We’ve been told for a long time that passwords are on the way out. No less a figure than Bill Gates predicted the death of the password at the 2004 RSA conference, and yet we still rely on passwords to manage much of our daily access.
But things are starting to change. Patrick McBride, chief marketing officer of Beyond Identity, believes the technology to remove passwords and replace them with something more secure is emerging. We spoke to him to find out more.
BN: Is it possible to completely replace passwords with something fundamentally secure?
PM: The password issue is known. It’s inconvenient for end users, but more importantly, it’s a really high-risk way to authenticate the end user. Early attempts to tackle this involved longer and stronger passwords, which helped if people used hacking techniques to try and figure out passwords from a stolen database. But a lot of the ways passwords are stolen, whether it’s malware running on your laptop or phishing sites, have nothing to do with that. Hackers use these methods to compromise thousands upon thousands of accounts; if you look at Have I Been Pwned there are 11 billion credentials out there, so obviously it’s a big problem.
Next came multi-factor authentication, but that’s inconvenient: I have to pick up my phone and grab this code. It is also not hacker-proof; they will use phishing techniques and steal the second code. It’s a certain level of protection, but not too much, so we decided to remove the password entirely for workforce customers.
BN: What kind of techniques are used to do that?
PM: We now use SSL to authenticate the website we’re going to, so we know it’s authentic, and then just set up a secure connection. It uses something called symmetric encryption, which is how we deal with trillions of dollars in business every day, and we don’t have a lot of problems with it. So we replaced the workforce passwords with the same encrypted public key/private key technology.
We have a little authenticator running on the desktop, so after logging in with biometrics or a PIN, there’s no password involved. And the PIN never leaves the system; rather, it is stored in a hardware chip on the computer, which makes it more difficult to crack. All modern computers and mobile devices have something called a TPM – which is required for Windows 11 systems – and it’s a place where you can safely store a private key in the hardware. So you have a friction-free login experience which is also very secure. We then built an SDK that developers can use to build that technology into their apps, so we can provide a highly secure multi-factor login to any app, whether you’re logging into a banking website or ordering a pizza.
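The mechanism McBride describes, a device-bound private key that answers a server challenge instead of a password, is easy to see in miniature. The following Go program is an added illustration and is not Beyond Identity’s code or SDK: the "device" key lives in memory here (on real hardware it would stay inside the TPM), the origins `https://bank.example` and `https://bank-login.example` are constructed placeholders, and the user name is made up. The server stores only public keys, issues a fresh nonce per login, and verifies a signature over the nonce plus its own origin, so a signature relayed from a look-alike site, or replayed after use, is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device stands in for the endpoint authenticator. On real hardware the private key
// would be generated and kept inside the TPM; this in-memory copy is a stand-in for the example.
type Device struct {
	priv *ecdsa.PrivateKey
}

// NewDevice generates the device-bound key pair at enrollment time.
func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only key material that ever leaves the device; it is registered with the server.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Sign answers a login challenge. The signature covers the origin the device is actually
// talking to as well as the nonce, so it is useless to anyone relaying it to a different site.
func (d *Device) Sign(origin string, challenge []byte) ([]byte, error) {
	digest := loginDigest(origin, challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// loginDigest binds origin and challenge together with a separator so neither can be shifted into the other.
func loginDigest(origin string, challenge []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Server holds only public keys, so a breach of its user table yields nothing usable for login.
type Server struct {
	origin  string
	users   map[string]*ecdsa.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, users: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll registers the device's public key for a user.
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Verify checks the signature against the enrolled key and the server's own origin, and
// consumes the challenge first so the same signature can never be accepted twice.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.users[user]
	nonce, pending := s.pending[user]
	if !ok || !pending {
		return false
	}
	delete(s.pending, user)
	digest := loginDigest(s.origin, nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RunScenarios exercises a genuine login, a replay, and a challenge relayed through a
// look-alike origin, returning the verification outcome of each.
func RunScenarios() (map[string]bool, error) {
	results := map[string]bool{}
	bank := NewServer("https://bank.example") // constructed origin
	dev, err := NewDevice()
	if err != nil {
		return nil, err
	}
	bank.Enroll("alice", dev.PublicKey()) // constructed user

	nonce, err := bank.Challenge("alice") // 1. genuine login
	if err != nil {
		return nil, err
	}
	sig, err := dev.Sign(bank.origin, nonce)
	if err != nil {
		return nil, err
	}
	results["genuine"] = bank.Verify("alice", sig)
	results["replay"] = bank.Verify("alice", sig) // 2. same signature again: challenge already consumed

	nonce, err = bank.Challenge("alice") // 3. look-alike site fetches a real challenge and forwards it
	if err != nil {
		return nil, err
	}
	relayed, err := dev.Sign("https://bank-login.example", nonce) // device signs for the origin it sees
	if err != nil {
		return nil, err
	}
	results["phished"] = bank.Verify("alice", relayed)
	return results, nil
}

func main() {
	r, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v replay=%v phished=%v\n", r["genuine"], r["replay"], r["phished"])
}
```

The point to take from the run is that the only secret, the private key, is never transmitted, so there is nothing for malware on the wire or a phishing page to capture that would work against the real site; a one-time code or magic link, by contrast, is itself the credential and can be relayed as-is.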
BN: So there is no need for any additional software or agent at the endpoint?
PM: Exactly, it’s self-contained within the company, or in whatever app you download. If I’m using my banking app, or if I’m using my delivery app, the technology is pretty self-contained there. So we have installed our safe and friction-free capabilities in their apps. There aren’t multiple things for the end user to do: just log in to their device and then open their app, which is very smooth and very secure.
BN: We’ve been hearing for several years that passwords are on the way out, how far do you think we are from a tipping point where everyone will be without a password?
PM: It’s starting now. It’s easier for companies to do this for their workforce, so it’s gaining a lot of momentum and removing passwords from the workers’ experience. The next step is really consumer apps, and that’s where it gets a little tricky. There are a lot of “no password” offerings that hide the password but don’t actually remove it. If it sends you a magic link, or even a one-time code via SMS, to log in, hackers have many ways to steal that: there is malware that can run on the endpoint and ask you to log in to a fake site so they can snatch that code. It doesn’t matter how complex or unique your password is, because if malware steals it, you can still be hacked. We removed some of the hassle, and password managers do some of that, but they don’t remove the password security issue.
We have reached this tipping point, where companies, especially on the consumer side, will start incorporating technology as they build new applications. And it really is across a range of industries from banks or financial services companies to more factory e-commerce applications. To get to a site where no one will ever have any passwords to remember, I’d say we still have three to five years left.
BN: All of this still depends on cryptography, how big a threat does quantum computing pose?
PM: The encryption algorithms behind our technology are the same as TLS and SSL; it’s public key encryption based on a certain set of things. I think we’re still a long way from cracking these things.
Of course you can’t predict the future perfectly. Bad guys look at quantum computing as a way to defeat the good guys, and good people are looking at how to make stronger quantum-based algorithms, but the burden, frankly, is on the industry.
The bigger question is, have you structured your technology in such a way that you can replace it in the underlying algorithms with something quantitatively safer when this eventually happens, not if it does? I think it’s a bit of an arms race now. This is going to be a problem, so the onus is on the companies that build the technology to make sure that we use encryption technologies and that they are future-proof. It still looms large and is a problem for each company individually.
photo credit: Siphotography / Depositphotos.com