The password is dead. Long live the password.
So it goes with most of the “Passwordless” solutions available today.
If you simply replace long character strings with long MFA processes, you’ve missed the point entirely.
All of us innately have a unique identity. Advances in Biometric technology such as a Liveness Test allow us to verify that identity at a near face-to-face level.
We need to stop making the login process more tedious for your users by layering solutions.
Instead, let users verify their identity with the best proof they have: themselves.
Password management unveils 3 groups of employees:
- Employees who have no problem remembering different usernames and passwords.
- Employees that give it three tries before they’re locked out and start harassing the Helpdesk
- Employees who choose to rely on the good old post-it note they stick on their monitor, openly and publicly.
And to make matters worse…
IT departments require employees to choose complex formats for their passwords: between 8 and 16 characters long with at least 1 uppercase letter, 1 number, and/or 1 special character. IT also requires that it be changed every 30 or 60 days. For many employees, those requirements, compounded by the number of systems they must access to do their job, can be overwhelming… hence the infamous post-it notes.
This ecosystem creates inefficiencies such as loss of productivity and increased costs. Did you know, for example, that replacing one password can cost up to $70? Yes, that’s what it can cost in human capital and machine resources to handle one password reset request.
81% of data breaches are caused by poor password management.
2FA to the rescue?
3 Reasons Why 2FA Solutions Are Vulnerable:
Passwords, the first authentication factor, can be stolen or lost. Second factors such as one-time emails, texts or tokens can also be intercepted or coerced from end-users and also result in a poor user experience. It is the same issue with a security key that can also be forgotten inside the pocket of a pair of jeans and run through the laundry. There are 2FA solutions that use device-based biometrics as a second factor of authentication. But Touch ID and Face ID do not prove a user’s identity.
The lack of pertinence, in terms of security, is magnified, when an employee finds himself locked out of an app after losing a factor. Believe it or not, but this employee actually finds himself in the very same position as a hacker, who’s trying to gain access to the employee’s account. If an account can be reset without an access factor, then a hacker can, too. However, without recovery options, the employee account may be lost forever. To meditate…
Finally, hackers are seasoned criminals. For example, they can set up or reconfigure two-factor authentication to keep the real account holder out of his or her own accounts.
Two-factor authentication (2FA) brings an extra layer of security that passwords alone can’t provide. Yet, they remain highly vulnerable.
Get the Complete Whitepaper
MFA to plug the holes?
Replacing 2 with M doesn’t necessarily cut it:
MFA solutions are definitely more robust, in terms of security, than 2FA applications. However, the reality is that they add another level of friction to the user’s experience.
Besides the added layer of friction, MFA solutions offer several key limitations. To use mobile SMS code MFA, an employee must carry a mobile phone, charged, and kept in-range of a cellular network, whenever authentication might be necessary.
There are MFA solutions that necessitate a piece of hardware like security keys, and that comes at a cost: Pay for each physical token and allocate resources for the hardware’s maintenance.
The smartphone and the security key can be lost or stolen.
MFA solutions give the user a sense of added security, however it remains a false sense of security.
Now, biometrics... Alright, but what kind...?
To mitigate the risk, biometrics have been added into the mix: Touch ID, Face ID, iris recognition, etc.
A login page, a QR code to scan from a mobile application, a biometric-based authentication, and the employee is in. No more username and password required. The mobile phone is something the employee has and the biometric data is something the employee is.
Some levels of biometrics remain ineffective.
Financial Element: Biometric technologies are available commercially in many different forms, but by far the most common devices are fingerprint readers and hand geometry scanners. Now, commercial retina and iris scanners can cost between $2,000 and $10,000, are considered highly invasive by users, and have a slow throughput. Whether fingerprint or iris scanners are required for both physical and logical access, deploying biometrics in the organization is extremally costly.
Biometric Element: Whether it is voice recognition (Voice ID), facial recognition (Face ID), fingerprint scanning (Touch ID) or iris scanning, those types of biometric are falsifiable: Voice can be replicated, fingerprints can be copied, face can be spoofed and iris scanners can be hacked. Biometrics are used by most passwordless solutions is not enough.
Data Storage Element: Most passwordless solutions store their users’ biometric data unencrypted inside centralized systems, which are highly prone to cyber attacks.
MFA solutions that leverage biometrics give the user a sense of enhanced security. The reality is, however, rather different… unless advanced biometrics are involved.
To "comply with guidelines" doesn't mean much...
Per the National Institute of Standards and Technology (NIST), digital identity is the online persona of a subject engaged in an online transaction. Now, accessing a digital service may not mean that the subject’s real-life identity is known.
NIST has created the NIST 800-63-3 guidelines to establish 3 levels of assurance for ID-proofing and authentication:
Identity Assurance Levels:
- IAL1: There is no requirement to link the applicant to a specific real-life identity.
- IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity.
- IAL3: Physical presence is required for identity proofing (address verification).
