From authentication to the future of identity
28 March 2020

Authentication is a process used to verify that someone is who they claim to be. Each of us completes the process of authentication multiple times a day.

In fact, authenticating ourselves has become so ingrained in our everyday lives that most of us don’t give a second thought to what we’re actually doing in the process. Unlocking our devices, entering our PINs, swiping into our office buildings, scanning our passports at airports — these are all acts of authentication. We’re proving who we are, or that we have ownership over something, to a platform or service.

In this piece, we’re going to delve into the evolution of online authentication methods and the inherent security problems with how our private credentials are managed by companies today. We’ll then focus on how our team is leveraging the latest advancements in cryptography and biometrics to work towards building a privacy-focused future.

The evolution of online authentication methods

Technology has evolved at an incredible speed since the launch of the World Wide Web in 1991. So much so that today our lives revolve entirely around mobile devices and the platforms on them. Most of us now work, socialise, make payments, shop for groceries, and even bank online.

Yet, the way we authenticate online and manage private information has failed to evolve at the same pace. Despite being introduced over half a century ago, usernames and passwords are still the most popular authentication method used today.

The 20th Century

1960s: Usernames and passwords

Usernames and passwords have been the most common form of online authentication for decades. Users choose a “secret”, an easy-to-remember password that nobody else knows.

The password is shared with the platform or service, and then stored on its internal systems so that it can be cross-referenced when someone attempts to log in.

While still the most popular means of authentication on the internet, guessing passwords has proven to be relatively easy. To protect users against this, most platforms have imposed their own set of password requirements, some more lax than others, and most require users to change their passwords periodically.

This strategy has arguably made it harder for users to keep their passwords secure. In reality, being forced to remember dozens of different password combinations forces users to either overuse the same password, or keep copies of them stored in insecure places.

1970s: Hash

Hashing is a one-way function that platforms use to store passwords securely. With hashing, raw or unaltered passwords are transformed into an unrecognizable alphanumeric “hash”.

Because the function is one-way, it is more difficult for an attacker to uncover a user’s password.

To authenticate a user, the password entered during login is converted to a hash, and the system compares that with the hashed copy stored on file. If there is a match, then the user is granted access.

Unfortunately, hashing alone is generally not strong enough to completely dissuade malicious actors, as cybercriminals can still steal hashed passwords from databases.

These can be easily broken by a dictionary attack, or by brute force attacks where the malicious party plays trial and error until they discover the original password or secret.
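The login comparison described above, next to a hardened form, as an added example that is not code from the original article. The salted PBKDF2 scheme, the iteration count and the sample passwords are assumptions chosen for illustration; the point is that a random per-user salt and a slow derivation function make each stored value unique and each guess expensive.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for PBKDF2-HMAC-SHA256; raise it as hardware allows.
ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a key with a slow KDF and a random per-user salt; store both."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def demo() -> dict:
    # Constructed sample data: two users who chose the same password.
    shared = "correct horse battery staple"
    alice_salt, alice_key = hash_password(shared)
    _bob_salt, bob_key = hash_password(shared)
    return {
        # Unsalted: both rows in a stolen table would be identical.
        "unsalted_equal": unsalted_sha256(shared) == unsalted_sha256(shared),
        # Salted: same password, different stored values.
        "salted_equal": alice_key == bob_key,
        "good_login": verify_password(shared, alice_salt, alice_key),
        "bad_login": verify_password("wrong guess", alice_salt, alice_key),
    }


if __name__ == "__main__":
    print(demo())
```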

1980s: Two-factor authentication — Hardware tokens

Two-factor authentication (2FA) is essentially the idea of presenting the user an authentication challenge that is different to the first. This creates another security perimeter that hackers need to bypass, making it much more difficult to break into a user’s accounts.

Hardware tokens, which are registered to a user’s accounts and produce one-time passwords (OTPs), were introduced as a method to do this. Essentially, the user’s possession of the hardware token is another challenge.

If the user knows their username and password, and has possession of the hardware token, then the service can be sure that the user is who they say they are.

Hardware security tokens like YubiKey are modern examples of 2FA solutions that still use this technology today.

Unfortunately, hardware token solutions are costly and disruptive to the user experience, as they can often be misplaced or lost entirely.

1990s: Public key cryptography

Widely used today amongst those that own digital assets, public key cryptography relies on pairs of “keys” to authenticate users: one private, and one public. Keys are alphanumeric strings that are so long and random that they’re considered impossible to guess (or remember).

Instead of needing to store a user’s private information to be able to authenticate them, the only data that systems must store is the public key, along with a username. To authenticate, a server sends a message to the user’s device, and the user creates a digital signature over it with their private key, which the server then verifies using the stored public key.

This technique, while more private and secure than other authentication methods, is particularly disruptive to the user-experience.

Since they are so long, private keys are difficult to remember without writing them down and storing copies somewhere. Storing private keys puts them at risk of being compromised or lost, which means users not only risk having their account breached, they also risk accidentally locking themselves out of their accounts.
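The challenge and signature exchange described in this section, with both sides shown, as an added example that is not code from the original article. It assumes Ed25519 keys and the third-party `cryptography` package; the `Server` class, the usernames and the single-use challenge handling are hypothetical names and choices made for illustration.

```python
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


class Server:
    """Hypothetical relying party: stores username -> public key, nothing secret."""

    def __init__(self):
        self.public_keys = {}
        self.pending = {}  # username -> outstanding challenge

    def register(self, username, public_key):
        self.public_keys[username] = public_key

    def issue_challenge(self, username) -> bytes:
        # A fresh random message per login attempt.
        challenge = secrets.token_bytes(32)
        self.pending[username] = challenge
        return challenge

    def verify(self, username, signature: bytes) -> bool:
        # pop() makes every challenge single use, so an old signature cannot be reused.
        challenge = self.pending.pop(username, None)
        key = self.public_keys.get(username)
        if challenge is None or key is None:
            return False
        try:
            key.verify(signature, challenge)
            return True
        except InvalidSignature:
            return False


def demo():
    server = Server()
    device_key = Ed25519PrivateKey.generate()  # never leaves the user's device
    server.register("alice", device_key.public_key())

    first = device_key.sign(server.issue_challenge("alice"))
    ok = server.verify("alice", first)

    server.issue_challenge("alice")
    replayed = server.verify("alice", first)  # old signature, new challenge

    other_key = Ed25519PrivateKey.generate()  # a key the server never registered
    wrong_key = server.verify("alice", other_key.sign(server.issue_challenge("alice")))
    return ok, replayed, wrong_key


if __name__ == "__main__":
    print(demo())
```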

The 21st Century

2000s: The evolution of 2FA to SMS and soft tokens

As sales of mobile devices skyrocketed, 2FA solutions that leverage mobile devices, rather than secondary hardware devices, rose in popularity. As a secondary authentication challenge, SMS 2FA solutions send a one-time password to a user’s pre-registered mobile number.

SMS passwords have proven to be relatively expensive for businesses, susceptible to social engineering attacks, and disruptive to the user-experience if the user loses access to their phone.

Instead of sending an OTP to a user’s phone number, soft tokens leverage the technology built into a user’s smart-device to generate an OTP. While this is less costly for businesses, soft tokens are still vulnerable to security breaches if the user’s device is hacked.

2010s: Biometrics

In the last decade, the use of fingerprints and facial recognition technology became pervasive in mobile banking, cloud-based mobile payments, accessing government services and remote working.

Today, users can opt to use their biometrics to authenticate on their registered smart devices, which then gives them access to the services and platforms within the device.

Instead of being ubiquitous, however, mobile-based biometric solutions available today are restricted to specific brands or platforms. For example, iPhone users are only able to use their FaceID and TouchID with platforms that have integrated with Apple.

While biometrics solve the problem of having to remember and manage countless passwords, biometric data is just as vulnerable to being leaked or compromised in breaches, with the risks being significantly higher for both businesses and users.

Challenges: protecting personal data

One of the biggest security challenges with authentication over the decades has been how private credentials are managed. Generally, businesses and platforms store copies of our passwords, PINs and security questions, alongside our personal details. This practice of storing private information in centralized databases essentially creates “honeypots” of our personal data.

These entice hackers to execute large-scale cyber attacks and unfortunately, many attacks are successful, despite the best security efforts of the platform.

Building privacy-first solutions

We want to overhaul the way we interact with digital platforms. By disrupting the ways in which businesses manage personal information, we hope to enable a world where anyone can seamlessly access any digital service from any device at any time. All while keeping personal credentials safe, private and under control.

2020s and beyond: Keyless

Keyless is a deeptech cybersecurity company founded by experienced entrepreneurs and leading security experts. Backed by top-tier venture capitalists, our team is bringing over a decade of research in biometrics and privacy-preserving cryptography to life.

Our platform features everything businesses need to embrace passwordless authentication: Keyless biometric multi-factor authentication across the enterprise, and PSD2-compliant strong customer authentication with just a look across all customer touchpoints, with built-in privacy protections that allow individual users to control their own identity data.

With Keyless, personal data is kept private and secure by combining privacy-enhancing multi-party computation and zero-knowledge proofs with machine learning, and by leveraging a unique combination of multi-modal biometrics and user behavior modeling. Our zero-knowledge distributed architecture removes the risk of data being compromised in an accidental data breach or targeted cyber attack.

The future is passwordless

The combination of biometrics with our patent-pending privacy-enhancing security technology has the power to completely transform the way that we relate to the web and the world around us. By disrupting the ways in which we authenticate, not just online but in the physical world too, we can make the world more secure and private than ever before.

We see a future where anyone can seamlessly access any service from any device at any time. All while keeping their personal credentials safe, private and under control.

With Keyless, the authentication experience will become frictionless and ubiquitous for users no matter where they are or what they’re doing. At the same time, businesses will no longer need to choose between improving the user-experience or strengthening security.

In a Keyless world, users won’t need to remember anything. Instead, their unique biometric profiles will become their passwords, allowing them to access any service at any time, without needing to worry about their privacy being compromised.

Interested in trialing Keyless to enable secure work from home in a seamless and compliant way?

If you’re interested in how Keyless™ authentication can help deliver secure and seamless digital experiences, whether for your end users or for an ever more important and dynamic digital workplace, or if you’d like to learn more about our platform, then please feel free to get in touch with our team.

You can email us at info@keyless.io

We’re always keen to have a chat about how we can help businesses on their journeys towards a complete zero-trust security model.
