Are Passwords becoming ancient? A deep dive into FIDO2 and its role in Passwordless Authentication

WHAT IS WRONG WITH PASSWORDS?

For years, regular password systems have provided a reliable way for people to protect their information, log into accounts securely and validate their identities. In more recent times, however, it has become substantially easier for ‘hackers’ and cybercriminals to break into supposedly secure password systems and access critical personal information [1]. The term ‘password vulnerability’ was coined to describe these situations: it refers to the factors that weaken a password system and increase the risk of, or facilitate, password theft. Many factors can make a password system vulnerable, but two stand out: vulnerabilities created by the user, i.e. the desire to choose a simple password, and vulnerabilities due to inadequate guidelines from organisations, which can occur when staff members are given access to password-based login credentials without receiving the necessary training [1].

THE CONCEPT ‘PASSWORDLESS AUTHENTICATION’

Passwordless authentication is an alternative to asking users to input a password for identity verification [2]. Access is instead granted through alternative factors such as biometrics, possession factors or one-time codes. By removing the drawbacks and hazards of standard passwords, this method seeks to improve both security and user experience.

This concept draws on three different categories of authentication factor:

  • Knowledge factors: something the user knows, such as security questions, passphrases and passwords
  • Possession factors: something the user owns, such as hardware tokens, authentication devices or certificates
  • Inherence factors: biometrics, such as fingerprint identification and face scans [3]

There are several applications of this method, including but not limited to biometric authentication, one-time passwords (OTP) and device-based authentication. Biometric authentication uses unique physical characteristics, such as iris patterns, fingerprints or facial features, to confirm identity. Resistance to replication, ease of use and strong security are some of its benefits, but there are also problems with this application, including privacy concerns and the possibility of false positives or negatives. One-time passwords are another suitable method of passwordless authentication. They are temporary codes sent for a single login session by SMS, email or an authentication app. They provide time-limited access and enhanced security, but they rely on external communication routes and are vulnerable to interception [4]. Last but not least is device-based authentication. This application trusts devices for easy login based on features like location, IP address or device fingerprints. It is relatively easy to operate and makes logging in easier, but its effectiveness is contingent upon the characteristics of the device being used.

FIDO 2 AND ITS ROLE IN PASSWORDLESS AUTHENTICATION

Amid this rise of passwordless authentication, a key tool being used is Fast Identity Online 2, or FIDO2. Many in the industry have declared it the clear solution to the world’s password security problem. FIDO2 is an open authentication standard created by the World Wide Web Consortium (W3C) and the FIDO Alliance to provide safe and convenient passwordless authentication [5]. It builds upon the earlier FIDO Universal 2nd Factor (U2F) standard, extending it to support multi-factor and passwordless authentication.

But how does FIDO2 work, and how exactly does it play a role in passwordless authentication? It provides robust, phishing-resistant authentication through the use of public-key cryptography, in a very simple three-step process:

  • Registration: A new key pair is generated when the user registers with a FIDO2-enabled service. The user’s device or security key stores the private key securely, and only the public key is transmitted to the service provider.
  • Authentication: During login, the service provider sends the user’s device a challenge. The device signs this challenge with the private key and sends the signature back to the service provider.
  • Verification: The service provider validates the signature using the stored public key and, without requiring a password, authenticates the user [6].

FIDO2 has a good number of advantages, since it removes vulnerabilities connected to passwords, such as credential stuffing, phishing and brute-force attacks. Users can also authenticate quickly, as they do not need to remember complicated passwords. Unfortunately, nothing is perfect, and this tool does come with its fair share of disadvantages. It would take education and change management to move users from passwords to new authentication methods [7]. Implementing safe account recovery procedures without reverting to less safe techniques could also be difficult.

WHAT WOULD YOU CHOOSE?

Having seen the pros and cons of passwordless authentication and the use of FIDO2, someone reading this might stop to ask themselves: is it worth making the switch from my decent, more comfortable, familiar password system? The choice is evidently yours; however, I do hope I have been able to aid you in making the right one!

REFERENCES

[1] Naveed, S. (2024). types-of-passwordless-authentication-feat-image. [online] Pureversity.com. Available at: https://www.pureversity.com/blog/types-of-passwordless-authentication. [Accessed 18 Sep. 2024].

[2] onelogin (2020). Passwordless Authentication. [online] OneLogin. Available at: https://www.onelogin.com/learn/passwordless-authentication.

[3] Wright, G. (2023). What is passwordless authentication and how does it work? [online] Security. Available at: https://www.techtarget.com/searchsecurity/definition/passwordless-authentication.

[4] Naveed, S. (2024). types-of-passwordless-authentication-feat-image. [online] Pureversity.com. Available at: https://www.pureversity.com/blog/types-of-passwordless-authentication [Accessed 18 Sep. 2024].

[5] FIDO Alliance (2024). FIDO2: Moving the World Beyond Passwords using WebAuthn & CTAP. [online] FIDO Alliance. Available at: https://fidoalliance.org/fido2/.

[6] Yubico (2024). FIDO2 Passwordless Authentication | YubiKey. [online] Yubico. Available at: https://www.yubico.com/authentication-standards/fido2/.

