Site icon Easy Prey Podcast

The Passwords Are the Problem with Thierry Gagnon and Philippe Desmarais

Easy Prey
“The attackers only need to be right once. The defenders need to be right 100% of the time.” - Thierry Gagnon Click To Tweet

With the use of passwords, we’re hoping to ensure privacy and security, but sometimes it is at the expense of convenience. As technology changes and biometric databases become more utilized, we need to remember that they may also be hacked. 

Today’s guests are Philippe Desmarais and Thierry Gagnon. Philippe is a tech entrepreneur who co-founded Kelvin Zero and currently serves as its CEO, overseeing the company’s strategic direction. He is also a member of the Next Generation Advisory Council at Rockefeller Capital Management. Before creating Kelvin Zero, Philippe played a significant role in various start-ups, focusing on data analytics for political campaigns, remote hardware device management, and cybersecurity.

Thierry Gagnon is co-founder and Chief Technology at Kelvin Zero. He is an expert in software development, malware analysis, cryptography, and reverse engineering. He has been actively involved in the cybersecurity community, participating in renowned competitions and projects such as Malware Information Sharing Platform.

The Passwords Are the Problem with Thierry Gagnon and Philippe Desmarais Click To Tweet

Show Notes:

The Passwords Are the Problem with Thierry Gagnon and Philippe Desmarais Click To Tweet

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Gentlemen, thank you for coming on the Easy Prey Podcast today.

Philippe: Thanks for having us, Chris.

Can each of you give a little bit of background about who you are and what you do?

Philippe: I'm Philippe Desmarais. I'm the CEO of Kelvin Zero. I set our strategy and our vision for where we're going at the company. My background: I've had a front-row seat at both highly regulated business and government settings throughout my life. I've studied criminology, I've worked in business, and I've always been very close to technology. I've worked in data companies. I've worked in remote management of a hardware company and now Kelvin Zero.

Awesome.

Thierry: In my case, I'm Thierry Gagnon. I'm the CTO of Kelvin Zero. Philippe and I co-founded a company five years ago together following a joint acquaintance, I guess, at the time, Philippe. That put us in touch, and then we eventually discussed cybersecurity and got along quite well.

Awesome. Was cybersecurity your plan coming through your education, or was it just where your careers went?

Philippe: Thierry is an expert in cybersecurity. I think his career definitely was cybersecurity. I've always been fascinated with crime. I've had computers. One thing just led to the other, meeting Thierry, and developed that passion with Thierry.

Thierry: In my case, cybersecurity may have been a calling. I remember my parents had the Commodore even before I was born. I was born with it, started playing computers, and tinkering with things over time as I grew up. I really, really got hooked on security after watching the Hackers movie. Maybe a few months after it got released—I was 10 at the time; I'm quite young—it got me hooked and considered it for a long period of time.

I failed a bunch of different things in the 90s. Basically in security, I really like anything phreaking. Not so much experience with it but definitely looking at designs and building some of the boxes that you could find online at the time.

I got to a point where in school, I had to make a choice as to what I was going to pursue as a career. I looked at computer sciences. Back then, there were no real specializations, classes, courses, or anything in security. I decided not to go down that path. I ended up in human kinetics, a completely different horizon from computer sciences, training people and looking for high performance, but then that joined back when I decided to actually go back to school and take on computer sciences.

Basically, that was prompted following an injury. That made it hard for me to pursue the athletic path, so I played video games in between the two. I got to become a fairly well-known individual into the eSports scene, where basically, the title was chief referee for the game Counter-Strike. One of the tasks was to defeat cheating and going all the way back to cheats in the mid-2000s.

We're actually quite advanced. If you look at what they were doing from a cheating perspective, some of the malware turn actor groups right now are just barely getting there. It got me into the cybersecurity path following that.

We're definitely kindred spirits. As a kid, I had a Commodore 64. Back in the post-college days, my roommate and I spent probably way too much time and money playing Counter-Strike.

Thierry: I was lucky to stay away from spending too much money for it, but ideally making some with it. Ultimately, I think it gets you into computers to some extent, I think, at least for me.

