
Arculus: Moving Toward a Passwordless Future


With increasing cyber threats, our security practices must evolve. So, why haven’t we embraced more secure solutions? Dr. Adam Lowe says, “The best security is the one people use,” implying usability is key.


The CoinDesk team spoke with Dr. Lowe to unpack this idea.


Lowe is the Chief Product & Innovation Officer at CompoSecure who’s made his career on the cutting-edge of innovation. He has authored several technical book chapters, and is listed as an inventor on over 500 patents and patents pending, including Arculus, a next-gen digital security platform giving people the ability to secure their digital assets and identities.


Lowe’s security expertise extends beyond CompoSecure and Arculus. He previously held an R&D role at a nonprofit supporting US defense and intelligence. Lowe’s experiences give him a deep understanding of web2 and web3 security for users from individuals to government entities.


In this conversation, we’ll explore the current and future state of cyber security and why Lowe believes in a passwordless future.


I think your background provides a lot of context as to how you ended up working at CompoSecure and developing Arculus, but something I’d love to dive in deeper on is how these experiences brought you into web3.


Sure, so, it's been a long journey, starting back to when I was in grad school, around 2011. Bitcoin was rumbling through academia. I wasn't a big Bitcoin buyer at the time, I certainly wish I was, but that's where I first got my taste of it.


Then I went into defense where I picked up an interest in cryptography that was keeping people, warfighters, and the entire intelligence community secure. I did that for a couple years and then transitioned into payments.


I've been with CompoSecure, our parent company, for about 10 years doing premium metal payment card technology. As crypto matured, I really began to see that as the future of payments and digital identity, and how the two merge together in web3.


From the view of global payments, I kind of saw where this nexus formed and went in to position us well by creating Arculus. Arculus is the digital asset and digital identity side of our business, where we take premium metal payment card technology, add an elliptic curve to enable it to do a lot of things. They can do payments. They can authenticate consumers. And it's also a full hardware signer for all relevant modern blockchains as well.


So that's kind of the vision: people need to manage their digital identities, and we want to give them the security in their pocket to do so.


We all wish we had bought Bitcoin in 2011, but your crypto journey is definitely unique and has given you insights into personal, corporate, and government security.

It seems companies are losing customer data as easily as customers forget passwords. Why is this happening?


Yeah, so I give talks on this all the time and one kind of tongue-in-cheek talk title I had recently was "passwords are passé." Because they really are.


What I like to say is, and it's true, that you trust a key to the front door of your house or apartment. You should trust a digital key to your digital life. Not a password.


The fundamental problem with most of these systems, no matter the scale, is that they are knowledge-based. A password is nothing but a shared secret, and for anybody that's ever gone through middle school, shared secrets don't last very long. So it's inherently a design flaw.


And as you mentioned, people often forget it and it has to be reset. Something like half of all call center activities are related to passwords. For companies, this can get very expensive.


Ok, so passwords are passé, but what else is there?


Instead of passwords, which are knowledge-based, modern systems are moving toward key-based solutions.


You may have already seen Facebook, Coinbase, and others using digital keys to manage your digital life. It's the same way you sign an Ethereum transaction with a digital key, but instead, you're digitally signing a challenge that proves you're you.


It's a massive leap forward in security.


Incrementally better than passwords is something like Google Authenticator, but it's not a great user experience. You have to tab out, go get six digits, tab back in, race against the clock, and hope you get it right. It’s just not great.


This zero trust, key-based approach we're talking about is mandated for all of the DoD this year, and will be mandated for more government agencies as time goes on.


CISA called it the gold standard and you should go for the gold. We really think it's the best approach, and people like Apple, Google, and others agree with us, which is why every Android phone and iPhone supports this.


So what we did with the passkey, and to work within the FIDO WebAuthn passkey system, is we put them on beautiful, external metal cards that businesses can provide their customers, in their branding.


For low to medium risk things, there’s an app on your phone: you're going to look at your phone, to unlock your favorite website or app.


For medium to high risk things, you use your card, an external key, making it even more secure. You tap the (pass)key (card) to your phone, it signs a challenge, and you’re in.


You said earlier that “the best security is the one that people use” and it reminded me of how my parents just stick with what they know.

What’s your perspective on your technology’s adoption? Is it security my parents would use?


We at Arculus literally have something called the "Adam's Mom's Test," which requires that my mom can do it without any coaching. And if she can't, and she needs coaching, then it's not simple enough.


The three pillars of Arculus are safe, simple and secure, and simple is definitely very important.


An average transaction that your mom will do just needs to use biometrics on her device. She would just look at her phone or use her thumbprint, and never have to remember a password. I think that’s a big advantage of this technology.


