Brian Herlihy, Chief Marketing Officer at MBX Biometrics delves into the protocols that can be used for authentication online.
A rare find
A few years ago, I found a black and white photograph in my grandfather’s attic. As a lifetime Boston Red Sox fan, I couldn’t believe my eyes.
It was Ted Williams shaking hands with Babe Ruth circa 1943. A quick Google search told me the photograph was real.
What really piqued my interest was the autograph of Ted Williams.
Did the Splendid Splinter really sign this picture of him with the Bambino? Was this real? How would I know if this rare, autographed picture is authentic?
These days, it’s difficult to determine what is real and what isn’t.
It’s even more difficult to determine who is real and who isn’t… especially with access control, including online.
Are you authentic?
Before we discuss solutions that are available to make our lives more secure in the cyber-space, let’s dig deeper into authentication: what has been commonly used, improvements and where the future is taking us.
Passwords
Passwords are the most common form of user authentication – while easy to create, they offer poor security and bad user experience.
They are still widely used for several reasons:
- A password can be applied to almost anything. It’s easy to implement this form of authentication
- Every app and service that we use has a password. It may require an additional second factor to authenticate but entering (many) passwords is something we do every day
- Whether you’re authenticating on a computer, phone or Netflix, you can easily input a password. Passwords are universally supported; they just work
However, some of the disadvantages of using passwords include:
- Passwords can be forgotten
- Passwords can be stolen
- Passwords are easy to guess
- Simple passwords such as a series of consecutive numbers or simply typing ‘password’ are unfortunately also commonly used and they are not secure at all
- A password is often stored across various devices/services and may even be mistakenly shared or be the target of a cyber-attack
- A password is transmitted and validated on a server, which means it can be intercepted or stolen
Improvements to security
Multi-factor authentication
Single-factor authentication requires users to log into an application with only one type of evidence for authentication, which, typically, is a password.
Multi-factor authentication (MFA) requires a user to present two or more pieces of evidence.
Password-less
Password-less authentication is any form of authentication that doesn’t require the user to provide a password at login.
Two examples are:
- SMS (short message service) is considered password-less because you don’t need to remember a password. Usually, you’re sent an OTP (ironically called a One-Time Password), a code that is valid for a short period of time that the user can use to authenticate themselves
- Email magic links are a safer alternative to passwords because the link is only sent to the user’s specific email address
These two methods of authentication offer better usability than passwords, but both are highly susceptible to phishing.
Other implementations of password-less authentication are specifically designed to address security issues:
- PIV/CAC (personal identity verification/common access card) – “Smart cards” are one of the most effective ways to protect against phishing. The user must insert their smart card into a reader and validate the smart card with a unique PIN. This is a surefire way to stop remote phishing attacks. Usability and security are both top notch
- PIN (personal identification number) – A PIN is local to a device compared to a password that resides on a server that can be breached. When you use your debit card at an ATM, the PIN only unlocks the debit card. It is never transmitted or stored elsewhere. That’s why when you have a debit card stolen and are issued a new card, you are required to select a new PIN. PINs are short, non-complex and hardly, if ever, changed. Compare that to a password that is highly vulnerable and must also be changed constantly to become longer and even more complex to be “stronger” and unguessable
FIDO2 (Fast Identification Online 2)
FIDO2 is a password-less authentication protocol that offers several advantages over traditional password-based authentication:
- Security – FIDO2 uses cryptographic credentials that are unique to each online service and are never stored on servers, reducing the risk of password theft and phishing attacks. As the cryptographic key is kept on the user’s device, attackers who steal credentials won’t be able to access the account
- Privacy – FIDO2 keys are unique to each website, so users can’t be tracked across sites
- Convenience – Users can log in using biometric devices like fingerprint scanners or facial recognition cameras, or by plugging in a security key
- Scalability – Websites can enable FIDO2 using a JavaScript API call that works across many browsers and platforms
- Ease of use – Major device manufacturers have invested in FIDO2, so it’s possible to implement multi-factor authentication with a mobile device, without changing the device itself
- Access control – FIDO2 can simplify access control for IT teams and help-desk staff by reducing the time and cost associated with managing passwords and usernames. For example, IT security managers can use FIDO2 Attestation to automatically inspect devices during registration to ensure they meet compliance requirements
There are two implementations of FIDO2 – hardware security keys that are securely stored on a device or FIDO passkeys that are stored in the cloud by Apple, Microsoft or Google.
- Hardware security keys are stored only on one device while FIDO passkeys can be shared on multiple devices
- Only device-dependent FIDO security keys are considered “phishing-resistant”. More government agencies are mandating phishing-resistant multi-factor authentication
- A walk-away log off feature is an important advantage over USB FIDO tokens where the user forgets to remove the USB token and remains “logged in” even if he or she leaves the building
Let’s forget passwords
Let’s go one step further. Adding fingerprint biometrics to the mix creates a third factor deterrent.
It offers something you know (a PIN), something you have (a physical device like an access card) and something you are (a fingerprint).
A biometric device is a more secure and versatile alternative to the various keys available for both the FIDO2 and two-factor authentication (2FA) markets.
Most importantly and unlike a USB token or key, if lost or stolen, a biometric FIDO2 compliant access card cannot be utilized by an unauthenticated user whose fingerprint is not a match for the device.
The good news and the not so good news
The good news is that authentication continues to evolve for a crazy world where increased security is mandatory.
Passwords will, unfortunately, continue to be used but other means for authentication will still evolve.
This will allow us to be safer while saving us billions of dollars and a lot of heartache along the way.
The not so good news is that although my picture of Ted Williams and Babe Ruth proved authentic, my four-year-old son eventually scribbled over Ted’s autograph in red magic marker, making it 100% worthless in a collector’s market.
The curse of the Bambino lives on.
This article was originally published in the September edition of Security Journal Americas. To read your FREE digital edition, click here.