
Each year, the first Tuesday in May is designated World Password Day, dedicated to reminding people to observe “good” password hygiene to keep their identity safe online.

Sadly, password-based user authentication is a game of Russian roulette: the question is not whether a password will be compromised but when, if it has not happened already. We need to embrace a passwordless approach to security, and Gartner has designated passwordless authentication as a key technology that organizations should adopt as soon as possible.

The endgame is passwordless authentication for both enterprise and retail users, but the question is how best to achieve it, and which model is both the most secure and the easiest to use?

Most organizations already understand, or are beginning to understand, the weaknesses of a password-based user authentication strategy. Many have implemented two-factor solutions to reduce their exposure to fraud. Whilst that is a positive step, most of these solutions have also proved vulnerable to advances in fraud techniques such as social engineering, credential sharing, SIM swap, SMS/OTP interception and other sophisticated forms of identity theft and hacking. We also need to be aware that our “users” may be a combination of employees and customers, for whom the suitable authentication methods may differ.

Firstly, we need to understand a basic fact about the absolute need to guarantee the identity of the user. Knowledge factors (passwords, PINs, KBA) and possession factors (PKI credentials, mobile phones, hardware tokens, etc.) do not guarantee identity. They only provide assurance that someone, anyone, is in possession of that secret or device. Solutions built on knowledge or possession factors therefore rest purely on trust that the correct person holds them, and trust is not a foolproof attribute for a security solution.

A one-time passcode (OTP), on the other hand, is verified deterministically: the submitted code is either right or wrong. It usually consists of a six-digit random number, and its strength against guessing is the probability of hitting that number, which for a six-digit OTP is 1 in a million per attempt (a bound that only holds while the verifier limits attempts and expires the code). That strength is fundamentally diminished if the OTP is intercepted or shared, since the OTP is in effect a possession factor: whoever holds the code passes the check, so it loses its integrity and cannot be relied upon to prove identity.

To create a strong passwordless solution we need legitimacy.

The authenticating entity (the relying party) needs verification that the authentication process was legitimate; it cannot rely solely on trust that the process occurred remotely, out of its sight, as prescribed.

A federated security model in which a user authenticates biometrically on a remote device, where the authentication process is controlled by a third-party device supplier and invisible to the authenticating entity, is entirely based on trust: the relying party receives only an assertion that a match occurred. And if the biometric can be replaced by a PIN, for instance, then there is no guaranteed identity, only trust, which is not legitimate since PINs can be shared.

To summarize: whilst only a biometric can prove identity (proof that the correct person is who they claim to be), not all biometric solutions are the same, and biometric modalities differ greatly in precision, accuracy, integrity and versatility (omni-channel use). For example, grave concerns have surfaced regarding face recognition technologies whose accuracy differs across racial groups, i.e. systems that are inherently biased.

Voice biometrics, on the other hand, does not suffer from such accuracy, bias or privacy issues. Further, it is a fundamentally different technology from any other biometric modality because it is two-dimensional: not just whose voice it is, but also what the voice is saying. Combining a probabilistic factor (the voice match) with a deterministic factor (the OTP) significantly amplifies the mathematical strength and accuracy of the authentication model, because an attacker must defeat both at once, and thereby guarantees identity. So how does this work?

Simply, it must be the genuine user’s voice that speaks the OTP, whether into a smartphone app, over a phone call, or directly into a browser. There is then no longer any point in sharing, stealing or intercepting the OTP, because a stolen code spoken by the wrong voice fails. We now have legitimate “Guaranteed Identity (GI)”.
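As an added illustration (this is not ValidSoft’s code and was not part of the original post), the following Python sketches the server-side logic behind the two previous points: a deterministic OTP verifier whose 1-in-a-million guessing bound only holds with an attempt cap, expiry and single use, a spoken-OTP decision that requires both the transcribed digits and a speaker-verification score to pass, and a small model of attacker success under the threat scenarios the article lists (intercepted OTP, spoofed voice). The threshold, attempt cap, time-to-live and false-accept rate are assumed values, and the voice score is taken as an input from a hypothetical speaker-verification engine.

```python
import hmac
import secrets
from dataclasses import dataclass

# Parameters are assumptions for this illustration, not ValidSoft's values.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 120     # an OTP is only valid for a short window
MAX_ATTEMPTS = 3          # without this cap, "1 in a million" is not a bound on guessing
VOICE_THRESHOLD = 0.90    # hypothetical score above which a voice match is accepted


@dataclass
class Challenge:
    """Server-side state for one issued OTP."""
    otp: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


def issue_otp(now: float) -> Challenge:
    """Issue a fresh OTP. secrets (not random) keeps the code unpredictable,
    which the 1-in-10**OTP_DIGITS guessing bound relies on."""
    code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
    return Challenge(otp=code, issued_at=now)


def verify_otp(challenge: Challenge, candidate: str, now: float) -> bool:
    """Deterministic check: the candidate matches or it does not.
    Every call burns an attempt, the code expires, and a correct code is
    single-use, so an attacker gets at most MAX_ATTEMPTS guesses per challenge."""
    if challenge.consumed or challenge.attempts >= MAX_ATTEMPTS:
        return False
    if now - challenge.issued_at > OTP_TTL_SECONDS:
        return False
    challenge.attempts += 1
    # Constant-time comparison; malformed input is rejected before comparing.
    ok = (
        len(candidate) == OTP_DIGITS
        and candidate.isascii()
        and candidate.isdigit()
        and hmac.compare_digest(challenge.otp, candidate)
    )
    if ok:
        challenge.consumed = True
    return ok


def verify_spoken_otp(challenge: Challenge, transcribed_digits: str,
                      voice_score: float, now: float) -> bool:
    """Spoken-OTP decision: the digits recognised in the utterance must match
    the issued OTP AND the speaker-verification score (from a hypothetical
    voice engine) must clear the threshold. Both checks always run, so a
    caller cannot learn which factor failed."""
    otp_ok = verify_otp(challenge, transcribed_digits, now)
    voice_ok = voice_score >= VOICE_THRESHOLD
    return otp_ok and voice_ok


def attacker_success(has_otp: bool, can_spoof_voice: bool, far: float = 1e-4) -> float:
    """Probability that one challenge is defeated, for the threat models the
    article discusses. `far` is an assumed false-accept rate for the voice
    engine (the probabilistic factor), not a measured figure.
    - OTP unknown: at most MAX_ATTEMPTS guesses out of 10**OTP_DIGITS codes.
    - OTP intercepted or shared: the OTP factor is worth nothing on its own.
    - Voice not spoofable: the attacker's own voice passes with probability far."""
    p_otp = 1.0 if has_otp else MAX_ATTEMPTS / 10 ** OTP_DIGITS
    p_voice = 1.0 if can_spoof_voice else far
    return p_otp * p_voice


if __name__ == "__main__":
    # Constructed scenarios: the right code from the wrong voice fails,
    # the genuine voice speaking the code passes.
    ch = issue_otp(now=0.0)
    print("intercepted OTP, impostor voice:", verify_spoken_otp(ch, ch.otp, 0.40, 1.0))
    ch = issue_otp(now=0.0)
    print("genuine voice speaking the OTP:", verify_spoken_otp(ch, ch.otp, 0.97, 1.0))
    for has_otp, spoof in [(False, False), (True, False), (False, True), (True, True)]:
        print(f"attacker has OTP={has_otp}, spoofs voice={spoof}: "
              f"{attacker_success(has_otp, spoof):.2e}")
```

Two design points worth noting. A correct code presented with a failing voice score still burns the attempt and consumes the code, so a replayed interception also invalidates that OTP for the genuine user until a new one is issued, which is the safer failure. And the attacker model makes the article’s argument concrete: with the OTP intercepted the attacker is left facing only the voice engine’s false-accept rate, and with the voice spoofed they are left facing only the capped guessing odds; only defeating both at once gives certainty.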

Passwordless authentication is already here, but not all models are equal. A mathematically strong approach that combines spoken OTP passcodes with the genuine user’s voice delivers Guaranteed Identity and provides a legitimate, strongest form of passwordless authentication, with the easiest and most flexible customer experience.

How ValidSoft delivers passwordless authentication 

ValidSoft has created next-generation Identity Guaranteed voice biometric technology that can be used consistently across the omni-channel, in any mode, anywhere in the real world and in the emerging Metaverse (MetaVoice®). Our technology offers accuracy and precision with latency imperceptible to the user, utilizing active, dynamic active, passive and continuous passive authentication that is intuitive and easy to use, mathematically secure and offers the highest levels of compliance (via our certified, unique privacy-by-design approach).

Our technology is built on continuous and transparent authentication, enabling “Trusted Humans” to interact by guaranteeing that the speaker is who they claim to be, always, as “proof of life”.

ValidSoft can be used stand-alone or as an overlay to leading enterprise MFA/2FA solutions. We offer multiple flexible deployment options including SaaS, on-premises, private/public cloud, on-device, SDK, app and edge.

To learn more about our enterprise-grade identity guaranteed products and solutions and how we can help you deliver frictionless passwordless authentication, contact us at www.validsoft.com 
