Replacing Passwords with Hardware-bound Authentication Through Smartphones
Just over a year ago we wrote about the exciting advances in authentication that could propel the world towards a passwordless existence. These efforts toward strong authentication and eliminating passwords could severely limit the effects of phishing attacks and better protect system users while also eliminating the need to remember passwords. Reducing our reliance on passwords while also eliminating phishing within the enterprise removes two of the most prominent attack vectors.
Regular readers of this blog know that Multi-Factor Authentication (MFA) increases account security by requiring multiple forms of verification to prove identity. Where a password is a single means of authentication, MFA requires at least two pieces of evidence, or factors, in order to verify identity. MFA uses any combination of authentication factors across three factor types:
1) Something the user knows
2) Something the user has
3) Something the user is
Combining the security benefits of MFA with the recent standards proposed by the FIDO Alliance and the W3C WebAuthn community will markedly improve the usability and deployability of secure authentication mechanisms.
Traditionally, MFA solutions that included hardware-bound authentication (something the user has) provided the highest authenticator assurance level (AAL). Examples of hardware-bound authentication are often found in government secure locations where employees use Personal Identity Verification (PIV) or other kinds of smart cards as part of their authentication. Combined with biometrics and a username, MFA utilizing smart cards or hardware tokens covers all three MFA factor types and provides the highest level of security. But there is always a tradeoff to strong security — often resulting in less accessibility and/or ease of use. The limited distribution of smart cards and their readers restricts their use. Think about needing to log in on a public device where there is no card reader — you essentially have no access.
In a joint effort to make hardware-bound authentication more secure and usable for all, Apple, Google, and Microsoft recently announced plans to expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. This new capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.
“The standards developed by the FIDO Alliance and World Wide Web Consortium and being led in practice by these innovative companies are the type of forward-leaning thinking that will ultimately keep the American people safer online. I applaud the commitment of our private sector partners to open standards that add flexibility for the service providers and a better user experience for customers. At CISA, we are working to raise the cybersecurity baseline for all Americans. Today is an important milestone in the security journey to encourage built-in security best practices and help us move beyond passwords. Cyber is a team sport, and we’re pleased to continue our collaboration.”
Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency.
The FIDO and WebAuthn standards that will now be built into all major web browsers will enable low-cost deployments of authentication mechanisms with very high assurance levels. As adoption progresses, an attractive alternative to traditional smart card authentication will be widely available and high-assurance authentication in the consumer space will become a reality. Users will now be able to merely unlock their smartphones to sign in to websites or online services. And by utilizing smartphone location services, device proximity requirements can also reduce the effects of MFA prompt bombing attacks. We may not be ready to say goodbye to passwords once and for all, but the world is taking a very large step in that direction. Contact us to learn more about how strong authentication can help secure your data and critical infrastructure.
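The smartphone sign-in described above, as an added example that is not code from the original post, the FIDO Alliance or the W3C: a Go simulation of the WebAuthn assertion ("get") ceremony together with the relying party's verification checks. The relying-party identity login.example, the look-alike origin phish.test, the fixed challenge and the simplified in-memory authenticator are all constructed for the example; a real deployment uses the browser's navigator.credentials API and a maintained WebAuthn library rather than this hand-rolled verifier.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed relying-party identity for this example (not a real site).
const rpID, rpOrigin = "login.example", "https://login.example"
func rpIDHash() []byte { h := sha256.Sum256([]byte(rpID)); return h[:] }

// clientData holds the CollectedClientData fields the checks below need.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct{ AuthData, ClientDataJSON, Signature []byte }

// Authenticator stands in for the phone's secure hardware: the private key never leaves it.
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	signCount uint32
}

func NewAuthenticator() *Authenticator {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: k}
}

// PublicKey is the only thing exported; the relying party stores it at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }
// signedMessage is the WebAuthn signing input: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign models the "get" ceremony: the browser records the origin it is really on; the
// authenticator binds the RP ID hash, sets the UP/UV flags and bumps its counter.
func (a *Authenticator) Sign(origin string, challenge []byte, userVerified bool) Assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Origin: origin,
		Challenge: base64.RawURLEncoding.EncodeToString(challenge)})
	a.signCount++
	flags := byte(0x01) // UP: user present
	if userVerified {
		flags |= 0x04 // UV: unlocked with PIN or biometric
	}
	auth := append(rpIDHash(), flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(auth[33:], a.signCount)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(auth, cd))
	if err != nil {
		panic(err)
	}
	return Assertion{AuthData: auth, ClientDataJSON: cd, Signature: sig}
}

// Verify applies the relying party's checks and returns the new counter value to store.
func Verify(pub *ecdsa.PublicKey, challenge []byte, lastCount uint32, requireUV bool, a Assertion) (uint32, error) {
	var cd clientData
	switch {
	case json.Unmarshal(a.ClientDataJSON, &cd) != nil:
		return 0, errors.New("client data is not valid JSON")
	case cd.Type != "webauthn.get":
		return 0, errors.New("wrong ceremony type")
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return 0, errors.New("challenge mismatch (replayed assertion?)")
	case cd.Origin != rpOrigin: // the phishing check: a look-alike site cannot forge this
		return 0, errors.New("origin mismatch: " + cd.Origin)
	case len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpIDHash()):
		return 0, errors.New("authenticator data malformed or issued for another RP")
	case a.AuthData[32]&0x01 == 0 || (requireUV && a.AuthData[32]&0x04 == 0):
		return 0, errors.New("required user presence/verification flag not set")
	case binary.BigEndian.Uint32(a.AuthData[33:37]) <= lastCount:
		return 0, errors.New("signature counter did not increase (cloned authenticator?)")
	case !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature):
		return 0, errors.New("signature does not verify under the registered key")
	}
	return binary.BigEndian.Uint32(a.AuthData[33:37]), nil
}

func main() {
	auth, challenge := NewAuthenticator(), make([]byte, 32)
	rand.Read(challenge) // the RP picks a fresh random challenge per sign-in
	count, err := Verify(auth.PublicKey(), challenge, 0, true, auth.Sign(rpOrigin, challenge, true))
	fmt.Println("genuine sign-in: counter", count, "err", err)
	// Same phone and key, but the page came from a constructed look-alike origin.
	_, err = Verify(auth.PublicKey(), challenge, count, true, auth.Sign("https://phish.test", challenge, true))
	fmt.Println("look-alike origin:", err)
}
```

Two points the paragraph above does not make explicit are visible in the code. First, the hardware binding is structural: nothing the relying party stores or the network carries can produce a signature, because only the Authenticator holds priv, and every signature also covers the RP ID hash and the origin the browser actually observed, which is why the look-alike page is rejected even though the user unlocked the same phone (in a real browser the ceremony fails earlier still, since the RP ID must match the page's domain; the server-side origin check is defence in depth). Second, the strictly increasing signature counter is the relying party's cheapest signal that a credential may have been cloned; some synced passkey implementations always report a zero counter, so production verifiers follow the spec's rule of skipping the comparison only when both the stored and the presented value are zero, which this simplified example does not do.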