Passwordless Experiences Are Not as Secure as They Seem

Large enterprises are adopting device biometrics such as iPhone Touch ID, Face ID, and their counterparts across the fragmented Android device ecosystem to enhance customer experience. Often, features such as these that remove friction are also talked about as improving usability and security, due to the many problems associated with passwords.

Passwords have not kept pace with the growth in online services, especially on mobile, so it’s natural that device biometrics have eclipsed the username/password scheme in terms of convenience. With 81% of large-scale data breaches being the result of weak or stolen credentials, passwords being the dominant form of credential, it would also seem clear that using biometrics to authenticate into accounts and authorize payments has answered the question of how we’ll reduce the number of mass breaches. If only this were true.

It’s important that we first arrive at a clear standard for what passwordless authentication is before we make an assumption about the security benefits of a user interface where a customer is no longer exposed to the hassles of password-based authentication. If we define passwordless as an end state in which there is no password, then most implementations of device biometrics score high on usability but fail to answer the challenge of how the service provider will protect itself and the users from the risks of password-based authentication.

Most biometric authentication is added on top of legacy systems where the consumer and enterprise share a secret, a password, stored centrally on servers alongside all other consumers’ passwords. When a bank customer uses Touch ID, the fingerprint either unlocks the device or pastes in a password from the device’s keystore. The end state is still that the user and enterprise depend on centralized password-based security to protect assets and privacy – something we know doesn’t work no matter how friction-free the experience.

Password-based authentication with or without biometrics does nothing to protect the enterprise and consumers from today’s onslaught of credential reuse and phishing attacks. Credential reuse attacks rely on established user habits of recycling passwords across multiple accounts and have an alarming 2% success rate. This makes these automated attacks everyone’s problem against the backdrop of millions of credentials from prior, unrelated data breaches available to hackers.

Phishing has also enjoyed success – enough to say we are on the cusp of hearing about our 2018 holiday shopping experience being tainted by payment fraud, account takeover, prepaid cash-out scams, and even data breaches in the employee access example. Growing in their sophistication at deceiving consumers by mimicking a valid service, attacks such as these succeed simply by persuading a user to hand over their data, whether to “protect” themselves or to access a too-good-to-pass-up discount.

An end state of no password erects a technical barrier against credential reuse and phishing, since neither a user nor a malicious third party can possess, exchange, or make use of a credential that can be weaponized. It also solves the social engineering aspect of credentials-based attacks. This is because a true state of no password is a decentralized, public key infrastructure (PKI)-based framework in which impossible-to-share credentials, or a combination thereof, are decentralized onto end-user mobile devices. In it, identity is tied to one or more biometrics, possession of one’s phone, the likely true secret of a device unlock PIN, and more as geolocation and behavioral traits come into play.

Hackers can’t spray the target bank with credentials from the breach of a social media platform because the bank now holds no authentication secrets with their customer. The two communicate their login and payment requests and consent over PKI. There’s no database against which to match all of these credentials obtained on the dark web, 2% of which are shown to be valid. Sending a form to a holiday shopper asking them to change their department store password? The customer no longer has anything to input, even if emotionally compelled to do so as hackers intend. Even if they did have something, the hacker is excluded from the trusted app and server loop where authorized conversations take place.
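As an added illustration (not code from the article), here is a minimal Go model of the challenge-response login the two paragraphs above describe: the bank stores only a public key per customer, the phone keeps the private key behind a local biometric or PIN check, and every login is a fresh nonce signed together with the origin the phone actually connected to. The three scenario functions show why a stolen server database and a relayed phishing page both fail to produce an accepted login. Simplifications and assumptions: origin binding is done by the device itself (in FIDO it is the browser or platform client that does this), Ed25519 is an arbitrary choice of signature algorithm, and the user name and origins are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty is the bank's server. It keeps only a public key per user, so a
// dump of this table holds nothing an attacker can replay as a credential.
type RelyingParty struct {
	Origin  string
	PubKeys map[string]ed25519.PublicKey
}

// Device is the customer's phone. The private key never leaves it, and a local
// biometric or PIN check (modelled by userPresent) gates every signature.
type Device struct {
	priv        ed25519.PrivateKey
	userPresent bool
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, PubKeys: map[string]ed25519.PublicKey{}}
}

// NewDevice creates the device-bound key pair at enrollment; only the public
// half is ever sent to the server.
func NewDevice(userPresent bool) (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv, userPresent: userPresent}, pub, nil
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) {
	rp.PubKeys[user] = pub
}

// NewChallenge draws a random 32-byte nonce so every assertion is single-use.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// signedMessage binds the nonce to an origin; the zero byte separates the fields.
func signedMessage(nonce []byte, origin string) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

// Assert signs the challenge for the origin the device actually connected to.
// A look-alike site relaying the bank's real nonce cannot change that origin.
func (d *Device) Assert(nonce []byte, seenOrigin string) ([]byte, error) {
	if !d.userPresent {
		return nil, errors.New("local user verification failed")
	}
	return ed25519.Sign(d.priv, signedMessage(nonce, seenOrigin)), nil
}

// Verify checks against the registered key and the server's own origin, never
// against anything the client supplied.
func (rp *RelyingParty) Verify(user string, nonce, sig []byte) bool {
	pub, ok := rp.PubKeys[user]
	return ok && ed25519.Verify(pub, signedMessage(nonce, rp.Origin), sig)
}

// scenario enrolls the constructed sample user "alice" on a fresh bank and runs
// one login in which the signing device believes it is talking to seenOrigin.
// With attackerKey set, the signer is a key generated by someone holding a copy
// of the bank's (public-key-only) database, not alice's device.
func scenario(attackerKey bool, seenOrigin string) bool {
	rp := NewRelyingParty("https://bank.example")
	dev, pub, err := NewDevice(true)
	if err != nil {
		panic(err)
	}
	rp.Register("alice", pub)
	if attackerKey {
		if dev, _, err = NewDevice(true); err != nil {
			panic(err)
		}
	}
	nonce, err := rp.NewChallenge()
	if err != nil {
		panic(err)
	}
	sig, err := dev.Assert(nonce, seenOrigin)
	return err == nil && rp.Verify("alice", nonce, sig)
}

func HonestLogin() bool         { return scenario(false, "https://bank.example") }
func PhishedLogin() bool        { return scenario(false, "https://bank-example.invalid") }
func StolenDatabaseLogin() bool { return scenario(true, "https://bank.example") }

func main() {
	fmt.Println("honest login accepted:", HonestLogin())
	fmt.Println("phished login accepted:", PhishedLogin())
	fmt.Println("stolen-database login accepted:", StolenDatabaseLogin())
}
```

The design point is in Verify: the server recomputes the signed message from its own origin and its own nonce, so the only way to be accepted is to hold the private key that was enrolled and to have signed for the genuine origin. Nothing the customer could type into a form, and nothing in a leaked copy of PubKeys, satisfies either condition.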

A lethal combination of using transferable credentials and storing them centrally is what makes fraud against consumers and large-scale data breaches possible. Going further, compounded breaches make the supply of credentials a precious resource for future breaches. None of this is addressed by device biometrics when they are configured, as they typically are, to sit superficially on top of legacy, password-based authentication. And none of this will subside until large service providers start migrating to systems entirely free of passwords and away from ones that are both targets for credentials-based attacks and suppliers of credentials for further attacks.

Device biometrics are a step in the right direction. The emergence of these features has already proven that they are accurate enough to make passwords unnecessary. Device biometrics also make a user’s ownership of a passwordless credential possible since this hardware can work with architecture that keeps the template on the device but uses it to initiate trusted login and payment requests.

Biometrics also get all of us further accustomed to the notion of an online world 100% lacking in passwords, which is great for mobile, for IoT, and for security. This has put us in a great position to make the further leap of eliminating passwords, and this is where some decision-makers are seeking clarity.

The drawbacks and challenges

Misconceptions about what passwordless means slow our journey to a true passwordless state. This is caused by the proliferation of convenience features on mobile devices. A few years after Apple launched Touch ID in 2013, 89% of users with enabled devices were using the feature for unlocking devices. Today, the Android market is saturated, and many banking apps support biometrics for easy login (with the introduction of Face ID, key players like Chase, Wells Fargo, HSBC and more are implementing biometric authentication features on their mobile apps). It’s almost unthinkable that a viable smartphone would lack one or more sensors.

Passwords are being back-burnered so often that even today, when given the option to fully retire passwords, some executives reply with, “We’ve already done that with Touch ID.” This is in contrast to 2014, when executives cited the use case of many customers having basic smartphones as a reason to table the password question. So today, we have plenty of appropriate hardware deployed, but convenience is obscuring the root password question.

Then there is the question of which standards and solutions an enterprise should use to eliminate passwords. FIDO Alliance’s open standards were developed specifically for secure passwordless authentication and have taken a decade to gain support, notably from GAFAM, to achieve a high degree of scalability and interoperability. There are also standards that have failed to gain traction, like the Biometric Open Protocol Standard (BOPS), and the newer adaptation of multiparty computation (MPC) to user authentication. No matter what best suits an enterprise, security teams and digital transformation leaders face a pivotal build vs. buy question, followed by the reality that open standards provide building blocks – not a ready-to-deploy solution.

Finally, turning consumer and employee devices into secure digital keys without passwords adds tremendous certainty to authentication, but it does not solve the identity question. The former is “Am I who I say I am?” and the latter is “Who am I?” If fraudsters compile enough personal details on a target, they might go the route of mimicking someone’s identity to the point of registering a device in their name to access accounts. In January 2016, there were 2,658 reported incidents where fraudsters took over a user’s mobile account or opened a new one in the user’s name. This represented 6.3% of all identity thefts reported to the FTC that month. Authentication by any method should always be paired with identity proofing technologies to securely enroll the right person into a service, including with the proper documents, as people access more services remotely and make fewer contacts at bank branches, for example. According to the Federal Reserve, about 61% of US customers used a mobile phone to check a bank account balance or recent transaction in 2017.

Once these questions are settled, the road to an end state of no password can be a smooth journey; and it should be a quick one. The groundwork for passwordless security and the expected ease of rolling it out has been laid by the availability of passwordless features, associated devices, and the appetites for simplicity these have created.

Convenience is a strong motivator for accelerating our move to passwordless authentication and payment authorization. If we start with the goal of removing the password entirely, we’ll realize all of the benefits to the experience of making passwords an afterthought. And we’ll achieve the gains to security that retiring passwords for use altogether makes possible.