A Future Without Passwords: Cyber Defense Magazine

EPAM Systems’ Chief Information Security Officer, Sam Rehman, believes that passwords are an outdated and insecure method of authentication. He likens using passwords to carrying around a large set of keys, which can be lost or stolen, giving unauthorized access to sensitive information. Rehman points out that two in three people will forget their passwords unless they record them, increasing the chances of them being stolen. Additionally, more than half of Americans reset their passwords at least five times a month, making it difficult for defenders to spot anomalies or for users to keep up with their login credentials.

As more people conduct their daily activities online, the vulnerability of passwords and the private information they protect continues to grow. It is clear that a change is needed, and Rehman explores the concept of a passwordless future and what it would take to achieve it.

Zero trust has emerged as a key strategy in cybersecurity, replacing the outdated perimeter-based approach of ring-fencing. Zero trust encompasses advanced technology solutions, processes, and policies. One of its main principles is frequent identity verification, which requires strong authentication. Traditional passwords do not meet the authentication requirements of zero trust and are prone to being socially engineered out of users through phishing or other malicious methods.

Biometrics, such as face or fingerprint recognition, have gained popularity as an alternative to passwords. They offer convenience and remove the risk of a password being stolen. However, passwordless systems that rely heavily on phone biometrics may create a false sense of security. For example, if several users’ biometrics are enrolled on the same phone, the system can only confirm that an enrolled user unlocked the device, not which person is actually at the other end, which goes against the principles of zero trust.

To bridge this gap, a passwordless biometric multi-factor authentication solution is needed. Such a solution should not rely solely on phone biometrics but should authenticate against a secure, centralized biometrics service that is accessible from any device or browser. It should also ensure that the biometric data itself is stored securely over a decentralized network. While blockchain is often associated with decentralization, other techniques, such as zero-knowledge proofs and multi-party computation, can also store and protect sensitive data securely.

When transitioning to passwordless authentication, businesses must consider the user experience. Processes should be convenient and natural, avoiding the need for users to jump through numerous hoops. Additionally, businesses should cater to diverse populations, including older generations who may find certain authentication methods complex. Choosing a solution that offers multiple modalities can help address these challenges.

Sam Rehman is an industry expert with over 30 years of experience in software product engineering and security. He is the Chief Information Security Officer and Head of Cybersecurity at EPAM Systems. Rehman has held various leadership roles in the industry and has patented inventions in software security, cloud computing, storage systems, and distributed computing. He is a regular contributor to security industry publications and advises multiple security and cloud companies.
