How technology is looking to replace passwords [Q&A]
We've been told for a long time that passwords are on the way out. Indeed no less a figure than Bill Gates predicted the death of the password at 2004's RSA conference, yet we still rely on them for managing much of our day-to-day access.
But things are starting to change. Patrick McBride, CMO at Beyond Identity, believes that the technology to eliminate passwords and replace them with something more secure is starting to take off. We talked to him to discover more.
BN: Is it possible to replace passwords completely with something fundamentally secure?
PM: The password issue is well known. It's inconvenient for end users but, more importantly, it's a really high risk way of authenticating the end user. Early attempts to tackle this involved longer and stronger passwords, if people were using cracking techniques to try to figure out what passwords were from a database that helped. But a lot of the ways passwords get stolen, either malware running on the laptop, or phishing sites have nothing to do with that. Hackers use those techniques to compromise thousands and thousands of accounts, if you look at Have I Been Pwned there are 11 billion credentials out there, so it's clearly a big issue.
Next came multi-factor authentication, but that’s inconvenient, I have to pick my phone and grab that code. Also it’s not hacker proof, they'll use phishing techniques and steal the second code. It's some level of protection, but not much, so we've set out for workforce customers to just eliminate the password entirely.
BN: What sort of techniques are involved in doing that?
PM: We use SSL now to authenticate the website we're going to so that we know that its authentic and then just set up a secure connection. It uses something called symmetric cryptography, which is the way we transact trillions of dollars in business daily and don't have a lot of problems with. So we replaced the passwords for the workforce with that same technique of underlying cryptographic public key/private key.
We've got a little authenticator that runs on on the desktop, so after the login using biometrics or a PIN there's no password involved. And the PIN code never leaves the system, they're stored in a hardware chip on the computer, which makes them much harder to crack. All modern PCs and mobile devices have something called TPM -- it's required for Windows 11 systems -- it's a place where you can securely store a private key in hardware. So you have a very frictionless login experience that is also highly secure. We then build an SDK that developers can use to create hardcore technology into their application so that we can provide very secure multi-factor login to any app, whether you're logging into a bank website or ordering a pizza.
BN: So there's no need for any additional software or agent on the endpoint?
PM: Exactly, it's self contained within the company or in whatever app you download. If I'm using my banking app, or if I'm using my delivery application, the tech is self contained within there. So we've nailed our secure and frictionless capabilities into their app. There aren’t multiple things for the end user to do, they just log into their device and then open their app and it's super seamless and highly secure.
BN: We've been hearing for several years that passwords are on the way out, how far do you think we are from some kind of tipping point where everyone will be passwordless?
PM: It's starting now, it's become easier for companies to do this for their workforces, so it’s gaining lots of traction and removing passwords from the experience for workers. The next step is really the consumer apps and this is where it gets a little tricky. There's a lot of 'passwordless' stuff that hides the password it but it doesn't actually remove it. If I send you a magic link, or even a one time code, to log in through SMS, the hackers have lots of ways to steal that, there's malware that can run on the endpoint and have you log into a fake site so they can grab that code. It doesn't matter how complex or unique your password is because if a piece of malware steals it you’re still compromised. We’ve removed some of the hassle, password managers do a little bit of that, but they don't remove the security issue of passwords.
We're at that tipping point where, particularly on the consumer side, companies will start to incorporate technology as they build new apps. And it's really across a range of industries from banking or financial service companies all the way down to more run of the mill eCommerce applications. To get to a position where nobody will have any passwords to remember forever, I'd say that's still three to five years away.
BN: All of this still relies on cryptography, how big a threat does quantum computing pose?
PM: The cryptographic algorithms underlying our technology are the same thing underlying TLS and SSL, it's public key cryptography based on a certain set of things. I think we're still some way away from that stuff getting broken.
Of course you can't future proof perfectly, the bad guys are looking at quantum computing as a way to defeat the good guys, and the good guys are looking at how to make much stronger quantum-based algorithms but the onus, frankly, is on the industry.
The larger question is, have you built your technology in a way so that when, not if, this eventually happens you could replace it on the underlying algorithms using something that's more quantum safe? I think it's an arms race a little bit now. It will be an issue and so the onus is on the companies building technology to ensure that we're using cryptographic techniques and that they are future proof. It's still on the horizon and it's a problem for every individual company.