Password-less Authentication

Introduction

Password-less authentication is current industry trend to remove passwords from online world to login. In this post, I will be exploring some of the concepts around password-less authentication.

Password is one of the factor to identify yourself who you are authorised to login to application but last 6-7 years password is susceptible to different type of attacks such as brute-force, stolen password database(credential stuffing) and password reuse attacks which makes password is less secure.

Why password-less?

Given password is not strong authentication any more so current cyber security industry warrants strong authentication 🤔 mechanism. Questions may arise why not multi-factor authentication (MFA) in addition to password based authentication is not strong enough. Answer is “yes” it provides strong authentication and defence in depth but it also makes user to carry some additional device in addition to remembering numerous passwords. There are different type of MFA such as software MFA (a.k.a) Virtual MFA and TOTP – Time based one time password via mail or SMS . So to keep in mind these additional factors are not bullet proof compared to Hardware based MFA.

Virtual MFA / Push-notifications / SMS based MFA also susceptible to sophisticated attacks such as SIM swapping attack for SMS and continuous push-notifications to end-user eventually user accepting the push notification and finally virtual MFA relies on mobile security and MFA. So Hardware MFA come as strong factor authentication.

Phishing resistant MFA – Spear/Whale Phishing is a commonly exploited vulnerability in online by tricking the users to click on fraudulent links aims to steal credentials or any other sensitive data from computer. Normal MFA such as virtual MFA, TOTP is susceptible cannot provide protection against phishing attacks. This is where phishing resistant MFA ( FIDO2) uses hardware keys is immune to such attacks and provide strong protection for login. More details about this topic is nicely presented in yubico . Let’s look at how to remove password.

How to achieve password-less ?

Discussed in great depth about Password alone is 💪 not enough for strong authentication which requires additional factor and it will be mostly multi-factor authentication but typing and remembering more passwords is tedious tasks for different websites.

Password-less meaning is by removing passwords to login by providing enough assurance for the application to login by identify the device posture (Up-to date with patching / compliant as per organisation requirement ) and network layer (trusted network. For e.g. not allowing login from cafe shop) and considering other factors such as does user logged into device using touchId or face ID before allowing access.

What happens if application is not getting green signals then application decides to prompt for alternator factor of authentication like MFA to provide access or even password in some cases to prove who you are.

Conclusion

Password-less authentication is not about removing passwords completely. Its compensated with additional form of factors to the application to provide assurance before authorising the users to perform any operations.

References

  • https://www.yubico.com/resources/glossary/phishing-resistant-mfa/
  • https://www.okta.com/resources/whitepaper/how-to-go-passwordless-with-okta/

Posted

in

,

by

Tags: