Passwords are the worst things ever. Okay, maybe that’s a bit hyperbolic, but they are pretty annoying. Here are the top hits of their most obnoxious qualities: One, they cause friction to get things done. Two, who can remember all their passwords? Three, it’s easy for bad actors to steal them. Four, practically everything requires a password now, so there are just too many. Mickey Boodaei, the CEO of Transmit Security, also agrees that passwords are terrible, but he has a solution to get rid of them.

Main Takeaways

• The Problems With Passwords: Passwords have become ubiquitous. Despite the good intention behind them to foster security, they remain cumbersome and ineffective. The layers added to passwords to make them more secure are insufficient. Two-factor authentication remains vulnerable to bad actors. Though biometric authentication is a helpful technology, many apps that attempt to harness it still have a password underneath the biometrics.
• Getting Rid of Passwords: Biometric data held on secure devices is part of the solution to move people beyond passwords. The data on a private device is very secure overall. Furthermore, it is possible to create trust between devices to provide access to applications, etc.
• Cryptographic Keys: Biometric data on a secure device can then be used for authentication through the creation of parallel cryptographic keys — a private key that stays with the device and a corresponding public key connected to an application. Using this technology, the private key always remains secure on the individual device. This makes it very difficult for bad actors to access any data of import.  

For a more in-depth look at this episode, check out the article below.

Article Notes

Passwords are the worst things ever. Okay, maybe that’s a bit hyperbolic, but they are pretty annoying. Here are the top hits of their most obnoxious qualities: One, they cause friction to get things done. Two, who can remember all their passwords? Three, it’s easy for bad actors to steal them. Four, practically everything requires a password now, so there are just too many. Mickey Boodaei, the CEO of Transmit Security, also agrees that passwords are terrible, but he has a solution to get rid of them.

“So think about identity as everything from the moment you open an account or register for a website all the way to authenticating every time you come back, to authorization, [and] all your permissions, and to making sure that no one is compromising your accounts,” Boodaei said. “So all these and all the privacy aspects around it — all this is identity management. And within identity management, we are really focused on solving the biggest problems that the market has today. When it comes to cyber security is when identity meets cyber security. And one of the biggest problems is obviously passwords, you know, because they’re bad. And they are probably the cause for; it’s not probably, they are the cause for more than 80% of all the attacks and the breaches that we’re seeing today.” 

If this was a monster flick, it’d be one where the scientists created the monster — passwords — because they thought it was going to serve humanity in a specific way but then they lost control of it. Passwords would be that devious type of creature with the capacity to easily replicate itself. In order to free an innocent, the hero chops off one of the monster’s limbs, and then that limb creates a thousand more creatures. Ultimately, the key to victory is to start writing the movie over from the very beginning and create a world where the monster doesn’t exist at all. 

On a recent episode of IT Visionaries, Boodaei explained the history of passwords as well as their liabilities for security. He also described promising technology involving biometric data and cryptographic keys that can free humanity from passwords once and for all. 

According to Boodaei, the number of passwords has had a sharp incline in recent history.

“If you go 40 years back before the internet, you only had one password,” Boodaei said. “Even with the beginning of the internet, you probably had one password. And then it started to become really complex. You had multiple accounts [and] multiple passwords. We started to see compromises because passwords were really easy to guess…I think like two or three years ago there was a survey and 123456 was still the most common password out there.”

Boodaei explained how complexity has been added to passwords to increase security via two-factor authentication and, more recently, the use of one-time codes on top of that.

“You login with a password and then you get this text message with a code and you type the code in and you get in,” Boodaei said. “The problem with that is actually two problems. Obviously, in terms of user experience, once again, [the] user experience became even worse. It used to be really simple like my password is the same password everywhere…Then I had like 200 passwords for 200 different accounts and now I need to do this and also start copying codes from from my mobile phone. That’s one problem. The second problem is that it was really, or still is, relatively very easy for attackers to bypass two-factor authentication that is based on one-time codes.”

Fundamentally, if the password still exists, then it is pretty vulnerable to bad actors endeavoring to access it through phishing or other methods. Biometric data held on a secure device and used for authentication can potentially help get rid of passwords but only if there is no password still associated with it.

“A lot of applications, what they do is that they just keep the password in [the] background,” Boodaei said. “…So as long as the password is there in terms of security, at least, we haven’t done much. It’s like we actually made it worse because if you use your biometrics on your mobile device for like six months, 12 months, whatever it is, and now you get a new phone and they ask you for a password, will you remember your password?”

Transmit Security’s solution involves using biometric data from a personal device alongside cryptographic keys.

“We’re using cryptography between the device itself and the serviceer side,” Boodaei said. “So you don’t store biometric data; you store cryptographic keys. The way it works is that on the device itself, the hardware that stores your biometric information, when you registered the device for a specific service or a specific application, it generates a pair of keys, the public and a private key. It stores the private key. It passes the public key to the application. Now, the application has the public key for the private part of it. And then when you actually try to authenticate, what happens is that the application generates a challenge and it then passes the challenge to the device itself. The device itself does the authentication, which releases the private key on the device or in the device itself, and then uses the private key to sign the challenge. And then the signed challenge is passed to the service side. Now, the service side uses the public side of that key to verify the challenge — that the challenge was actually properly signed. And this guarantees actually that the biometrics that were used in order to unlock the private key actually completed the process that was verified by the service side.”

When looking for the answer to the problem of passwords, Boodaei and Transmit Security dared to consider a storyline without passwords altogether. To hear more about how Transmit Security is saving humanity from passwords, check out the full episode of IT Visionaries! 

IT Visionaries is brought to you by the Salesforce Platform – the #1 cloud platform for digital transformation of every experience. Build connected experiences, empower every employee, and deliver continuous innovation – with the customer at the center of everything you do. Learn more at salesforce.com/platform