Is now the time finally for passwordless authentication?

As more tech providers look to passwordless authentication methods, its only a matter of time before passwords are no longer a primary authentication method.
8 October 2021

Way back in 2010, France’s President Nicolas Sarkozy (L) visited the biometric passport office at Laon city hall, northern France, during a visit on the future of the French civil service. (Photo by PHILIPPE WOJAZER / POOL / AFP)

Despite passwords being an integral part of everyone today, passwordless authentication has been quickly catching fire all of a sudden. Be it for operating mobile phones, banking, checking emails, or even entering homes, passwords are the most used authentication method. With more and more passwords being required for evermore digital platforms and services, many users use the same password for all their access as it’s easier to remember.

However, using the same password for multiple authentications only makes it easier for cybercriminals. Hence, users were asked to develop stronger passwords. What initially started as just several digits for passwords soon required more complex characters to ensure security. Despite this, many users often still recycle the same passwords and just added a few new characters.

Not surprisingly, cybercriminals could easily compromise these passwords. Even large corporations were easily breached due to weak passwords. As such, multi-factor authentications were introduced. But even with that, cybercriminals were still able to access the codes normally sent via text messages to mobile devices.

With passwords being increasingly easy to be compromised, biometric authentications are now proving to be the safest bet for organizations looking to safeguard their employees and company. Biometric authentication uses the biometric capabilities of users, normally fingerprints, retina scanners, palm readers, and such to grant access.

Several organizations have been testing and advocating biometric authentications with Microsoft deciding biometric authentication being a more secured authentication method compared to passwords. Microsoft has since announced that it is doing away with passwords in some of its products such as emails, and allowing users to only have biometric access.

TechHQ caught up with Andrew Shikiar, Managing Director of FIDO Alliance, to find out if a passwordless authentication future is legitimately possible. Here’s what he had to say.

Why are people still struggling to create strong passwords today?

I think the real question is, why are people still using passwords today. No password can be secured. The fundamental problem with passwords is that they are a human-readable shared secret that is on a server. And anything that sits on the server, can and eventually most likely will be stolen. It’s a historical dependence we have on knowledge-based authentication, which is where users log in to services based on what they know. Attacks won’t stop until we break our dependence on knowledge base authentication.


Is biometric authentication the best alternative to reduce dependence on passwords?

We need to move away from this old model of centralized shared secret authentication. The question is what we many to move to. Big tech companies like Google, Microsoft, Samsung, Intel, Qualcomm, and service providers like Amazon, Facebook, Twitter are working on it from a requirement standpoint.

From a technical standpoint, the approach we believe we should take is a user-friendly approach to asymmetric public-key cryptography. The difference between a public key cryptography approach and a knowledge-based approach is that instead of having a knowledge base credential sitting on a server you have a cryptographic key pair, with a public key on the server and a private key that needs to match precisely sitting on the user’s device.

So now, to log in, instead of me trying to remember what I told the server, which could be intercepted by any sort of hacker, I just need to prove that I’m in possession of my device. And I can prove that possession, either through just literally touching something or entering a pin or by using a biometric, and so what this does is it changes the playing fields dramatically for hackers that there’s really nothing to happen anymore. You can’t take those credentials, you can’t steal them or sell them.

I think something like biometrics is the direction that we will head in to see user-friendly passwordless authentication happen at scale.

Today, most services allow you to log in with your device via biometrics. This is good as it changes the user behavior. That being said, as it’s taking the password out of the user’s brain, it allows them to come to the more complex password.

If you use a password manager, a key chain, or something like that, it allows you to do a very complex password that is harder to hack. And that’s an important step behaviourally but, ultimately, this is a transitory step to moving beyond passwords entirely, where instead of having a complex password, you actually have a public key.

So, yes I think biometrics and possession-based authentication is the future. Whether you prove that possession by who you are, or by what you have, or some combination they’re in, and that’s the key to stemming this type of data breaches and other hacks that are related to passwords.

Is using the same biometric a concern for users?

A lot of education needs to happen for this to grow and scale. The fundamental thing people need to understand about biometrics and there are different ways to do biometric authentication.

For Fido and most banks, the authentication is done locally on the device. Your biometrics never go into a central server. It’s not going to be a biometric hack, or someone could steal your actual thumbprint or a visual representation. This makes it impossible for hackers to do a scalable biometric attack.

With possession-based authentication, it’s a one at a time approach, where a hacker literally has to be with you to spoof your face or your fingerprints. It takes away the high-value high damage attacks. Of course, when someone comes and puts a gun to your head and forces you to the login, that’s a whole different scenario and really out of scope of any sort of technology.

The core thing is for users to authenticate locally to their device and that authentication data or anything valuable is not transmitted over the Internet because that’s where the phishing attacks happen, the man in the middle attacks happen.

passwordless authentication

(Photo by Dimitar DILKOFF / AFP)

Is biometrics technology expensive for implementation?

The good thing about biometric technology is that it’s built into most devices that we have right now. Most Windows machines and mobile devices have a biometric reader on them.

Another way companies are implementing passwordless is using security keys. Hardware tokens cost anywhere between $20 and $60 per user and can be distributed to employees to log in as a second factor or primary factor.

The nice thing about these devices is that they prevent phishing and password resets. Passwords resets can cost companies millions of companies each year. Most of the technologies are already built into devices, and all businesses need to do is deploy them.

Technology is also getting better. For example, facial recognition can now detect the liveliness of the subject. The technology is improving and we’re helping set standards for biometric certification along with other standards organizations.

We don’t specify the biometric modality, so it can be a finger, retinal, veins pulse, or voice sounds on a local device.

As an industry, we’re learning and we’re establishing best practices. We’re trying to tackle things like account recovery to see what happens when you lose your account, or you need to re-enroll a new account to make that process a little smoother.

Will we eventually get rid of passwords in the future?

We can’t fully get rid of passwords. But I do think a couple of things will happen, especially from a user experience standpoint. More consumer services will offer passwordless authentication and logins and rely on device biometrics.

But eventually, more of these will offer true passwordless authentication where you don’t have a password. Ultimately, there will be less friction when you log in.  Part of possession-based authentication is knowing what you’re doing. Initially, it’s going to take some adjusting.

For example, users will be thinking about why it is so easy to log in to a bank account. Is a thumbprint secured enough? People are used to friction. It is going to get some time to get used to this.

The challenges are part technical, part education, and maturity. We need to make progress in all three fields to advance this and make it a practice.