Biometric and 2FA Fail the Security Test

In the last five years, numerous security breaches and hacks have led to a flood of so-called solutions. In 2016, Verizon stated that the global loss due to these breaches exceeded $500 Billion and 81% of those breaches were due to stolen access credentials. Despite the best efforts of security experts around the world, these events continue to escalate and dominate boardroom discussions.

As experts realized the fatal flaws of simple username/password security models, they created “add-ons” meant to strengthen these models. Biometrics and 2FA are currently the most popular of these “bolt-on” solutions. However, these additional hoops for the user to jump through only treat the symptoms, not the actual problem.

A new solution is needed. Only if we step back and are willing to question the validity of the username/password model can we begin to fix the problem. But what IS the actual problem? If we cannot truly define the problem, our solutions only compound user inconvenience without improving security.

The notion of “digital identity” implies the necessity of proving who you are across the Web. In other words, your digital identity, just like in the physical world, allows you to interact and transact across the Web. If you cannot prove who you are, the consequences can be catastrophic: stolen identities, account breaches, and fraudulent transactions. Today, these events are commonplace and growing in frequency.

When we create a digital account, we are asked for quite a bit of information. Some of it can be labeled as “Personal Identifying Information,” like date-of-birth, SSN, credit cards, etc. In addition, we are asked to create a username and password (U/P). This U/P is stored in the enterprise database and queried every time we log in. This process of entering our U/P and the server’s verification of it can only be accurately described as a “validation of matching credentials.”

This activity has nothing to do with verifying the actual identity of the individual. Instead, it merely confirms that the entered information MATCHES the stored U/P. Anyone could have typed that U/P into the system. ANYONE. Therefore, anyone simply possessing these credentials (you, your coworker, a hacker) has unimpeded access into your account. This simple, yet fundamental defect is at the heart of the mess we face today. The appropriate cure requires a different way of thinking and re-architecting of “authentication.”

These are the facts:

  1. Use of passwords (static credentials) leads to sharing, copying, phishing, and eventually a breached account. Biometric and current 2FA implementations do not solve this problem. They just add an element of difficulty for the hacker. ALL forms of Biometric solutions and current 2FA implementations can be shared, copied, or phished. Therefore, they have all been breached and hacked. Regardless of how they are packaged, these flawed models perpetuate breaches and fraud.
  2. Authentication by static credentials is initiated and CONTROLLED by the end user. As long as the U/P entered by the POSSESSOR is correct, full access is provided by the enterprise. The user’s identity, in such a system, is irrelevant.

To construct an effective solution to this problem, an entirely new definition of “authentication” must occur. We need to be able to answer correctly “HOW can a user prove their identity across the Web?” Our current standard is tied merely to “WHAT static credentials prove your identity across the Web?” These static credentials can be shared, copied, or phished. Therefore, these credentials are more accurately labeled “identifiers” controlled by their possessor. True human identity was never proven.

The Solution:

  1. STATIC access credentials, such as passwords, biometrics, and 2FA implementations should be changed to DYNAMIC access credentials, thereby eliminating their ability to be shared, copied, or phished.
  2. The CONTROL of the authentication should reside in the database server, not with the end user. In such a system, the server is now empowered to discriminate and challenge the end user, making hacking and impersonation extremely difficult, if not impossible.
  3. To achieve true identity verification, authentication should target HOW the individual’s brain works. We call this concept “CognitiveID.” HOW we think, process information, and interact with the external environment is as unique as our DNA. The Human Mind is the validating organ that makes sense of our external world. Thus, it makes no sense to continue relying on machines for that validation. Why can’t we use the “power of the mind” to be the authority and proof of our identity across the Web? It’s about time we stop relying on devices to prove who we are.
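The distinction drawn in points 1 and 2 above (a static credential that anyone holding it can present, versus a dynamic exchange the server initiates and controls) can be made concrete with a small model. The following is an added illustration written for this page; it is not NimbusID code and does not describe how CognitiveID works, which the article does not specify. It contrasts the “validation of matching credentials” the article describes with a server-issued, single-use challenge, using an HMAC challenge-response scheme chosen here as an assumption for illustration. All usernames, passwords and keys are constructed sample values.

```python
"""Static credential matching vs a server-controlled dynamic challenge.

Added example (not NimbusID's code, not CognitiveID). The challenge-response
mechanism below is an illustrative assumption, not the article's method.
"""
import hashlib
import hmac
import os
import secrets


class StaticCredentialServer:
    """The username/password model the article describes: the server only
    checks that what was typed MATCHES what is stored. Whoever holds the
    password passes, every time."""

    def __init__(self):
        self._users = {}  # username -> (salt, PBKDF2 digest)

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, digest)

    def login(self, username, password):
        record = self._users.get(username)
        if record is None:
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


class ChallengeResponseServer:
    """The server initiates and controls each authentication: it issues a fresh
    random challenge, and a response is accepted only for that challenge and
    only once, so a copied transcript does not open a second session."""

    def __init__(self):
        self._keys = {}     # username -> shared secret key
        self._pending = {}  # username -> outstanding challenge (consumed on use)

    def register(self, username, key):
        self._keys[username] = key

    def issue_challenge(self, username):
        nonce = secrets.token_bytes(32)
        self._pending[username] = nonce
        return nonce

    def verify(self, username, response):
        nonce = self._pending.pop(username, None)  # single use: gone after one check
        key = self._keys.get(username)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key, nonce):
    """Client side of the dynamic scheme: prove possession of the key for this nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    """Returns (static_copy_accepted, first_dynamic_login_ok, dynamic_replay_accepted)."""
    # Static model: a copied password is accepted from anyone who presents it.
    static = StaticCredentialServer()
    static.register("alice", "correct horse battery staple")  # constructed sample
    copied_password = "correct horse battery staple"          # e.g. phished or shared
    static_copy_accepted = static.login("alice", copied_password)

    # Dynamic model: the server challenges; an observed response is worthless later.
    dyn = ChallengeResponseServer()
    key = secrets.token_bytes(32)  # constructed sample shared secret
    dyn.register("alice", key)
    nonce = dyn.issue_challenge("alice")
    response = client_respond(key, nonce)
    first_dynamic_login_ok = dyn.verify("alice", response)

    # A later session gets a new challenge; presenting the old response fails.
    dyn.issue_challenge("alice")
    dynamic_replay_accepted = dyn.verify("alice", response)
    return static_copy_accepted, first_dynamic_login_ok, dynamic_replay_accepted


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The model shows what moving control to the server buys and what it does not: a captured response no longer authenticates, because each login is a fresh server-chosen challenge, but the client still holds a secret key, so the article’s point about possessable credentials still applies to that key. That is exactly the residual problem the article argues needs a credential that cannot be held or copied at all.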

The CognitiveID technology solution as invented and implemented by NimbusID LLC ( solves ALL of the aforementioned problems in relation to digital identity and authentication. CognitiveID solves all of the failings related to static passwords, Biometrics, and 2FA implementations.

In addition, if CognitiveID is used as a “pre-factor authentication” to current password, biometric and 2FA models, transactions made by a user can be trusted. Fraud is virtually eliminated.

Every day, we hear of server breaches, enterprise hacks, C-level phishing, hacked Bitcoin accounts, cloud account breaches, and nation threats. CognitiveID renders these events improbable, if not impossible.

As long as we continue to rely on static credentials for authentication, these threats will multiply. The only solution is to truly verify a user’s identity using a tool that cannot be shared, copied, or phished: the human brain.

To learn more about CognitiveID, watch our short video or try it out yourself!

About the author: Eric Spellman