Yeah, we both had custom-built computer rigs that were like, “OK, what's the best graphic card that's going to work with this game and not that game?” It was a fun time, and a lot of things have changed since then.

Thierry: Definitely.

Let's move our discussion into passwords. Do you guys have much of an awareness of the history of passwords?

Thierry: We've been using it for a long time. When you think about it, knowledge base secrets in general, whether it be in the digital system or not, have been around for a millennia at this point. From a historical standpoint, it's something that we definitely have an interest in. But also as to the use, we can apply these principles into our daily lives, whether it be again in the digital or in the physical world. Those are two aspects that we look at in general and say, “Well, OK. Can we actually improve on this?”

As human beings, we'd like to think we're getting smarter. I think we often confuse being smart with being faster. -Thierry Gagnon Click To Tweet

As human beings, we'd like to think we're getting smarter. I think we often confuse being smart with being faster. Or nicely, even being faster, but simply having a bigger throughput from different ways, and basically being able to brute force our way through things in life. We often overlook this part. Passwords being something that interests Philippe and I, both. It's something that could be changed, could be addressed, could be improved, definitely.

I'm one of those back in the day. I had a password that I used for everything, probably like everybody did in the late 90s. It's been very interesting to see how the landscape has changed and the realization that in those days, maybe we had two or three systems that we had to remember a password for at most. Nowadays, hundreds is probably even on the low side for many people.

Thierry: From a statistical standpoint, I think depending on what research you are actually taking numbers from, it typically ranges over 240 on average per individual. It's quite a lot.

And that becomes well beyond a human's reasonable capacity to manage in a way that's actually safe.

Thierry: I'm not sure what you're saying here, like, who uses a password, right?

Yeah.

Thierry: I was saying, the management of passwords is obviously an issue just by the sheer number of different credentials that we need to carry around. There's the whole problem of a password, not really something you really need to know, specifically. When you think about it, it's just an evaluation of a value. As long as the input value actually matches the expected outcome of hopefully a hashed and salted password, you're in.

We often believe that when we talk about authentication, that we have different factors in authentication, and that the knowledge base ones, such as the password, are actually attached to knowledge. But in reality, they could also be attached from all the text that's passed a hash or things like that that have been explained in the past. It highlights the fact that it's actually not all that much anchored into the knowledge of the individual. That's if you have the right individual in front of you.

 

If I'm using a password manager, is the password really knowledge anymore?

Thierry: There we go. The thing is, is it knowledge or is that something you have? You have it.

When there's a password manager, it's definitely moved to, I guess, your second factor, so to speak. It's something that you have because there's a button I press that regurgitates something that I don't know what it is.

Thierry: Exactly. Even when we say something you have with some of the services that are out there that runs it as a SaaS and actually stores the passwords for you, really, you don't even have any more. All you have is then you may have a single-factor password that you use to log into your password manager on that service that then regurgitates something for you.

If these sources get compromised—and that has happened; we've seen everything around the LastPass breaches—what do you do? When did we think it was maybe a good idea to centralize everyone's password in a single place, have it in someone else's hands, and then use this as the way to actually provide authentication from all the other resources that we can think of an individual can access?

For us, when you think about it at that point, it may almost be as secure as if you were keeping it in your desktop/super-secure file, dontread.txt type of thing. That's what I meant earlier when we said sometimes we confuse being smarter versus being faster. In reality, here it shows that we can compromise passwords at scale when people are writing them on pieces of paper and definitely not in a remote setting.

Nowadays, though, with some of the services that are out there, that can be done remotely. It can be done at scale. It can be done at machine speed, basically. And it can be done on such a large scale of the amount of users that it makes it a no-brainer for threat actors to target these systems.

That's how the threat actors got smarter, or they just got faster in the same way?

Thierry: I think we've made them faster. We've enabled them to be faster and smarter. I think they're just as smart as they were. I think one of the realities, one of the parenting that exists in cybersecurity that we, at least at Kelvin Zero, are really focused on trying to change, is that when you look at the cat-and-mouse game that takes place in cybersecurity—something has been mentioned in your podcast several times—it's a numbers game. Whether it's a scam, whether it's cybersecurity, it's the same principle.

