The World Must Go Passwordless to End ‘the Morass of Data Breaches’ – An Exclusive Interview with StrongKey CTO Arshad Noor

As part of the GoCrypto interview series, Mike Ermolaev spoke with Arshad Noor, CTO of StrongKey. With over 34 years of experience in Information Technology, Arshad has spent the past 23 years focused on solving data protection problems using applied cryptography. He has designed and built Public Key Infrastructures (PKI) – bolstering defenses in banking, defense, telecommunications, pharmaceuticals, biotechnology, and e-commerce – industries that are particularly in need of strong authentication and encryption. Notably, Noor authored the first open-source symmetric key-management system and contributed to numerous security standards. 

During the interview, Noor shared insights on global digital identity systems, emphasizing the urgency of building a cohesive global digital identity system, along with the acknowledgement that only internationally sanctioned security protocols can safeguard our increasingly digital lives. He also spoke about society tokenization and supported the idea of a retail US Central Bank Digital Currency (CBDC), a topic he’s been quite outspoken about lately. This conversation is a continuation of the interview series powered by GoMining, bringing you insights from leading experts in the field of cryptocurrency and data security.

Noor’s Pioneering Contributions to Digital Identity and Data Protection

Noor’s innovations include StrongKey Sign-On (SKSO), a web application for strong user authentication without third-party SSO services, and StrongKey FIDO Server (SKFS), an open-source, FIDO Certified enterprise solution for managing FIDO credentials, along with PKI2FIDO, a web application enabling simpler, stronger authentication for companies and government agencies. Prior to joining StrongKey, Noor worked for industry giants like Sun Microsystems, Citibank, and BASF Corporation, cementing his reputation as a skilled IT solutions architect and global PKI builder. His impressive track record and specialized knowledge establish him as a go-to authority on data protection and digital identity, offering sharp insights into the transformative potential of these systems.


Global Digital Identity Standards Need Harmonization

Speaking about a global identity system, Noor outlined its prospective structure, emphasizing the existence of multiple identity ecosystems serving diverse needs. He explained,

“Undoubtedly, there will be many islands of identity ecosystems to serve a variety of needs. Standards exist currently to enable sharing identity attributes – with attestation – so they may be trustworthy across borders – passports are an example.” 

He pointed out that commercial usage of digital identity attributes will require a robust framework agreed upon by nations.

“Once such a framework – and a trusted foundation to support that framework – is established, schemas may be created by diverse ecosystems to enable cross-border usage,”

Arshad Noor added. 

He also addressed the benefits and challenges associated with a global digital identity system, highlighting the potential for increased cross-border e-commerce and competition. Noor noted,

“A benefit of a framework for sharing identities globally is that it will increase cross-border e-commerce; while it will also increase competition for products and services, everyone – but the uncompetitive – will benefit.” 

However, he emphasized the need for harmonized security and privacy controls to ensure the system’s robustness, akin to the harmonization seen in global trade.

“At a minimum, what is needed to participate in such a framework is a global baseline for security and privacy controls. It does not make sense to have a standard like GDPR in the EU, while the US has no equivalent regulation. Dozens of nations across the globe have established their unique versions of security and privacy rules; much as global trade required harmonizing rules governing trade and logistics, data security and privacy must be similarly harmonized globally. This implies that the group responsible for harmonization must have representation from every nation – with equal voting rights – to ensure long-term success. While this will take time – and will likely be messy in the beginning – it can be made to work.”

Challenges in Passwordless Authentication

Noor shed light on the numerous challenges in implementing passwordless authentication, emphasizing several critical barriers: corporate and government inertia, the complexity of integration, groupthink in decision-making, investments in failed technological projects turning IT into a “sink-hole,” the missed opportunity with X.509 digital certificates, and the current focus on user experience (UX) over security.

Corporate and Government Inertia

Passwordless authentication faces major challenges from corporate and government inaction, according to Noor. He remarked,

“Authentication schemes to address distributed systems and the frailties of passwords have been invented since the ‘80s. Unfortunately, as large institutions invest in every new ‘shiny bauble’ that comes along, the complexity of integration grows exponentially.” 

Noor explained that investments in failed technological projects have made IT a “sink-hole,” causing IT executives to bet their careers on projects they do not always understand, leading to a “herd mentality.”

He elaborated,

“80% of the market will not make a move until they see how the early-adopters fare and there is proven ROI. But with the complexity that exists in the current environment, measuring such ROI is very difficult. Leading to inertia.” 

