Two veteran Silicon Valley executives, Jim Clark and Tom “TJ” Jermoluk, have raised $30 million in funding to publicly launch Beyond Identity, a concept that aims to eliminate passwords once and for all, using biometric technologies.
Have you ever wondered why you can unlock something as personal as your smartphone or computer with your face or fingerprint, but are still forced to remember or store a bunch of passwords for all the pages or services you intend to use? The technology that enables convenient access to your devices was originally created by Apple, which introduced Touch ID into the iPhone 5S, along with a secure enclave inside the processor that protects biometric data, and later incorporated it into the rest of its environment, either through the use of fingerprints or facial identification. Later, Google copied the concept and introduced it into the Android operating system.
The idea of Beyond Identity is to eliminate the need for any password in the authentication process. Most system intrusions are aimed at obtaining exploitable passwords: if we remove them, the fundamental reason for these data intrusions disappears, in addition to providing the user with more convenient access, without the problems associated with having to remember a password, obtain it from a manager or carry out a reset when we forget or lose it.
Beyond Identity works by anchoring the entire security process in the verification of the user’s identity, something that our devices already do very well. From there, by means of a well-known and proven technology, X.509 certificates, biometric access links the device to its user, and a certificate issued by Beyond Identity authenticates that device and its user to the service provider it intends to access. This certificate, or chain of trust, includes the user and is shared in encrypted form via TLS with the service provider to which we identify ourselves.
It’s a simple idea: assign the verification of the user’s identity to devices that already do it well and through sufficiently secure mechanisms, and link that identity through a chain of securely encrypted certificates. It will probably be used first in corporate environments, where a company will ask users to install the Beyond Identity app on the devices they intend to use to identify themselves (from a list of devices approved for this purpose which, considering the trends, will become increasingly broad and inclusive). A private key is generated on that device, and from that moment on it allows access to corporate applications without the need for a password, simply by authenticating on the designated device.
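The flow described above can be illustrated in Go as an added example (this is not Beyond Identity’s code): a key pair stands in for the one generated on the device, an issuer CA certifies its public half, and the service provider accepts a login only if the certificate chains to that issuer and a fresh challenge is signed by the matching private key. The function names, the Ed25519 keys, the in-process CA and the signed challenge standing in for TLS client authentication are all assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (hypothetical helper) certifies pub with signer; a nil parent yields a self-signed root CA.
func issue(cn string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent = true, x509.KeyUsageCertSign, t
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return cert
}

// verifyLogin is the service side: chain to a trusted issuer, then proof of possession of the key.
func verifyLogin(roots *x509.CertPool, cert *x509.Certificate, challenge, sig []byte) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false // not issued by a trusted CA, or outside its validity period
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, challenge, sig)
}

func demo() (genuine, copiedCert bool) { // constructed scenario, all values generated here
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)   // issuer (assumed name below)
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader) // private half never leaves the device
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader)    // party holding only a copy of the certificate
	ca := issue("Example Issuer CA", caPub, nil, caKey)
	dev := issue("alice / laptop-01", devPub, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	challenge := make([]byte, 32) // fresh nonce chosen by the service for each login
	rand.Read(challenge)
	return verifyLogin(roots, dev, challenge, ed25519.Sign(devKey, challenge)), verifyLogin(roots, dev, challenge, ed25519.Sign(otherKey, challenge))
}

func main() { fmt.Println(demo()) } // prints: true false
```

The certificate on its own proves nothing, since it is public; what the service checks is the signature that only the device’s private key can produce.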
The process can be used on any number of devices: the device profile generated at the time of service login is unique to each. This makes it possible to differentiate between authentication, which is carried out through cryptography, and authorization as such, which is produced from the device profile. On the same platform, a user can authenticate other devices equipped with company-approved biometric identification, such as a laptop fingerprint reader. If we wish to change the device, we can register the new one with any of our previous devices, without having to depend on the help of a corporate helpdesk.
The company says the service will be available for the general public at the end of 2020, possibly by including the pre-installed application in many devices. The idea is a good one: can you imagine a world without passwords, in which accessing services such as your company network, your bank or your social networks is as easy as authenticating yourself on your smartphone?