One reason we think smart cards are such a great vehicle for this is that everybody has them. Smart cards globally are 20 to 25 times more ubiquitous than iPhones. Everyone thinks everybody has an iPhone. Well, there's 20 times more smart cards than iPhones.


Returning to crypto, I regularly hear of people who store their entire portfolio in the same wallet they connect to everything.

Given the idea that the best security is one that people actually use, how do you see this adoption unfolding in web3, and how will it enhance protection for users engaging with dApps?


I think you will see a change from hot wallets soon. The challenge with old and previous cold storage methods, glorified USB sticks, is that it was just way too complicated to use—not user-friendly, involves constant uploads and downloads, and not very viable.


With Arculus, we've made it easier to use than many hot wallets.


You get that ease of use with maximal security on a multifunctional platform. As I mentioned before, we can put payment on the card, we can make it the FIDO authenticator that we talked about that logs you into web2 platforms.


Your whole digital life can be in a card that you regularly carry, and it's just as easy to use as your favorite hot wallet, but the keys are in your pocket. There's no way to hack it because the only place your private keys exist is on that card.


Also, it's 3FA, but easy 3FA:

  • Something you have: that specific card, which is synced to your phone,
  • Something you are: the biometric on your device, and
  • Something you know: your PIN.


You have that independent depth of defense that keeps your crypto safe and can fully function within the Web3 environment. You can use WalletConnect to your favorite DEX, you do whatever trade you wanna do, and you're rocking and rolling.


What emerging cyber threats do you foresee in the coming years, and how does Arculus address them?


Sure, so everyone cites AI. I think it's a reasonable thing to pay attention to since it lowers the bar for cyber attacks.


With AI, you can be less capable than you used to be to launch a reasonable cyber attack because the AI will help you code and will help you execute it at a lower knowledge threshold. So we will see a greater scale and volume of attacks from that.


We have to have our systems ready to be able to defend against that volume of attacks. We're protecting against future attacks by removing the kind of SIM swap, phishable credential problem that we talked about, because you either have the key or you don't.


An attacker can bang against that wall all they want. If they don't have the cryptographic key to unlock the account or unlock those privileges, they're not gonna get in. That's why it's so mission critical that we get away from this knowledge-based system that allows attackers in.


What about in the world of web3 and crypto?


I think that one of the threats, especially in web3, comes from this big movement to try to onboard people. We gotta get more people in the space and we gotta onboard them. While that's true, you see a lot of platforms moving to social login to try to make onboarding easier.


If those accounts aren't secure, then all you've done is take web2 problems and bring them into a web3 world because you're right back to passwords, email, and the same old problems.


What happens when the hacker says ‘I forgot my 2FA’ and the solution is that you get an email link? All the hacker would have to do is SIM swap you and we're back where we started.


We can’t push web2 insecurity into web3.


This discussion has echoed the “not your keys, not your crypto” sentiment. But what about custodians and DAOs? Can Arculus support multi-party systems like multi-sigs?


We partner with a number of people and work with multiple systems. We feel like we're the most secure, easiest-to-use cryptography engine, so why would we be prescriptive about how people should use it?


We could work on, for example, something like Gnosis Multi-Sig, where we can sign for one of those contracts and be a signer, M of M signer, in that multi-sig ecosystem where you could use that FIDO WebAuthn login to log you into a platform.


We really think we're an easy-to-use, flexible cryptography system that can work in that corporate or centrally-held environment just as easily for a consumer. I think the answers to those different problems are different. We're a Swiss Army Knife where we can pull out the appropriate tool and help solve the problem.


I've noticed Arculus partners with both traditional payment solutions and web3 companies. Can you elaborate on this?


Sure. So we do a lot with the likes of Solana, Aptos and Sui and others, really focused on bringing Web3 and payments together. As I mentioned earlier, we can manage identity using the FIDO WebAuthn standard, which these chains are picking up for a kind of easy ZK login. But we also are able to help support payments using these networks.


We're one of the few people in the world privileged to make Visa, MasterCard, American Express cards. During the last Solana Hacker House, we did a talk and showed how you could tap our cards and it could run over Visa rails or tap to send over Solana Pay over Solana rails.


It’s really unifying those payment systems and using stablecoins as payment and settlement instruments and bringing that web3 into real daily use cases that I think is just fantastic.


Anything else before we wrap up?


I want to reiterate that the ease of use combined with security and simplicity really positions Arculus well to be a leader in the space. Every time somebody says, ah, self-custody or cold storage is too hard and you put Arculus in their hands, you have a convert.


With our technology, we really mean “tap” into Web3 to make payments simple and secure. Our technology is here to protect people's digital assets and identities.


Source: coindesk.com

