24 Mar, 2020 | 3 min read

Passwordless: The Death of Passwords!

  • Sachini Wettasinghe
  • Job Title - WSO2

Passwords are called “shared secrets” that actually cannot be kept as secrets. Although there are numerous ways to provide authentication, passwords are still the most commonly used method. However, passwords are vulnerable to a vast variety of attacks—such as brute force attacks, replay attacks, social engineering, phishing, or malware.

The evolution of passwordless authentication

To prevent breaches, users are typically encouraged to enter passwords that are unique, long, and complex, with combinations of letters, numbers, and special characters. On top of this, it is also recommended to change passwords from time to time. But, with the number of accounts that one person would have to maintain, it is not feasible for him or her to remember a large number of passwords, which ultimately exacerbates their frustration.

Then came the multi-factor authentication and adaptive authentication for the rescue. However, few users enable these features, mostly owing to lack of knowledge or the number of steps and complexity involved in activating these. Security breaches, where attackers bypassed multi-factor authentication via phishing attacks, have not helped either. Although these security measures have reduced the risk of using passwords alone, passwords still remain the weakest link.

Then, FIDO2 introduced Passwordless Authentication! Now, we can finally pay our condolences to passwords.

What is passwordless authentication with FIDO2?

FIDO2 is a phishing-proof passwordless authentication protocol developed as a joint effort between the FIDO Alliance’s Client-to-Authenticator Protocol (CTAP) specification and the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification. FIDO2 offers a single-factor passwordless sign-in experience, which eliminates the hassle of remembering and typing usernames and passwords. Utilizing public-key cryptography, FIDO2 has replaced passwords with biometrics/plug-in authenticators/security keys to help create a better user experience.

An authentication flow with passwords

What happens in traditional credential management is that a password is created and stored in a server (relying party) during the signup or registration process. So, when it comes to the login or authentication process, the relying party matches the password given by the end-user against the previously stored password. But, FIDO2 has eliminated this model of storing user credentials in a server, whereas it makes sure that the cryptographic login credentials never leave the user’s device and are never stored on a server. This security model has eradicated all sorts of password theft and the risk of phishing attacks.

A passwordless authentication flow

How does it work

Let’s dive into how FIDO2 uses asymmetric cryptography to authenticate users in a passwordless manner. The three main factors that drive this whole process are:

  • The FIDO2 authenticator (biometrics, security keys, smartphone, etc.)
  • The client or browser that operates as the mediator
  • The relying party

There are two flows in FIDO2: registration, and authentication. In the registration flow, a relying party-specific credential key pair (private key and a public key) is generated in the authenticator. From this key pair, the public key is sent over to the relying party and the private key never leaves the authenticator. In the authentication flow, the user makes the request to login, when the user is prompted to provide a pin or biometric. This triggers the authenticator to send an assertion to prove that the user possesses the private key. Then, the relying party validates the assertion with the public key, such that it will allow the user to login upon successful validation. The most salient factor that enables passwordless authentication with FIDO2 is the concept of Client-side-resident Public Key Credential Source or the Resident Key, which is/are stored on the authenticator instead of being encrypted and stored on a server.

Ensuring user-friendly authentication leads to customer satisfaction, and, within this context, passwordless authentication is of paramount importance to build CIAM solutions. Now, you can try out passwordless authentication using FIDO2 with WSO2 Identity Server 5.10.0. With a one-step registration, within a few seconds, you can enable passwordless authentication to your websites and applications, replacing passwords that are going obsolete. All you need to have is an authenticator that supports resident keys.

So, now it’s time to say goodbye to passwords!

Please do comment below for any questions or clarifications.