When I joined IBM back in the 1980s, one of the big problems we were dealing with was IDs and passwords, which we listed as the most vulnerable parts of any computer system. Here we are—nearly 40 years later—and they remain the most vulnerable parts of any computer system, and the threats have expanded significantly.
We do now have biometrics in the form of fingerprint and facial recognition. Still, these modes are typically backed up by IDs and passwords and even PINs, which are all relatively vulnerable to compromise. Worse, if someone wants to, they can call into a service protected by an ID and password and convince them they are you. This theft happened to me a few years back when someone called into Microsoft support and convinced them they were me to get my gamer tag. It took me three years and the help of Microsoft’s CEO to get my tag and ID back.
This opening is a lot of background, but it is why I took a briefing with a fascinating small company called Hushmesh, which seems to have the solution to the problem mostly sorted.
Let’s talk about Hushmesh this week.
The Authentication Problem
With security, you always think about the weakest link because that is where a smart attacker will focus. So even if you have biometrics, it is generally backed up by a PIN or password and ID, both because those technologies aren’t trusted and because you need a failover process if they don’t work. Therefore the password and ID are the weakest links, and any more secure technology built upon them is reduced to the security level of the weaker PIN and password in practice. You can’t supplement weak security with strong security and expect to become more secure. Thus the biometric authentication we’ve been using is just more convenient, but not more secure.
The goal is to create a way to identify you with high accuracy without significantly increasing either the cost of the related hardware or services or making the authentication process excessively annoying. One way to do this is to use your authenticated smartphone as the authenticator—they typically connect using NFC or Bluetooth. Sadly, using NFC or Bluetooth is problematic because NFC isn’t universal in PCs and Bluetooth continues to have pairing issues, particularly when you have multiple Bluetooth devices connected to your PC.
The most common way to get around all of this is to use dual-factor authentication where your phone gets a code via text that you use in addition to your password. The issue with that approach is that often it adds a lot of time to the log in as you wait for the text (longer if it comes in via email) and getting the text is problematic if you don’t have phone service.
This exact scenario happened to me last week when I was trying to complete an Amazon transaction. I had Wi-Fi, but AT&T wasn’t working in the building, and I couldn’t recieve the text message needed to validate my identity. It strikes me that given many Amazon customers have Echo devices, Kindles, or Fire Tablets that they could more easily use one or all of those for the second factor as an option and make things a ton simpler.
Hushmesh: A Better Authentication
Hushmesh is a company that was founded to fix the password problem. It uses your smartphone as the authentication device but the keys are kept in a wall wart you install in your home that is geo-fenced so that if it is removed from your home, it stops working. The keys are then sent to several other wall warts in the network randomly so that if yours fails, you have a backup but no one knows where that backup is, so the backup doesn’t become a target.
Hushmesh doesn’t keep the keys, but they can help you find them if you have a catastrophic accident (like your house burns down) or if law enforcement needs to get access and has a warrant. But unlike the concern with a master key—something that Apple and others are rightly resisting because it would breach everyone’s security—this can only be done on a case by case basis which not only allows Hushmesh to put in place a robust process (given a legitimate request would be massively more infrequent than a lost password) but makes mass attacks, which a master key would allow, virtually impossible.
While this is initially focused on authentication, the product and service could also be used to keep encryption keys so that your correspondences are also secure. This product and service are one of the first offerings to use Azure Sphere, the secure Microsoft Cloud offering for IoT devices, and it assures the wall wart is kept up to date and fully patched. Without the Azure Sphere, Hushmesh couldn’t have made this offering affordably.
The process on a PC is that rather than a login screen, you’d get a QR code which you’d then scan with your phone to gain access to the service. No password or PIN needed. On the phone, you don’t need the QR code—the login would occur transparently in the background. For the phone to be first set up, it needs to be near the wall wart before it becomes your assured identity device.
Wrapping Up: The First Personal Cryptographic Server
Hushmesh is the emergence of the first Personal Cryptographic Server, and it isn’t hard to imagine that the necessary wall wart might get built into something else in the future like a router or digital assistant. But the result is the elimination of the need for passwords and IDs generally, and the combined security validation of both location and mesh cryptographic key management and protection is, in my opinion, inspired.
For financial institutions, online retailers, and healthcare organizations that need something secure and easy; this may be the ideal solution. But, they had me when they just said they could get rid of the damned passwords.