The attackers need to be right once, and they'll probably make their own way for a pretty long period of time. The defenders need to be right 100% of the time. - Thierry Gagnon Click To Tweet

The attackers need to be right once, and they'll probably make their own way for a pretty long period of time. The defenders need to be right 100% of the time. We need to flip these odds around for it to be really useful for us to build an economy that's going to depend on the digital world and bridge a gap between the physical and digital world. It's something that's hard to achieve.

Are they getting smarter? I don't know, because typically, the approach in cybersecurity is to try to come up with generic solutions that solve a lot of different problems. The reality, though, is if you have a good adversarial mind, you will find the gap that you need to find to get into pretty much any system. Given enough time and resources, it's game over.

I don't believe in an unhackable system or anything like that. Just by experience in different things that I've seen, I've spent a whole lot of time in the federal government in Canada doing cybersecurity work. There's no limit.

Unhackable systems are like unsinkable boats.

Thierry: Yes. One doesn't go without the other, technically.

Famous last words.

But ultimately, there's no such thing as an unhackable thing or system. It's a fallacy to really think that there is. -Thierry Gagnon Click To Tweet

Thierry: Exactly, unless you're a great swimmer. But ultimately, there's no such thing as an unhackable thing or system. It's a fallacy to really think that there is. 

Again, when you do think you're safe from anything, you're just asking someone to come up with a more creative, unique solution to the one problem that they're given to try to target and compromise you, versus you having a very broad, maybe multi-layered but generic approach. Nonetheless, you're probably not going to be able to cover all the edge cases that someone can come and type to go with.

The attack surface that is available is unthinkable and unfathomable for most users. That's where it's costly. Especially if we're comparing organizations versus individuals, this is a striking difference.

We were talking before we started recording that individuals are not in a place to be able to manage anything beyond basic cybersecurity. We're lucky if people are using two-factor authentication. You're lucky if that's the case. You're lucky if the person installs an update on their phone within a month of it coming out, let alone their printer, their router, their television, their refrigerator. The individual is not qualified in many cases to be their own cybersecurity specialist.

Thierry: Correct, and the default approach that a lot of the companies are taking is not to secure the user first. They're really in it for what they want to grab from the user first, and then they're going to move on to, “Oh, here's an option.” If you know about it, if you know what you're talking about, you can maybe hope to improve your current stand. Nicely get secured. Just improve your current standing.

No matter what you do as an individual, the reality is, as an individual, you're not going to have your own SOC running 24/7 to monitor what is happening about your home network or any of your resources you may be using in your daily lives. And that's a problem.

What's the solution, or what's the direction to move?

Thierry: I think when we look at passwords, I think one of the approaches definitely has been to move away from them, to go more passwordless. This is something that we worked on ourselves on a day-to-day basis. There are different approaches to do this.

The approach, regardless of the actual way of using the technology, a product, or a service that you could be applying, is how are you actually going to be able to put in the hands of the right people that can provide a level of trust that can be recognized both in the physical and digital world, and from there, they can actually distribute it and put it in the hands of their end-users, customers, or employees, whatever you want to insert here as a term, but ultimately, have them be secured by default?

A lot of people have been talking about secured by design as a way of developing technology, and it's great. But again, I've been that. I've been a software developer for a long time now, specifically in cybersecurity, for over a decade doing software development. 

What does secure by design mean? It's not something that's concrete and clear for even people that are looking at us and working in that field on a day-to-day basis, per se. We get the principle, yes, but the reality is that this is pretty much never the option that a software company is going to take when they actually build a system. We believe in a different approach where if you are secure, then you actually enable yourself to do much more than you can in the current ecosystem. 

I think this is something Philippe can speak of a bit more on the business approach as to what can be done and how different companies could be working to actually really improve the overall cyber posture of the economy.

Philippe: I think one thing that's rarely discussed, even when you've talked about passwordless or just cybersecurity in general, is that if you do it properly, it presents a huge opportunity, because it's such a massive problem. If you can protect end-users, and you can know who the end-user is with very little uncertainty, then actually the world is your oyster.

