TokenOne Co-Founder Phil Cuff: Why Passwords Are Bad (And What's Better)

Roberto Popolizio

Whatever you know about cybersecurity, cybercriminals probably know that too and are already finding new ways to breach your defenses and steal your sensitive data.

How can you always stay on top of the latest threats, vulnerabilities, and emerging trends to effectively protect yourself or your business as cyber threats grow in number and sophistication?

In this new interview series by Safety Detectives, I am talking to cybersecurity experts and business leaders who share untapped insights from their experience and expertise that will help you be more aware and effective in protecting your sensitive data.

Our guest today is Phil Cuff, Co-Founder of TokenOne, a company that provides advanced authentication solutions that allow users to authenticate without entering or storing a secret PIN.

Phil is a multi-patented inventor with over 25 years of experience in emerging technologies, and has co-founded several other emerging technology companies focused on information security and identity protection, including FinesseTech in Dubai and Cocoon Data Ltd in Australia.

He has also been a keynote speaker on identity protection and authentication security at events around the world, including the defense and intelligence community at Pentagon City in 2016 and the Central Bank of Qatar in 2018. In 2016, he presented alongside a former FBI Assistant Director on the topic of “Keeping Secrets Secret” in Sydney.

To start, can you share the story of what inspired you to pursue your professional path?

I’ve always loved spy novels and movies, particularly real-life, true stories. I particularly enjoy stories like the cracking of the Enigma Code during WWII and the development and use of the One-Time Pad, on which TokenOne Authentication is based.

What are the most overlooked cybersecurity threats that you see affecting end users? Why are these threats particularly concerning?

If I had to pick one thing it would be education. Making folks far more aware of the various threats to their online security and how to protect against them.

This is a huge concern because, of course, 99.99% of people are not cybersecurity professionals and it’s shocking to realize how few people really understand the numerous types of online threats, let alone how to implement strong self-protection.

Research shows that far too many end users still lack awareness about cybersecurity threats:

  • According to a 2021 cybersecurity threat trends report by Cisco Umbrella, when a phishing link is sent to employees, over 80% of organizations had at least one employee click the link
  • A Microsoft study found that 55% of people reuse the same password across multiple accounts
  • The 2022 Verizon Data Breach Investigations Report stated that 68% of data breaches involved a non-malicious human element (people falling victim to phishing, misuse, errors, etc.)

Sources:
https://ivision.com/blog/types-of-cyber-threats/
https://www.microsoft.com/en-us/edge/learning-center/common-threats-online-security?form=MA13I2

What common cybersecurity beliefs and practices do you passionately disagree with? Why?

So few cybersecurity folks agree with me on this (until they dig a bit deeper), but my answer would have to be “passwords are bad and have to go”.

Don’t get me wrong, things have to change, and many positive changes have been made over the last 10 years, as traditional passwords became increasingly unmanageable AND insecure.

However, the problem is the way passwords are currently used and managed, whereas the concept of remembering a secret that only I know must be retained IMO.

Let me explain.

There are 3 and only 3 ‘factors’ of authentication:

  1. Something you know (e.g. a password)
  2. Something you have (e.g. a device or token)
  3. Something you are (e.g. biometrics)

Two-factor (2FA) requires two different factors (not two of the same factor) and three-factor authentication requires one of each. If we were to give up the knowledge factor altogether that would be an inherently bad thing. Apart from anything else, three-factor authentication would no longer be possible, which clearly would be bad.

There’s one overarching problem with the way passwords (the knowledge factor) are currently used and managed – you have to enter, speak or otherwise reveal your password (to a machine or person) to prove you know it. That’s what makes passwords vulnerable to hackers and that’s why we then get into secondary problems like the need to make them complex and hard to guess which in turn makes them hard to remember and difficult to manage.

Password managers (like LastPass, 1Password, etc.) help with that because you no longer need to remember each password, so you can then choose long, complex passwords each time. However, then our passwords actually become “something you have” (e.g. the phone or laptop that lets you access your password manager) rather than “something you know”.

💡 The right approach is ‘Zero Knowledge Password Proof’ (ZKPP) so you remember a secret password or PIN but never enter or reveal it. Ever! Instead, you follow a process that enables you to tokenize your password or PIN in a different way every time you try to log in or otherwise ‘authenticate’ yourself.

This way your password or PIN doesn’t actually need to be stored in a database managed by or on behalf of the service you’re authenticating to. Instead, all that needs to be stored are the (one-way hashed) correct ‘expected responses’ for each future authentication challenge. As a result, it’s possible to run an authentication system that is totally resistant to hacking (including from a quantum computer) because, even if a hacker (or rogue employee) does manage to compromise this database, there’s nothing valuable the hacker can obtain.

This is a very high level summary, but it is the basis for the patented ‘TokenOne Authentication’ system and more information can be found in the National Institute of Standards and Technology (NIST) Special Publication (SP) 1800-17 “Multifactor Authentication for E-Commerce” for the United States. Worth a read.

👉 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-17.pdf  👈
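The following is an added illustration, written for this page; it is not code from TokenOne and it is not the patented TokenOne scheme described in SP 1800-17. It only shows, in a constructed toy, the two properties the answer above describes: the PIN is never typed into the login form or sent to the server, and the server stores only one-time challenges plus one-way hashes of the responses expected for them. All names (`make_challenge`, `enroll`, `Server`, the four-symbol alphabet, a four-digit PIN of "2580") are assumptions of the example. The last function is the check a practitioner should run before trusting such a store: it shows what a stolen record still leaks when the response space is as small as this toy's.

```python
"""Toy zero-knowledge-style PIN login (constructed example, not TokenOne's scheme).

Enrollment happens on the client: it pre-generates a batch of one-time
challenges (a random many-to-one table mapping each digit 0-9 to one of four
symbols) and, for each, a salted slow hash of the response its PIN produces
under that table. Only challenges, salts and hashes are sent to the server.
At login the server issues the next unused challenge, the client transliterates
its PIN through the table and sends the symbols, and the server hashes and
compares. The PIN itself never leaves the client and is never stored anywhere.
"""
import hashlib
import hmac
import itertools
import secrets
from dataclasses import dataclass

SYMBOLS = "ABCD"     # the user types one of these per PIN digit (assumed alphabet)
ITERATIONS = 1_000   # PBKDF2 rounds kept tiny so the demo runs fast; use 100k+ in practice


def make_challenge():
    """Fresh one-time table: each digit is assigned one of four symbols. Many digits
    share a symbol, so one observed response does not uniquely reveal the PIN."""
    return {str(d): secrets.choice(SYMBOLS) for d in range(10)}


def respond(pin, challenge):
    """Client side: transliterate the PIN through the table. Only symbols are sent."""
    return "".join(challenge[d] for d in pin)


def hash_response(response, salt):
    return hashlib.pbkdf2_hmac("sha256", response.encode(), salt, ITERATIONS)


def enroll(pin, count):
    """Client side at enrollment: (challenge, salt, expected_hash) for `count` future logins."""
    records = []
    for _ in range(count):
        challenge, salt = make_challenge(), secrets.token_bytes(16)
        records.append((challenge, salt, hash_response(respond(pin, challenge), salt)))
    return records


@dataclass
class Server:
    records: list        # (challenge, salt, expected_hash); the PIN appears nowhere
    cursor: int = 0      # index of the next unused record

    def issue_challenge(self):
        """Hand out the next unused challenge, or None when the batch is exhausted."""
        if self.cursor >= len(self.records):
            return None
        return self.cursor, self.records[self.cursor][0]

    def verify(self, index, response):
        """Consume the record whether or not the answer is right, so no replay is possible."""
        if index != self.cursor:      # stale, replayed or out-of-order challenge
            return False
        _, salt, expected = self.records[index]
        self.cursor += 1
        return hmac.compare_digest(hash_response(response, salt), expected)


def login(server, pin):
    """Full exchange: server issues a challenge, client answers from its PIN, server checks."""
    issued = server.issue_challenge()
    if issued is None:
        return False
    index, challenge = issued
    return server.verify(index, respond(pin, challenge))


def candidate_pins(record, pin_length=4):
    """What a thief of ONE stored record learns offline: enumerate the response space
    (only len(SYMBOLS)**pin_length hashes), find the response that matches the stored
    hash, then list every PIN that transliterates to it under that record's table.
    Intersecting these sets across several stolen records pins the PIN down."""
    challenge, salt, expected = record
    for symbols in itertools.product(SYMBOLS, repeat=pin_length):
        response = "".join(symbols)
        if hmac.compare_digest(hash_response(response, salt), expected):
            break
    else:
        return set()
    digits_for = {s: [d for d, t in challenge.items() if t == s] for s in SYMBOLS}
    return {"".join(p) for p in itertools.product(*(digits_for[s] for s in response))}


if __name__ == "__main__":
    pin = "2580"                       # constructed sample PIN, known only to the client
    server = Server(enroll(pin, 12))
    print("login with right PIN:", login(server, pin))
    print("login with wrong PIN:", login(server, "1234"))
    print("PIN string present in server store:", pin in repr(server.records))
    print("PINs consistent with one stolen record:", len(candidate_pins(server.records[0])))
```

What to take from the toy: the knowledge factor is proved without ever being entered or stored, and a used record is burned so a captured response cannot be replayed. The last function is the caveat: a four-digit PIN mapped to four symbols gives a response space of only 256, so a stolen record is guessed offline in seconds regardless of the hash, and a handful of stolen records together identify the PIN. A real deployment needs a far larger response space per challenge, a limited number of pre-issued challenges, and lockout on failed attempts; the property on offer is "never reveal the secret", not "the stored hashes are worthless to an attacker".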

What are some things that people should STOP doing today because it’s damaging the safety of their data, and they don’t realize it?

Sharing personally identifiable information.

Sharing extremely personal information online has become second nature for many people. Social media platforms, online shopping, and various web services often ask for details about your life. Or just provide the opportunity for you to share it with friends and complete strangers.

Oversharing can lead to major risks, including identity theft, financial fraud, and privacy breaches. It’s crucial to be mindful of what you share with whom and, if in doubt, don’t share.

What are some things that people should START doing today that they’re currently not doing to protect their information?

This is the topic that interests me most for this discussion because it’s so simple and achievable, but also so poorly done by almost everyone.

The reason I’ve just written “Stay Safe Online – 12 Critical But Simple Steps” is because 99% of folks on this planet are woefully uninformed and unprotected online. And unnecessarily so.

None of us would drive our loved-ones around in a vehicle without ever checking its brakes or tires. We know how to check these things or, at the very least, we know how to get them checked regularly by a professional.

But think about how much time we all spend online now. Then stop and really think about what would happen if your phone or laptop is compromised by a hacker and you can’t access family photos or anything else on that device.

Now contemplate the horror of having all your private and invaluable data corrupted by a virus or locked up by ransomware so you can’t access it. Tax receipts, financial records, medical records, customer data if you run a small business, and so on.

And then finally, but perhaps worst of all, imagine having your identity stolen so that someone else can “be” you. You find out you owe money you didn’t borrow, you’ve bought goods you didn’t buy and “you” are traveling and spending money in a different country. Then imagine “you” start committing crimes, you can’t travel on a plane anymore, law enforcement wants to interview you. This actually happened to a friend of mine in Europe over a period of more than a decade and the impersonator turned out not only to be a thief but also a sex offender!

There’s no such thing as perfect security, but it all comes down to protecting our devices, data and identity. The solution to all this starts with education – understanding the threats, knowing how to mitigate them and then actually taking action. That’s the point of my new book. Too many DIY cybersecurity books and blogs fly over the heads of most folks and don’t provide a simple and practical approach to increased security.

And finally, it’s not just about implementing a few security measures and then being ‘safe’, because security is only as strong as the weakest link. EVERY step needs to be implemented, or at least as many as practically possible, including but not limited to:

  • A VPN
  • Anti-virus software
  • Anti-malware software
  • A firewall
  • Strong passwords
  • A password manager
  • Two-factor authentication (2FA)
  • Reducing the sharing of personally identifiable information

It’s a process and takes time, but we all need to improve this massively IMO.

Are there any common cybersecurity practices you believe are overrated or not as effective as commonly thought? Why?

Point solutions. In other words, relying too heavily on a product or tool that is designed for one specific purpose (e.g. to stop viruses) to protect you. Don’t get me wrong, it’s essential to implement tools like anti-virus software, but it doesn’t stop there and we all need to be more aware of the need for a comprehensive approach to our online safety and security.

What are some lesser-known strategies for ensuring online safety and privacy that you’ve found particularly effective? Why is no one talking about them?

Again, I would say education. This doesn’t get nearly enough attention and I think that’s partly because it’s easier to talk about buying a cybersecurity product to solve a specific problem. But the irony is the more we all learn about how to stay safe online, the more demand there will inevitably be for these cybersecurity products.

What has been your most memorable experience dealing with a cybersecurity threat in your career? Can you describe what happened and the lessons learned from this experience?

Not a specific attack, but the general vulnerability of passwords has been a source of so many hacks and online attacks over the last 30 years.

Most memorably, back in 2016, I was asked to present for half an hour to over 200 members of the US defense and intelligence community at Pentagon City outside Washington DC. To put it in perspective, the former director of the NSA and CIA presented after me. Terrifying! Particularly as everyone in the audience had a mic and didn’t need to ask permission before interrupting my talk and asking (really detailed) questions.

But everyone listened and, as a result, I was asked to meet with the folks at the US National Cybersecurity Center of Excellence (NCCoE) in Maryland, which eventually resulted, two years later, in the TokenOne Authentication system being written up in the NIST publication (link to the PDF above).

The big lesson for me was if you think you know how to make things better or safer, don’t keep it to yourself even if making your opinions heard is difficult or intimidating!

What cybersecurity technologies or trends do you believe will have the biggest impact on your industry in the next 5-10 years? How can they affect people if they don’t adapt?

Artificial Intelligence (AI) is extraordinary but it also feels like a honeymoon phase right now. I don’t think we have really begun to experience the ways AI can (and IMO will) be used by hackers and other bad actors to effect online attacks on each of us, our families and businesses.

Again, IMO the best protection is education and making sure we all take the various necessary steps, and implement the products and tools needed to protect ourselves.

How can our readers follow your work?

Website:  https://tokenone.com/

LinkedIn: https://www.linkedin.com/in/philcuff/

About the Author

With over 13 years of experience in managing digital publications, Roberto has coordinated over 5000 interviews with the biggest names in cybersecurity, AI, cloud technology, and SaaS. Using his knack for communications and a growing network of cybersecurity leaders, he provides newbies and experts alike with beyond-the-fluff online privacy tips, and insider perspectives on the ever-evolving tech world.