Is this the key? No, something better: the future of passwordless authentication

The rapid demise of passwords has been predicted for over 10 years, even Bill Gates didn’t like them. However, we still continue to use passwords so frequently that we can’t quickly abandon them. Despite this, the future is already starting to emerge, where accessing any service can be done, for example, using a fingerprint or facial scan. Passwords will become a thing of the past. Read below to find out how close we are to this future.
In order for your password to be secure, it needs to be complex. In March 2023, the cybersecurity company Hive Systems calculated how long it would take a hacker to brute force a password based on its complexity. Analysts found that a relatively high level of security is provided by a password of 11 characters mixing upper- and lower-case letters and digits; it would take three years to crack. If it also contains special characters, it would take 34 years.
However, it is inconvenient for users to remember such complex passwords. People start writing down particularly valuable passwords in their notes or on paper, and then they lose them 😀. Or users reuse the same passwords for different services. According to one study, a third of respondents use a single password consisting of memorable dates and names to protect their accounts. And this is despite the fact that most of them know that reusing a password can be dangerous. The more services they reuse it on, the higher the probability that one of those services leaks the password.
Passwordless authentication eliminates the risks of losing or leaking passwords because you can’t steal what doesn’t exist. From a security standpoint, two-factor authentication is still considered optimal, but passwordless login can be a good alternative for users who, for some reason, do not want to enable 2FA.
How passwordless authentication emerged
The first version of passwordless authentication appeared in the 1980s with the introduction of one-time passwords (OTP), which were single-use passwords stored on physical devices. In the late 1990s, the concept of Single Sign-On (SSO) was introduced. This method allows users to securely authenticate across multiple applications and websites using a single set of credentials. In the early 2000s, smart cards gained popularity. These plastic cards embedded with a microchip were sometimes used as passwordless security tokens.
In the early 21st century, multi-factor authentication (MFA) was added to these methods. MFA requires users to verify their identity using at least two different authentication factors. It gained prominence when companies like Google started implementing this technology in their products. Typically, MFA includes factors of knowledge (passwords and passphrases) and possession of a personal device (one-time codes via SMS). Passwordless authentication is based on the possession factor, thereby mitigating the risks associated with password compromise.
FIDO Alliance’s Fight Against Passwords
In 2007, PayPal attempted to introduce two-factor authentication (2FA) through SMS-based OTPs, but it did not gain widespread popularity among users. A few years later, PayPal, in collaboration with Validity Sensors, announced plans to create a standard that would support all authentication hardware devices. To achieve this goal, the FIDO Alliance (Fast IDentity Online) was founded in 2012. Lenovo, Nok Nok Labs, and Infineon joined the alliance, followed by Google, Samsung, Microsoft, Intel, Visa, Mastercard, and Amazon, with Apple joining in 2020. The alliance now includes hundreds of companies working together to protect users from phishing and reduce, and eventually eliminate, the use of passwords worldwide.
In 2014, the FIDO Alliance introduced two standards as a result of its efforts: U2F (Universal Second Factor for authentication using dedicated devices) and UAF (Universal Authentication Framework for biometric authentication). FIDO continued to enhance these technologies and, in 2018, collaborated with the W3C consortium to publish standards for passwordless authentication on websites, mobile apps, and web services—WebAuthn and CTAP. Around the same time, Microsoft declared the “end of the password era” in their blog. However, many companies, such as Twitter and Dropbox, started using the WebAuthn standard as a second factor of authentication in addition to passwords.
To change the status quo, FIDO and W3C introduced a new version of WebAuthn in March 2022. The experts proposed using smartphones and biometrics as authentication tools. Following this, Apple, Google, and Microsoft announced their plans to implement the new standard. FIDO stated that passwordless authentication capabilities should be available in Windows, macOS, iOS, as well as in Chrome and Safari browsers by the end of 2023. Currently, WebAuthn is considered the most convenient and secure option for passwordless login, but it is not the only one. According to CanIUse, WebAuthn is supported by over 95% of users today.
How does passwordless authentication work?
Passwordless authentication allows users to access a website, application, or system without using factors based on knowledge, such as passwords, passphrases, or PIN codes. There are two main categories of passwordless authentication:
Possession-based: using a hardware token, smartphone, USB device, key fob, or smart card.
Biometric-based: using fingerprint, retina or facial scans, or voice recognition.
Typically, the process of passwordless authentication follows this scheme:
The user logs into a device, starts a session, or opens an application and provides identifying information, such as their name, phone number, or email address.
The user then confirms their identity by inserting a flash drive or token, presenting a smart card or key fob, opening a link sent to their smartphone, or scanning their fingerprint, face, or retina.
If the device or biometric information matches the data stored in the database, the user is granted access.
Types of passwordless authentication
There are several methods of passwordless authentication available today. Here are some of the most popular ones:
OTP Code
An OTP code (one-time password) is a single-use password generated by secure hardware devices or software programs. These codes are usually numeric and can be received via SMS, push notifications, email, or as part of the phone number from which the user receives a verification call. OTP codes can also be generated by dedicated smartphone apps like Google Authenticator. Some services also issue a set of OTP codes themselves after the user has successfully authenticated. These codes have a long validity period, so the user can store them for later use, for example when they have no access to their smartphone or SIM card.
Hardware Tokens
A hardware token is a small electronic device that resembles a key fob or flash drive. It can be physically connected to a computer or smartphone, and the cryptographic keys are stored on the token itself. There are also contactless tokens that do not require a physical connection to the device. Additionally, there are hardware tokens that generate an OTP code for each login attempt based on either an event-based counter (HOTP) or a time-based counter (TOTP):
HOTP (HMAC-based One-Time Password) generates a one-time password from a secret key and a counter. Each time the user presses a button on the token, the counter increases, and the next password is generated from the updated value. HOTP tokens require the counter to stay synchronized between the server and the user's device.
TOTP (Time-based One-Time Password) is a type of OTP that generates a one-time password from a secret key and the current time. The server and token are configured with the same time interval, typically 30 seconds, so the password changes every half-minute when using TOTP. TOTP is considered less vulnerable to attacks, as the short validity period narrows the window in which an intercepted code can be used.
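The HOTP and TOTP generators described above, together with the server-side checks (counter resynchronization for HOTP, clock-drift tolerance and replay rejection for TOTP), as an added example that is not part of the original article. The shared secret is the public test-vector secret from RFC 4226 / RFC 6238, not a real credential; the look-ahead and skew sizes are assumed values.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real token or authenticator app holds a random secret provisioned at enrolment.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    moving_factor = struct.pack(">Q", counter)
    mac = hmac.new(secret, moving_factor, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second intervals since the epoch."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 10) -> Optional[int]:
    """Server-side HOTP check. Returns the next expected counter on success, None on failure.
    The look-ahead window (assumed size) resynchronises a token whose button was pressed
    without a login; the counter only moves forward, so an already-used code is rejected."""
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, at: int, last_step: int = -1,
                step: int = 30, skew: int = 1) -> Optional[int]:
    """Server-side TOTP check tolerating +/-`skew` intervals of clock drift (assumed size).
    Returns the matched time step (store it as `last_step`) or None; a step that is not newer
    than `last_step` is refused so an intercepted code cannot be replayed inside its window."""
    current = at // step
    for k in range(current - skew, current + skew + 1):
        if k > last_step and hmac.compare_digest(hotp(secret, k), code):
            return k
    return None
```

The fixed timestamps in the RFC test vectors (for example 59 seconds after the epoch) reproduce the published codes, so the implementation can be checked without a live clock.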
In conclusion, passwordless authentication eliminates the need for traditional passwords and instead relies on possession-based factors or biometric characteristics to verify a user’s identity. This approach enhances security by reducing the risk of password-related vulnerabilities, such as weak or stolen passwords.
Passkey
A passkey is a unique cryptographic token that is exchanged between a website and the user's devices. This access key allows authentication using the biometric systems on smartphones or computers, such as fingerprint or facial scanners. To log into an account, users simply scan the QR code generated by the browser and confirm their identity on their smartphone. This method of authentication is based on the WebAuthn standard.
Passkeys are already supported by Apple, and Google recently implemented the technology across all its services and platforms. One of the main advantages of passkeys is that the access keys can be synchronized across different devices, depending on the application and operating system being used.
The principle behind Passkey is that one of the keys is stored on the mobile device or computer, while the other is stored in the cloud. Since users do not have direct access to these keys, they cannot be transferred to fraudsters, and a breach of one service does not result in the loss of all digital accounts.
OAuth and OpenID - Single Sign-On Technology
This method allows for authentication across various web services using a single account without the need for entering a password. Essentially, users can utilize their social media accounts, for example, to authenticate themselves. Many internet companies, including Facebook, Google, and Twitter, employ this approach. With OAuth support, websites receive user data from online service providers with the user’s consent. Instead of using a username and password, an access token provided by OAuth and OpenID providers is used for authentication.
The same principle applies to cross-authorization on mobile devices. Users who are logged into a social media app, for instance, do not need to authenticate themselves again when accessing another app that supports OAuth.
QR Code Authentication
This method grants access to a session on a computer from a mobile device where the user has already been authenticated. During the authentication process, the website generates a specific QR code, which the user scans with their mobile device and confirms the operation within the corresponding mobile application. When the user logs into the account, the service generates a temporary one-time token, a unique value that, unlike a password, cannot be reused on another device. Interestingly, based on our observations, users tend to appreciate this method of authentication because they have full control over the entire login process. They don't have to wait for an OTP code via a message; everything they need is literally in their hands.
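The server-side half of the QR login flow described above (issue a one-time token for the browser session, let an already-authenticated mobile app confirm it, hand the session to the browser once), as an added example that is not part of the original article. The broker class, the 120-second token lifetime and the injectable clock are assumptions made for the illustration.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

QR_TOKEN_TTL = 120  # seconds a QR code stays valid (assumed value)


@dataclass
class LoginSession:
    token: str                      # one-time secret encoded in the QR code
    created_at: float
    user_id: Optional[str] = None   # set once the phone confirms
    consumed: bool = False


class QrLoginBroker:
    """Hypothetical relying-party component brokering browser <-> phone QR logins."""

    def __init__(self, now=time.time):
        self._now = now             # injectable clock so expiry can be tested
        self._sessions = {}         # session_id -> LoginSession

    def start(self):
        """Browser calls this. Returns (session_id, token); only the token goes into the QR."""
        session_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._sessions[session_id] = LoginSession(token, self._now())
        return session_id, token

    def _find_by_token(self, token: str):
        for sid, s in self._sessions.items():
            if secrets.compare_digest(s.token, token):   # constant-time compare
                return sid, s
        return None, None

    def confirm(self, token: str, user_id: str) -> bool:
        """Mobile app, already authenticated as user_id, scans the QR and calls this.
        The app should show the user which site and device are being approved first."""
        sid, s = self._find_by_token(token)
        if s is None or s.consumed:
            return False                                  # unknown or already used
        if self._now() - s.created_at > QR_TOKEN_TTL:
            del self._sessions[sid]
            return False                                  # expired: discard, never revive
        s.user_id = user_id
        s.consumed = True                                 # token is strictly single-use
        return True

    def poll(self, session_id: str) -> Optional[str]:
        """Browser polls with its session_id; returns user_id once confirmed, else None."""
        s = self._sessions.get(session_id)
        if s is None or not s.consumed:
            return None
        del self._sessions[session_id]                    # hand the login over once, then forget
        return s.user_id
```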
Push Notification Authentication
This method also involves logging in using a single account and eliminates the need for one-time passwords if the user is already logged into one of the mobile applications that support this feature. During the authentication process, a push notification is sent to the user, allowing them to transfer the authentication session to another application or website. All that is required is to confirm the authorization within the push notification.
One-Time Links via Email
This is one of the more archaic methods of authentication, but it is still in use. An email is sent containing a URL with a one-time token. This token allows the user to authenticate on the website, which verifies the token and grants access. However, this method is not very secure, as it depends on access to the user's mailbox, which in turn has to be protected by some other form of authentication.
Life Without Passwords: Advantages and Disadvantages
Increased Account Security
Passwords themselves have ceased to be a significant obstacle for fraudsters. Passwordless authentication protects against two of the most dangerous and common cyber-attacks: phishing and password theft. Even if a person receives phishing emails, they do not have any credentials to provide to the fraudsters. Additionally, it is more difficult to forge biometric data or steal an OTP code compared to brute-forcing a password.
According to IBM’s estimates, in 2022, the average global financial losses due to data breaches reached $4.35 million, with healthcare ($10.10 million) and financial ($5.97 million) organizations being the most costly targets.
Convenience in Living Without Passwords
Many people will breathe a sigh of relief knowing they no longer have to come up with passwords and memorize them. Essentially, users have a unified “account” across all services with passwordless authentication, where the login is their phone number and the password is a one-time code. With Passkey enabled, authentication becomes even easier.
Furthermore, passwordless authentication allows for access to devices in any circumstance. For example, when traveling abroad, SMS messages may not arrive, but a QR code will reliably work.
Time Savings
With passwordless authentication, there is no need to spend time registering or repeatedly entering a long password, which is prone to errors. Modern authentication methods (such as Face ID) are even faster than using a password manager for authentication.
Data Protection in Business
In business, passwordless authentication significantly improves data protection by making it much more difficult for fraudsters to steal confidential customer information. This enhances the company's reputation as a reliable and responsible partner. Another advantage for businesses is that they gain an audience whose possession factor has been verified. Customers who use simple passwords can easily turn out to be bots, but with biometrics this likelihood is greatly reduced.
Eliminating passwords also makes life more convenient for customers. They no longer have to spend time memorizing complex passwords or searching for lost credentials. Instead, they simply need to verify their identity using unique biometric information or another passwordless authentication method.
Passwordless authentication, however, is not without its challenges.
Despite the benefits, there are some pitfalls to consider. With passwordless authentication, the security of an account is essentially tied to the user's device (smartphone or electronic key), and losing it can mean losing access to the account if there is no way to rotate the factor. Additionally, if someone else finds the device, they may use it for unauthorized access to services.
Therefore, when choosing passwordless authentication, it is important to responsibly ensure the security of the device and have backup access options in place. Otherwise, account recovery may need to be done through customer support. It is also important to remember to lock the phone and SIM card with a PIN code or a pattern lock for added security. From a security standpoint, passwordless authentication using biometric technologies is considered the most reliable form.
Why Companies Are Not Transitioning to Passwordless Authentication
Many online services established traditional password authentication long ago. They do not see authentication as a separate technical component, so they do not think about modernizing the authentication process. They also do not consider that authentication methods can have a positive impact on their business metrics, even though such solutions can, for example, increase the number of registrations on a service, since it is easier to authenticate with a phone number than to create an account.
Furthermore, transitioning to a new authentication method requires significant investment. Implementing a new system is not a quick process; it is a lengthy and complex endeavor that involves substantial expenses for purchasing the necessary hardware and software. The cost of these innovations will be particularly high for large companies with clients scattered around the world. In the case of SMS authentication, they would have to maintain relationships with hundreds of different mobile operators and send messages to users in various countries.
Lastly, most people are so accustomed to using passwords that it is difficult for them to accept alternative authentication methods.
Nevertheless, passwordless authentication offers solutions to many problems for both businesses and users. Firstly, it provides a high level of security. Secondly, it speeds up the login process. Thirdly, it eliminates the need to remember multiple passwords. While a password manager can help with this, it is not universally applicable: problems may arise when trying to authenticate on a new device if the manager's vault is not kept in cloud storage and you have to remember the password after all.
However, passwordless authentication is not a panacea. In the case of targeted attacks on a user (e.g., an administrator of a large social media community or a celebrity), SMS messages can be intercepted, and a smartphone can be lost, temporarily denying access to the account. Some of these issues can be addressed by implementing WebAuthn for authentication, but even this standard does not eliminate all possible vulnerabilities.