By Sam Rehman, Senior Vice President, Chief Information Security Officer, at EPAM Systems, Inc.
Using passwords is like carrying a big set of keys everywhere you go. They get you through doors, but if you lose them, you are not only locked out, someone else may now be able to use them to visit places they shouldn't. When a control fails this way, change is necessary. The same goes for passwords, which as a security contract often give a false sense of security. A study found that two in three people surveyed forget their passwords unless they save them, and anything recorded in more than one place increases the risk of theft. Likewise, more than half of Americans perform at least five password resets each month, each taking up to 10 minutes. Password resetting is also a key tool for attackers breaking into systems, and because legitimate resets happen so often, it is difficult for defenders to spot the anomalous ones.
Additionally, as people continue to shop, work, and interact online, their passwords, and by extension the private information they protect, become increasingly exposed to malicious actors. Given all the problems surrounding passwords, it stands to reason that a passwordless future is possible. What would it take to get there?
Passwordless and Zero Trust
In the past, ring-fencing, or limiting how applications interact with and access the Internet, was the preferred cybersecurity strategy. But the fences no longer hold the fort, and Zero Trust has taken center stage. As Zero Trust matures, the public increasingly recognizes that it is not a single product but a concept encompassing technology solutions, processes and policies. Among its main principles are risk detection and the evaluation of each authentication in the context of the user's transaction (what was accessed, where, when, and so on), often called recertification.
Another major pillar of Zero Trust is frequent identity verification, and a fundamental aspect of securing identity is strong authentication. One of the main reasons passwordless continues to gain momentum is this need for robust authentication as a core part of user identification. Many are now aware that passwords are broken because they do not respect the principles of Zero Trust authentication: everything the password holder knows and remembers, an attacker can extract socially through phishing, phone scams or any other malicious method.
The flaws of too much reliance on biometrics
The second reason behind the rise of passwordless is biometrics. Having Face ID or fingerprint unlock on your phone is convenient and eliminates the hassle of remembering passwords that could be stolen. Additionally, these biometric methods pair naturally with device-bound cryptographic authentication, which removes the shared secret that passwords depend on. Still, passwordless systems have flaws, particularly when they rely too heavily on phone biometrics and are not fully connected to centralized authentication. Biometrics on a phone create a false sense of security because they confirm that an enrolled person is present, not who owns the phone.
For example, many people have enrolled a child's or other family member's fingerprint on their phone. When biometrics are used to approve a transaction notification, the process cannot confirm whether the person approving it is the account holder or anyone else enrolled on the phone. Such a method is not Zero Trust compliant because it does not confirm the identity of the end user. Unfortunately, most passwordless solutions cannot bridge this gap between the account holder and the phone's biometrics.
If there is no binding between the owner of the biometric data and the account holder, an attacker could take over the owner's credentials by going through a fraudulent account recovery or new-device registration process and enrolling their own biometric data against the owner's account. This scenario is the Achilles' heel of passwordless, and businesses adopting a passwordless model must address this gap.
Multi-factor authentication and Decentralized data storage
A passwordless biometric multi-factor authentication solution can close the gaps in new-phone and account-recovery flows. Ideally, it should not rely on the phone's biometrics but instead authenticate against a secure, centralized biometric service accessible from any device or browser. Such a multi-factor method is reproducible across all of a user's devices, and it preserves the convenience of biometric authentication.
Another key element of such a solution is its ability to secure biometric data over a decentralized network. This allows businesses to protect biometric data (or any personal data) in new ways: it retains the benefits of a centralized service for authentication while the data itself is stored and protected in a decentralized way.
Typically, when people hear about decentralization, they think of blockchain. However, there are better options than blockchain for storing identity or biometric data. Although a blockchain is well suited to sharing transactions between many parties who all trust the same ledger, its records cannot be modified and users cannot be deleted. To comply with the General Data Protection Regulation (GDPR), you must be able to delete users. Instead, businesses can store and secure biometric and other sensitive data on a decentralized network built on concepts such as zero-knowledge proofs and multi-party computation.
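As an added illustration of the secret-sharing idea that threshold multi-party storage builds on (this is example code written for this article, not the author's proposal or any vendor's product; the storage-node class, user ids and template bytes are constructed for the demo), the following splits a biometric template across several nodes so that no single node holds a usable copy, any three of five nodes can rebuild it for an authentication check, and the record can be erased by destroying shares, which is exactly what an append-only ledger cannot do:

```python
"""Threshold secret sharing of a biometric template across storage nodes.

Added illustration (not the author's or any vendor's code) of the Shamir
secret-sharing primitive underlying threshold MPC storage.  No single node
holds a usable template, any `threshold` nodes can rebuild it, and the
record is erased by destroying shares.
"""
import hashlib
import secrets

# Mersenne prime 2^521 - 1: any secret of up to 64 bytes fits in the field.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, n_shares: int) -> dict:
    """Return {x: f(x)} for x = 1..n_shares, where f is a random polynomial
    of degree threshold-1 with f(0) == secret."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return {x: _eval_poly(coeffs, x) for x in range(1, n_shares + 1)}


def recover_secret(shares: dict) -> int:
    """Lagrange interpolation at x = 0.  With fewer shares than the threshold
    the result is an unrelated field element, not a partial leak."""
    total = 0
    xs = list(shares)
    for xi in xs:
        num, den = 1, 1
        for xj in xs:
            if xj == xi:
                continue
            num = num * (-xj) % PRIME
            den = den * (xi - xj) % PRIME
        total = (total + shares[xi] * num * pow(den, -1, PRIME)) % PRIME
    return total


class ShareNode:
    """Hypothetical storage node holding at most one share per user."""

    def __init__(self, name: str):
        self.name = name
        self._store = {}

    def put(self, user_id: str, x: int, y: int) -> None:
        self._store[user_id] = (x, y)

    def get(self, user_id: str):
        return self._store.get(user_id)

    def erase(self, user_id: str) -> None:
        self._store.pop(user_id, None)


def enroll(template: bytes, user_id: str, nodes: list, threshold: int) -> None:
    """Split a template (<= 64 bytes) across nodes; no node sees the whole."""
    if len(template) > 64:
        raise ValueError("template longer than 64 bytes; chunk it first")
    secret = int.from_bytes(template, "big")
    shares = split_secret(secret, threshold, len(nodes))
    for node, (x, y) in zip(nodes, shares.items()):
        node.put(user_id, x, y)


def reconstruct(user_id: str, nodes: list, threshold: int, length: int):
    """Rebuild the template from any `threshold` nodes, or return None if
    too few shares survive (for example after erasure)."""
    shares = {}
    for node in nodes:
        share = node.get(user_id)
        if share is not None:
            shares[share[0]] = share[1]
    if len(shares) < threshold:
        return None
    chosen = dict(list(shares.items())[:threshold])
    return recover_secret(chosen).to_bytes(length, "big")


def erase_user(user_id: str, nodes: list) -> None:
    """GDPR-style deletion: destroy the shares rather than a ledger entry."""
    for node in nodes:
        node.erase(user_id)


# Constructed sample: a 32-byte stand-in for a biometric template.
TEMPLATE = hashlib.sha256(b"constructed fingerprint minutiae vector").digest()
NODES = [ShareNode(f"node-{i}") for i in range(5)]
THRESHOLD = 3

if __name__ == "__main__":
    enroll(TEMPLATE, "alice", NODES, THRESHOLD)
    print(reconstruct("alice", NODES, THRESHOLD, len(TEMPLATE)) == TEMPLATE)
    erase_user("alice", NODES)
    print(reconstruct("alice", NODES, THRESHOLD, len(TEMPLATE)))
```

The point for a practitioner is the contrast with a blockchain: a compromised or subpoenaed single node yields nothing, the authenticating service still gets a complete template when it gathers a threshold of shares, and deleting a user is an ordinary erase on each node. A production design would additionally authenticate the nodes, protect the shares in transit, and match the template inside the MPC rather than reassembling it on one host.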
User experience and passwordless solutions
As brands move to passwordless biometric models, they need to remember the user experience. Passwordless authentication should be convenient and natural; it is not optimal to make users constantly go through several different steps. Likewise, businesses need to keep in mind the diversity of the populations they serve, since not everyone is tech-savvy. For some older users, scanning a QR code can be complex. When selecting a solution (beyond finding one with multi-factor authentication and decentralized data storage), choose a provider that offers multiple modalities suited to different populations.
About the Author
Sam Rehman is the Chief Information Security Officer (CISO) and Head of Cybersecurity at EPAM Systems, where he is responsible for many aspects of information security. Mr. Rehman has over 30 years of experience in software product engineering and security. Prior to becoming CISO of EPAM, Mr. Rehman held several industry leadership roles, including head of Cognizant's digital engineering business, CTO of Arxan, and several engineering leadership roles within Oracle's Server Technology Group. His first mandate at EPAM was as Chief Technology Officer and Co-Head of Global Delivery.
Mr. Rehman is a serial entrepreneur, technology expert and evangelist with patented inventions in software security, cloud computing, storage systems and distributed computing. He has served as a strategic advisor to several security and cloud computing companies and is a regular contributor to a number of security industry publications.