What's stopping a bank from innovating? It's the regulation or scared of being in violation. Part of that is knowing who's on that other end. When you talk about something you have, if I can take that, then now I'm you. That's a big issue.

The opportunity side is where I always look at, especially when you're talking to these businesses, because it's not true that it's just a cost center. Cybersecurity is an opportunity. It's an opportunity to innovate, to have the freedom to innovate, and go after the type of business that you want to do, instead of being reactionary and having to shut off opportunities where big tech is eating your lunch because they don't have the same types of regulations.

What are some of the examples of where big tech has, I was going to say more freedom, but less regulation versus a financial or a medical institution?

Philippe: If you just think about the financial services and the identity of how they play their game, no one has better identity data than the banks. What are all the fintech and big tech companies doing? They're trying to get that data, so you see it pushes towards open banking. You see it pushes towards all of these different solutions where we can aggregate different credit cards that you have or the different banks that you have.

I can start formulating an idea of who you are, because the bank can't really play that digitally. They have to be very cautious about their application and how that application interacts with third parties and all that type of thing that the customer has decided they want. Rightfully so, the innovation is there, but the protection and the security level is not there yet. That's the delta in the competition.

What ends up happening is once a big tech company can offer you a multitude of banks on a channel, and they can serve you that, then actually, the bank just becomes a utility. Which bank is going to serve you the lowest interest rate or whatever it is? Financial product, the best financial product, choose that one this time, choose that one this time. I now own the brand. I own the customer. That's really the problem.

This passwordless is so much more important than just password lists and securities. Who owns the end-user at the end of the day? Who owns that relationship? -Philippe Desmarais Click To Tweet

This passwordless is so much more important than just password lists and securities. Who owns the end-user at the end of the day? Who owns that relationship?

I can think of a couple. Who are the big players in trying to get into owning the relationship? First and foremost, we think Google as a big player in trying to own that, Facebook to some extent. I'm not sure that they’re nearly as savvy at it as Google has appeared to have been. What are some of the other players that are trying to own us in that sense?

Philippe: There are a few different fintech companies that play this game, where they're trying to aggregate this data, whether it's Mint or whatever it is. I can't speak that that's their exact game, but these are the big players that are doing that. Apple has Apple Pay as well. They want to know what's going on on your credit cards and see what payments are happening. They say they're private. Sure they're private, but not to the level of a bank.

What do we do about that problem?

Philippe: This is a bit of the reason why Thierry and I got going. We fell into where we're at with Kelvin Zero. But essentially, what we're really after is ensuring trust in the digital transaction. We want these highly regulated institutions to have that relationship with the end-user. We don't want any of the information. 

We want to create a system where they're able to identify who's on the other end of that transaction with very little uncertainty, where they can decentralize the control of their tech stack so that the end-user has a less clunky interface to work with.

It's very complicated when you have to then call and validate who you are, and you're going through these different levels and procedures of the bank. In order to do that, you have to be able to have the privacy and all of that jazz that comes with it. What do you need? You need to have accountability and governance.

This is a really key piece. The physical world versus the logical world has a difference here. In the physical world, they know who I am, they've got the relationship, and they're able to see that. In the logical world, I'm just entering here. I could be who I am, I could not be who I am. We really don't know yet.

With Kelvin Zero, what we're trying to do is we're trying to give them that logical world that creates the physical world, where you cannot only identify who you are, but then you're able to transact freely with all this different opportunity that is presented.

I'm not sure if it's entirely clear, but that's true. Most emerging technology is not clear to us.

Philippe: Thierry, do you want to take a better run at that?

Thierry: Maybe one thing to mention is how Philippe ended. In the real world, we have a process of identification, which is not really something that exists in a digital world. We have somewhat of a digital ID, which a lot of people would refer to, really, if I wore it down maybe, but it comes back to your usernames and your online identities. That's what we like to call them.

It's not so much, again, the reputation that you have on someone really being the person that you think they are, regardless of the claim and if they can authenticate against the claim that they make, which then that's the authentication part. It's not something that really exists today. There are all sorts of different ways to track users across different sites, across different platforms, across different devices, across different networks, to the point where, in reality, when you look into this, that's where it gets involved with the privacy side of things.

