Phil, you’ve been a strong advocate for a Zero Knowledge Password Proof (ZKPP) approach to passwords. Do you believe passwords are fundamentally flawed and, if so, how did you come to this realization?
Actually, it’s the way passwords are used, or more specifically the way the ‘Knowledge Factor’ in authentication security (‘something you know’) is used. We should keep using a secret Knowledge Factor like passwords or PINs to protect our identity, data, and devices, but here’s the problem: you have to reveal that secret to prove you know it. This makes your secret very susceptible to being compromised by a hacker or other bad actor, and it also means we all end up having far too many passwords to remember, and they should be long and very complex, so it all gets a bit too hard.
TokenOne offers a ZKPP approach to authentication. Can you explain in non-technical terms how it works, and what makes it more secure than traditional passwords and various MFA methods?
With TokenOne, or any form of ZKPP (Zero-knowledge password proof), you never enter, speak, or otherwise reveal your password, PIN or other secret that only you know. You simply scramble or ‘encode’ your numeric TokenOne PIN into different letters every time you authenticate. You do this by just looking at a simple alpha-numeric image (or ‘cipher key’) in the TokenOne app on your phone. The ten numbers 0 to 9 are shown in the image with each number next to one letter of the alphabet. One letter per number. This enables you to instantly replace (in your head) each number of your PIN with a letter so you enter the letters, never your PIN, when you log in. This also works well by SMS, as shown in this short demo video, and provides a much more secure alternative to One-Time Passwords sent as text messages. As each alpha-numeric cipher key on your phone is different every time and used only once (unless you’ve changed your PIN), there’s no way to calculate in advance which letters should be entered for the next authentication. Crucially, this means TokenOne Authentication is ‘non-algorithmic’ and therefore not subject to potential cracking by increased computing power such as a supercomputer or even quantum computing. This has been proven in a mathematical white paper which I’d be happy to share with anyone interested if they want to reach out to me. Moreover, the backend system doesn’t even store a copy of your TokenOne PIN so, if that backend system is compromised somehow, there’s nothing in the TokenOne database that will reveal to a hacker your PIN, let alone all the PINs of other users. This is what we patented.
Some argue that passwordless systems might create new vulnerabilities. What’s your take on that?
The problem is that there are three, and only three, forms of Authentication Factor:
- Something you are (e.g. biometrics)
- Something you know (e.g. passwords)
- Something you have (e.g. a card, phone or other device)
For small business owners and entrepreneurs listening today, what simple steps can they take right now to start moving away from passwords? What other elements should they keep in mind to avoid trading one set of vulnerabilities for another?
Apart from TokenOne and ZKPP approaches, I’ve seen some fascinating emerging technologies recently. For example, MasterKey from a company called BankVault, is a passwordless authentication solution that provides both rapid and frictionless registration for users, because there’s no app to download, and rapid and frictionless installation for companies, so there’s no need for the usual long and expensive implementation project. This makes MasterKey ideal for online stores and merchants, for example, to use to reduce both new user registration and check-out dropouts. Given the amount most companies spend to attract new customers, the potential ROI here is extraordinary. However, if you’re focused on the most mainstream, established approaches (that would likely be a much heavier implementation lift) passkeys are clearly a great approach to reducing the need for entering passwords so often on your biometrics-enabled laptop, phone or other device. And of course, leveraging biometrics on a separate device for a form of strong ‘out-of-band’ authentication is a very sturdy approach to authentication security. So, for example, if you’re making a funds transfer in internet banking on your laptop, your bank may ‘push’ a biometric authentication challenge to the bank’s app on your phone before processing the transaction. Again, this may be a heavier implementation lift, but does provide strong authentication security and a simple, convenient user experience.
Your upcoming book “Stay Safe Online – 12 Critical But Simple Steps” is aimed at the average user. What motivated you to write a book for everyone, rather than focusing solely on corporate or high-tech solutions?
Last year, one of my employees (in a tech company!) said she didn’t know what phishing is. That shocked me a bit so I spoke to several other people and asked some relatively basic (or so I thought) security-related questions and quickly realized that most people have reasonable knowledge about some areas of online security (“I use a virus scanner”) but very few people have a good, rounded knowledge across each of the most common risks and vulnerabilities, let alone how to protect themselves against the most common threats with a far more comprehensive approach.
“I am perhaps more familiar than most with the damage and suffering that both individual criminals and organized crime can inflict on innocent people, their families, and their businesses. What is so valuable about this book is the way Phil uses plain English, practical language, and a step-by-step approach towards implementing measures we can all actually use to protect ourselves, our families, businesses and workplaces.”
Asst. Director FBI Ret. Charles ‘Chuck’ Archer
What are some common misconceptions people have about authentication and cybersecurity in general that you hope to dispel in the book?
That’s easy… “I’ve installed a VPN, firewall and/or virus scanner so all good, I’m safe”. I know it’s a cliché but it’s absolutely true that ‘security is only as strong as the weakest link’. I devote a chapter to this in my book and it’s the most important message overall to encourage readers to understand AND then take each of the steps set out in the book for a far more comprehensive approach to online security and self-protection for individuals, families and small businesses. Several data breaches involving VPNs, firewalls, and antivirus software have caused the collective leakage of millions of user records. Here are just some notable ones:
- Thousands of Ivanti Connect Secure VPN devices (including U.S. government agencies) were compromised due to the exploitation of high-severity vulnerabilities. This breach affected numerous organizations, highlighting the vulnerabilities in widely used VPN solutions.
- AT&T learned in April about a breach affecting more than 73 million of their current and former customers, with sensitive information such as Social Security numbers and account details leaked. The data dates back to 2019 and was found on the dark web in March 2024.
- A brute-force attack led to the exposure of data from 49 million Dell customers, including names and addresses. This incident raised serious concerns about Dell’s cybersecurity measures and the effectiveness of their firewall protections.
- 145 million records from Change Healthcare were leaked, including sensitive personal information. This is so far one of the largest healthcare breaches in history.
- Over 560 million records from Ticketmaster were exposed in a breach that included personal and financial information of customers.
Without giving too much away, can you share one of the 12 steps that you believe is most critical to authentication security yet often overlooked? Why do you think this step is so often ignored, and how can one implement it effectively?
Again, above all else, it’s the need to understand that security is only as strong as the weakest link and, therefore, you need to implement ALL of the steps set out in the book. For example, you could have the best VPN, firewall and virus scanner, but if a hacker or other bad actor can successfully pretend to be you (i.e. identity theft) when logging onto your internet banking service, company network or other private online service, your VPN etc. won’t be able to protect you, your money or your data. I often say you can have the tallest, strongest walls around your house, but if the wrong person can pretend to be you, then your family inside the house may let that person just walk in the front door! Similarly, strong authentication and identity protection alone are not a ‘silver bullet’, but they are important, so we all should use two-factor authentication and minimize as much as we can how much personal information we share online as part of our overall online security and safety plan as outlined in my book.
“There’s plenty of easy-to-follow advice to improve online security, but mostly coming from content creators with experience, not expertise. Phil’s book, which I had the pleasure to read before it was launched, may look like another online security checklist, but this time coming from a veteran in the cybersecurity industry and the best in class. That makes it the most authoritative cybersecurity resource that everyday people like you and me can afford (not even 10 bucks!) and actually understand.”
Roberto Popolizio, managing editor at Safety Detectives
🔎 Stay Safe Online: 12 Critical But Simple Steps is available on Amazon (Kindle edition).