Digital Identification Solutions for a World Without Passwords
Most of us set passwords for our online accounts hoping to ensure our privacy and security. Those of us who are more concerned about security may sacrifice convenience believing it makes us even more secure. But as technology changes, passwords are not the complete security solution we think they are. Other digital identification methods may be even safer and more secure – if companies can implement them well.
See Passwords are the Problem with Thierry Gagnon and Philippe Desmarais for a complete transcript of the Easy Prey podcast episode.
Philippe Desmarais and Thierry Gagnon are co-founders of the cybersecurity firm Kelvin Zero. Philippe is the CEO and sets the strategy and vision for the company. Before Kelvin Zero, he studied criminology, worked in business, and has had significant roles in various startups, working in tech-related capacities like data analysis and remote hardware device management. Thierry is the Chief Technology Officer of Kelvin Zero and an expert in software development, malware analysis, and cryptography with a passion for cybersecurity.
Philippe was always fascinated by crime and had access to computers. When he met Thierry and developed a passion for cybersecurity, it felt like a natural next step. For Thierry, cybersecurity may have been his calling. His parents had a Commodore computer before he was born, so he grew up tinkering with computers. He got hooked on the idea of security after watching the movie Hackers when he was ten. Though he got a degree in human kinetics, an injury made it difficult to continue an athletic path, so he went back to school for computer science. That education, combined with his experience defeating cheaters in the video game Counter Strike, led to pursuing a career in cybersecurity.
Passwords Could Be Better
Passwords as a method of digital identification have been around a long time. They were actually invented in the 1950s, when a university needed a way for the computer to keep track of which things the computer was processing belonged to which researcher. But even outside the digital world, “passwords” like code words, secret knocks, coded messages, and other ways of hiding knowledge and information have been around almost as long as human language.
When you think about it, knowledge-based secrets in general, whether in the digital system or not, have been around for millennia. – Thierry Gagnon
As humans, we like to think we’re getting smarter. But Thierry and Philippe think we often confuse getting smarter with getting faster, getting bigger, or getting better at forcing our way through problems. Passwords are interesting to look at from this perspective. Tech companies have created a lot of tools around passwords to make them more secure. Password requirements try to force you to create strong, random passwords. And tools like password managers exist to take the effort out of remembering them all.
But Thierry and Philippe think we’re going about it the wrong way. They think we shouldn’t be looking at what we can add to passwords to make them more secure. Instead, we need to think about what could be changed, addressed, or improved about passwords themselves – or even consider different methods of digital identification.
The Problems with Passwords for Digital Identification
The most immediately obvious problem with passwords is the sheer volume of them. So many things are done online or through apps these days, and each system needs a different set of login credentials. Depending on what research you look at, the average number of passwords each individual has is 240 or more. That’s way beyond the human capacity to remember, which is where tools like password managers come in.
A second problem is one you probably haven’t thought of unless you work extensively with technology. That problem is that a password isn’t really something you have to know. Logging in with a password is just an evaluation of an input. You enter something into the password box. The system checks to see if it matches what it expects. If it does, it lets you in. It doesn’t work for digital identification because it doesn’t identify anything. The person entering that password doesn’t have to be you – anyone who can provide an input that matches what the system expects can get in. That’s why a lot of systems have moved to two-factor authentication to verify it’s the right person logging in.
Additionally, the very methods that help us secure our passwords can put them in danger. Password managers are designed to store your passwords so you can have long, strong, unique passwords for every account without having to remember hundreds of random strings of characters. But that makes password managers a great target for hackers. If a hacker can get access to a password manager’s database, they have the information to get into any of its users’ accounts.
When did we think it was a good idea to centralize everyone’s passwords in a single place, in someone else’s hands, and use this as the way to provide authentication? – Thierry Gagnon
The Inherent Challenge of Cybersecurity
The same technology that allows us to work faster also allows criminals and threat actors to work faster. In cybersecurity, scams, or any situation where one party is attacking and another is defending, it’s a numbers game. The defenders need to get it right 100% of the time. The attackers only need to get it right once. In order to build an economy that works in a digital world, we need to flip the odds around.
Kelvin Zero is focused on trying to change the cat-and-mouse game in cybersecurity. The typical approach to cybersecurity is generic solutions that solve a lot of different problems. But the reality is that any good adversary will find a way into any system eventually. Given enough time, resources, and incentive to get in, they will succeed.
There’s no such thing as an unhackable thing or system. It’s a fallacy to think that there is. – Thierry Gagnon
Thierry and Philippe don’t believe that hack-proof systems exist. No matter how safe you think you are, a threat actor out there will find a more creative or unique way to attack. A broad, multi-layered, but generic approach to cybersecurity may protect you against general attacks. But it probably won’t be able to cover all the edge cases.
Cybersecurity for the Individual
One of the biggest challenges with digital identification and cybersecurity is that nobody is protecting the user. Most people aren’t qualified to be their own cybersecurity specialist. And the default approach for most companies is not to secure the users first. Companies are mostly after what they can get from the user. If they offer security options and you as the user know about those options and how to use them, it can help improve your current standing. But it’s just an improvement, not complete security. The reality is that even if we have the knowledge or the desire to learn, and no matter how many online safety tips we know and follow, most of us don’t have the resources for great security.
Moving Away from Passwords for Digital Identification
One of the approaches for solving the problems with passwords for digital identification has been to move away from passwords altogether. This is something that Thierry and Philippe have worked on with Kelvin Zero. The approach is to provide trusted identification that’s recognized in both the physical and digital worlds, put it in the hands of users, and have it be secure by default.
A lot of people talk about “secure by design” as a way of developing technology, and that’s a great concept. But Thierry has been a software developer in the cybersecurity space for decades, and secure by design isn’t a clear and concrete idea for people working in the field. It’s a great principle, but it’s almost never the option a company is going to use when they build something.
Digital Identification Without Passwords Presents Opportunities
One thing that’s rarely discussed when we talk about passwordless digital identification, or cybersecurity in general, is the opportunities. Cybersecurity issues are such a big problem that if you can protect the end user and identify who they are with very little uncertainty, the world is your oyster. Once you’ve solved the challenge of digital identification, you’re free to innovate.
Think about it – what’s stopping a bank from innovating? Regulations. They’re scared of violating the rules put in place for consumer protection. That is a real concern. But part of following those regulations is knowing who’s on the other end. If your method of verification is something that you have, like a password, it can be taken. And when a hacker takes it, to the best of the bank’s knowledge, they’re you. But if you have a digital identification method that leaves very little uncertainty about who is on the other end, there are a lot more opportunities to innovate and offer great services.
A lot of businesses treat cybersecurity as a cost center – a department that costs money instead of making money and only exists because they’re required to have it. But Thierry and Philippe think that instead of a drain on profits, companies should look at it as an opportunity to innovate. If you can solve cybersecurity problems, you have the freedom to innovate. You can become the kind of business you want to be instead of shutting down opportunities because of regulations and cybersecurity challenges.
Other Ways to Validate Identities
Digital identification without passwords goes back to what exists in the real world that doesn’t exist in the digital world. We need to create the fabric of an identification system that doesn’t have to match personal information in order to keep personal information protected. One method would be to have access to tokenized data about an individual. When data is tokenized, sensitive data is substituted with non-sensitive data, called a token, that can be used to identify something without revealing sensitive information. Tokenizing data would allow a system to verify that a specific individual is interacting with the system without revealing anything sensitive. It would create a somewhat-anonymous identification system based on cryptography.
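To make the tokenization idea concrete, here is an added example (not code from the podcast, Kelvin Zero, or the article) of a small tokenization vault: the vault is the only component that ever sees the sensitive value, mints a random token for it, and every downstream system keys its records by that token alone. The class names, the `tok_` prefix, and the sample identifier are constructed for illustration; the keyed-hash index is an assumption about how a vault would find an existing token without storing guessable hashes of the raw value.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class TokenVault:
    """Constructed example of a tokenization service. Only the vault holds
    the sensitive value; every other system works with the opaque token."""

    def __init__(self) -> None:
        # Vault-local key: the value->token index is an HMAC, so an attacker who
        # copies the index cannot rebuild it by hashing guessed values.
        self._index_key = secrets.token_bytes(32)
        self._value_index: dict[str, str] = {}   # keyed fingerprint of value -> token
        self._token_store: dict[str, str] = {}   # token -> sensitive value

    def _fingerprint(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the token for a value, minting a random one on first sight.
        The same value always maps to the same token, so a returning user who
        presents the same identifier is recognised as the same person."""
        fp = self._fingerprint(value)
        token = self._value_index.get(fp)
        if token is None:
            # Random token: it carries no information about the value it stands for.
            token = "tok_" + secrets.token_urlsafe(16)
            self._value_index[fp] = token
            self._token_store[token] = value
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Reverse lookup, available only inside the vault's trust boundary."""
        return self._token_store.get(token)


class RecordsService:
    """A downstream system (say, a clinic's scheduling app) that stores
    records by token only and never receives the sensitive identifier."""

    def __init__(self) -> None:
        self._records: dict[str, list[str]] = {}

    def add(self, token: str, note: str) -> None:
        self._records.setdefault(token, []).append(note)

    def records_for(self, token: str) -> list[str]:
        return list(self._records.get(token, []))

    def dump(self) -> str:
        """Everything an attacker would obtain by copying this service's storage."""
        return repr(self._records)


def verify_returning_user(vault: TokenVault, service: RecordsService,
                          presented_value: str) -> list[str]:
    """The user presents the sensitive identifier to the vault, the vault answers
    with the token, and the service is queried by token. The service itself never
    sees presented_value, so a breach of the service leaks records but no identity."""
    return service.records_for(vault.tokenize(presented_value))


if __name__ == "__main__":
    vault, clinic = TokenVault(), RecordsService()
    sample_id = "123-45-6789"  # constructed sample identifier
    clinic.add(vault.tokenize(sample_id), "follow-up visit booked")
    print(verify_returning_user(vault, clinic, sample_id))
    print("identifier present in clinic storage:", sample_id in clinic.dump())
```

The design choice worth noting is the split: the vault's storage is the sensitive asset and deserves the strongest controls, while the records service can be breached without exposing who its tokens refer to, which is the "identify without revealing" property the passage describes.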
Once there is some sort of system in place to minimize the replication of user identity without needing to know exactly who the user is, we can move on to better authentication by default. Multi-factor authentication (MFA) or two-factor authentication (2FA) by default would be a great step for additional security. Thierry and Philippe are still surprised how many systems don’t require it.
Further on, we can move away from having only the server authenticate digital identification. Having only the server authenticate just shifts the cybersecurity challenges to the company doing the authentication. If the server gets compromised, you have to start all over. Making authentication more decentralized would be good.
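The two points made earlier, that a password login is only an evaluation of an input, and that server-only authentication makes a server compromise fatal, can be shown side by side. The following is an added example (not code from the podcast, Kelvin Zero, or the article). Part 1 is a conventional salted-hash password check: anyone who submits the matching string is accepted, and the server's store is a verifier derived from that string. Part 2 is a possession-based challenge-response in which the client keeps a private key and the server stores only hashes of it, so a copy of the server's database cannot answer a challenge. A Lamport one-time signature is used here only because it needs nothing beyond the Python standard library; it is an illustration, not a recommendation (production passwordless logins such as FIDO2/WebAuthn use reusable signature keys). All function names and sample values are constructed.

```python
import hashlib
import hmac
import secrets

# ---- Part 1: a password login is an evaluation of an input -------------------

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt; the stored value is derived from the password,
    # so the server holds something that is only as strong as the string itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def register_password(db: dict, username: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}

def login_with_password(db: dict, username: str, candidate: str) -> bool:
    rec = db.get(username)
    if rec is None:
        return False
    # Constant-time comparison. Nothing here checks *who* typed the string,
    # only *what* was typed: any party holding the string is accepted.
    return hmac.compare_digest(hash_password(candidate, rec["salt"]), rec["hash"])

# ---- Part 2: possession-based challenge-response (Lamport one-time signature) --
# The client holds 256 pairs of random secrets; the server stores only their
# SHA-256 hashes. Signing a challenge reveals one secret per digest bit, and the
# server checks that each revealed secret hashes to the registered value.

def lamport_keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub

def _digest_bits(challenge: bytes) -> list:
    d = hashlib.sha256(challenge).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def lamport_sign(priv, challenge: bytes) -> list:
    bits = _digest_bits(challenge)
    return [priv[i][bits[i]] for i in range(256)]

def lamport_verify(pub, challenge: bytes, sig: list) -> bool:
    if len(sig) != 256:
        return False
    bits = _digest_bits(challenge)
    ok = True
    for i in range(256):  # no early exit, so verification time is input-independent
        if not hmac.compare_digest(hashlib.sha256(sig[i]).digest(), pub[i][bits[i]]):
            ok = False
    return ok

def register_device(db: dict, username: str, pub) -> None:
    # The server keeps public hashes only: nothing reusable to steal.
    db[username] = {"pub": pub, "used": False}

def issue_challenge() -> bytes:
    return secrets.token_bytes(32)  # fresh per login attempt, defeats replay

def login_with_device(db: dict, username: str, challenge: bytes, sig: list) -> bool:
    rec = db.get(username)
    if rec is None or rec["used"]:
        return False
    if not lamport_verify(rec["pub"], challenge, sig):
        return False
    rec["used"] = True  # one-time key: the client enrols a fresh public key after use
    return True


if __name__ == "__main__":
    pw_db, dev_db = {}, {}
    register_password(pw_db, "alice", "correct horse battery")   # constructed sample
    print("password login:", login_with_password(pw_db, "alice", "correct horse battery"))
    priv, pub = lamport_keygen()
    register_device(dev_db, "alice", pub)
    ch = issue_challenge()
    print("device login:", login_with_device(dev_db, "alice", ch, lamport_sign(priv, ch)))
```

The contrast the passage draws is visible in the two databases: `pw_db` holds a verifier that a leaked credential string unlocks from anywhere, while `dev_db` holds only hashes that let the server check a response without being able to produce one, which is what moving authentication off the server and onto the user's device buys.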
Privacy and Digital Identification
Digital identification currently comes back to usernames and passwords. But we also have something of a digital footprint that can be tracked across websites, platforms, devices, and networks to the point where we need to also include privacy in the discussion. It’s not just cookies anymore. If you get online using Chrome or another browser from a big tech company, even if you use a VPN, websites or other platform providers may be able to identify the device.
Technology is moving at such a fast pace that most of us are left behind. We don’t understand how the technology can be used against us to benefit corporations. Corporations are trying to improve their bottom line, which is fine. But at the same time, they’re laying the groundwork for world-changing technology that could be even better if it had more security and privacy included.
Technology is moving at such a fast pace that most of the population is left behind, not understanding how it can be used against them. – Thierry Gagnon
Think about the medical space. How do we convince people to share medical data to provide better care and improve treatments when there are data breaches everywhere? The end result is less ideal than what we could establish if users had a bit more control. Everyone in the world is in cooperation in some way or another. Your bank probably deals with thousands of third-party service providers. To provide a way for people to navigate this safely, control has to go in the hands of people with no incentives to abuse the relationship – the user themselves.
We Need Data Privacy
Companies know that it’s in the best interest of their customers never to sell their data. But that’s not in the interest of shareholders, who want to see profits. And a struggling company can very easily sell some customer data to pay the bills. There’s a question of acceptability here.
Most users want privacy. But what actually is privacy? Is it anonymity? Not allowing anything to be known about you? Having control to allow or disallow use of your data? The ability to force a company to delete your data? Thierry and Philippe believe there’s a market for privacy. We’re talking about privacy and security for a reason. And there are some people who are in the business of making sure your data is protected, not mishandled, and not misused.
Technology should serve us fundamentally. It should do what we want to do. – Philippe Desmarais
In the past, if you went to the doctor, you brought your file with you and took it home with you when you left. The only people who got to see it were the people you gave it to. Now, it sits in digital space, duplicated everywhere. We don’t know who has copies or where they are. And if someone exploits a medical API or breaches your doctor’s office, now they have it.
We’re Behind Where We Should Be
We have kicked the problem of digital identification and authentication down the road too many times, and now we’re behind where we should be in terms of security. But we do have the opportunity to fix the problem at the root. When you were a kid building a sand castle, at some point you had to improve the base before it could get any taller. Now in cybersecurity, we may have to go back and address some problems at their roots before we can make more improvements.
One of the more concrete approaches is that if we could create a system that allows for somewhat anonymous identification without sharing sensitive information, companies would still be able to profile people to sell to them and improve their business margin. But they would be able to do it without the risk of leaking personal information.
Biometrics are one way to verify a digital identity with a client-side verification. But some organizations are building massive centralized biometric databases, which have their own problems. They are a great target for hackers. And if your biometrics are compromised, then what? It’s a lot easier to change your password than your fingerprint. The challenge with all of this is to avoid and move past the mistakes of the past to get into the great ideas that we have today and want to see in the future.
What You Can Do to Improve Digital Identification
Unfortunately, many of these changes and improvements are out of the hands of consumers. But there are some things that you can do. Move away from single-factor authentication. Turn on two-factor authentication everywhere you can. If a system gives you the option to move away from passwords, take it.
You can also ask institutions to use other methods of digital identification. There are solutions out there. Kelvin Zero offers some of them, but there are more. Request your healthcare organizations, government, and financial institutions to choose more secure methods.
Finally, don’t mix your sensitive information with leaky devices. A lot of people are using cloud-based storage or just relying on the local storage on their phones. Look at other solutions that are less likely to expose your sensitive information.