Passwords have been used to access computers since 1961 when an operating system at the Massachusetts Institute of Technology first required login credentials. 60 years later, despite the massive advancements in technology and cyber threats, the password security system has remained largely unchanged.

While password tactics have somewhat evolved to address new cybersecurity threats, attackers have gotten more sophisticated in response. Most of the time, cybercriminals don’t even need to use advanced hacking methods when employees are still using weak passwords like “1234”, storing passwords on their desktops, or sharing their credentials with their coworkers.

Stealing a password is as easy as reading a post-it note on a desktop, no hacking required. When employees don’t write passwords down, they often forget them and start harassing the help desk for a $70 password reset. The truth is, most employees hate the inconvenience of passwords and most employers are tired of facing the consequences of insecure passwords (data breaches, loss of trust, financial loss, etc.). So what is being done to fix this broken system?

2FA

One of the first steps that cybersecurity leaders take to strengthen security in their organizations is implementing two-factor authentication (2FA). How does this solution work? The password is the first authentication factor.

As we know, these can be lost or stolen. The second authentication factor can vary, but it is usually something like an SMS code, a security key, or biometrics. Unfortunately, none of these second authentication factors are very secure either.

Consider this: your phone or security key gets run through the wash in the pocket of your jeans. If there are no recovery options, you could be locked out of your account forever. What if the 2FA solution uses biometric authentication? The truth is that fingerprints can be copied to hack Touch ID and faces can be spoofed to compromise Face ID.

To summarize…

2FA

Security X
Convenience X

MFA

If cybersecurity leaders want an extra level of security, they will use a multi-factor authentication (MFA) solution instead of 2FA. Although MFA solutions are more robust in terms of security than 2FA solutions, they add another level of friction that makes the user experience undesirable.

Each additional authentication factor increases cognitive load and confusion for employees. MFA has other limitations in addition to the inconvenient user experience. To use an SMS code, for example, an employee needs a charged mobile phone, connected to a cellular network, whenever they need to authenticate.

If pieces of hardware like security keys are used, your company will need to pay for the keys, the maintenance, and their replacements when employees lose them. If less advanced forms of biometrics are an authentication factor, users tend to feel more secure.

However, voices can be replicated, fingerprints can be copied, faces can be spoofed, and iris scanners can be hacked. In reality, MFA is not the end-all solution for replacing passwords. MFA solutions are hackable and have a low-quality user experience.

To summarize once again…

MFA

Security X
Convenience X

What Is Passwordless Authentication?

The key differentiator between password authentication and passwordless authentication is the kind of information needed during the user’s login process. Password systems require the user to know their user ID, email address, password, etc.

Passwordless systems, however, require information the user has, like biometrics. Each user has unique biometrics, such as fingerprints or voice. When implemented correctly, there are many benefits to using biometrics, including a high level of identification accuracy, low risk of theft or loss, and an easy user experience.

However, passwordless solutions are only effective when non-spoofable advanced biometrics, such as a liveness test, are used and if data is stored in a private blockchain ecosystem, to eliminate hacking risks. Another component of passwordless authentication is user-possessed information. This could include a time-limited password, a verification link, a QR code from an authentication application, etc.

These are more secure than passwords because the user is required to access a separate device in a limited amount of time. In both cases, passwordless authentication requires two cryptographic keys: one private key and one public key. Because the private key is something unique that the user has (not a password), it would be difficult for a criminal to hack it.

The user presents proof of the private key to the system or application, which holds the corresponding public key. The private and public keys must match for the user to gain access. Passwordless solutions provide numerous benefits to individuals and organizations.

First, the elimination of passwords means that organizations are no longer susceptible to security breaches when their employees manage passwords poorly. Additionally, the employee user experience is greatly simplified. They won’t need to store passwords on desktop sticky notes or harass the help desk every 30 days for a $70 reset. Lastly, help desk costs will drastically decrease when they don’t need to manage every employee’s password.

A summary of passwordless authentication if and only if advanced biometrics and encrypted, decentralized data storage are used…

Passwordless Authentication

Security
Convenience

If you are interested in increasing the security of your organization while creating a better user experience for your employees, I invite you to explore 1Kosmos BlockID workforce solutions.

1Kosmos’ passwordless solution uses an advanced form of biometrics called a liveness test that secures the identity of your employees who need to authenticate and access your systems and internal web resources.

A hacker cannot reproduce and compromise the analysis and result of a liveness test, so the fear of having one’s fingerprints copied, face spoofed or voice replicated is eliminated. Live ID brings an extra, uncompromisable level of authentication.

With a simple blink of an eye and a smile, 1Kosmos BlockID can indisputably verify an individual’s identity. The solution is 100% contact-free, which minimizes employee friction while bringing employees the highest levels of identity and authentication assurance per the NIST 800-63-3 guidelines, IAL3 and AAL3. Lastly, with BlockID, you can leverage the BlockID Private Blockchain Ecosystem, our virtually uncompromisable system that initiates peer-to-peer transactions while ensuring the immutability of the data, which is stored encrypted.
