By Frances Zelazny, CEO of Anonybit
Recent advances in securing online accounts have changed the way many of us think about protecting our digital footprint, with privacy and the security of our online identity as top priorities. Transformative as they are, these advances are not airtight.
The flood of identity fraud over the past few years has been relentless. In 2021 alone, 59% of identity fraud victims reported a total account takeover, with average financial losses of approximately $12,000 across multiple accounts per victim. With $6 billion in personal losses each year, account takeover has quickly become the leading form of fraud loss. Security experts across the industry therefore agree that the way forward is strengthened authentication, starting with eliminating passwords and replacing them with more secure factors, such as biometrics.
Strong authentication has traditionally been synonymous with methods of multi-factor authentication (MFA), most of which still rely on the use of a password of some kind. However, the unfortunate truth about passwords is that they are not only inherently broken but are also the most ubiquitous authentication factor. Therefore, any implementation of multi-factor authentication is undermined by their inclusion.
High-assurance strong authentication, in which multi-factor authentication is combined with biometrics, is what many industry experts consider a far superior approach to securing accounts. In the past five years alone, high-assurance authentication has been adopted at scale, climbing from 5% in 2017 to 16% in 2018 and on to 24% in 2021. Even as high-assurance and biometric authentication gain traction in the U.S., 49% of users still depend on passwords across their accounts. Despite this percentage, the growing awareness of stronger authentication methods is promising for their adoption in the near future.
As it currently exists, the widespread adoption of high-assurance authentication has largely been led by the FIDO Alliance. Since 2013, FIDO has sought to enable strong authentication through an open set of standards and specifications that link user devices to an online service and then rely on biometric information stored on a particular device. Making this process more accessible appears to be the key to its ubiquity, but there are also gaps that need to be addressed: device biometrics only authenticate the owner of the device, not the owner of the account being accessed. When attackers exploit this gap, it further contributes to the growing fraud rates we are experiencing.
There are other issues that must be overcome to move towards the ubiquity of biometrics for consumer applications. Currently, FIDO credentials are only generated for a specific device, meaning that each device or browser must be separately provisioned in order to seamlessly authenticate access. Managing multiple devices is not only difficult, but from a consumer perspective also degrades the experience. As a result, the FIDO Alliance has called for the issuance of multi-device credentials that will enable users to authenticate from anywhere, at any time, and from any device.
The transition to this model raises a few questions. First, how do you establish a high enough level of assurance in a new user device to entrust the entire set of credentials or keys to it? Second, how can digital assets be securely backed up and transferred without exposing them to compromise in transit, or at rest while in vendor storage? And lastly, how does all of this happen across different device manufacturers who have little incentive to work together?
Because the biometric information is stored on, and bound to, a specific device, it cannot be used to authenticate from any other device: the biometric samples enrolled on the original device are simply not available on the new one, and the fallback is once again other authentication factors with lower assurance levels. Additionally, sending cryptographic assets to backup facilities exposes them to interception in transit. Finally, if a vendor's facility is breached, the stored cryptographic keys can provide unfettered access to all of those users' accounts.
The solution to these challenges lies in a decentralized cloud infrastructure that can provide high levels of authentication assurance regardless of the device. Applying biometrics to a decentralized cloud infrastructure aligns with the privacy principles of FIDO, where the user is in control of their biometric data and the biometric itself is not accessible to any single party.
While the technology to fully realize this is fairly new, companies are working to leverage techniques like multi-party computation and zero-knowledge proofs that break biometric data down into anonymized pieces. These pieces are then secured individually over a decentralized network and can be matched in a decentralized manner as well, securing them both at rest and in processing. The same infrastructure can also be used to protect cryptographic assets like FIDO credentials. Sharded cryptographic assets can be distributed over a decentralized network, and only after a user authenticates biometrically are these assets released onto the user's new device.
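To make the sharding idea concrete, here is an added example (not Anonybit's or FIDO's code) that splits a credential into shards with Shamir secret sharing so that any k of n storage nodes can reconstruct it while fewer than k learn nothing about it. The credential value, the threshold parameters and the biometric match (modeled as a plain boolean) are all assumptions of the example.

```python
# Added example: threshold sharding of a credential across storage nodes.
# Any k shards reconstruct the credential; fewer than k reveal nothing,
# so a single breached storage node holds no usable key material.
import secrets

PRIME = 2**127 - 1  # Mersenne prime; all polynomial arithmetic is done mod PRIME

# Constructed placeholder standing in for a private key (must be < PRIME).
CREDENTIAL = int.from_bytes(b"placeholder-key", "big")


def split_secret(secret: int, n: int, k: int) -> list[tuple[int, int]]:
    """Return n shards (x, y) of `secret`; any k of them reconstruct it."""
    assert 0 <= secret < PRIME and 1 < k <= n
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, i, PRIME) for i, c in enumerate(coeffs)) % PRIME

    return [(x, f(x)) for x in range(1, n + 1)]


def recover_secret(shards: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over the shards provided."""
    total = 0
    for i, (xi, yi) in enumerate(shards):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def release_credential(shards, biometric_match: bool, k: int):
    """Gate described in the article: the shards are combined only after a
    successful biometric match, and only if at least k are available."""
    if not biometric_match or len(shards) < k:
        return None
    return recover_secret(shards[:k])


if __name__ == "__main__":
    nodes = split_secret(CREDENTIAL, n=5, k=3)   # five storage nodes, any three suffice
    print(release_credential(nodes, True, 3) == CREDENTIAL)   # True
    print(release_credential(nodes[:2], True, 3))             # None: too few shards
```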
Looking to a much larger scale, in order to make this method of authentication ubiquitous, it is critical to move past the inhibitors for adoption. Though many still cling to outdated methods of security and identity authentication, there has never been a stronger call to utilize existing technologies and infrastructures to foster the privacy and security of countless users. While it may take some time to achieve on a widespread scale, decentralized biometrics cloud infrastructure provides the framework to propel us towards a truly passwordless future.
About the Author
Frances is a seasoned marketing strategist and business development professional with over 25 years of experience at start-up and scale-up companies, primarily focused on biometrics and digital identity, fintech, data and analytics, and cybersecurity. Frances has led marketing and strategy teams at L-1 Identity Solutions, MyCheck, BioCatch and, most recently, Signals Analytics, and has run her own business consultancy providing expertise in biometrics and identification systems to growth companies. Frances has also served government and multilateral organizations in promoting biometrics best practices for social and economic development and has been an outspoken advocate for consumer privacy and the responsible use of biometrics. Her latest venture, Anonybit, provides a ground-breaking infrastructure for decentralizing biometric technology (not on the blockchain!) and creates a new category for privacy-preserving identity management.