Imagine a passwordless future. Understanding passwordless authentication and risks
Paul Girardi
Experienced business leader growing cybersecurity business PMP | CISSP | CCISO | MBA
User passwords have been and continue to be a target for attackers because they are easy to exploit: people choose passwords that are easy to crack, write them down, or reuse them across accounts. According to Forbes, 74% of data breaches start with privileged credential abuse.1 The current standard for strong authentication is multi-factor authentication, which combines the traditional password with a second factor such as a one-time generated code, an out-of-band approval, an SMS message, or an email link. These techniques add friction for the user and improve security, but each has inherent weaknesses that can still be exploited.
The next generation in security and convenience is passwordless authentication, which promises to eliminate the password.
Passwordless authentication uses public-key cryptography: a public key is provided to the service during registration, and the matching private key stays on the user's device. The private key is unlocked locally, by a biometric or a device PIN that never leaves the device, rather than by a secret the user sends to the service.
Having a unique password for every account and application can mean memorizing 30 or more passwords. Password vaults can simplify managing them, but imagine not needing any passwords to access accounts and applications. Passwordless authentication makes password phishing a thing of the past: phishing tricks an unsuspecting user into handing their password to the attacker, and with no password there is nothing to hand over. Imagine the time saved by no longer remembering, entering, or regularly resetting passwords. According to a survey reported by Infosecurity Magazine, the top benefits of passwordless authentication cited by security leaders are better security (69%), time saved (54%), the ability to access from any location (53%), and cost saved (48%).2
What is passwordless authentication?
Passwordless authentication refers to verifying a user's identity without using a password. Instead, the user authenticates with something they have (such as a mobile device or hardware key) or something they are (such as a biometric). Every login signs a fresh, random challenge, so the passwordless platform never stores a reusable secret: the service holds only the user's public key, which is of no use to an attacker who steals it.
Examples of first-tier passwordless authentication are biometric authentication (e.g., fingerprint, facial recognition, and voiceprint); dedicated hardware security tokens (e.g., YubiKeys); authenticator applications (e.g., Microsoft Authenticator); and certificate-based authentication (e.g., X.509 client certificates).
Biometric authentication solutions capture a physical characteristic of the individual through a sensor. The biometric algorithm turns the capture into a template that uniquely represents the individual, whether a voiceprint, a fingerprint, or facial geometry. A successful match against that template unlocks the user's private key on the device; it is the key pair, not the biometric itself, that then authenticates the user to applications and other network resources. In FIDO-style designs the template, like the private key, stays on the device and is never sent to the application.
Dedicated hardware security tokens replace passwords and come in various forms, such as a USB key or a small device with a button. The token is plugged into (or tapped against) the computer. Each token holds a unique secret in its secure element, from which it derives a separate private key for each service; the private key signs authentication challenges and never leaves the token. These tokens implement the Fast Identity Online (FIDO2) protocol.
Authenticator apps that generate constantly changing OTPs or use other PIN-based methods are certainly more secure than relying on email account security, but they aren't truly passwordless. An authenticator app is only as secure as the device it's running on, and there are many ways to defeat a device's security: malware, man-in-the-middle attacks, and outright theft are all options open to an attacker. Since nothing intrinsic links the account to the user, targeting the device that holds the authenticator is all that's required. The codes themselves are also not tied to any website, so a phishing page can simply ask for the current code and relay it to the real site before it expires.
Second-tier methods such as email magic links and one-time codes delivered by email or SMS are not truly passwordless. As long as most email providers require only a password, any verification that runs through an email account cannot be completely passwordless; an email OTP is a pseudo-password gated by another, often weaker, password. OTPs sent via SMS are less secure still, because they are vulnerable to SIM-swap attacks, in which an attacker has the victim's number moved to a device they control and receives the text messages. The same is true for magic links: anyone with access to the email account in question can use the link. While these methods are extremely convenient, they keep a password somewhere in the process.
How does passwordless authentication work?
The FIDO2 Project is a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C) to develop a standard for strong authentication for web applications. FIDO2 consists of the W3C Web Authentication (WebAuthn) standard and the FIDO Client to Authenticator Protocol 2 (CTAP2).
The FIDO2 WebAuthn standard allows users to log in securely without entering any password. The built-in biometric sensors now shipping with every modern laptop and smartphone, as well as modern hardware tokens, all work with WebAuthn.
