The Solid Passwordless Option

Try to give your employees and yourself a delightful and seamless way to authenticate. Passwordless authentication is a method in which users can log in to a computer system without the need for a password or any other knowledge-based secret. We’re sharing a document which talks about passwordless authentication and the use of security keys. You’ll learn about why passwords are becoming a thing of the past by reading this document in its entirety.

 

What’s wrong with passwords?

Passwords are not enough, and weak passwords are everywhere. A report from TeleSign reveals that over half of consumers use five or fewer passwords for all of their accounts. Verizon’s data breach analysis reports for the last three years also state that 80% of account vulnerabilities were due to weak or stolen passwords. From 2015 to 2019, when the same analysis was done based on more updated data breaches, the situation is still the same.

 

Can strong passwords save the world?

Organizations or enterprises typically deal with these weak passwords by enforcing complexity rules and composition rules. Essentially all of us have seen them, such as “Password should require one uppercase, one lowercase, one number, and so on.”

Firstly, it’s a pain for users. The other part about these complex rules is that they don’t even work. Research has shown that when you have hardwired composition rules, users deal with them in extremely predictable ways, like replacing A with the @ symbol or adding an exclamation mark at the end of the word. Therefore, these rules don’t add anything significant in terms of security.

Phishing is also becoming an increasingly important issue concerning the malware. It is becoming more and more possible because of the emergence of automated phishing kits and even multi-factor phishing. The most famous phishing techniques can also be seen in our slide with descriptions.

 

Security Key can indeed prevent phishing issues.

In addition to the bad news above, the security key is the solution to the phishing problem and It can solve it successfully. Even if a malicious actor has a person’s username and password, the personal account won’t be stolen.

In 95% of cases, web platforms and service providers can certainly do the first gate-keeping and block malicious access based on geolocation risk analysis, device security, history, etc. But that 5% is also critical, and Something that can solve this 5% is multi-factor authentication.

There are now many multi-factor authentication methods available – SMS, TOTP, mobile push, and so forth.

But many of them have their own issues, and phishability is one of the bigger ones. In particular, SMS, OTP is, in a sense, a “clear code” that users know so that it can be stolen in the same way. Therefore, OTPs and most traditional 2FA methods are not the solutions to solve all the problems.

Consequently, in the document you can see that Google lists the advantages and disadvantages of 2FA according to the guaranteed range. SMS and voice-based passwords are the least secure of these methods. And all other 2FA still have the chance to be phished. Most people also know that SMS is the weakest.

FIDO2 and Security Key

The solution to the phishing problem is a hardware FIDO security key designed to withstand phishing. The core concern for which users are struggling is authentication. When users arrive at a site and enter their credentials, they have no way of knowing that the site is genuine, correct, and legitimate. Although there are TLS or other methods that users can verify or recognize the website URL, it is still tough to tell by users.

The security key is born to solve this problem. The way security keys protect credentials is by applying Cryptographic theory and communicating locally with the host.

In other words, when people plug the security key into the device, there will be information sent from the host to the security key. It also verifies the source based on, for example, where you are, where you are browsing. The key will not interact with the client and the server until it recognizes that the site is genuine. All of this is created with open standards; such a mechanism interacts in two standards- Webauthn and CTAP.

WebAuthn enables online services to use FIDO Authentication through a standard web API built into browsers and related web platform infrastructure. CTAP enables expanded use cases over previous FIDO standards. It enables external devices such as mobile handsets or FIDO security keys to work with browsers supporting WebAuthn and serve as authenticators to desktop applications and web services, and they can communicate with each other through USB, NFC, BLE interfaces.

 

How Does FIDO2 Work?

This standard is based on public-key cryptography to secure the authentication process. FIDO2, a new standard, uses a private and public key to validate users and guarantee the security of the authentication process. To use the standard, the user should first set up an account at websites that support FIDO2. The following procedure is straightforward: 

1. Do registration and sign up with a FIDO2 security key.
2. The client service will generate a FIDO2 authentication key pair.
3. Your FIDO2 key sends the public key to the service, while the private key containing sensitive information stays on your device.

Once the secure FIDO2 session is established, the setup credentials are stored permanently, allowing for later logins. The next time users want to access the service; they have to follow these steps:

1. Provide username and email.
2. The service will give a cryptographic challenge.
3. Use the FIDO2 key to sign the challenge.
4. The service’s server verifies response and provides access to the account.

 

Truly Passwordless

When doing passwordless with the FIDO2 security key, you need to use “PIN+Touch” or “Fingerprint” for user authentication. Fingerprint-enabled security keys provide an actual passwordless experience for users. A swipe of your fingerprint authenticates your identity, and no one can steal it. A weak PIN can still be guessed, while a strong PIN will be challenging to remember. Also, entering a PIN on an unknown device can be risky. When you enter a PIN in a public place, people can easily get your PIN.

 

Free download:

The Solid Passwordless Option

 

If you are interested in any of our AT.Wallet’ technical details, please feel free to contact us.