We are going to take a look at the advances made in information security that focus on strengthening authentication systems based on the passwordless philosophy.
Several media outlets have recently echoed the effort that the major tech companies have invested in implementing authentication systems that are geared towards resolving the security issues inherent to traditional password-based authentication mechanisms, with the aim of improving information security.
This effort is starting to bear fruit: it is not only the major tech companies that are incorporating these authentication solutions, but also many companies from various industries, including the banking sector; we are already incorporating them into our systems instead of the traditional password.
In this article we are going to delve into the fundamentals of these solutions and analyse Passkeys in detail: a new type of credential based on public-key cryptography and biometric verification, proposed by the FIDO Alliance and the World Wide Web Consortium.
Weaknesses of password-based authentication systems.
Passwords are currently, par excellence, the most widespread authentication mechanism employed to protect information, and given their nature, also the most vulnerable.
Although it is fair to say that most systems require users to comply with certain rules when setting these passwords (minimum number of characters, special characters, numbers, capitals, etc.) and subject them to policies requiring renewal every so often, the fact is that there are many attack vectors that allow these credentials to be stolen, which leads to information security breaches that give malicious users access to systems and data they are not authorised for.
Among the various attack vectors are the following:
1. Password attacks: Brute force attack
This is a trial and error method by means of which passwords of a certain length are generated sequentially. The aim is to obtain a specific user’s access key.
2. Password attacks: Dictionary attack
It is similar to a brute force attack, but instead of generating passwords, it uses predefined password dictionaries that usually contain passwords commonly employed by users or passwords that have been stolen from other systems through previous attacks.
3. Password attacks: Sniffers/Keyloggers
Extraction of credentials by monitoring network traffic (sniffers) or by recording keystroke entries made by a user on a computer keyboard (keyloggers).
4. Password attacks: Phishing/Smishing/Vishing
An attack that, through spoofing and by means of communications (SMS, email, telephone calls) sent to customers, obtains the access credentials of services to which the user is subscribed, or their keys, in order to carry out fraudulent operations.
5. Password attacks: Reusing credentials
This method consists of using credentials from prior exfiltrations to gain unauthorised access to other services in which the user has set the same credentials.
6. Password attacks: Credential exposure
Lastly, this type of attack takes advantage of the inadequate protection of computer resources that contain information related to users’ credentials and that have become accessible to third parties via the internet, for example plain-text files with user or system credentials being indexed by search engines.
Passkeys, the passwordless system to the rescue.
Passkeys are the technological alternative proposed by the FIDO Alliance to replace passwords with a common, much more reliable authentication standard. They are based on public-key cryptography and are already available in most operating systems and web browsers.
The only requirement for users is a device with cryptographic capability, such as a smartphone, a computer with a biometric reader or a USB security key, since access to the local credentials is protected by biometrics (local or remote), a PIN, a pattern (in the case of smartphones) or even a smartcard.
It is worth stressing that the potential of Passkeys is not limited to protecting access to internet services: they can also be employed in authentication processes to authorise risky operations online, which reinforces security even more.
The functioning of Passkeys consists of two steps:
- The first step involves the user registering via the FIDO authenticator they have available that matches the acceptance policy of the service in question. Once the FIDO authenticator is unlocked, a unique public-private key pair is created for the local device, the service in question and the user account. The public key is stored by the online service and associated with the user’s account; the private key is stored on the user’s device, where access to it is protected by the secure local authentication method defined by the user.
- The second step is the authentication itself, when the user wishes to access the online service. The user is asked to log in with a previously registered device that matches the service’s acceptance policy. Once the user unlocks the FIDO authenticator, it selects the local private key corresponding to the service and signs the FIDO challenge; the signature is sent to the service, which completes the appropriate verifications.
The Registration process is represented by the following image:
Passwordless: Information more protected but with weak points.
We can safely say that the arrival of this authentication mechanism will be a turning point in terms of security, as we will move from depending on something the user “knows” to depending on what the user “is” (biometrics) or “knows” (pattern or PIN) together with what the user “has” (the cryptographic key on their local device).
This paradigm shift exponentially increases security, since for a malicious user to access a service illicitly they would have to be in possession of the user’s device and get the user to complete the authentication with their biometrics, or otherwise use the access mechanism the user defined for the vault of cryptographic keys.
However, there are still weak points that require special attention in order to guarantee the highest level of security, such as the initial enrolment step, which in most cases will probably require password-based authentication combined with two-factor authentication, or the credential recovery processes needed when the device storing the credentials is lost.
The key to guaranteeing the entire system’s security is, precisely, designing those processes in such a way that they ensure the user’s authenticity, as well as the integrity of the process, thus minimising the risk of identity or credential theft by malicious users.
Will passwordless become the definitive authentication system?
Far from it. As technology progresses, new authentication systems with new, as yet undiscovered capabilities will appear, some perhaps so experimental that they will not be considered feasible in the short term.
However, the transition to passwordless authentication systems is a major breakthrough in security and protection compared to traditional authentication mechanisms. Therefore, whether for security or for the convenience of not having to remember or enter passwords, the effort required to implement this technology is fully justified, and it will result in a competitive edge that companies will surely highlight to their users.
We hope that in the (hopefully near) future, when we talk about passwords, we feel the same way as we do today when we remember the 5.25-inch floppy disks we used in our old computers to store barely 1 MB of information.