People are going away from cookies. We now have network IDs. When you look at the tech stack that an individual uses, whether it be in the corporate environment or not, if you are running a computer—it's something that I've noticed recently—for example, if you do run something even on a VPN, and you're using Chrome or any of the browsers of the big tech companies out there, they'll be able to tell that you're not connecting from the same IP. It doesn't match the actual user that's not necessarily even logged in, just the actual device ID fingerprint that they have based on the browser use.

This is something that's not really new for someone in the tech world, but for most users out there, they're wondering. When they say, “Oh, I was talking to some friends, and I've sent messages over Facebook Messenger about a given topic. Then I'll have that ad, and they're listening in on my conversation, et cetera.” Maybe they are. Even if you turn it off, the reality is, people have a hard time understanding how these different organizations are able to get the information back from either the software or the services you're using, because they don't understand how they work. That's the unfortunate reality, I think.

Technology is moving at such a fast pace that most of the population is left behind not understanding how it can be used against them to really benefit these different corporations. -Thierry Gagnon Click To Tweet

Technology is moving at such a fast pace that most of the population is left behind not understanding how it can be used against them to really benefit these different corporations. They're after the bottom line; that's OK. That's what they should be doing. But at the same time, we're not actually setting the grounds up for truly world-changing technologies that could be superb if we would have a bit more security and a bit more privacy in general.

We'll get into the medical space, which is something that we're interested in. How do you convince people to share medical data to better either care or treatments that can come out of research on online technologies when there are breaches left, right, and center? Some companies will use that information to market you something, and then you'll be like, “How did they know this?” You can't do the one-plus-one-equals-two in this case.

The end result, really, is just a less-than-ideal outcome versus what we know we could be establishing if we were just actually giving a bit more of that control that Philippe mentioned earlier, relinquishing it from a business model standpoint almost to the end of the user. 

The reality is also this: Everyone in the world is always in cooperation in one way or another. When you use a bank, or when you use any service on the web, it's not just the service that is doing something. It's not just you that is consuming something, it's bidirectional. It's always two ways at the minimum, if not more. If you're dealing with a bank, they typically deal with thousands of third-party service providers that will have access to your data. You basically have that right away.

Just managing that is a challenge. How do we get to a level of providing a way for individuals to be able to navigate these waters safely and not compromising on security and privacy for more convenience but actually trying to get both? That's ultimately the real answer. It's to be able to put it in the hands of people that have no incentives and actually abusing that relationship, relinquish that part of the control and put it in the hands of the user, so that every step is part of a corporation process, basically, between the two, whether it be client and server or end user and service provider.

Isn't always the push against that going to be the business that is looking to make additional profit margin in the sense of, “I've got this medical data. My organization is struggling financially. If I just sell a little bit of this, then I can pay my corporate bills”? There's always this push against, “Well, yes, it's in the best interest of my customer to never sell any of their data to anybody, but that's not in the interest of my shareholders who want to see corporate profits.”

Thierry: There's a big aspect of acceptability in this where I think most users want privacy. But what is privacy? Is privacy anonymity? Or is privacy not allowing anything to be done or known about you? Or is privacy maybe a bit more lenient but getting to a place where you should at least have the control to allow or stop it whenever you want to be able to use your data and actually have to force deletion, let's say, whenever there is no law that prevents it from it being deleted, obviously?

For you to be able to say, “Well, that was great. I love these tailored advertisements on my device for a little while, but you know what? I'm ready to move away from those, and I'd like you guys to get rid of my data for you not to be able to target me that much more.” Where's the problem in this?

I think a lot of organizations would be able to, and I believe there's a market for privacy. We're all here talking about privacy and security for that very reason. I think some people are actually definitely into the market of making sure that your data is protected, not mishandled, and actually used how you intended it to be used.

Thinking from the medical perspective, if I go see my doctor, I want them to have the history of my heart rate from my smartwatch. I want them to have the history of the scale that I stand on every morning, the history of the water bottle that tracks how much water I drink. 

