab — or worse, being buried under ad spam?

Proton Mail keeps your subscriptions organized without tracking or filtering tricks. No hidden tabs. No data profiling. Just the content you signed up for, delivered where you can actually read it.

Built for privacy and clarity, Proton Mail is a better inbox for newsletter lovers and information seekers alike.

Newsletters without the noise

Everlink wants to make enterprise logins easier and more secure… with ultrasound ‘Wavekeys’

Sometimes, it can take a while for a startup with compelling technology to refine their go-to-market offering.

When we first spoke to Everlink two years ago, the startup had developed tech that was able to allow fast, seamless wireless communication using ultrasonic keys.

At the time, they were exploring use cases such as allowing authorised people to access a secure car park in a cost-effective way when alternatives like SMS were impractical, reducing audio interference during video calls, and footfall monitoring to track exactly who is in a physical space such as a university lecture hall.

By the time we caught up with Everlink as part of a wider startup catchup piece in December last year, they had honed in on authentication as a use case, exploring things like passenger check-in for shuttle buses that businesses use to get their staff to work. The tech can allow passengers to check-in without even unlocking their phone.

While Everlink is still working on that aspect of its product, and expects to deploy a live version with a significant customer soon, founder Isaac Harmer and his team have been busy working on a bigger market opportunity: cybersecurity and removing friction from business user authentication.

To explain what this means in practice, we caught up with Harmer to find out more.

This conversation has been edited for clarity.

MB = Martin SFP Bryant, IH = Isaac Harmer

MB: How has Everlink evolved since we last spoke? Tell me about this new focus on ultrasound for cybersecurity.

IH: Historically, we’ve been focused on proptech, event tech, those types of non-security use cases. But something we had noticed, with the rise of cyber attacks right now, the total cost of cyber theft is predicted to be around $15 trillion by 2030.

It made us think how we could apply our expertise in ultrasound, but also the properties of ultrasound, to potentially build a solution that adds more security than is currently being offered.

The first step for us was to look at the trends right now. Passkeys are popular now, and the idea is they are unphishable. If an attacker gets you onto a malicious website and tries to get you to give them your Passkey, they can't reuse it on its own.

So our first step was that we needed to make ultrasound unphishable.

We identified that the enterprise access-management and identity market was the real battleground. That's where attackers are trying to disrupt services and get cyber attacks in through there.

So we spent quite a long time trying to build, essentially, a new ‘sonic key’, and we've gotten to the point where we've developed what we're now calling a Wavekey.

The reason why we're calling it a Wavekey is that it’s essentially a sonic key, which changes at a sub-second level. The critical point being is that it changes faster than a network call, so if an attacker tries to get it from you through a phishing website or whatever, by the time they receive it and reuse it, it's already obsolete and outdated.

This is based on our old IP, and there are some very secret special things which we've also filed new IP on. It's taking that best of our previous technology but also incorporating some new innovations in there.

MB: So if Passkeys exist as a painless and secure way to log into services, why does the world need your Wavekeys?

IH: Passkeys are resistant to pre-authentication attacks, but they are susceptible to post-authorisation attacks.

Once you've done your Passkey login, you are granted a session token, possibly in the web browser, and that might say you’re good to do whatever you want for the next two hours. An attacker can steal that granted authentication token, and then they can use it and pretend to be you and do whatever they want during that time.

There are also remote access attacks, where if they can get a bit of malware on your laptop when you walk away from it, they can control your mouse and keyboard. Because you've already logged in and done your Passkey logins, they can do everything under the sun whilst you're away and not noticing that something bad's going on.

Or they can get you to give them your Passkey and read their credential in such a fast pace of time that it can spoof that it's you.

So Passkeys are hailed in the market as this new amazing solution, but in today's market, cyberattacks are escalating so quickly. The market is shifting to Passkeys, but attackers are not going to just keep doing what they’ve previously done.

The Chief Information Security Officers of large enterprises are being told to make sure they don't get attacked, but at the same time, they’re being told to drive efficiency by minimising the amount of time employees spend on authentication, because it kills productivity velocity.

So the poor old CISO has to now deliver a solution which is more secure than anything they've ever had before against criminals who are now empowered with AI and have drastic scalability to do very complex social engineering attacks, but they also need to make it all less time-consuming for their employees.

MB: What is the user experience like with your technology?

IH: From the user side, let's say I have an app on my laptop which I use to authenticate. I’d have an app on my phone that I would do a facial scan with at the start of a day. That would send a Wavekey to my laptop… and that’s it.

But we don't actually need an app on the user's laptop. It can work through a web browser. So the start of my day I’d be logging onto Salesforce, I’d click login, it would just do a web browser pop up. That would be my Wavekey page, and everything I'd log into there for the rest of the day would go through that. So if I logged into Slack or I did something on Salesforce, that tab would be accepting the sonic key every time from my phone.

And then if I walk away and someone tries to do something on my laptop, as long as my phone’s with me, they can't do anything.

Enterprises may want to re-authenticate through the day with a facial scan maybe twice a day. It's completely up to them.

MB: Who do you see as the customer for this?

IH: We want to sell to companies that handle authentication, so the tech can be built into existing authentication systems. Think of things like Salesforce Authenticator, Microsoft Authenticator, Google Authenticator, or OneLogin.

We are building this into an SDK, so that any identity provider can put it into their identity app. Enterprises could put it into their own custom authentication software, too.

I also want us to really own the ultrasonic piece of the market, and we're going to make that one bit of technology as strong and fast and efficient and reliable as it can possibly be. I think that we just need to focus on doing one thing really, really well, and then supply that to the guys making companies more secure.

MB: What are the next steps for you with this tech?

IH: We’ve just filed a new patent, and we have a demo coming out which is going through pen testing. We've already had third parties look through the maths and the science behind all of it, and they have given us the thumbs up on that.

So now we're putting it through more significant pen testing. We've done internal tests on our side and they’ve all come back green. But we need to get more rubber stamps to prove the credentials of it. We've already secured one pilot. We're looking for maybe one or two more with some IdPs.

We can have a commercially ready SDK on our current stack within two months. But there will be issues, and there will be things we want to improve and enhance.

Part of the point of this pilot is for us to work with identity providers or IdPs and understand the architecture of how they operate, so that we can customise our SDK so that it fits that missing jigsaw piece into them.

We're hoping to have this deployed within the next six months, and we want to build on our momentum as quickly as possible.

Back next week

We’ve got a couple of compelling startups for you in next week’s editions. We’ll see you in your inbox then!