In a recently published study that Goode Intelligence co-authored with HYPR Corp, we examined the difference between password-less user experiences and true password-less security.
The study, ‘True Password-Less Security’, reveals that many businesses that appear to have eliminated passwords by supporting smartphone-based biometric authentication are in fact still dependent on a technology invented in 1961 to support a couple of green-screen terminals connected to a mainframe.
We have all read enough on why the password is not fit for purpose in today’s digital age. Even the inventor of the password, Fernando J. Corbató, is horrified that his invention is still so widely used, saying passwords have become a “kind of a nightmare”. Wide-scale credential theft, linked to the success of credential stuffing attacks – an attack that has “weaponized password reuse at a scale” – has led businesses to try to reduce their reliance on centralized password systems.
Goode Intelligence’s research into identity and authentication technology has uncovered a real urgency to move away from authentication systems that put passwords at the center. In their urgency to replace passwords, and to improve the customer experience of authentication, many businesses are embracing smartphone-based biometrics, leveraging the freely available APIs that mobile OEMs have developed. It is a relatively trivial exercise for a business to use Apple’s Touch ID API or the native Android biometric system to support convenient biometric authentication in its mobile apps.
Many of these businesses believe that they have eliminated the password from their systems, but in these scenarios they are still reliant on password-based authentication. These local mobile authentication systems simply store the password, encrypted, in the Keychain; once the owner’s biometric has been verified, the biometric system releases the stored password and the app sends it to be checked against the password held in the centralized store. This approach enhances user convenience but fails to improve security or reduce fraud. By continuing to use centralized passwords alongside local biometric authentication systems such as Touch ID, the business maintains a high risk of breach while its users remain susceptible to credential stuffing, phishing and account takeover.
Goode Intelligence believes one method that can reduce this risk is to investigate the use of decentralized authentication. Rather than storing millions of passwords in a single repository, user credentials are decentralized and stored safely on their personal devices. This approach reduces the attack surface, removes the attacker’s primary target and renders credential stuffing attacks infeasible.
One technology that combines biometrics with decentralized authentication is FIDO-based authentication. FIDO (Fast Identity Online) is currently the most prominent standard for decentralized authentication. FIDO protocols build upon industry-trusted PKI standards and decentralize the process of authentication by storing a private key on the user’s device while ensuring that only a public key is stored centrally by the service provider.
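To make the contrast with the Keychain-stored-password pattern concrete, here is an added illustration (not code from the study, HYPR or the FIDO specifications) of the decentralized model in Go: the device generates a key pair and hands over only the public half, the server issues a fresh random challenge per login, and the device signs it only after the local biometric check. Ed25519 is used as a stand-in for the authenticator's signature algorithm, and the `userVerified` flag stands in for the platform biometric result; both are simplifications.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// ServerStore is the service provider's side: user name -> public key only.
// A breach of this table gives an attacker nothing to stuff or replay.
type ServerStore map[string]ed25519.PublicKey

// Authenticator is the user's device. The private key is generated here and
// never leaves; a real FIDO authenticator keeps it behind the local biometric.
type Authenticator struct{ priv ed25519.PrivateKey }

// Register creates a key pair on the device and sends only the public half
// to the server (the FIDO registration step, simplified).
func Register(s ServerStore, user string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	s[user] = pub
	return &Authenticator{priv: priv}, nil
}

// NewChallenge is the server's per-login random nonce. Signing it proves
// possession of the private key without a secret ever being transmitted.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign releases a signature only if local user verification (the biometric)
// succeeded; no password is stored on the device or sent to the server.
func (a *Authenticator) Sign(userVerified bool, challenge []byte) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("local user verification failed")
	}
	return ed25519.Sign(a.priv, challenge), nil
}

// Verify checks the signature against the stored public key and the exact
// challenge issued, so a captured signature is useless for a later login.
func (s ServerStore) Verify(user string, challenge, sig []byte) bool {
	pub, ok := s[user]
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

Compare this with the Keychain approach in the text: there, the secret that unlocks the account is the same string held in the central store, so a leaked store or a phished value is directly reusable, whereas here the server holds nothing that can be replayed.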
HYPR is a provider of decentralized authentication that is already being used by millions of password-less users across the Fortune 500; more information can be found at www.hypr.com.