Biometric and 2FA Fail the Security Test

In the last five years, a steady run of breaches and hacks has produced a flood of so-called solutions. In 2016, Verizon put the global loss from these breaches above $500 billion, and its Data Breach Investigations Report attributed 81% of hacking-related breaches to stolen or weak credentials. Despite the best efforts of security experts around the world, these events continue to escalate and dominate boardroom discussions.

As experts realized the fatal flaws of the simple username/password model, they created “add-ons” meant to strengthen it. Biometrics and 2FA are currently the most popular of these “bolt-on” solutions. However, these additional hoops for the user to jump through only treat the symptoms, not the underlying problem.

A new solution is needed. Only if we step back and are willing to question the validity of the username/password model can we begin to fix the problem. But what IS the actual problem? If we cannot define the problem precisely, our solutions only compound user inconvenience without improving security.

The notion of “digital identity” implies the necessity of proving who you are across the Web. In other words, your digital identity, just like in the physical world, allows you to interact and transact across the Web. If you cannot prove who you are, the consequences can be catastrophic: stolen identities, account breaches, and fraudulent transactions. Today, these events are commonplace and growing in frequency.

When we create a digital account, we are asked for quite a bit of information. Some of it is Personally Identifiable Information (PII): date of birth, SSN, card numbers, and so on. We are also asked to create a username and password (U/P). The password (or, in any competently run system, a salted hash of it) is stored in the enterprise database and checked every time we log in. The process of entering our U/P and the server’s verification of it is accurately described as a “validation of matching credentials.”

This activity has nothing to do with verifying the actual identity of the individual. It merely confirms that the entered string MATCHES the stored one. Anyone could have typed that U/P into the system. ANYONE. Therefore anyone in possession of these credentials (you, your coworker, an attacker) has unimpeded access to your account. This simple yet fundamental defect is at the heart of the mess we face today. The appropriate cure requires a different way of thinking and a re-architecting of “authentication.”

These are the facts:

  1. Passwords are static credentials, and static credentials get shared, copied, and phished until the account is breached. Biometrics and the common 2FA implementations do not solve this problem; they only add a step for the attacker. A biometric template is a stored record that can be copied or replayed, and a one-time code delivered by SMS, authenticator app, or push prompt can be relayed to the real site in real time by a phishing page. All of these have been bypassed in practice, and repackaging them perpetuates breaches and fraud. The one widely deployed exception worth naming is a hardware-held key that answers a server challenge bound to the genuine site (FIDO2/WebAuthn); it resists the relay because the device, not the user, attests to the origin it actually saw.
  2. Authentication by static credentials is initiated and CONTROLLED by the end user. As long as the U/P entered by the POSSESSOR matches, the enterprise grants full access. The user’s actual identity, in such a system, is irrelevant.

To construct an effective solution to this problem, “authentication” itself must be redefined. We need to be able to answer correctly “HOW can a user prove their identity across the Web?” Our current standard answers a different question: “WHAT static credentials prove your identity across the Web?” Static credentials can be shared, copied, or phished, so they are more accurately labeled “identifiers” controlled by whoever possesses them. The identity of the human was never proven.

The Solution:

  1. STATIC access credentials (passwords, stored biometric templates, and the usual 2FA codes) should be replaced with DYNAMIC ones: a fresh challenge chosen by the server for every attempt, so that a value shared, copied, or phished in one session is worthless in the next.
  2. CONTROL of the authentication should reside with the server, not the end user. When the server chooses the challenge and decides what answer it will accept, it is empowered to discriminate and probe the end user, and an attacker cannot simply present a remembered string. Hacking and impersonation become extremely difficult, if not impossible.
  3. To achieve true identity verification, authentication should target HOW the individual’s brain works. We call this concept “CognitiveID.” HOW we think, process information, and interact with our surroundings is specific to each individual. The human mind is the validating organ that makes sense of our external world, so it makes little sense to keep relying on machines for that validation. Why not use the “power of the mind” as the authority and proof of our identity across the Web? It is about time we stopped relying on devices to prove who we are.
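The difference between a static credential and a server-controlled, per-attempt challenge is easiest to see in code. The toy protocol below is an illustration added by the editor; it is not NimbusID’s CognitiveID or any vendor’s code, and the origins bank.example and bank-login.example, the HMAC-based response, and the class and function names are all assumptions. It walks a phishing relay (a look-alike site forwarding between the victim and the real server) through three cases: a static password, which the relay captures and reuses; an unbound challenge, which the relay also passes because the victim computes a valid answer for whatever nonce is forwarded; and an origin-bound challenge, which fails because the victim’s answer names the site they actually saw. It also shows a recorded answer being useless on the next attempt.

```python
import hashlib
import hmac
import secrets

# Constructed toy protocol for illustration only; not NimbusID's CognitiveID.
REAL_ORIGIN = "bank.example"          # the genuine site (assumed name)
PHISH_ORIGIN = "bank-login.example"   # the attacker's look-alike (assumed name)


class Server:
    """Holds one user's credentials and judges login attempts."""

    def __init__(self, origin, bind_origin):
        self.origin = origin
        self.bind_origin = bind_origin   # fold the origin into the expected answer?
        self.password = None             # static credential
        self.key = None                  # shared key for challenge/response
        self.pending = None              # outstanding nonce, if any

    def enroll(self, password, key):
        self.password = password
        self.key = key

    def login_static(self, password):
        # Only string equality is checked: any possessor of the string is admitted.
        return hmac.compare_digest(self.password, password)

    def challenge(self):
        # The server, not the user, decides what must be answered this time.
        self.pending = secrets.token_hex(16)
        return self.pending

    def login_dynamic(self, response):
        nonce, self.pending = self.pending, None      # a nonce is single use
        if nonce is None:
            return False
        expected = answer(self.key, nonce, self.origin if self.bind_origin else None)
        return hmac.compare_digest(expected, response)


def answer(key, nonce, origin_seen):
    """Client side: HMAC over the nonce, optionally tied to the origin the client
    believes it is talking to (in practice a browser or token supplies this)."""
    msg = nonce if origin_seen is None else f"{origin_seen}|{nonce}"
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def relay_static():
    """Victim types the password into the phishing page; attacker replays it."""
    srv = Server(REAL_ORIGIN, bind_origin=False)
    srv.enroll("correct horse battery", b"unused-key")
    captured = "correct horse battery"        # what the phishing form received
    return srv.login_static(captured)         # True: the strings match


def relay_dynamic(bind_origin):
    """Live relay: attacker fetches the real challenge, forwards it to the victim
    on the phishing page, and submits whatever the victim computes."""
    key = secrets.token_bytes(32)
    srv = Server(REAL_ORIGIN, bind_origin)
    srv.enroll("unused", key)
    nonce = srv.challenge()                                   # attacker -> real server
    victim_response = answer(key, nonce, PHISH_ORIGIN if bind_origin else None)
    return srv.login_dynamic(victim_response)                 # attacker -> real server


def replay_dynamic():
    """Attacker records one genuine response and replays it in a later session."""
    key = secrets.token_bytes(32)
    srv = Server(REAL_ORIGIN, bind_origin=True)
    srv.enroll("unused", key)
    nonce = srv.challenge()
    recorded = answer(key, nonce, REAL_ORIGIN)
    first = srv.login_dynamic(recorded)       # genuine session: accepted
    srv.challenge()                           # new session, new nonce
    second = srv.login_dynamic(recorded)      # stale answer: rejected
    return first, second


if __name__ == "__main__":
    print("static password through phishing relay:", relay_static())
    print("unbound challenge/response through relay:", relay_dynamic(False))
    print("origin-bound challenge/response through relay:", relay_dynamic(True))
    print("recorded response replayed (first, second):", replay_dynamic())
```

Two caveats a practitioner should take from this. A fresh nonce per attempt only defeats replay; stopping a live relay additionally needs the answer bound to the genuine origin, supplied by software the user cannot be tricked into lying with, not by the user. And a shared HMAC key means the server database holds the secret itself; production designs use a public-key signature so the server stores only a verifier.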

The CognitiveID technology, invented and implemented by NimbusID LLC, is designed to address the problems described above in relation to digital identity and authentication: the failings of static passwords, biometric templates, and current 2FA implementations that can be shared, copied, or phished.

In addition, when CognitiveID is used as a “pre-factor” in front of existing password, biometric, or 2FA flows, the enterprise gains confidence that the person transacting is the enrolled user rather than someone holding their credentials, and fraud that depends on stolen credentials is cut off at the login step. Note what this does and does not cover: it addresses impersonation at authentication; fraud that begins afterwards (malware on the user’s device, a hijacked session) is a separate problem for any authentication scheme.

Every day we hear of server breaches, enterprise hacks, C-level phishing, drained Bitcoin accounts, cloud account breaches, and nation-state threats. To the extent that these begin with a stolen or phished credential, which the Verizon figures above say is the large majority, CognitiveID is meant to make them improbable.

As long as we continue to rely on static credentials for authentication, these threats will multiply. The only solution is to truly verify a user’s identity using a tool that cannot be shared, copied, or phished: the human brain.

To learn more about CognitiveID, watch our short video or try it out yourself!

CryptoCurrency and Blockchain Need Cognitive ID

Counterfeiting Solved!

The success of cryptocurrencies has eclipsed quite a few Internet technologies recently. Everywhere you look, a new electronic currency is launching. From Ripple to Stellar, Moneia, and of course Bitcoin, the players are numerous and growing fast.

This growth is due in large part to the anti-counterfeiting technology cryptocurrencies are built on. Known by its more commercial term, blockchain, this model makes it infeasible to insert a false transaction or spend the same coin twice: every transaction must carry a valid signature from the coin’s current holder, and the public ledger is replicated on thousands of independent machines around the world that will only extend a chain whose transactions all pass that check.

Financial institutions are taking serious interest in cryptocurrencies because they are not tied to the economic health of any one country, and the political machinations of any one government do not sway the legitimacy of these truly international currencies.

Houston, We Have a Problem

However, while the integrity and uniqueness of a transaction can be guaranteed, one weak point remains: nothing proves an “intent to transact.” The network verifies that the transaction was signed with the right key; it has no way to tell whether the person holding that key at the time was its rightful owner.

Most users reach their coins through a wallet app or a hosted exchange account. Access to hosted wallets rests on the decades-old username/password model; non-custodial wallets protect the private key with a passphrase, PIN, or seed phrase, which is just another static secret. Some add two-factor authentication to lower the risk, but at the foundation of every user session, security is tied to static credentials that do not prove identity.

True security depends on verifying the identity of the user. You may say that the username/password combination meets this need; I disagree. Static credentials do not verify the user. They are simply “identifiers” known by the user. Your house key, similarly, does not discriminate based on the identity of the holder. Anyone who has it may enter.
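A toy ledger makes the “house key” point concrete. The code below is an illustration added by the editor, not software from NimbusID or from any real chain: outputs are locked to the SHA-256 hash of a secret and are spent by revealing that secret, a deliberate simplification of the signature check real chains perform, and the secrets, amounts, and names are constructed. The ledger rejects a forged spend and a double spend, which is exactly the integrity guarantee described earlier, yet it accepts a spend from a thief who copied the secret, because possession of the unlocking value is the only thing it can check.

```python
import hashlib

# Constructed illustration; not code from NimbusID or any real blockchain.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Outputs are locked to sha256(secret); a spend reveals the secret.
    The ledger verifies that proof and refuses to spend an output twice.
    That is all it verifies: whoever presents the secret is 'the owner'."""

    def __init__(self):
        self.unspent = {}     # output id -> (amount, lock)
        self.history = []     # accepted transactions, in order

    def mint(self, amount, lock):
        oid = sha256_hex(f"mint|{len(self.history)}|{lock}".encode())
        self.unspent[oid] = (amount, lock)
        self.history.append(("mint", oid))
        return oid

    def spend(self, oid, secret, new_lock):
        """Returns (accepted, detail); detail is the new output id or a reason."""
        if oid not in self.unspent:
            return False, "unknown or already spent output"    # double spend
        amount, lock = self.unspent[oid]
        if sha256_hex(secret) != lock:
            return False, "proof does not match lock"           # forged transaction
        del self.unspent[oid]                                   # output is consumed
        new_oid = sha256_hex(f"spend|{oid}|{new_lock}".encode())
        self.unspent[new_oid] = (amount, new_lock)
        self.history.append(("spend", oid, new_oid))
        return True, new_oid


def scenario():
    """Alice owns a coin; a thief has copied her wallet secret (constructed values)."""
    alice_secret = b"alice-wallet-secret"      # constructed
    thief_secret = b"thief-wallet-secret"      # constructed
    forger_guess = b"wrong-secret"             # constructed

    ledger = Ledger()
    coin = ledger.mint(10, sha256_hex(alice_secret))
    results = {}

    # A forger without the secret is rejected: the integrity guarantee holds.
    results["forged"] = ledger.spend(coin, forger_guess, sha256_hex(thief_secret))[0]
    # The thief holding a copy of the secret is accepted: identity was never checked.
    ok, stolen_coin = ledger.spend(coin, alice_secret, sha256_hex(thief_secret))
    results["thief_with_copied_secret"] = ok
    # Alice's own later spend of the same coin is now a double spend and is rejected.
    results["alice_after_theft"] = ledger.spend(coin, alice_secret, sha256_hex(alice_secret))[0]
    # The thief moves the coin on; the ledger records a perfectly valid chain.
    results["thief_spends_on"] = ledger.spend(stolen_coin, thief_secret, sha256_hex(b"fence"))[0]
    results["chain_length"] = len(ledger.history)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The ledger’s verdicts are all correct by its own rules: the forgery fails, the double spend fails, and the thief’s transactions succeed. No amount of consensus or replication changes that outcome, because the rule being enforced is “present the unlocking value,” not “be the person who enrolled it.”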

Identity vs Identifiers

And that’s the key. In today’s world, you need to know the difference between “identifiers” and “identity.” As I mentioned before, the only way to GUARANTEE security is to verify a user’s identity. Usernames and passwords do not accomplish this task; anyone armed with that information can impersonate the user perfectly.

How it Works

The transaction-creation solution NimbusID offers is CognitiveID, its implementation of the Cognitive Identification security strategy. It is based on the contextual logic each person uses to file information in their own mind. That sounds complex, but the concept is actually very simple. Watch this short four-minute video to see how it works.

Remember, the only way to verify identity is to teach the server to discriminate and challenge the end user. When the challenge can be met only by the enrolled person, and not by anyone who merely holds a credential, the resulting action can be imputed to that person as a manifested legal intent (NimbusID calls this “Intentication”). That gives the digital transaction a footing under legal scrutiny that static-credential authentication lacks, since with a static credential the party who presented it could have been anyone.

NimbusID, using our patented CognitiveID model, proves the identity of the user and, therefore, the intent to transact. Because, in the end, the only person reaching into your wallet should be you.