When they tell me, “Hey, we need to send you to this specialist,” I want the specialists to have all that data. But as soon as the specialist says, “Your treatment is done,” I don't want that data sitting at the specialist anymore. I want to, like you said, retract it and put it back in this nice little box where it's safe.

Thierry: That's an idea that I think most people would agree should be their idea. If that's the case, we just need to find a way to actually monetize that aspect.

Philippe: Technology should serve us fundamentally. It should do what we want to do. If I go see a doctor, back in the day, I'd bring my file with me and there we go. Today, it sits there, and then it's there, and it's duplicated everywhere. I don't remember where everything is.

And then someone exploits the medical API somewhere, and now they have it.

Philippe: That's right.

Thierry: In the press, you often hear these stories and breaches of very high-profile organizations. But the reality is, we've done a quick analysis very quickly at Kelvin Zero a long time ago. What would be the ideal targets to get the most information about an individual? If I target a travel agency or service, say, a car dealership, I have pretty much everything about you, except maybe medical history. How many of these organizations do you think are running a proper cybersecurity program?

Why would I waste time to even go after the big targets? You think these guys will notice they've been breached? It's an unscalable problem because we outsource IT more, and more, and more towards these big tech organizations. 

[…] private talent into this regulated environment. Does it make it appealing for individuals in talent to actually end up working in some of these regulated environments? Why? I'd rather go to the big tech companies, because these guys are doing something cool, something big, something black shields.

How can you attract talent or really serve all these different organizations when there's a shortage in cybersecurity? It's been something that's been set for a long period of time. There's a shortage of talent for any job at this point.

The flip side is I don't want my travel agent having to be a cybersecurity expert. I want them to spend their time and effort being the best travel agent that they can be. The cybersecurity, I don't want to say, takes care of itself, but where they don't have to worry about that. They have the confidence of, “I can provide my service, and I don't have to worry about people stealing the data, people breaking in the back door, or getting access to the bank accounts.”

Philippe: That's why we're working with highly regulated institutions. We want to enable them to be able to serve all of those groups and validate end-users as they go across the economy. They control the economy anyway.

What are some of the ways that you can start validating people other than usernames, passwords, and one-time PINs?

Thierry: Basically, that goes back to what exists in the real world that does not exist in the digital world. It is to create that fabric of actually creating an identification system that doesn't necessarily have to match to your personal information, by the way. 

We know how to use pointers in programming. Why can't we use the same principle to have access to tokenized data about an individual? -Thierry Gagnon Click To Tweet

We know how to use pointers in programming. Why can't we use the same principle to have access to tokenized data about an individual? Actually, you know that it's a specific individual, that someone somewhere has a record of knowing who that is. It can't sit with the government. The government knows your identity anyway. They're issuing it to start with at that point, whatever.

What you don't want is you don't want your government to be spying on you and tracking every little move that you're doing. However, if they're just a provider of a tokenized version of your identity, and someone else keeps a record of what you've done with them, and if they need to prove it by law and they have proof, that creates basically a pseudo-anonymous, or at the very least, identification system that can be based off cryptography.

If you pin that, and you anchor that with something—this is where we get into what our approach is—anchor it back to an authentication system as well as a verification on the client side, the user side, pre-authentication to the server—then you get to a level of actually being able to minimize at least a replication of an identity of a user that's using something without actually having to know who that user is, which in my mind, would be ideal, or at least a very interesting offering for creating a system.

Because you have that in place, then you can move on to a better authentication system by default. You could have an MFA by default. Why is that not a thing? You would be surprised even by how many enterprise systems right now—IDP and IM solutions in general—even if they offer a password to this offering, they force you to still enter a password to start with.

Like what you were saying about the routers earlier when we're discussing pre-recording. It can be breached before you actually put the security measure in place, ultimately. Typically, you wouldn't act that fast if you take it out of the way. The only real reason why this is the case is because there's some genius at some point that said it's a mandatory field in a database, because back then all we were doing were password-based credentials.

We're stuck in that reference point.

