Replacing Passwords with Hardware-bound Authentication Through Smartphones

Posted June 21, 2022

Just over a year ago we wrote about the exciting advances in authentication that could propel the world towards a passwordless existence. These efforts toward strong authentication and eliminating passwords could severely limit the effects of phishing attacks and better protect system users while also eliminating the need to remember passwords. Reducing our reliance on passwords while also eliminating phishing within the enterprise removes two of the most prominent attack vectors.

Regular readers of this blog know that multi-Factor Authentication (MFA) increases account security by requiring multiple forms of verification to prove identity. Where passwords are a single means of authentication, MFA requires at least two pieces of evidence or factors in order to verify identity. MFA uses any combination of authentication factors across three factor types:

1) Something the user knows

2) Something the user has

3) Something the user is

Combining the security benefits of MFA with the recent standards proposed by the FIDO Alliance and the W3C WebAuthn community will markedly improve the usability and deployability of secure authentication mechanisms.

Traditionally, MFA solutions that included hardware-bound authentication (something the user has) provided the highest level of authenticator assurance level (AAL). Examples of hardware-bound authentication are often found in government secure locations where employees use Personal Identity Verification (PIV) or other kinds of smart cards as part of their authentication. Combined with biometrics and a username, MFA utilizing smart cards or hardware tokens covers all three MFA factor types and provides the highest level of security. But there is always a tradeoff to strong security — often resulting in less accessibility and/or ease of use. The lack of wide distribution of smart cards and their readers limits their use. Think about needing to log in on a public device where there is no card reader — you essentially have no access.

In a joint effort to make hardware-bound authentication more secure and usable for all, Apple, Google, and Microsoft recently announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. This new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

“The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies is the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers. At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”

Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency.

The FIDO and WebAuthn standards that will now be built into all major web browsers will enable low-cost deployments of authentication mechanisms with very high assurance levels. As adoption progresses, an attractive alternative to traditional smart card authentication will be widely available and high-assurance authentication in the consumer space will become a reality. Users will now be able to merely unlock their smartphones to sign in to websites or online services. And by utilizing smartphone location services, device proximity requirements can also reduce the effects of MFA prompt bombing attacks. We may not be ready to say goodbye to passwords once and for all, but the world is taking a very large step in that direction. Contact us to learn more about how strong authentication can help secure your data and critical infrastructure.

Kyle Vinar

Kyle Vinar is Partner / President of Verus Corporation. He oversees all business operations and coaches Verus teams to continually improve on their solutions from client experience to product development and overall solution implementation. He works with all Verus resources to increase efficiencies and excellence in every aspect of their organizational roles. Kyle believes that people are the last real competitive edge that a company can have and constructing a rich culture is a vital step in running a world-class organization. Therefore he strives to create a culture within Verus that allows everyone to show up authentically and grow both personally and professionally, which in turn allows Verus Corp team members to provide clients with top-of-the-line service. Kyle helps balance strategy, capacity, and culture in such a way that has allowed Verus Corp to achieve exponential growth since he joined the company in 2013. One of Kyle’s greatest professional achievements has been in helping lay the foundation upon which Verus Corporation could be named the 2nd Best Place to Work by the Minneapolis/St. Paul Business Journal. Kyle holds a Bachelor of Science in Marketing from St. Cloud State University. He lives in Champlin with his wife and 3 children. He has enjoyed volunteering as a soccer coach for over 6 years and was the former Director of Coaching for Rebels Soccer Club. If Kyle isn’t on the sidelines of one of his children’s soccer games or in the audience of his eldest’s musicals, he can often be found cruising scenic routes on his Harley, in a deer stand, or on the golf course.