Zero login: Fixing the flaws in authentication


Passwords, birth certificates, national insurance numbers and passports – as well as the various other means of authentication that we have relied upon for the past century or more to prove who we are to others – can no longer be trusted in today’s digital age.

That’s because the mishandling of these types of personally identifiable information (PII) documents from birth, along with a string of major digital data breaches that have taken place in recent years, means that all of these items have potentially been compromised. Ultimately, they can no longer be considered ‘secret’ or protected.

In twenty years’ time our children and our grandchildren will likely find it completely bizarre when we tell them that we all had to remember countless complex passwords in order to access our daily work, financial and personal apps on our computers and phones.

That’s because passwords provide a truly awful user experience, not to mention the fact that they are terrible for security. Millions of passwords have been compromised or stolen in recent years following a string of high-profile data breaches, from the much-publicised Equifax hack of 2017 through to the recent MyFitnessPal hack in late March this year.

Hackers stole account information for over 150 million users from MyFitnessPal, which made it the fourth-biggest reported data breach of all time, after two massive Yahoo hacks in 2016 and the MySpace hack back in 2016.

The post-password zero-login age

The truth is clear. We are moving into a post-password zero-login age, with new biometric technologies and other PII innovations helping to secure a fast, easy, frictionless personalised experience for every single application we need to access on a daily basis.

Zero login is clearly an idea whose time has come, yet it requires a complete rethink and rebuild of our identity system. That’s because we have to develop completely new ways of identifying ourselves and others that no longer rely on passwords or formerly ‘trusted’ documents such as those mentioned above.

MySpace, Yahoo, Equifax, MyFitnessPal – these massive data breaches all occurred in the last three years, yet they are only the tip of the iceberg. How many others went by without being reported? Or even noticed?

Biometric methods such as facial recognition and fingerprint scanners are becoming much more prevalent – particularly with the release of popular consumer devices such as the iPhone X last year – and these mark the beginning of the zero-login age.

Zero login essentially refers to the idea that we will never again have to recall complex passwords or provide documentation to identify ourselves. Our devices will be smart and secure enough to instantly recognise us by our features, our voice, and our movements and other unique identifiable traits.

So, beyond face and fingerprint recognition, we are already seeing innovation from companies such as Amazon, with the online retail giant trialling new ways to authenticate its customers based on typing speed, how hard they tap their phone’s screen and more.

Using these types of zero login technologies, the device is able to identify a user’s completely unique and intricate patterns of behaviour that no hacker could possibly recreate or ‘steal’.

Your device might also identify you from your other devices that are connected to it – your car, your Fitbit, your headphones and so on. Using all of this information, the user can be correctly authenticated by their biometrics in conjunction with their unique behavioural data.

Finally, whichever authentication technique is used, the correct way to operate it is to have the software run locally on your phone or other device, sending only a ‘risk score’ to the cloud, where a decision can be made on the likelihood of nefarious behaviour by a potential cybercriminal.

That way, no information about your locations, behaviours and biometrics is sent across the internet, which would otherwise completely defeat the point of zero login security. We have to take care that the hype and excitement over our zero login future doesn’t come at the expense of the user’s right to privacy, security and consent.
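The split the last two paragraphs describe (behavioural signals scored on the device, only a score crossing the network) can be made concrete. The following is an added example, not code from the article or from any vendor it mentions: the device compares a fresh sample of inter-keystroke intervals against an enrolled typing profile, reduces the result to a single risk score, and sends the cloud nothing but that score, a device identifier and an HMAC. The enrolled profile, the sample timings, the thresholds and the device key are all constructed for illustration; the HMAC stands in for whatever device attestation a real deployment would use.

```python
"""Added example: on-device behavioural scoring where only a risk score
leaves the device. All profile values, thresholds, sample timings and the
device key are constructed for illustration."""
import hashlib
import hmac
import json
import statistics

# Constructed enrolment profile: mean and standard deviation of the user's
# inter-keystroke intervals (milliseconds), computed and stored on the device.
ENROLLED_MEAN_MS = 180.0
ENROLLED_STDEV_MS = 40.0

# Constructed per-device secret shared with the cloud at enrolment. In a real
# deployment it would live in the device's secure element or keystore.
DEVICE_KEY = b"constructed-device-key-for-illustration-only"


def typing_risk_score(intervals_ms):
    """Runs on the device. Compares a fresh sample of inter-keystroke
    intervals with the enrolled profile and returns a risk score in [0, 1].
    The raw intervals never leave this function."""
    if len(intervals_ms) < 2:
        return 1.0  # too little data to judge: treat as maximum risk
    sample_mean = statistics.fmean(intervals_ms)
    # Distance from the enrolled mean in enrolled standard deviations,
    # clamped so that three or more deviations maps to a score of 1.0.
    z = abs(sample_mean - ENROLLED_MEAN_MS) / ENROLLED_STDEV_MS
    return min(z / 3.0, 1.0)


def build_report(device_id, risk_score):
    """Runs on the device. Builds the only message sent to the cloud: the
    device id, the score, and an HMAC so the cloud can tell the score was
    produced by this device and not altered in transit."""
    body = {"device_id": device_id, "risk_score": round(risk_score, 3)}
    encoded = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(DEVICE_KEY, encoded, hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def outbound_fields(report):
    """Lists the fields that actually cross the network, so a reviewer can
    confirm no location, biometric or raw behavioural data is included."""
    return sorted(report["body"].keys())


def cloud_decide(report, step_up_threshold=0.5, deny_threshold=0.9):
    """Runs in the cloud. Verifies the MAC, then decides on the score alone.
    Returns 'allow', 'step_up' (ask for a second factor) or 'deny'."""
    encoded = json.dumps(report["body"], sort_keys=True).encode()
    expected = hmac.new(DEVICE_KEY, encoded, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, report["mac"]):
        return "deny"  # tampered report or unknown device
    score = report["body"]["risk_score"]
    if score >= deny_threshold:
        return "deny"
    if score >= step_up_threshold:
        return "step_up"
    return "allow"


if __name__ == "__main__":
    # Constructed samples: one close to the enrolled profile, one far from it.
    for label, sample in (("genuine", [170, 190, 185, 175, 200]),
                          ("unfamiliar", [90, 100, 95, 110, 105])):
        report = build_report("device-1", typing_risk_score(sample))
        print(label, outbound_fields(report), report["body"]["risk_score"],
              cloud_decide(report))
```

The cloud never sees the timing samples, only a number it can verify came from the enrolled device; a report whose score has been edited in transit fails the MAC check and is treated as a denial rather than trusted. The thresholds are deliberately simple so that the three outcomes (allow, step up, deny) are easy to follow; a production risk engine would combine many such signals before deciding.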