Jasson Casey, CTO of Beyond Identity, discusses the difference between symmetric and asymmetric secrets and how these cryptographic principles are used by Beyond Identity to eliminate passwords completely.
Symmetric and asymmetric secrets
So passwords are something called a symmetric secret. There's a piece of information that you have to remember and that some service or third-party remembers that same piece of information, and this is ultimately how you prove you are who you say you are to get access to that service.
Now the problem with this shared secret, or a symmetric secret, is when someone can access the collection of those from the service provider or the backend database. They can then pretend to be you. So at the core of our product we offer a framework for establishing identity and kind of a zero trust environment, and the way that we do that is with an asymmetric secret.
So an asymmetric secret, it's actually not a new technology. It was minted in the 70s, and it lets us do things where we can create a pair of information—a piece of information that you keep secret and you have to share it with no one (remember, with the symmetric secret you had to share it with one person) and with an asymmetric secret you share the secret part with no one and then there's a non-secret part, a public part, and you can share that with the world.
What these two things allow you to do is when you want to prove you are who you say you are to a third party, they'll challenge you by saying "prove your identity," and you can use that secret to add a signature. It's a special type of signature called a digital signature, but it's a way of encrypting a piece of information using your secret that you've shared with no one, and then you give that back to the service provider and they can actually verify it with the public part, or the non-secret, that you shared earlier.
So that's kind of a very high-level description of something called asymmetric cryptography and it forms the basis for digital signatures.
Why hasn’t this happened sooner?
So why didn’t this happen 30 years ago? We do take advantage of some more recent modern technology that's been introduced in the last couple of years in terms of mainstream computing devices that helps ensure a level of security in the solution. Modern chips now have something called TPMs and secure enclaves where there are these really nice properties where you can generate some of those asymmetric secrets—the private key with the public key.
The way this hardware is constructed, the private key physically can't be moved off the device. So it fundamentally becomes unmovable, and that's really nice because it gives us one of those properties where if the thing that is secret can't move, then it can't really be disclosed. It can only be used by someone who controls that device, and that really kind of forms the basis.
The final bit really is the prevalence of SSOs. Secure sign-on is a technology and a tool that companies have been using to aggregate the authentication points for their users to get access to their applications. Leveraging a new protocol called OpenID Connect, we're able to kind of work with existing SSO solutions.
We don't really require our customers to change any infrastructure. We don't require them to write any code. We're going to reduce friction on your users. We're going to improve the overall security experience. We're going to let you start making risk-based decisions on how you not just authenticate, but authorize users to an application. When you authenticate, what is the posture of your device? What is the risk of the thing you're actually trying to access, and should we allow that in a moment in time? We can do all of that, and I can get it set up in your environment in about 10 minutes with your identity engineer.
It's easy to try, and it provides value to the identity engineers or the IT staff as well as the end users. Why don't you try it out? It'll take 10 minutes, and I guarantee you won't turn it off.
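The challenge-and-signature exchange described in the section on symmetric and asymmetric secrets, as an added example that is not Beyond Identity's code: the device keeps its private key, the service stores only the public key and issues a fresh nonce for each login, and the device's digital signature over that nonce is checked with the public key. Ed25519 from Go's standard library stands in for whatever signature scheme the product actually uses, and the Device and Service types are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device stands in for the user's hardware: the private key is generated
// here and never leaves the struct (a TPM or secure enclave in practice).
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // the non-secret part, safe to share with anyone
}

// NewDevice generates the asymmetric pair on the device itself.
func NewDevice() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, Pub: pub}, nil
}

// Sign answers a challenge with a digital signature; the secret stays put.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Service stores only public keys, so a stolen user table gives an attacker
// nothing that can produce a valid signature (unlike a password database).
type Service struct{ Users map[string]ed25519.PublicKey }

// Challenge issues a fresh 32-byte nonce per login attempt, so a captured
// signature cannot be replayed against a later challenge.
func (s *Service) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Verify checks the signature over the nonce with the enrolled public key.
func (s *Service) Verify(user string, challenge, sig []byte) error {
	pub, ok := s.Users[user]
	if !ok {
		return errors.New("unknown user")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}
```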