Jim Clark on founding Netscape, PKI, and the elimination of passwords
Jim Clark, internet pioneer, discusses how the groundwork for Beyond Identity's approach to passwordless authentication was first laid 25 years ago, when he was building Netscape, the world's first commercial web browser, and why it took this long to eradicate passwords from the online world.
Where the idea began
It goes back to Netscape in the mid-90s, which kind of kicked off the Internet, the commercial Internet. I founded Netscape, along with a group of students out of the University of Illinois, and we created a security system based on public key cryptography, so-called certificates, which are digitally signed public key documents, and that technology was used to ensure that you're talking to the right website and that you have a secure communication channel.
We made it so that the user could also have a certificate, but we realized that it was a difficult thing to achieve because you have to have someone sign it, and so there needs to be a certificate authority that can sign these certificates digitally. That was relatively easy to do for websites, but quite difficult because of the magnitude of the number of people in the world. We figured just use the password, and it hit me that this credential that you give (username and password) and a password system can be replaced with the credential of a public key.
There are a lot of complications in public-private key encryption, but basically think of a key as a token that you can use an algorithm on to encode information. So that token has an asymmetric nature—public key, private key. The private key you maintain completely on your own. The public key you share.
By giving your public key signed by you to your website, you're handing it your new credentials, and those credentials can replace the old credentials, but they have the unique advantage that the public version of that is known by the website and anyone else that might want to know it, but the private version is a secret. In fact, you keep it stored in your own private device, like a phone or a computer.
So instead of sharing what I call a symmetric key, which is what a password is, you share an asymmetric key and that asymmetry means that it's a very safe system because no one ever knows the secret. You don't actually share the secret, you share a public version of it.
How TLS was leveraged
This protocol that we invented in Netscape called SSL, TLS, does that automatically. It's sort of an idea that was sitting there.
Once the backend stuff was in place, everyone was still going toward this other objective, and we thought about it and said it's sitting there in front of you: if you just think of it differently and use it a little differently, you can leverage TLS and give the user his own certificate authority. He then has the ability to create new credentials for himself, or for his children, or for his wife or employees, or, you know, a small set of people for other devices, and that gives him an immense amount of power and it gets rid of a whole bunch of problems.
Beyond Identity is truly passwordless
A lot of people are saying we're getting rid of passwords. It's a very confusing term, because people can use a password manager and say they're getting rid of passwords. They're not really; they're just storing them concentrated in one place. So we really are getting rid of passwords, replacing them with public and private keys. It's an integrated set of things that allows you, over time, to sweep all your passwords away.
You know, it's sort of an atonement for having kicked off passwords in the beginning. I hate passwords. I hate the whole process, and it's become so ingrained in our lives that it'll take years to extract ourselves and put the right mechanism in place, but once you do we're going to have a far more secure solution.