back to article Let's authenticate: Beyond Identity pitches app-wrapped certificate authority

Hoping to actually make the long foretold end of passwords happen, a startup called Beyond Identity believes it can hasten the demise of the memory-taxing access ritual by embedding a personal certificate authority into mobile devices. The New York City-based biz, founded by Silicon Valley vets Jim Clark and Tom Jermoluk – the …

  1. Robert Grant Silver badge

    Jasson Casey, CTO, said the company's technology has some similarities with Let's Encrypt, but it authenticates clients rather than servers.

    Sounds as though it's a race to who does both!

    But also - isn't this already solved rather nicely with biometrics? What does this add?

    1. Version 1.0 Silver badge

      It adds the ability to fail when your phones battery dies, but will it still work if someone steals your phone?

    2. doublelayer Silver badge

      "But also - isn't this already solved rather nicely with biometrics? What does this add?"

      No no no no no no no. Biometrics does not solve this problem at all. For one thing, there are devices out there that don't have them. But for the major thing, biometrics do not support many of the security things one usually wants to have with passwords or keys. Try revoking someone's face or fingerprints if that person still needs to log in but an outside party has found a copy. The only solution is to break your biometrics system and give the compromised person a key or password instead. Also, give me a good way of using biometrics to authorize myself to distant machines. I'm working from home at the moment, but I frequently use a key to authenticate and encrypt a connection to a machine kilometers away. To do that with biometrics, the remote machine either has to trust my machine to say that it is me at it, leaving it open to potential attacks on the verification hardware on my machine, or it has to transmit my biometric information on a potentially tappable connection. Neither is good.

  2. Pascal Monett Silver badge
    Thumb Down

    Let me see

    So, this one company proposes to replace the password schema with a central identity database that they control.

    Thanks, but no thanks. With passwords, I have only myself to blame if I reuse it, or the website if it gets hacked.

    A central identity database is going to be the relentless and unending target of all the scum in the world, and they will get in, however good you think your defenses are.

    1. Charles 9 Silver badge

      Re: Let me see

      Even if it's YOURS? I'm wondering if that is the push: your own personal certificate store, only for personal identity credentials. As for the phone getting stolen, these can be held behind the phone's current locks and keys, protected by remote wipe and the passkey entry limit, while you keep a backup squirreled away in your safe or whatever.

      Taken this way, I think it's something that has some legs, especially for those with terrible memories for passwords ("Now was it correcthorsebatterystaple or donkeyenginepaperclipwrong?")

      1. doublelayer Silver badge

        Re: Let me see

        We have that. It's a password manager (they can store keys too). This one is more than that because they want to run authentication through their infrastructure. That can sometimes be useful, but there's a reason most current players in that realm are providing secondary-factor authentication rather than primary-factor.

        1. Charles 9 Silver badge

          Re: Let me see

          A password manager still relies on memory (for the master key), and I deal with people who have trouble remembering how to spell their own names. The three tenets have been, "something you are, something you have, and something you know." But how do you deal with people who are nothing, have nothing, and know nothing?

          1. doublelayer Silver badge

            Re: Let me see

            The description above is no different. It still relies on storage on a phone. Now that may use a shorter passcode, relying on a phone's hardware to maintain control on how many attempts you have before an unstoppable erasure. If you trust this, there is a simple answer: get a phone, configure it for the security you can withstand, get a password manager on it, set the master key to "a". If you don't have complete trust in the phone's hardware to maintain access controls, then you remember a longer password and trust to much more provable encryption. This service does not have any more trustable security than that. It might be more convenient, but it also comes with negatives as detailed above.

            1. Charles 9 Silver badge

              Re: Let me see

              How about something a little harder to lose than a phone? Like I said, I deal with people who lose things all the time (so they have nothing), forget everything (so they know nothing), and have an inflated opinion of themselves (they essentially are nothing). Problem is, they're also my immediate family...

  3. SJA

    Typing your passwords?

    I generate passwords usually using pwgeny -ync 40 and then I store password, username, email address, login url in my password manager. When I need to login, open password manager and just copy'n'paste the password. Why would I need to type those passwords all the time? One password for phone encryption and one password for the password manager is all I need.

    1. Doctor Syntax Silver badge

      Re: Typing your passwords?

