A World Without Passwords?

Published July 21, 2020

Q. I am sick to death of having to remember passwords. Is there any hope of getting rid of them soon?

A. "I love passwords," said no one, ever!

The idea of remembering hundreds of passwords is nauseating and, for many, results in poor password hygiene. A 2017 report from LastPass indicates the average business user has 191 passwords to manage. I personally have over 300!

In the world of cybersecurity, there are continuous efforts to develop tools to keep our data secure. Yet, not much has changed since the original computer passwords were first used in the 1960s.

In addition to passwords, multifactor authentication (MFA) adds a second layer of security — and frustration. Once thought to be the end-all of account access, MFA no longer provides enough security for passwords to hide behind.

Hackers have developed social engineering tactics that trick victims into providing their MFA key, which the hackers use to change the user's authentication settings. While MFA still should always be used when available, it doesn't relieve the password-induced headaches.

Fortunately, some new technologies are starting to chip away at replacing the password. Let's look at a few.

Biometrics and FIDO

The first widely used attempt at a "biometric password" was the fingerprint scanner. At this point, many of us have registered our fingerprints with at least our phone, and maybe even our laptop. Facial-recognition technology has become another popular tool for biometric authentication. Apple, Android, and Windows all use fingerprints and facial recognition as authentication options.

In early iterations of biometric authentication, an app would simply catalog your password and retrieve it every time you authenticated your identity. Today, the FIDO (Fast IDentity Online) Alliance has created a universal authentication method to enable online applications to leverage the biometric authentication functionality of a local device.

If you have recently upgraded your iPhone or Android device, you may have noticed a significant number of apps prompting to allow you to authenticate using your fingerprint (or face). This is due to the adoption of FIDO2.

The authentication actually takes place via a cryptographic key that is created when you first register your biometric authentication with an app. You might have set this up on a banking app on your phone. At first login after installation, you probably saw a message saying something like, "Would you like to enable login using fingerprint?" When you choose "Enable," it prompts you to authenticate with your fingerprint, which allows you to use your fingerprint for future logins.

Behind the scenes, registering your fingerprint creates a private key that is unique to that app and your device. A public key is then created and sent to the app provider to be associated with the user and the app. The private key never leaves the device, so if you get a new phone in the future, you will have to go through the registration process again. This method ensures biometric data is never shared with the app or the app provider. This is extremely important for privacy purposes. FIDO2 is truly a passwordless authentication method. To put this to the test, simply change the password on the website of one of your apps that uses biometrics on your phone. You will find, after changing your password on the website, that you can still access the app on your mobile device without updating the device with the new password.
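The registration and login flow described above, as an added example that is not part of the original column and not code from the FIDO Alliance or any real authenticator: a toy "phone" generates a P-256 key pair per app provider (FIDO2 commonly uses this ES256 algorithm), hands over only the public key, and answers each login with a signature over a fresh server challenge. The fingerprint check is simulated by a boolean, and the relying party ID "bank.example" and user "alice" are constructed sample values; this is a model of the idea, not a WebAuthn implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the phone. Each app provider (keyed by its ID) gets its
// own private key, and no method on this type ever returns one.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register is the "enable login using fingerprint" step: a new P-256 key pair
// is created for this app and only the public half is returned for upload.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign is a login: the fingerprint check (simulated by userVerified) unlocks
// the key for rpID and the device signs the server's challenge.
func (a *Authenticator) Sign(rpID string, challenge []byte, userVerified bool) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this app")
	}
	if !userVerified {
		return nil, errors.New("fingerprint not verified")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Server models the app provider: a password table for the website and,
// separately, the public key registered by the phone.
type Server struct {
	passwords map[string]string
	pubKeys   map[string]*ecdsa.PublicKey
}

func NewServer() *Server {
	return &Server{passwords: map[string]string{}, pubKeys: map[string]*ecdsa.PublicKey{}}
}

func (s *Server) SetPassword(user, pw string)                  { s.passwords[user] = pw }
func (s *Server) RegisterKey(user string, pk *ecdsa.PublicKey) { s.pubKeys[user] = pk }

// Challenge returns fresh random bytes, so a signature captured from one login
// cannot be replayed against the next.
func (s *Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// VerifyLogin checks the signature with the stored public key. The password
// table is never consulted, which is why a password change leaves app logins working.
func (s *Server) VerifyLogin(user string, challenge, sig []byte) bool {
	pk, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pk, digest[:], sig)
}

// PasswordlessLogin runs one full challenge/response round trip.
func PasswordlessLogin(s *Server, a *Authenticator, rpID, user string, userVerified bool) bool {
	challenge, err := s.Challenge()
	if err != nil {
		return false
	}
	sig, err := a.Sign(rpID, challenge, userVerified)
	if err != nil {
		return false
	}
	return s.VerifyLogin(user, challenge, sig)
}

func main() {
	server, phone := NewServer(), NewAuthenticator()
	server.SetPassword("alice", "hunter2") // constructed sample credentials
	pk, _ := phone.Register("bank.example")
	server.RegisterKey("alice", pk)
	fmt.Println("login with fingerprint:", PasswordlessLogin(server, phone, "bank.example", "alice", true))
	server.SetPassword("alice", "new-password")
	fmt.Println("login after password change:", PasswordlessLogin(server, phone, "bank.example", "alice", true))
	newPhone := NewAuthenticator() // a replacement phone that has not re-registered
	newPhone.Register("bank.example")
	fmt.Println("login from unregistered new phone:", PasswordlessLogin(server, newPhone, "bank.example", "alice", true))
}
```

The third run in main shows the "new phone" case from the text: the replacement device has its own freshly generated key, the server only knows the old public key, and the login fails until the user registers again. The biometric itself never appears in any message, which is the privacy property the column highlights.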

Additional alternative authentication methods are available, including a one-time password link. When logging into a website, a user enters their username, and a password "link" is sent to their email address. The link allows the user access and expires in a short time. While this is passwordless, it is neither convenient nor secure.

App authentication

Often used as another form of multifactor authentication, app authentication uses an additional app on your mobile device to prompt for account access before logging in. Microsoft is now rolling out the ability to use app authentication exclusively as a method of passwordless authentication. When providing your username for various Microsoft online resources, the Microsoft Authenticator app on your mobile device will send a prompt to your screen requesting access. Assuming your mobile device is close by, this is a fairly convenient and secure method of authentication.

Behavioral biometrics

Behavioral biometrics recognizes and authenticates users based on behaviors such as keystrokes, mouse movements, mouse click speed, etc. The behaviors are dynamic and regularly changing, which makes them incredibly hard to fake and makes behavioral biometrics an incredibly secure method of authentication. This method is also very convenient, as it does not require a user to take specific action. This approach does raise some significant privacy concerns due to the recording of user behavior, including keystrokes.

Regulatory issues

A successful voyage to a passwordless future will require overcoming some regulatory considerations. For example, current payment card industry (PCI) compliance regulations require users handling credit card information to authenticate via password when accessing these systems.

Similarly, the Health Insurance Portability and Accountability Act of 1996, P.L. 104-191, requires the use of passwords to protect health records. As the use of passwordless authentication alternatives becomes more popular, regulators will need to evaluate and update the rules to allow for these newer and more secure methods to be used.

While there has not been a silver bullet to eliminate passwords altogether, it's clear that we are on our way to a passwordless future. While we wait for a complete solution, you should take the time to enable FIDO/biometric authentication not only for the pure convenience of it, but for the increased security as well.

(Source: AICPA – CPA Letter Daily – Journal of Accountancy – June 22, 2020)