Passwords have been the backbone of user identification for years, but in the modern data threat landscape, are passwords still an effective method of authentication, or are they relics of the past that cause more security risks than they solve and are in need of replacement? For Shahrokh Shahidzadeh, CEO at Acceptto, a provider of continuous behavioral authentication, the answer is the latter.
Shahidzadeh is a seasoned technologist and leader with 27 years of contribution to modern computer architecture, device identity, platform trust elevation, large IoT initiatives and intelligence research. It is his belief that the obsolescence of passwords is well and truly upon us and, at Acceptto, he leads a team championing the need for the widespread use of other, more advanced forms of authentication.
Infosecurity spoke to Shahidzadeh to learn more about Acceptto, password security problems and authentication methods for the future.
What are Acceptto’s chief aims and missions?
We started Acceptto with a base fundamental assumption of “what if all passwords, and in general binary authentications, are already breached, even those not yet created?!” and had a wager amongst ourselves as to whether we could solve such an intricate challenge. This implied that we would need to make passwords benign where they were the core of our authentication for decades, making it a very complicated proposal.
Acceptto’s mission is to completely eliminate the reliance on, and the risk of, binary authentication such as passwords, two-factor authentication (2FA) and other forms of multi-factor authentication (MFA) including biometrics. Such transformation in cybersecurity is made possible through delivering continuous identity access protection and real-time threat analytics.
What is the current state of the security risks around password use?
Your login credentials have already been compromised. Your passwords have been hacked no matter how complex you’ve made them. 2FA security is temporal, causes high friction and can be easily intercepted during transmission. Current MFA security solutions lack context and rely on too few attributes. Your biometrics are binary, and regardless of how safe a fingerprint or retina scan appears to be, it can be spoofed and cannot be reset, ever. There are few, if any, solutions that continuously validate your identity post-authorization.
There is one other key fact. Authentication is not a single event, with a start and end, or a simple binary yes or no. It is a continuum. The biggest mistake people make is assuming passwords are a safe avenue to protect online data. Unfortunately, passwords have been proven to be the weakest form of online protection ever.
How can password-less authentication methods improve the security of data?
Investing in a continuous behavioral authentication technique is the way forward. This is a method that not only makes sure you are who you say you are when you log in, but also tracks that accuracy through your full online session. Further, companies and end-users that are relying solely on binary authentication tactics such as 2FA or MFA need to understand that these processes are static and stored somewhere, waiting to be compromised time and time again.
Securing the access at the start, midway and end of your online session is the first step to protecting data. Next, people need to subscribe to a paradigm shift away from username-password and other forms of temporal, binary and even biometric controls towards continuous behavioral authentication. This type of transformation is warranted today through a combination of multi-modal and contextual controls that continuously and accurately protect a user’s consumer identity and privacy with the assumption that all online credentials are already compromised.
Do you think passwords will ever be fully replaced?
Yes. The obsolescence of passwords is upon us, no doubt. In fact, every day security incidents continue to occur due to account takeover, and the causes are well known. The most relevant of them is credential hijacking, which accounts for greater than 80% of the attacks.
It is past time that the industry recognizes that perpetuating the use of the password is taking away valuable resources from other strategic IT investments and compounding the security risk on a year-over-year basis. It will take executive sponsorship and initiative to remove password dependency.