In our everyday lives we use usernames and passwords very often. More often than not, we have to input a password to access something: our email account, an online shop, a remote system or even our mobile phone. This secret we call a “Password” is usually something that no one else knows, or so we think, and it proves that we are the account/resource holders, well, except for that video streaming platform password that we share with all our friends 😉
Inputting passwords can be boring and tedious, especially if they are long and complicated. In order to make the user experience better, systems, apps and websites offer various ways to make this process more user friendly. Almost everyone has seen and used a “Remember me” type checkbox when authenticating to an app or website. This usually allows the user to authenticate once and not have to input their username and password for a long time, or even ever again, on a “trusted” computer or phone. Password managers are another example: dedicated apps that help us create, store and use passwords.
People by nature are lazy creatures. People will find ways to make their life easier, and sometimes this comes at the expense of security. It is very common to use common/simple passwords on multiple accounts, so that you don’t need to remember different long and complicated passwords. In 2023 the most commonly used passwords were “123456” and “password”.
Websites and apps try to tackle this by enforcing strong “Password Rules”. Common examples are using a mixture of uppercase and lowercase characters, including at least one number and one special character, and making sure that your password is more than 12 characters long. Let’s see an example of a “good” password following these rules:
Password1234!
Found yet another way to “cheat the system”…
To summarise, the “secret” that we use to prove our identity in a system is fragile and easy to break. It is a single point of failure for many systems and can be obtained in many ways: brute forcing, social engineering or, if we were lazy enough to write it on a Post-it, just by looking around our desk.
For all those reasons and more, passwords are not safe, so companies and experts are working hard to improve the situation and therefore the security of their systems. Usually those methods introduce more friction for the end user: enforcing stronger passwords and checking them against dictionaries of common passwords, checking for password reuse, requiring 2FA and more. All those methods make it harder for a bad actor to gain access to a system and steal your secrets, but they also make it harder for a legitimate user to gain access to the system.
In that sense, we all know that some passwords can be hacked or acquired easily, either through social engineering or even brute forcing attempts. At the same time we know that we must protect the security of our accounts and systems. So what do we do? Could the solution be to stop using passwords altogether? Over the last few years there has been a lot of noise about going “Passwordless”, but what does that really mean?
Passwordless authentication is the term used to describe a group of identity verification methods that don’t rely on passwords. So if we do not rely on passwords, what do we rely on? What would be that “secret” that only we hold, that will prove our identity and thus give us access to a protected resource over the internet?
There are many ways of going Passwordless. Methods like biometrics, security keys and specialized mobile applications are considered Passwordless and can provide a secure alternative to inputting a password and sending it over the network.
If we take a closer look at some of those methods, they might sound a bit familiar. Given that almost everyone in the world at the moment has access to a mobile phone and can use SMS, a common answer to Passwordless is to use a One Time Password (OTP) instead of a user generated password. In this scenario, the system knows the user’s mobile phone number. When an authentication is attempted the system collects the username and sends an OTP to the registered mobile number. The user is then required to use this OTP within a specified timeframe to get access.
A similar pattern is to send the OTP via email. In that case the user needs access to the registered email account to retrieve the OTP and input it within the specified timeframe. In both cases, we trust that the means of delivery is not compromised. If the SIM card is compromised and a bad actor receives the SMS instead of the valid user, then the system is compromised. The same holds if a bad actor has access to the user’s email. More details on SIM cloning and other SMS based attacks can be found here. OTPs are an easy and quick way of going Passwordless, but they might not be the definitive answer, especially in systems that have strict security requirements.
Going Passwordless using Push Notifications is a method that has been gaining ground over the last few years. Systems that support this method utilize dedicated “Authenticator applications”, like the Forgerock Authenticator app, that are registered with the system and receive a push notification when an authentication attempt happens. The user needs to act on the notification within a specified timeframe and “approve” the attempt. A common attack bad actors use to break this system is called “Push Bombing”. During this attack a user is flooded with push notifications and becomes more likely to “approve” an authentication attempt that was originated by a bad actor. To mitigate this attack, popular authenticators like the Forgerock one have added number challenges and other defensive measures that the user must complete before they can “approve” the attempt.
All those methods can be used in Passwordless scenarios or as second factors of authentication (2FA) to secure the system even more. SMS and email are not very sophisticated, but they are widely accessible, easy to set up and maintain, and can elevate the security of a system. Earlier, though, we mentioned biometrics as a Passwordless method. How can “biometrics” be used? Do we need specialised, expensive equipment?
Luckily, most people that own modern smartphones already use biometrics. Apple and Google have included fingerprint and face recognition scanners on most of their devices from 2013 onwards. Those biometric scanners, more commonly known by their marketing names (FaceID, TouchID, etc.), register the user’s biometrics with the mobile operating system and can be used to unlock the device itself, unlock information stored in the secure storage and more. Now, how can we use those platform biometric authenticators to provide a secure Passwordless experience on a website or application we’ve built? This is where a not-so-new standard from the W3C comes into play, named WebAuthn.
This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web or native applications, for the purpose of strongly authenticating users. A public key credential is created and stored by a WebAuthn Authenticator at the behest of a WebAuthn Relying Party (website or service), subject to user consent. Subsequently, the public key credential can only be accessed by origins belonging to that Relying Party. This scoping is enforced jointly by conforming User Agents and authenticators. Additionally, privacy across Relying Parties is maintained; Relying Parties are not able to detect any properties, or even the existence, of credentials scoped to other Relying Parties.
In simpler words, a strong authenticator (like those on modern iOS and Android devices, or security keys) is used to perform two distinct ceremonies:
- Register: Create a public/private key pair, store the private part in the secure storage element of the authenticator and send the public key to the server.
- Authenticate: Unlock the stored private key and use it to produce an Authentication Assertion for the Relying Party, proving the presence and consent of the user who registered the public key credential.
This cryptographic method of authenticating is a highly secure way of creating, registering and using secrets. Furthermore, the secret (the private key) is stored securely on the user’s device (or account) and can only be accessed by authenticating the user on the device itself.
WebAuthn and FIDO keys have recently had their five minutes of fame in the public eye. Last year Apple, Google and Microsoft announced that they will all support “Passkeys”. This is essentially another name for WebAuthn keys. There are some differences from how WebAuthn and FIDO2 keys worked before that, but the technology is the same.
So what are those “Passkeys” and how can they help us stop using passwords? Passkeys are a specification built on top of WebAuthn, so the same cryptography and rules apply, except that now the private key is synced across your cloud accounts (iCloud, Google Password Manager), making it available to all your devices. In other words, what you generate on your computer can now also be used on your phone. At this time iOS, macOS and Android provide full support for those keys, and Microsoft will be bringing it to Windows 11 in future updates. Additionally, password managers like LastPass and 1Password will be introducing Passkey support in the near future. The wide adoption and the interest of all the big players make this a great candidate for a spec that will bring “Password-less” closer to reality.
In summary, there are already a few technologies available that allow users to move away from passwords. Some are better, some worse, and some new ones are gaining ground. Will passkeys be the final solution to the password problem? Probably not in the end, but they will pave the way for other, more interesting technologies like decentralized identities. For now, though, they seem like a great option to stop using passwords as much as we can and secure our digital lives in smarter and more secure ways. Stay tuned for more…