Is ‘passwordless’ really a great choice for the future of authentication?


There are a lot of vendors on the market offering passwordless solutions. But what does the so-called passwordless really mean? Will the login process disappear? What will the password be replaced with? How can we protect our data if the password is out of the picture? Let’s dig deeper into this.

What is a Passwordless sign-in?

There are a lot of marketing pitches that promote a passwordless future. Does that mean that users really don’t have to remember anything, or does this mean that they’re going to be using some other form of authentication? Will futuristic-sounding biometric authentication replace passwords? Or will physical authenticators or combinations of those things create some form of passwordless experience?

So what is passwordless? Well, think of a physical authenticator that we all know – a door key. We use this ancient technology all the time. We don’t use this approach very often, though, when it comes to online access. And there are some good reasons for that.


Is Passwordless authentication safe?

The threats related to using just a physical authenticator are pretty obvious. It could be stolen, it could be lost, it could be broken, and it could also be duplicated. Generally, though, you would notice fairly quickly if you didn’t have your key: it feels a little different in your pocket, unless you’ve got dozens of them.

Now think that the key could be on your phone. Or even that the phone could be your key. The same goes for a laptop. If your electronic device is your key, then if somebody borrows it from you, this key could be extracted and copied without your knowledge, and unlike a missing door key, you would not notice anything. As a result, organizations and online vendors tend not to use physical authenticators alone as password replacements.

So, in theory, your cellphone could serve you as a passwordless authenticator. But would it serve the purpose? Would it make the login process smooth WHILE maintaining or improving security? Not really.

So unless the device is used as a second factor (in Two-Factor Authentication), it’s not really the improvement in security that so many passwordless vendors are promising, but rather a not-so-safe alternative.


What is physiological biometrics?

Another approach to passwordless authentication could be biometrics. A lot of people think that biometrics is the ultimate security, but the truth is very far from it. The problem with biometrics is that almost all of the biometric modalities that exist can be obtained by a bad actor, or even captured unintentionally.

Fingerprint Biometrics
A fingerprint? We leave it on everything. So if you go to a restaurant, the waiter could take a copy of your biometric fingerprint if they really wanted to and then use it against your will.

Eye biometrics and Iris recognition
The same goes for iris patterns. In fact, iris patterns are fairly easy to obtain, especially if the person is blue-eyed. With just a high-resolution photo of the person, iris patterns can be copied and then used to authenticate.

Biometrics are also not replaceable. So if somebody copies your fingerprint or your iris pattern, this is not something that you’re able to change.

The other issue is that biometrics aren’t a deterministic authentication method or a deterministic factor – it’s more like a measurement. Think of a password. It is either right or wrong. There’s no halfway. A 99% correct combination of letters and digits will not let you through. If you use your device, a key, a phone, or another physical authenticator, then it either has the right key on it or the wrong one. But biometrics is different: if the sample is close enough and the system believes that it’s really you, then it will accept you.
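The contrast in this paragraph, a deterministic check against a similarity threshold, is easy to see in code. The following is an added example and not code from the original article or from Secfense: it verifies a password by exact (constant-time) hash comparison, verifies a biometric by comparing a match score against a threshold, and computes the false accept and false reject rates over a set of constructed sample scores. The score lists and the two thresholds are assumptions chosen for illustration, not real sensor data.

```python
import hashlib
import hmac
import secrets

# --- Deterministic factor: a password is either exactly right or exactly wrong ---

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash; the verifier stores only this."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Exact match only. compare_digest keeps the comparison constant-time."""
    return hmac.compare_digest(hash_password(candidate, salt), stored)


# --- Probabilistic factor: a biometric is a match score compared with a threshold ---

def verify_biometric(score: float, threshold: float) -> bool:
    """The sensor reports how similar the sample is to the enrolled template;
    anything at or above the threshold is accepted, so a close-enough
    impostor sample can pass and a poor sample from the real user can fail."""
    return score >= threshold


def error_rates(genuine_scores, impostor_scores, threshold):
    """(false accept rate, false reject rate) for a given threshold."""
    false_accepts = sum(1 for s in impostor_scores if s >= threshold)
    false_rejects = sum(1 for s in genuine_scores if s < threshold)
    return false_accepts / len(impostor_scores), false_rejects / len(genuine_scores)


# Constructed sample data (not real sensor output): similarity scores in [0, 1].
GENUINE_SCORES = [0.95, 0.91, 0.88, 0.82, 0.79, 0.74, 0.70, 0.66]    # the enrolled user
IMPOSTOR_SCORES = [0.12, 0.20, 0.31, 0.45, 0.58, 0.63, 0.71, 0.77]   # other people / a lifted print


def compare_factors():
    """Show the two behaviours side by side; returns a dict of results."""
    salt = secrets.token_bytes(16)
    stored = hash_password("correct horse battery staple", salt)
    exact = verify_password("correct horse battery staple", salt, stored)
    almost = verify_password("correct horse battery stapl3", salt, stored)  # one character off

    # Loosening the threshold lets more impostors in; tightening it locks out the real user.
    far_loose, frr_loose = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, threshold=0.65)
    far_tight, frr_tight = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, threshold=0.80)
    return {
        "password_exact": exact,
        "password_one_char_off": almost,
        "far_at_0.65": far_loose,
        "frr_at_0.65": frr_loose,
        "far_at_0.80": far_tight,
        "frr_at_0.80": frr_tight,
    }


if __name__ == "__main__":
    for name, value in compare_factors().items():
        print(f"{name}: {value}")
```

With the constructed scores, a threshold of 0.65 accepts every genuine sample but also two of the eight impostor samples, while a threshold of 0.80 rejects every impostor but also half of the genuine samples. The password check has no such dial: a single wrong character is simply a wrong password.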

Biometric authentication is pretty common now. It’s being used a lot with phones that either have fingerprint or face recognition sensors. The good thing about biometric authentication in smartphones is that the biometric template of what it’s comparing against and the comparison can be all embedded in one device.

Biometric authentication, however, is not something that could be used broadly on all sorts of devices. It will most likely never be possible to go to a shop, buy some food, put your fingerprint on the sensor, and then just leave. Why? Because of the irreplaceability of biometric features. If your fingerprint could be remembered and stored on shopping equipment or, in fact, other types of equipment (POS terminals, ATMs, etc.), then anyone who could copy your fingerprint could basically become you and authorize purchases, withdrawals, and other operations without any problem.

Types of biometric authentication

Combining PIN and Biometric Authentication

But what if your fingers get dirty or you’re wearing a facemask? In such a case, the biometrics would not work. When your face or fingerprint is not recognized, your phone immediately asks you to authenticate with a PIN. Why?

Well, vendors most often offer biometric authentication together with the option to fall back to a PIN. If this combination is in place, then if somebody got your phone, he or she would still need to know your PIN to enter it. Let’s say a hacker intends to use a copy of your fingerprint and fails to authenticate on the first or second attempt. Then he or she will be asked for a PIN, which is the second layer of protection and yet another burden for the attacker.

Of course, there’s a way to hack a PIN code, but it takes time and effort. And the goal of cybersecurity is to make the attacker’s life hard enough that he or she loses interest, so that the struggle is not worth the attempt. It’s better for the cybercriminal to pick an easier target than to work hard to break through yet another fence.

Biometrics keeps improving; false accept rates are getting lower and lower, which is great. However, the fact that biometric features are not replaceable will most likely never allow this authentication method to replace passwords and become the only factor used to access online resources or approve online purchases.

Another reason for vendors to use biometrics together with a PIN code is the comparatively high false accept rate of the biometric. Most devices give a user only one or a few attempts before they switch from biometric to PIN. Biometric sensors don’t give the same degree of security as a cryptographic key.

Biometrics is really a convenience factor rather than a security factor. PIN and biometric authentication have different weaknesses, but neither is free from flaws, that’s for sure.


Passwordless again

PINs are really just simpler, weaker passwords. But as long as we’re using them as a second factor, for example combined with a physical authenticator, it’s still way better than even the most complicated password. Even the worst 2FA is better than the best password.

There are big databases of hashed passwords that get stolen every day. There are tons of really great passwords there. But it doesn’t really matter how complicated your password was if it got stolen and simply copied and pasted to compromise your account.
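The point made here, that a stolen password is a reusable proof of identity while a device-bound factor is not, can be shown with a small simulation. This is an added example, not code from the article or from Secfense, and it is a deliberate simplification: the "authenticator" holds a secret that never leaves the device and answers a fresh, single-use server challenge. Real FIDO authenticators use a private key and a digital signature; this example uses an HMAC over the challenge so that it runs with the Python standard library only, and the server therefore shares the key (an assumption that weakens breach resistance but does not affect the replay behaviour demonstrated). All names and the sample password are constructed.

```python
import hashlib
import hmac
import secrets


class PasswordServer:
    """Password login: the proof of identity is a static secret the user types.
    Whoever captures it (phishing, a cracked hash from a dumped database) can
    send exactly the same thing and is indistinguishable from the user."""

    def __init__(self, password: str):
        self._salt = secrets.token_bytes(16)
        self._stored = self._derive(password)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, 100_000)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password), self._stored)


class Authenticator:
    """Hypothetical device-held secret (stand-in for a FIDO-style authenticator).
    The secret is used inside the device; only a response to a challenge leaves it."""

    def __init__(self, device_key: bytes):
        self._key = device_key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ChallengeServer:
    """Issues random, single-use challenges and checks the device's response."""

    def __init__(self, device_key: bytes):
        self._key = device_key          # symmetric simplification, see lead-in
        self._outstanding = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._outstanding.add(challenge)
        return challenge

    def login(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False                # unknown or already-used challenge: a replay
        self._outstanding.discard(challenge)   # each challenge is accepted at most once
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def replay_demo() -> dict:
    """Replay a captured password and a captured challenge/response; return what happened."""
    # 1. Password: a long, complex password is still just a string to copy and paste.
    secret = "Tr0ub4dor&3-long-and-complicated"          # constructed sample
    pw_server = PasswordServer(secret)
    captured_password = secret                           # e.g. phished or cracked from a dump
    password_replay_ok = pw_server.login(captured_password)

    # 2. Device-bound factor: the attacker captures one full exchange on the wire.
    device_key = secrets.token_bytes(32)
    device, server = Authenticator(device_key), ChallengeServer(device_key)
    challenge = server.new_challenge()
    response = device.respond(challenge)
    first_login_ok = server.login(challenge, response)   # the legitimate login
    replay_ok = server.login(challenge, response)        # same bytes sent again
    later = server.new_challenge()
    stale_ok = server.login(later, response)             # old response to a new challenge

    return {
        "password_replay_accepted": password_replay_ok,
        "first_device_login_accepted": first_login_ok,
        "device_replay_accepted": replay_ok,
        "stale_response_accepted": stale_ok,
    }


if __name__ == "__main__":
    for name, value in replay_demo().items():
        print(f"{name}: {value}")
```

The captured password logs in as well as the original every time, whereas the captured challenge/response is rejected on replay and is useless against a new challenge: the attacker needs the device itself, not a copy of something the device once sent.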

The PIN can be that simple because apart from PIN, you actually need a local, physical device. So the bad actor would need to have both your PIN and your device to get through, which makes it twice as hard to obtain two factors than simply one.

But let’s say the bad actor has your device and wants to brute force your PIN. That’s why vendors impose a limit on how many attempts a user can make in a given hour or day.
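The unlock policy described in the biometric/PIN section above and in the last two paragraphs (a few biometric scans, then a forced PIN fallback, then an attempt limit with a lockout) can be written as a small state machine. The following is an added example, not code from the article or from any phone vendor; the limits (3 biometric scans, 5 PIN attempts, a 30-second lockout that doubles on each repeat) and the 0.80 match threshold are assumptions chosen for illustration. The `now` parameter is injectable so the lockout can be tested without waiting.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional


class DeviceUnlock:
    """Simulated phone-unlock policy (constructed example): limited biometric
    tries, then PIN only, with a PIN attempt limit and an escalating lockout."""

    BIOMETRIC_ATTEMPTS = 3          # failed scans allowed before the sensor is disabled
    PIN_ATTEMPTS_BEFORE_LOCK = 5    # wrong PINs allowed before a lockout starts
    LOCKOUT_SECONDS = 30.0          # first lockout length; doubles on each repeat

    def __init__(self, pin: str, match_threshold: float = 0.80):
        self._salt = secrets.token_bytes(16)
        self._pin_hash = self._hash_pin(pin)      # the plaintext PIN is never stored
        self._threshold = match_threshold
        self._biometric_failures = 0
        self._pin_failures = 0
        self._lockouts = 0
        self._locked_until = 0.0

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), self._salt, 100_000)

    def biometric_available(self) -> bool:
        return self._biometric_failures < self.BIOMETRIC_ATTEMPTS

    def try_biometric(self, match_score: float) -> str:
        """Returns 'unlocked', 'retry' or 'use_pin'."""
        if not self.biometric_available():
            return "use_pin"                      # sensor stays disabled until a correct PIN
        if match_score >= self._threshold:
            self._biometric_failures = 0
            return "unlocked"
        self._biometric_failures += 1
        return "retry" if self.biometric_available() else "use_pin"

    def try_pin(self, candidate: str, now: Optional[float] = None) -> str:
        """Returns 'unlocked', 'retry' or 'locked'."""
        now = time.monotonic() if now is None else now
        if now < self._locked_until:
            return "locked"                       # during lockout the PIN is not even checked
        if hmac.compare_digest(self._hash_pin(candidate), self._pin_hash):
            self._pin_failures = 0
            self._lockouts = 0
            self._biometric_failures = 0          # a correct PIN re-enables the sensor
            return "unlocked"
        self._pin_failures += 1
        if self._pin_failures >= self.PIN_ATTEMPTS_BEFORE_LOCK:
            self._pin_failures = 0
            self._locked_until = now + self.LOCKOUT_SECONDS * (2 ** self._lockouts)
            self._lockouts += 1                   # each further lockout lasts twice as long
            return "locked"
        return "retry"

    def lockout_remaining(self, now: Optional[float] = None) -> float:
        now = time.monotonic() if now is None else now
        return max(0.0, self._locked_until - now)


if __name__ == "__main__":
    phone = DeviceUnlock("2580")
    print([phone.try_biometric(s) for s in (0.55, 0.60, 0.70)])   # retry, retry, use_pin
    print([phone.try_pin("0000", now=0.0) for _ in range(5)])    # 4 x retry, then locked
    print(phone.try_pin("2580", now=10.0), phone.try_pin("2580", now=31.0))
```

Note that a correct PIN entered during the lockout is rejected just like a wrong one; the policy buys the attacker nothing by guessing faster, and the escalating lockout is what turns a 10,000-combination PIN into something that is not worth the attempt.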

There are other combinations of authenticators that are passwordless as well: a physical device that receives a text message, or a physical device combined with an email. Both are very widely used, but both offer limited security, as both your phone number and your email address can easily be compromised.

So, a passwordless future depends on what you call a password, really.

Is PIN a password as well?

Or, when vendors say passwordless, do they really mean a password… AND something else? In that case, every second-factor vendor is a passwordless solution.

The big benefit of 2FA for an everyday user is that if you’re using two-factor authentication, you don’t really need to think that much about making your password strong, as the second factor does the job for you. So it’s enough that you have some password, any password, and as long as the second factor is strong enough, it will be really hard (and discouraging) for an attacker to single you out as a potential victim.

How do you implement Passwordless authentication?

There are a lot of cybersecurity vendors who offer FIDO2 standards or some other form of strong authentication. Most of them do not need access to client credentials, so credentials can stay safely within the client’s infrastructure (no need to share any data with a third-party vendor). However, in most cases, implementing passwordless authentication across the entire company is hard or, many times, simply impossible.

There’s also a problem related to being tied to one method of authentication and unable to switch to a different one. If a company decides to go with one authentication method, it’s hard to shift to a different one when the need comes up. One of the best ways to tackle this is the user access security broker approach. A security broker allows organizations to deploy and scale any authentication method on any number of applications. You can start using passwordless on top of any app or any IAM that your company uses. The deployment is frictionless, and any authentication method can be swapped for any other at any time. You can order free tests of passwordless transformation with Secfense here. The test usually takes 7 days, and after the POV (proof of value), you will know exactly how your infrastructure will work with passwordless authentication. You can also book a 15-minute demo, and you will see how we add FIDO MFA to one of your apps in minutes, which is a first step to going fully passwordless.

Antoni takes care of all the marketing content that comes from Secfense.

Testimonials

We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that the User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.

Krzysztof Słotwiński

Business Continuity and Computer Security Officer

BNP Paribas Bank Poland

As part of the pre-implementation analysis, we verified that users utilize a wide range of client platforms: desktop computers, laptops, tablets, smartphones, and traditional mobile phones. Each of these devices differs in technological advancement, features, and level of security. Because of this, and also due to the recommendation of the Polish Financial Supervision Authority (UKNF), we decided to introduce additional protection in the form of multi-factor authentication mechanisms based on FIDO. As a result, users of our applications can log in safely, avoiding common cyber threats such as phishing, account takeover, and theft of their own and their clients’ data.

Marcin Bobruk

CEO

Sandis

We are excited to partner with Secfense to enhance our user access security for our web apps. By integrating their User Access Security Broker, we ensure seamless and secure protection for our applications and systems, delivering superior security and convenience to our customers.

Charm Abeywardana

IT & Infrastructure

Visium Networks

Before investing in Secfense, we had the opportunity to talk to its existing clients. Their reactions were unanimous: wow, it’s so easy to use. We were particularly impressed by the fact that implementing their solution does not require the involvement of IT developers. It gives Secfense a huge advantage over the competition, and at the same time opens the door to potential customers who so far were afraid of changes related to the implementation of multi-factor authentication solutions.

Mateusz Bodio

Managing Director

RKKVC

“Even when the network and infrastructure are secured enough, social engineering and passwords can be used to gain control of the system by attackers. Multifactor authentication is the current trend. Secfense addresses this and allows you to build zero trust security and upgrade your current systems to passwordless applications within minutes, solving this problem right away,” said Eduard Kučera, Partner at Presto Ventures and cybersecurity expert – former Director in hugely successful Czech multinational cyber security firm Avast.

Eduard Kučera

Partner

Presto Ventures

One of the biggest challenges the world is facing today is securing our identity online. That’s why we were so keen to have Secfense in our portfolio. They make it possible to introduce strong authentication in an automated way. Until now, organizations had to selectively protect applications because the deployment of new technology was very hard, or even impossible. With Secfense, the implementation of multi-factor authentication is no longer a problem, and all organizations can use the highest standards of authentication security.

Stanislav Ivanov

Founding Partner

Tera Ventures

Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.

Dariusz Pitala

Head of IT

MPEC S.A.