Badge Makes Device-Independent Authentication Platform Available
Badge Inc. today announced that a namesake platform that enables end users to securely be authenticated on-demand using any device is now generally available.
In addition, the company has allied with Okta to provide integration with an identity access management (IAM) platform.
Dr. Tina Srivastava, co-founder of Badge, said the overall goal is to eliminate any dependency on devices to ensure authentication without having to store credentials. That approach enables end users to securely access applications without having to be concerned about which device they happen to be using at any given time, she said.
Originally developed by a team of Massachusetts Institute of Technology (MIT) alumns, the Badge platform eliminates the need for passwords in a way that reduces the level of friction end users experience when required to use multifactor authentication (MFA), said Srivastava.
It also improves overall cybersecurity because there is no central repository for credentials that cybercriminals can hack to gain access to application environments, she noted. That approach also eliminates the need to recover or reset passwords any time they are lost or stolen, added Srivastava.
One of the reasons MFA has not been more widely adopted is that existing approaches are tied to devices. If an end user doesn’t have that device or it is lost or stolen, the credentials provided to them have to be reset. The Badge platform, in contrast, makes use of biometric factors combined with, for example, passive attributes such as physical features or PINs to create an MFA method that doesn’t rely on a device or token to authenticate users.
As organizations look to embrace zero-trust IT, many of them are revisiting how they authenticate end users. Credentials such as passwords are easily stolen via phishing campaigns and other tactics at rates that make existing approaches in authentication obsolete.
There’s no doubt that MFA will significantly improve the overall state of cybersecurity, but given the current level of maturity, it is challenging to implement. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) nevertheless recently jointly called for more organizations to adopt MFA and single sign-on (SSO) capabilities to improve cybersecurity despite challenges the industry needs to address.
Outstanding MFA issues cited include confusing definitions and unclear policy controls spanning different variations of MFA. There is a need for clarity, interoperability and standardization to enable organizations to make comparisons and integrate different solutions based on requirements. In the absence of that transparency, too many organizations opt for MFA solutions based on, for example, short messaging services (SMS).
Other issues include a lack of clarity regarding the security properties that certain MFA implementations provide. All forms of MFA provide some protection against password reuse and compromise but have differing levels of security for how secret keys are stored and their overall resistance to phishing attacks.
Finally, MFA solutions provide varying levels of support for public key infrastructure (PKI) and Fast Identity Online (FIDO)2 standards. Most identity and access management (IAM) vendors offering SSO platforms support both PKI and FIDO2 authentication, but not all, and it may be incomplete. Support on different client platforms is also inconsistent and credential life cycle management is often lacking.
One way or another, existing approaches to authentication need to be replaced if cybersecurity teams hope to have a fighting chance to protect IT environments that today are too easily compromised.
