Passwordless Authentication is Finally on the Horizon

Written by

For years, we’ve been discussing the vulnerabilities of passwords and the need to ditch them for more robust and secure solutions. However as we leave 2018, we’ve still been hearing about data breaches that are related to poor password choices and authentication policies. 

Earlier this year, we saw a surge in the use of SamSam, a breed of ransomware that exploits poor passwords to infect computers. Also an audit of the IT infrastructure of the Western Australian government found that the passwords of thousands of government employees could have been exposed to unwanted parties.

Recent research shows that the UN is also doing a poor job of protecting its passwords, and dark web markets are replete with username and passwords to most popular online services.

However, every cloud has a silver lining, and we’re finally seeing signs that the industry is moving in the right direction, toward a future where password breaches might become a thing of the past thanks to technological innovation, regulation and cooperation between large and small tech companies.

This year we saw the release of new NIST standards, which make 2FA and passwordless authentication mandatory in settings where government institutions, organizations and companies are handling sensitive data and functionalities.

Also, the GDPR encourages companies to adopt passwordless authentication technologies, because it relieves them of storing and securing user passwords and exchanging them over the network.

We’re already seeing an increase in innovation, including the advent of a number of hardware, software and mobile solutions that enable users to log into their accounts without the need to memorize and enter passwords, or go through frustrating multi-step authentication processes.

Among the most notable innovations we’ve seen is Google’s Titan security key and Yubico’s Yubikey 5 series. Security keys are used as second-factor tokens that are plugged into computers when logging into associated accounts.

On the mobile front, we’ve also seen some new technologies that are easier to use and make MFA more accessible to average users. Authenticator apps such as the Microsoft Authenticator and my own company’s Octopus Authenticator are two examples that are helping provide a frictionless experience to users.

To log into an account, the user receives an authentication request on their mobile device (something they have), which they can confirm by entering a PIN (something they know) or run a biometric test (something they are). This is a true example of multi-factor authentication that requires no password exchange between the client and the server.

However, even the best authentication technologies are of no use if they don’t receive industry-wide support and can’t be integrated into applications.

Hopefully, we’re seeing some promising synergies in the authentication landscape. The advent of the FIDO2 standard has helped pave the way for the adoption of passwordless authentication methods across different online applications.

FIDO2 has the backing of Google, Microsoft, Mozilla and other tech giants, and builds up on the FIDO standard and adds the WebAuthn, a standard web API that enables the integration of secure authentication mechanisms in browser-based web applications. 

Integrating easy-to-use, passwordless authentication into applications has become easy and cost effective, which means more and more online services can finally replace passwords with more secure alternatives. 

To be sure, security breaches won’t go away, and malicious hackers will continue to seek ways to hijack online accounts for financial and political gains. At the very least, we can put massive user account security disasters, like the three billion account hack of Yahoo, in our rear-view mirror.

What’s hot on Infosecurity Magazine?