Let’s be honest: while the proclamation of the password’s death came frequently over the past four years, outmoded text-based security has refused to stay in the ground. If the password was dead in 2014, then it is now an undead monster, omnipresent and dangerous, in need of a full-on purge. We need a cure for the undead password, putting our twelve-character security corpses to rest so we can build a safer and more convenient digital community.
For a long time, FIDO standards have been heralded as the cure to the password problem, and now, thanks to the WebAuthn and CTAP standards introduced as components of FIDO2, there is finally a delivery method for bringing strong online authentication to everyday internet users.
The Password Has Failed
Passwords have failed us for longer than we’ve had viable alternatives. By their very nature, strings of alphanumeric characters just aren’t secure. Being entirely knowledge-based, passwords can be shared, deduced, stolen, guessed and cracked without any physical intervention. In the world of the internet that means anyone, anywhere can potentially gain unauthorized access to secured accounts.
But susceptibility to IT villainy is only half of the story. Because passwords are vulnerable to cracking, an evolving set of best practices has emerged to make the average password just difficult enough to crack that it’s not worth a hacker’s time. Users should never reuse passwords, and every password should be at least 12 characters long and contain uppercase letters, lowercase letters, numbers and symbols. Passwords should not contain or be based on dictionary words (swapping Es for 3s doesn’t cut it). The best passwords are nearly impossible to memorize individually, and given that the average internet user has multiple password-protected accounts for banking, music streaming, email, cloud storage, food delivery, online shopping, retail loyalty programs, movie streaming, app stores, social media and more, the task of committing so many obscure codes to memory is herculean.
Survey findings from Digital Guardian, taken from a sample of 1,000 randomly selected Google users in 2017, revealed that 61 percent reused passwords across multiple accounts. It’s no surprise that this is the case. IBM’s 2018 Future of Identity Study, based on survey results from nearly 4,000 adults in Europe, Asia and the US, showed that convenience is paramount in the login process, especially among younger Millennials.
Biometrics solve all of the password problems, and consumers understand this. The research report Mobile Biometrics in Financial Services: A Five Factor Framework, conducted by Mastercard and the University of Oxford’s Department of Computer Science, showed that 90 percent of its 449-person survey sample believe biometric security is better than passwords. Once again, the conclusion follows directly from the very concept of the authentication type.
As a biological identifier, a biometric can’t be shared, guessed or cracked in the traditional manner. The closest equivalent of a traditional password-cracking attack is the presentation attack, or spoof, in which a bad actor creates an artificial body part modelled after the user in order to impersonate them and bypass the biometric security. The highest-profile presentation attacks are conducted on iPhones whenever Apple’s smartphone line undergoes a biometric upgrade; last autumn, for instance, a research lab by the name of Bkav used expensive and painstakingly constructed masks to spoof Face ID on the iPhone X.
Where on-device authentication goes even further in this regard is in removing the risk of a remote attacker entirely. Because template storage and matching happen within a secure element on the device being used to authenticate, a hacker can’t simply scrape photos from your Facebook profile and present them to their own webcam in order to gain access to your online banking. Any would-be fraudster must not only create a working spoof of your face, but must also steal the physical device you use to authenticate for that specific service. Given that individual banking credentials barely fetch enough on the black market to cover the cost of materials to spoof an iPhone X, let alone the time and risk of nabbing your phone, there is little to worry about in terms of becoming a random victim.
The New Online Experience
The security aspect aside, the post-password internet is simply going to be more user friendly. Biometrics are intuitive, easy to use and impossible to forget. Last week, Twitter sent a message to every single one of its users, owning up to a security mishap that left passwords exposed in an internal database. As a result, they recommended a password change. Sure enough, because most users access Twitter via an always-signed-in mobile app, they couldn’t remember their initial passwords in order to authorize their new security code. I was among these users, and sure enough I had to do the cumbersome ‘forgot password’ reset involving email and second-factor authentication, as well as updating my password manager apps. If biometrics secured my app, none of that would have happened. And if those biometrics were on-device, Twitter’s incompetence wouldn’t have affected me in the first place; a breach of their servers means nothing to the user whose credentials are in a secure element.
The change will feel natural and come as a relief. WebAuthn is supported by Microsoft Edge, Mozilla Firefox and Google Chrome, meaning that support for device-based authentication can be built into the very browser most users use to access their accounts in the first place. FIDO2’s CTAP standard, meanwhile, takes advantage of the familiarity with biometrics brought about by the mobile revolution that kicked off five years ago. Biometric authentication is available on all phones, and soon, those phones that are FIDO compatible will be used to log in to the currently password-protected spaces.
In the end, the post-password internet will be less frustrating. We live on the internet, and the restricted spaces where we expect privacy should be treated like our private spaces in the real world. We demand at least second-factor security for our front door, our mailbox and our office, and now we will finally have that same assurance and convenience for our email, bank accounts and social spaces.
Stay posted to FindBiometrics throughout May as we continue to bring you more On-Device authentication Month coverage. Be sure to sign up for our upcoming webinar, Preparing For a Post-Password Internet, for an in-depth and interactive discussion on the topic with an expert panel.
On-Device Authentication Month is made possible by our sponsors: Nok Nok Labs, Aware, Inc., and Daon.
May 10, 2018 – by Peter B. Counter