Passwords are a company’s first line of defense against hackers, but are often the weakest. Beirut-based Myki wants to change that with its password management tool in a region where cybersecurity is still an afterthought.

It started when Priscilla Sharuk’s grandmother kept forgetting the password to her Skype account, which she used to call her son in the U.S. from Beirut. “She was diagnosed with Alzheimer’s,” says Sharuk, who’s 28. “Slowly but surely this process became more and more difficult.”

It was early 2013, and Sharuk, a landscape architect, contacted her friend Antoine Jebara for help. A skilled computer engineer, Jebara crafted a hardware device with a USB port that automatically logged into Skype when plugged into a computer, eliminating the need to remember a password.

The device was crude, held together by duct tape, but it helped Sharuk’s grandmother. Jebara then built one for himself and Sharuk, but this time with a layer of security. He added a fingerprint scanner. Now they could sign into their accounts—from Facebook to Gmail—with the touch of a finger.

Pleased with their gadgets, the pair presumed there were other people searching for a simple and secure way to sign into accounts, and formed Myki four years ago to sell their password management device. They didn’t get far. By 2014, smartphones included fingerprint scanning technology, making their gadget redundant.

Since then, Sharuk and Jebara have repositioned Beirut-based Myki, making it one of the first cybersecurity startups in the Arab world. They ditched the hardware, and combined fingerprint authentication technology with software that generates complex passwords, allowing users to securely log into online accounts from a mobile app. Myki is targeting companies—where the real money can be made.

In February, its software hit the market after being in testing mode last year. Roughly 80% of 40,000 users who tested the product were from the U.S., and most were small businesses with around 10 employees.

The real test now is getting paying customers. The startup charges $1 to $15 per employee per month, depending on the number of features. Jebara and Sharuk are assembling a sales team to pitch to large companies in the region, but plan to also reach out to smaller businesses in North America through online marketing. “They say nobody gets fired for choosing IBM, but not everybody has the money to choose IBM,” says Sharuk, who’s chief operating officer.

Some high profile investors have already given Myki a vote of confidence: right before its official launch, Beirut-based Leap Ventures invested $600,000, joining Beco Capital and B&Y Venture Partners in bringing total funds to $1.2 million. “I like to say we’re solving the password problem,” says 24-year-old CEO Jebara.

Passwords are usually the first line of defense in a company. Unless a firm requires employees to periodically change their passwords by picking a combination of characters and numerals, it can expose itself to security breaches.

One of the most spectacular hacks was on Saudi Aramco’s computers in 2012, which forced the company to reportedly block employee email and Internet access to prevent further damage. In December 2016, news reports pointed to an attack on computers belonging to Saudi government ministries.

More than half of companies surveyed in the Middle East by PwC lost at least $500,000 due to cybersecurity breaches in 2015. Globally, only a third reported similar issues. “[Cyber] security is a very big problem worldwide, but in the region it’s even worse because we really neglected it until a couple years back,” says Jebara.

There are plenty of password management tools available. U.S.-based LastPass, for example, stores passwords in the cloud, but in 2015 hackers breached a LastPass server. To minimize that risk, Myki stores encrypted passwords on a user’s phone. “We hate the idea of storing the passwords in the cloud,” says Jebara.

Having just opened for business, Myki is navigating uncharted waters.

Jebara and Sharuk met in 2009 through Raja Rahbani, a mutual friend and software engineer, who became Myki’s first employee. Jebara was working in Dubai for security consultancies on data loss prevention. He noticed that even when big companies adopted cyber security software, it was often ineffective and expensive, sometimes selling for up to $70,000.

After building the password gadget for Sharuk’s grandmother, he and Sharuk entered on a whim a competition for entrepreneurs in Cairo organized by MIT in 2013. They didn’t win, but met one of their future investors.

Back in Beirut, Jebara developed the tool, while Sharuk oversaw operations and assembled a team. The arrangement served them well. As Myki’s only employee with a non-technical background, Jebara had to clear the “mom test” with her. “I’m like, ‘would your mother understand this?’” says Sharuk.

In September 2015, while trying to import passwords from Apple’s Keychain password management system to Myki, Jebara and Rahbani stumbled on a vulnerability that could allow hackers to steal passwords. “First thing we did, we reported it to Apple,” says Jebara, but the company didn’t respond. He contacted Steve Ragan, a cyber security blogger, who proposed to write a piece warning about the vulnerability. Overnight, the press and social media picked up the blog post, and Apple contacted Jebara. The media exposure netted Myki several thousand beta testers.

It got another boost in October 2015, when it scored $600,000 from Dubai’s Beco Capital and Beirut’s B&Y Venture Partners. Sharuk quit her job at a landscape firm to work full time on Myki, and Jebara followed.

Because they want to attract customers outside of the Middle East, Jebara and Sharuk are incorporating Myki in Delaware. They think it will also help assuage any concerns American customers might have dealing with a startup from the Middle East.

“Really the essence of Myki has nothing to do with Beirut,” says Jebara. “It’s a global product.”