      Same here except the password manager will also generate a password that looks like line noise. Why extend the attack surface by involving an external agency?

  4. Eclectic Man Silver badge
    FAIL

    Changing passwords

    OK, so one security 'application' I actually installed and set up for a paying customer in the City of London (you would recognise the name were I so insensitive as to post it here) had the interesting 'feature' that you could never change the admin password. There was no facility to do that at all.

    And another fail is this. (True story, NOT FOR THE FIANT OF HEART): Recently some of my post has been stolen and used for social hacking purposes, emptying one pension fund and one shares fund. In attempting to alert another investment company I explained about the post interception and asked for a change of password. Guess what: they only do that by sending me a letter in the post (which is currently on its way). They cannot stop it coming either, so I have to just hope the thieves do not intercept this one too.

    <zootle-wordle, zootle-wurdle, zootle-wordle>

  5. joshperry

    I've been using FIDO with a hardware token (yubiko) for years and it brings game changing usability and security to sites that implement it. It is also now supported on mobile devices using NFC to communicate between websites and the same hardware token, I'm not sure why the HSM in modern mobile devices couldn't also play this role. This new company sounds like they're just bringing middleware for weaving together the ugly authn world that corps deal with, a la Auth0.

    There are a few problems in the general identity space, and I think penetration is the largest. The most important attribute in an identity system isn't authentication, it's trust, and almost nobody is trying to build a system that includes it. Thawte's Web-of-trust was an interesting attempt, but because of the number of users it never got large enough to work as intended.

    The honest truth is that normal people just don't give a shit about security, and in a lot of ways they really don't need to. If more people cared, PGP wouldn't be the pinnacle of our p2p PKI systems. It doesn't matter much anymore anyway, the internet that most people use these days is just a sterilized corporate and government propaganda tool where your identity is used primarily to track and profile you.

    1. Charles 9 Silver badge

      "The honest truth is that normal people just don't give a shit about security, and in a lot of ways they really don't need to."

      Identity theft tells me more people should be caring than they should; otherwise, society as we know it won't work (as it depends a lot on identities).

  6. sitta_europea Silver badge

    Single sign-on?

    But I DON'T WANT a single sign-on.

    Really I don't.

    I want a lot of different sign-ons, so that when one gets compromised the rest are not compromised.

    It's called a 'system', and it's what anyone has to have if they want to call themselves 'organized'.

    1. Charles 9 Silver badge

      And if they CAN'T be organized due to having terrible memories and such?

  7. Phil Endecott

    What’s the business model? (For consumers.)

    If it’s paid it will fail, people will continue to use “sign in with Facebook”.

    If it’s free - who is paying for it, and what are they getting in return?

    1. Version 1.0 Silver badge

      The typical business model these days is the Facebook method - make it free with a privacy policy that allows the company offering the free product to make money by selling information about the user to advertising companies.

  8. Anonymous Coward
    Anonymous Coward

    Password Storage

    I have a friend with a relative who went to work for an unnamed agency. With a major in mathematics, and an interest in encryption, shortly after the employment started my friend was urgently advised to use a particular password safe. He passed the word to me and I've followed it religiously since. I may not be organized elsewhere, but wrt passwords I'm covered.

    Yubikey would be my ideal if it were more ubiquitous. Sigh!

    1. Irongut

      Re: Password Storage

      Well done, that agency are now sure they can access your passwords.

  9. Jenny with the Axe

    But where do the certificates come from?

    They talk a lot about using certificates. But where are the certificates coming from? How are they issued, how do they guarantee that nobody can get a false certificate, how does revocation work, where is the CA, how is the CA's key managed... If they want us to rely on PKI, they need to show that we can trust their PKI.

    1. Charles 9 Silver badge

      Re: But where do the certificates come from?

      Ever thought the certificates can be made, on-site? That way no one else can possible know about them (unless you live in a Panopticon world).

      1. Jenny with the Axe

        Re: But where do the certificates come from?

        The "P" in PKI stands for "Public". The point is that by publishing the processes and safeguards against issuance of false certificates, the certificates can be trusted. If there is no trust, well... the entire point of using PKI falls to the wayside and it's just another way of encrypting, rather than authenticating, data.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021