By Shamsh Hadi, Co-founder and CEO of ZorroSign
According to the 2022 Verizon Data Breach Investigations Report, 82% of breaches involved the human element, whether it is the use of stolen credentials, phishing, misuse, or simply error.
Removing the human factor has long been the most challenging aspect of cybersecurity, as humans are not only users, producers, and consumers of information but also represent the greatest security risk. In an increasingly digital world with multiple access points to many devices, systems, and networks, people continually want both greater security and greater ease of use.
To combat this human element (and the general resistance to employing multi-factor authentication for each login), passwordless authentication seems like the optimal solution to improve an organisation’s data security. But is it?
An article from CPO Magazine titled ‘Why the Best Password is No Password at All’ posits that “passwords alone are not enough to protect products, and users would be foolish to think otherwise.”
A recent Information Age article further claims that the time is right for passwordless authentication, as “passwordless authentication makes users’ lives easier” and removes the human factor from cybersecurity — where “people just can’t be trusted to set reliable passwords, to change them frequently, to make sure they are strong, and to keep them secure.”
Philip Black at Techradar.com published an April 2021 article dispelling the myths around passwordless authentication, the risks of biometrics, and how expensive it is to escape passwords for cybersecurity: “A paradigm shift is on the horizon as new passwordless solutions and technologies gain in popularity, such as biometrics, laying the foundation for a more secure standard for accessing information in the digital world.”
Passwordless authentication solutions aspire to provide customers with a more secure, simpler and faster way to authenticate to their accounts. Personal data, such as a mobile number or email address that receives a one-time password (OTP), can authenticate a user’s access without requiring a password.
“For security teams, the idea of eliminating passwords is an attractive prospect,” notes a recent VentureBeat article by KPMG, “as it prevents cybercriminals from being able to harvest passwords and login credentials, and reduces the risk of data breaches caused by phishing scams, brute force hacks and business email compromises.”
On June 6, 2022, at WWDC 2022, Apple stated that Passkeys, a new password-free feature, will be available in Safari browsers across all hardware in September 2022. This is Apple’s take on a passwordless solution that, according to the company, can’t be phished or leaked and will work with Microsoft and Google platforms as well.
According to a study conducted by Kaspersky, only 53% of UAE users password-protect their phones, and just 14% encrypt their devices to avoid unauthorised access to their data. Such findings come as UAE users become all the more dependent on their phones. “Over 41% of people use their smartphones for online banking, 65% regularly use their smartphone to access their email accounts, and 66% say they use it for social media activities, all of which involve a huge quantity of sensitive data.”
“Cybercrime is the biggest source of concern for 81% of internet users around the world, including 76% of MENA consumers,” notes Consumers International’s Regional Briefing on Cybercrime in the Middle East and North Africa. “Some MENA consumers are particularly vulnerable to cybercrime as criminals are attracted to the high wealth in certain countries. The United Arab Emirates, for example, is home to some of the highest-earning households in the world and is the second most-targeted country for cybercrime, costing an estimated $1.4 billion per year.”
In this high-risk environment, passwordless authentication gives Emiratis and residents a secure way to validate their accounts without the need to cater to human password habits.
Modern applications that are hosted in the cloud, such as software as a service (SaaS), incorporate some of the latest identity protocols, like OpenID Connect or SAML (Security Assertion Markup Language), and often have integrations with multi-factor authentication platforms. This ecosystem makes going passwordless easier.
From a security perspective, blockchain architecture (originally built for zero-trust environments) gives organisations a compelling alternative to centralised databases and stronger protection against cyber-attacks.
To minimise these risks, ZorroSign has employed blockchain, identity-as-a-service (IDaaS), and other web3 technologies since 2019 to authenticate user identities in digital environments without resorting to passwords.
ZorroSign, founded in Dubai, is the only company that offers a multi-blockchain platform to secure, track, and manage digital signatures, transactions, and documentation. ZorroSign’s technology accommodates complex passwords and multi-factor authentication while also supporting passwordless logins.
By leveraging the biometric security of Apple and Android devices, such as face, fingerprint, and iris scans, and integrating with Samsung Pass technology, ZorroSign facilitates passwordless user authentication at the device level for subsequent digital signatures and document management.
Further, ZorroSign’s blockchain platform can validate multiple dimensions of authentication based on the transaction’s security needs, i.e., what you know (the login password), what you have (a PC or mobile phone) and who you are (biometrics such as fingerprints or eye scans), for system-level authentication.
ZorroSign further adds dynamic knowledge-based authentication (KBA), in partnership with LexisNexis, which requires knowledge of private information about the individual to prove that the person presenting the identity information is that individual.
With ZorroSign’s multifaceted user authentication options, it is almost impossible for an imposter to sign a document on the ZorroSign platform, ensuring legal enforceability and signature attribution.
And by using zero-trust distributed ledger technologies—first built on Hyperledger Fabric and recently expanded to include the Provenance Blockchain—ZorroSign provides superior privacy and security, from passwordless user authentication through immutable records (stored on blockchain) and document validation with a patented fraud-detection solution.
IDaaS is a relatively new and somewhat nebulous concept in today’s market. Gartner has a category defined as ‘identity management as a service,’ but most SaaS companies providing identity and identity-management functionality tend to define IDaaS to their own strengths and capabilities, so it is hard to find a consistent definition.
Yet the world of digital data we engage in today requires digital identities for access and operations. Using digital identities we can trust is at the heart of modern cybersecurity, and, as such, IDaaS has a very well-defined need, if not yet a well-defined category.
At a basic level, all IDaaS platforms are created to enhance online user experiences, secure access to critical enterprise applications, and reduce IT resource-related expenses with efficient identity and access management (IAM) and privileged access management (PAM).
For government ministries and federal entities, companies, and individuals in the UAE that desire to securely transform paper-based workflows, ZorroSign’s union of digital signatures, blockchain, and IDaaS technologies can decrease costs, reduce errors, and increase productivity.
Moving forward, ZorroSign will be implementing a blockchain-based audit trail for all user activities—including profile updates, signature changes, etc.—and will maintain a separate blockchain to maintain users’ signatures. With these immutable blockchain records, we can uniquely validate users in ways no competitive solution can.
At ZorroSign, we believe passwordless user authentication is a better, stronger way to secure access to digital systems and have built our web3 technologies from the ground up on blockchain and IDaaS to ensure users are who they claim to be, even in a zero-trust environment.