Celebrate World Password Day by Eliminating Passwords
Chris Collier, Technology Advocate for Identity and Access Management, HYPR
13 Min. Read | May 5, 2022
Intel created World Password Day, observed on the first Thursday of May, in 2013 to raise awareness of the critical need to secure passwords. The reason is simple: most applications and operating systems provide a reliable but inefficient way to manage and store passwords. And of course, passwords are insecure by nature.
Many people observe World Password Day by campaigning for stronger passwords, or even ceremoniously resetting passwords, but what if we celebrated this day by considering a future without passwords?
Intel blog: "While World Password-less Login Day doesn’t have the same ring to it as World Password day, eliminating passwords completely is not only more convenient — it’s more secure."
So how close are we to making it World PasswordLESS Day?
Identity Federation and SSO
Identity federation and single sign-on (SSO) address the password problem by focusing on reducing the number of passwords that users need to manage. While these efforts have been wildly successful, they often rely on a “master” password, typically an authoritative credential that holds the power to unlock access to a multitude of other applications.
This naturally led to the introduction of longer, more complex password policies and introduced the world to “Log in with ____,” as well as multi-factor authentication (MFA) as an additional layer of security for these applications.
The MFA Explosion
As of 2022, MFA is so commonplace that virtually every computer user has received an SMS text message with a one-time password. Many other users have installed various free authentication apps on their smartphones from vendors such as Google or Microsoft. Many users enable MFA voluntarily to protect certain applications that contain personal information or provide access to financial accounts. For more sensitive applications, providers may actually require users to perform MFA whether voluntarily or not — this was the approach taken by Salesforce.
While MFA is a far more secure option than passwords alone, as technologies continue to evolve, there is growing demand to reduce and eventually eliminate the use of passwords altogether. These technologies may also play very well together in support of the many different use cases that workforce users and customers face.
Fortunately for mobile applications, developers can easily replace password logins with TouchID, FaceID, TrustedFace and other biometric authentication methods.
So, it sounds like the problem is solved, right? Well, not quite.
Security improves to a degree, but usability and productivity can suffer. I expect that most readers have experienced usability challenges with at least one of the common methods below:
- Hardware and software OTP tokens
- Email and SMS OTP
- Push Notifications (out-of-band)
As I stated above, with 19 authentication apps on my phone, it’s obvious that this technology is prevalent, and I’m sure that I could install another 19 authentication apps by tomorrow.
The issue that I have with this, personally, is that even if I were to use 100 authentication apps, I know for a fact that I can’t retire 100 passwords.
MFA Still Leaves Security Gaps
Over 90% of all cyber attacks are built to exploit user error or behavior. This includes attack attempts exploiting user negligence or malicious acts, which are on the rise. These attacks make up two-thirds of attacks and are most commonly caused by users mismanaging or losing their laptop computers. Users can be trained to identify common attack vectors, and training is a very important contributor to reducing risk; however, passwords and MFA methods that use shared secrets can still be compromised through phishing, man-in-the-middle and other attacks. Moreover, hackers are increasingly targeting MFA methods. For example, push attacks increased by 33% last year.
What Is Passwordless Authentication?
We’ve discussed the problem and it’s exhausting, so let’s move on to the solution. As the name suggests, passwordless login methods do not rely on a static password to be remembered by the user and the application or system. Instead several techniques can be implemented based on one or more of the following standards.
FIDO2 is a technology standard that is based on public key cryptography, which allows for user authentication to be performed using a smartphone, smart key or platform authenticator. Regardless of the authenticator leveraged, the authentication process is performed between the user and the device. The device communicates the authentication result with a Relying Party, which does not require a user password to be stored on any infrastructure. While the Relying Party must maintain the user’s public keys, which are required to validate the user and device, this public key does not represent a credential that could be used to impersonate a user; in fact, public keys are intended to be shared by design.
As the name implies, FIDO2 is on its second major iteration. This version is designed to accelerate adoption for workforce and consumer use cases and includes two major components (protocols), WebAuthn and CTAP. These protocols are already embedded in the Windows operating systems, as well as supported natively by Google Chrome, Microsoft Edge, Safari and other major web browsers. In addition, iOS and Android devices provide hardware that performs biometric authentication using a fingerprint or using the front-facing camera for facial biometric identification. Further, the proliferation of TPM components on Mac and Windows laptops, combined with embedded fingerprint readers, allows a large number of laptop computers to support these protocols out-of-the-box.
Let’s briefly discuss these protocols to better understand what each provides.
CTAP (Client to Authenticator Protocol) provides a secure communication channel between a browser and the authenticator device. Before the FIDO2 CTAP protocol was available, there were no secure protocols or policies to enable secure communication between web applications and services and local hardware (defined as a “roaming authenticator”), such as a security key. With Microsoft, Google and Apple adopting the CTAP standard, compatibility across those browsers is essentially integrated and productized. This allows IT professionals to focus entirely on the roaming authenticator compatibility, which should also be a straightforward process, as the FIDO Alliance oversees conformance and formal certification testing for hardware vendors.
I should mention that CTAP is not required to securely communicate with smartphones and platform authenticators. The CTAP standard is most commonly associated with the use of USB and NFC devices.
Ok, so now that we removed the burden of allowing the browser to communicate with a roaming authenticator, what about everything else?
WebAuthn is the API standard that enables secure communication between the authentication device and the Relying Party (the application or service requiring authentication) without requiring the device information to be known by the Relying Party. In the context of WebAuthn, the authentication devices include platform authenticators and smartphones in addition to USB and NFC smart keys. WebAuthn is designed to transport the authentication status of the user after the user has performed a successful biometric authentication on the device, by releasing the authentication request that has been signed by the user’s private key stored on that device. From there, it’s standard cryptographic verification: the Relying Party validates the signature against the public key that it stores for that user.
WebAuthn is the core component to eliminate the need to share a secret with the system or application. This standard is based entirely on authentication using PKI and provides the mechanisms to eliminate the need for all shared secrets. Like CTAP, this API is supported by all major web browsers, to simplify adoption and integration with your applications.
The WebAuthn APIs are implemented through updates to the application’s login and registration forms on your website. HYPR provides the remaining elements to support the new passwordless login flow.
Visit the FIDO Alliance website to learn more about the technical details of the CTAP and WebAuthn standards.
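The Relying Party verification described above, as an added example that is not HYPR's or the FIDO Alliance's code: a simplified Node.js check of a signed WebAuthn-style assertion, showing why a stored public key plus origin binding rejects stale, look-alike-site, tampered and reused responses. The host names, the `signAssertion` and `verifyAssertion` helpers and the fixed 37-byte authenticator data are assumptions for illustration.

```javascript
// Added example (not HYPR or FIDO Alliance code): simplified WebAuthn-style assertion check.
const crypto = require("node:crypto");
const RP_ID = "login.example.test", RP_ORIGIN = `https://${RP_ID}`;   // hypothetical Relying Party
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Authenticator + browser side (constructed). Simplification: RP ID = host of the page's origin.
function signAssertion(privateKey, origin, challenge, counter) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  const authData = Buffer.alloc(37);              // rpIdHash(32) | flags(1) | signCount(4)
  sha256(new URL(origin).hostname).copy(authData, 0);
  authData[32] = 0x05;                            // user present (0x01) + user verified (0x04)
  authData.writeUInt32BE(counter, 33);
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Relying Party side: only a public key and a counter are stored, no shared secret.
function verifyAssertion(cred, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "wrong-type";
  if (client.challenge !== expectedChallenge.toString("base64url")) return "challenge-mismatch";
  if (client.origin !== RP_ORIGIN) return "origin-mismatch";          // signed on another site
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return "rpid-mismatch";
  if ((a.authData[32] & 0x01) === 0) return "user-not-present";
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  if (!crypto.verify("sha256", signed, cred.publicKey, a.signature)) return "bad-signature";
  const count = a.authData.readUInt32BE(33);
  if ((count || cred.signCount) && count <= cred.signCount) return "counter-regression";
  cred.signCount = count;
  return "ok";
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const cred = { publicKey, signCount: 0 };
  const challenge = crypto.randomBytes(32);
  const genuine = signAssertion(privateKey, RP_ORIGIN, challenge, 1);
  const lookalike = signAssertion(privateKey, "https://login.example-test.invalid", challenge, 2);
  const tampered = { ...genuine, authData: Buffer.from(genuine.authData) };
  tampered.authData.writeUInt32BE(9, 33);         // signed bytes edited in transit
  return {
    genuine: verifyAssertion(cred, challenge, genuine),
    staleChallenge: verifyAssertion(cred, crypto.randomBytes(32), genuine),
    lookalike: verifyAssertion(cred, challenge, lookalike),
    tampered: verifyAssertion(cred, challenge, tampered),
    reused: verifyAssertion(cred, challenge, genuine),
  };
}
console.log(demo());
```

A production Relying Party would also parse attestation and COSE key formats and enforce single-use challenges, which a maintained WebAuthn library handles.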
PKI Smart Card & Smart Key
I’m not going to go into great detail about smart card login (or certificate based login), as this technology has been available for years. Windows natively supports smart card login for domain-joined systems and there are millions of users worldwide. There is no controversy over this passwordless login method, which involves a private key stored on a chip that is accessible by providing a PIN and signing login requests to a Windows domain controller. For macOS, there is a similar workflow. In the end, a user inserts a card, types a PIN, and gains access to a system without a password or any shared secret.
Not quite. The expense of purchasing, printing, issuing, replacing and managing smart cards causes a tremendous amount of hesitation among IT professionals. This method is extremely secure, and extremely difficult and expensive. But, since I am not writing this as an effort to focus on the negative aspects of MFA, I want to focus on the benefits of adopting smart card authentication, but with a twist…no cards, no readers, no CMS, no expensive printers and supplies and none of the other headaches associated with sourcing smartcards (and believe me, it’s not as simple or quick as you would expect).
If you are considering a smartcard project, and you want to know what it’s REALLY like, feel free to send me an email: firstname.lastname@example.org; I’ll gladly have a conversation with you about the process and save you a significant amount of time and money. Remember that I’m not anti-smartcard; I simply can’t recommend their usage anymore for non-military workforce users or consumers.
Why do I care? Well I’ve made a career out of IAM and MFA, and one of my colleagues reminded me a short time ago of something that I said to him during his interview. I was quoted as saying “I want to put a smart card into the hands of every person”. Thankfully, that work was done for me. You have one, your boss has one, your spouse has one, and I would not be surprised if your children have one. If you haven’t guessed by now, it’s your smartphone. All modern smartphones provide the ability to function as a smart card, when the right technology is in place to leverage this functionality.
HYPR has bridged the gap from smartcard to smartphone to enable the world to take advantage of this capability. HYPR’s passwordless MFA (PMFA) platform removes the dependency on passwords for login to Windows, MacOS and Linux. Further, HYPR and our partners can deliver this same functionality using smart keys. Smart keys are not only capable of functioning as a FIDO2 device, but they also provide a standard PC/SC smartcard interface and Windows compatible mini-driver to function as a smartcard AND smartcard reader for domain login to Windows. This approach reduces costs significantly, and allows for the HYPR platform to support smartphones and keys simultaneously, using common infrastructure.
A Step Even Further — QR Codes
A NEW authentication method is gaining popularity and involves acquiring a credential during the login process itself. This is performed by generating a dynamic, short-lived code that the user can scan with a smartphone. The use of QR Codes is a growing trend that not only creates a simple user experience, but also eliminates man-in-the-middle attacks, reduces vulnerability to phishing attacks and satisfies certain use cases where FIDO2 authentication is not an ideal fit. QR code authentication can leverage FIDO2, but is not limited to the FIDO standard; in addition, authorization standards such as SAML and OIDC can still be leveraged as credentials once authentication has succeeded.
Where would QR Code authentication be beneficial? A few common scenarios involve systems that are highly restrictive due to the specific nature of their usage or configuration. Even IoT devices such as televisions and terminals such as ATMs could potentially adopt this authentication approach. HYPR currently leverages QR Code authentication for workstation login, SSO portal login and direct integration with web applications, but I fully expect the use cases to expand.
QR codes can be scanned by any smartphone camera using a feature within a native mobile application. When the QR scanning functionality is embedded within a Relying Party’s mobile app, phishing attacks are virtually eliminated as only valid QR Codes are accepted within the application. When implemented using FIDO2 to authenticate to the applications, any phishing attack would be detected and rejected, even if the user scans a counterfeit code. This also ensures a seamless user experience, as users can scan, accept and authenticate the entire process from within the mobile application.
NOTE: integration of QR Code authentication does not depend on the presence or modification of an application on a smartphone, as standard cameras can also be used if the application design supports this.
This topic requires a dedicated article and more to expand awareness of how this technology is being developed to contribute to passwordless authentication. I’m tempted to make the claim that this was an accidental discovery, but I use this technology every day, and I am confident that it will become a disruptive technology (that’s a GOOD thing) in the immediate future.
If you agree with my opinion, or you want to engage in supporting this effort, I suggest that you follow and/or engage the OASIS Technical Committee.
The OASIS Technical Committee was created to design and standardize passwordless implementation and integration to make adoption easier. The committee is also defining the terminology to help explain and educate what passwordless authentication means, and what qualifies as a true passwordless experience. Standardization will greatly improve the security of the solutions that developers are creating with passwordless login via QR Code in mind.
Choosing a Standard…or Not
The technologies described in this article are not mutually exclusive. While they are not necessarily inter-compatible on their own, technology pioneers such as HYPR are combining them into a single platform that enables the adoption of passwordless protocols and standards, so that the right combination can be implemented to achieve a common goal.
Becoming fully passwordless is achievable, but it’s probably not going to happen all at once. If we go back to the beginning of this article, there are common steps that have already been taken to reduce the number of passwords that users must remember. If your organization has adopted a SAML SSO platform and/or an OIDC federation technology and/or a multi-factor authentication platform, then you are on the right track.
HYPR can help close the gap to truly passwordless authentication from the desktop to the application. It’s not any single protocol, biometric method, login method or device, but the most effective combination of all of those. These technologies deserve serious consideration along with other IAM strategies to ensure that the ultimate result is a true passwordless environment that can be celebrated on World Password Day.
If we can eliminate Daylight Savings Time, then we can eliminate passwords, and on the first Thursday in May, 2023, we can celebrate World PasswordLESS Day.
Just for Fun:
Some of the most interesting facts about World Password Day* include:
- 1961 marked the year when the Massachusetts Institute of Technology (MIT) created the computer password. This made it possible for multiple people to use a shared computer system.
- In 1976, public-key cryptography was created to enable users to authenticate each other without exchanging a cryptographic key.
- A study done by Morris and Thompson in 1978 demonstrated that it is easier to guess passwords through personal information than it is to decipher them.
- 1986 marked the year when two-factor authentication was adopted.