By Hemen Vimadalal is CEO and founder of 1Kosmos
Approximately $590 million in ransomware payments were made in the U.S. in the first six months of 2021, more than the $416 million reported for the whole of 2020, according to a Reuters report.
And it’s no surprise that stolen credentials are the primary means by which criminals hack into organizations. In fact, the Verizon 2021 Data Breach Investigations Report noted that 61 percent of breaches are attributed to compromised credentials.
Problem is: most companies are mired in the traditional approach that uses an authentication method (such as a password, a one-time passcode, etc.) as a proxy for a user’s identity. Let’s consider the shortcomings of this model.
Passwords have been around for roughly 60 years and are easily compromised via phishing attacks, social engineering or simple carelessness, and many people reuse them across different systems. Meanwhile, two-factor authentication doesn’t prove identity at all. Instead, it simply provides hope … that email accounts, devices and apps haven’t been hacked.
Strong authentication using biometrics shows great promise in replacing passwords by moving beyond the “something you know” or knowledge factor to the “something you are” or inherence factor. These include physical characteristics (typically facial, fingerprint, or voice recognition) to verify a user’s identity.
However, capturing user biometrics is one thing. Securing them is a completely different challenge, because, just like passwords, digitized biometrics can be stolen.
Passwordless is the Future
Recent breakthroughs in standards and technologies make passwordless authentication not only possible but cost-effective and convenient.
For example, NIST standard 800-63-3B covers how users can use enrolled identities to authenticate who they are without usernames or passwords. The industry term for this is passwordless authentication.
Meanwhile, passwordless authentication has been popularized by the Fast Identity Online Alliance (FIDO), a non-profit industry consortium supported by such companies as Google and Microsoft.
Its main standard is FIDO2, which enables users to store their biometrics behind a cryptographically secured public-private key pair. The private key is stored in the Trusted Platform Module or Secure Enclave of the device. That key (what you have) combined with a biometric such as TouchID, FaceID or LiveID (what you are) become the two factors needed to verify the user can be trusted to access an online service.
For passwordless to work, certified authentication must enable a high level of certainty of the identity at the end of a connection. Thus, identity becomes key to the security perimeter of an organization, and removes the anonymity behind compromised credentials, which is also central to help organizations move to a zero-trust architecture.
To ensure the success of passwordless authentication, the biometric must be sophisticated and non-hackable. A “live selfie” is a must, using technology that detects depth of field, specific facial movements, and all signs of photo and video manipulation.
The authentication mechanism needs to have a high degree of interoperability and be easily integrated with operating systems, user stores, devices, SSO, and other applications preferably via API / SDK.
As a user biometric represents a high value target for hackers, they should also be stored as safely as possible.
Centralized administration provides a honeypot target ripe for ransomware, hacking, etc. Conversely distributed ledgers offer a vastly superior approach to security and facilitates user privacy in management and control of their own information.
Passwordless authentication results in a user-friendly computing experience that is highly resistant to credential theft. It eliminates significant threats posed by unauthorized users logged into the corporate IT network — including data breaches, ransomware, commercial espionage, and financial fraud.
From an organizational perspective, passwordless authentication with identity simplifies IAM IT architectures centered on passwords and 2FA security. More importantly, it helps organizations answer with certainty the key question of “Who is logging into my digital services?”
About the Author
Hemen Vimadalal is CEO and founder of 1Kosmos, which unifies identity and authentication to provide a passwordless and frictionless user experience for employees and consumers. Prior to 1Kosmos, Hemen founded Simeio Solutions and Vaau, both of which had very successful exits. He is also an angel investor in cyber security companies including Securonix, Saviynt, BrinQa, Simeio, and others.