You Can’t Reset Your Fingerprint
Unlike passwords, you can't reset your fingerprint after a cyberattack. Here's how passwordless technology prevents biometric theft.
Although passwords are a long-trusted security technology, the cyber security world has been calling to get rid of the “old faithful” authentication method in favor of technology that doesn’t rely on typing in passwords at all and seems right out of a sci-fi movie. Many people are rightly skeptical and even fearful of what this might mean for them and their precious information. However, there really is no need to be afraid. At root, passwordless technology is simpler and much more trustworthy than password-based technology, and it also helps prevent credential theft and many other cyber threats.
Password-based authentication is a user authentication technique that relies on knowledge-based systems, meaning that individuals trying to gain access to information must know a phrase or word that has been previously set to secure that information. Today, knowledge-based systems that use passwords are the predominant means of information security and user authentication. Despite their long history and wide usage, passwords and PINs have a number of shortcomings.
Simpler or more meaningful passwords are easier for users to remember but equally easy for hackers to break, making the account and the information contained in it more susceptible to attacks. On the other hand, more complex, arbitrary, or random passwords are more secure but difficult to remember. To make matters worse, users are asked not to use the same password on different devices or accounts, and humans can only remember so many passwords, so they undo the security that has been set up by writing passwords down or by using similar passwords for different purposes.
Passwords might be a common method of authentication, but they introduce several security risks. Hackers can easily gain access to critical business systems and users’ accounts by using cracked or stolen passwords. Also, the higher the number of accounts that require users to create and remember passwords, the more likely they are to engage in poor security practices like password reuse or sharing. Passwordless authentication, in comparison with password-based authentication, is inherently more secure because it completely eliminates the risks associated with passwords, all while ensuring information is secure and users are authenticated properly.
Passwordless authentication is any method of verifying the identity of a user that does not require the user to provide a password. Given the shortcomings of password-based systems that have been revealed in recent years, a passwordless system seems to be the ideal outcome. The lack of trust, however, concerns the principles and technology that form the base of passwordless technology, such as facial recognition or adaptive MFA, which involves intelligent analysis of user behavior.
Security Principles and Technology of Passwordless Technology
The security principles that passwordless technology relies on are based on the ability to gather attributes about a user’s identity and then combine them to form the identity that the system recognizes as the authorized individual in order to grant access to information. True passwordless technology relies on possession and inherence factors (something a user has, or something a user is) rather than a knowledge factor (something a user knows), which is vulnerable to theft, sharing, reuse, misuse, and other risks. It works by replacing passwords with other authentication factors that are inherently safer.
Passwordless authentication relies on the same principles as digital certificates: asymmetric cryptography with a private and public key pair. The public key serves as a lock, while the private key unlocks it. Asymmetric encryption involves using the two separate but mathematically related public and private keys to encrypt and decrypt data, respectively. The public key is open to everyone and anyone can access it and encrypt data with it.
Due to the secure nature of asymmetric cryptography, only authorized people, servers, machines, or devices can have access to the private key. The private key is stored on the local device and can only be accessed by using a set authentication factor like a fingerprint, one-time password (OTP), voice recognition, and so on. The public key is then provided to the system on which the user has set up the account.
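To make the key-pair arrangement above concrete, here is an added example (not code from the article) of a passwordless login in Go using Ed25519 from the standard library: the server stores only the public key and a one-time random challenge, the device signs the challenge with a private key that never leaves it, and the local factor (the fingerprint match) is simulated by an `unlockOK` flag. Signing a server challenge, rather than encrypting data, is the standard way a key pair proves possession at login; the user and key names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Device side: the private key is generated on the device and never leaves it.
// Releasing a signature is gated on a local factor (the fingerprint match in the
// article), simulated here by the unlockOK flag; the biometric is never sent.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte, unlockOK bool) ([]byte, error) {
	if !unlockOK {
		return nil, errors.New("local unlock failed: private key stays sealed")
	}
	return ed25519.Sign(priv, challenge), nil
}

// Server side: only public keys and one outstanding nonce per user are stored,
// so a breach of this table yields nothing an attacker can log in with.
type Server struct {
	users      map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public key the device sends at enrollment.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.users[user] = pub }

// Challenge issues a fresh random nonce valid for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify checks the signature with the registered public key and burns the
// nonce so a captured response cannot be replayed later.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.users[user]
	c, has := s.challenges[user]
	delete(s.challenges, user)
	return ok && has && ed25519.Verify(pub, c, sig)
}
```

A stolen copy of the server's table, a replayed response, or a failed local unlock all leave the attacker without a valid signature, which is the point the passage makes about the private key never being exposed.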
Adaptive Multifactor Authentication
This goes beyond just using authentication factors like hardware tokens, biometrics, or OTPs. Adaptive MFA uses machine learning to develop patterns of normal user behavior. In the event that the system notices a change from that user’s pattern of behavior, it regards the login attempt as risky and takes appropriate actions to either require more forms of authentication or to block access completely.
Liveness detection in biometrics involves a system determining whether a fingerprint, face, or other biometric sample is real, that is, from a live person present at the point of capture, or fake: an artifact, a lifeless body part, or a prosthetic device.
Liveness detection is made up of a set of technical features that counter biometric “spoofing” attacks, in which a person with malicious intent makes a replica imitating a person’s unique biometrics, such as a glass eye, a fingerprint mold, a recorded voice, or even a 3D silicone face mask, and presents this replica to the biometric scanner to bypass the identification and authentication steps of the system. Liveness detection checks use algorithms that analyze the data collected from biometric scanners and readers to determine whether the source is genuine or a fake.
Decentralized digital identity technology is a standards-based system that provides users with greater privacy and control over their data. It is a form of security architecture in which identifiers like usernames are replaced by independent identifiers, allowing data exchange with supporting technology such as blockchain in order to protect operational security. When it comes to authentication, decentralization puts the power in the hands of the users. No central authority is needed to verify an individual’s identity; instead it makes use of decentralized identifiers (DIDs), a special type of identifier that allows for decentralized digital identification.
DIDs are designed to be independent of centralized registries, repositories, identity providers, and certificate authorities. Authentication of a user’s identity happens only once, and the proof of user identity is saved in an identity trust fabric (ITF). The ITF and its supporting infrastructure act as an intermediary between the user and any service providers they use, and it also handles all identification and access requests. This means that authentication is carried out automatically by the third-party verification system, without the user needing to input any information.
Zero Trust Principles
A major security principle that supports passwordless technology is known as the Zero Trust security model. Zero Trust principles help protect against identity- and access-based security risks by requiring all users to be authenticated, authorized, and continuously validated before they are given access to applications and data. As a security strategy, Zero Trust and passwordless technology work together to form a coherent policy while removing the password risk factor. Instead of requiring users to input passwords at every turn, for example, a Zero Trust passwordless solution would have multifactor authentication involving something the user possesses, like their phone, and something they are, like their fingerprint.
With 91% of information security experts stating that stopping credential-based attacks is their main reason for implementing passwordless technology, more and more people are beginning to realize that passwords are a major risk factor in information security.
There’s no question that the reputation passwords have as a secure and necessary means of protecting access is slowly dwindling. As a new age of security begins, in which cyberattacks are growing more persistent and sophisticated, it is more important than ever to introduce passwordless technology, but first and foremost to educate users on the underlying technologies that secure it. With secure, user-friendly principles and technology, passwordless technology is quickly becoming the future of cybersecurity.
Opinions expressed by DZone contributors are their own.