informa
4 MIN READ
Commentary

Why Passwordless Is at an Impasse

Many widely used business applications aren't built to support passwordless login because identity and authentication remain siloed.

The average user has upward of 100 passwords across various sites and applications. That number, faced with the limits of human memory, is the reason passwordless authentication is so promising. But the limits of the current approach to identity and authentication is holding back that promising development.

The ability to log users securely into a network without having to remember passwords can go a long way to eliminate one element that consistently contributes to data breaches and other exploits: compromised credentials. If users need to remember hundreds of username and password combinations and change them regularly, they will lean on reusing the same familiar combinations. This makes the cybercriminals' job easier, as seen in the latest Verizon "Data Breach Investigations Report," which found 61% of breaches involved compromised credentials.

Replacing password-based authentication with a passwordless login — one that uses a factor such as biometric identification to enable login — is considered a strong solution to the recent surge in cyberattacks. But according to one survey, almost half the organizations polled are still not passwordless, and 22% are not convinced yet of its effectiveness.

Some of the big barriers to adoption are not a result of technology shortcomings but of the state of identity and authentication. Many applications in wide use today are not built to support passwordless login because identity and authentication remain siloed.

Clearing Up Identity Confusion
Identity and authentication are often confused, but they are separate concepts. Identity — establishing who is who — is one process, while authentication involves verifying that identity belongs to the user trying to access the network, an application, resource, etc., and not some hacker who stole or bought those credentials on the Dark Web.

Identity proofing is often part of an organization's onboarding process — when the new employees get their picture taken for their IDs and receive their first passwords — which is often handled by human resources, or HR with an assist from IT. It is the HR department that handles the manual process of verifying those new employees are who they say they are, via physical likeness, validating government-issued ID, etc.

That is all well and good when talking about company employees, but the process becomes more complicated when dealing with contractors, vendors, or machine users who need access to network resources. Some new standards have made it easier to establish a digital identity for users without tangible credentials such as passports or driver licenses. For example, part one of NIST 800-63-3 provides a standardized approach for identity verification, while part two of NIST 800-63-3 and FIDO2 help streamline the use of biometrics for authentication.

The process of identity proofing, which validates a person's identity based on government-issued documents and facial biometrics, is essential to the authentication process. But it remains separate from authentication workflows once enrollment into a system or application is complete. Every time a user logs in to a protected resource, that person is challenged for some form of authentication, such as a password, PIN, or biometric, which is no longer linked to their actual identity.

For example, contrary to popular belief, biometric authentication doesn't replace passwords. It abstracts the complexity of manually entering them in a system. This means that if a password is stolen, a cybercriminal can bypass the biometric authenticator. Also, if biometric identifiers are stored in an authentication database, they, too, become a vulnerable target for hackers.

A new concept, known as a distributed digital identity, marries identity enrollment data and authentication, and makes them inseparable. Instead of simply challenging a user for an authentication factor (password, PIN, biometric) that is checked against credentials stored in a central database owned by an identity provider like Active Directory or Google, a distributed digital identity is controlled by the user.

For example, FIDO2 and NIST store the private key in the secure enclave/Trusted Platform Module (TPM) chip, making it accessible only via a match of the live biometric to the one captured at enrollment, to be shared securely when they choose to do so. Other approaches store a user's private key in an encrypted blockchain for an additional layer of security.

Passwordless login is the answer to security, privacy, and user experience concerns. But it will only become possible if it is enabled by a new distributed identity model that bridges the gap between identity assurance and authentication.

Editors' Choice
Haris Pylarinos, Founder and CEO, Hack The Box
Robert Lemos, Contributing Writer, Dark Reading