SecureAuth Named a Leader in KuppingerCole Leadership Compass Report for Customer Identity and Access Management

Passwordless Authentication: Going Beyond Passkeys

Passwordless Authentication - Going Beyond Passkeys
Nawshad Hoossanbuksh
Technical Director, Product Strategy
November 21, 2023

Get the latest from the SecureAuth Blog

Introduction

To overcome the shortcomings of password-based authentication, organizations are exploring innovative mechanisms for signing in. In this blog, we’ll delve into various mechanisms and technologies that address the limitations of passwords and highlight the pros and cons of these solutions.

Mechanisms to Replace Passwords

Authenticators are means to prove a user’s identity in the digital world. There are different types of authenticators that provide different levels of assurance to the relying party the end user is interacting with. The National Institute of Standards and Technology (NIST) has introduced Authentication Assurance Levels (AAL) to categorize the strength of authentication methods. AAL1, AAL2, and AAL3 offer progressive levels of assurance to enhance security. More information on AAL can be found here.

Authenticators rely essentially on at least one of the following criteria:

  • something you know (password, pin)
  • something you have (smartphone, token, certificate)
  • something you are (biometrics)
  • something you do (behavioral biometrics)

When considering replacing password with different authenticator(s), we should obviously consider the robustness and the user experience related to the use of the credentials. Below is a list of the most secure form of authenticators being used today in lieu of password and the challenges that come with them.

  1. Kerberos:

Kerberos is a network authentication protocol that uses tickets to verify users’ (and host) identities without exposing passwords. Though Kerberos requires a domain password to login on the workstation, it allows end users to access resources without having to re-authenticate again. Kerberos provides strong security for user authentication and has been widely adopted in enterprise environments with Windows Domain controllers. However, Kerberos relies on a rather complex infrastructure and set up, with a Key Distribution Center that acts as the third-party arbitrator who validates the identity while the Kerberos-enabled service or host needs a registered Service Principal Name (SPN) in the domain controller. Moreover, the authentication mechanism isn’t really designed for heterogenous platforms running in a hybrid or multi-cloud environment.

  1. Certificate-Based Authentication:

Certificates offer a robust authentication method, leveraging public-key cryptography to ensure secure access. This form of authentication is widely employed in SSL/TLS connections and digital signatures. Additionally, certificates can serve as the primary means of logging into web applications. These certificates can be individually generated for end users and then either automatically or manually deployed on their workstations.

When an end user accesses an application that supports certificate-based authentication, the client will use its private key to sign a token. The server, in turn, can verify this token using the corresponding public certificate. Various security measures can be implemented during this validation process, including checking the certificate’s issuer or verifying its revocation status.

Nonetheless, certificate-based authentication does present its share of challenges. Firstly, it comes with a relatively high total cost of ownership. Organizations must consider the complete lifecycle of certificates, encompassing their generation within the PKI infrastructure, deployment, secure storage on end-user workstations, expiration revocation, and rotation.

Also, from a security perspective, achieving non-repudiation is not always guaranteed. If a device’s access is compromised, the certificates stored on that workstation become vulnerable as well. In essence, if a hacker gains control over an end-user’s workstation, the risk of impersonation and account takeover is significantly elevated.

  1. Biometrics:

Biometrics leverages unique physical or behavioral characteristics, such as fingerprints, facial or voice recognition, for authentication. Biometrics offer strong security while enhancing user convenience. However, its adoption isn’t as high as the industry was expecting, most probably due to its practical limitation and from a data privacy standpoint. Not everyone is, and should be, comfortable using fingerprint on devices that they do not fully own or trust. What happens if one’s biometric data is compromised? Methods involving the use of synthetic data or deep fake technologies have proven to be effective in compromising biometric credentials through spoofing. Biometric credentials cannot be revoked and replaced with new ones.

  1. Passkeys:

Based on FIDO standards, Passkeys provide a secure means of authentication using public and private keys. The private key can be generated and stored securely on the end user device, the ‘Authenticator’, while the public key is used by the website to validate the signature.

At a high level, users authenticate themselves by signing digitally a challenge received from the application they are trying to access. The private key used for the signature is typically stored locally on a device’s secure storage which can be unlocked during authentication using biometrics or PIN, depending on the device.

Prior to Passkeys, the private key was bound to the device where it was generated and securely stored. And this is based on the WebAuthn specification which is part of the FIDO2 standard. However, with Passkeys, now that private key can be used by a different device to authenticate to apps and web application.

Passkeys was undoubtedly designed to improve user experience and adoption so end users accelerate their journey to a passwordless era. However, this does not come without cost. Aside from the challenge of limited cross-browser and cross-platform support, there is a noteworthy concern regarding the security keys’ migration across devices. Even more crucially, these keys are now synchronized with the cloud services of Google, Microsoft, and Apple, albeit in an encrypted form. This development significantly heightens the security risks associated with passkeys. In a Workforce environment where organizations could easily enforce the use of managed devices only to access corporate resources, Passkeys are making this control technically more challenging.

Risk-Based Authentication

Cybercriminals are leveraging modern techniques to outpace the authentication safeguards that organizations establish. Strategies like social engineering, phishing attacks, or the fatigue associated with multi-factor authentication have demonstrated their effectiveness in compromising users’ access to valuable resources. Selecting the appropriate passwordless authentication solutions is crucial to ensure that the strength of authentication remains robust enough, enabling a seamless and secure authentication experience for end-users. Some of the key security aspects to consider when going passwordless include:

  • MFA Fatigue: Passwordless solutions should reduce unnecessary friction while maintaining or improving security through other authentication factors. Asking end users to constantly re-validate their identities when accessing applications will significantly increase the risk of inadvertently accepting a rogue authentication request, while negatively impacting user productivity.
  • Account Takeover (ATO) Prevention: Without a strong passwordless authentication solution, organization may significantly increase the risk of ATO.
  • Phishing Resistance: FIDO-based authenticators provide substantial protection against phishing attacks, while other authenticators may lack the robustness required for standalone use.
  • Replay Resistance: Authenticators being used in lieu of static credentials should be resistant to replay attacks. Geo and Network reputations combined with credential stuffing detecting can add an extra layer of protection to the authentication service.
  • Brute Force attacks: Implementing a passwordless system could potentially increase susceptibility to push fatigue attacks. Therefore, it is essential to integrate behavioral and contextual authentication methods, such as device fingerprinting and network/application-level rate limiting mechanisms. This proactive approach helps thwart brute-force attacks and fortify the defence against unauthorized access attempts.

Relying on traditional form of authenticators to provide a passwordless experience isn’t enough in today’s ever evolving threat environment. Hence, it is of utmost importance to integrate authentication factors with state-of-the-art AI/ML authentication techniques, including behavioral and sequential modeling, to unleash a new set of capabilities to detect anomalies in real-time prior, during and post access to resources. With the increasing volume of data available across the different stack of the Identity and Access Management landscape, leveraging threat intelligence based on different sources would provide a comprehensive risk scoring of the authentication requests and provide end users a secure frictionless continuous authentication journey.

Conclusion

In conclusion, moving beyond traditional passwords to more secure and user-friendly authentication mechanisms is imperative in today’s cybersecurity landscape. Organizations should prioritize mechanisms like behavioral risk-based authentication to enhance security while providing a smoother frictionless user experience. By addressing the shortcomings of passwords, organizations can fortify their defenses using continuous authentication based on AIML against evolving threats while maintaining user satisfaction and adoption.

Related Stories

Pin It on Pinterest

Share This