Passwordless authentication

Last updated

Passwordless authentication is an authentication method in which a user can log in to a computer system without entering (and having to remember) a password or any other knowledge-based secret. In most common implementations users are asked to enter their public identifier (username, phone number, email address etc.) and then complete the authentication process by providing a secure proof of identity through a registered device or token.

Contents

Passwordless authentication methods typically rely on public-key cryptography infrastructure where the public key is provided during registration to the authenticating service (remote server, application or website) while the private key is kept on a user’s device (PC, smartphone or an external security token) and can be accessed only by providing a biometric signature or another authentication factor which is not knowledge-based.

These factors classically fall into two categories:

Some designs might also accept a combination of other factors such as geo-location, network address, behavioral patterns and gestures, as long as no memorized passwords are involved.

Passwordless authentication is sometimes confused with multi-factor authentication (MFA), since both use a wide variety of authentication factors, but while MFA is often used as an added layer of security on top of password-based authentication, passwordless authentication does not require a memorized secret and usually uses just one highly secure factor to authenticate identity (i.e., an external security token), making it faster and simpler for users.

"Passwordless MFA" is the term used when both approaches are employed, and the authentication flow is both passwordless and uses multiple factors, providing the highest security level when implemented correctly.

History

The notion that passwords should become obsolete has been circling in computer science since at least 2004. Bill Gates, speaking at the 2004 RSA Conference predicted the demise of passwords saying "they just don't meet the challenge for anything you really want to secure." [1] [2] In 2011 IBM predicted that, within five years, "You will never need a password again." [3] Matt Honan, a journalist at Wired , who was the victim of a hacking incident, in 2012 wrote "The age of the password has come to an end." [4] Heather Adkins, manager of Information Security at Google, in 2013 said that "passwords are done at Google." [5] Eric Grosse, VP of security engineering at Google, states that "passwords and simple bearer tokens, such as cookies, are no longer sufficient to keep users safe." [6] Christopher Mims, writing in The Wall Street Journal said the password "is finally dying" and predicted their replacement by device-based authentication, however, purposefully revealing his Twitter password resulted in being forced to change his cellphone number. [7] Avivah Litan of Gartner said in 2014 "Passwords were dead a few years ago. Now they are more than dead." [8] The reasons given often include reference to the usability as well as security problems of passwords.

Bonneau et al. systematically compared web passwords to 35 competing authentication schemes in terms of their usability, deployability, and security. [9] [10] (The technical report is an extended version of the peer-reviewed paper by the same name.) Their analysis shows that most schemes do better than passwords on security, some schemes do better and some worse with respect to usability, while every scheme does worse than passwords on deployability. The authors conclude with the following observation: “Marginal gains are often not sufficient to reach the activation energy necessary to overcome significant transition costs, which may provide the best explanation of why we are likely to live considerably longer before seeing the funeral procession for passwords arrive at the cemetery.”

Recent technological advancements (e.g. the proliferation of biometric devices and smartphones) and changing business culture (acceptance of biometrics and decentralized workforce for example) is continuously promoting the adoption of passwordless authentication. Leading tech companies (Microsoft, [11] Google [12] ) and industry wide initiatives are developing better architectures and practices to bring it to wider use, with many taking a cautious approach, keeping passwords behind the scenes in some use cases. The development of open standards such as FIDO2 and WebAuthn have further generated adoption of passwordless technologies such as Windows Hello. On June 24, 2020, Apple Safari announced that Face ID or Touch ID would be available as a WebAuthn platform authenticator for passwordless login. [13]

Mechanism

A user must first register with a system before their identity can be verified. A passwordless registration flow may include the following steps: [14]

Once they have registered, a user can log in to the system via the following process:

Benefits and drawbacks

Proponents point out several unique benefits over other authentication methods:

While others point out operational and cost-related disadvantages:

See also

Related Research Articles

<span class="mw-page-title-main">Password</span> Text used for user authentication to prove identity

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA for performing two-factor authentication for a user to a network resource.

S/KEY is a one-time password system developed for authentication to Unix-like operating systems, especially from dumb terminals or untrusted public computers on which one does not want to type a long-term password. A user's real password is combined in an offline device with a short set of characters and a decrementing counter to form a single-use password. Because each password is only used once, they are useless to password sniffers.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

<span class="mw-page-title-main">One-time password</span> Password that can only be used once

A one-time password (OTP), also known as a one-time PIN, one-time passcode, one-time authorization code (OTAC) or dynamic password, is a password that is valid for only one login session or transaction, on a computer system or other digital device. OTPs avoid several shortcomings that are associated with traditional (static) password-based authentication; a number of implementations also incorporate two-factor authentication by ensuring that the one-time password requires access to something a person has as well as something a person knows.

<span class="mw-page-title-main">Security token</span> Device used to access electronically restricted resource

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing transactions such as wire transfers.

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Mutual authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. It is a default mode of authentication in some protocols and optional in others (TLS).

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.

<span class="mw-page-title-main">Multi-factor authentication</span> Method of computer access control

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

<span class="mw-page-title-main">Google Authenticator</span> Two-step verification app

Google Authenticator is a software-based authenticator by Google. It implements multi-factor authentication services using the time-based one-time password and HMAC-based one-time password, for authenticating users of software applications.

