Can Zero-Knowledge Cryptography Solve Our Password Problems?

While multifactor authentication, single-sign-on infrastructure, and stronger password requirements have improved the security of most enterprise identity and access management (IAM) environments, the longevity of passwords continues to pose problems for businesses, especially in granting temporary access to contractors and third-party partners.

A variety of vendors are trying to solve this problem. Last week, for example, data-security firm Keeper Security announced one-time shared passwords that allow companies to grant third-party partners temporary access to data and resources without adding them to the company’s overall IT environment. The approach allows specific types of documents to be shared to a single user device, automatically removing access when the time expires.

The business case is all about securing access granted to contractors, says Craig Lurey, chief technology officer and co-founder of Keeper Security.

“We get asked constantly to allow short-term, temporary access to third parties without requiring them to onboard as a licensed user,” he says. “With this new feature, there are not 20 steps anymore. It is just instant, but preserving that encryption, simplifying the secure-sharing process, and eliminating the need to send private information over text messages.”

Credential Theft Is Big Business

Supply chain breaches, stolen credentials, and the proliferation of software keys and secrets continue to undermine IT and data security. In March, secrets-detection firm GitGuardian found that developers leaked 50% more credentials, access tokens, and API keys in 2021, compared to 2020. Overall, 3 out of every 1,000 commits exposed a sensitive password, key, or credential, the company said at the time.

Failing to protect software secrets, user passwords, and machine credentials can lead to compromises of application infrastructure and development environments. Attackers have increasingly targeted identities and credentials as a way to gain initial access to corporate networks. Last week, for example, software security firm Sonatype discovered that at least five malicious Python packages attempt to exfiltrate secrets and environment variables for Amazon environments.