Missed Opportunities and the Second Chance with FIDO

He also reflected on the missed opportunity in the late ‘90s and early ‘00s to introduce passwordless authentication with X.509 digital certificates, noting, 

“Industry killed that ‘goose that laid the golden eggs’ by over-pricing and under-delivering PKI.”

According to Noor, there is a second chance with FIDO but some large tech companies overfocus on user experience (UX) rather than educating consumers about security needs and behavior adaptation. He stated,

“The world now has a second chance with FIDO; but once again, some of the largest companies in the technology industry are blowing it again by choosing to focus on user experience (UX) rather than focusing on educating consumers about the need for security, and consequently, adaptation in behavior.”

Transitioning to Passwordless Authentication is Essential, but Implementation Details Matter

Discussing the future of PKI and passwordless authentication, Noor said,

“PKI, FIDO, and passwordless authentication are analogous – they are simply different styles of ‘shirts’ cut from the same ‘cloth’.” 

He stressed that compared to what preceded public-key cryptography, there is no alternative, asserting,

“The world must transition to passwordless authentication to alleviate the morass of data breaches we drown in currently. However, implementation details matter. Much as a firearm can be used to defend oneself from marauders, it is equally possible to shoot oneself with the same instrument.”

Rational Evaluation Needed for Blockchain vs. Traditional Technologies

As Noor pointed out, while blockchain technology can technically facilitate business operations, distributed databases and digitally signed transactions can achieve the same objective. 

“Almost anything that can be implemented with blockchain was possible to be implemented with traditional databases leveraging public-key cryptography in the late ‘90s – the market could not adopt such capability because of recessions following the “dot com” and real-estate related mortgage-backed securities meltdowns,”

he explained. 

“In the early ‘10s, blockchain captured the imagination of some people in the technology industry. While business processes spanning companies can be implemented technically with blockchain, they can be similarly implemented with distributed databases and digitally signed transactions,”

Noor added. 

However, according to him, the hype and speculative investments around Bitcoin overshadowed the practical and technical applications of blockchain technology, leading to a feverish and sometimes irrational adoption of blockchain without sufficient consideration of its actual value and implementation.

He stated,

“Once that fever subsides, blockchain solutions with reasonable ROI will emerge to solve some problems.”

When discussing specific applications or innovations that hold the most promise for leveraging these technologies to address current and future challenges in data protection and identity management, Noor emphasized that business processes requiring workflows involving multiple parties are the natural problem to solve with distributed systems and public-key cryptography.

He concluded,

“Whether it should use blockchain or traditional – yet proven – technology is an implementation detail that must be analyzed like any other corporate financial investment.”

The Fed Should Automate Interest Rates for a Smoother Economic Ride

Arshad Noor envisioned financial markets becoming more efficient and benefiting consumers globally over time with the introduction of a retail US CBDC. He acknowledged,

“There will be some bumps in implementation in the early stages; but as these bumps settle down (while keeping consumers whole), the system will become productive.”

Noor also foresaw the Federal Reserve shifting focus from its current process for establishing interest rates. He suggested establishing a system for automatically and transparently calculating inflation rates on a periodic basis.

He stated,

“I envision the Federal Reserve choosing to defocus on their current process for establishing interest rates, and simply paying 2% over whatever the current rate of inflation may be on any given day. The efficiency gained from this strategy will be similar to automobiles going from manual to automatic transmission. Savers will always be rewarded with a reasonable rate of return, while spenders will bear what they must for their profligacy. Knowing that individual buying decisions no longer need be dependent on a small group of central bankers meeting a few times a year, it will allow the economy to achieve a “smoother ride” as rates shift automatically corresponding to inflation rates prevalent in the market.” 

Noor provided detailed comments addressing cybersecurity concerns associated with a CBDC to the Federal Reserve, available on their website. He said,

 “While retail CBDC transactions will be transparent in nature, with appropriate encryption and psuedonymization techniques supported by a new and transparent regulatory framework for decrypting such transactions, law-abiding citizens may rest assured that their personal transactions will be secured and kept private with appropriate technology and regulations.

However, he warned that nefarious activities are unlikely to disappear from the internet:

“This is inherent in human nature where arbitrage in economic conditions and outcomes are possible. The question society must answer is: how much money is it willing to spend to preserve individual privacy?

 He concluded that in the pre-computer/pre-internet age, protecting sensitive information was relatively inexpensive, requiring only nominal amounts for locks/keys and simple procedures. In the digital age, the cost will be significant. Noor emphasized,

“While open-source technologies can drastically reduce costs, establishing, operating and enforcing the regulatory framework to preserve privacy – and the security controls it will entail – will require significant commitment for the long-term.”


Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.

Source link

About The Author

Scroll to Top