FIDO2 WebAuthn begins by registering the user with the application. The registration process uses the following steps:
- When a user registers for an app or service, the service sends a registration request, including a random challenge, to the user's device. The user confirms the request with their biometric reader or hardware token.
- The authenticator on the device generates a new key pair for the user, unique to that service. The private key stays on the device.
- The corresponding public key is sent to the app or service.
- The service stores the public key against the user's account. The public key cannot be used to log in; it can only verify signatures made with the matching private key.
Once users are registered, they authenticate to applications using the following steps:
- When the user tries to log in, the service generates a fresh random challenge and sends it to their device.
- The user approves the challenge by unlocking the private key with their biometric reader or hardware device.
- The device signs the challenge, together with the origin it was received from, using the private key.
- The service verifies the signature with the stored public key; if the signature checks out, the user is logged in.
Risks of passwordless authentication
As good as passwordless systems are, there are still some inherent risks. The following are some of the risks associated with passwordless systems:
- Poor identity proofing – To establish access to an application, users register themselves by requesting, accepting, and confirming the registration with a biometric reader; the system then generates a key pair and the public key is stored by the application. As discussed, that key pair is what authenticates the user from then on. Identity proofing requires the user to provide adequate evidence of who they say they are before the registration is accepted. If the registration step does not demand sufficient evidence of identity, an attacker can impersonate the victim, enrol their own device, and gain passwordless access to the victim's account. The strength of the cryptography is irrelevant if the wrong person was enrolled.
- Fallback to passwords – Fallback to passwords refers to what the system relies on when passwordless authentication fails. For example, many facial recognition systems default to a simple password or PIN when facial recognition fails. From a security perspective this is no different from having the password only, because an attacker simply chooses the weaker path; it represents a significant vulnerability in these systems.
- Stolen end-user devices – Theft of mobile devices is another common risk associated with passwordless authentication. If a malicious actor can obtain and unlock a user's device, they can read PINs, one-time passwords (OTPs), and links delivered to authenticator apps, SMS, or email. You might think the malicious actor would have to unlock the device with a fingerprint or facial recognition, but as discussed, devices have a fallback that lets them be unlocked with a six-digit numeric PIN, which can be observed over the user's shoulder before the theft.
- Credentials used on the backend – This refers to other users being able to access the same systems with password credentials while you are using a passwordless hardware token. If some users authenticate with a password and no second factor or passwordless equivalent, the system's security still rests on password security; the weakest enrolled method defines the system's exposure.
- Malware intercepts OTP – Some websites ask users for a password plus a numeric OTP as a second factor. OTPs may be delivered by email or text message, or generated by mobile apps such as Authy or Google Authenticator. An attacker can capture the OTP with malware on the device or with a phishing page that relays it in real time, and log in with it before it expires.
Summary
In summary, passwords are not going away, particularly in large enterprises. Even so, passwordless authentication offers significant improvements in securing your enterprise and should be implemented for selected applications, with the risks described in this paper taken into account.
References
1. Louis Columbus, "74% of Data Breaches Start with Privileged Credential Abuse", Forbes, Feb 26, 2019. https://www.forbes.com/sites/louiscolumbus/2019/02/26/74-of-data-breaches-start-with-privileged-credential-abuse/
2. Dan Raywood, "Technical and Cost Concerns of Passwordless Authentication Bother Security Leaders", Infosecurity Magazine, Oct 1, 2020. infosecurity-magazine.com
3. Beyond Identity, "Passwordless Authentication: What It Is and How It Works". https://www.beyondidentity.com/resources/passwordless-authentication
4. Transmit Security, "Passwordless Authentication: A Complete Guide [2022]". https://www.transmitsecurity.com/blog/passwordless-authentication-guide
Speaker | Podcaster | Co-Founder/CEO at Click Armor | Helping build confidence through engaging, interactive cybersecurity training
2 years ago: Great paper. It's especially good that there's a disclaimer that passwords aren't going away any time soon. But it is good to see progress.
Managing Director at Abraham Financial Advisors, LLC
2 years ago: Paul, great work on this important topic. How much time is wasted and lost because of lost passwords? Perhaps a recognized clearinghouse using blockchain and biometrics could be used to reduce authentication overhead?
Advancing Digital Opportunity
2 years ago: Great summary Paul! You've described a future I want to live in!
Retired AVP from AT&T and CAPT USN (Ret)
2 years ago: Well done, Paul!