Authentication solutions have primarily relied on knowledge-based, single-factor (password) with dramatic consequences: Identity compromises, data breaches, eroded reputation. To mitigate risks and create a frictionless experience, moving beyond passwords means adopting a passwordless solution.
The definition of authentication in the digital world is authentication is “the process or action of verifying the identity of a user or process.”
The verification of a user’s identity is performed through a process called “identity proofing,” which ultimately verifies and validates attributes that belong to the user, like first and last name, date of birth. In the recent years, biometrics have been added to the mix to further prove the individual’s identity.
Did you know that in the second century BC, Roman guards used to shared a secret, watchword, when changing shifts? And even more fascinating, back then they were already using the three types of authentication factors that are still leveraged by authentication solutions today:
There is not just one recipe for authentication. Different groups of user attributes can be combined to authenticate.
Naturally over the centuries and more precisely in the recent years, the authentication process has shifted to become increasingly complexity. Technology changed constantly, and authentication solutions have had to follow as well as possible to mitigate risks of cyber attacks. Hence the need to combine multiple types of authentication factors in an attempt to make cybercriminals' lives more difficult. Look at online payment systems that now require a password and a temporary code sent by SMS. This is a prime example of a 2FA solution: the password is the first authentication factor and the SMS is the second authentication factor, as long as the latter is received by the cellular phone that belongs to the person, who needs to authenticate...
The reality is that password have become obsolete. The reason essentially lies in the fact that hackers have developed tools that can easily compromise them. 81% of data breaches are caused by poor password management. And the increase in sophistication with which hackers are now able to compromise credentials has made the problem much worse.
Passwords represent the authentication mechanism of choice for just about anything. But, a password is highly insecure for four main reasons:
For businesses, the transition to passwordless authentication has become ineluctable, given the flawed security passwords and authentication solutions leveraging them offer.
Passwordless authentication offer four major advantages over knowledge-based, password-based, authentication:
Increased revenues, lower costs.
Passwordless authentication. decreases the costs inherent to password management and, ultimately, data breaches, while improving revenues thanks to enhanced productivity and customer loyalty and trust.
A few staggering statistics:
By going passwordless:
Enhanced user experience.
86% of customers are ready to pay a premium for more user-friendly experience, which infers that if a platform’s authentication experience is not satisfactory, then customers will take theirbusiness elsewhere. With passwordless authentication, the user having to manage passwords disappears. And let's face it, having to remember dozens of different usernames and passwords, prompts many people to re-use passwords, choose weak ones, or note them down on their phone, email account or with sticky notes on their computer monitor. Finally, passwordless authentication solutions leverage a user's smartphone, which adds a lot of convenience.
Standards and compliance.
The FIDO Alliance is an open industry association and a major proponent of passwordless authentication, to the point of having created open standards for passwordless authentication to online and mobile services.
The FIDO Alliance has developed FIDO2 in collaboration with the World Wide Web Consortium (W3C). FIDO2 became a web standard in March 2019.
In a nutshell, when users authenticate to a site that supports FIDO, their identity is verified with a simple action, such as scanning a fingerprint or touching a security device. The website and the user’s authenticator conduct a challenge- response to verify that the user is in possession of the correct private key. Each service uses a unique key pair, and the private key never leaves the user’s device. FIDO2 is supported by all leading web browsers, making its reach nearly ubiquitous on modern devices.
Eliminating passwords means enhanced security.
To go passwordless dramatically decreases a company's exposure to data breaches, simply because the organization doesn't need to store users' passwords on its servers anymore. At the end of the day, passwordless solutions do not require that personal information be stored for authentication purposes. To put it simply, there are no passwords to steal. Moreover, when the authentication is performed on the user side, no personal information is transmitted over the internet, which makes man-in-the-middle attacks virtually impossible. Lastly, the biometrics users leverage to authenticate are kept on the user's device. Consequently, the risk of online fraud and identity theft is greatly reduced.
Authentication with facial biometric technology
Recent technological advances in smartphone cameras and machine-learning models mean facial recognition and document scanning can now be used to verify people remotely and at scale. In short, when creating a new account on an online service, users take a picture of their government ID and the application compares the picture with that of the person taking the picture. By using facial biometric authentication, users no longer need to associate a password with their account.
Extra security with hardware keys
In a recent research assessment, Google compared the standard baseline of password authentication with security keys, smartphone- based one-time password (OTP) generators, and two-step verification (2SV) over SMS. While no option is perfect and any form of 2SV is better than none, Google found that security keys provide the strongest security while also offering the best mix of usability and deployability.
Security keys come in a variety of form factors ranging from a small USB, NFC or Bluetooth device that can live on a user’s keychain to something built into a user’s mobile phone that can securely authenticate when they need to sign into a new device. The common factor here is that the device must be physically and locally present when authentication happens.
User experience first with QR code authentication
Complex animated QR codes can also be used to authenticate without passwords. Users logging in scan a QR code with a smart device to bind the session to their user identity. A confirmation message is then displayed in an app on the device verifying the authentication which triggers a biometric scan confirming that the users are who they say they are. Then, an authenticated session is passed to the relying party and the user is logged in.
The dynamic QR code scan has many advantages such as preventing session hijacking or session replay attacks. Since the code is animated, unique and has a very short life span, it provides a secure way for binding sessions to identities while at the same time providing a seamless experience that doesn’t require complex pairing between devices.
Seamless authentication with behavioural analysis
Behavioral authentication uses non-identifiable but individually unique factors to confirm identity. Users may not see a password login, but their identity will be authenticated in the background using factors such as non-identifiable behavior attributes from mouse movements to typing speed and habits, login history, network details like IP address, browser used, etc. While each of these non-identifiable factors is not enough on its own, when they combine as a single-security mesh, authentication becomes both secure and invisible.
All these factors can be brought together in a big data set and apply artificial intelligence and machine learning to analyze and accurately differentiate legitimate users from criminals and fraudulent authentication – regardless of the credentials presented.
Fewer passwords with zero-knowledge proofs
Zero-knowledge proofs (ZKP) are a challenge/ response authentication protocol in which parties are required to provide the correctness of their secrets, without revealing these secrets.
It allows authentication of users in such a way that a password never leaves the user’s device or browser. In simple terms, a ZKP authentication process can transform a password into a complex and unique abstract string, like a Rubik’s cube with a completely random pattern. The abstraction is transferred to a server and stored. The challenge is to prove that the Rubik’s cube pattern on the client is the same as the one on the server by generating a series of random permutations that match both the Rubik’s patterns. In this way, the entire pattern is never transferred but you can still prove, to a very high probability, that the two patterns are the same. One of the main advantages is that the verifier cannot learn anything from the authentication procedure.
ZKP technology can eliminate the exposure of private user data during authentication or identity verification. It can even be used beyond authentication, allowing users to reclaim and control the use of their digital identity.