Will WebAuthn replace passwords or not?

The humble, much-maligned password has been in the news again lately. The FIDO Alliance and W3C announced in April the release of the password killer web API named WebAuthn. But, are we singing the “Bye, bye password” song, only to start up a chorus of “You say goodbye and I say hello”? Let’s take a look at the ebb and flow of password(less) authentication.

First, there was the password

We have had a sort of love/hate relationship with the computer password, ongoing for the last 40 years at least. The tech community keeps promising the demise of the password, then it never comes to pass…Instead, according to LastPass, business users have to manage, on average, 191 passwords each! And, according to Pew Research, we aren’t even using password managers, with only 12% of respondents in a 2017 survey using them, and 49% writing passwords down on paper. No wonder then, that LastPass found that 81% of data breaches were ultimately due to password compromise.

Then there was HOTP/TOTP and SMS text code

It felt, at one point, certainly from a technologist’s perspective, that the use of authentication apps, like Google Authenticator, might hold the key to cheap, secure, second-factor authentication. SMS text code was also, seemingly, a good way to get the ‘out-of-band’ needed for a good 2FA mechanism. However, SMS code and authentication apps never really took off, or at least have had a mosaic uptake. Currently, less than 10% of Gmail users use a second factor for login.

But, it isn’t all doom and gloom for second-factor use. Singapore, for example, seems keener on the use of 2FA. In a recent survey by the Cyber Security Agency of Singapore, on public security awareness, they found that between 2016-2017, there was a 13% increase in users enabling second-factor for access control to accounts. It would be interesting to see why 2FA in Singapore is more accepted than in other countries, perhaps they are early adopters and we will see a trickle across effect in the uptake of 2FA?

Now there is WebAuthn

Welcome to the promised land in the form of passwordless login. The new API from W3C and FIDO offers just that, a way to remove the need for a password and have automated login via a device/biometric – no second factor – WebAuthn IS the only factor. WebAuthn is based on our old friend public-private key cryptography. In a nutshell, signatures are sent between a relying party (usually website) which stores the public key, and an authenticator (device or browser) using a biometric to authenticate you to the device – it’s neat, it’s easy to implement, it has some excellent security features that can help prevent phishing using PKI/biometric – but is it the panacea of authentication?

As always, the devil is in the detail. It is the ‘what if’s’ that always flush the issues out with an authentication measure. For example, what if you lose your phone and need to login urgently? Systems always need a fallback position. This is generally a lower threshold which then becomes the attack vector. Although WebAuthn holds much promise, the fallback to a password, or on the mobile device a PIN code (the fall back for a biometric) takes us back to square one. And, the biggest challenge will be in the creation of secure credential recovery for WebAuthn based services when this is the only factor engagement.

Then there was a password, again

We are all sick of passwords; I have so many I can’t keep track and end up using recovery systems all the time. I am no fan. However, I am a pragmatic person and recognize that the password may be a pain in the proverbial, but it has its place in history and its future is assured. But, we can’t continue blindly abusing our passwords – as was shown recently in a Brian Krebs blog post which showed employees posting passwords in clear text on collaboration portals such as Trello.

Passwords may have a longer lifespan than hoped but we need to up our game in supporting their continued use. On this matter, NIST gave some sound advice when they updated their advisory recently. Long-standing practices around password policy were placed in the out-folder and others, such as maximum password length, were updated to reflect the longer length of more memorable passphrases. Passwords, it seems, are here to stay for a while yet, and we need to develop a ‘healthy password culture’ that takes human behavior into account. And, tools for password policy implementation, such as the excellent zxcvbn password strength estimation method, offer a good way to prevent password guess attacks, for example.

WebAuthn may be a great way to improve usability and build a more secure login system, but we should always be cognizant of passwords too. Security best practices, such as the NIST guidelines are finally catching up with how human beings use technology.

Other considerations: database encryption, admin passwords, and security best practices

In terms of consumer password best practices, NIST guidelines, Special Publication 800-63-3: Digital Authentication Guidelines was recently updated with some very sensible changes around authentication and specifically password best practices. One of the advisories is to make sure that passwords are salted and hashed before storing in a database.

However, we also have to remember that the vast majority of data breaches are down to password exposure, malicious or otherwise. Mass database breaches are via exposure to the administrator password, not the consumer account owner. But, in terms of administrator passwords, the NIST guidelines still apply – even administrators are human beings after all. But in the case of an administrator what you can do that is more difficult with the general public, is to force the use of second factor.

If we assume that in the short term at least, passwords or PINs are always going to be with us, either as a factor or as a fallback, we have to look at security best practices and putting policies in place to mitigate password exposure which ultimately exposes sensitive data stored in a database or data warehouse.

Passwords for the people

Passwords would definitely make it onto a list of the ‘Top Ten Most Annoying Things About the 21st Century”. However, like many things that come to test us, they have their positive side too. While other authentication measures continue to fall back on the old password as a backup we must continue to improve how we use and apply passwords. Applying basic tenets of human behavior to the use of passwords, and not forcing people to act in an unnatural manner, will hopefully help alleviate the pain inherent in their use.