Has Our Passwordless Future Already Arrived?
It seems like yesterday we needed to sell the idea of a passwordless future. In less than two years, use cases and the adoption of passwordless solutions have exploded onto the scene – from large corporations to small businesses, to the devices we use every day.
In a positive turn that’s seemingly ahead of schedule, the conversation has shifted from “why passwordless?” to “how do we most effectively implement it?” Let’s talk about how.
Current Passwordless Authentication Solutions
For the uninitiated, passwordless authentication refers to methods of authentication that do not require the use of traditional passwords (think “ABC123” – a shockingly common one). There are several popular methods of passwordless authentication, including:
One-time passwords (OTPs): OTPs are unique codes that are generated and sent to a user’s mobile device or email address. The user must enter this code to authenticate their identity. When combined with a traditional password, this is known as two-factor authentication, or 2FA. We’ve gone into great detail about the burdens this system can cause for the end-user here.
Smart cards: These are physical cards that contain a chip or magnetic stripe that stores authentication information. The user must insert the card into a card reader to authenticate their identity. This is one of the more promising implementations, but the standard smart card is missing something. More on this later.
FIDO (Fast Identity Online): FIDO is an open standard that enables passwordless authentication using public key cryptography. This method involves using a security key, such as a USB key or a mobile device, to authenticate a user’s identity. The USB security key market is booming right now, but the execution and user experience leave much to be desired.
Social login: Social login allows users to log in to websites and apps using their social media credentials, such as Facebook, Google, or Twitter. While this method does not require the user to create and remember a separate password, the obvious problem is that they are linked to social media platforms that still rely on traditional passwords. Now if your Twitter account is compromised, the negative effects can multiply.
Biometric authentication: This involves using a user’s unique physical characteristics – such as fingerprints or facial recognition – to authenticate their identity. This is also promising, but not on a stand-alone basis. We’ve covered biometric authentication here.
Overall, passwordless authentication methods offer a more convenient and secure way for users to verify their identity without having to remember complex passwords. Our passwordless future relies on biometric validation.
Unfortunately, it’s not that simple.
The Problem with Online Validation in a Passwordless Future
When accessing any type of protected data online, there is a fundamental process called validation taking place in the background that usually involves cryptography. Simply put, validation is the way a machine checks the validity of your password or key. Offline validation is generally considered more secure than online validation because the validation process takes place without being connected to the internet—so your keys are never exposed on the network in the first place.
Offline validation methods are essential to a passwordless future and typically rely on physical hardware – such as smart cards or security keys – that are used to grant a user access to a device, platform, or service without being connected to the internet.
Online validation, on the other hand, relies on network connections to verify a user’s identity. This can make such a system more vulnerable to various security threats, including phishing attacks, brute force attacks, and other forms of cyberattacks. If an attacker is able to intercept the authentication process, they may be able to gain access to your sensitive data – or worse, your entire company’s data.
So we’ve established that passwordless solutions relying on smart cards and biometrics for the validation process are the most secure, and that keeping as much of the validation event as possible offline is far more secure than hosting it online.
What if a solution already exists that combines all of those principles in the palm of your hand? Meet Multi-Pass.
The Solution: Offline Biometric Authentication & Multi-Pass for a Passwordless Future
Multi-Pass reduces the number of times biometric data is transmitted across a network, where it can be intercepted or stolen. Instead, a biometric template hash is stored locally on a physical device – the Multi-Pass card – and that device is used to authenticate the user’s identity, connecting to the internet only at the authentication point and never moving the biometric data.
This effectively eliminates the risk of data breaches or other privacy violations such as identity theft that can occur when sensitive biometric data is unnecessarily shared – and even worse, stored – across a network. As a reminder, once your biometric data is breached, it’s breached forever. You can’t change your fingerprint, face, or iris in the same way you would change your compromised password or device.
While biometric authentication offers a secure and convenient alternative to traditional password-based authentication and most other forms of passwordless authentication, taking as much of the interaction as possible offline is by far the most promising advancement we have today. Specifically, Multi-Pass is the most secure solution we have today and will usher in the passwordless future we’re moving toward.