11.12.21 – SIW – Brian Coulombe
Startup ProveID looks to end our dependence on passwords using proximity-based and persistent authentication
This article originally appeared in the November 2021 issue of Security Business magazine.
As we wrap up Cybersecurity Awareness Month, it seems appropriate to delve into what remains the most prevalent and eminently frustrating issue facing cyber professionals – password security.
In today’s era of multi-factor authentication (MFA), biometric authorization and other advanced technologies, it is hard to pinpoint quite why our collective password hygiene is so abysmal. What’s worse, if you think humanity’s problem rests with the inability to simply remember which site uses which password, that is just the tip of the iceberg. Statistics compiled by a Google/Harris poll in 2019 revealed that 43% of Americans admit to habitually sharing their passwords, 59% incorporate easily discoverable personal data in their passwords (i.e., a child or pet’s name), and 27% openly admitted to trying to guess someone else’s password.
While the Cybersecurity and Infrastructure Security Agency (CISA) has openly stated that using a single password authentication method is “dangerous,” only 37% have actually made a move to MFA.
While a unilateral move to MFA would be a drastic improvement, some are looking towards a future where we can divorce ourselves from passwords altogether. After all, we cannot share or forget what we do not know, right?
Authentication disruptor ProveID Inc. (http://proveid.net) is looking to end our messy dependence on passwords altogether through a platform that provides proximity-based and persistent authentication.
Most people I know have experienced a situation where a fraud alert is placed on their credit card after someone has attempted to use their card number to buy gas in a remote corner of the globe. Some banks have built a feature into their mobile apps: if your phone is nowhere near the location of the transaction, that raises a red flag and the transaction is declined. This is a basic type of proximity-based authentication. My phone is a known and trusted device, and it is theoretically in my possession at any given time.
If I am trying to log into a workstation or open an access-controlled door, the proximity of my phone or smart wearable device should be able to provide the same function. ProveID facilitates that capability. IoT devices like phones or smartwatches act as “beacons” and communicate your position to listening devices that continuously monitor for the radio signals they emit. Those listeners might be workstations trained to look for your smartwatch’s Bluetooth signal, or a standalone device might track the WiFi signal strength of your device.
This data is used to determine your proximity to enrolled devices requiring authorization. If you are close to a door you have access to, the system can be programmed to recognize that proximity, and a popup on your phone or watch might ask if you want to unlock the door. Similarly, proximity to your workstation might automatically log you into it, without the need for a username or password.
Typical authentication requires a single login at the beginning of a session. The longer the session, the greater the opportunity for a breach. The user might walk away, for example, leaving the asset unlocked and vulnerable. Persistence refers to the concept of continuously authenticating the user throughout the session, through ongoing two-way communication between the platform and the user’s phone or wearable device. Walking away from that workstation would cause the user to be automatically logged out.
In a broader sense, a network of listening devices is continuously communicating with your smart IoT device and reporting your location back to the ProveID platform, which can keep you logged into an asset or automatically log you out once you walk away.
The system is highly customizable. For example, the platform can prompt the user to reauthenticate to their phone periodically or before triggering something like an access-controlled door. A wearable device like a smartwatch might become trusted once the user has started wearing it and authenticated themselves using their smartphone. Taking the watch off would break the authentication. More advanced sensors might be able to identify the individual wearing the watch through biometric markers and remove the need for authentication through the phone altogether.
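The session logic described above (unlock on sustained proximity, lock when the beacon goes quiet, the wearable is removed, the signal fades, or a periodic re-authentication is due) as a small simulator; this is an added illustration, not ProveID’s code, and every threshold, debounce count and interval is an assumed value.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: float      # seconds since session start (constructed timestamps)
    rssi: int     # signal strength in dBm as reported by the listener
    worn: bool    # wearable reports it is still on the wrist

class ProximitySession:
    """Hypothetical evaluator for one asset (workstation or door); assumed thresholds."""
    UNLOCK_RSSI = -60     # at least this strong counts as "near"
    LOCK_RSSI = -75       # weaker than this counts as "walked away" (hysteresis gap)
    NEAR_STREAK = 3       # consecutive near samples before unlocking (debounce)
    MAX_GAP = 5.0         # seconds of beacon silence before locking
    REAUTH_EVERY = 3600   # seconds between required phone re-authentications

    def __init__(self, last_auth: float = 0.0):
        self.unlocked = False
        self.streak = 0
        self.last_auth = last_auth   # when the user last confirmed on the phone
        self.last_seen = None        # time of the last beacon sample

    def reauthenticate(self, t: float) -> None:
        self.last_auth = t   # user answered the phone/watch prompt at time t

    def observe(self, s: Sample) -> str:
        gap = 0.0 if self.last_seen is None else s.t - self.last_seen
        self.last_seen = s.t
        # Any persistence failure locks regardless of how strong the signal is.
        if not s.worn:
            return self._lock("wearable removed")
        if gap > self.MAX_GAP:
            return self._lock("beacon silent too long")
        if s.t - self.last_auth > self.REAUTH_EVERY:
            return self._lock("periodic re-authentication due")
        if s.rssi >= self.UNLOCK_RSSI:
            self.streak += 1
            if not self.unlocked and self.streak >= self.NEAR_STREAK:
                self.unlocked = True
                return "unlock"
        elif s.rssi < self.LOCK_RSSI:
            return self._lock("device walked away")
        else:
            self.streak = 0   # in the hysteresis band: keep the current state
        return "unlocked" if self.unlocked else "locked"

    def _lock(self, reason: str) -> str:
        self.unlocked, self.streak = False, 0
        return "lock: " + reason

# Constructed trace: user approaches, lingers at the edge of range, then walks away.
TRACE = [Sample(0, -55, True), Sample(1, -58, True), Sample(2, -57, True),
         Sample(3, -70, True), Sample(4, -80, True)]
```

Signal strength on its own is a noisy proximity estimate, which is why the sketch debounces the unlock and uses a hysteresis band; a production design would also tie each sample to an authenticated exchange with the device, which this sketch omits.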
According to Sean Kelley of ProveID, the explosion of smart IoT devices makes this the right time for persistent and proximity-based authentication: “We believe that the environment and architectures of smart IoT devices and sensors – with persistent communications to the hybrid Cloud and mutual proximity-based authentication – is here to stay, and that this architecture and data is the true key factor to security, reliability, and solid lasting return on investment.”
While smartphones can be used as user beacons to implement ProveID technology, wearable devices make authentication even more seamless to the user since (once authenticated) the device knows if it has been removed. The future of authentication might just reside in wearables, Kelley says.
“Hardware device costs per unit will continue to drop, and battery life will continue to get better, and the devices/chips will continue to get smaller (and more powerful), and the radio signals aspects will continue to get better,” Kelley says. “All of this will lead to a more user-friendly experience that will push the concept of wearing or carrying your credentials with you wherever you go.”
ProveID can be used for asset tracking as well, through the deployment of smart tags that can be tracked through a facility or globally through GPS and cellular connection. As a software company, ProveID can work with any number of off-the-shelf hardware products from any number of manufacturers. With the adoption of persistent and proximity-based authentication, hopefully one day soon we can all look forward to a life without passwords.