Page 15 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

Meanwhile, two-factor authentication doesn't prove identity at all. Instead, it simply provides hope … that email accounts, devices and apps haven’t been hacked.

Strong authentication using biometrics shows great promise in replacing passwords by moving beyond the “something you know” (knowledge) factor to the “something you are” (inherence) factor. Biometric factors are physical characteristics, typically facial, fingerprint, or voice recognition, used to verify a user's identity.

However, capturing user biometrics is one thing. Securing them is a completely different challenge, because, just like passwords, digitized biometrics can be stolen.




Passwordless is the Future

Recent breakthroughs in standards and technologies make passwordless authentication not only possible but cost-effective and convenient. For example, NIST standard 800-63-3B covers how users can use enrolled identities to authenticate who they are without usernames or passwords. The industry term for this is passwordless authentication.

Meanwhile, passwordless authentication has been popularized by the Fast Identity Online Alliance (FIDO), a non-profit industry consortium supported by such companies as Google and Microsoft.

Its main standard is FIDO2, which enables users to store their biometrics behind a cryptographically secured public-private key pair. The private key is stored in the Trusted Platform Module or Secure Enclave of the device. That key (what you have), combined with a biometric such as TouchID, FaceID or LiveID (what you are), provides the two factors needed to verify that the user can be trusted to access an online service.
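The exchange described above, as an added example in Go that is not code from the article or from the FIDO Alliance: enrolment hands the service only the public key, login signs a single-use random challenge, and the private key is used only once the local biometric match succeeds. The names NewDeviceKey, DeviceSign and RelyingParty, the relying-party ID "example.com", and the boolean standing in for the biometric check are all constructed for this example; a real authenticator would keep the private key inside the TPM or Secure Enclave rather than in process memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// NewDeviceKey plays enrolment. On real hardware the pair is generated inside
// the TPM / Secure Enclave and the private half never leaves it.
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// DeviceSign plays login on the device: the key is used only after the local biometric
// match (stubbed as a boolean), and the relying-party ID is hashed in with the
// challenge so a response produced for one service is useless at another.
func DeviceSign(priv *ecdsa.PrivateKey, rpID string, challenge []byte, biometricOK bool) []byte {
	if !biometricOK {
		return nil
	}
	d := sha256.Sum256(append([]byte(rpID), challenge...))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return sig
}

// RelyingParty is the online service. It stores only the public key, so a
// stolen database yields nothing to log in with, plus one single-use challenge.
type RelyingParty struct {
	ID      string
	Pub     *ecdsa.PublicKey // registered at enrolment
	pending []byte           // outstanding challenge, nil when none
}

// Challenge issues 32 fresh random bytes, valid for one login attempt only.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending = c
	return c
}

// Verify checks the signature with the stored public key and consumes the challenge.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	if rp.pending == nil || string(rp.pending) != string(challenge) {
		return false
	}
	rp.pending = nil // consumed: a captured response cannot be replayed
	d := sha256.Sum256(append([]byte(rp.ID), challenge...))
	return ecdsa.VerifyASN1(rp.Pub, d[:], sig)
}
```

Note what the service never holds: no password, no biometric template, and no private key, so a breach of its database does not hand an attacker anything they can log in with.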

For passwordless to work, certified authentication must provide a high level of certainty about the identity at the end of a connection. Identity thus becomes key to the security perimeter of an organization and removes the anonymity behind compromised credentials, which is also central to helping organizations move to a zero-trust architecture.

To ensure the success of passwordless authentication, the biometric must be sophisticated and non-hackable. A “live selfie” is a must, using technology that detects depth of field, specific facial movements, and all signs of photo and video manipulation.

The authentication mechanism needs to have a high degree of interoperability and be easily integrated with operating systems, user stores, devices, SSO, and other applications, preferably via API / SDK.

As user biometrics represent a high-value target for hackers, they should also be stored as safely as possible.

Centralized administration provides a honeypot target ripe for ransomware, hacking, etc. Conversely, distributed ledgers offer a vastly superior approach to security and facilitate user privacy in the management and control of their own information.