Authentication Assurance Levels:
- AAL1: Requires either single-factor or multi-factor authentication using a wide range of available authentication technologies.
- AAL2: Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above.
- AAL3: Based on proof of possession of a key through a cryptographic protocol. Authentication must use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance. The same device may fulfill both these requirements. Approved cryptographic techniques are required.
Federated Assurance Levels:
- FAL1: IAL1 + Any AAL, IAL2 + AAL1, IAL3 +AAL1
- FAL2: IAL2 + AAL2, IAL2 + AAL3, IAL3 + AAL2
- FAL3: IAL3 + AAL3
Most passwordless solutions do not exceed FAL1.
2 major data storage issues
Most passwordless solutions store their users’ data in such a way that it represents a cyber criminal dream for 2 main reasons:
Users’ data stored unencrypted.
Did you know what major organizations are still storing passwords in plain text? Unfortunately, there are multi-billion dollar companies out there that continue to minimize the importance of security. Some actually choose to compromise security in the name of (financial) convenience. Others do everything right when storing their employees’ password. But they might add overzealous logging capabilities, which record passwords in plain text… Encryption is standard during the data transmission process, but many enterprises have failed at implementing the same for information held within their databases. And that’s a hacker’s dream, because they are able to easily use stolen data in its rawest form.
Users’ data stored in centralized systems.
First, the user of a centralized database has access to four data functions: Create, Read, Update, Delete. Logically, anyone with access credentials can utilize the Create, Update and Delete functions to compromise data. Read is only as good as the data which is read. Then, a centralized system represents a single point of failure. Naturally, the bigger firms which is associated with centralized systems can afford redundancy, but it is inherently expensive…
Data storage falls way below what is required to ensure users’ data security.
The BlockID platform fundamentals
Identity is our number one focus at all times.
1Kosmos BlockID is the only passwordless authentication solution that verifies the user identity. BlockID reaches IAL2, AAL2 and FAL2 per the NIST 800-63-3 guidelines, and stores users’ data encrypted in a decentralized ledger.
During the enrollment process, BlockID creates a credential safe and the private key always stays with the user.
Enrollment process: Triangulating a given claim with a multitude of company or government-issued documents as well as sources of truth, including biometrics like a liveness test.
- Each enrolled document is validated in the background: AAMVA for driver’s licenses, issuing country for passports.
- By enrolling a driver’s license and a passport, for example, BlockID validates the user’s first and last name, address, date of birth, and ensure, to the extent possible, that the photos on both documents actually match.
- BlockID adds an extra source of truth to our ID proofing process: a liveness test to verify if the biometric traits of an individual are from a living person rather than an artificial or lifeless person.
- BlockID accesses even more sources of validation: a passport’s chip to validate the fact that the passport scanned during the enrollment process matches digitally signed data, for example. or external sources of truth like a credit card, a bank account or a loyalty program
1Kosmos BlockID reaches IAL2 per the NIST 800-63-3 guidelines and uses advanced, unspoofable biometrics like a liveness test.
BlockID uses advanced biometric authentication as a security process that relies solely on the unique biological characteristics of a user to verify that he is who he says he is.
Authentication process: A liveness test to eliminate any risk of facial spoofing, which is the task of creating false facial verification by using a photo, video, mask or a different substitute for an authorized person’s face.
1Kosmos BlockID reaches AAL2 per the NIST 800-63-3 guidelines and uses advanced, unspoofable biometrics like a liveness test.
The verification process leverages the attributes BlockID triangulates during the enrollment phase and digital verifiable credentials users can share with third-parties and with explicit consent.
Verification process: issuers create verifiable credentials, users can store some of them, and verifiers ask for proof based upon them. When identity needs to be verified, the user chooses those credentials that must be verified. The process
involves data the user initially enrolled in BlockID, verifiable credentials in their digital form through API calls, or a mix of both.
The attestations that verifiable credentials make are backed by the Decentralized Identifiers (DIDs), a technology that enables verifiable, decentralized digital identity.
1Kosmos BlockID reaches FAL2 per the NIST 800-63-3 guidelines. BlockID is also fully W3C compliant.
The BlockID Private Blockchain Ecosystem
1Kosmos leverages a Distributed Ledger to securely store users’ identity information, with access controlled by the user (GDPR compliant) as well as a layer of privacy built around Ethereum to execute smart contracts. This is the BlockID Private Blockchain ecosystem.
Each user’s information is encrypted using their own unique cryptographic key pairs, with their private key stored securely on their own mobile devices. That means there are literally thousands of separate and unique encryption keys and mobile devices protecting the identity data, which makes it impervious to hacking (W3C compliant).
BlockID solutions automatically and seamlessly handle all interactions with the Blockchain — No Blockchain knowledge or expertise is required by anyone on your team to enjoy all of its benefits. It couldn’t be any easier.
1Kosmos BlockID is the only passwordless solution to store users’ data encrypted in a decentralized ledger.