The facts and fiction of passwordless journey

Dear Readers,

This week’s blog is about the passwordless authentication journey.

Passwords require ongoing management from both users and IT staff. For the average user, keeping track of ever-multiplying passwords of varying complexity is, at minimum, a hassle and often a challenge. Forgotten passwords can delay work or trigger account lockouts. Users often reuse passwords across accounts or write them down to aid memory, further compromising an already weak system. Password reuse can also multiply the impact of hijacking, phishing, and data breaches, making it possible for an attacker to unlock multiple accounts with a single stolen password.

Given the security risks and usability problems that passwords present, passwordless authentication is a far better and safer method of ensuring only the right people have access to the right things and for the right reasons.

Ambimat Electronics, with its experience of over forty years, desires to draw the attention of its readers and potential customers towards this blog post about their new product called AmbiSecure key and how it will benefit us.

The facts and fiction of passwordless journey

Mentioning the word “passwordless” may have unpredictable reaction with many security professionals. They may either give a smirk, or simply walk-out. Such reaction is understandable as they know that term “passwordless” is a loaded word, and there are many differing and contradicting opinion regarding the same.

The objective of this article is to outline the challenges that password displays, the definition of passwordless, and what organization can look forward to as passwordless authentication develops. Before we begin discussing on passwordless, we must first talk about passwords.

The password paradox

The most common form of user authentication is passwords; however, they are not liked by many as they tend to offer poor security and mediocre user experience.

Password are considered shared secrets, as it is known by the user and the validation process is usually stored across several computing devices. Additionally, passwords can be shared over messages or notes. Anyone who has the knowledge of the secret, including services, or device can fall victim to cyberattacks.

When it comes to password, security and usability is inversely related, this means the better the security the worse user experience, and vice versa.

So, is it time to say bye-bye to password? Afraid not.

Even though passwords are vulnerable, they aren’t that bad and are still used for various reasons:

  • Convenient and Portable — almost anything can be protected by a password or shared secret — device access, accounts, services, and documents can be protected by passwords. Accessing something becomes very convenient as password doesn’t not depend on anything, hence, making it a simple form of authentication.
  • Compatibility — Beside few exceptions, almost all app and service use a password. Although some services and apps may require user to input some additional second factor authentication for verification, but the fact remains that password are versatile and universal. The use of passwords has become a daily habit and therefore, we do not have think twice before reaching to the conclusion whether or not password is compatible with a particular service.
  • Interoperability —Password can easily be given to access computer, smartphone, or anything that we require access to. It is universally supported, and no unnecessary upgrade is required to use them, such as latest mobile device or installing client software. They simply do their job — to authenticate users.

If the ultimate objective is to abolish password authentication, any substitute must offer substantial improvement in both security and usability without compromising on the above three factors. With keeping this in mind, let us move on to define “passwordless”.

Defining passwordless authentication

Over the years, the word “passwordless” has rapidly grown and today it is being widely used by security, authentication, and identity solution providers — each in its own way.

So, to define passwordless we say that “passwordless is the method of authentication where the user does not require a password at login”

Although it seems straightforward, but there is a lot to unpack here. There are several implementations of passwordless authentication, and they all have different tradeoffs.

Few passwordless implementation are meant to address usability issues:

Short Message Service (SMS) — As the need to remember is avoided therefore, many consider that SMS is a form of passwordless verification. Typically, users are sent a one-time
password (OTP) to authenticate themselves. This OTP is effective for a short time. However, OTP is a just another form of password.

Email Magic Link — A user receives a unique link in their email and when it is clicked, it verifies the user for that specific device.

SMS can be used as an alternative to send magic link. Nonetheless, both of these authentication flows may provide usability than passwords, however, both are vulnerable to phishing attack. User may be tricked into entering the OTP or clicking the magic link, therefore, both methods of passwordless solution do not offer much security.

