Go Beyond Passwordless Solutions

Replacing 2 with M doesn’t necessarily cut it:
MFA solutions are definitely more robust, in terms of security, than 2FA applications. However, the reality is that they add another level of friction to the user’s experience.

Besides the added layer of friction, MFA solutions offer several key limitations. To use mobile SMS code MFA, an employee must carry a mobile phone, charged, and kept in-range of a cellular network, whenever authentication might be necessary.

There are MFA solutions that necessitate a piece of hardware like security keys, and that comes at a cost: Pay for each physical token and allocate resources for the hardware’s maintenance.

The smartphone and the security key can be lost or stolen.

MFA solutions give the user a sense of added security, however it remains a false sense of security.

To mitigate the risk, biometrics have been added into the mix: Touch ID, Face ID, iris recognition, etc.

A login page, a QR code to scan from a mobile application, a biometric-based authentication, and the employee is in. No more username and password required. The mobile phone is something the employee has and the biometric data is something the employee is.

Some levels of biometrics remain ineffective.
Financial Element: Biometric technologies are available commercially in many different forms, but by far the most common devices are fingerprint readers and hand geometry scanners. Now, commercial retina and iris scanners can cost between $2,000 and $10,000, are considered highly invasive by users, and have a slow throughput. Whether fingerprint or iris scanners are required for both physical and logical access, deploying biometrics in the organization is extremally costly.

Biometric Element: Whether it is voice recognition (Voice ID), facial recognition (Face ID), fingerprint scanning (Touch ID) or iris scanning, those types of biometric are falsifiable: Voice can be replicated, fingerprints can be copied, face can be spoofed and iris scanners can be hacked. Biometrics are used by most passwordless solutions is not enough.

Data Storage Element: Most passwordless solutions store their users’ biometric data unencrypted inside centralized systems, which are highly prone to cyber attacks.

MFA solutions that leverage biometrics give the user a sense of enhanced security. The reality is, however, rather different… unless advanced biometrics are involved.

Per the National Institute of Standards and Technology (NIST), digital identity is the online persona of a subject engaged in an online transaction. Now, accessing a digital service may not mean that the subject’s real-life identity is known.

NIST has created the NIST 800-63-3 guidelines to establish 3 levels of assurance for ID-proofing and authentication:

Identity Assurance Levels:

• IAL1: There is no requirement to link the applicant to a specific real-life identity.
• IAL2: Evidence supports the real-world existence of the claimed identity and verifies that the applicant is appropriately associated with this real-world identity.
• IAL3: Physical presence is required for identity proofing (address verification).

Authentication Assurance Levels:

• AAL1: Requires either single-factor or multi-factor authentication using a wide range of available authentication technologies.
• AAL2: Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above.
• AAL3: Based on proof of possession of a key through a cryptographic protocol. Authentication must use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance. The same device may fulfill both these requirements. Approved cryptographic techniques are required.

Federated Assurance Levels:

• FAL1: IAL1 + Any AAL, IAL2 + AAL1, IAL3 +AAL1
• FAL2: IAL2 + AAL2, IAL2 + AAL3, IAL3 + AAL2
• FAL3: IAL3 + AAL3

Most passwordless solutions do not exceed FAL1.

Most passwordless solutions store their users’ data in such a way that it represents a cyber criminal dream for 2 main reasons:

Users’ data stored unencrypted.
Did you know what major organizations are still storing passwords in plain text? Unfortunately, there are multi-billion dollar companies out there that continue to minimize the importance of security. Some actually choose to compromise security in the name of (financial) convenience. Others do everything right when storing their employees’ password. But they might add overzealous logging capabilities, which record passwords in plain text… Encryption is standard during the data transmission process, but many enterprises have failed at implementing the same for information held within their databases. And that’s a hacker’s dream, because they are able to easily use stolen data in its rawest form.

Users’ data stored in centralized systems.
First, the user of a centralized database has access to four data functions: Create, Read, Update, Delete. Logically, anyone with access credentials can utilize the Create, Update and Delete functions to compromise data. Read is only as good as the data which is read. Then, a centralized system represents a single point of failure. Naturally, the bigger firms which is associated with centralized systems can afford redundancy, but it is inherently expensive…

Data storage falls way below what is required to ensure users’ data security.

Identity is our number one focus at all times.

1Kosmos BlockID is the only passwordless authentication solution that verifies the user identity. BlockID reaches IAL2, AAL2 and FAL2 per the NIST 800-63-3 guidelines, and stores users’ data encrypted in a decentralized ledger.

Enrolling
During the enrollment process, BlockID creates a credential safe and the private key always stays with the user.

Enrollment process: Triangulating a given claim with a multitude of company or government-issued documents as well as sources of truth, including biometrics like a liveness test.

• Each enrolled document is validated in the background: AAMVA for driver’s licenses, issuing country for passports.
• By enrolling a driver’s license and a passport, for example, BlockID validates the user’s first and last name, address, date of birth, and ensure, to the extent possible, that the photos on both documents actually match.
• BlockID adds an extra source of truth to our ID proofing process: a liveness test to verify if the biometric traits of an individual are from a living person rather than an artificial or lifeless person.
• BlockID accesses even more sources of validation: a passport’s chip to validate the fact that the passport scanned during the enrollment process matches digitally signed data, for example. or external sources of truth like a credit card, a bank account or a loyalty program

1Kosmos BlockID reaches IAL2 per the NIST 800-63-3 guidelines and uses advanced, unspoofable biometrics like a liveness test.

Authenticating
BlockID uses advanced biometric authentication as a security process that relies solely on the unique biological characteristics of a user to verify that he is who he says he is.

Authentication process: A liveness test to eliminate any risk of facial spoofing, which is the task of creating false facial verification by using a photo, video, mask or a different substitute for an authorized person’s face.

1Kosmos BlockID reaches AAL2 per the NIST 800-63-3 guidelines and uses advanced, unspoofable biometrics like a liveness test.

Verifiable Credentials
The verification process leverages the attributes BlockID triangulates during the enrollment phase and digital verifiable credentials users can share with third-parties and with explicit consent.

Verification process: issuers create verifiable credentials, users can store some of them, and verifiers ask for proof based upon them. When identity needs to be verified, the user chooses those credentials that must be verified. The process
involves data the user initially enrolled in BlockID, verifiable credentials in their digital form through API calls, or a mix of both.

The attestations that verifiable credentials make are backed by the Decentralized Identifiers (DIDs), a technology that enables verifiable, decentralized digital identity.

1Kosmos BlockID reaches FAL2 per the NIST 800-63-3 guidelines. BlockID is also fully W3C compliant.

The BlockID Private Blockchain Ecosystem
1Kosmos leverages a Distributed Ledger to securely store users’ identity information, with access controlled by the user (GDPR compliant) as well as a layer of privacy built around Ethereum to execute smart contracts. This is the BlockID Private Blockchain ecosystem.

Each user’s information is encrypted using their own unique cryptographic key pairs, with their private key stored securely on their own mobile devices. That means there are literally thousands of separate and unique encryption keys and mobile devices protecting the identity data, which makes it impervious to hacking (W3C compliant).

BlockID solutions automatically and seamlessly handle all interactions with the Blockchain — No Blockchain knowledge or expertise is required by anyone on your team to enjoy all of its benefits. It couldn’t be any easier.

1Kosmos BlockID is the only passwordless solution to store users’ data encrypted in a decentralized ledger.