NoPassword - Security By Design

NoPassword is committed to pushing industry standards and best practices forward by reimagining and continuously innovating authentication process and identity and access management.

Security By Design

No Centralized Credential Database

NoPassword is designed to perform local biometric authentication, which means the user’s biometrics do not leave their smartphone and are NOT stored on a centralized database. Eliminating a centralized database of credentials, such as biometrics and passwords, renders NoPassword impervious to attacks that steal users’ credentials from the server.

No More Manually Entering Credentials

Users who use NoPassword biometrics do NOT manually type in any credentials, such as passwords or 2 factor tokens. Therefore, keyloggers, phishing, and social engineering cyber attackers that try to spoof user’s credentials, CANNOT be performed on the NoPassword solution.

Self-defense and Protection

Furthermore, self-protection features are built into the NoPassword authentication mobile app and SDK that prevent any tampering or interfering with the NoPassword authentication application. NoPassword prevents running the authentication application on rooted or jailbroken mobile devices to prevent jeopardizing users’ PII and sensitive information.

Eliminating Chance (Probability) of Remote Attacks

To access a user’s account, an intruder would need to steal the user’s phone, then, spoof the user’s specific biometrics, and imitate the hidden features extracted from the user’s phone. Each of the aforementioned tasks are complicated to achieve and require extensive resources. For instance, there are anti-spoofing features built into the NoPassword biometric authentication engine that prevent intruders from spoofing biometrics. In the unlikely event that an intruder manages to do so, the hacker would only threaten a single user’s access, which is not scalable and cannot be performed remotely to access thousands or millions of users’ accounts.

Built-in Security

FIDO UAF Certified

NoPassword is FIDO UAF Certified and complies with FIDO UAF server and client requirements. NoPassword only integrates biometric authentications that are also FIDO UAF certified. That being said, while we believe FIDO is a good starting point for the industry, today’s enterprise requires ultimate security which is beyond FIDO’s recommendations.

Secure Biometric Authentication

Biometric raw data is converted into a mathematical model through an irreversible process, where the biometric raw data is then deleted from the user’s device. Then, the mathematical model is encrypted using AES-256 encryption and only stored on the user’s smartphone for future authentication purposes.

Multi-layer Encrypted Communications

PKI model is used throughout NoPassword solution to communicate and send authentication results. All the communication involved in the the NoPassword solution travels through TLS channel. PGP encryption is always used to enhance messages sent and received between different points of the solution.

Secured Data in Transit, Runtime, and At Rest

Information in transit and at rest is always encrypted throughout the solution,  this including information stored on the NoPassword server. The NoPassword application leverages whitebox cryptography techniques to utilize sensitive information stored on the user’s smartphone. Hardware modules are used to store encryption and communication keys. To learn more, click here.

Secure Authentication Process

Every time a user is successfully authenticated based on biometrics (Human Factor), NoPassword leverages its patent pending technology to communicate with the authentication server. The communications to the server is subject to 5 layers of security. To learn more, click here.

Strong Authentication Engine

In contrast to conventional password based authentication systems that rely on checking static credentials stored on a database,  NoPassword authentication engine uses Public Key Infrastructure (PKI). It checks the authenticity of hidden features extracted from the user’s phone, which includes both static and dynamic information, to successfully authenticate the user.  

AI Driven Solution

Artificial Intelligence driven monitoring is an important feature of NoPassword because it ensures the health of the NoPassword authentication application on the NoPassword server and user’s smartphones.

Regulatory Compliance

NoPassword complies with standards including NIST 800, OWASP, ISO 27001, PCI DSS, and others. Third-party auditors regularly and continuously audit NoPassword operations and infrastructure to ensure the security of NoPassword services. Currently, NoPassword solution is also going through FIPS 140-2 validation process.

Continuous Code Review and Pen-testing

Continuous code reviews are performed as we release new features to guarantee new versions and updates of NoPassword products meet or exceed our high standards. Moreover, NoPassword is currently undergoing compliance validations and certification reviews for a number of certifications and regulatory compliances. Keep in touch to get informed.

Continuous Security Innovation

NoPassword Security is also about Privacy and Convenience

At NoPassword, we believe that we are only able to improve the security if the technology we develop is adopted and admired by a large number of users. This is only possible if it is easy-to-use and does not intrude on the user’s privacy. Consequently, privacy, security, and convenience are the three pillars of NoPassword. We listen to the opinions of our users, their stakeholders, and, more importantly, observe the trends of the industry to constantly improve our user experience. Let us know what you need, and there is high chance that we can offer it today.

Staying Ahead of the Industry

The NoPassword team is made up of world class scientists and cyber security engineers who are constantly coming up with innovative ideas. We are at the beginning of our journey and are ready to push beyond industry standards and best practices. We are never just satisfied when it comes to security and we strongly believe there is still a lot to do to ensure we are always ahead of malicious intruders and hackers.

There is More to Come...

NoPassword takes advantage of an agile development team that improves security features and user experience throughout the NoPassword solution. You don’t need to wait for an update. Updates to the mobile applications, mobile SDKs, web applications, universal directories, and the NoPassword authentication engine are released monthly, without interrupting users. Enterprises take advantage of our Saas and Cloud services will automatically receive new features.

© 2019 NoPassword Inc. All Rights Reserved. Powered by NoPassword Inc.

Modernize enterprise workforce and consumer identity by substituting passwords with NoPassword Human and Hidden Multi-Factor Authentication (H²MFA™).