Other password implementations are intended to address security issues:

Smart Cards (PIV/CAC) — Smart card are very efficient in protecting against phishing attacks. The card is inserted into a reader by the user, and the smart card if validated with a unique PIN. This is perfect method to stop remote phishing attacks in their paths. When it comes to portability, compatibility, and interoperability legacy smart cards are not a good choice. The scalability of traditional smart cards can be costly and complex while implementing it. This makes it hard to use and inaccessible for most users and businesses.

Password Vs. PIN

There is not much difference between password and PIN from usability standpoint — this is something to remember. However, from a security standpoint, they are very much different. When a password is entered, it is validated on a server, unfortunately, this means that they can either be stolen or intercepted. A PIN on the other hand, is limited to the device. For example, when we use our ATM pin it only unlocks our credit or debit card, but is never stored or transmitted elsewhere. This is the reason why when a debit or credit card is stolen, user are only required to set the PIN in the new card.

There are a few reasons why this dissimilarity is significant.

As compared to passwords PIN are more secure

User still need to memorize something as most methods of strong passwordless authentication require a PIN.

The PIN is released to perform a function only when user fingerprints or face is read over biometric authenticators, and when biometric isn’t available it reverts back to the PIN. So what we mean to say is that PIN is not replaced by biometric authenticators.

Identity platforms and open standards roles

The goal of scalability is achieved through a rich open standards ecosystem that combines security, usability, as well as portability, compatibility, and interoperability. AmbiSecure has supported open security standards from the very beginning, to achieve this goal. It has also made its way by pioneering the Webathon and FIDO open standards to integrate them in operating platforms, and browsers. These standards paired with AmbiSecure allows strong authentication across several devices, applications, and services.

Open standards have also been accepted by identity and access management solutions to deliver the functionality and scalability that organization require to adopt strong passwordless authentication for business crucial services and applications.

Organizations who have invested in IAM platform, they can explore the passwordless option they have to offer. As an alternative to non Webathon/FIDO passwordless experience, most will have mobile authentication app to strengthen user experience on various legacy systems. Although mobile authentication app can be susceptible to phishing, yet they are considered stronger than passwords which is why IAM platforms support hardware security keys like AmbiSecure.

The bridge to passwordless

This is what the AmbiSecure was designed for — to meet you exactly where you are and to evolve with your security infrastructure. Hardware security keys don’t require client software or peripherals, like card readers. Additionally, hardware security keys are intended to support multiple set of security protocols. With AmbiSecure phishing resistant hardware security key users can now put a stop to account takeovers as a second-factor authentication above password. Hardware security keys can be deployed in a passwordless environment as a smart card or a FIDO security key in identity and access management scenario. The AmbiSecure hardware security key is truly a bridge to passwordless.

AmbiSecure for Identity and Access Management Solution

FIDO2 is a standard that simplifies and secures user authentication. It uses public-key cryptography to protect from phishing attacks and is the only phishing-proof factor available. Corporations around the world and across many sectors, including healthcare, can benefit from Fast Identity Online or Fast ID Online (FIDO) authentication, which their employees and users can use to minimize security risks, and improve overall user experience. The AmbiSecure key and card is FIDO certified which offers superior security by combining hardware-based authentication and public key cryptography to effectively defend against phishing attacks and eliminate account takeovers.

AmbiSecure helps organizations accelerate to a password-less future by providing FIDO2 protocol support. Not only does FIDO2 supports two-factor authentication, but also paves the way for eliminating weak password authentication, with strong single-factor (passwordless) hardware-based authentication. The AmbiSecure provides a simple and intuitive authentication experience that users find easy to use, ensuring rapid adoption and organizational security. AmbiSecure key or card does not require a battery or network connectivity, making authentication always accessible.

Reference:

https://www.yubico.com/blog/separating-fact-from-fiction-in-your-journey-to-passwordless-authentication/

Simple explanation to passwordless
Use Multi-factor Authentication (MFA)