Digital transformation is impossible without authentication and digital trust. Despite their shortcomings, passwords are widely used and in many environments are still the principal means of authentication. Almost every part of our digital lives and particularly our work lives relies on passwords.

As history shows, passwords are in practice quite difficult to protect as weak passwords are chosen, passwords are reused for many applications and organizations struggle to securely process and store them. In most data breaches, stolen or weak passwords play a central role and it is even estimated that on some major online platforms, the majority of login attempts are caused by attempts to abuse stolen credentials.

Passwordless authentication has been a buzzword for some time. Evidently, passwordless authentication eliminates the problem of using weak passwords and can increase user experience by removing the need to memorize and type passwords. And, at least in theory, it avoids the problem of storing passwords or their representations (hashes) thereby reducing the likelihood of credential leaks. Eliminating passwords for authentication has been a long-standing goal and an increasing number of alternatives has emerged. Although complete elimination of passwords is still illusory, reducing reliance on them is feasible.

Authentication

Authentication is a process by which an entity such as a user or a system presents an identifying element, for example, a username or a certificate and then proves that this identifying element belongs to it. When using passwords, this proof is furnished by presenting a password that is only known to the presenter and to the presentee.

Authentication Factors

A classic way of categorizing authentication factors is the distinction between something we know (usernames, passwords, PINs), something we have (a device such as a hardware token) and something we are (an individual property, for example a fingerprint or voice).

Traditional authentication solutions based on usernames and passwords are called single factor authentication, the password being the single factor. Nowadays, they are often considered old fashioned and inconvenient, sometimes also referred to as “high-friction” with respect to the end user experience.

Multi Factor Authentication

Authentication with usernames and passwords alone_ does not provide sufficient protection anymore._ An obvious approach to improve authentication security is to use one or more additional factors on top of usernames and passwords in the authentication process, hence the term multi factor authentication (MFA). Usually, one additional factor such as a one-time password (OTP) or a push notification is used which is called two factor authentication (2FA). Strictly speaking, multi factor authentication demands that the two factors are of a different category. Using two different factors of the same type is therefore sometimes called two-step authentication to make a distinction.

Today, two factor authentication using a password and an additional factor is the accepted de facto authentication standard for implementing so-called strong authentication. However, passwords are still part of the process in these schemes, but it is harder to abuse them. Using two factor authentication with passwords does not protect against password theft, but it does protect against accessing a system without using the second factor, rendering password leaks potentially less harmful. Common password security practices must also be applied in MFA scenarios that use passwords.

Increasingly, additional factors are being introduced such as user behavior, device type or geolocation as well as business rules to determine which authentication factors to apply to a particular user in a specific situation. The strength and the number of factors used for authentication illustrates an important fact: Authentication is not absolute but rather has a degree of assurance or trustworthiness. In other words, it must be sufficiently good for the intended authentication purpose while still being practicable.

Although using multiple authentication factors increases security, the adoption of traditional MFA is still not very widespread, even though its use has noticeable increased in the last years.

Passwordless Authentication

Passwordless authentication is the_ term used to describe a group of identity verification methods that do not rely on passwords_. In a passwordless authentication scheme, access is gained without providing a password and the claimed identity is proven by other forms of evidence. Passwordless Authentication is often used as part of multi-factor authentication mechanisms.

Passwordless authentication technologies typically fall into one of three categories: Biometrics, which identifies users by a physical characteristic such as a fingerprint, face scan, voice print, or unique behaviors, tokens including hardware and software keys, and device authentication which enables user access from authorized devices.

Biometrics such as fingerprints or face recognition are frequently used and have become widely deployed in the realm of mobile apps. This approach employs two authentication factors, something you are (biometric) and something you have, the PC or mobile device you are logging in with. This form of passwordless multi-factor authentication can be quite secure and it provides a convenient user experience since the user is not required to pick up a second device or to get a code from an SMS or email.

