Think about this: what are you actually authenticating when someone requests access to your systems, data, and other critical parts of your business?
54% of IT and cybersecurity professionals have started to transition to passwordless authentication. Unfortunately, most common passwordless solutions are possession-based (e.g. hardware security keys, phone-based push tokens, authenticator apps, and SMS OTPs), which only authenticate “something you have” without any verification of the actual person.
In this blog, we’ll discuss how passwordless authentication works, the pain points with common passwordless authentication methods, and why BIO-key’s Identity-Bound Biometrics solution can help your organization implement passwordless biometric authentication the right way.
Why It’s Time to Ditch Passwords
Passwords are inherently insecure and provide weak security even in the best of circumstances. They can be stolen, shared, guessed, or cracked. Most of all, people engage in bad password habits, such as choosing weak passwords and reusing them across multiple accounts.
For a password to secure access, it must be strong. According to CISA’s Cross-Sector Cybersecurity Performance Goals for 2022, organizations should have a system-enforced policy that requires a minimum password length of 15 or more characters, including a mix of numbers, special characters, and both upper and lowercase letters. However, strong passwords put a strain on users and offer a poor user experience, which is why most people don’t bother following password best practices.
Instead of trying to make passwords stronger, organizations are getting rid of passwords altogether and embracing a passwordless authentication strategy to improve security.
What is Passwordless Authentication?
Passwordless authentication involves verifying a user’s identity without the use of passwords. Instead, the individual authenticates using one (or a combination) of these factors:
- Something you know (security question, PIN)
- Something you have (hardware tokens, proximity cards, or phone-based methods)
- Something you are (biometrics, such as a fingerprint, palm scan, facial or voice recognition)
How Does Passwordless Authentication Work?
FIDO (Fast Identity Online) is the authentication protocol behind most of the passwordless solutions today, offering a simpler and more secure user authentication experience.
Developed by the FIDO Alliance, FIDO emphasizes a device-centric model and uses standard public-key cryptography, where a user is challenged to prove possession of the private key to access an online service.
FIDO authentication typically involves two steps:
- Unlock the FIDO authenticator on the local device
  - The unlock method can be selected from a range of options (see next section)
- Authenticate with the online service
  - The local device then uses the private key that corresponds to the public key registered with the service provider to prove possession of that key
It’s important to note that FIDO protocols are designed to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
Common Passwordless Authentication Methods
Passwordless authentication requires a user to authenticate with something they have, something they know, or something they are. The most common and widely adopted methods for passwordless authentication include:
- Push notification: Sent directly to the user’s device, alerting them that an authentication attempt is taking place. Users can view authentication details and approve or deny access, typically via a simple press of a button.
- Authenticator app: Usually installed on a smartphone, it generates a 6–8-digit code every 30 seconds, and the user has to enter the code into the login field before it expires.
- SMS OTP: A text message containing a unique alphanumeric or numeric code is sent to a mobile number. The recipient then uses this code to log in to a service, website, or app.
Physical Security Keys
When a user inserts a security key into their device (or connects one wirelessly), the browser issues a challenge to the security key. The security key cryptographically signs this challenge, verifying the user’s identity and logging the user in to the online service.
Magic Links
Magic links are based on the user's email address and carry an expiration time. When logging in to an application, the user submits their email address and clicks the magic link received in their inbox.
Digital Certificates
Digital certificates are provisioned onto a user's mobile device, turning it into their trusted digital identity for authentication, encryption, and digital signing. When the user’s device is unlocked, they are granted secure access to the connected system or application.
Device-Based Biometrics (Not an Inheritance Factor)
Device-based biometrics are still considered a possession factor in terms of what is authenticated to the relying party, i.e. the organization that owns the online application or asset. Take Apple Touch ID and Microsoft Windows Hello as examples: when a user presents their biometric, they authenticate to their device. The device then authenticates the user online using public-key cryptography. Essentially, device-based biometrics still authenticate “something the user has” — the device.
Challenges of Common Passwordless Authentication
Possession Factors Can Be Shared, Lost, or Stolen
The issue with possession factors for passwordless authentication is that identity and trust are tied to an item in the user's possession, which can be shared, lost, or stolen.
For example, SMS OTPs are particularly vulnerable to SIM-jacking, where a hacker takes over a user’s phone number by tricking their carrier into transferring it to a new phone. Because of this serious security risk, the US National Institute of Standards and Technology (NIST) proposed a deprecation of SMS as an out-of-band authentication method in 2016.
Passwordless authentication that relies on devices is easily compromised because there is no verification of the actual people behind these devices. In March 2022, the FBI and CISA released an alert to warn organizations that Russian state-sponsored cyber actors have been taking advantage of misconfigured accounts set to default MFA protocols, allowing them to enroll a new device for MFA and access the victim’s network.
Even device-based biometrics are not much better, because what is authenticated to the relying party is still a credential held within the device (a possession factor), not the biometric that verifies the person’s actual identity. When a user fails device-based biometric authentication, the backup authentication method that appears is usually a password or PIN, so anyone with the password or PIN can bypass the biometric check and take over that device.
Another major security risk with device-based biometrics is that each user is in control of the enrollment process, and there is no control for the relying party to prevent unauthorized delegation. In other words, the relying party doesn’t know if the intended user has delegated responsibility or allowed unauthorized enrollment on their device.
Possession Factors Involve High Costs & Investments
Possession factors are costly to deploy and manage in many cases, for example:
Physical Security Keys
- Range from $25 to $100 each
- Require multiple tokens per person
- Tremendous overhead to distribute
- Re-purchasing costs when employees leave
Mobile Devices
- Employer cost for mobile devices and/or data plans (dedicated mobile devices for work)
- Liability for wiping an employee’s phone
Possession Factors Are Inconvenient and Impractical for Certain Groups
- Must remember and carry the phone or security key
- If the phone or security key is lost or replaced, you must re-enroll on every device
- Low accuracy of device-based biometrics leads to PINs and passwords (vulnerable)
- No cell phone service: certain buildings, areas, and while traveling
- Users refuse to use their phones for authentication
- Users do not have a smartphone
- Carrying, holding, or using physical devices poses a risk to employee safety
- An organization’s security policy forbids it (e.g. contact centers)
Skip the Possession Factor with Identity-Bound Biometrics
With BIO-key’s Identity-Bound Biometrics (IBB) for passwordless authentication, you can use biometrics as a full passwordless solution – no phones or tokens required.
IBB creates a centralized unique biometric identity that can be used to verify the user anywhere, across devices and locations. Unlike device-based biometrics, nothing is bound to the device so you can truly authenticate with “something you are”.
Highlights of IBB:
- Centrally stored biometrics — cannot be shared, forgotten, or stolen
- Enterprise-controlled enrollment
- Non-reversible hashed biometric data
- Well suited to situations where phones and security keys will not work, are unreliable or unsafe, or the user doesn’t want to use them
How Does Identity-Bound Biometrics Work?
Here's a video snippet of how passwordless authentication with IBB works, using desktop login on shared workstations as an example.
Benefits of Identity-Bound Biometrics
Passwordless authentication with IBB addresses a lot of the challenges associated with common possession-based methods.
Trusting People — Not Devices
With IBB, you can positively identify the person — not just the device — so you can be sure that only authorized people are gaining access. This includes a full, auditable activity log that gives comprehensive records of logins, record updates, and tracking of users' system and application access.
One thing that IBB can do that other methods can’t is process validation. This is especially important in industries such as manufacturing, healthcare, and financial services, where you have to make sure that authorized people are the ones completing steps or taking actions within a process or transaction.
Convenient and Easy to Use
One-time enrollment quickly sets up access across multiple devices and locations. IBB with BIO-key’s fingerprint scanners allows for one-touch authentication for a passwordless login at each workstation, or via PortalGuard single sign-on to access a range of web applications — no mobile device or token necessary.
IBB is very affordable and can be implemented in less than 60 days. If you’re using BIO-key’s fingerprint scanners for IBB, installing one scanner per desktop is a minimal one-time investment, compared to the cost of purchasing multiple tokens or paying for mobile plans.
Case Study: The Orange Bank & Trust Company
As cyber threats continue to present a significant risk to commercial banks, Orange Bank & Trust implemented IBB to move away from passwords and improve their authentication strategy.
What Orange Bank & Trust did:
- Opted for IBB as part of their passwordless authentication strategy to secure access to shared workstations across 15 branches
- Successfully implemented IBB in 45 days and deployed a fingerprint scanner on < 200 desktops, offering passwordless authentication for all employees. Employees only have to scan their fingers to log in to any workstation
Learn More About Identity-Bound Biometrics
If you’re using the BIO-key PortalGuard platform, you already have access to all the passwordless authentication methods outlined above, as well as IBB for passwordless authentication.
Please don’t hesitate to reach out to Alexander Apostolov, your BIO-key customer success manager, to discuss how you can leverage your investment to its fullest.
You can also download the IBB datasheet for a full overview, product specs, and features.