All of us have gone through the chagrin of forgotten passwords and would be very happy to kill the password needed for digital access. Security breach, hacking, stolen data, identity theft etc., are increasing telling us that passwords are the weakest link in cybersecurity. Passwords are not just a challenge for individual users but also for organisations and static devices connecting the internet, satellites and and an estimated 30 bn IoT devices.

Today, 80% of all data traffic between smart devices is unprotected

Marek Ostafil, cofounder of Polish startup Cyberus Labs

The Memory Challenge

In a world where life has become easier with access to most of the services moving online an average user has at least one email account, multiple bank accounts, many social media accounts, online tools, shopping sites, utility services payment applications and so forth. If a person is employed she will have access requirements to many enterprise applications. All of them need to be accessed through “User ID” and “Password” which needs to be remembered at all times. 

As far as passwords are concerned they remain complicated to protect the user and the application. Different applications use different protocols like using a mix of capital letters, numbers, and special characters without using patterns similar to ones used in any of the personal information.  Many applications to enhance security ask the user to change the passwords regularly adding to the memory overload as storing them in writing is risky. This ultimately ends up with most people avoiding too much effort into creating a complex password and sticking with one password and later incrementing it.

Passwords used for ease

Source: Nordpass

We now partly understand why people use easy-to-guess passwords — they simply have too many to remember. So there’s no surprise that people use either  very easy passwords or have a few and reuse them for all accounts

Chad Hammond, a security expert at NordPass

Websites and applications have now tried to eliminate the “UserID” part of the problem by asking users to use their email ID, Google login or Facebook login as their UserID. While this has reduced the friction of having to remember individual UserIDs, it makes the user more vulnerable as a single leak provides a hacker the access to all the users applications.

Social engineering phishing aimed at work-from-home employees during pandemic and malware directed at remote workers, whose devices were no longer protected by the defences of the corporate network saw a jump. Estimates vary, but for many companies the cost of resetting the passwords of their employees are between $25 and $75 each time, taking into account the need to have account recovery and call centre staff.

It is estimated that password-related complaints received in 2019 cost organizations $2.1 billion USD

The FBI Internet Crime Complaint Center

The Hacker Technique

As passwords are the general way to authenticate users, hackers find ways to crack these and breach personal or corporate data. There are many ways to achieve this;

  • Password spraying: SentinelOne a cybersecurity platform, says that the simple technique is to get access to UserIDs of a targeted application. Then an automated bot runs a combination of UserIDs against a list of commonly used passwords.
  • Brute force attacks: This a laborious technique where an algorithm tries to guess the password by running the UserID against stuff like all the words in the dictionary or combination of alphabets.
  • Shoulder surfing: This is an old school style where people capture UserID and passwords by peering over the shoulder and memorising the UserID or ATM pins. This is mostly done by people who have access to you or are insiders.
  • Key Logging: A malicious software is placed into the victim’s computer which then logs the keystrokes and sends it to the hacker.
  • Copying Passwords: This is used when a user has maintained a physical copy of UserIDs and passwords. Once this list is stolen the accounts of this user can be breached.
  • Phishing: This is the technique which uses mind games more than technology to get access to a victim’s UserID and password. So an email sent from one closely resembling the original asking for credentials or a malware loaded email, or something more sophisticated like a man intercepting data flowing between the user and the website is used to capture the real credentials and then used to access the victim’s account.
  • Application vulnerabilities: All applications, software have loopholes which an intelligent attacker can crack open. They can also place malware which can leak the credentials without the user knowing about the leak.
  • Bribe/Extortion: Mostly used in outsourced or organisations with large databases where an insider steals data and hands it over to an attacker for a bribe or extortion.
  • Negligence: Databases left open due to human error or accidental dumps during electronic transfers could cause loss of data.

