Can You Finally Go Passwordless with Your Data? Hemen Vimadalal, Founder & CEO, 1Kosmos Shares Insights

1Kosmos BlockID is a distributed digital identity platform supporting both business-to-employee and business-to-consumer services that easily integrates with existing operating systems, applications, and IT security infrastructure to perform strong, verified identity-based authentication – eliminating the need for passwords, one-time codes, and more. We talked to the spokesperson, Hemen Vimadalal, Founder & CEO, 1Kosmos and asked him to shed some light on the technology.

How did you come with the vision and concept behind Passwordless, and how do you think it will change the way we protect our data?

After consulting with industry-leading CISOs, former members of the National Security Agency and the Department of Homeland Security, I realized the key vulnerability in passwords was not knowing who is on the other side of a digital connection. It wasn’t enough to eliminate passwords. We needed a way to prove identity at each claim of identity. That starts when you onboard a worker or customer and continues every time a user requests an online service. We needed a re-usable, indisputable digital identity. But, identity by its very nature is highly personal by nature, so privacy needed to be just as important as security. This is the fundamental construct behind identity-based authentication. Security without compromising privacy, and it’s a game-changer because it not only eliminates the threat of password-based attacks but gives back the control of the IT network to the CISO and their team from unauthorized users operating behind compromised logins.

Why do you think Biometrics are a safer option? We have seen instances where Biometrics have also been by-passed. How will Passwordless tackle that?

Biometrics are harder to spoof than passwords are to hack, but like other types of personal information biometrics once captured in digital form can be stolen. This makes capture and storage extremely important, and this is why we have opted for a distributed identity platform certified to industry standards including FIDO2 and NIST 800-63-3, and have developed in strict compliance to the W3C-DID and W3C-VC standards.

Also, while spoofing a biometric can be difficult, it’s not impossible so biometric authentication needs advanced anti-spoofing technology built into it. AI applied to live video streaming facial recognition offers some great capabilities there. But, importantly, a biometric doesn’t necessarily solve the “who is on the other side of the digital connection” question. If you are just sending an invitation to enroll a biometric to an email inbox that has already been compromised, you haven’t solved anything really. This is why identity proofing is a critical element of a biometric passwordless solution. A biometric that is not identity proofed can offer a sense of security that perhaps is not warranted.

Do you think biometric identification hinders the possibility of staying anonymous on the internet?

This again is where digital identity vs. a simple biometric offers a useful construct for both implementation and explanation. In the physical world, we have one identity and all of our biometrics match that identity. In some instances we operate anonymously -- we go about our everyday lives in relative anonymity. But, when we request certain services, such as withdrawing funds from an ATM, we need to identify ourselves. In the online world, a digital identity used for authentication needs to accommodate flexible levels of identity assurance. This means some services or applications might require the very highest level of identification. Others, very little or none. This doesn’t compromise anonymity on the web, but rather places it in the proper context for the user and intended action.

Your platform would be storing a lot of personal data. What are your ways of securing this platform from any kind of cyber-attack?

We have architected our platform with privacy by design as a key construct. This provides access to a user’s information via a private key stored in the secure enclave of the users device and activated only by a match between the users live biometric and the biometric captured at enrollment. This private-public key pair is certified to FIDO2 standards. We’ve gone a step further to store the user information in a distributed ledger and certified this to NIST 800-63-3 standards. This ensures end-to-end encryption of user data and removes centralized storage. Only the user via a live biometric match has access to their information and authority to grant access to that information by 3rd party applications.