Thierry: Basically. Moving away from it, I would say, kick the can at least a few meters out, a few feet down the road, basically. When you get to something where, “OK, well, can we actually address the problem of having a single-factor authentication for sure?” is something that I think is probably a bit more known than moving to multi-factor solutions. That's great. That's a good first step.

But also getting away from the problem of being only the server authenticating. Because then, what it's all going to do is it's only going to shift the problem to the organization doing the authentication. When they get compromised, then you start over.

It's a very interesting world. In some sense, it's good that we can have these conversations. I would say we've probably waited too long, not the three of us here at this moment, but I think as a technological society, we're behind the game, behind the times, behind where we need to be in the industry.

Thierry: For sure. We've avoided and we kicked that can down too many times, basically. Now, we're so far from where we started and have the chance of actually fixing some of these problems at their roots that we've just been patching all along. Even as a kid, if you're building a sandcastle as high as you can, at some point, you're going to have to improve your base.

A pile of sand is not going to get you a hundred feet high.

Thierry: Or you're going to need a very wide, very broad pile of sand at its base, and then you're going to have to build it up gradually on top. We built it, and then we kept building on top. 

We may have to go back down at some point and say, you know what? Let's address some of these issues at their roots and build on top of that to allow us to do all these great ideas and use cases that we think we can be achieving, but that would have an issue being either adopted or would have some ethical concerns from a security standpoint, from an ethical standpoint. Everyone wants to move fast, technology wants to move fast, and it's going to move faster, regardless. 

One of the concrete approaches that we can use to actually address some of that problem that I mentioned earlier is if we were to create a system that allows for pseudo-anonymous identification without at least sensitive information being exchanged or shared, you could still profile someone. You could still sell something. You could still improve your margin as a business. But then you don't run the risk of leaking that personal information from your client to someone else.

Biometric is one such way to pin back and anchor back the persona with the client-side verification that happens pre-service of an authentication. But even then, we see some organizations moving and just building these massive, centralized biometric databases, which are just bound to get compromised one day. And then what? You just ruined it for everyone who was using it?

Somewhere in my mind, I seem to remember a sci-fi movie that whenever you needed to authenticate, you had to do a pinprick of blood everywhere that you went.

Thierry: Those sci-fi movies are actually great for that sometimes. They predict the future. We actually built our product called Multi-Pass from The Fifth Element idea here of that little card. That does everything in a movie. They can pay with it; they can log in with it; they can get into VIP parties on whatever spaceship they're on. Sorry for all The Fifth Element fans here, but it's the reference.

The idea is this: How can we avoid the mistakes of the past and move passed that into the great ideas that we have today, that we want to see in the future? I think when it gets to biometric, this is something that we need to really take time to take a good look at. Yes, there are ethical reflections on it, but there are bad approaches that we know already should just be avoided altogether.

I immediately start thinking of AI cameras, training, data, and having to, “OK, how do we separate ourselves from our cultural and ethnic biases and have a wide enough system that works for everybody, not just people who look like us and sound like us?”

Thierry: I think we need to have the reflection as to, “OK, well, what biometric technology can be used for what purpose?” I think, actually, let's say facial recognition is great at doing identification without actually revealing necessarily some specific sets of information about an individual. I think it's a terrible way of doing authentication, though. Why? Because content actually creates solutions to bypass these systems that are readily available. Pictures and videos of individuals are already available anywhere on the web these days.

The equivalent of what used to be a dictionary attack, or basically a start to get into the rainbow tables way of how we used to break passwords back in the days. We just basically went 30 years back in time starting over, this time with biometrics, something that's going to be much harder to change than a password, which we were already pretty bad at changing whatever it is.

In the current system of way of doing things for consumers, I'll just try to whittle it down with where consumers are today. What you're doing is awesome, but it's not in the hands of consumers yet. What's the one data point, one system, one point of identity with the most risk that they really need to put the most effort into maintaining and securing?

Thierry: I think we see a lot of governments already talking about digital ID initiatives. They're already in place in some different jurisdictions, different countries. Others are working on them, and some are just looking at what others are doing and waiting. They do a wait-and-see, and they're going to reevaluate after a bit of time.

