Top 3 Metrics for Evaluating Passwordless

Overcome skepticism about passwordless solutions by asking vendors some technical questions.


There is considerable interest in going passwordless and adopting biometric authentication for application access. According to a recent survey by Cisco:

  • 52% of IT decision makers are actively considering passwordless solutions
  • 79% plan to implement such a solution within the next two years

However, it’s not a straightforward strategy. IT decision makers expressed concerns around the security of passwordless methods, especially in comparison with multifactor authentication (MFA).

Cisco also surveyed consumers about how comfortable they feel with using their fingerprints to access online accounts, and 69% said they are very or somewhat comfortable.

“I was surprised to see this level of comfort,” said Ted Kietzman, product marketing manager, Cisco Duo. “But it could be that with the prevalence of Touch ID on iPhones, people have gotten used to using their fingerprints to access their accounts.”

However, consumers too have concerns about replacing a password with a biometric factor. For example, they are worried that attackers might try to replicate their biometrics. Also, they don’t fully trust companies to store their biometric data.

With these concerns in mind, organizations considering a move to passwordless should be prepared to ask vendors how their solutions measure up on a few technical metrics.

Benchmarks for passwordless

Kietzman recommends three technical metrics to help conceptualize passwordless solutions. These considerations can also be used to evaluate vendors, he said.

  1. No shared secrets. Many people consider their biometric information to be a secret that shouldn’t be shared. To address this, a passwordless solution should create an asymmetric key pair with a public and a private key. Anyone can have the public key and any service can store it. The private key, however, never leaves the authenticator; it is used only to unlock the credential and sign authentication requests.

Kietzman suggests asking vendors: What happens in cases where the application doesn’t accept asymmetric credentials?

  2. Origin binding. Here, credentials are scoped to the domain (origin) at which they were registered. The authenticator checks the origin and rejects fake service domains, so a credential presented at a look-alike or compromised domain would not work.

“Ask the vendor if their solution forces the user to make sure they’re at the correct domain,” Kietzman said. “The answer should be ‘no.’ Passwordless solutions that are strongly origin bound don’t make the user even think about this.”

  3. Channel binding. In this method, communication from the authenticator to the website is strongly tied to the browser session that it is attempting to authenticate. This means that a malicious actor cannot remotely signal, turn on, or access an authenticator. An example of a solution that is strongly channel bound is Touch ID on the iPhone, a feature that is difficult to access remotely.

“Ask vendors if their solution bootstraps trust with a QR code to gain access to accounts,” Kietzman said. “This is an area where channel bindings can be weak and where QRL jacking can occur, in which an attacker uses social engineering to hijack a session and gain access.”

Continue the conversation

Amid the interest in going passwordless, take the time to vet solutions, Kietzman said.

“There’s a lot of buzz in the market these days about passwordless,” he said. “These three metrics hopefully make the concept more concrete and offer context for further discussions.”



Copyright © 2021 IDG Communications, Inc.