
Authenticating Real People – Not Simply Usernames and Passwords
July 24, 2018

As our world has migrated to a collection of digital, cloud-based services, we have become more reliant on usernames and passwords, along with various forms of second-factor authentication. The stakes in authentication are high, as it serves as the gateway to valuable data and to both workplace and personal services. Regardless of how secure the services themselves may be, the weakest link – and the target point for hackers – is the username and password. After all, a chain is only as strong as its weakest link.
Authentication systems can employ various forms of second factors to address this weakness, including clear-text SMS with One Time Passwords (OTP), answering secret questions, Knowledge Based Authentication (KBA) and push notifications through various authenticator apps. These methods, while an improvement on basic authentication, still rest on the original username and password paradigm, and they complicate the user experience in exchange for the added security. They are also themselves vulnerable to attack: the device becomes the second factor, so breaching or impersonating the device can open the doors for hackers.
We can continue to improve username and password security in a leap-frog race against hackers, who will continue to evolve means of compromising those improvements. However, the best approach to increasing the security of authentication is to eliminate the need for usernames and passwords altogether.
Think of the comparison of combustion-based gasoline powered vehicles to electric vehicles. A combustion engine can be improved to increase its gasoline consumption per mile and engine reliability, requiring fewer oil changes and reducing transmission issues. However, with the introduction of electric vehicles, all the related issues with the combustion engine are eliminated, like oil changes, timing belts or transmissions. Removing usernames and passwords altogether provides a similar result in strengthening security – there is no need to make them more secure as they simply no longer exist.
ShoCard offers a distributed solution where users’ identities are stored entirely on a mobile device, and authentication codes in the form of digital certificates are placed on an independent data source – the immutable blockchain. Each mobile device holds not only private keys that never leave the device and the user’s identity information, but also geo-location and facial images for true-biometric authentication. This solution is provided through its product, ShoBadge, which seamlessly integrates as an IdP with OneLogin’s Single Sign-On Service using SAML.
With ShoBadge, a user is authenticated through a four-factor authentication process, enhanced with two additional optional factors – the geo-location of the individual based on their GPS position and a selfie that proves the identity of the person behind the device attempting to log in. For the user, it is as simple as scanning a QR code, never having to type in a username or a password. Behind the scenes, a true multi-factor authentication process occurs.
ShoBadge eliminates the need for a central database of identity data, which is a frequent target for hackers. If a phone is stolen and a hacker is able to enter a PIN or fake a Touch ID/Face ID equivalent on the app, they still cannot bypass the true-biometric validation, in which a live selfie is captured and compared with a registered identity that was previously certified on the blockchain.
While the approach of eliminating usernames and passwords is disruptive in nature, it improves security, makes usability simpler, and does not require a complete overhaul to achieve widespread adoption. ShoBadge integrates easily into existing deployments where a user has set up OneLogin access management. Users adopt a new authentication method while continuing to enjoy the benefits that OneLogin provides in managing and accessing applications and services.
