A Passwordless Future: Part 2
In Part 1 of our series, we talked about the world’s desire to eliminate passwords and how smartphone providers have contributed to getting us closer to this goal through the use of biometrics. In this post, we’ll take a look at the importance of industry standards.
Until recently, there was no easy way to use biometrics to ditch passwords unless you were willing to endure tedious efforts to retrofit your application. Even when biometric sensors became more ubiquitous, there was a huge gap between the sensor and the applications that needed to use it for login. You would potentially need to build integrations for each biometric sensor on each platform for every application, as there was no standard to tie them together.
Even as smartphone vendors rolled out biometric authentication experiences on their devices, there was still a password in the background that was used to authenticate to applications and services. The smartphone vendors used a sleight of hand, where they would store usernames, PINs, and passwords in the device’s secure element and “replay” them to applications on demand after biometrics unlocked the secure element. Although the experience was more convenient for the user, the password was still there for hackers to exploit. What the industry needed was a universal passwordless standard that could be used by every application.
FIDO leads the march toward a passwordless future
Now, with the help of its member community of identity, security, and biometrics experts, the FIDO Alliance has developed and promoted free, open standards that have taken passwordless authentication to the next level, so it can be more easily adopted.
In 2018, FIDO adopted the WebAuthn specification created by the World Wide Web Consortium (W3C) as part of its FIDO2 standard. This provides an application programming interface (API) that can be easily implemented on any website or service and can communicate directly with a browser like Google Chrome, Microsoft Edge or Apple Safari to initiate FIDO-based authentication. This democratized passwordless authentication in a significant way.
These specifications are designed to delegate authentication to endpoints like mobile phones or computers. And the specifications are agnostic when it comes to the actual modality used for authentication. They can even work in mixed environments, where one user may be authenticating with facial recognition, another with an optical code, and yet another with a thumbprint.
FIDO has already established a foothold among technology leaders. In fact, Apple recently joined the FIDO Alliance and holds a seat on the board. Other leading organizations that are members include Amazon, ARM, Facebook, Google, Intel, Microsoft, Mastercard, PayPal, Samsung, Visa, and VMware. Apple MacBooks with the Touch ID recognition feature have integrated FIDO.¹ And Samsung has already shipped devices where the biometric sensor is FIDO-enabled. Thanks to FIDO and WebAuthn, application owners can finally remove the password completely.
How FIDO’s distributed approach differs from a centralized approach
Let’s take a deeper look at how FIDO and WebAuthn differ from traditional approaches to biometrics and passwordless authentication.
In the past, biometric data would be sent to a server, processed, and then stored as minutiae points, which were mapped to the biometric scan. Every time a person would present their iris or thumbprint to access a device, the stored data would be used to confirm a match and then grant access. The upside to this method is that the minutiae points were typically meaningful only to the biometrics system, so cybercriminals could not steal the minutiae points and recreate a thumbprint or iris. The downside was that people were uncomfortable with the centralized storage of their biometrics.
FIDO and WebAuthn, on the other hand, work by decoupling the biometric information used to authenticate from the app a person wants to access. WebAuthn introduces the concept of “authenticators” that can roam. They can move between computers by using USB, near-field communication (NFC), or Bluetooth, or between platforms, as they are built into the operating system. Authentication can be as simple as an action that proves that a person is present, such as touching a USB fob, or it can use native biometrics, such as a fingerprint.
During the initial registration, a unique cryptographic key pair is created. The pair consists of a private key that is kept secure within the authenticator and a public key that is sent to the service. During authentication, a simple challenge/response occurs. Only a response signed with the correct private key will complete authentication. In a typical flow, FIDO and WebAuthn are used in conjunction with a secure element, so that the cryptographic keys can be generated and stored there. The biometric unlocks the private key, which signs the response that’s sent to the server. A unique key pair is generated for each service, so not only would a hacker need to attack every single device, they would also need to identify and compromise each key.
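The registration and challenge/response flow described above, modeled in Node.js as an added example (not ForgeRock's or the FIDO Alliance's code). The Authenticator and RelyingParty classes, the example.test origin and the userVerified flag are assumptions; attestation and CBOR encoding are left out.

```javascript
const crypto = require('node:crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();
// Hypothetical authenticator: one key pair per service; private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey; // only the public key goes to the service
  }
  // userVerified stands in for the local biometric match that unlocks the key.
  sign(rpId, origin, challenge, userVerified) {
    if (!userVerified || !this.keys.has(rpId)) return null;
    const clientData = Buffer.from(JSON.stringify(
      { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    // authenticatorData: SHA-256(rpId) | flags (UP|UV = 0x05) | 4-byte counter (zero here)
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
    const signed = Buffer.concat([authData, sha256(clientData)]);
    return { clientData, authData, signature: crypto.sign('sha256', signed, this.keys.get(rpId)) };
  }
}
// Hypothetical relying party: holds only the public key and issues single-use challenges.
class RelyingParty {
  constructor(rpId, origin) { Object.assign(this, { rpId, origin, pending: new Set() }); }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = crypto.randomBytes(32);
    this.pending.add(c.toString('base64url'));
    return c;
  }
  verify(a) {
    if (!a) return false;
    const cd = JSON.parse(a.clientData.toString());
    if (cd.type !== 'webauthn.get' || cd.origin !== this.origin) return false;
    if (!this.pending.delete(cd.challenge)) return false; // unknown or replayed challenge
    if (!a.authData.subarray(0, 32).equals(sha256(this.rpId))) return false;
    if ((a.authData[32] & 0x04) === 0) return false; // user-verification flag not set
    const signed = Buffer.concat([a.authData, sha256(a.clientData)]);
    return crypto.verify('sha256', signed, this.publicKey, a.signature);
  }
}
// Constructed scenario: example.test is a placeholder service.
function demo() {
  const device = new Authenticator(), rp = new RelyingParty('example.test', 'https://example.test');
  rp.enroll(device.register(rp.rpId));
  const a = device.sign(rp.rpId, rp.origin, rp.newChallenge(), true);
  return { first: rp.verify(a), replay: rp.verify(a) };
}
```

Calling `demo()` shows that the first signed response is accepted and the same response replayed is rejected, because the server holds nothing but a public key and a consumed challenge.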
All biometric data is stored on the device rather than on a central server. Because of this, a fraudster would have to steal this information by hacking one device at a time. But, generally speaking, it’s not a worthwhile pursuit for a cybercriminal due to the amount of time this would take. Essentially, there’s no central treasure chest where hackers can gain access to thousands of devices, passwords, or minutiae points that they can potentially leverage for other attacks.
The power of WebAuthn is the flexibility and range of authenticators that can be used. WebAuthn authentication is built into operating systems such as Microsoft Windows 10 with Microsoft Windows Hello, which allows keys to be stored on laptops, on USB fobs, and even on NFC and Bluetooth devices. This enables users to carry their authentication method with them across multiple devices.
ForgeRock offers a more flexible alternative while still supporting FIDO standards
ForgeRock provides a comprehensive approach to passwordless authentication. Not only do we provide native support for WebAuthn, we also have alliances with partners that have developed curated FIDO solutions for many different types of applications. We’ll take a deeper dive into the ForgeRock difference in Part 3 of this blog series.
1 https://www.securityweek.com/apple-joins-fido-alliance