Biometric and 2FA Fail the Security Test

In the last five years, numerous security breaches and hacks have led to a flood of so-called solutions. In 2016, Verizon stated that the global loss due to these breaches exceeded $500 Billion and 81% of those breaches were due to stolen access credentials. Despite the best efforts of security experts around the world, these events continue to escalate and dominate boardroom discussions.

As experts realized the fatal flaws of simple username/password security models, they created “add-ons” meant to strengthen these models. Biometrics and 2FA are currently the most popular of these “bolt-on” solutions. However, these additional hoops for the user to jump through only treat the symptoms, not the actual problem.

A new solution is needed. Only if we step back and are willing to question the validity of the username/password model can we begin to fix the problem. But what IS the actual problem? If we cannot truly define the problem, our solutions only compound user inconvenience without improving security.

The notion of “digital identity” implies the necessity of proving who you are across the Web. In other words, your digital identity, just like in the physical world, allows you to interact and transact across the Web. If you cannot prove who you are, the consequences can be catastrophic: stolen identities, account breaches, and fraudulent transactions. Today, these events are commonplace and growing in frequency.

When we create a digital account, we are asked for quite a bit of information. Some of it can be labeled as “Personal Identifying Information,” like date-of-birth, SSN, credit cards, etc. In addition, we are asked to create a username and password (U/P). This U/P is stored in the enterprise database and queried every time we login. This process of entering our U/P and the server verification of same can only be accurately described as a “validation of matching credentials.”

This activity has nothing to do with verifying the actual identity of the individual. Instead, it merely confirms that the entered information MATCHES the stored U/P. Anyone could have typed that U/P into the system. ANYONE. Therefore, anyone simply possessing these credentials (you, your coworker, a hacker) has unimpeded access into your account. This simple, yet fundamental defect is at the heart of the mess we face today. The appropriate cure requires a different way of thinking and re-architecting of “authentication.”

These are the facts:

  1. Use of passwords (static credentials) leads to sharing, copying, phishing, and eventually a breached account. Biometric and current 2FA implementations do not solve this problem. They just add an element of difficulty for the hacker. ALL forms of Biometric solutions and current 2FA implementations can be shared, copied, or phished. Therefore, they have all been breached and hacked. Regardless of how they are packaged, these flawed models perpetuate breaches and fraud.
  2. Authentication by static credentials is initiated and CONTROLLED by the end user. As long as the U/P entered by the POSSESSOR is correct, full access is provided by the enterprise. The user’s identity, in such a system, is irrelevant.

To construct an effective solution to this problem, an entirely new definition of “authentication” must occur. We need to be able to answer correctly “HOW can a user prove their identity across the Web?” Our current standard is tied merely to “WHAT static credentials prove your identity across the web?” These static credentials can be shared, copied, or phished. Therefore, these credentials are more accurately labeled “identifiers” controlled by their possessor. True human identity was never proven.

The Solution:

  1. STATIC access credentials, such as passwords, biometrics, and 2FA implementations should be changed to DYNAMIC access credentials, thereby eliminating their ability to be shared, copied, or phished.
  2. The CONTROL of the authentication should reside in the database server, not with the end user. In such a system, the server is now empowered to discriminate and challenge the end user, making hacking and impersonation extremely difficult, if not impossible.
  3. To achieve true identity verification, authentication should target HOW the individual’s brain works. We call this concept “CognitiveID.” HOW we think, process information, and interact with the external environment is as unique as our DNA. The Human Mind is the validating organ that makes sense of our external world. Thus, it makes no sense to continue relying on machines for that validation. Why can’t we use the “power of the mind” as the authority and proof of our identity across the web? It’s about time we stop relying on devices to prove who we are.

The CognitiveID technology solution as invented and implemented by NimbusID LLC (nimbusID.com) solves ALL of the aforementioned problems in relation to digital identity and authentication. CognitiveID solves all of the failings related to static passwords, Biometrics, and 2FA implementations.

In addition, if CognitiveID is used as a “pre-factor authentication” to current password, biometric and 2FA models, transactions made by a user can be trusted. Fraud is virtually eliminated.

Every day, we hear of server breaches, enterprise hacks, C-level phishing, hacked Bitcoin accounts, cloud account breaches, and nation threats. CognitiveID renders these events improbable, if not impossible.

As long as we continue to rely on static credentials for authentication, these threats will multiply. The only solution is to truly verify a user’s identity using a tool that cannot be shared, copied, or phished: the human brain.

To learn more about CognitiveID, watch our short video or try it out yourself!

CryptoCurrency and Blockchain Need Cognitive ID

Counterfeiting Solved!

The success of cryptocurrencies has eclipsed quite a few Internet technologies recently. Everywhere you look, a new electronic currency is launching. From Ripple to Stellar, Moneia, and of course, BitCoin, the players are numerous and growing at exponential rates.

This growth is due in large part to the anti-counterfeit technologies cryptocurrencies are based on. Known by its more commercial term, Blockchain, this model eliminates the insertion of false transactions by keeping a public ledger stored on thousands of randomly selected machines around the world.

Financial institutions are taking serious interest in cryptocurrencies as they are not tied to the economic health of any one country. The political machinations of any government will not sway the legitimacy of these truly international currencies.

Houston, We Have a Problem

However, while the integrity and uniqueness of the transaction can be guaranteed, there remains one weak point: A failure to prove an “intent to transact.”

Most cryptocurrency systems are accessed through proprietary wallet apps. Access to these wallets is based on the decades-old model of username/password. Some may add two-factor authentication to lower the risk, but at the foundation of every user session, security is tied to static credentials that do not prove identity.

True security depends on verifying the identity of the user. While you may say that the username/password combo effectively meets this need, I disagree. Static credentials do not verify the user. They are simply “identifiers” known by the user. Similarly, your house key does not discriminate based on the identity of the holder. Anyone who has it may enter.

Identity vs Identifiers

And that’s the key. In today’s world, you need to know the difference between “identifiers” and “identity.” As I mentioned before, the only way to GUARANTEE security is to verify a user’s identity. Usernames and passwords do not accomplish this task. After all, anyone armed with that information can impersonate a user perfectly.

How it Works

The only true transaction-creation solution is tied to the concept of CognitiveID. CognitiveID is the NimbusID implementation of the Cognitive Identification security strategy. It is based on the contextual logic every human uses to file information in their brain. I know that sounds very complex, but the concept is actually very simple. Watch this short four minute video to see how it works.

Remember, the only way to verify identity is to teach the server to discriminate and challenge the end user. The result is that a qualified, manifested legal intent (Intentication) is imputed. Such a digital transaction can therefore stand up to legal scrutiny, something authentication by static credentials cannot offer.

NimbusID, using our patented CognitiveID model, proves the identity of the user, and therefore, the intent to transact. Because, in the end, the only person reaching into your wallet should be you.

CognitiveID Solves Phishing

The Problem

You are sitting at your desk when an urgent email hits your inbox. It’s a panicked message from your company vice president telling you he cannot log into the server. Because he’s in a time crunch, he needs YOUR username and password to get access to his files. Not wanting to get fired, you “bend” the rules and reply back with your credentials. Sadly, you have just had your credentials phished by a hacker who “faked” where their email originated.

Or consider this scenario: The Human Resources manager uses a weak email password, easily guessed by a hacker. The hacker then logs into the manager’s email and sends out a message to everyone asking them to verify their personal bank account information for the next payroll. Because the hacker has access to the account, he constantly refreshes the inbox, intercepting the replies before the actual HR manager catches on. The HR manager was phished.

Phishing has long been a problem in the cybersecurity world. Going after the login credentials of users is common sport these days. Most of these attacks occur through social engineering and email account takeovers.

The Solution

However, a new solution is now available, and it will effectively eliminate phishing of static credentials. By eliminating passwords, CognitiveID has effectively drained the “phishing pond.”

Let me expound. True security depends on verifying the identity of the user. While you may say that the username/password combo effectively meets this need, I disagree. Static credentials do not verify the user. They are simply “identifiers” known by the user and the data server. This setup simply allows a “valid set of matching credentials” giving access regardless of the end-user identity.

How it Works

The only true phishing solution is tied to the concept of CognitiveID. CognitiveID is the NimbusID implementation of the Cognitive Identification security strategy. It is based on the contextual logic every human uses to file information in their brain. I know that sounds very complex, but the concept is actually very simple. Watch this short video to see how it works.

Remember, the only way to verify identity is to test a user’s contextual logic, not test static identifiers. NimbusID, using our patented CognitiveID model, stops phishing and a host of other security vulnerabilities tied to static credentials. Other companies try to thwart phishing attacks by scanning email to identify the “bait.” At NimbusID, we know the only way to truly stop “phishing” is to empty the pond of “phish.”

Human Intent: The Key to Security

Authentication is a very deceptive word. In today’s security-conscious environment, this term is attached to every security solution without thought to accuracy. It has become cliché in the security industry. A new term is required. I humbly suggest that the ultimate security goal is better labelled, “Intentication.”

In other words, we should be determining access by measuring human intent, not a user’s identity.

A username/password combo is equivalent to a padlock. Anyone with a key may open it, gaining access to whatever was protected with no thought to human intent. And that’s the point. Anyone with the static credentials will be given access. In fact, we often see situations where the identity of the user may be verified, but their intent was not.

For instance, many people have had situations where they “drink too much” and make “accidental” purchases online. Was that their true intent? Or what about someone using my finger as I sleep to access my phone with TouchID? My identity was verified, but my intent was not.

Instead of truly verifying the identity of a person, today’s security solutions simply increase the complexity of the lock OR throw more locks at the problem.

Some may argue that with the advent of biometrics, the inherent weaknesses of passwords have been solved.

However, as with my earlier example, the static credential has only been made more complex with these methods. When a user registers their fingerprint, iris scan, or even DNA, that attribute is turned into a digital file…a key. Despite the complexity of that key, it is still just a key, giving anyone who possesses it, or a copy thereof, full unfettered access to anything within the original user’s account.

So, how do we measure “user intent?” The solution is right in front of you. Or to be more exact: right INSIDE you. The human brain is more than simply a biological hard drive of facts, figures, and pictures. What makes us unique is how we CONNECT those facts, figures, and pictures. These cognitive links stitch together our life experiences, changing us, and our views of the world.

While two people may experience the same event at the same time, their memory of it will differ due to their unique way of categorizing and connecting the facts of that event.

For instance, you and your friend are watching a football game. Later, when reminiscing about the game, you may remember a rather unusual touchdown by the receiver who caught it. Your friend may remember it by the quarterback who threw the pass. You both experience the same event, but how your mind stores and categorizes that information creates these incredibly unique mental connections.

A user does not have to practice memorizing such connections. They are built in to the long-term memories of all people. And, as your life progresses, you gain more and more of these unique connections between the events, objects, and facts of your life.

Cognitive Identification is the new security paradigm allowing network administrators to truly measure user intent. By using a dynamic, random testing of these connections, you eliminate the need for passwords and biometrics. Users will no longer forget how to access their accounts. Stolen credentials are no longer a threat. And most importantly, your data, systems, and users are safer than they’ve ever been.

For every lock, there’s a pick. The only way to break that chain is to verify the intent of the user. Your data needs it. Your users deserve it. And with NimbusID, you can achieve it.

Convenience is the Enemy of Cyber-Security

Back in high school, we all had lockers. To secure them, many of us trusted simple combination padlocks. While easily snipped with a pair of bolt cutters, this form of protection was enough to keep nosy classmates out of our stuff.

The problem, however, is that today’s companies are using the equivalent of simple padlocks to secure data worth millions.

Let me explain. If you have read my previous blogs, you know that the main problem with today’s security strategies lies in the reliance on static credentials. Passwords, access cards, fingerprint scanners, and other biometric methods measure authentication on “what you know” and not “who you are.”

True authentication should be based on USER identification, not “ability to access.” Most authentication methods are easily thwarted with copied credentials. If I know your password, the system will give me the same access as you. In other words, the system doesn’t care WHO you are, just that you had the right key to access it.

In the past, the security industry addressed these weaknesses with more complex credential rules and shorter password life-cycles. But users pushed back claiming that the decrease in convenience was too much to bear. Corporate IT managers capitulated out of sheer exasperation from the tidal waves of user complaints.

Password rules were made lax. Password expiration dates were extended or even removed altogether, just to calm angry users. These same users were allowed to keep their easily-guessed passwords for years, or keep a black book of passwords in their desk, all to assuage the “pain” of inconvenience.

However, server security was compromised in the process. Today’s hackers know some very important facts:

  1. Complex passwords are hard to remember, so users tend to err on ease of memory rather than the inherent security of complexity.
  2. If allowed, most users will use the same password to access multiple, disparate accounts.
  3. Most users have no problem giving those same passwords over the phone to someone they feel they can trust with the information.
  4. If a company forces password changes often, their users will compensate by documenting those passwords somewhere easily accessible.
  5. Companies continue to grant server access to computers outside of their control (users’ home PCs) where security and software installation policies are often ignored.

Once again, today’s security is based on the centuries-old methodology of “keys.” A password is simply a key. Anyone with it can access everything the owner can. Whether that key is a password, or a complex fingerprint scan, that data is easily copied and used by ANYONE.

Until companies realize that convenience must take a backseat to security, this problem will continue.

Luckily, forward-thinking organizations are starting to turn to cognitive identification to solve this dilemma. With minimal impact to convenience, this system eradicates the static credential security flaws.

To learn more about the cognitive solution offered by NimbusID, watch this video! Your data is worth more than high school textbooks. Secure it with something stronger than a three-dollar combination padlock.

Identity or Access: What Does Your Security Verify?

Passwords have been around since computers were created.  But what do they measure?  In a perfect world, the only person accessing information should only be the person who is authorized to access it.  In other words, you hope that your security system is verifying the identity of the user.

However, the very nature of passwords prevents true identity assurance. In essence, they only verify the “access authority” of the person. A password is much like a house key. Anyone with your username and password can access everything you are trying to protect.

Human identification can never be reflected by WHAT you know (passwords), WHAT you have (key fob, two-factor) or WHAT you are (biometric), simply because each of these is a form of static credential that can be shared or copied. A novel method of proving a person’s identity discriminates by HOW the person “knows” what they know.

HOW is a complex, unique, dynamic intellectual process possessed by each individual – a process that is resistant to human impersonation. Properly implemented and layered in a network, this method eliminates the access breach/vulnerabilities inherent in all forms of static credentials.

The password does not guarantee that only you have access.  It is simply a key that can be used by anyone.  We call username/password combinations “static credentials.”  Anyone could write them down on a sticky note, hand them to a friend, giving that friend full access, much like that house key.

Biometrics are not that much better.  Fingerprint and iris scans are stored as basically static credentials.  A person with access to these digital keys has the same access as you do.

Identity assurance can only be achieved when you go from static credentials to dynamic credentials tied directly to a person.

NimbusID uses the AIRiD method of identity assurance. The cognitive ability to “Associate and Interpret what you Recognize” is similar to a fingerprint, except this method comes in the form of a Cognitive ID and is almost impossible to duplicate. Basically, this model uses a person’s unique connections between events and things to create a dynamic credential. Learn more here or watch the 5-minute video.

Today, static credentials are being traded on the dark web as currency.  Identity assurance plugs this hole in your security strategy, reducing your legal and reputational risks in today’s online world.

Cognitive Identification: The Solution to Weaknesses in Passwords, Biometrics and Two-Factor Models

The title may have caught your attention. After all, I’m implying that passwords, biometrics and two-factor (2F) security models are inherently flawed. Well, they are.

The Problem with Static Credentials

The key is to understand WHAT passwords and 2F actually verify. Basically, all passwords are static credentials that provide ACCESS assurance, not IDENTITY assurance. Understand the difference.

Anyone with your password can access whatever that password protects. Anyone looking over your shoulder, active keyloggers, and even well-meaning colleagues can put holes in your security environment in seconds.

2F strategies, contrary to many vendors’ marketing claims, are also based on static credentials, and therefore only assure ACCESS, not identity. Anyone in possession of a keycard and your password/PIN will be granted access, without actually verifying their identity.

As an example, take your ATM card. Technically, it is 2F, because at the ATM you need both the physical card and the PIN. As long as I have both of those “static credentials” I have access, regardless of who I am.

Biometrics was supposed to solve these issues by limiting access to individuals based on difficult-to-copy credentials tied to complex physical traits like fingerprints and iris scans. However, despite their complexity, these supposedly “identifying” traits are easily copied in a digital world as they are simply static credentials.

Once again, passwords, biometrics, and 2F do not GUARANTEE identity. They just grant access. Access is granted based on “what you possess” not “who you are.”

What is Cognitive Identification?

Cognitive Identification (CogID) solves this problem by eliminating static credentials. CogID operates on HOW we think, not what we KNOW. It taps into the complex relationships we create between seemingly unrelated events, people, and things in our life.

As an example, let’s take an imaginary, yet possible experience in my life:

“I took a cruise to Jamaica last year. On the cruise, my cabin steward was named Yuri. He folded our towels into cute animal shapes. My favorite was the elephant. While on the cruise, we had an amazing chocolate buffet one night. One chef had carved a beautiful mermaid out of chocolate. I got a piece of the fin LOL!”

That story has all the ingredients I need to implement a cognitive identification test. Step 1 is to pick out some “recognition objects.” In the cognitive ID world, a recognition object is a combination of a focus object and an attribute. For example, a focus object might be “cruise.” Because of my memories, I have linked numerous attributes to this focus object.

When I think of “cruise,” I now automatically think of Yuri, mermaids, chocolate, Jamaica, and elephants. Someone without my experiences will not have made those mental links between those attributes and the focus object.

A good cognitive system will parse a paragraph (like the cruise story above) and create these focus objects and their attributes automatically. I would then enter quite a few more recognition objects comprising multiple focus objects having multiple attributes.

The Cognitive ID Login Process

When it is time to log in, the CogID system will randomly pick one of my focus objects. The system will surround it in a number of fake or false focus objects. Below, the system will list a number of attributes. Only ONE of them will connect with only ONE of the focus objects.

A user scans the four or five focus objects and immediately spots the legitimate one. They then look at the list of possible attributes and click the only one that is linked to their focus object.

To illustrate, during my login, the system might present me with the following focus objects: Bed, Arkansas, Cruise, Lemonade.

Below, it might give me the following attributes: December, Lathe, Bumblebee, Red, Chocolate, Squirrel.

I would immediately recognize that “cruise” is my focus object, and “chocolate” is my attribute. I would click on Chocolate. Notice, I did not click on “cruise.” That’s how cognitive ID thwarts those spying over your shoulder. While they may see which attribute you choose, they will have no idea which focus object it goes with, preserving the security of the link.

Cognitive Identification Example 2

With enough recognition objects, no two logins will ever be the same. Gone are the days when you could write your password on a sticky note! A network administrator could decide how many recognition objects would have to be verified to confirm a user’s identity.

And, if someone clicks the wrong attribute, the system does not give an error. It just keeps listing recognition objects until the success threshold has been crossed. A hacker “guessing” at these attributes will have no idea which guesses were correct and which were not.
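The login round described in this section (one real focus object among decoys, exactly one linked attribute, a server that tallies silently until a threshold) as an added Python sketch; this is my illustration, not NimbusID’s code. The sample profile built from the cruise story, the decoy pools, the round cap, and the random-guess probability check are all my assumptions.

```python
import math
import random
from dataclasses import dataclass

# Constructed sample profile in the page's terms: focus object -> linked attributes.
# Built from the cruise story above; illustrative only, not NimbusID data.
PROFILE = {
    "cruise": {"yuri", "mermaid", "chocolate", "jamaica", "elephant"},
    "garden": {"tomato", "hose", "robin"},
    "workshop": {"sawdust", "clamp", "vise"},
}
# Constructed decoy pools: the "fake or false" focus objects and unlinked attributes.
DECOY_FOCUS = ["bed", "arkansas", "lemonade", "kitchen", "river", "office"]
DECOY_ATTRS = ["december", "lathe", "bumblebee", "red", "squirrel", "granite"]


def _rng(seed):
    return random.Random(seed) if seed is not None else random.SystemRandom()


@dataclass
class Challenge:
    focus_options: list
    attribute_options: list
    answer: str  # kept server-side; never sent to the client


def make_challenge(profile, seed=None, n_focus=4, n_attrs=6):
    """One round: one real focus object among decoys, and exactly one attribute
    that links to it; every other attribute links to nothing on screen."""
    rng = _rng(seed)
    real_focus = rng.choice(sorted(profile))
    answer = rng.choice(sorted(profile[real_focus]))
    linked = set().union(*profile.values())
    # Decoys must not collide with anything the user has linked, otherwise a
    # second option could also be a "correct" click.
    focus_pool = [f for f in DECOY_FOCUS if f not in profile]
    attr_pool = [a for a in DECOY_ATTRS if a not in linked]
    focus_options = rng.sample(focus_pool, n_focus - 1) + [real_focus]
    attribute_options = rng.sample(attr_pool, n_attrs - 1) + [answer]
    rng.shuffle(focus_options)
    rng.shuffle(attribute_options)
    return Challenge(focus_options, attribute_options, answer)


class LoginSession:
    """Server-controlled session: tallies silently and never says which rounds
    passed, as the post describes. The round cap (max_rounds) is my addition."""

    def __init__(self, profile, threshold=3, max_rounds=9, seed=None):
        self.profile, self.threshold, self.max_rounds = profile, threshold, max_rounds
        self.rng_seed = seed
        self.correct = self.rounds = 0
        self._current = None

    def next_challenge(self):
        seed = None if self.rng_seed is None else self.rng_seed + self.rounds
        self._current = make_challenge(self.profile, seed)
        return self._current.focus_options, self._current.attribute_options

    def submit(self, attribute):
        """Record a click; deliberately returns nothing about correctness."""
        self.rounds += 1
        if self._current and attribute == self._current.answer:
            self.correct += 1
        self._current = None

    @property
    def authenticated(self):
        return self.correct >= self.threshold

    @property
    def exhausted(self):
        return self.rounds >= self.max_rounds and not self.authenticated


def legitimate_pick(profile, focus_options, attribute_options):
    """What the genuine user does: spot their focus object, click its attribute."""
    for focus in focus_options:
        if focus in profile:
            return next(a for a in attribute_options if a in profile[focus])
    return None


def random_guess_pass_probability(n_attrs, threshold, max_rounds):
    """Chance a uniformly random clicker reaches the threshold within max_rounds:
    P[Binomial(max_rounds, 1/n_attrs) >= threshold]. Without a cap this tends
    to 1, which is why the server must bound the number of rounds."""
    p = 1 / n_attrs
    return sum(math.comb(max_rounds, k) * p ** k * (1 - p) ** (max_rounds - k)
               for k in range(threshold, max_rounds + 1))


def run_login(profile, threshold=3, max_rounds=9, seed=None):
    """Drive a whole session for the genuine user; True once authenticated."""
    session = LoginSession(profile, threshold, max_rounds, seed)
    while not session.authenticated and not session.exhausted:
        focus_options, attribute_options = session.next_challenge()
        session.submit(legitimate_pick(profile, focus_options, attribute_options))
    return session.authenticated
```

With six attributes, three required hits and a nine-round cap, a blind guesser still passes about 18% of the time, so the threshold and cap need to be tuned together rather than left at the defaults shown here.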

With CogID, the weaknesses of passwords, biometrics, and 2F are eliminated. True Security is Identity-based. True Security is NimbusID.

For more information, please watch our video and visit our website, NimbusID.com. To learn how you can implement a CogID solution for your network, give us a call at 844.968.7143.