Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint //

Authentication

5/28/2019
12:00 PM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail

8 Ways to Authenticate Without Passwords

Passwordless authentication has a shot at becoming more ubiquitous in the next few years. We take a look at where things stand at the moment.
4 of 9

HYPR

George Avetisov, CEO and co-founder of HYPR, has been on a mission for some time now. He aims to help people understand that moving away from the 'shared secret' of a password must be replaced by a system where the user's device holds a private key that can get authenticated by either touch, a thumbprint, or facial recognition.

'We look to eliminate shared secrets,' says Avetisov, who adds that in deploying HYPR, security teams can give their users a choice of how they want to authenticate.

'People don't want to be forced,' he says. 'For example, we ran a study in Australia and found that people didn't like eye recognition, where in Europe and the United States, they found it more acceptable.'  HYPR customer Mastercard, Avetisov added, gives its users a choice of a fingerprint, facial recognition, and a PIN.  

Image Source: HYPR

HYPR

George Avetisov, CEO and co-founder of HYPR, has been on a mission for some time now. He aims to help people understand that moving away from the "shared secret" of a password must be replaced by a system where the user's device holds a private key that can get authenticated by either touch, a thumbprint, or facial recognition.

"We look to eliminate shared secrets," says Avetisov, who adds that in deploying HYPR, security teams can give their users a choice of how they want to authenticate.

"People don't want to be forced, he says. "For example, we ran a study in Australia and found that people didn't like eye recognition, where in Europe and the United States, they found it more acceptable." HYPR customer Mastercard, Avetisov added, gives its users a choice of a fingerprint, facial recognition, and a PIN.

Image Source: HYPR

4 of 9
Comment  | 
Print  | 
Comments
Newest First  |  Oldest First  |  Threaded View
ScottyTheMenace
100%
0%
ScottyTheMenace,
User Rank: Strategist
6/6/2019 | 5:46:08 PM
Touch ID is not passwordless
Not sure if it was your intent to suggest that it was, but Apple's Touch ID is not passwordless.

In iOS, you still have to set a passcode, and it seems to be the passcode that actually unlocks your device. All Touch ID does is use your fingerprint to fill the passcode into the field. (I don't know the technical details to know that's the case, but it sure seems like that's what's happening.) You're also forced to use the passcode seemingly at random (though it's probably time delimited) and to activate Touch ID after a restart.

I love using Touch ID—it's quite convenient—but its dependence on a typed passcode actually encourages users to use weak passcodes that are easily remembered since they'll eventually need to type it in, and typing the passcode* 984ELBMYAq[[email protected]%t5sM+5{j=9AYH__4jqDr on a touch keyboard is not real fun.

 

* Generated just now. Not any of my passwords. C'mon now, do I look that dumb? DON'T ANSWER THAT!
wibblewibble
100%
0%
wibblewibble,
User Rank: Apprentice
5/30/2019 | 7:49:18 AM
SQRL
Don't forget SQRL! https://www.grc.com/sqrl/sqrl.htm
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
SOC 2s & Third-Party Assessments: How to Prevent Them from Being Used in a Data Breach Lawsuit
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  12/5/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19645
PUBLISHED: 2019-12-09
alter.c in SQLite through 3.30.1 allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements.
CVE-2019-19678
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the generic field entry point via the Generic Test Definition field of a new Generic Test issue.
CVE-2019-19679
PUBLISHED: 2019-12-09
In "Xray Test Management for Jira" prior to version 3.5.5, remote authenticated attackers can cause XSS in the Pre-Condition Summary entry point via the summary field of a Create Pre-Condition action for a new Test Issue.
CVE-2019-19647
PUBLISHED: 2019-12-09
radare2 through 4.0.0 lacks validation of the content variable in the function r_asm_pseudo_incbin at libr/asm/asm.c, ultimately leading to an arbitrary write. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via crafted input.
CVE-2019-19648
PUBLISHED: 2019-12-09
In the macho_parse_file functionality in macho/macho.c of YARA 3.11.0, command_size may be inconsistent with the real size. A specially crafted MachO file can cause an out-of-bounds memory access, resulting in Denial of Service (application crash) or potential code execution.