The start-ups trying to kill the password

3 September 2021 Technology & Digitalization

The start-up that attracted the largest investment in the history of cyber security, of more than half a billion dollars, has a simple mission: it wants to kill the password.

With the average person now having to remember between 70 and 80 passwords, Boston-based Transmit Security believes there is a better way of logging in to websites and applications, given the ubiquity of smartphones and computers with facial recognition or fingerprint reading technology.

“That is what has changed in the market that just was not true a year ago, two years ago,” said Rakesh Loonkar, president and co-founder of Transmit, which raised $543m from investors in June.

The need to replace the easily forgotten and highly hackable strings of letters and numbers that we use to access everyday life has become even more urgent with the shift to remote working, and a surge in password-related hacks, such as the ransomware attack that entered Colonial Pipeline through a compromised VPN password, shut the pipeline down and caused fuel shortages across America’s East Coast earlier this year.

Last year the World Economic Forum seized on the pandemic to call for a “passwordless future”, arguing that it “vastly improves a company’s security by reducing the overall attack surface and eliminating compromised credential risk”.

As a result, the race to replace the password is under way, with biometric-based security emerging as one of the most sought-after solutions. 

“I think that the vast majority of consumer services will offer passwordless login systems in the next couple of years,” said Andrew Shikiar, executive director of the Fast Identity Online alliance, or Fido, a coalition of more than 250 companies including Google and Microsoft, which promotes open authentication standards (FIDO2 and WebAuthn) that replace the shared password with a cryptographic key held on the user’s device and unlocked locally, for example by a fingerprint or face match. 

“If done correctly and safely in a compliant manner, biometrics are really [helping us] move to a passwordless future in a rapid manner. There’s a lot of innovation . . . and a lot of investment in the space.”

‘12345’

Despite the spread of password management software that can generate and remember complicated strings of random characters, some of the most common passwords are still “12345”, “password” and “iloveyou”.

As a result, more than 80 per cent of hacking-related breaches involve compromised passwords, according to the World Economic Forum, and passwords remain the most sought-after data for hackers, above other personal or sensitive information. 

In many cases, individuals are tricked into handing over password details by phishing emails and other social engineering techniques. But cyber intruders have also sought to break into apps and steal entire password databases, with big technology groups such as Yahoo and LinkedIn suffering huge password hacks in the past.

A lively marketplace for passwords runs on the dark web, the part of the internet that is only reachable through anonymising software such as the Tor browser. According to research by Digital Shadows, there are more than 15bn credentials circulating in hacker forums, coming from more than 100,000 separate breaches.

Credentials remain the most sought-after data source for hackers

Passwords are also under attack from new technology: automated bots that try a handful of common passwords against many different accounts, staying below each account’s lockout threshold, a tactic known as password spraying; or that replay username and password pairs stolen in one breach against other online services, a technique known as credential stuffing.
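Both attacks share one tell that per-account lockout never sees: a single source touching many accounts with only a few attempts each. The following is an added example, not code from the article or from any company it names, showing a heuristic detector for that pattern run over constructed authentication log lines. The `ts=… src=… user=… result=…` format, the source addresses, the account names and the thresholds are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding is one suspicious source address and why it was flagged.
type Finding struct {
	Src           string
	DistinctUsers int
	MaxPerUser    int // highest attempt count against any single account
	Successes     int
	Kind          string
}

type srcStats struct {
	perUser   map[string]int
	successes int
}

// parseLine reads the constructed "key=value" line format used by SampleLog.
func parseLine(line string) map[string]string {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	return kv
}

// Analyze flags any source that hit at least minUsers accounts while every
// account stayed under the lockout threshold. Heuristic split (assumption):
// exactly one try per account looks like stuffing (replaying leaked pairs);
// repeated low-count rounds across accounts look like spraying.
func Analyze(lines []string, minUsers, lockout int) []Finding {
	stats := map[string]*srcStats{}
	for _, l := range lines {
		kv := parseLine(l)
		src, user, res := kv["src"], kv["user"], kv["result"]
		if src == "" || user == "" {
			continue // malformed line: skip it rather than abort the whole run
		}
		s := stats[src]
		if s == nil {
			s = &srcStats{perUser: map[string]int{}}
			stats[src] = s
		}
		s.perUser[user]++
		if res == "OK" {
			s.successes++
		}
	}
	var out []Finding
	for src, s := range stats {
		maxPer := 0
		for _, n := range s.perUser {
			if n > maxPer {
				maxPer = n
			}
		}
		if len(s.perUser) < minUsers || maxPer >= lockout {
			continue // a single-account brute force is lockout's job, not ours
		}
		kind := "password spraying candidate"
		if maxPer == 1 {
			kind = "credential stuffing candidate"
		}
		out = append(out, Finding{Src: src, DistinctUsers: len(s.perUser), MaxPerUser: maxPer, Successes: s.successes, Kind: kind})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

// SampleLog builds constructed log lines (not real traffic):
// 203.0.113.5 sprays 10 accounts in two rounds, all failing;
// 198.51.100.9 tries 12 accounts once each and gets one hit;
// 192.0.2.44 is a legitimate user mistyping their own password.
func SampleLog() []string {
	var lines []string
	for round := 0; round < 2; round++ {
		for i := 0; i < 10; i++ {
			lines = append(lines, fmt.Sprintf("ts=2021-09-03T09:%02d:00Z src=203.0.113.5 user=user%02d result=FAIL", round, i))
		}
	}
	for i := 0; i < 12; i++ {
		res := "FAIL"
		if i == 7 {
			res = "OK" // a reused password from an old breach still works here
		}
		lines = append(lines, fmt.Sprintf("ts=2021-09-03T10:00:%02dZ src=198.51.100.9 user=cust%02d result=%s", i, i, res))
	}
	for i := 0; i < 4; i++ {
		lines = append(lines, fmt.Sprintf("ts=2021-09-03T11:00:%02dZ src=192.0.2.44 user=alice result=FAIL", i))
	}
	lines = append(lines, "ts=2021-09-03T11:00:05Z src=192.0.2.44 user=alice result=OK")
	return lines
}

func main() {
	for _, f := range Analyze(SampleLog(), 5, 5) {
		fmt.Printf("%-14s %-30s accounts=%d max/account=%d successes=%d\n",
			f.Src, f.Kind, f.DistinctUsers, f.MaxPerUser, f.Successes)
	}
}
```

The legitimate user is never flagged because one account with four failures is exactly what lockout handles; the two attacking sources are flagged even though no account they touched ever reached the threshold. In production the same aggregation would be keyed on ASN or on a fingerprint as well as the raw address, since both attacks are routinely spread across proxy pools.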

Passwordless future

Several start-ups are persuading more and more companies to switch from passwords to other methods of authentication, for security, ease of use and to cut costs.

Estimates vary, but for many companies the cost of resetting an employee’s password is between $25 and $75 each time, taking into account the need to have account recovery and call centre staff.

A 2018 report by Forrester found some large US companies allocated more than $1m annually on support costs related to passwords, including anti-bot technologies. 

“It’s all about the user experience, about compliance — and it’s also about saving money,” said Ismet Geri, chief executive of the passwordless identity company Veridium, adding that revenues at his business grew 250 per cent year-on-year in 2020 due to high demand. 

Veridium, Transmit and several start-ups targeting online finance, payments and retail have embraced a solution also advocated by both Fido and the WEF: biometrics. Microsoft, Google and Apple are also increasingly building biometric authentication into their devices and accounts as the way to log on, using the Fido standards.

But there are still risks to the use of such systems. Unlike passwords, biometrics cannot be changed. This means such data must be closely guarded for both privacy purposes and to prevent spoofing, when hackers try to trick cameras or sensors with photos, masks or moulds of their victim.

“Biometric authentication and passwordless authentication has its own attack surface,” said Lavi Lazarovitz, director of security research at CyberArk. Last month his team revealed that it had found a design flaw which would allow potential attackers to bypass Windows’ facial recognition login, Windows Hello, by injecting spoofed photos of a user’s face into the process. 

Such an attack would be highly sophisticated, requiring physical access to the targeted device, but might be deployed by “nation state attackers targeting a specific individual”, Lazarovitz said. He warned that a black market for this highly valuable biometric data may become more common. 

The security of biometric logins

However, the security of biometric systems has improved, according to Transmit’s Loonkar. In the past, biometric information was often held in databases on centralised servers, but it is now possible to ensure that it stays on a secure part of an individual’s device.

“When people are afraid of biometrics, they are really afraid of the biometrics that are stored centrally and can be stolen centrally,” Loonkar said, citing the 2018 breach of a database of Indian citizens’ biometrics held by the government. But with Transmit’s technology, mass hacks are impossible and instead would have to be undertaken “on a device-by-device basis”, he added. 
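The reason a device-held biometric cannot be stolen in bulk is that, in the Fido design the earlier sections describe, the biometric only unlocks a private key on the device; what the server stores is a public key, and what crosses the network is a signature over a fresh challenge bound to the site’s origin. The following is an added example, not Transmit’s, Veridium’s or the Fido Alliance’s code, of that registration and login exchange in stripped-down form. The relying party ID `bank.example`, the origins, the counter layout and the simplified client data hash are assumptions made for the example; a real WebAuthn implementation signs a CBOR-encoded authenticator data structure and a JSON client data blob.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the user's device. Keys are stored per relying party
// ID, so a key minted for one site is never exercised for another; on a real
// device the private key sits in a secure element and the local biometric
// match is what releases it for a single signature.
type Authenticator struct {
	keys     map[string]*ecdsa.PrivateKey
	counters map[string]uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, counters: map[string]uint32{}}
}

// Credential is everything the server keeps: a public key and a signature
// counter. No password hash and no biometric template, so a server breach
// hands the attacker nothing that can be replayed or used on another site.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	Counter   uint32
}

// Register creates a fresh P-256 key pair for rpID and returns the public half.
func (a *Authenticator) Register(rpID string) (Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	a.keys[rpID] = priv
	return Credential{PublicKey: &priv.PublicKey}, nil
}

// Assertion is the device's answer to a login challenge.
type Assertion struct {
	Origin    string // origin the browser reports in the client data
	Challenge []byte
	Counter   uint32
	Sig       []byte
}

// signedMessage mirrors WebAuthn's shape: authenticator data (rpIdHash and the
// counter) followed by a hash of the client data, which binds challenge+origin.
func signedMessage(rpID string, counter uint32, challenge []byte, origin string) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	client := sha256.Sum256(append(append([]byte{}, challenge...), []byte(origin)...))
	return append(append(rpHash[:], ctr...), client[:]...)
}

// Sign is called only after the on-device biometric check has passed; the
// template itself never appears in the protocol.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, errors.New("no credential for this relying party") // a look-alike phishing domain gets nothing
	}
	a.counters[rpID]++
	ctr := a.counters[rpID]
	digest := sha256.Sum256(signedMessage(rpID, ctr, challenge, origin))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Challenge: challenge, Counter: ctr, Sig: sig}, nil
}

// Verify is the server side: origin, challenge freshness, signature, and a
// strictly increasing counter (catches replay and some cloned authenticators).
func Verify(cred *Credential, rpID, expectedOrigin string, issued []byte, as Assertion) error {
	if as.Origin != expectedOrigin {
		return errors.New("origin mismatch")
	}
	if !bytes.Equal(as.Challenge, issued) {
		return errors.New("challenge mismatch")
	}
	if as.Counter <= cred.Counter {
		return errors.New("counter did not increase: replay or cloned authenticator")
	}
	digest := sha256.Sum256(signedMessage(rpID, as.Counter, as.Challenge, as.Origin))
	if !ecdsa.VerifyASN1(cred.PublicKey, digest[:], as.Sig) {
		return errors.New("bad signature")
	}
	cred.Counter = as.Counter
	return nil
}

// NewChallenge returns 32 random bytes the server issues once per login.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

func main() {
	dev := NewAuthenticator()
	cred, _ := dev.Register("bank.example")
	ch := NewChallenge()
	as, _ := dev.Sign("bank.example", "https://bank.example", ch)
	fmt.Println("login:", Verify(&cred, "bank.example", "https://bank.example", ch, as))
	fmt.Println("replay:", Verify(&cred, "bank.example", "https://bank.example", ch, as))
	_, err := dev.Sign("bank-login.example", "https://bank-login.example", NewChallenge())
	fmt.Println("phishing domain:", err)
}
```

Two properties of the text follow directly from the code: a copy of the server’s credential table yields only public keys, so stealing it “centrally” is useless, and a phishing site with a different relying party ID cannot even obtain a signature, because the device has no key for it. What the design does not remove is the spoofing risk discussed above; a fooled sensor still unlocks the key, which is why that attack has to be done one device at a time.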

Meanwhile, other start-ups, such as BioCatch and BehavioSec, are exploring ways to defeat spoofing by continuously verifying a user in real time, using “behavioural” biometrics. Their systems learn how a user handles their device or behaves on their computer and flag any suspicious changes. “Behavioural biometrics should be another layer for fraud detection,” Veridium’s Geri said.

Nevertheless, greater oversight of the nascent biometrics market, to prevent abuse by companies or governments, is needed, according to Anil Jain, a distinguished professor at Michigan State University and an expert in biometric recognition. “Just as personal information gets shared with advertisers, for biometric data we need strong regulation,” he said. 

A long road ahead

But the biggest obstacle standing in the way of the start-ups hoping to kill the password is how to change years of habit.

Ed Amoroso, chief executive and founder of TAG Cyber, a cyber research and advisory company, argued that while sensitive applications may rapidly shift from passwords, other websites, such as online poker sites for example, have less incentive to update their systems.

“My contention is that you’ll never get rid of them. You can’t make it illegal for someone to do,” he said. “We’re never going to get to this post-password era.”
