Is the password-free world real?

A passwordless future has been discussed for a long time, but many companies were not ready to switch to new technologies. They had questions about security, standardization, the cost of developing and supporting the technology, and the ability of end users to use these resources.

However, the last few years have brought a breakthrough in this field. Thanks to W3C standardization, the FIDO (Fast Identity Online) authentication standard was adopted and implemented. According to FIDO Alliance calculations, 4 billion devices and 88% of browsers are already able to support the new standard. Its main advantage lies in the architecture, which lets a device recognize its owner without transmitting biometric data to the server, so that data stays protected from theft by criminals.

Let’s see how passwordless authentication works in practice, what choices developers have when implementing it, and what authentication methods are offered to end users.

Types of passwordless authentication

Passwordless authentication is very similar to two-factor authentication (2FA), only without the first step. If you’ve had to protect devices with two-factor authentication, you’re already familiar with methods for verifying your credentials, such as one-time passwords (OTP) in apps or SMS, and phone or email verification. But there are other ways:

  • Social login, or the ability to log in through a trusted site.
  • Sign in with Windows Hello.
  • Authentication using an external device (security key).

Let’s consider them in more detail.

Login through social networks

You have probably already used links in e-mail to get directly into the account of some service without entering a password. This method is based on generating a unique, temporary URL that opens your application only when you need it. It is enough to be a registered user of Google or popular social networks to be able to enter accounts in this way. Some services also open access through banking.

Windows Hello

With the advent of Windows 10, a new method of identification became available for users: biometrics. If your devices have face, voice, retina, or fingerprint sensors, you can set up the appropriate verification. This method allows you to protect the operating system and access to Microsoft services not only in conditions when the computer is constantly in the office or when you need to log into the system from someone else’s device, but also in those cases when you need to protect corporate or other confidential information on a personal computer.

External devices

About 15 years ago, external devices, tokens, or security keys with asymmetric encryption for two-factor authentication began to gain popularity. Small and light, visually similar to a flash drive but fundamentally different in functionality, they work like house or car keys: with the key you can open the lock, without it you cannot. Keys can be used not only for two-factor authentication but also instead of password login, provided the devices support FIDO protocols.

Let’s see how reliable the methods listed above are and why they still haven’t replaced passwords.

Choosing between security and convenience

Passwords

Password authentication is more of a habit built up over the years. It only seems to be the safest method, because its principle of operation is the one the average user understands best. However, it has a serious drawback: simple passwords are quickly broken by hackers, and complex (more reliable) passwords are often forgotten. If you write them down on paper, or even save them on your device, one day someone will see them or extract them with the help of spyware. So passwords should not be written down, which raises the question: where should they be stored?

Password managers

Once upon a time, password managers (services that store passwords) came to the aid of users. It is enough to remember one single password to reliably protect the rest. But here another problem arises: a hacker who gains access to that one password can likewise open all your accounts.

Even so, this method of storing information is much better than the one described above, and many IT companies oblige employees to use it and share the necessary access through it. However, for the average user it may seem complicated or expensive because, as a rule, reliable services require an ongoing subscription fee. There is another problem: not all ordinary users can understand the tools of such services.

Mobile devices

Most verification methods rely on a mobile phone. First it was SMS, then pop-up windows in applications, and finally applications for generating one-time codes.

And in 2013, when Apple first presented its Touch ID development, a real breakthrough occurred. Biometric authentication is now available to billions of users.

It would seem that with a device, Internet users can be completely protected from cyber fraudsters, and finally all companies can switch to passwordless authentication. But questions remained:

  • SMS can be intercepted by attackers;
  • what to do if the user loses the phone or the smartphone falls into the hands of fraudsters;
  • what to do if the device breaks;
  • how will the services be used by people who still use push-button phones because they do not have the ability or desire to purchase smartphones.

Single sign-on

A single login through social networks or banking is a very convenient and reliable way of authentication, but it also has its drawbacks:

  • you need to securely store a complex password;
  • in a cyberattack, a fraudster can gain access to all services by cracking one password.

Security keys

Provided that you choose certified security keys from a proven manufacturer, you get many advantages over other authentication methods:

  • You buy security keys once and use them all the time. There is no subscription fee like with password managers. But if you do want to use a password manager, securely protect its one unique password, which you do not have to remember if you have a key.
  • You can use security keys not only to protect all popular services that support connecting them, but also to protect the operating system.
  • What’s more, with security keys you can set up single sign-on for all accounts, without creating passwords that you would rather not have to remember.

The main thing! Without security keys, crooks have no way to get into your accounts, even if they gain access to password managers and/or steal all of your passwords.

The only disadvantage of keys is the possibility of losing them. But in this case, manufacturers recommend buying a pair of keys so that in case of loss, you can open access with another key.

Which authentication method is the most convenient and secure?

Many security experts recommend external devices such as YubiKey security tokens or keys. Their advantages:

  • Keys manufactured by YubiKey enjoy the well-deserved trust of millions of users in 160 countries.
  • In terms of price and quality, YubiKey keys are recognized as one of the best. They are used by employees of Google, Facebook and even employees of US government agencies.
  • YubiKeys support FIDO2 and FIDO U2F protocols, so you can use them both for 2FA and instead of a password.
  • YubiKeys have different form factors, so they can be easily selected for any devices.
  • Recently, the manufacturer released a separate series of YubiKey keys with biometric protection. They are even more reliable, because a fraudster cannot get into the account, even if he somehow gets the opportunity to steal the physical key.
  • A wide selection of devices will satisfy any user: there are inexpensive options with a minimum set of functions for home use and professional devices for handling extremely complex tasks that require enhanced protection.

Our company’s specialists, who have been working in the field of security for more than 30 years, believe that a password-free world is not just possible – it is the near future. Of course, many companies will try to make this transition smooth — perhaps allowing users to choose between the old and the new way of verifying their identity over time.

In any case, passwordless authentication will very soon replace password authentication, so we recommend that you think about which methods and devices to choose for it now. And if you need help in this matter, you can always contact us!
