The Evolution of Passwordless Authentication

George Avetisov

RRE Ventures
RRE Ventures Perspectives

--

It’s been 3 years since RRE Ventures led HYPR’s Series A. Today HYPR has raised more than $37 million, built a world-class team, and deployed passwordless technology to millions of users across the globe.

As we continue our mission to rid the world of passwords it feels like we’ve climbed a big mountain that is now behind us, and we’re staring down a long, exciting road ahead. When taking a journey it’s sometimes good to pause and think back on how you got there.

They say hindsight is 2020, but back in 2017, it was not immediately obvious that passwordless authentication was becoming mainstream. HYPR and RRE believed that as biometric-enabled smartphones became mainstream, the adoption of passwordless security would reach critical mass. Except back then, many people were unsure what “passwordless” meant.

Fast forward to 2020 and the word “passwordless” is plastered across the cyber marketing sphere. So one has to wonder how authentication evolved to this point, and where is it going?

Passwords

The obvious place to begin. Computer passwords date to the early 1960s (MIT's CTSS time-sharing system was using them by 1961). As of 2020, much of the world still depends on nearly 60-year-old technology to secure access to online services and IT resources.

We know passwords are awful, so I won’t go on about the terrors of passwords as you’ve heard it all before. All I’ll say is that more than 5 billion passwords have been stolen since 2016. And that’s terrible.

Weaponizing stolen passwords has never been easier: credential-stuffing tools such as SNIPR automate replaying leaked username and password pairs against other sites, so a breach at one service becomes an attack on every service where the victim reused that password. In short, the cost of an attack has gone down for the attackers, while the cost of defending a service has drastically increased.

Hardware-Based 2FA

Chances are you’ve used one of these. Hardware security tokens became popular in enterprises in the early 2000s and brought a higher level of assurance, combining tamper-resistant hardware with time-synchronized one-time password (OTP) algorithms, the approach later standardized as TOTP (RFC 6238).

Hard tokens introduced many users to 2-Factor Authentication and were generally good at providing higher levels of assurance for authentication sessions. These devices promised an additional layer of security above passwords. Unfortunately, over the years these tokens have shown a number of user experience (UX) drawbacks as well as security weaknesses: the seed inside each token is a shared secret that also lives in a server-side database, so a breach of the vendor's or the enterprise's seed records undermines every token derived from them, as the 2011 RSA SecurID incident showed. And while hard tokens definitely caught on for employee applications, their adoption in customer-facing use cases has remained minimal.

Simply put, no enterprise wants to ship a million hardware tokens to their customer base.

Smart Cards

Smart cards are those plastic cards you see in big companies, government facilities, and movies. They contain an embedded microprocessor and are carried or worn by employees for identification, authentication, physical access, and sometimes even financial transaction approval.

Smart cards have been successfully deployed in mission-critical settings where the use of mobile phones is unsupported due to security concerns. This is often the public sector or highly regulated financial services. Yes, smart cards and hard tokens share similar usability issues, but the key advantage is security. A smart card holds a private key that never leaves the chip and authenticates by signing a challenge under a certificate issued through a Public Key Infrastructure (PKI), so there is no password to phish and no shared secret to steal from the server. Deployed this way, smart cards replace the password outright and have meaningfully improved security.

Like their token counterparts, however, smart cards suffer from adoption hurdles by a wider audience.

SMS 2-Factor Authentication

Mobile devices made SMS-based authentication possible: instead of a token computing a code, the service generates a one-time code and texts it to the user's phone. As most people have a mobile phone of some kind, avoiding the cost of a hardware token led many service providers to adopt SMS 2-Factor Authentication for large-scale consumer use.

SMS-based authentication was widely adopted for a time, but public awareness of its significant risks (SIM swapping, interception of the message in transit, and plain phishing of the code) has all but stalled its growth. NIST's 2016 draft of SP 800-63B deprecated SMS as an out-of-band authentication factor; the final 2017 version stopped short of banning it and instead classed codes delivered over the public telephone network as "restricted", requiring organizations to assess the risk and offer alternatives. Since then many organizations have moved away from text-message codes. Many, but not all.

Phone-as-a-Token Multi-Factor Authentication

That’s a mouthful.

Soft-token multi-factor authentication (MFA) went mainstream as businesses and their users shifted towards mobile devices. These methods popularized software-generated one-time passwords (OTP) and managed to replace a large segment of the hard tokens with PIN-, push-, or biometric-based MFA.
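To make the OTP mechanics behind both the hard tokens above and these soft tokens concrete, here is an added example (not code from the original article, HYPR, or any token vendor): HOTP and TOTP as specified in RFC 4226 and RFC 6238, checked against the RFCs' own test vectors, plus the two verifier-side checks a service must add on top of the algorithm, a small clock-skew window and rejection of an already-accepted time step so a captured code cannot be replayed. The secret is the RFCs' published test secret; the step, digit count and window size are the RFC defaults and values chosen for illustration.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), plus the verifier-side checks a service needs.

Added example; not code from the original article or any vendor."""
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                          # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros ("07081804")


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo: str = "sha1") -> str:
    """TOTP: HOTP with the counter derived from the clock (T = floor(time / step))."""
    return hotp(secret, unix_time // step, digits, algo)


class TotpVerifier:
    """Server side of TOTP.

    A hardware or software token is only as good as the check on the other end, so the
    verifier (1) accepts codes from a few adjacent time steps to tolerate clock drift, and
    (2) remembers the last accepted step so a captured code cannot be replayed inside its
    validity window (RFC 6238, section 5.2)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1, algo: str = "sha1"):
        self.secret, self.step, self.digits, self.window, self.algo = secret, step, digits, window, algo
        self.last_accepted_step = -1   # persist this per user in a real deployment

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for t in range(current - self.window, current + self.window + 1):
            if t <= self.last_accepted_step:
                continue                                   # already used, or older than a used code
            expected = hotp(self.secret, t, self.digits, self.algo)
            if hmac.compare_digest(expected, code):        # constant-time comparison
                self.last_accepted_step = t
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D: 6-digit HOTP values for counters 0 and 1.
    print(hotp(RFC_TEST_SECRET, 0), hotp(RFC_TEST_SECRET, 1))                                  # 755224 287082
    # RFC 6238 Appendix B: 8-digit SHA-1 TOTP at T = 59 and T = 1111111109.
    print(totp(RFC_TEST_SECRET, 59, digits=8), totp(RFC_TEST_SECRET, 1111111109, digits=8))   # 94287082 07081804
    print("current code:", totp(RFC_TEST_SECRET, int(time.time())))
```

The replay check is the part most home-grown verifiers omit: without it, a code phished or intercepted in the first few seconds of its window is still good for the rest of it.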

Unfortunately, many software-based MFA systems have known weaknesses. Some of the most popular methods rely on OTP codes or other shared secrets, and a code carries no proof of which site it was typed into: it can be phished, relayed in real time through an attacker's proxy, or harvested by mobile malware, so users remain susceptible to social engineering and man-in-the-middle (MitM) attacks.

Attacks on soft MFA have become more widespread in recent years, leading people to reconsider how phones are used to store credentials.

Today We’re Living in the Passwordless Decade

In the late 2010s “True Passwordless” authentication gained prominence. Unlike legacy MFA, such passwordless approaches rule out passwords and other shared secrets altogether, relying instead on public-key cryptography and open standards such as FIDO2 and WebAuthn for strong authentication: the server stores only a public key, and the user's device proves possession of the matching private key by signing a fresh challenge.

What’s the difference? Rather than storing passwords and shared secrets inside the enterprise, True Passwordless Authentication moves the crown jewels to the edge. User credentials are generated and stored in the most trusted areas of the user's own smartphones and devices (hardware-backed secure elements or trusted execution environments), and the private key never leaves them.

By taking passwords out of the equation, HYPR forces attackers to go after each device individually. Credential stuffing and password reuse have nothing left to stuff or reuse, and because each key pair is bound to the site that registered it, a phishing page cannot obtain a signature the real site will accept. Most importantly, it creates a fast and easy UX that makes passwordless pleasant for the end-user.
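As an added illustration of the contrast between the OTP weaknesses described in the previous section and the origin-bound keys described here (not HYPR's code, and not a real WebAuthn library), the following toy model of the FIDO2/WebAuthn assertion flow shows why a relayed one-time code is accepted while a relayed public-key assertion is not. The authenticator signs the server's challenge together with the origin the browser actually displayed, and the server checks both the signature and that origin. The signature scheme is textbook RSA over a SHA-256 digest with freshly generated 1024-bit keys, chosen only so the example runs on the standard library; the names example.com, https://example.com and https://example-login.evil are assumptions for the illustration. A real browser would stop the phishing case even earlier, since a page may only request credentials registered for its own domain; the model deliberately lets the attacker's page through so the server-side check is visible.

```python
"""Origin-bound public-key challenge-response versus a relayable one-time code.

Added toy model of the FIDO2/WebAuthn assertion flow; not code from HYPR or any
WebAuthn library. Textbook RSA stands in for a real signature scheme (demo only)."""
import hashlib
import json
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin: adequate for a demo key, not a vetted key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 1024):
    """Returns ((n, e), (n, d)). Textbook RSA without padding: demo only."""
    p, q = _random_prime(bits // 2), _random_prime(bits // 2)
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def _digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data: bytes) -> int:
    return pow(_digest(data), priv[1], priv[0])


def verify_sig(pub, data: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == _digest(data)


class Authenticator:
    """The user's device. Private keys never leave it, and each key is filed under the
    relying-party ID it was registered for (WebAuthn's rpId)."""

    def __init__(self):
        self._credentials = {}  # rp_id -> (credential_id, private_key)

    def register(self, rp_id: str):
        pub, priv = generate_keypair()
        cred_id = secrets.token_hex(8)
        self._credentials[rp_id] = (cred_id, priv)
        return cred_id, pub                          # only the public key goes to the server

    def get_assertion(self, rp_id: str, challenge: str, origin: str) -> dict:
        """Sign the challenge together with the origin the browser is actually showing."""
        cred_id, priv = self._credentials[rp_id]     # KeyError if no key exists for this rpId
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        return {"credential_id": cred_id, "client_data": client_data, "signature": sign(priv, client_data)}


class RelyingParty:
    """The server. It stores public keys only, so there is nothing here to stuff or phish."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self._public_keys, self._pending = {}, set()   # pending challenges are single-use

    def register(self, cred_id: str, pub):
        self._public_keys[cred_id] = pub

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._pending.add(challenge)
        return challenge

    def verify_assertion(self, assertion: dict) -> bool:
        pub = self._public_keys.get(assertion["credential_id"])
        client = json.loads(assertion["client_data"])
        if pub is None or client.get("type") != "webauthn.get":
            return False
        if client.get("origin") != self.origin:                   # signed origin must be our site
            return False
        if client.get("challenge") not in self._pending:          # unknown or already consumed
            return False
        if not verify_sig(pub, assertion["client_data"], assertion["signature"]):
            return False
        self._pending.discard(client["challenge"])
        return True


def enrolled_pair():
    """Assumed names for the illustration: rpId example.com at origin https://example.com."""
    auth, rp = Authenticator(), RelyingParty("example.com", "https://example.com")
    rp.register(*auth.register(rp.rp_id))
    return auth, rp


def legitimate_login(auth: Authenticator, rp: RelyingParty) -> bool:
    return rp.verify_assertion(auth.get_assertion(rp.rp_id, rp.new_challenge(), rp.origin))


def phished_assertion(auth: Authenticator, rp: RelyingParty, phish_origin="https://example-login.evil") -> bool:
    """Attacker-in-the-middle: the phishing page fetches a real challenge and relays it. The
    device signs it, but client_data records the origin the victim visited, so the real
    server rejects it, and the attacker cannot edit a field that is under the signature."""
    return rp.verify_assertion(auth.get_assertion(rp.rp_id, rp.new_challenge(), phish_origin))


def otp_relayed_through_phishing_page() -> bool:
    """The one-time-code contrast: the server learns only the digits, never where they were typed."""
    issued = {f"{secrets.randbelow(10 ** 6):06d}"}    # code texted (or app-generated) for the victim
    typed_on_phishing_page = next(iter(issued))       # victim enters it on the look-alike site
    return typed_on_phishing_page in issued           # attacker forwards it; the server accepts
```

The two protocol-level differences carry the whole result: the server never holds anything that can be replayed (only public keys), and the thing that is signed includes the origin, so a signature obtained on a look-alike site is useless on the real one.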

According to Microsoft, as of 2020 more than 150 million people are using passwordless methods each month — and that’s just on the Windows platform.

As organizations grew wary of MFA from incumbent identity vendors that still sits on top of a password, they turned their attention to next-generation solutions such as YubiKey, Windows Hello, and HYPR, all of which are laser-focused on solving the password problem.

Where do we go from here?

At HYPR we believe this is The Passwordless Decade. Still unsure?

Millennials and Gen-Zers don’t even know what password managers are. Many of these users have been raised on Touch ID and Windows Hello. They’re the passwordless generation. And even the older population has told our R&D team that they are ready to ditch passwords.

Gartner predicts that, by 2022, “…60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.”

Over the next 5 years, you’ll witness some amazing innovation in the authentication space. One key area that interests me is the advancement of FIDO authentication standards and the impact this will have on the Internet of Things (IoT). We’re definitely not going to use passwords to unlock our connected homes and smart toasters. Keep an eye on what’s happening in IoT security.

There you have it. Authentication is evolving so fast that we have seen technologies come in and out of favor during the modest lifespan of our partnership. Rest assured that we’ll be watching and adapting to it closely, mindful that the good instincts RRE has shown serve as great motivation to always keep a step ahead.
