How technology is trying to replace passwords [Q&A]


We have been told for a long time that passwords are endangered. In fact, no less than Bill Gates predicted the death of the password at the 2004 RSA conference, yet we still rely on them to manage much of our daily access.

But things are starting to change. Patrick McBride, CMO at Beyond Identity, believes that the technology for eliminating passwords and replacing them with something more secure is starting to take off. We talked to him to find out more.

BN: Is it possible to completely replace passwords with something basically secure?

PM: The password problem is well known. It is inconvenient for end users but, more importantly, it is a very risky way of authenticating the end user. Early attempts to address this problem involved longer and stronger passwords, if people used cracking techniques to try to figure out which passwords came from a database, to help. But many of the ways passwords are stolen, malware running on the laptop or phishing sites, have nothing to do with this. Hackers use these techniques to compromise thousands and thousands of accounts; if you look at Have I Been Pwned?, there are 11 billion credentials out there, so it’s clearly a big deal.

Then came multi-factor authentication, but it’s inconvenient; I have to grab my phone and get that code. It is also not hacker proof; they will use phishing techniques and steal the second code. It’s a certain level of protection, but not a lot, so we decided that workforce customers should get rid of the password entirely.

BN: What kind of techniques are involved in doing it?

PM: Let’s use SSL now to authenticate the website we’re going to so we know it’s genuine and then set up a secure connection. It uses something called symmetric cryptography, which is how we do business for trillions of dollars every day, and we don’t have a lot of problems. So we replaced the passwords for the workforce with the same underlying public cryptographic key / private key technique.

We have a small authenticator that works on the desktop, so after logging in using biometrics or a PIN no password is involved. And the PIN code never leaves the system; it is stored in a hardware chip on the computer, which makes it much more difficult to crack. All modern PCs and mobile devices have something called a TPM – it’s required for Windows 11 systems – it’s a place where you can securely store a private key in hardware. So you have a very simple and highly secure login experience too. So let’s create an SDK that developers can use to build hardcore technology into their application so they can provide very secure multi-factor access to any app, whether you’re logging into a bank’s website or ordering a pizza.

BN: So there is no need for any additional software or agent on the endpoint?

PM: That’s right, it’s autonomous within the company or in any app you download. If I’m using my banking app or if I’m using my delivery app, the technology is contained within it. So we’ve nailed our safe, frictionless capabilities into their app. There aren’t many things for the end user to do, they just log into their device and then open their app and it’s super smooth and highly secure.

BN: We have heard for several years that passwords are about to disappear, how far do you think we are from some kind of tipping point where everyone will be passwordless?

PM: It’s starting now; it’s gotten easier for companies to do this for their workforce, so it’s gaining a lot of traction and removing passwords from the experience for workers. The next step is really consumer apps, and this is where it gets a little tricky. There are many “passwordless” things that hide the password but don’t actually remove it. If I send you a magic link, or even a temporary code, to log in via SMS, hackers have many ways to steal it; there is malware that can run on the endpoint and get you into a fake site so they can catch that code. It doesn’t matter how complex or unique your password is, because if malware steals it from you, you’re still compromised. We’ve removed some of the hassle, password managers do a little bit, but they don’t remove the password security issue.

We are at that tipping point where, particularly on the consumer side, businesses will begin to incorporate technology as they create new apps. And it really is in a wide range of industries, from banking or financial services companies to the most common ecommerce applications. To get to a position where no one will have passwords to remember forever, I’d say there are still three to five years to go.

BN: All of this is still based on cryptography, how big is the threat posed by quantum computing?

PM: The cryptographic algorithms behind our technology are the same thing as TLS and SSL, it’s public key cryptography based on a certain set of things. I think we’re still a long way from that stuff breaking.

You obviously can’t prove the future perfectly, the bad guys are looking at quantum computing as a way to defeat the good guys, and the good guys are trying to create much stronger quantum-based algorithms, but the burden, frankly, is on the industry.

The bigger question is, have you built your technology in such a way that when, not if, this eventually happens, could you override it on the underlying algorithms using something that is more quantum secure? I think it’s a bit of an arms race now. It will be a problem and therefore the burden is on the companies building the technology to ensure that we are using cryptographic techniques and that they are future-proof. It is still on the horizon and is a problem for every single company.

Image credit: Syphotography/depositphotos.com
