Passwordless Authentication is the future
Evolution of Authentication
Since the inception of authentication, the password has served as the foundation for secure login to protected resources. Over time, breaching passwords became easy, and it continues to grow easier every day. In response, businesses began pushing complex password requirements, which make it challenging for consumers to generate and remember passwords. People started writing their passwords down on paper or saving them in files, both of which are easily lost or compromised. To solve the challenge of remembering complex passwords, some consumers started using password managers, but these have their own limitations in compatibility across devices and browsers, and they create a single point of failure if an attacker compromises the master password.
To improve the security of the authentication process, MFA (Multi-Factor Authentication) was later introduced. MFA made strong authentication easier, which reduced the risk of identity theft. With MFA, dependency on the password was reduced, making password authentication replaceable.
Hence the rise of passwordless authentication.
Passwordless authentication is achieved with something you are or something you have, not something you need to remember.
Something you are (Inherence factor)
– Face recognition
How do biometrics work?
Registration:
1. When a user registers with a new application/service, an approval request is sent to the user's device. The user validates the request using the biometric scanner.
2. A private key is generated and stored securely on the device, and the associated public key is shared with the application/service.
3. The public key is effectively useless without the corresponding private key.
4. The private key stored on the device signs only challenges issued by the application/service, which verifies each signature with the public key it holds.
Sign-in:
1. When the user tries to access the service/application, a challenge is generated and sent to the registered device.
2. The user accepts the challenge and unlocks the private key using the biometric scanner.
3. The challenge is signed with the unlocked private key.
4. The service/application confirms that the challenge was signed with the correct private key and grants the user the appropriate access.
Something you have (Possession factor)
– Email address, Smartphone (Magic Links/OTP)
– Authenticator apps (push notification, PIN, etc.)
– Hardware keys such as YubiKey
How do magic links/OTPs work?
1. During registration, the application/service asks the user for their email address, phone number, etc.
2. For each login request, a token is generated, and an associated OTP or magic link is created and sent to the registered email address/phone number.
3. The user clicks the link or enters the OTP; the service/application verifies it, and if it matches, access is granted.
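The magic-link/OTP flow above, as an added Go example that is not code from the original post: the server keeps only a hash of each issued token, bounds its lifetime, compares in constant time, and deletes it on first use. The Store type and its injectable Now clock are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"time"
)

// Pending is the server-side record for one magic-link/OTP request; only the token's hash is kept.
type Pending struct {
	Hash    [32]byte
	Expires time.Time
}

// Store maps a registered email address or phone number to its pending request. Now is an injectable clock (an assumption of this example, so expiry can be tested).
type Store struct {
	Pending map[string]*Pending
	Now     func() time.Time
}

// Issue generates a random 128-bit token for the contact, records its hash with a short expiry, and returns the token to embed in the link or OTP message; a new request replaces any older one.
func (s *Store) Issue(contact string, ttl time.Duration) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	s.Pending[contact] = &Pending{Hash: sha256.Sum256([]byte(token)), Expires: s.Now().Add(ttl)}
	return token, nil
}

// Verify compares the presented token in constant time and rejects expired tokens; on success the record is deleted so each link or OTP works exactly once.
func (s *Store) Verify(contact, token string) error {
	p, ok := s.Pending[contact]
	if !ok {
		return errors.New("no pending login for this contact")
	}
	if s.Now().After(p.Expires) {
		return errors.New("token expired")
	}
	h := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(h[:], p.Hash[:]) != 1 {
		return errors.New("token mismatch")
	}
	delete(s.Pending, contact)
	return nil
}
```

A short numeric OTP carries far less entropy than this 128-bit token, so a production version additionally needs a strict attempt limit per request.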
Passkeys are one of the best-known standards for implementing passwordless authentication. A passkey acts as a digital credential tied to a user account and a website/app, and uses public-key cryptography to authenticate the end user to relying-party websites or apps. Smartphone and desktop operating systems and browsers all have built-in support for it; a relying party needs to use the built-in WebAuthn/FIDO APIs to offer passkey sign-in.
Passkeys can be used to authenticate without the user entering any personal information, such as a username.
Creating a passkey:
1. The user logs in to the relying party with their existing credentials.
2. The user selects the "Create a Passkey" option.
3. The device verifies the user using a fingerprint, face scan, PIN, etc.
4. Upon successful verification, a cryptographic key pair is generated; the private key is stored securely in the device's vault and the public key is shared with the relying party. The passkey is now configured for the user account.
Sign-in with passkeys:
1. User tries to sign-in to the relying party website.
2. Device displays the registered passkey.
3. User selects the passkey.
4. The device verifies the user (fingerprint/face scan/PIN, etc.).
5. On successful verification, the user is logged in.
6. Internally, during the sign-in process the relying party sends a challenge to the device; after successful user verification, the device generates a signature over the challenge using the passkey's private key. The relying party uses this signature to verify the login credential.
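The challenge/response that both the biometric flow and the passkey sign-in above describe, as an added Go example that is not the post's code nor a WebAuthn implementation: the relying party stores only the public key and the challenge it issued, the device signs only after local user verification, and a consumed challenge cannot be replayed. Ed25519 stands in for the FIDO key type; RelyingParty, DeviceSign and the userVerified flag are assumptions of this model.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

type RelyingParty struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}
// NewRelyingParty models the website/app side: it stores only public keys and the challenges it issued.
func NewRelyingParty() *RelyingParty {
	return &RelyingParty{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register is the "Create a Passkey" step: the device generates a key pair and shares only the public key; the returned private key models the one kept in the device's vault.
func (rp *RelyingParty) Register(user string) (ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = pub
	return priv, nil
}

// Challenge issues a fresh 32-byte random challenge for one sign-in attempt.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand is documented never to return an error on supported platforms
	rp.challenges[user] = c
	return c
}

// DeviceSign models the device side: the private key is used only after local user verification (fingerprint/face scan/PIN), whose outcome is passed in as a bool.
func DeviceSign(priv ed25519.PrivateKey, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user verification failed; private key stays locked")
	}
	return ed25519.Sign(priv, challenge), nil
}

// Verify checks the signature with the stored public key against the challenge it issued, consuming that challenge either way so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, issued := rp.pubKeys[user], rp.challenges[user]
	delete(rp.challenges, user)
	return len(pub) == ed25519.PublicKeySize && issued != nil && bytes.Equal(issued, challenge) && ed25519.Verify(pub, challenge, sig)
}
```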
Below are a few relying parties that currently use passkeys.
Impact of Passwordless Authentication
Most cyberattacks are password-based. If an organization's access is compromised, recovering the lost funds through legal action costs a lot of money, and the breach harms its reputation, on top of the time, money, and effort the organization already spends managing and storing credentials securely.
Businesses need to invest in implementing passwordless authentication, but the investment pays off in the long run: it reduces cyberattacks and secures the business more efficiently while remaining user-friendly.
Nowadays consumers have many accounts with different businesses, making it impossible to remember all of those passwords. As a result, individuals frequently forget their passwords and have to reset them, which makes for a frustrating user experience. Consumers also tend to reuse the same password across multiple accounts, making it easy for attackers to compromise a service.
With passwordless authentication, users no longer need to create or remember complex passwords. Instead, they log in using digital tokens or biometrics, which improves the entire experience and streamlines logins. It also gives users more confidence in the service, since it is secure and less prone to cyberattacks.
– Credentials never expire or get lost, and if they do, users can reset them using self-service solutions, which reduces the need for help-desk assistance and significantly lowers the cost of password-related support
– Uses more secure authentication factors, biometric and/or possession, rather than knowledge-based ones
– Less prone to cyberattacks than password-based authentication
– Offers a seamless login process for consumers, who no longer need to rack their brains to remember passwords
– Increases consumer trust in commercial services
How to go Passwordless
First, a firm must understand, accept, and be ready to invest in the benefits of passwordless access. To succeed when developing a passwordless plan, bear in mind these important practices:
– Determine use cases for passwordless authentication
– Simplify and combine strong authentication processes
– Implement self-service capabilities in case of lost possession-based factors
– Boost consumer trust in authentication
– Implement a passwordless beta program and evaluate consumer feedback
– Optimize and streamline the passwordless process
Feel free to contact us if you have any concerns about how passwordless authentication should be implemented in your use case. We are prepared to assist.
Sonal Patil, Senior Identity Solution Specialist