The Future of Passwordless Authentication
- Ashen Weerathunga
- Associate Technical Lead - WSO2
Do you recall what your first password was? It was probably something simple that you could remember easily, such as your birthdate or the name of your pet. However, as you created additional online accounts, your passwords grew more complex and harder to remember. It's a problem that many people face. As a result, many of us tend to reuse passwords across many accounts, exposing our personal information to theft.
According to DataProt, the following are some interesting statistics about passwords:
- 90% of internet users are worried about getting their passwords hacked
- 53% of people rely on their memory to manage passwords
- 51% of people use the same passwords for both work and personal accounts
- 57% of people who have already been scammed in phishing attacks still haven’t changed their passwords
- The password “123456” is still used by 23 million account holders.
For these reasons, it’s important to think about additional ways to enhance the security of your personal accounts rather than depending only on passwords.
In the early days, additional hardware devices such as smart cards were required if you wanted stronger security than password authentication alone. Now that smartphones have become ubiquitous, there is no need for such additional hardware to improve the security of consumer accounts. Thanks to smartphones, SMS OTP, TOTP, and push notifications have been widely used as second-factor authentication mechanisms, which provide more protection than traditional password authentication. Still, those options are not considered phishing resistant.
The FIDO Alliance and the W3C WebAuthn community have been working for around a decade on addressing these problems while providing a better user experience with passwordless authentication. In March 2022 they published a white paper with a proposal on how to address the full range of use cases with FIDO. It explains the organization’s vision for solving the usability and deployability limitations that prevented the wide adoption of FIDO passwordless authentication, especially in the consumer space. Despite many challenges along the way, it looks like the industry is finally coming together to end the use of passwords.
How FIDO Addresses a Full Range of Use Cases
The organization has proposed two approaches to achieve its mission of helping to “reduce the world’s over-reliance on passwords.”
Use your mobile phone as a roaming authenticator:
The proposed additions to the FIDO WebAuthn standards define a protocol that uses Bluetooth to communicate between the user’s phone and the device they are trying to authenticate to. Bluetooth requires physical proximity, which means we now have a phishing-resistant way to use the user’s phone during authentication. This is a big deal because it means that two-factor authentication can be made more secure without requiring users to carry around an additional piece of hardware. With this change, we can expect much more widespread adoption of FIDO in the consumer space. It can also be used to upgrade existing two-factor deployments that currently use the user’s phone as a second factor to a higher security level.
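The phishing resistance described above comes from the relying party (RP) checking that an assertion was produced for its own origin and RP ID, which a lookalike site cannot satisfy because the browser binds the RP ID to the page's origin. The following added Python example (not from the article or the FIDO Alliance) shows those RP-side checks over a constructed clientDataJSON and authenticatorData; the hypothetical RP login.example.com is an assumption, and signature verification over authenticatorData || SHA-256(clientDataJSON) is deliberately left out.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                    # assumption: hypothetical RP ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumption: hypothetical RP origin


def b64url_decode(data: str) -> bytes:
    """WebAuthn uses unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes) -> tuple:
    """Origin-binding checks of a WebAuthn 'get' ceremony. Returns (ok, reason).
    A real RP must additionally verify the authenticator's signature."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or stale request)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not the RP's origin"
    # authenticatorData layout: rpIdHash (32) | flags (1) | signCount (4) | ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match RP ID"
    if not authenticator_data[32] & 0x01:  # UP bit: user presence was tested
        return False, "user presence flag not set"
    return True, "ok"


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> tuple:
    """Constructed sample data standing in for what browser + authenticator return."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    # rpIdHash, flags 0x05 (UP | UV), signCount 1
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
    return client_data, auth_data


CHALLENGE = b"\x01" * 32  # constructed; a real RP draws a fresh random challenge per request

if __name__ == "__main__":
    print(verify_assertion(*make_assertion(EXPECTED_ORIGIN, RP_ID, CHALLENGE), CHALLENGE))
    # An assertion obtained on a lookalike phishing origin is rejected by the RP.
    print(verify_assertion(*make_assertion("https://login-example.com", "login-example.com", CHALLENGE), CHALLENGE))
```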
Multi-device FIDO credentials:
This is about providing better support for platform authenticator implementations by syncing FIDO credentials between a user’s devices. If the user loses their phone or gets a new one, all the existing FIDO credentials should be synced to the new phone. This removes the need to re-register the device and create new FIDO credentials, which is a significant usability burden for users. It’s not a change to the FIDO specification itself but rather a change expected from FIDO platform authenticator vendors such as Apple, Google, and Microsoft.
Where are we now?
The changes suggested by the FIDO Alliance are still in the proposal stage. However, most vendors already have the technologies that can potentially be used to implement the proposed changes.
Apple announced a similar technology at the WWDC21 event called Passkeys in iCloud Keychain, which is based on the FIDO WebAuthn standard. It will help achieve the multi-device FIDO credential syncing functionality that the FIDO Alliance has proposed.
Under the FIDO proposal, when you want to log in to an application on your Mac, it would check that your iPhone or Apple Watch is within Bluetooth range and then let you log in to the application without additional actions.
Google also supports using your phone’s built-in security key to sign in to Google apps. It uses Bluetooth and GPS to determine proximity to make it phishing resistant, and it’s built on top of the FIDO WebAuthn standards.
Microsoft is also working on "Windows Hello," enabling a passwordless experience that adheres to the FIDO WebAuthn standards. With Windows Hello, users can sign in to their devices and apps using a PIN or biometric authentication factors such as fingerprint or facial recognition.
Along with these vendors, it’s exciting to see all the major browsers, including Chrome, Firefox, Safari, and Edge, moving towards full support for this specification, which will be required to fill the gaps and accelerate the adoption of FIDO passwordless authentication in the consumer space.
It’s clear that the industry is slowly but surely moving away from passwords and towards stronger security measures. The FIDO Alliance is trying to set the standards that will be important for the broader adoption of passwordless technology.
The latest proposal by the FIDO Alliance is a step in the right direction to overcome existing limitations. With support for mobile phones as roaming authenticators and credential syncing, the full range of use cases can be better supported and adopted.
The future of authentication is moving beyond just passwords. With big players such as Google, Microsoft, and Apple supporting the standard, we believe that the potential for FIDO surpasses traditional two-factor authentication mechanisms such as SMS OTP, TOTP, and push notifications.
With a better user experience and the increasing demand for stronger security, it’s only a matter of time until FIDO2 becomes the new standard in online authentication. Have you started preparing for the switch?