A Passwordless Future

By Sam Rehman, SVP, Chief Information Security Officer, at EPAM Systems, Inc.

Using passwords is like carrying a large set of keys everywhere you go. You can get through doors, for instance, but if you lose them, not only are you stuck and can’t go anywhere, but now somebody else might be able to use them and visit places they shouldn’t. When inefficiency happens, like in this scenario, a change is necessary. The same is true about passwords, which as a security contract, often give a false sense of security. A study found that two in three respondents will forget their passwords unless they record them. What is recorded in multiple forms increases the chance that it’s stolen. Likewise, more than half of Americans perform at least five password resets each month, taking 10 minutes each time. Password resets are also a key tool for attackers to breach into systems, and since it’s used so often, it’s difficult for defenders to spot anomalies.

Furthermore, as people continue to shop, work, and interact online, their passwords – and by extension, the private information they protect – are becoming more vulnerable to bad actors. It stands to reason, with all of the problems of passwords, is a passwordless future possible, and what would it take to achieve it?

Passwordless and Zero Trust 

In the past, ring-fencing, or the process of limiting interactions between applications and their access to the internet, was the go-to strategy for cybersecurity. However, ring-fencing no longer holds the fort, and zero trust has begun to take center stage. As zero trust matures, the public continues to recognize that it is not a single product but a concept encompassing advanced technology solutions, processes, and policies. Some of the main principles of zero trust include risk detection and evaluating authentication in the context of the user’s transaction (what they accessed, where, when etc.), often called recertification.

Another chief pillar of zero trust is verifying identity frequently. And when it comes to securing one’s identity, a fundamental aspect is strong authentication. One of the primary reasons why going passwordless continues to gain momentum is the push for robust authentication, as it is a fundamental component of identifying the user. Many are now aware of the brokenness of passwords since they do not comply with the authentication principles of zero trust. Similarly, anything the password holder knows, anything they remember, a bad actor can socially engineer out of them through phishing, phone scams, or some other malicious method.

The Flaws of Relying Too Heavily on Biometrics 

The second reason behind the rise of passwordless is biometrics. Having a face ID or fingerprint ID on one’s phone is very convenient and removes the annoyance of remembering passwords that could get stolen. Additionally, these biometric authentication methods overcome the issues of cryptographic-based authentication. Nevertheless, passwordless systems have flaws, particularly when they rely too heavily on phone biometrics and are not connected fully to centralized authentication. Using biometrics on one’s phone creates a false sense of security because they don’t get validated against whom the phone belongs to.

For example, many people have their child or another family member’s biometric ID fingerprint enrolled on their phone. When they use biometrics to validate a transaction notification, this process can’t confirm if the user validating the transaction is the account holder or any other person enrolled on the phone. Such a method does not align with zero trust because it does not confirm the end user’s identity. Unfortunately, most passwordless solutions cannot bridge this gap between the account holder and the biometrics on the phone.

If there is no connection between the biometrics owner and the account holder, an attacker could access the owner’s credentials by going through a fraudulent account recovery or new device enrollment process, connecting their biometrics to the owner’s account. This scenario is the Achilles Heel of going passwordless, and companies wanting to adopt a passwordless model must address this gap.

Multi-Factor Authentication and Decentralized Data Storage

A passwordless biometric multi-factor authentication solution can address the gap or vulnerability in new phone or account recovery schemes. Ideally, this solution should not rely on phone biometrics but authenticate against a secure, centralized biometrics database accessible from any device or browser. Such a multi-factor method is repeatable across the user’s devices – plus, it would not eliminate the convenience and authentication of biometrics.

Another key component of a passwordless biometric multi-factor authentication solution is its ability to secure biometric data over a decentralized network. This decentralized network would allow businesses to implement the infrastructure needed to safeguard biometric data (or any personal data) uniquely and innovatively; moreover, it maintains the benefits of a centralized facility to authenticate against while keeping the security of a decentralized method in which data gets stored and protected.

Typically, when people hear decentralization, they think of blockchain. However, there are better solutions to store identity or biometric data than blockchain. Although blockchain is sufficient for sharing transactions between many parties that all trust the same ledger, it cannot get edited, nor can users get removed. Today, to be General Data Protection Regulation or GDPR compliant, one needs to be able to remove users. Alternatively, businesses can store and secure biometric and other sensitive data on a decentralized network based on concepts like zero-knowledge proofs and multi-party computing.

The User Experience and Passwordless Solutions

As brands transition to passwordless biometric models, they must remember the user experience. Passwordless authentication processes should be convenient and natural – it’s not optimal to have users constantly jumping through several different hoops. Likewise, businesses must remember the diverse populations they serve, especially since not everyone is tech-savvy. For some older generations, scanning a QR code could be complex. When selecting a solution (in addition to finding one with multi-factor authentication and a decentralized network for data storage), choose a vendor that offers multiple modalities that cater to different populations.

About the Author

Sam Rehman is Chief Information Security Officer (CISO) and Head of Cybersecurity at EPAM Systems, where he is responsible for many aspects of information security.  Mr. Rehman has more than 30 years of experience in software product engineering and security. Prior to becoming EPAM’s CISO, Mr. Rehman held a number of leadership roles in the industry, including Cognizant’s Head of Digital Engineering Business, CTO of Arxan, and several engineering executive roles at Oracle’s Server Technology Group. His first tenure at EPAM was as Chief Technology Officer and Co-Head of Global Delivery.

Mr. Rehman is a serial entrepreneur, technology expert and evangelist with patented inventions in software security, cloud computing, storage systems and distributed computing. He has served as a strategic advisor to multiple security and cloud companies, and is a regular contributor in a number of security industry publications.