Why legacy security models don’t work
15 September 2020


And how zero-trust biometric solutions can help you transition to a more secure digital workplace

We’re rapidly approaching a future fueled by digital technology — one where users and employees frequently access private systems outside the security perimeters of a workplace.

Traditional security systems, which are flawed to begin with, fail to offer adequate protection from cyber threats that originate outside the security perimeter of a workplace.

To properly secure remote working environments, organizations must start thinking about implementing radically different security models.

In this article, we’ll cover:

  • Traditional security models and their failings

  • Zero-trust security models

  • A biometric multi-factor authentication alternative

What are traditional security models?

Traditional security models refer mainly to perimeter network firewalls.

Firewalls were designed to protect corporate systems from malicious attacks by erecting security defenses that ward off threats from outside of the perimeters of the network.

Security experts often refer to this as the “castle and moat” approach. The idea is based on the assumption that anyone outside the “moat” (the firewall) cannot be trusted, and that anyone inside the “castle” (the network) can be.

The issue with this approach is that it assumes anyone within the network can be trusted. This is problematic for two reasons:

  1. The assumption that everyone inside a network is trusted leaves organizations vulnerable to insider-orchestrated attacks

  2. This approach fails to protect organizations when employees are accessing systems from outside the security perimeters of a firewall. With the dramatic increase in remote work — firewalls are not just weak, they’re redundant.

Remote-work security is traditionally tackled with VPNs, but with the rising adoption of smart technology comes the proliferation of security backdoors — greatly increasing the likelihood of a hacker successfully breaching a corporate network via poorly protected remote devices.

If a hacker compromises one smart device within a home network, then the potential to launch further attacks on other devices (used to access company systems) greatly increases. In theory, hackers could hijack a user’s device, steal their login credentials, and use them to bypass a VPN.

Hackers only need to find the weakest entry point to a network in order to infiltrate it.

Once a hacker has gained access to a network, they’re then free to move laterally within the network until reaching a target — usually a highly sensitive database that contains the private data of users, employees or clients.

According to IBM, the average breach went unnoticed for up to 206 days (just under six months), giving malicious parties plenty of time to steal such data.

What is zero-trust security, and what are the benefits?

Zero-trust systems take a radically different approach to network security. Instead of trusting those who have already authenticated and accessed a network, these models assume that no one can be trusted, and regularly require users to reauthenticate as they move through the network. Therefore, anyone attempting to access systems must be regularly authenticated no matter where, when or how they access them.

How do zero-trust solutions protect against insider threats?

Insider threats and cybersecurity incidents doubled between 2018 and 2019 — meaning it’s absolutely true that not everyone who has permissions to a network can be trusted.

Since zero-trust models assume that no one is trusted, they protect organizations from such threats. Insider-organized attacks can otherwise have large-scale financial and reputational consequences for organizations.
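To make the contrast concrete, here is an added example (not Keyless code or any product's policy engine) that evaluates the same access request under a “castle and moat” policy and under a zero-trust policy. The device registry, role entitlements, resource sensitivity and re-authentication windows are all constructed assumptions for the illustration; `on_corporate_lan` stands for “inside the perimeter”, whether on the LAN or connected through a VPN.

```python
from dataclasses import dataclass
from enum import Enum

# Constructed illustration (not Keyless code): one access request, two policies.

class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    REAUTH = "reauthenticate"

@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str           # identifier of the device making the request
    on_corporate_lan: bool   # True if the request comes from inside the perimeter (LAN or VPN)
    seconds_since_auth: int  # age of the user's last successful authentication
    resource: str            # system being accessed
    role: str                # role the user holds

# Constructed registry of devices enrolled per user (assumption).
REGISTERED_DEVICES = {"alice": {"laptop-a1"}, "bob": {"phone-b7"}}
# Constructed least-privilege entitlements per role (assumption).
ENTITLEMENTS = {"finance": {"ledger", "wiki"}, "engineer": {"wiki", "ci"}}
# Constructed set of sensitive resources that need a fresh step-up authentication.
SENSITIVE = {"ledger"}

MAX_AUTH_AGE = 15 * 60        # ordinary resources: re-authenticate after 15 minutes
MAX_AUTH_AGE_SENSITIVE = 60   # sensitive resources: authentication must be under a minute old

def perimeter_policy(req: AccessRequest) -> Decision:
    """Castle and moat: location is the only signal. Inside the perimeter means trusted."""
    return Decision.ALLOW if req.on_corporate_lan else Decision.DENY

def zero_trust_policy(req: AccessRequest) -> Decision:
    """Every request is judged on identity, device and freshness; location is irrelevant."""
    if req.device_id not in REGISTERED_DEVICES.get(req.user, set()):
        return Decision.DENY          # unknown device: cannot authenticate at all
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        return Decision.DENY          # least privilege: this role is not entitled
    limit = MAX_AUTH_AGE_SENSITIVE if req.resource in SENSITIVE else MAX_AUTH_AGE
    if req.seconds_since_auth > limit:
        return Decision.REAUTH        # stale session: challenge the user again
    return Decision.ALLOW

def compare(req: AccessRequest):
    """Return (perimeter decision, zero-trust decision) for one request."""
    return perimeter_policy(req), zero_trust_policy(req)

# Constructed scenarios drawn from the article's three failure modes.
INSIDER_LATERAL = AccessRequest("alice", "laptop-a1", True, 30, "ledger", "engineer")
STOLEN_CREDS_VIA_VPN = AccessRequest("bob", "unknown-x9", True, 30, "wiki", "engineer")
REMOTE_FINANCE_FRESH = AccessRequest("alice", "laptop-a1", False, 30, "ledger", "finance")
REMOTE_FINANCE_STALE = AccessRequest("alice", "laptop-a1", False, 600, "ledger", "finance")

if __name__ == "__main__":
    for name, req in [("insider lateral move", INSIDER_LATERAL),
                      ("stolen credentials over VPN", STOLEN_CREDS_VIA_VPN),
                      ("remote finance, fresh auth", REMOTE_FINANCE_FRESH),
                      ("remote finance, stale auth", REMOTE_FINANCE_STALE)]:
        perim, zt = compare(req)
        print(f"{name:30s} perimeter={perim.value:6s} zero-trust={zt.value}")
```

The first two scenarios are the ones the perimeter model gets wrong: an entitled insider wandering to a database their role has no business in, and an attacker using stolen credentials from an unregistered device through the VPN both land “inside the castle” and are allowed. The zero-trust policy denies both, while still admitting the legitimate remote employee and asking only for a fresh step-up when their session has aged.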

What is zero-trust authentication and identity?

Zero-trust authentication and identity solutions combine the principles of zero-trust security with the principles of strong authentication. Strong authentication – sometimes referred to as MFA or SCA – can greatly improve security by presenting users with at least two different kinds of security challenges.

For example, an MFA solution may require a user to enter their login credentials, followed by a one-time password sent to the user’s registered phone number.

Traditional MFA solutions create a range of user-experience problems when combined with the idea of zero-trust security: having to authenticate at every level of access can be disruptive when the authentication experience is cumbersome.

Plus, legacy MFA solutions are not immune to threats: since 2015, customers in the UK have lost £9.1 million to SIM swapping attacks. (SIM swapping is where a bad actor bypasses 2FA by having the one-time code that would be sent to the victim’s phone number diverted to a SIM they control.)

Read more about security issues with 2FA solutions like YubiKey in this article.

The Keyless solution: Zero-Knowledge Biometrics

At Keyless, we combine multi-modal biometrics with privacy-enhancing secure multiparty computation to provide a passwordless, secure and privacy-first way to authenticate users that is minimally disruptive to the user experience.

Our privacy-enhancing biometric authentication solutions offer multi-factor (MFA) security by design:

  • Keyless verifies users are authenticating from their trusted device. If a device is not registered, the user won’t be able to authenticate.

  • Keyless uses facial biometrics to verify users across every touchpoint — a universal inherence factor as an added level of security.

  • Keyless will soon also leverage behavioral biometrics, which serves as another, transparent third authentication factor.

Once a user is registered, all they need to do to access their accounts is look into the camera of their device.

This simple, user-friendly solution can be implemented at multiple access points, ensuring that only the right users have the right access at the right time while offering cutting-edge security.

To protect end-users and organizations against fraudulent takeovers, Keyless leverages advanced liveness detection and anti-spoofing techniques, in addition to the built-in multi-factor security. This allows Keyless to ensure that the user is, in fact, real.

Simple, secure, and above all, private authentication

To recap, that’s:

  • No passwords

  • No one-time codes

  • No secret questions

Or, in other words, that’s nothing to remember, nothing to type, nothing to lose, nothing to forget, nothing to phish and nothing to copy and paste.


How we protect biometric data

Keyless never stores sensitive information on a user’s device or on centralized servers. Instead, encrypted shares of data are stored on the Keyless Network, a distributed cloud network.

This is possible thanks to our patent-pending zero-knowledge biometric (ZKB™) authentication technology, enabled by the unique combination of state-of-the-art biometrics with zero-knowledge cryptography and privacy-enhancing multi-party computation.

This breakthrough technology allows Keyless to authenticate users, without needing or being able to access the raw contents of someone’s sensitive information. In other words, we don’t trust anyone, not even ourselves.
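The general principle behind “shares of data, no single holder sees the raw contents” can be shown with additive secret sharing, which is the building block most multi-party computation protocols start from. The example below is added here for illustration and is not Keyless’s protocol or code: it splits a constructed biometric feature vector into n shares modulo a prime, shows that every share holder on its own sees only uniformly random numbers, and shows the one MPC property the text relies on, namely that the share holders can each subtract their share of a fresh probe from their share of the enrolled template locally, producing shares of the difference without any party reconstructing either vector. The prime, the toy feature vectors and the distance threshold are assumptions.

```python
import secrets

# Constructed, simplified illustration (not Keyless's protocol): additive secret
# sharing of a biometric feature vector over the integers modulo a prime.

P = 2**61 - 1  # Mersenne prime used as the field modulus (assumption)

def split(vector, n):
    """Split each coordinate into n additive shares with share_1 + ... + share_n == value (mod P).
    The first n-1 share vectors are uniformly random; the last one absorbs the remainder,
    so any n-1 of them are statistically independent of the vector."""
    shares = [[secrets.randbelow(P) for _ in vector] for _ in range(n - 1)]
    last = [(v - sum(s[i] for s in shares)) % P for i, v in enumerate(vector)]
    return shares + [last]

def reconstruct(share_vectors):
    """Sum the shares coordinate-wise. With every share present this is the original vector;
    with any share missing the result is a uniformly random vector, not a near miss."""
    return [sum(col) % P for col in zip(*share_vectors)]

def subtract_shares(a_shares, b_shares):
    """Each share holder subtracts locally. The result is a valid sharing of (a - b):
    linear operations on additive shares need no communication and no reconstruction."""
    return [[(x - y) % P for x, y in zip(a, b)] for a, b in zip(a_shares, b_shares)]

def squared_distance(diff):
    """Squared Euclidean distance of a difference vector, reading field elements
    above P/2 as negative integers."""
    centered = [d if d <= P // 2 else d - P for d in diff]
    return sum(d * d for d in centered)

def authenticate(enrolled_shares, probe, n, threshold):
    """Compare a fresh probe against an enrolled template held only in shared form.
    The probe is shared the same way, the difference is computed share-by-share, and
    only the difference is opened. In this simplified demo opening the difference would
    let a party who also knows the probe recover the template; real MPC protocols keep
    the difference shared and open only the final distance or the accept/reject bit."""
    probe_shares = split(probe, n)
    diff_shares = subtract_shares(enrolled_shares, probe_shares)
    return squared_distance(reconstruct(diff_shares)) <= threshold

# Constructed toy feature vectors (a real template would have hundreds of dimensions).
ENROLLED = [12, 7, 30, 3]
CLOSE_PROBE = [13, 7, 29, 3]   # same person, slightly different capture: distance 2
FAR_PROBE = [40, 1, 2, 9]      # different person: distance 1640
THRESHOLD = 4

if __name__ == "__main__":
    shares = split(ENROLLED, 3)
    print("one share alone:", shares[0])                 # looks like random field elements
    print("two of three shares:", reconstruct(shares[:2]))  # still random, not close to ENROLLED
    print("all three shares:", reconstruct(shares))      # [12, 7, 30, 3]
    print("close probe accepted:", authenticate(shares, CLOSE_PROBE, 3, THRESHOLD))
    print("far probe accepted:", authenticate(shares, FAR_PROBE, 3, THRESHOLD))
```

The point worth checking for yourself is the second print line: dropping a single share does not yield a blurred version of the template but an unrelated random vector, which is why distributing shares across independent holders removes the central store of raw biometrics that a breach could expose. Multiplying shares (needed to compute a distance without opening anything) requires interaction between the parties and is where real MPC protocols do their work.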

Request a Free Trial of Keyless

Keyless™ authentication can help deliver secure and seamless digital experiences for your end-users and for your increasingly remote workforce.

Head to our website to learn more about our biometric authentication and identity management solutions.


Alternatively, you can email us directly at info@keyless.io

Get In Touch

Find out how our private-by-design MFA can help your organization prevent ATOs, improve UX, and protect your bottom line.