In 2020, 81% of data breaches were due to compromised credentials. phishing are responsible for 70% of the attacks against passwords

Verizon Data Breach Investigations Report

Password Alternatives

An international standard called FIDO (Fast ID Online) is working on security and authentication across industries. The objective of the FIDO international standard is to make passwords obsolete by replacing them with possession and biometric factors.

Multiple solutions are being tried like chip-and-pin, two-step verification, biometric solutions, among many other things. The alternatives too have their challenges and are not foolproof. For example, biometrics data must be closely guarded for both privacy purposes and to prevent spoofing, when hackers try to trick cameras or sensors with photos, masks or moulds of their victim.

There are several alternatives for passwords, including;

  • Biometric: Fingerprint readers, iris scanners, voice recognition, facial identification, vein recognition systems are some of the techniques used to authenticate the right user.
  • Social media: Using social media IDs to authenticate instead of creating a new UserID and password.
  • Multi-factor: Authentication is done using two or more steps, like using an electronic code generator token.
  • Grid authentication: These are cards which provide access while using a combination PIN.
  • Push notifications: This technique provides a code to the user’s mobile device which is then used in place of a password.
  • Digital certificates: These are cryptographic files which are stored locally on the machine or a USB device which validates the machine along with the user.

The user registers by entering their email address or a phone number. Login to the app takes place by clicking the temporary link in the user’s inbox. The app on the user’s mobile phone places an authentication cookie, which enables the user to continue from that device without having to go through any further authentication

Erka Koivunen, CISO at F-Secure


The cybersecurity space has players providing security for individual users as well as for enterprises of various scales. With multiple ways of authentication emerging many fields, startups are trying to provide specialised tools for specific applications. 

Face recognition replacing passwords


Zoloz founded in 2012, was acquired in 2015 by the Ant Group, a company which combines biometrics, industry-leading spoof detection technology and Optical Character Recognition for a comprehensive solution set that protects, connects and enhances user identity. It acquired Eyeverify, an US-based company whose proprietary technology is used for biometric identification by scanning the blood vessels in the iris.

Total funding received to date: USD 10.5 M 

Password free continuous access


Founded in 2011, based out of Toronto, Nymi creates a wearable connected worker platform that provides people with a handsfree, continuous, private, and secure link to their workplace networks. The Nymi Connected Worker Platform delivers forward-thinking applications  that make work incredibly secure, yet refreshingly easy all on a secure wristband wearable. After authentication, the Nymi Band stays active and ready-to-use so long as it remains on your wrist. On-Body Detection sensors provide continuous authentication that the person wearing a Nymi Band is the intended user. Total funding received to date: USD 30.4 M

Single password access


Founded in 2009, New York startup Dashlane has developed a password manager and secure digital wallet. The app captures all the passwords and payments in one place which can be controlled by a single password which the user can remember. They have a free, premium and business version that supports more than one device.

Total funding received to date: USD 185 M

Password Plus multi factor security


Founded in 2015, Arizona based startup Trusona sells their tools to organisations and application creators. They have a single password-less technique which uses multi-factor authorisation to let an employee login into the organisation’s network and then not worry about having to login with new passwords into other applications. The multi-factor authorisation lets the user access a system by providing an email link to click on or by scanning a QR code using their phone. A single password entry uses a combination of location, machine, and time to ensure that others cannot access using the same password or login into another device.

Total funding received to date: USD 38M

Secret Double Octopus

This security system uses the technique of validating the user logging into an application by seeking approval from the user’s personal mobile device, thus breaking the link between the device seeking access and the device authorising the password. Founded in 2015, this Israeli company connects a computer seeking verification to the user’s mobile through bluetooth. It involves a two step process. The  verification device sends a request for access to the mobile device of the user which has to be first approved. Then the authentication happens by the user biometrically verifying herself on the mobile device, which then sends an approval token over the bluetooth link to the computer. This helps enterprises eliminate passwords for employees logging into their devices.

