There is almost unanimous agreement among cyber security experts that passwords pose a real and imminent threat to their organizations. An average US user may have up to 90 accounts, but it is impossible to remember 90 strong, unique passwords, so users either reuse passwords or store them somewhere. Recent data breaches have shown that even if users follow all the recommended practices, their credentials may still be leaked. Attackers exploit vulnerabilities in a user's device to break into it and retrieve sensitive information, including stored passwords. Verizon's "Data Breach Investigations Report" says that almost 80% of data breaches result from compromised passwords. The list of password-related data breaches is too long, from leaders like LinkedIn and Uber to companies on whom we depend for cybersecurity, like Twilio and T-Mobile. Anyone can buy millions of leaked users' private information, such as personal emails, passwords, contact numbers, etc., for a few hundred dollars on the dark web.
Augmenting passwords with phishing-resistant MFA is possible, but it is expensive to implement and manage, and training users is challenging. The more important point is that it fails to improve the security of passwords themselves: all the problems of passwords remain and still need to be managed. This is where passwordless comes in, which aims to remove the paradigm of passwords and all the associated risks. The FIDO Alliance, an open industry organization dedicated to developing and promoting authentication standards, has developed an authentication protocol set to revolutionize authentication.
Passwordless Authentication is an authentication method that allows users to verify their presence, sign in to a website, device, or app, and gain access without any password. Instead of passwords, users provide other forms of evidence to validate their identities, such as biometrics, proximity badges, security keys, and biometric-locked devices such as phones that can secure private keys. Passwordless Authentication paves the way for a highly secure online ecosystem governed by strong authentication factors.
Tech leaders such as Apple, Google, and Microsoft have worked with the FIDO sign-in standards and announced that passwordless sign-in methods will be available in their future OS updates on both mobile and web. This passwordless method has been termed "Passkey."
Passkey promises a faster, highly secure, and frustration-free login experience across devices, apps, and websites, completely eradicating passwords.
The future is passwordless. Passwordless promises the holy grail of authentication, strong security, and great user experience. Users who log into a website or an app will not need passwords at all. All the user needs to do is unlock their phone using FaceID, fingerprint, or Windows Hello. Moreover, passkeys are cross-platform, meaning they will work between nearby devices with the help of QR codes or Bluetooth.
The concept of Passkeys is largely based on public key cryptography. These digital credentials work by generating a pair of keys for the authentication procedure: a public key (stored within the server's database) and a private key (safely stored within the user's device). Owing to its availability on the server, the public key can be shared between devices that have their own private keys.
Passkeys have been created according to the WebAuthn authentication standard. This allows users to enable biometric authentication like Face ID or Touch ID, or use a PIN, to validate a login attempt. By dropping the age-old protocol of relying on the username-password combination, passkeys use a user's device proximity and biometric verification to prove that the user is the legitimate owner of the account.
If a mobile app or website implements passkeys, users will see a new login option known as "Sign In with Passkeys". This option leverages the user's devices or the unique digital credentials stored in their device's cloud, like iCloud Keychain. If users don't have a pre-registered account on the website, they can easily generate a passkey by entering some basic information along with biometric verification and saving the passkey to iCloud Keychain. Once a user creates and registers a Passkey account on their device, the passkey is shared across multiple devices with the same Apple ID.
"33% of account-compromise victims have stopped doing business with companies and websites with weak security protocols" - A report by DataProt
Passwords and non-phishing-resistant MFA represent a significant risk to a business. Passwords will soon be a thing of the past as companies swiftly shift to passwordless sign-in modes. However, integrating passwordless authentication can be tedious, occupy a company's resources, and take valuable engineering time. At the same time, any changes to user credentials need expertise in cyber security and rigorous testing to ensure normal business continuity and security. This poses a big challenge to companies, especially small and medium enterprises, who may not have large cyber security teams to implement these standards.
TrillBit was one of the winners of the FIDO Developer Challenge in 2021 for its data-over-sound authentication solution. TrillBit joined the FIDO Alliance in 2022 and is set to launch a standardized passwordless solution, SoundAuth. We help your organization transition to a frictionless passwordless authentication standard for your website, device, or mobile app that ensures your customers' data security and promotes a great user experience. To know more about our product, contact us at contact@trillbit.com.