Although passwords are an integral part of everyday life, passwordless authentication has quickly caught on. Whether unlocking cell phones, banking, checking e-mail, or even entering homes, passwords remain the most widely used authentication method. With more passwords required for ever more digital platforms and services, many users reuse the same password everywhere because it is easier to remember.
However, reusing one password across many services only makes life easier for cyber criminals. Users have therefore been urged to create stronger passwords. What started out as a few digits quickly required more complex characters for security. Despite this, many users simply recycle the same passwords and add a few new characters.
Unsurprisingly, cybercriminals can easily compromise such passwords. Even large companies have been breached because of weak passwords. Multi-factor authentication was introduced in response, but even then cybercriminals can still get hold of the one-time codes normally sent by SMS to mobile devices.
With passwords becoming easier to compromise, biometric authentication is now proving to be the most secure bet for organizations looking to protect their employees and their business. Biometric authentication verifies a user's physical traits, normally through fingerprint readers, retina scanners, palm readers, and similar sensors, to grant access.
Several organizations have tested and advocated biometric authentication, and Microsoft has concluded that it is a more secure authentication method than passwords. Microsoft has since announced that it is removing passwords from some of its products, such as email, and allowing users to sign in with biometrics alone.
TechHQ met Andrew Shikiar, Managing Director of FIDO Alliance, to find out if a future of password-less authentication is legitimately possible. Here is what he had to say.
Why do people still struggle to create strong passwords today?
I think the real question is why people still use passwords today. No password can be secure. The fundamental problem with passwords is that they are a human readable shared secret that resides on a server. And anything on the server can and most likely will be stolen. It’s a historical dependency that we have on knowledge-based authentication, which is where users log into services based on what they know. The attacks won’t stop until we break our reliance on knowledge-based authentication.
Is biometric authentication the best alternative to reduce password dependency?
We need to move away from this old model of centralized shared secret authentication. The question is, where do we go? Big tech companies like Google, Microsoft, Samsung, Intel, Qualcomm and service providers like Amazon, Facebook, Twitter are working on it from a needs perspective.
From a technical standpoint, the approach we think we need to take is a user-friendly approach to asymmetric public key cryptography. The difference between a public key cryptography approach and a knowledge-based approach is that instead of having knowledge base credentials on a server, you have a cryptographic key pair, with a public key on the server and a private key that must match precisely sitting on the user’s device.
So now to log in, instead of trying to remember what I said to the server, which could be intercepted by any sort of hacker, I just need to prove I’m in possession of my device. And I can prove that possession, either by literally touching something or grabbing a pin or using biometrics, and so it drastically changes the rules of the game for hackers that there really is nothing left to happen. You can’t take those credentials, you can’t steal or sell them.
I think something like biometrics is the direction we’ll be heading to see user-friendly password-less authentication happen on a massive scale.
Today, most services allow you to log in with your device through biometrics. This is good because it changes the behavior of the user. That being said, since it removes the password from the user’s brain, it allows them to access the more complex password.
If you use a password manager, keychain, or something like that, it allows you to create a very complex password which is more difficult to crack. And that’s a behavioral important step but, at the end of the day, it’s a transitional step to move beyond passwords, where instead of having a complex password, you actually have a public key.
So, yeah, I think biometrics and possession-based authentication are the future. Whether you prove that possession by who you are, or by what you have, or a combination they are in, and that’s the key to stemming these types of data breaches and other password-related hacks.
Is using the same biometrics a concern for users?
It takes a lot of education for it to develop and spread. The basic thing that people need to understand is about biometrics and there are different ways to do biometric authentication.
For FIDO and most banks, authentication is done locally on the device. Your biometric data never enters a central server. It won’t be a biometric hack, or someone could steal your fingerprint or visual representation. This makes it impossible for hackers to do a scalable biometric attack.
With possession-based authentication, it’s one approach at a time, where a hacker literally has to be with you to steal your face or fingerprints. It removes high value high damage attacks. Of course, when someone comes up and puts a gun to your head and forces you to log in, it’s a whole different scenario and really beyond the reach of any kind of technology.
The bottom line is that users authenticate locally on their device and that authentication data or anything of value is not transmitted over the internet, as this is where phishing attacks and man-in-the-middle attacks occur.
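The key-pair login Shikiar describes above (public key on the server, private key on the device) and the phishing point just made, as an added example that is not part of the interview or of any FIDO Alliance code: a simplified challenge-response in Go in which the device signs the server's one-time challenge together with the origin it was issued for, so a challenge relayed through a look-alike site fails verification. The origins, user id and challenge are constructed, and real WebAuthn signs a different structure than this.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
)

// Registration is all the server keeps; a leaked copy gives an attacker nothing to log in with.
type Registration struct {
	UserID    string
	PublicKey ed25519.PublicKey
}

// Authenticator stands in for the user's device; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }
// clientData is signed as one unit, binding the signature to the server's one-time
// challenge and to the origin the browser actually connected to.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}
// NewAuthenticator models registration: key pair made on the device, only the public half sent to the server.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, pub
}

// Sign proves possession of the device. The local unlock (fingerprint, PIN) is
// assumed to gate this call; no biometric data is part of the output.
func (a *Authenticator) Sign(challenge []byte, origin string) (cd, sig []byte) {
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin})
	return cd, ed25519.Sign(a.priv, cd)
}

// Verify is the server-side check: expected origin, outstanding challenge, and a
// signature only the registered key could make. A challenge relayed through a
// look-alike site fails on the origin comparison, which is the anti-phishing property.
func Verify(reg Registration, origin string, challenge, cd, sig []byte) bool {
	var parsed clientData
	if json.Unmarshal(cd, &parsed) != nil || parsed.Origin != origin ||
		!bytes.Equal(parsed.Challenge, challenge) {
		return false
	}
	return ed25519.Verify(reg.PublicKey, cd, sig)
}
```

The server must generate a fresh random challenge per login and discard it after one use, otherwise a captured signature could be replayed.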
Is biometric technology expensive to implement?
The advantage of biometric technology is that it is built into most of the devices we have today. Most Windows machines and mobile devices are equipped with a biometric reader.
Another way for businesses to implement passwordless is through the use of security keys. Hardware tokens cost between $20 and $60 per user and can be distributed to employees to log in as a second or primary factor.
The good thing about these devices is that they prevent phishing and password resets. Resetting passwords can cost businesses millions every year. Most technologies are already built into devices, and businesses just need to deploy them.
Technology is also improving. For example, facial recognition can now detect the liveliness of the subject. Technology is improving and we are helping to establish standards for biometric certification with other standards bodies.
We do not specify the biometric modality, so it could be a finger, retina, venous pulse, or vocal sounds on a local device.
As an industry, we learn and set best practices. We try to troubleshoot issues like account recovery to see what happens when you lose your account or need to re-register a new account to make this process a bit smoother.
Will we end up getting rid of passwords in the future?
We cannot get rid of passwords completely. But I think some things are going to happen, especially from a user experience perspective. More consumer services will offer authentication and password-less logins and rely on device biometrics.
But eventually, more of them will offer true password-less authentication where you don’t have a password. Ultimately, there will be less friction when you log in. Part of possession-based authentication is knowing what you’re doing. Initially, it will take some adjustments.
For example, users will wonder why it is so easy to log into a bank account. Is a fingerprint secure enough? People are used to friction. It will take a while to get used to it.
The challenges are partly technical, partly educational and mature. We need to make progress in all three areas to move this forward and make it a practice.