I think this is definitely one aspect where individuals need to pay attention because it's most likely going to become that de facto way of identifying yourself in the digital world. And maybe even in the physical world where people are not relying on physical aspects that we used to be able to leverage and actually only rely on technology to do it and trust it. 

I think that's one of the aspects that we need to look at, make sure that they're well-secured, and that the principles that are used to build that—respect privacy and respect security principles—as a foundation.

In terms of an actual solution for an end-user, what can someone do? I think my view on this is similar to what we were mentioning on password managers. Let's not go full circle and go either one way or the other. If we have a fully centralized system that does that, it's bound to be a massive target in a matter of time. What's the ROI for me to be able to compromise it? It's just going to eventually happen.

On the flip side, if we go fully decentralized, OK, well then, it doesn't really offer a great, as we were mentioning, cooperation. The reality is the identification process always happens again with at least two entities: the person that wants to get identified—I say person, it could be an object or a system—and then the actual party doing the identification itself.

In reality, you're only who you are because you're recognized as who you say you are. If no one recognizes you as such, their self-issued ID is of very little value. These solutions are going to be in the middle, and I'm not actually here to do a massive pitch on what we do or anything like that. But I'd like to think that ultimately, a solution that would strike a right balance somewhere in the middle is the answer.

No one location for all the control, so to speak, or all the data.

Thierry: Correct, and I would go even as far as saying no one single point of applied control on these aspects of data.

As we wrap it up here—we went longer than we thought we were going to go—any parting advice, and then we'll talk about where people can get a hold of you? And where can people find out more about what you're doing?

Thierry: We won't repeat it enough. Please go away from single-factor authentication. Please go away from password if you can. There are solutions out there, and we do offer solutions. Is it really available in the hands of consumers? No. Just request it maybe to some of your regulated institutions as we mentioned, whether it be healthcare, whether it be financial institution, whether it be your government, or anything else, really. They're actually out there, they exist, and they can be integrated into a much bigger fabric than the typical authenticating solution that exists right now.

I would say, let's try not to mix highly sensitive information with leaky devices. That's typically a step that a lot of individuals have taken. They're using cloud services, they're using phone-based storage as the place to store everything, and actually maybe look at solutions that offer you. 

Instead of having a cloud-based password manager that manages your vault for you, maybe you store a backup to your key that unlocks something that you have across your different devices yourself that you manage. It can be a very simple setup as a way for you to unlock some of these credentials. Again, it doesn't have to be a password.

I think biometric can be quite useful. Again, be aware of where you use it, where it's stored, because you're not going to have a second chance on changing your mind on this one. Once it's done, you're owned.

I think maybe the analogy of online backup is great. But if what you're backing up isn't encrypted, it's vulnerable in multiple places now. It's enough, but it's vulnerable.

Thierry: Correct. And even when encrypted, if gathered all into the same place, threat actors are going to go after that. They're going to see that very easily. It's going to create a massive target for them. They're going to find a way in, they're going to take that.

You may be OK. You may be getting away from it for now. It's a matter of time. Ultimately, some users that would have depended on that encryption hoping that it'd be strong enough are going to get breached. Why? Because the key they used was not strong enough, for example. For any other reasons, ultimately, it's going to be hard.

If you have it, that's where we need to be in between the decentralized and centralized aspect. If your backups are decentralized in such a way that you're not going to be able to compromise every individual in the whole world using that authentication service backup, because they're individually stored in separate places but only have the authentication server, not the storage of these credentials that's a bit more centralized or streamlined, then you strike that right balance of not making it easy to steal everyone's credentials, but also making it convenient for users to be able to do, from a user standpoint, almost an SSL across all the services that they're using.

Nice. If people want to find out more about Kelvin Zero, where can they go?

Thierry: kzero.com, that's our website. They can look us up on LinkedIn. We can probably provide the link for you guys to find it from the comment of the podcast. Feel free to get in touch. I'm always in for a good discussion. As you can tell, I can be chatty. We're usually having a good time.

Awesome. We'll make sure to link to Kelvin Zero, as well as each of your guys' LinkedIn profiles in the show notes. Thank you so much for coming on the podcast today.

Thierry: Thank you for having us, Chris.

Exit mobile version