How Companies Can Stop Using Passwords
Whoever said crime doesn’t pay didn’t consider how much money there is to be made as a hacker. Last year, we visited one of the leading threat intelligence war rooms on this planet, where experts monitor chatter on the dark web in real-time. It was there we learned about how Russian computing graduates are often attracted to a life of crime because it’s far more lucrative than a desk job. Here’s how much various credentials sold for on the dark web last year in U.S. dollars (courtesy of J. Clement at Statista).
| Credential | Price (USD) | Credential | Price (USD) |
|---|---|---|---|
| Bank Details | $259.56 | Grubhub | $9.08 |
| Debit Card | $250.05 | NordVPN | $8.84 |
| Credit Card | $33.88 | Match | $7.86 |
| Western Union | $29.44 | | $6.21 |
| Driving License | $27.62 | Gmail | $5.87 |
| Best Buy | $26.54 | Plenty of Fish | $3.77 |
| eBay | $21.66 | Pizza Hut | $2.60 |
Two things are readily apparent. Firstly, there’s a lot of money to be made from stealing people’s credentials. Secondly, data security is a problem across all domains, from dating to ordering pizza. We’re able to create synthetic life, yet we’re protecting nearly every single valuable thing we control with an alphanumeric combination of characters.
Most people don’t know that four-digit PINs are actually more secure than passwords because of their simplicity. If the FBI is having to ask Apple for help to break into Apple devices, then the security being employed at the device level today is sufficient. What if your smartphone never asked for a password because it always assumed you were the operator? That’s the idea behind Beyond Identity, a company that aims to replace passwords with devices – the ones you’re using to read this article.
About Beyond Identity
Founded in February of 2019, New Yawk startup Beyond Identity has taken in $30 million in funding to eliminate passwords using a security platform that’s already found in most devices – Trusted Platform Module or TPM. Simply put, TPM is an international security standard that manifests itself on your device in the form of a chip. Oftentimes, a TPM will have its own processor, RAM, and even a tiny little operating system. In this way, it’s isolated from the rest of your device’s hardware and can remain entirely secure, no matter how compromised your device becomes.
The Emergence of Trusted Platform Modules
Nearly all large semiconductor manufacturers produce TPM chips, which are found in nearly all electronic devices used to access the Internet today. The Department of Defense requires that any computing devices it uses internally be equipped with a TPM, describing it as follows:
The TPM is a microcontroller that stores keys, passwords, and digital certificates. It typically is affixed to the motherboard of computers. It potentially can be used in any computing device that requires these functions. The nature of this hardware chip ensures that the information stored there is made more secure from external software attack and physical theft.
Rarely do people get to see how the sausage gets made, but the Internet is a giant network of servers that communicate with one another using common, well-tested encryption methods.
If these security methods didn’t work incredibly well, the Internet wouldn’t exist as it does today. All that Beyond Identity has done is to take the same sort of security that servers use to communicate with one another and give it to clients. Like this:
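What "the same security servers use" means in practice is public-key authentication: the device holds a private key that never leaves its hardware key store, the server keeps only the matching public key, and a login is a signed answer to a fresh server challenge. The following is an added illustration written for this article, not Beyond Identity's code or protocol. It models the TPM-protected key as an in-memory ECDSA key (assumption: a real deployment would generate and use the key inside the TPM), uses a hypothetical user "alice", and shows the two properties a defender cares about: the server stores nothing a thief could reuse, and a captured signature fails on replay because each nonce is single use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Device stands in for the client. Its private key is generated inside a
// hardware-protected store (modelled here in memory; a real deployment would
// use the TPM) and is never exported, so it cannot be phished or copied.
type Device struct {
	priv *ecdsa.PrivateKey
}

// NewDevice creates a fresh P-256 key pair on the device.
func NewDevice() (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: k}, nil
}

// PublicKey is the only material that leaves the device, at enrollment.
func (d *Device) PublicKey() *ecdsa.PublicKey {
	return &d.priv.PublicKey
}

// Sign answers a login challenge. The signature covers the server's nonce,
// so it is useless for any other login attempt.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// Server keeps enrolled public keys and one outstanding nonce per user.
// It stores no password and no secret that an attacker could steal and reuse.
type Server struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{
		keys:       make(map[string]*ecdsa.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Enroll registers a device's public key for a user.
func (s *Server) Enroll(user string, pub *ecdsa.PublicKey) {
	s.keys[user] = pub
}

// Challenge issues a random single-use nonce the device must sign.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify checks the signature against the enrolled key and consumes the
// nonce, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("unknown user")
	}
	nonce, ok := s.challenges[user]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, user) // single use, whether or not the check passes
	digest := sha256.Sum256(nonce)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match enrolled key")
	}
	return nil
}

func main() {
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Enroll("alice", dev.PublicKey()) // "alice" is a constructed sample user

	nonce, _ := srv.Challenge("alice")
	sig, _ := dev.Sign(nonce)
	fmt.Println("first login:", srv.Verify("alice", sig)) // <nil>
	fmt.Println("replayed:   ", srv.Verify("alice", sig)) // error: nonce consumed
}
```

The server-side table contains only public keys, which is what makes the Capital One style credential dump worthless to a buyer: there is nothing in it that logs anyone in. The delete before the verify is deliberate, so that a failed attempt also burns the nonce rather than leaving it open for another try.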
You might be thinking that’s an incredibly simple solution, and you’d be right. So why on God’s green earth would something so blatantly simple and easy to do not have been done already? That’s a good question, and if you ever worked in IT, you would know that rarely does simplicity dictate which path to follow.
We live in a world where it is commonly accepted that you never use the same password twice. In that same world, it’s commonly accepted that the average person has 90 or more sites which they access requiring a name and password. It is humanly impossible for passwords to be used as an acceptable method of securing our most valuable possessions. The Beyond Identity solution makes sense and we should definitely use it to replace passwords. The question is, how do we go about implementing such a solution? Where would we even start?
Rolling Out Beyond Identity
One place to start would be at America’s largest private company – Koch Industries – which is a multinational conglomerate with 130,000 employees that dabble in just about everything under the sun. As a lead investor in Beyond Identity, it makes sense that Koch would be rolling out enterprise implementations across their many subsidiaries.
Gracing the front of Beyond Identity’s homepage is a video of Koch CISO Jarrod Benson talking about how cloud computing leads us to an identity-centric model with two primary advantages. Firstly, it eliminates friction (no pesky reminder emails or remembering 20 different passwords). Secondly, it can potentially eliminate a majority of security breaches. The Verizon Data Breach Investigations Report estimates that 81% of hacking-related breaches are the direct result of stolen credentials.
A report by LastPass showed that your average corporate slave manages just over 190 passwords. That explains the popularity of single-sign-on solutions which allow you to authenticate with dozens of applications using just one set of credentials. Publicly traded firm Okta (OKTA) has made a $30 billion business out of single-sign-on. They’re just one of many single-sign-on solutions that Beyond Identity can interface with which makes it easy for organizations to adopt the solution.
Enterprise implementations are one part of the equation, the other being companies that want to secure the communications they have directly with their customers. When you’re dealing with Joe Public, you never know who is actually behind the device that you’ve authenticated using TPM or any other authentication method.
Securing the Human Element
We’ve now managed to secure all the machines in the equation. What we haven’t secured is the human. Let’s say that your machine was compromised and someone else was using it. How can we tell it’s actually you? That’s particularly important in an era where someone is able to mimic your voice after hearing 60 seconds of your speech. How can we tell it’s not you behind the keyboard?
There are some very sophisticated ways to ensure the person behind the keyboard is who they say they are. One company solving these problems using some very creative methods is BioCatch.
Update 12/08/2020: Beyond Identity has raised $75 million in Series B funding to expand their global footprint. This brings the company’s total funding to $105 million to date.
We first looked at BioCatch back in Spring of 2017 when we wrote a piece titled BioCatch – Behavioral Biometrics for Fraud Detection. At that time, they were a small Israeli startup with just over $11 million in funding and some really cool technology. Today, they’ve taken in nearly $214 million in disclosed funding from some big names like American Express, Citigroup, Barclays, HSBC, and Bain. All that money is being used to thwart account takeover threats that bypass traditional fraud prevention and authentication defenses.
Let’s say that for whatever reason someone was able to gain control of your computer and they decided to transfer money from your bank account. BioCatch uses what’s called “behavioral biometrics” to quickly detect it’s not you behind the keyboard. For example, think about how you type your own name. No matter how hard a criminal might try, they’ll never be able to emulate the cadence at which you type away on those keys while spelling out your name. Similarly, they won’t type other words the same way you do.
Ever had your mouse cursor disappear? When it does, everyone wakes up their mouse using that little hand jiggle.
Turns out that hand jiggle you do is unique and can be used to identify you. Every way in which you physically interact with your devices tells BioCatch something about who you are. They’re able to detect when the user isn’t familiar with the data, or is perhaps too familiar with the data. Certain fields you may hesitate to fill in, while a cybercriminal would push forward confidently, having performed these same actions hundreds of times before.
How accurate are BioCatch’s techniques? The false error rate for the BioCatch behavior detection algorithms is just 1%, and of those false errors, they can detect 95%.
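To make the typing-cadence idea concrete, here is an added toy example, written for this article and not BioCatch’s algorithm or code. It reduces one signal from the paragraphs above, the flight time between keystrokes as a user types a fixed phrase such as their own name, to a per-interval mean and standard deviation learned from a few enrollment sessions, then scores a later session by how many standard deviations it sits from that rhythm. All timing data is constructed, the five-interval phrase and the user are hypothetical, and the threshold of 2.0 is an assumption; a production system uses many more signals and a trained model rather than a z-score.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Profile holds, for each inter-key interval of a fixed phrase (here, the
// user typing their own name), the mean and standard deviation of the flight
// time observed across enrollment sessions.
type Profile struct {
	Mean []float64
	Std  []float64
}

// minStd is a floor on the per-interval deviation (ms): nobody is perfectly
// consistent, and it keeps one unusually steady interval from dominating.
const minStd = 5.0

// Enroll builds a profile from several sessions. Each session is the list of
// flight times in milliseconds between consecutive keystrokes.
func Enroll(sessions [][]float64) (*Profile, error) {
	if len(sessions) < 2 {
		return nil, errors.New("need at least two enrollment sessions")
	}
	n := len(sessions[0])
	for _, s := range sessions {
		if len(s) != n {
			return nil, errors.New("all sessions must cover the same phrase")
		}
	}
	p := &Profile{Mean: make([]float64, n), Std: make([]float64, n)}
	for i := 0; i < n; i++ {
		var sum float64
		for _, s := range sessions {
			sum += s[i]
		}
		p.Mean[i] = sum / float64(len(sessions))
		var sq float64
		for _, s := range sessions {
			d := s[i] - p.Mean[i]
			sq += d * d
		}
		p.Std[i] = math.Max(math.Sqrt(sq/float64(len(sessions)-1)), minStd)
	}
	return p, nil
}

// Score returns the mean absolute z-score of a session against the profile:
// near 0 means the enrolled rhythm, larger means less like the user.
func (p *Profile) Score(session []float64) (float64, error) {
	if len(session) != len(p.Mean) {
		return 0, errors.New("session length does not match profile")
	}
	var total float64
	for i, v := range session {
		total += math.Abs((v - p.Mean[i]) / p.Std[i])
	}
	return total / float64(len(session)), nil
}

// IsAnomalous reports whether the session's score exceeds the threshold,
// i.e. whether the cadence is unlike the enrolled user.
func (p *Profile) IsAnomalous(session []float64, threshold float64) (bool, float64, error) {
	score, err := p.Score(session)
	if err != nil {
		return false, 0, err
	}
	return score > threshold, score, nil
}

// Constructed sample data: four enrollment sessions of one user typing a
// five-interval phrase, a later genuine session, and an impostor session
// with a flat, mechanical rhythm. None of these are real measurements.
var (
	EnrollSessions = [][]float64{
		{120, 95, 140, 210, 88},
		{130, 100, 135, 225, 92},
		{115, 90, 150, 200, 85},
		{125, 105, 145, 215, 90},
	}
	GenuineSession  = []float64{122, 98, 141, 214, 89}
	ImpostorSession = []float64{200, 200, 200, 200, 200}
	Threshold       = 2.0 // assumed cut-off, in standard deviations
)

func main() {
	p, err := Enroll(EnrollSessions)
	if err != nil {
		panic(err)
	}
	for name, s := range map[string][]float64{"genuine": GenuineSession, "impostor": ImpostorSession} {
		flag, score, _ := p.IsAnomalous(s, Threshold)
		fmt.Printf("%-8s score=%.2f anomalous=%v\n", name, score, flag)
	}
}
```

The genuine session scores around 0.1 standard deviations from the profile while the impostor's even, copy-typed rhythm scores above 10, which is the gap a behavioral system is exploiting. The interesting operational question is the threshold: set it low and you get the false alarms on legitimate users that the 1% figure above is describing; set it high and a careful impostor slips through, which is why such a score is normally one input to a risk decision rather than a hard block.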
The Return on Investment
The same financial motivations that drive hackers to hack also drive institutions to protect themselves. An IBM study says the average data breach in the United States costs a company $8.64 million and takes 280 days to contain. Some of the biggest and most expensive data breaches have taken place in the past five years.
Perhaps the best example of this was the recent case of former Amazon cloud employee, Paige Thompson, who was arrested and charged with accessing personal information of 106 million Capital One credit applications.
According to an AP news brief, “Capital One said 140,000 Social Security numbers and 80,000 bank account numbers were obtained in the hack.” The bank account information alone would have been worth over $20 million on the black market. Capital One was fined $80 million for the breach, and authorities discovered at least 30 additional institutions that were hacked by the same individual. It was one of the biggest data breaches of all time.
By combining elegant hardware solutions like Beyond Identity with sophisticated behavioral biometric techniques from BioCatch, there’s no reason you should ever need to memorize a password again. If it means not having to receive an email every 30 days from the helpdesk asking you to choose another password, then it should be an easy purchase order for any CTO to sign off on.
Are we going to finally open a position in the Global X Cybersecurity ETF? Or did we go all hero-or-zero on CrowdStrike? Become a Nanalyze Premium subscriber and find out.
I’m very interested in this. Do you publish a newsletter with the same information which could be mailed to me?
Hey Joe. You’ve been subscribed to our newsletter since summer. Perhaps check your spam folder to see if it’s being hung up?