Everyone knows the importance of passwords and even password managers, but the age-old security method is not without its faults.

Passwords in the wrong hands can lead to dire consequences, with large-scale cyberattacks sometimes being launched thanks to the attacks finessing a password out of an unwitting target. It only takes one employee with an insecure password to launch a full-scale attack. Beyond Identity Inc. is working to eliminate the use of passwords and take personal security to the next level.

“[A] big aspect of our strategy is what we’re calling zero-trust authentication,” said Kurt Johnson (pictured, left), chief strategy officer and head of corporate development at Beyond Identity. “Eliminate the passwords first and foremost, make authentication phishing resistant, pulling in the device signals, but then, tying in through third-party integration, as many risk signals as we can to make a true determination at that point of authentication that you know exactly who and what is gaining access.”

Johnson and Jasson Casey (pictured), interim chief executive officer of Beyond Identity spoke with theCUBE industry analysts Lisa Martin and Dave Vellante at the Fal.Con event, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed how Beyond Identity plans to get rid of passwords, the problem passwords and other authentication methods pose and how Beyond Identity is partnering with CrowdStike to integrate solutions into a broader security ecosystem. (* Disclosure below.)

A more secure, passwordless future

Some websites and applications have moved to session cookies, which as Casey said, “sound, smell and taste like credentials.” However, most companies implement these credentials poorly, Casey said, treating them as symmetric secrets and moving them around all over the place. Just like passwords and credit card numbers, these session cookies can be bought on forums and the dark web.

“Our mission is, we’re a security company solving identity problems,” Casey said. “We don’t believe identity companies solve security problems. We believe they solve productivity problems and maybe create security problems. And we think it takes a principled approach to get there.”

A passwordless future is a nice idea, but there must be a replacement to keep people’s information and credentials safe. Credentials should never move, Casey says, whether it’s a session cookie, an access token or a GPG key, and credential usage should always be guarded by policy, as much of that policy can be baked into what is called trusted computing.

“That’s just a fancy way of saying there’s hardware proof that what I expect is happening, is happening,” Casey said. “There’s a log that gets created that I can always validate offline and see if something went wrong.”

Even facial recognition doesn’t solve credential problems, the group discussed. With facial recognition, it’s just a symmetric piece of data, or a password, with a different name. Some companies use a technology called bio hashing where the facial data is stored as a number, such as password hashing, but even these pose challenges and risks.

“They’re not a substitute for asymmetric cryptography,” Casey said. “Just doing digital signatures is truly how authentication should work when you do that, the private key doesn’t have to move. If you do that on a machine with an enclave, you have a guarantee it won’t move. That’s the bulletproof way of eliminating these two classes of problems.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the Fal.Con event:

(* Disclosure: Beyond Identity Inc. sponsored this segment of theCUBE. Neither Beyond Identity nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE