Think about this: what are you actually authenticating when someone requests access to your systems, data, and other critical parts of your business?
54% of IT and cybersecurity professionals have started to transition to passwordless authentication. Unfortunately, most common passwordless solutions are possession-based (e.g. hardware security keys, phone-based push tokens, authenticator apps, and SMS OTPs), which only authenticate “something you have” without any verification of the actual person.
In this blog, we’ll discuss how passwordless authentication works, the pain points with common passwordless authentication methods, and why BIO-key’s Identity-Bound Biometrics solution can help your organization implement passwordless biometric authentication the right way.
Passwords are inherently insecure and provide weak security in the best of circumstances. They can be stolen, shared, guessed, or hacked. But mostly, people engage in bad password habits, such as using weak passwords and reusing them for multiple accounts.
For a password to secure access, it must be strong. According to CISA’s Cross-Sector Cybersecurity Performance Goals for 2022, organizations should have a system-enforced policy that requires a minimum password length of 15 or more characters, including a mix of numbers, special characters, and both upper and lowercase letters. However, strong passwords put a strain on users and offer a poor user experience, which is why most people don’t bother following password best practices.
Instead of trying to make passwords stronger, organizations are getting rid of passwords altogether and embracing a passwordless authentication strategy to improve security.
Passwordless authentication involves verifying a user’s identity without the use of passwords. Instead, the individual authenticates using one (or a combination) of these factors:
FIDO (Fast Identity Online) is the authentication protocol behind most of the passwordless solutions today, offering a simpler and more secure user authentication experience.
Developed by the FIDO Alliance, FIDO emphasizes a device-centric model and uses standard public-key cryptography, where a user is challenged to prove possession of the private key to access an online service.
FIDO authentication typically involves two steps:
It’s important to note that FIDO protocols are designed to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
Passwordless authentication requires a user to authenticate with something they have, something they know, or something they are. The most common and widely adopted methods for passwordless authentication include:
When a user inserts a security key into their device (or connects one wirelessly), the browser issues a challenge to the security key. The security key cryptographically signs this challenge, verifying the user’s identity and logging them in to the online service.
Magic links are based on the user's email address, with an expiration time. When logging into an application, the user must submit their email and click the magic link received in their email inbox.
Digital certificates are provisioned onto a user's mobile device, transforming it into their trusted digital identity for authentication, encryption, and digital signing. When the user’s device is unlocked, they are granted secure access to the connected system or application.
Device-based biometrics are still considered a possession factor in terms of what is authenticated to the relying party, or to the organization that owns the online application or asset. Taking the example of Apple TouchID and Microsoft Windows Hello, when a user presents their biometrics, they authenticate to their device. The device then authenticates the user online using public key cryptography. Essentially, device-based biometrics is still authenticating “something the user has” — the device.
The issue with possession factors for passwordless authentication is that identity and trust are tied to an item in the user's possession, which can be shared, lost, or stolen.
For example, SMS OTPs are particularly vulnerable to SIM-jacking, where a hacker takes over a user’s phone number and tricks their carrier into transferring it to a new phone. Because of this serious security risk, the US National Institute of Standards and Technology (NIST) proposed a deprecation of SMS as an out-of-band authentication method in 2016.
Passwordless authentication that relies on devices is easily compromised because there is no verification of the actual people behind these devices. In March 2022, the FBI and CISA released an alert to warn organizations that Russian state-sponsored cyber actors have been taking advantage of misconfigured accounts set to default MFA protocols, allowing them to enroll a new device for MFA and access the victim’s network.
Even device-based biometrics are not much better, because what is authenticated to the relying party is still a certificate within the device (a possession factor), not the biometric verifying the person’s actual identity. When device-based biometric authentication fails, the fallback is usually a password or PIN, so anyone who knows that password or PIN can bypass the biometric and take over the device.
Another major security risk with device-based biometrics is that each user is in control of the enrollment process, and there is no control for the relying party to prevent unauthorized delegation. In other words, the relying party doesn’t know if the intended user has delegated responsibility or allowed unauthorized enrollment on their device.
Possession factors are costly to deploy and manage in a lot of cases, for example:
Physical Security Keys
Phone-Based Methods
Inconvenient
Implausible
With BIO-key’s Identity-Bound Biometrics (IBB) for passwordless authentication, you can use biometrics as a full passwordless solution – no phones or tokens required.
IBB creates a centralized unique biometric identity that can be used to verify the user anywhere, across devices and locations. Unlike device-based biometrics, nothing is bound to the device, so you can truly authenticate with “something you are”.
Highlights of IBB:
Here's a video snippet of how passwordless authentication with IBB works, using desktop login on shared workstations as an example.
Passwordless authentication with IBB addresses a lot of the challenges associated with common possession-based methods.
With IBB, you can positively identify the person — not just the device — so you can be sure that only authorized people are gaining access. This includes a full, auditable activity log that gives comprehensive records of logins, record updates, and tracking of users' system and application access.
One thing that IBB can do that other methods can’t is process validation. This is especially important in industries such as manufacturing, healthcare, and financial services, where you have to make sure that authorized people are the ones completing steps or taking actions within a process or transaction.
One-time enrollment quickly sets up access across multiple devices and locations. IBB with BIO-key’s fingerprint scanners allows for one-touch authentication for a passwordless login at each workstation, or via PortalGuard single sign-on to access a range of web applications — no mobile device or token necessary.
IBB is very affordable and can be implemented in less than 60 days. If you’re using BIO-key’s fingerprint scanners for IBB, installing one scanner per desktop is a minimal one-time investment, compared to the cost of purchasing multiple tokens or paying for mobile plans.
As cyber threats continue to present a significant risk to commercial banks, Orange Bank & Trust implemented IBB to move away from passwords and improve their authentication strategy.
What Orange Bank & Trust did:
If you’re using the BIO-key PortalGuard platform, you already have access to all the passwordless authentication methods outlined above, as well as IBB for passwordless authentication.
Please don’t hesitate to reach out to Alexander Apostolov, your BIO-key customer success manager, to discuss how you can leverage your investment to its fullest.
You can also download the IBB datasheet for a full overview, product specs, and features.