A whole new range of techniques has been developed to identify people since the 1960s from the measurement and analysis of parts of their bodies to DNA profiles. Forms of identification are used to ensure that citizens are eligible for rights to benefits and to vote without fear of impersonation while private individuals have used seals and signatures for centuries to lay claim to real and personal estate. Generally, the amount of proof of identity that is required to gain access to something is proportionate to the value of what is being sought. It is estimated that only 4% of online transactions use methods other than simple passwords. Security of systems resources generally follows a three-step process of identification, authentication and authorization. Today, a high level of trust is as critical to eCommerce transactions as it is to traditional face-to-face transactions.

multiOTP Authentication system

multiOTP is an open source PHP class, a command line tool, and a web interface that can be used to provide an operating-system-independent, strong authentication system. multiOTP is OATH-certified since version 4.1.0 and is developed under the LGPL license. Starting with version 4.3.2.5, multiOTP open source is also available as a virtual appliance—as a standard OVA file, a customized OVA file with open-vm-tools, and also as a virtual machine downloadable file that can run on Microsoft's Hyper-V, a common native hypervisor in Windows computers.

<span class="mw-page-title-main">FIDO Alliance</span> Industry consortium working on authentication mechanisms

The FIDOAlliance is an open industry association launched in February 2013 whose stated mission is to develop and promote authentication standards that "help reduce the world’s over-reliance on passwords". FIDO addresses the lack of interoperability among devices that use strong authentication and reduces the problems users face creating and remembering multiple usernames and passwords.

<span class="mw-page-title-main">YubiKey</span> Hardware authentication device

The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows storing static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end-user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower-cost device with only FIDO2/WebAuthn and FIDO/U2F support.

Biometric tokenization is the process of substituting a stored biometric template with a non-sensitive equivalent, called a token, that lacks extrinsic or exploitable meaning or value. The process combines the biometrics with public-key cryptography to enable the use of a stored biometric template for secure or strong authentication to applications or other systems without presenting the template in its original, replicable form.

Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a core component of the FIDO2 Project under the guidance of the FIDO Alliance. The goal of the project is to standardize an interface for authenticating users to web-based applications and services using public-key cryptography. WebAuthn credentials are sometimes referred to as passkeys.

<span class="mw-page-title-main">Secret Double Octopus</span> Israeli software company

Secret Double Octopus (SDO) is a cybersecurity software company specializing in passwordless authentication for enterprise environments.

References

  1. Munir Kotadia (2004-02-25). "Gates predicts death of the password". News.cnet.com. Retrieved 2020-04-12.
  2. Kotadia, Munir (25 February 2004). "Gates predicts death of the password". ZDNet. Retrieved 8 May 2019.
  3. "IBM Reveals Five Innovations That Will Change Our Lives within Five Years". IBM. 2011-12-19. Archived from the original on 2015-03-17. Retrieved 2015-03-14.
  4. Honan, Mat (2012-05-15). "Kill the Password: Why a String of Characters Can't Protect us Anymore". Wired. Archived from the original on 2015-03-16. Retrieved 2015-03-14.
  5. "Google security exec: 'Passwords are dead'". CNET. 2004-02-25. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
  6. Grosse, Eric; Upadhyay, Mayank (January 2013). "Authentication at Scale". IEEE Security & Privacy. 11 (1): 15–22. doi:10.1109/MSP.2012.162. S2CID   57409. Archived from the original on 2013-04-23. Retrieved 2 July 2022.
  7. Vijayan, Jaikumar (2014-08-14). "Russian credential theft shows why the password is dead". Computer World. Archived from the original on 2015-04-02. Retrieved 2015-03-14.
  8. Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes". Cambridge, UK: University of Cambridge Computer Laboratory. doi:10.48456/tr-817. ISSN   1476-2986 . Retrieved 22 March 2019.{{cite journal}}: Cite journal requires |journal= (help)
  9. Bonneau, Joseph; Herley, Cormac; Oorschot, Paul C. van; Stajano, Frank (2012). The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. 2012 IEEE Symposium on Security and Privacy. San Francisco, CA. pp. 553–567. doi:10.1109/SP.2012.44.
  10. "Use passwordless authentication to improve security". Microsoft.com. 2020-01-28. Retrieved 2020-04-12.
  11. "Making authentication even easier". security.googleblog.com. 2019. Retrieved 2020-04-12.
  12. "Apple Developer Documentation". developer.apple.com. Retrieved 2020-10-07.
  13. "Passwordless Authentication: A Complete Guide [2022] - Transmit Security". Transmit Security. 13 January 2022. Retrieved 12 April 2022.
  14. "No password for Microsoft Account: What does passwordless authentication mean?". Business Today. Retrieved 12 April 2022.
  15. 1 2 Deighton, Katie (22 March 2022). "Technology Alliance Says It Is Closer to Killing Off Passwords". Wall Street Journal. Retrieved 12 April 2022.
  16. "Accelerating the Journey to Passwordless Authentication". IBM. Retrieved 12 April 2022.
  17. 1 2 "Passwordless Authentication" (PDF). World Economic Forum . Retrieved 12 April 2022.
  18. Smithson, Nigel (June 9, 2020). "Issues with Multi-Factor Authentication: PSA for MFA App Users". sayers.com. Archived from the original on 2020-08-10. Retrieved 2 July 2022.