How startups can go passwordless, thanks to zero trust

The Declining Reliance on Passwords and the Rise of Passwordless Authentication
Bill Gates predicted over 17 years ago that passwords would eventually prove inadequate for securing sensitive information. He stated, “There is no doubt that over time, people are going to rely less and less on passwords… they just don’t meet the challenge for anything you really want to secure.”
Despite this prediction, passwords have persisted as a common security measure, surviving numerous attempts at obsolescence. However, their continued use is increasingly challenged by more secure and user-friendly alternatives.
Barriers to Adoption and the Catalyst of Zero Trust
The perceived expense and complexity of implementation have historically hindered some smaller organizations from abandoning passwords. Industry analysis, however, demonstrates that password alternatives are now both affordable and straightforward to deploy, offering enhanced security. The growing adoption of zero trust systems is significantly accelerating this transition.
At its core, zero trust prioritizes verification of identity over network location. Zero trust models operate on the principle of never trusting any access request, requiring continuous verification, even for internal logins. Passwordless technology is a fundamental component of these models.
Exploring Passwordless Alternatives
Several viable alternatives to traditional passwords are currently available, including:
- Biometric authentication: This method utilizes unique biological traits, such as fingerprint scanning on smartphones and physical verification at access points.
- Social media authentication: Users can leverage existing accounts with providers like Google or Facebook to authenticate with third-party services.
- Multi-factor authentication: This approach adds extra layers of security through the use of devices or services, like token authentication via a trusted device.
- Grid authentication cards: These cards provide access using a PIN code in conjunction with a dynamic grid pattern.
- Push notifications: Secure notifications are sent to the user’s smartphone or other encrypted devices for verification.
- Digital certificates: These cryptographic files are stored on the user’s machine or device to confirm identity.
Real-World Implementation: Wolt's Passwordless System
Wolt, a food-delivery service based in Finland, serves as a practical example of successful passwordless implementation.
According to Erka Koivunen, CISO at F-Secure, “The user registers by entering their email address or a phone number. Login to the app takes place by clicking the temporary link in the user’s inbox.” An authentication cookie is then placed on the user’s mobile device, enabling seamless access without further authentication steps.
This system grants the service provider complete control over authentication, allowing them to manage expiration times, revoke access, and detect fraudulent activity. It also removes the burden of password management from the user.
Addressing Cost and Productivity Concerns
While not inherently expensive, adopting passwordless technology may require some adjustments, as explained by Ryan Weeks, CISO at Datto.
“It is not necessarily costly in terms of monetary investment, because there are a lot of easily accessible open-source alternatives for multi-factor authentication that don’t require any sort of investment,” Weeks stated. However, some organizations express concerns about potential disruptions to employee productivity.
Koivunen also contends that zero trust models are accessible even for startups.
“Zero trust recognises the futility of forcing users to authenticate themselves by presenting something they should keep as secret. Instead, it prefers to establish the user’s identity using some context-aware method,” he explained.
The Holistic Approach of Zero Trust
Zero trust extends beyond user authentication to encompass both the device and the user’s context.
Datto’s Weeks added, “From a zero trust perspective, there is an idea that there is a continuous authentication or revalidation of trust occurring. Therefore, passwordless in a zero trust model is potentially easier for the user and more secure as the combination of the ‘something you have’ and ‘something you are’ factors are more difficult to attack.”
Investment and Growth in the Zero Trust Sector
Major technology companies, including Microsoft and Google, are already offering zero trust technologies. Furthermore, investors are actively seeking out smaller companies specializing in zero trust solutions for growing businesses.
Axis Security, a zero trust provider focused on remote access, secured $32 million in funding last year. Beyond Identity raised $75 million in December, and Israel-based identity validation startup Identiq received $47 million in Series A funding in March.