For over a decade, we’ve been promised that a world without passwords is just around the corner, and yet year after year this security nirvana turns out to be out of reach. Now, for the first time, a workable form of passwordless authentication is set to become available to the masses, in the form of a standard adopted by Apple, Google and Microsoft that allows for cross-platform, cross-service passwordless credentials.
Passwordless schemes pushed in the past ran into many problems. The key drawback was the lack of a viable recovery mechanism when someone lost control of the phone number, or of the physical token or phone, associated with the account. Another limitation was that most solutions were not really passwordless in the end. Instead, they let users log in with a face or fingerprint scan, but those systems eventually fell back to the password, and that meant phishing, password reuse and forgotten passwords – all the reasons we hated passwords – didn’t go away.
A new approach
This time around, Apple, Google and Microsoft seem to be on board with the same, well-defined solution. Not only that, but the solution is easier than ever for users, and implementation is less costly for large services like GitHub and Facebook. It has also been carefully developed and validated by authentication and security experts.
Current multi-factor authentication (MFA) methods have made significant progress in the last five years. For example, Google lets me download an iOS or Android app that I use as a second factor when logging into my Google account from a new device. Based on CTAP – short for Client to Authenticator Protocol – this system uses Bluetooth to ensure that the phone is near the new device and that the new device is in fact connected to Google and not to a site claiming to be Google. This means it cannot be phished. The standard also ensures that the cryptographic secret stored on the phone cannot be extracted.
Google also provides an Advanced Protection Program that requires physical keys in the form of standalone dongles or end-user phones to authenticate logins from new devices.
The big limitation these days is that MFA and passwordless authentication are implemented differently – if at all – by each service provider. Some providers, like most banks and financial services, still send one-time passwords (OTPs) via SMS or email. Realizing that these are not a secure means of transmitting security-sensitive secrets, many services have switched to a method known as TOTP – short for time-based one-time password – to add a second factor that augments the password with a “something I have” factor.
Physical security keys, TOTP and, to a lesser extent, two-factor authentication via SMS and email are an important step forward, but there are still three key limitations. First, TOTPs generated by authenticator apps or sent via SMS or email are phishable, just like regular passwords. Second, each service has its own closed MFA platform. This means that even when using secure forms of MFA – such as standalone physical keys or phone-based keys – the user needs a separate key for Google, Microsoft and every other Internet service. Worse, each operating-system platform has a different mechanism for implementing MFA.
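To make the contrast between TOTP and an origin-bound authenticator concrete, here is an added example (not code from the article or from any of the vendors mentioned). It implements TOTP as specified in RFC 6238 and, beside it, a deliberately simplified stand-in for a CTAP-style signed challenge: a real authenticator signs with a per-site public-key pair, whereas this stand-in uses HMAC, and the origin strings, challenge and key are constructed placeholders. The point it shows is that a TOTP code carries no information about which site collected it, while an assertion bound to the wrong origin fails verification.

```python
"""TOTP (RFC 6238) beside an origin-bound challenge: why only one of them resists phishing."""
import hashlib
import hmac
import struct


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time counter, HMAC-SHA1 with dynamic truncation."""
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept codes from adjacent time steps to tolerate clock drift (constant-time compare).
    The verifier has no way of knowing which site the user typed the code into."""
    return any(hmac.compare_digest(totp(secret, at_time + k * step, step, digits), code)
               for k in range(-window, window + 1))


def sign_challenge(key: bytes, challenge: bytes, origin_seen_by_client: str) -> bytes:
    """Stand-in for a CTAP/FIDO assertion: the authenticator signs the server's challenge
    together with the origin the browser actually connected to. Real authenticators use a
    per-site key pair and a public-key signature; HMAC is used here only for brevity."""
    return hmac.new(key, challenge + b"|" + origin_seen_by_client.encode(), hashlib.sha256).digest()


def verify_assertion(key: bytes, challenge: bytes, expected_origin: str, assertion: bytes) -> bool:
    """The relying party only accepts an assertion bound to its own origin."""
    return hmac.compare_digest(sign_challenge(key, challenge, expected_origin), assertion)


def demo() -> dict:
    seed = b"12345678901234567890"               # RFC 6238 test-vector secret (constructed input)
    at_time = 59                                 # RFC 6238 test time; real code uses int(time.time())
    rp_origin = "https://accounts.example"       # placeholder relying-party origin
    lookalike = "https://accounts-example.test"  # placeholder for any other origin
    challenge, key = b"constructed-random-challenge", b"constructed-per-site-key"
    code = totp(seed, at_time, digits=8)         # RFC 6238 Appendix B vector: "94287082"
    return {
        "totp_code": code,
        # still accepted one step later, regardless of where the user entered it
        "totp_accepted_one_step_late": verify_totp(seed, code, at_time + 30, digits=8),
        "assertion_same_origin": verify_assertion(
            key, challenge, rp_origin, sign_challenge(key, challenge, rp_origin)),
        "assertion_other_origin": verify_assertion(
            key, challenge, rp_origin, sign_challenge(key, challenge, lookalike)),
    }
```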
These problems give rise to a third: sheer unusability for most end users, and the non-trivial cost and complexity each service grapples with when trying to offer MFA.