Towards a Passwordless Authentication Future
In the past five years, great advancements have been made in securing online accounts. The advancements have been across building awareness in protecting user accounts and in maintaining their privacy and online identity security. Unfortunately, these advancements are still not enough to address the flood of identity fraud. According to Javelin’s 2021 Identity Fraud Study, 59% of identity fraud victims experienced a total account takeover, reporting losses that averaged almost $1,800 per victim across multiple accounts. This has led to account takeover becoming the top fraud loss for consumers in 2020 with over $6 billion in personal losses. As such, experts across the industry agree that authentication should continue to be strengthened and aim to eliminate passwords and use stronger authentication factors such as biometrics.
The evolution in strong authentication during that time has been remarkable. Strong authentication has traditionally been synonymous with multi-factor authentication (MFA). Unfortunately, passwords are not only inherently broken, but are also still the most ubiquitous authentication factor — so practically any current application of MFA is being undermined by their inclusion. A superior approach — high-assurance strong authentication — merges MFA with strong cryptography. In this model, in which two or more factors are in use, at least one of the factors leverages public key infrastructure (PKI) to prevent replay attacks. In the past five years, the prevalence of high-assurance authentication has consistently grown in adoption from 5% in 2017, to 16% in 2018 and up to 24% in 2021. However, passwords are still prevailing over the other more secure authentication methods and are still being used by 49% of users across their accounts. The good news is that biometrics is gaining traction, both in the perception of security and usage, with 24% of users using them for various purposes in their daily online interactions.
The advancement in the adoption of high-assurance authentication has happened in large thanks to the efforts led by the FIDO Alliance to prompt its availability in both browsers and smartphones. Since 2013, FIDO has been working to enable strong authentication via an open set of standards and specifications that link user devices to an online service, and then rely on the stored biometric that is on the device to provide the strong authentication experience. However, much work remains.
In a keystone paper published last week, FIDO acknowledges the need to evolve in order to increase high-assurance authentication ubiquity, especially in consumer applications. One of the main challenges to overcome is the fact that FIDO credentials are generated for a specific device; each device or browser must be separately provisioned. Managing device is not only difficult, but and also creates openings for attackers to exploit. The FIDO Alliance sees this as a key area for improvement, calling for the issuance of multi-device FIDO credentials that will allow users to authenticate from anywhere, anytime, and from any device, and they expect that the industry will evolve to support this.
Specifically, FIDO experts expect the device manufacturers to shoulder the responsibility for transferring the FIDO cryptographic authentication assets from device to device. This opens up significant new areas for concern that go to the heart of the two key concepts FIDO is out to ensure – security and privacy.
First, a challenge with which many businesses across all industries are struggling – how do you trust a new device for a user? How do you establish a high-enough level of assurance with the new device that will allow for the entire set of FIDO authentication keys to be entrusted to it?
Second, how do you securely backup and transfer sensitive digital assets, such as FIDO authentication keys, without exposing them to potential compromise in transit or at rest whilst in vendor storage? And related to this, how does this happen across different device manufacturers who are disincentivized from working together?
The first challenge requires the vendor to perform high-assurance authentication when the user’s main anchor of trust goes missing – their on-device stored biometric. FIDO bases its security on the use of biometric authentication as a strong authentication factor. The biometric is stored on the device protected by special hardware elements and are bound to the specific device. This way they achieve both an ownership authentication factor (something-you-have) and an Inherence factor (something-you-are). When moving to a new device, the biometric samples from the original device are no longer available, and thus vendors fall back to using authentication factors with lesser assurance levels such as passwords and one-time passwords (OTPs). To augment that risk, they will possibly include in the process a special migration passphrase, such as a 12-word mnemonic, similar to the ones used by many crypto-wallets for account recovery. With this approach, users would then be required to securely store the mnemonic, and further – remember where it is stored when they move to a new device after a couple of years. It is highly doubtful that this will be a practical solution that can address a broad swath of the population, as the crypto-currency industry is already experiencing.
The second challenge is a no lesser feat. Sending cryptographic assets to backup facilities exposes them to eavesdropping by attackers in transit. Further to that, if a vendor’s facility is hacked into, ALL the cryptographic keys of ALL the users that provide access to ALL of their accounts can become compromised all at once.
The solution to achieve both these objectives lies in a decentralized cloud infrastructure that can provide high levels of authentication assurance regardless of the device. Applying biometrics to a decentralized cloud infrastructure aligns with the privacy principles of FIDO, where a user is in control of the use of their biometric and the biometric itself is not accessible across multiple parties.
The technology to enable this is fairly new. Innovated by Anonybit, this approach leverages multi-party computing and zero-knowledge proofs in a unique way that can break down the biometric data into anonymized pieces. The pieces (or anonybits) are not only secured individually over a decentralized network, but can also be matched in a decentralized manner as well, ensuring their security both at rest and in process. This approach can anchor the biometric as the root of trust in a device migration scenario and eliminate the need for less secure authenticators or for cumbersome 12-word mnemonic passphrases. It also has the critical added benefit of being able to ingest biometrics from the onboarding process and link them to the device-binding process without compromising on user privacy as mentioned before.
The same infrastructure can also be used to secure cryptographic assets like the FIDO credentials during transit and storage. cryptographic assets can be sharded and distributed over a decentralized network and only after a user authenticates biometrically, does the assets get released onto the user’s new device.
The FIDO Alliance got it right. To make this method of authentication ubiquitous, it is critical to get past the inhibitors for adoption. A decentralized biometrics cloud infrastructure provides the framework to make it happen.