- December 13, 2018
- Posted by: Kerry Tomlinson, Archer News
If your password is “Ihatepasswords,” get ready to celebrate.
You may get to kill off those not-so-secret login phrases for good.
Here’s how one new company is trying to do it.
Ross Kinder feels your pain.
Passwords can inspire passionate loathing.
“I’ve got hundreds of them,” he said. “I can’t remember any of them. I’m constantly clicking the ‘forget password’ link because I have no clue what the password might be. All the time.”
He and co-founder Mike Bousquet have come up with a way to save you from password purgatory — and in theory prevent data breaches at the same time.
Their Groove.id would eliminate passwords, so you can just sit down at your work computer and get going, without mental or physical fumbling for a phrase you forgot.
Ross Kinder & Mike Bousquet of Groove.id at the Collision 2018 conference in May in New Orleans. Image: Archer News
In a previous job, Kinder did cleanup after cyber attacks on companies and government.
“I started noticing that we were solving the same problem over and over again,” he told Archer News at the 2018 Collision conference in New Orleans. “In every computer intrusion, there was some moment, not where a piece of tech failed or where some developer made a mistake, but there was a moment where a user voluntarily gave up their password to the attacker.”
Gave it up?
But we wouldn’t do that!
Or would we?
Yes, by falling for a phishing e-mail, or reusing our work passwords on sites with less security, he explained.
“So, we set out to get rid of the password,” Kinder said. “And the idea is, it doesn’t matter how gullible the users are, that no matter what, they don’t have anything of any value they can give up to the attacker.”
Well, no one likes to be called gullible.
But you may love the idea of killing off your passwords — and your all-too-frequent password headaches.
Ross Kinder prepares to demo his Groove.id system. Image: Archer News
How Does It Work?
Kinder and Bousquet use the fictional employee “Michael Bolton” as an example.
“Michael sits down at his computer and he’s got multiple ways to sign in,” said Bousquet.
That sounds suspiciously like passwords.
But no, Kinder and Bousquet’s system is already taking note:
Is this Michael’s usual work time?
His usual workplace?
His usual computer?
Is this how he types and moves his mouse?
“Is this normal behavior or is this abnormal behavior?” said Kinder. “And if it’s normal behavior, we provide a very low friction path straight into your e-mail. Maybe you don’t even notice that anything’s happening in the background.”
Into your e-mail and into your work apps — you’re done signing in.
Mike Bousquet demonstrates his Groove.id system. Image: Archer News
But what if you’re traveling, or you have a broken arm and you’re typing funny?
Too many things out of order and the system will “bother” you with a little more “friction” — another step to sign in.
“The most common way that our users choose to log in is using their mobile phone,” said Bousquet. “So, I’ll just select the option ‘sign in on my mobile phone.’”
“I just got a push notification on my phone,” he said less than two seconds later. “So, I’ll tap that.”
He places his fingerprint on his phone, and the phone says he’s all set.
“So, I’m just driving around to whatever applications I need to use at work,” Bousquet said.
“If we bother you too much, you’ll get annoyed with us. If we bother you too little a bad guy might get in,” Kinder said.
Administrator screen for Groove.id. Image credit: Groove.id
If things get really suspicious, the system goes all out — with video vouching.
“I’m going to ask to ‘get assistance by video’ here as I sign in,” said Bousquet. “And the system has brought up a little video box. I’ll click start.”
The system shows “Michael Bolton” four random words: nape, dosage, deflector, hypnotic.
The web cam makes a video as he reads them off.
Then it goes to his designated video-vouching co-worker, in this case, Kinder.
“Here’s the video. I’m sure that this is Michael Bolton,” Kinder said.
He verified the video and the words.
“Now I’m done with my part. Michael will be signed in,” he concluded.
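The three sign-in paths described above (low friction, phone push with fingerprint, video vouching) can be sketched as a risk-scoring policy. This is an added example, not Groove.id's code: the weights, thresholds, and every name in it are assumptions chosen for illustration, and it treats a missing signal as abnormal so that blocking telemetry cannot lower the score.

```python
from dataclasses import dataclass
from typing import Optional

# Illustrative weights and thresholds (assumptions, not Groove.id values).
WEIGHTS = {"usual_time": 1, "usual_place": 2, "usual_device": 3, "usual_input": 2}
STEP_UP_AT = 2   # score at or above this: push notification plus fingerprint
VOUCH_AT = 5     # score at or above this: video vouching by a co-worker

@dataclass
class SignIn:
    # True = matches the user's baseline, False = does not,
    # None = signal missing (for example, the collector did not report).
    usual_time: Optional[bool]
    usual_place: Optional[bool]
    usual_device: Optional[bool]
    usual_input: Optional[bool]  # typing and mouse-movement pattern

def risk_score(attempt: SignIn) -> int:
    """Add up the weight of every signal that is abnormal or missing."""
    score = 0
    for name, weight in WEIGHTS.items():
        # Fail closed: only an explicit True counts as normal, so withholding
        # telemetry can never produce a lower score than sending it.
        if getattr(attempt, name) is not True:
            score += weight
    return score

def required_step(attempt: SignIn) -> str:
    """Map the score to one of the three sign-in paths the article describes."""
    score = risk_score(attempt)
    if score >= VOUCH_AT:
        return "video_vouch"
    if score >= STEP_UP_AT:
        return "phone_push_fingerprint"
    return "low_friction"

# Constructed sample attempts, not real data.
SAMPLES = {
    "normal day": SignIn(True, True, True, True),
    "broken arm": SignIn(True, True, True, False),
    "traveling": SignIn(False, False, True, True),
    "new device, new place": SignIn(True, False, False, True),
    "telemetry blocked": SignIn(None, None, None, None),
}

if __name__ == "__main__":
    for label, attempt in SAMPLES.items():
        print(f"{label}: score={risk_score(attempt)} -> {required_step(attempt)}")
```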
People giving away their passwords leads to many cyber attacks, according to Ross Kinder of Groove.id. Image credit: Microsoft
Push for Passwordless
Groove.id is not the only company out to eliminate passwords.
Microsoft has launched a similar passwordless service where you can choose different ways to sign in, including using your face, fingerprint and other biometrics.
SecureAuth checks your location, device and user behaviors, among other things.
And the list of like-minded companies is growing.
If these ‘no password’ technologies stick — and if they prove to be more secure — there may come a time when your written password becomes just a memory.
One that you’ve probably already forgotten.
Microsoft & many other companies allow you to use a key and fingerprint to sign in. Image credit: Microsoft
Still Using Passwords
In the meantime, if you are using written passwords, remember to:
—Make a long one, at least 15 characters
—Make a different password for every account
—Store them in a password safe, also known as a password manager
Here’s how to use a password manager or safe, in case you’re not using one already.
P.S. Bousquet says Groove.id is ready for beta testing and should be ready to go in the first half of 2019. It’s not for individual users, but for companies with 200 to 1000 people, or larger.