Implementers of biometric authentication solutions must decide where to store and match the biometric data, that is the template that is computed from the biometric property. Using asymmetric cryptography allows to ensure that biometric templates are used decentral on end-user mobile devices, avoiding the need to store and exchange biometric data in the form of shared secrets. Authentication to a service is performed by matching biometric properties with the template stored locally on the end user device and once it is matched, the device communicates with the service using tokens, avoiding the transmission of biometric information. Of course, the private keys must be well protected, ideally by using a hardware-based solution such as a trusted platform module (TPM) which many modern devices already have built-in or by means of a hardware key.

One of the most known standards using such mechanisms is the FIDO2 standard which stands for Fast IDentity Online, an overarching term for the Web Authentication (WebAuthn) specification from the World Wide Web Consortium’s (W3C) and FIDO Alliance’s Client-to-Authenticator Protocol (CTAP). FIDO2 makes it possible to use an authentication process where login credentials do not leave the user’s device and are not stored centrally, eliminating the risks of phishing, password theft and replay attacks.

Some solutions touted as passwordless authentication methods look like they eliminate passwords but in effect just hide them behind another factor. For example, mobile applications offering the possibility to use fingerprint logins might just use your fingerprint to retrieve a password that is stored on the device. When logging in, this locally stored password is then submitted to the app or service, effectively still using the same username and password based single factor authentication as before.

Outlook

It is unlikely that passwords will disappear any time soon. Although they have many flaws, everyone knows how to use them which is a strong advantage over many technically superior alternatives. Fortunately, passwordless authentication, such as Touch ID or Face ID on smartphones, is starting to achieve real market traction and is being increasingly deployed in enterprise applications for consumers and employees, reflecting the increasing demand for it.

Three points to consider moving away from usernames and passwords sooner than later:

• There is a good chance to considerably improve the user experience, a key factor for having a real chance to introduce any new authentication method.
• Passwordless authentication, when implemented correctly, can be much more secure. It can eliminate a list of attack vectors from credential stuffing to phishing attacks.
• Potentially faster login times into applications or devices.

Naturally, no alternative comes without risks. Quite sophisticated attack methods were developed to circumvent multi factor authentication using traditional methods such as SMS codes ore one time passwords. Also, once a biometric identifier is compromised, it cannot be easily replaced. It is virtually impossible to update your fingerprint or face or retina. If biometric information is exposed, the resources protected by this authentication method are at risk.

Despite the possible drawbacks and weaknesses of multi factor authentication, biometrics and passwordless mechanisms, when correctly implemented, are better alternatives to using only usernames and passwords which should be avoided or replaced wherever feasible. Especially when authenticating across different trust levels such as logging in to services on the Internet, accessing corporate resources from untrusted networks, etc.

Unfortunately, many applications and services still don’t offer the possibility to use more modern authentication methods, although the situation is improving while legacy applications are usually password-based and cannot be changed. In areas where usernames and passwords must still be used it is advisable to make sure that these credentials are only valid in a small scope, ideally for only that particular purpose.

No single form of authentication will be optimally secure, user-friendly, and cost-effective in all cases, resulting in the adoption of multiple approaches. Transitioning from traditional password-based authentication to more modern approaches is usually a longer journey rather than a single project but has the potential to significantly improve security and user experience.

About the Author

Tomaso Vasella has a Master in Organic Chemistry at ETH Zürich. He is working in the cybersecurity field since 1999 and worked as a consultant, engineer, auditor and business developer. (ORCID 0000-0002-0216-1268)

Links

• https://2fa.directory/
• https://blog.1password.com/totp-for-1password-users/
• https://fidoalliance.org/fido2/
• https://fidoalliance.org/fido2/fido2-web-authentication-webauthn/
• https://fidoalliance.org/specifications/download/
• https://www.digitalshadows.com/blog-and-research/automating-2fa-phishing-and-post-phishing-looting-with-muraena-and-necrobrowser-2/
• https://www.openwall.com/presentations/PHDays2012-Password-Security/
• https://www.wired.com/story/what-is-credential-stuffing/