Total funding received to date: USD 21M

Passwordless through sound matching


Futurae is similar to the Secret Double Octopus in the way it authenticates with a very offbeat solution of using ambient noise between the device seeking access and with the user’s mobile device nearby. Founded in 2016, Swiss startup Futurae has a unique solution for front end users. The solution matches the user logging in to an office device with their phone proximity. If the user has her phone nearby and she logs in with a valid email ID, the solution matches the ambient noise captured by the device and the phone and validates the user. This technique is called Soundproof.

Total funding received to date: USD 7.55M

Decentralised password access


Hypr is an app which leverages biometric authorisation with a higher security twist called decentralised authentication. It means the authorisation data stays in the mobile device of the user and only sends a token validating the veracity of the user. Hypr was founded in New York- in 2014. Since the Hypr module is embedded in the user device it can be incorporated into smart devices to validate other devices accessing it, thus securing even IoT networks.

Total funding received to date: USD 75.5 M


A unique way of validating users is by creating a unique signature based on the way the user types on the computer keyboard. Samples of a user’s typing behaviour are analysed based on the time it takes to press, release, and move between keys on their keyboard which is then stored as a pattern to authenticate when the user tries to access in the future. TypingDNA was founded in 2016 in Romania. A story in PC World says that they are trying to leverage as to what other traits may be detectable based on a user’s typing behaviour like a person’s gender, age, IQ, openness and even personality.

Total funding received to date: USD 12.3 M

Passwordless access through behaviour pattern


BioCatch founded in 2011 in Israel, believes that people interact with machines in unique, measurable ways. Built on an IP portfolio of more than 60 granted patents, their technology prevents new account fraud, account takeover fraud and detects social engineering voice scams, by analysing human, digital, physical, and cognitive behaviour. BioCatch uses a complex algorithm made by combining a large set of parameters through the interaction between the human and the device. The parameters range from which hand a person favours and muscle usage to geolocation and navigation behaviour. It can even spot malicious bots.

Total funding received to date: USD 216 M

My take

Biometrics has immense advantages over passwords in the kind of breaches that are possible. Yet it isn’t foolproof as the biometric data of a user if hacked can be very tough to be changed as  the biometric details of an individual are not changeable like a password.

Yet there are continuous innovations taking place in cybersecurity to try and provide as impregnable a solution as possible. Technologies are trying to emulate two factor authentication along with biometrics to ensure that two independent pathways will reduce the chances of being compromised along with loss of biometric data. While technologies evolve, the challenge faced by organisations in trying to secure their data and transactions is the complexity of installing a competent yet easy to use security process. Hence, we will see different types of authentication taking precedence over others depending on the type of usage, an example being voice recognition for a call centre, facial recognition for gated security etc. 

Given the speed of innovation it is a tough bet to take on which of the above startups will generate higher value for its investors. My bet would be on HYPR for its basic kernel is defined by the validation happening at the user’s device rather than a central database, limiting the chances of breaches on the central devices. Compromises to the user’s device can also be made by using hash codes and private keys for the tokens validating the user before providing access.

While all of the above solutions will continue to evolve, passwords continue to remain simple from a technology application perspective and will not get killed anytime soon.

For more extensive analysis and Market Intelligence reports feel free to approach us or visit our website: Venture Capital Market Intelligence Reports | VCBay.

We try our best to fact check and bring the best, well-researched and non-plagiarized content to you. Please let us know

-if there are any discrepancies in any of our published stories,

-how we can improve,

-what stories you would like us to cover and what information you are looking for, in the comments section below or through our contact form! We look forward to your feedback and thank you for stopping by!

Next Article

Previous articleAn aerial imagery and earth observation startup, Near Space Labs, raises USD 13M in Series A round
Next articleEgypt based Cartona gets USD 4.2 Million in a pre-Series A round
The author has over two decades of experience navigating, crossing channels, sinking, and floating across different retail businesses and various categories. He believes that the final game of any business is in getting its consumers to enjoy the whole process of pre to post-purchase moments, and a smart investor chooses businesses that consistently delivers these moments.


Please enter your comment!
Please enter your name here