This technology guide from idemeum will help us first take a look at the current state of password-based authentication, and then we'll dig into various technologies that can help you go passwordless with your apps.
Digital identity is critical to everything we do online, yet it gets compromised in almost every cyber security breach. Every now and then we hear about yet another data breach with identity compromise at its core. But not everybody is willing to accept the simple truth - we are not equipped with the proper tools to protect our identity. We keep using old, inefficient architectures and tools that were invented decades ago.
The first passwords probably arrived at the Massachusetts Institute of Technology in the mid-1960s, when researchers there built a massive time-sharing computer called CTSS. The punchline is that even then, passwords didn't protect users as well as they could have.
Fast forward 60 years and we are still using the same "strings of characters" that can ruin our lives and reveal everything about us. Your email. Your bank account. Your files. Your private photos. Your location. No matter how complex, no matter how unique, our passwords can no longer protect us. We constantly try to patch passwords, but we are unsuccessful. Take Multi-Factor Authentication as an example. Despite the obvious benefits, users are still leveraging it on a selective basis due to the significant user experience friction that it introduces.
At idemeum we believe patching passwords is no longer an option. We have to come up with a simple, secure, and passwordless technology stack to handle our authentication online.
Using passwords to access online services is a commonplace experience and so are the user frustrations.
Passwords have probably survived this long for three major reasons:
When one starts digging into the real-world password experience and its implications, the reality becomes even more disappointing.
The reality is that we are all annoyed by passwords. We've got dozens to remember, some of them annoyingly complex, and on any given day, as we read e-mails, send tweets, and order groceries online, we're bound to forget one, or at least mistype it. Moreover, we know passwords are going to be compromised. That will happen sooner or later. And no one is going to enjoy it when that happens.
Passwordless authentication (or “modern authentication,” as it is known in the industry) is the term used to describe a group of identity verification methods that don’t rely on passwords. Biometrics, security keys, certificates, and specialized mobile applications are all considered passwordless authentication methods.
We will now get deeper into each passwordless technology:
Before digging deep into each technology area we also recommend reading our post about the identity lifecycle, as it will help you understand the user's digital identity journey holistically.
Certificate-based authentication allows users to securely access an application by presenting a digital certificate instead of a username and password.
To create a digital certificate, Public Key Infrastructure (PKI) 🔐 must be used. PKI relies on what is called asymmetric (public-key) cryptography. The client generates two keys: a private key that is kept secret by its owner, and a public key that is distributed widely and openly. Leveraging this asymmetric key pair, PKI enables:
The client can then obtain a digital certificate that conforms to the X.509 standard. An X.509 certificate has various fields that identify the owner, including the public key, subject name, validity period and others. The key point is that the digital certificate needs to be signed by a trusted third party, so that the certificate can be trusted to represent the identity of its owner.
In order to use a digital certificate to authenticate to a target application, the client needs to present its X.509 certificate to the application along with a proof of possession. The proof of possession is a nonce signed with the private key. When the application receives the digital certificate, it extracts the user information from the certificate and then verifies the proof of possession to make sure that the requester actually holds the private key.
Certificate-based authentication is very popular in the enterprise space because most employee devices are managed with MDM, which makes it convenient and easy to provision certificates to client devices.
However, certificate-based authentication is not as prevalent in the consumer and developer space, as it is quite complex to install and manage X.509 certificates on unmanaged user devices. Some vendors build mobile and desktop applications that aim to simplify certificate provisioning and management, but the user experience remains complex for ordinary users.
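The exchange described above, as an added example in Go (standard library only; this is not idemeum's code): a constructed CA plays the trusted third party, the server issues a random nonce, the client signs it with its private key, and the server chains the certificate to the CA before checking the signature. The names issue, VerifyCertLogin, Demo and the subject alice@example.com are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue binds pub to cn in a certificate signed by signer; parent == nil produces a self-signed CA,
// the constructed "trusted third party" of this example.
func issue(cn string, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	return x509.ParseCertificate(der) // errors out if CreateCertificate failed
}

// VerifyCertLogin is the server side: chain the presented certificate to the trusted CA
// (issuer, validity period, CA constraints), then check the proof of possession over the nonce.
func VerifyCertLogin(ca, cert *x509.Certificate, nonce, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err // unknown issuer, expired, or otherwise untrusted certificate
	}
	if err := cert.CheckSignature(x509.PureEd25519, nonce, sig); err != nil {
		return "", err // requester does not hold the private key behind this certificate
	}
	return cert.Subject.CommonName, nil // identity comes from the certificate, not from user input
}

// Demo: the CA issues the user's certificate, the server sends a fresh nonce, the user signs it,
// the server verifies; it also confirms the same signature is refused for another nonce (replay).
func Demo() (string, bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caCert, _ := issue("Example Root CA", caPub, nil, caKey)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	userCert, _ := issue("alice@example.com", userPub, caCert, caKey)
	nonce := make([]byte, 32)
	rand.Read(nonce) // server-side challenge, fresh for every login attempt
	sig := ed25519.Sign(userKey, nonce) // client-side proof of possession
	cn, err := VerifyCertLogin(caCert, userCert, nonce, sig)
	_, replayErr := VerifyCertLogin(caCert, userCert, []byte("a different nonce"), sig)
	return cn, err == nil && replayErr != nil
}
```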
With magic links, an application sends a unique URL to the user's email address, or to their mobile phone via SMS. There is no need to enter any credentials; instead, the user clicks the magic link to authenticate. Since the magic link includes a unique one-time authentication token, the user is logged in and redirected to the application's landing page.
Magic links enable a frictionless experience for users, as there are no credentials to remember and very few steps to perform.
However, we believe that to provide the best possible experience, magic links need to be combined with cross-app Single Sign-On, so that once users verify their email with a magic link they can maintain the session and seamlessly log in across applications.
OTPs are heavily used in multi-factor authentication flows, but one-time passwords (or one-time codes) can also be used as a standalone authentication method.
OTPs are time-bound numeric codes linked to a reference.
The biggest advantage of OTPs over traditional passwords is that they are safe from replay attacks. In plain language, an adversary who uses trickery to capture your OTP cannot reuse it, since it is no longer valid for future logins or sessions.
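The one-time token behind a magic link, and the replay protection the OTP paragraph describes, as an added Go example that is not code from the original post: the server keeps only a hash of the secret, bounds its lifetime, and deletes it on first successful use, keyed by the reference the token was sent to. TokenStore, its methods and the sample addresses are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"time"
)

// pending is one issued magic-link token or OTP; only a hash of the secret is stored,
// so a leaked table cannot be turned into working links. Constructed for this example.
type pending struct{ hash [32]byte; expires time.Time }

// TokenStore issues and redeems single-use, time-bound secrets keyed by the login
// reference, i.e. the email address or phone number the token was delivered to.
type TokenStore struct {
	ttl   time.Duration
	byRef map[string]pending
}

func NewTokenStore(ttl time.Duration) *TokenStore {
	return &TokenStore{ttl: ttl, byRef: map[string]pending{}}
}

// Issue returns the secret to embed in the link. Re-issuing for the same reference
// replaces the earlier token, so only the most recently sent link can be used.
func (s *TokenStore) Issue(ref string) string {
	raw := make([]byte, 32)
	rand.Read(raw)
	secret := base64.RawURLEncoding.EncodeToString(raw)
	s.byRef[ref] = pending{hash: sha256.Sum256([]byte(secret)), expires: time.Now().Add(s.ttl)}
	return secret
}

// Redeem accepts the secret at most once and only within its lifetime, which is what
// makes a captured link or code useless for a later login (the replay case in the text).
func (s *TokenStore) Redeem(ref, secret string) error {
	p, ok := s.byRef[ref]
	if !ok || time.Now().After(p.expires) {
		delete(s.byRef, ref)
		return errors.New("no valid token for this reference")
	}
	if got := sha256.Sum256([]byte(secret)); subtle.ConstantTimeCompare(got[:], p.hash[:]) != 1 {
		return errors.New("token mismatch") // entry is kept; add an attempt limit for short numeric OTPs
	}
	delete(s.byRef, ref) // consumed: presenting the same link again now fails
	return nil
}
```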
A hardware security token is a physical device that validates a user's identity and grants access to the target application or resource. The user must possess this token to complete the authentication process. Hardware tokens can be used as a primary authentication method, or in combination with other authentication factors such as username and password.
Hardware tokens come in many forms, most commonly USB tokens, key fobs, and wireless Bluetooth tokens. Functionally, there are three main types of hardware tokens.
Connected tokens - the user must plug the security token into the system, computer, card reader, etc. to complete the verification. Two examples of this type of token are a USB token and a Common Access Card (CAC), the latter of which requires a CAC reader.
Disconnected tokens - these are small devices that look like a SIM card, keychain fob, or USB flash drive. They generate a unique, temporary cryptographic code that the user must enter to gain access to a computer resource.
Contactless tokens - with contactless tokens, you don't need to connect to a device or enter any access codes. Instead, contactless devices connect with the system wirelessly, and based on the connection's credentials the system either grants or denies access. The most noteworthy examples of contactless tokens are Bluetooth tokens.
The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password.
WebAuthn is part of the FIDO2 framework, which is a set of technologies that enable passwordless authentication between servers, browsers, and authenticators. Today WebAuthn is supported by major browsers, including Chrome, Firefox, Edge, and Safari.
WebAuthn allows applications to integrate with strong biometric authenticators built into end user devices, like Windows Hello or Apple's Touch ID. Instead of a password, a private-public key pair (known as a credential) is created for a website. The private key is stored securely on the user's device; the public key and a randomly generated credential ID are sent to the server for storage. The server can then use that public key to verify the user's identity.
Let's first look at the major components required to enable passwordless authentication with WebAuthn.
Here is the high level flow showing how WebAuthn authentication is performed on the web.
WebAuthn registration:
WebAuthn authentication:
WebAuthn is a modern authentication protocol that is currently seeing broader adoption across websites and browsers. It offers strong passwordless authentication for users; however, as you can see, it does not solve the enrollment / registration step. To provide a completely frictionless experience to users, WebAuthn needs to be paired with other tools such as magic links or online identity proofing to address user enrollment.
You can try Webauthn demo here.
The last passwordless method we want to cover is using your mobile phone as an authenticator. It is also called Passwordless MFA, as it combines multiple authentication factors together:
There are various implementations in the industry, but we believe that the best and most secure implementation should leverage FIDO and hardware-backed security on the mobile device. That is, authentication should be driven by the FIDO protocol (both iOS and Android support FIDO today), and the FIDO private keys need to be protected by the hardware security modules on the device (Secure Enclave on iOS, or TEE / StrongBox on Android).
The most typical authentication flow is to install and use a mobile app that handles authentication.
When we talk about passwordless authentication we immediately focus on authentication only. However, we need to think about the user's digital identity journey holistically: how users will enroll into our identity system, how we will authenticate them strongly while still providing a great experience, and how we will let users manage and maintain their digital identity.
At idemeum we believe that in this day and age there are 3 major requirements for implementing a successful login system for a modern application:
At idemeum we build All-in-One Passwordless Identity Platform. We are happy to help you solve your sign up and login challenges.