Pushkar Marathe - Jun 18, 2019

Biometrics Brings Us One Step Closer to Eliminating Passwords for Good

There are two primary means of authentication in use today: basic and multifactor. With basic authentication, the user ID and password are the most common. Recently, however, you have likely seen the adoption of two-factor authentication (2FA) or multifactor authentication (MFA). They are, in essence, the same thing.

Multifactor authentication involves something you know (your password and user ID) and something you have (your phone). With multifactor authentication, you log in with your user ID and password, and then the second-factor authentication is typically sent to you as a text message to your smartphone. You enter the information, usually a code, from that text message as a second means of verifying that you are the person who is authorized to access the account. This is the typical “state-of-the-art” authentication mechanism used today.

The User ID / Password and 2FA Are Hackable

The above authentication methods are all efforts to provide greater security, but they are insufficient because they are not solving the root problem: a centralized system where those passwords or shared secrets, like the single-use codes sent via text message or email (a one-time password or OTP), are sent from a server to the user as part of the authentication mechanism. This is the part of that process that can be hacked — people can intercept those messages. Although 2FA offers additional security, it doesn’t solve the root of the problem, which is the centralized shared secret system.

How FIDO2 Works

When it comes to authentication, there’s a concept of a continuum between very secure and easy-to-use, and you have a choice between one or the other. Sites and apps can increase security by adding complexity, such as requiring multiple fields of information — your mother’s maiden name, the last four digits of your Social Security number and so on. This does increase security, but it is at the expense of the end user’s experience. If those sites and apps make authentication easy, it becomes less secure.

This is where FIDO2 protocols come in as a way to apply the appropriate level of authentication while making it easy and convenient for end users to access information and resources. The premise of the FIDO Alliance (FIDO stands for “Fast Identity Online”), creator of these protocols, is to remove the need for a centralized repository of passwords, whether it’s the user’s password or the OTPs that are generated from the centralized server.

FIDO2 accomplishes this through public-private key pairs. By distributing the keys out to end users so that their private key is stored on their device and there is nothing stored by the service provider, except the public key, which cannot be used to decrypt anything except what the user intends it to. With this model, there is no database to hack, allowing an attacker to gain access to a huge pool of passwords There is also no service-generated password or OTP to hack into or intercept.

In other words, FIDO2 eliminates the problem of centralized stored passwords altogether. Because it is decentralized, it takes care of the root problem of authentication.

The Continuum of Security Versus Convenience

Because FIDO2 is cryptographically secured and decentralized, it does not have anything stored that can be compromised and is set up in a way that is incredibly easy for the end user. There is no need to remember a password, your second-grade teacher’s name or any other “thing you know.”

You don’t have to wait for that text to access an account. FIDO2 is capable of using biometrics, meaning you could simply touch the biometric fingerprint reader and gain access to that account instantly. It makes it very simple for the end user yet is more secure.

Security and convenience come together with FIDO2 protocols. Users have a better experience, but that experience is based on cryptography. What is stored on the security token is a private key, and the only thing that’s stored on the FIDO server is the public key. This means there is nothing to hack.

A New Challenge for Hackers

Having the opportunity to hack into the database of a corporation with millions, tens of millions or hundreds of millions of user passwords is a rich reward and a worthwhile pursuit for hackers. With the new FIDO2 model, there’s no centralized way of accessing all of the user credentials in that database, because everything stored there is an individually-encrypted public key. Hackers would now have to decrypt each user’s credentials separately to gain access to one specific website or login. That’s a very different attack surface and much less inviting.

The End of an Era

What will drive the end of the password era? The biggest driver will be the potential for breach and the expenses associated with it — not just the financial costs, but the reputation damage that accompanies it. By removing the “things you know” element for users, there is no shared secret to compromise. Imagine a world where passwords, Social Security numbers, credit card numbers and so on are eliminated from all centralized depositories — there is nothing left to breach. FIDO2 allows authentication to become both easier and more secure, while supporting user’s control over their data protection and privacy.

About the Author

Pushkar Marathe is the Senior Engineer at StrongKey Inc., where he designs and develops the various crypto (security) products. He is also the company’s engineering team lead. He has a degree in computer engineering from Rajarshi Shahu College of Engineering in Pune, India and a Master’s in computer science from San Jose State University.

ALSO SEEN IN: The New Stack