[7] Yeo, J. (2022). WebAuthn, Passwordless and FIDO2 Explained – Duo Blog. [online] Duo Security. Available at: https://duo.com/blog/webauthn-passwordless-fido2-explained-componens-passwordless-architecture.

13 Comments

  1. Passwordless tech is cool and definitely the way forward, using things like fingerprints and security tokens instead of passwords. As we move towards a passwordless world, these new methods are set to make online security much stronger.

  2. David, great blog, amazing, informative read. Password-less authentication is the way forward, I have been using Windows Hello at my organization and since inception I am loving it as it saves me from typing the long 18-20 character tedious password every single time I log in to my workstation and one less thing to stress about mistyping at work eh! This coupled with SSO has definitely made life easy with regards to authentication.

  3. Excellent job! I’m thrilled you chose to discuss this topic, as passwords are a significant issue in today’s landscape of cyber threats. These tools are incredibly helpful, especially for those managing multiple accounts, as they reduce the mental load of creating, remembering, and recovering passwords. Additionally, well-known attacks have little chance now, since there are no passwords to guess or reuse. This technology truly transforms how we secure, access, and trust our accounts. My only concern is that more effort is needed to raise awareness so that more people can take up this great approach to accounts management and access.

  5. Great post, it’s great to get a blog about how these passkeys and password authentication methods work. I myself would definitely want to make the swap. I do have a password manager but as I get more and more accounts to things my password manager is getting more and more cluttered. I do have concerns with this FIDO2 though. Like you mentioned I think a big concern is getting a new device or losing the device with the private key. The security then falls to the account recovery procedure and the security of the device. The user still might need a password for the recovery or for their device to allow them to use the private key which could be a weak point in the system. I think this is where authentication should go but I still think it needs to be developed more and adopted more for ease of use and for the weak points in the system to be strengthened.

  7. Great post, this post really got me thinking about the state of passwords. It feels like everyone hates them for one reason or another, and there are always proposed alternatives. On one hand we have to balance security and try to find the best way to validate users and secure data; and on the other hand we have to acquiesce to the user who doesn’t want passwords at all. People don’t want to have to do multiple steps to check their email etc. I would be lying if I said I haven’t considered turning off 2FA for my student email account just so I don’t have to type in a 6-digit code every time. Even though we know that “Microsoft and Google 2FA can protect users from automated attacks 100% of the time” [1], how many people use it for everything? In many ways the perfect security system would just know it’s you without you needing to do anything, but that sounds closer to science fiction than anything we currently have. It feels like balancing these two goals is almost contradictory and I just wonder if passwords are the best solution in a sea of bad choices… until we evolve as a species of course.

    1. https://techjury.net/blog/two-factor-authentication-statistics/

  8. It’s clear that the issues with traditional password systems are growing every day, highlighting the urgent need for advancements in this area. Passwordless authentication, especially with FIDO2, seems to be a promising solution to these challenges. This blog also makes us think about whether our present methods are capable enough to keep us safe on the internet. Thank you for bringing attention to this important topic!

  10. Great post! I’m really glad to see we’re moving towards passwordless authentication. Although methods like OTP (One-Time Password) might require a bit more effort, they offer significantly more security than passwords. On the other hand, even alternatives like two-factor authentication (2FA) and biometric authentication come with their own set of challenges—such as biometric errors or losing access to the second factor. (Which did happen to me.)
    That said, these options are still far better than relying on passwords. I’ve seen many people end up creating multiple password manager accounts simply because they forgot the password to their manager. And the worst part? If a password manager itself is compromised, it can leave all your accounts vulnerable, defeating the purpose of having a secure system in the first place. Thus passwordless authentication seems like moving a step up for security.

  11. Enjoyed the read, David. My colleagues highlighted how passwordless authentication helps in not only securing access but, like Kaushik mentioned, it gives a more robust user experience. I would like to click on two points around usability and security. I agree with you that FIDO2 has its share of some disadvantages, especially that the private key is stored on the device, which makes it in some cases physically vulnerable if the device is not protected. Imagine if someone knows the passcode of your phone, or what if your phone allows multiple faces to unlock it? From the usability side, as the name “FIDO2” implies, the “O” is being online, which is not usable in critical premises like the operation room, top confidential places, and so on. Even so, passwordless authentication is widely adopted and a step forward toward keyless password methods.
    https://www.strongdm.com/blog/fido2#:~:text=Disadvantages%20and%20Challenges%20of%20FIDO2

  12. Great topic and well explained David! Without a doubt finding an authentication model that brings security but at the same time is easy to use will always be a challenge. As you described, FIDO2 seems to be the best option for now.

    It brings balance between security and “easy to use” options. But, if you lose the verification device or you don’t have access to the second verification option, it will be complicated to recover the access. It is a good debate topic since there are still users that are not used to this option and implementing this kind of authentication method requires the use of services from external providers.

  13. This post was quite informative, especially the way you broke down the fundamentals of passwordless authentication and explained how FIDO2 operates. I completely agree that a lot of managing changes would be needed if we were to abandon passwords. We depend on passwords so heavily, even while we are aware of their flaws, it’s absurd. Personally, I’m leaning toward passwordless options. I appreciate how you valued the benefits and drawbacks of passwordless and FIDO2 systems. You pointed out the challenge of encouraging users to use passwordless authentication because of the need for change management and education.