Phil, on the Zero-knowledge Password Proof (ZKPP) approach to passwords: do you believe passwords are fundamentally flawed and, if so, how did you come to this realization?
Actually, it’s the way passwords are used, or more specifically the way the ‘Knowledge Factor’ in authentication security (‘something you know’) is used.
We should keep using a secret Knowledge Factor like passwords or PINs to protect our identity, data, and devices, but here’s the problem: you have to reveal that secret to prove you know it.
This makes your secret very susceptible to being compromised by a hacker or other bad actor, and it also means we all end up having far too many passwords to remember, and they should be long and very complex, so it all gets a bit too hard.
TokenOne offers a ZKPP approach to authentication. Can you explain in non-technical terms how it works, and what makes it more secure than traditional passwords and various MFA methods?
With TokenOne, or any form of ZKPP (Zero-knowledge password proof), you never enter, speak, or otherwise reveal your password, PIN or other secret that only you know. You simply scramble or ‘encode’ your numeric TokenOne PIN into different letters every time you authenticate.
You do this by just looking at a simple alpha-numeric image (or ‘cipher key’) in the TokenOne app on your phone. The ten numbers 0 to 9 are shown in the image, each number next to one letter of the alphabet: one letter per number. This enables you to instantly replace (in your head) each number of your PIN with a letter, so you enter the letters, never your PIN, when you log in.
This also works well by SMS, as shown in this short demo video, and provides a much more secure alternative to One-Time Passwords sent as text messages.
As each alpha-numeric cipher key on your phone is different every time and used only once (unless you’ve changed your PIN), there’s no way to calculate in advance which letters should be entered for the next authentication.
Crucially, this means TokenOne Authentication is ‘non-algorithmic’ and therefore not subject to potential cracking by increased computing power such as a supercomputer or even quantum computing. This has been proven in a mathematical white paper which I’d be happy to share with anyone interested if they want to reach out to me.
Moreover, the backend system doesn’t even store a copy of your TokenOne PIN, so if that backend system is compromised somehow, there’s nothing in the TokenOne database that will reveal your PIN to a hacker, let alone all the PINs of other users. This is what we patented.
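The cipher-key exchange Phil describes, modelled in Python as an added example. This is not TokenOne’s code: the page does not describe its patented verification method, so the backend here is a stand-in that keeps a salted PBKDF2 digest of the PIN and verifies a response by inverting the session’s one-time key. The names `Server`, `make_cipher_key`, `encode_pin`, `candidate_pins` and the `alice` / `2580` enrolment are constructed for the example. It also goes one step beyond the text: `candidate_pins` counts how many PINs remain consistent with a captured letter response when the key is unknown, which shows what a one-to-one digit-to-letter substitution does and does not hide.

```python
"""Toy model of a one-time cipher-key PIN exchange (added example, not TokenOne's code).

Assumption: the server verifies by inverting the session's cipher key and
comparing a salted PBKDF2 digest of the PIN. The real backend's method is
patented and not described on the page, so this part is a stand-in.
"""
import hashlib
import hmac
import secrets
import string
from itertools import product

DIGITS = "0123456789"


def make_cipher_key(rng=secrets):
    """Build a one-time cipher key: each digit 0-9 next to one distinct letter.

    rng only needs a choice() method; secrets is the default, and a seeded
    random.Random (or a stub) can be passed to make tests reproducible.
    """
    pool = list(string.ascii_uppercase)
    key = {}
    for digit in DIGITS:
        letter = rng.choice(pool)
        pool.remove(letter)          # one letter per number, no letter reused
        key[digit] = letter
    return key


def encode_pin(pin, cipher_key):
    """Client side: what the user does in their head, digit -> letter."""
    return "".join(cipher_key[d] for d in pin)


def _pin_digest(salt, pin):
    # Assumption: a salted PBKDF2 digest at rest instead of the PIN itself.
    # A 4-digit PIN has only 10,000 values, so this is still brute-forceable
    # offline; it does not reproduce the stronger property claimed on the page.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class Server:
    """Stand-in backend: enrol a user, issue a key per attempt, verify once."""

    def __init__(self):
        self.users = {}      # username -> (salt, digest)
        self.sessions = {}   # session id -> (username, cipher_key); single use

    def enroll(self, username, pin):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _pin_digest(salt, pin))

    def start_auth(self, username, rng=secrets):
        """Issue a fresh cipher key for exactly one authentication attempt."""
        session_id = secrets.token_hex(8)
        cipher_key = make_cipher_key(rng)
        self.sessions[session_id] = (username, cipher_key)
        return session_id, cipher_key

    def verify(self, session_id, letters):
        session = self.sessions.pop(session_id, None)   # key is consumed here
        if session is None:
            return False                                 # unknown or replayed session
        username, cipher_key = session
        inverse = {letter: digit for digit, letter in cipher_key.items()}
        if any(ch not in inverse for ch in letters):
            return False                                 # letters from some other key
        salt, digest = self.users[username]
        pin = "".join(inverse[ch] for ch in letters)
        return hmac.compare_digest(digest, _pin_digest(salt, pin))


def candidate_pins(letters):
    """All PINs consistent with a captured response when the key is unknown.

    The key is a one-to-one substitution, so the only thing a captured
    response reveals is which positions of the PIN share the same digit.
    """
    n = len(letters)
    pairs = [(i, j) for i in range(n) for j in range(i + 1, n)]
    return [
        "".join(pin)
        for pin in product(DIGITS, repeat=n)
        if all((pin[i] == pin[j]) == (letters[i] == letters[j]) for i, j in pairs)
    ]


if __name__ == "__main__":
    server = Server()
    server.enroll("alice", "2580")                      # constructed sample enrolment
    sid, key = server.start_auth("alice")
    response = encode_pin("2580", key)                  # letters are sent, never digits
    print("response:", response, "accepted:", server.verify(sid, response))
    sid2, _ = server.start_auth("alice")
    print("same letters replayed against a new key:", server.verify(sid2, response))
    print("PINs consistent with the captured response alone:", len(candidate_pins(response)))
```

Two things to check in practice: the session must be single-use (the key is popped on `verify`, so a second attempt with the same session fails), and the digest at rest is only as strong as the PIN space, so this toy does not reproduce the page’s claim that the backend holds nothing that reveals the PIN.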
Some argue that passwordless systems might create new vulnerabilities. What’s your take on that?
The problem is that there are three, and only three, forms of Authentication Factor:
Something you are (e.g. biometrics)
Something you know (e.g. passwords)
Something you have (e.g. a card, phone or other device)
A LOT of folks will argue with this and quote things like ‘4-factor’ or ‘5-factor’ authentication. But so-called 4 or 5-factor authentication is actually just ‘multi-factor authentication’ where two or more authentication methods from the SAME type of knowledge factor are being used (e.g. password plus PIN, or face plus fingerprint biometrics).
Going passwordless more or less means no more Knowledge Factor in authentication security. Nothing wrong with that, but if we do away with the Knowledge Factor altogether, we are (unnecessarily) giving up one precious factor of authentication security.
There’s a very good reason why high-security systems use proper 3-factor authentication with three different authentication factors; it’s inherently more secure.
Instead of dumping the Knowledge Factor, we should be changing the way we use it through passwords, PINs, etc. by implementing a ZKPP approach.
For small business owners and entrepreneurs listening today, what simple steps can they take right now to start moving away from passwords? What other elements should they keep in mind to avoid trading one set of vulnerabilities for another?
Apart from TokenOne and ZKPP approaches, I’ve seen some fascinating emerging technologies recently. For example, MasterKey, from a company called BankVault, is a passwordless authentication solution that provides both rapid and frictionless registration for users, because there’s no app to download, and rapid and frictionless installation for companies, so there’s no need for the usual long and expensive implementation project. This makes MasterKey ideal for online stores and merchants, for example, to use to reduce both new-user registration and check-out dropouts. Given the amount most companies spend to attract new customers, the potential ROI here is extraordinary.
However, if you’re focused on the most mainstream, established approaches (which would likely be a much heavier implementation lift), passkeys are clearly a great approach to reducing the need for entering passwords so often on your biometrics-enabled