Minimizing Risk in The Rush to Passwordless Authentication

In recent years, banks and financial institutions have been shifting towards passwordless authentication as a means to enhance security and meet regulatory compliance requirements. In fact, according to Allied Market Research, passwordless authentication will become a $40B+ market by 2031, marking very fast growth and adoption. Even the federal government has essentially mandated the use of passwordless authentication, or what they term phishing-resistant MFA, by the end of October 2024. The allure of this approach lies in the promise of heightened protection against cyber threats while offering a frictionless user experience. However, as financial institutions scramble to implement passwordless authentication, there are concerns about the quality of the solutions being adopted, their privacy and enterprise security implications, and the overall user experience. In this blog, we will explore the potential pitfalls of this rush and highlight how privacy-centric, integrated identity platforms that can handle the end to end user journey are emerging as a forward-looking answer to the future challenges of authentication.

The Promise of Passwordless Authentication

Passwordless authentication eliminates the reliance on traditional passwords, which are susceptible to various security vulnerabilities such as weak passwords, password reuse, and phishing attacks. With passwordless authentication,  biometrics, hardware tokens, and one-time codes are instead used to grant access to user accounts. By eliminating passwords, enterprises can reduce the risk of data breaches and enhance user convenience, while also lowering operational costs and associated fraud losses. 

Much of the progress towards passwordless authentication can be attributed to the FIDO Alliance, which has published three sets of specifications, wrapped around the W3C’s Web Authentication (WebAuthn) specification for maximum interoperability. Support for passwordless authentication and in particular biometrics, is also mirrored in surveys that show that when given the option, consumers prefer biometrics for authentication, they agree that biometrics provide the most secure form of online identity authentication and they find it to be the most convenient.

The Pitfalls of Hasty Implementation of Passwordless Authentication

While the move towards passwordless authentication is commendable, the rush to adopt these solutions without thorough evaluation can lead to several issues. Some of the key pitfalls include:

1. False Sense of Security: In their haste to comply with regulations, some enterprises might implement inadequate security measures, leading to potential vulnerabilities in the authentication process. For example, poorly implemented biometric systems could be susceptible to spoofing or injection attacks, compromising the integrity of the entire authentication process. There are also risks in the user registration process and whether the passwordless implementation is connected to the rest of the enterprise security framework. For example, in a workforce authentication scenario, is the process for employee onboarding connected to the device provisioning that would enable passwordless access? How is account recovery handled? We should all bear in mind that fraudsters are like water; they will go to the path of least resistance, so if the underlying identity processes are not unified and connected, the gaps will be exploited by attackers. Put simply, it will do no good for an enterprise to enable passwordless authentication on employee provisioned devices if attackers can call a help desk and, using other stolen employee data, are able to convince an agent to reprovision them on a new device. System architects should be reminded that 80% of data breaches are caused by stolen credentials today, and with the growth of generative AI, the threat of phishing to enable more data to be stolen, will only increase.Another vector to consider from an enterprise security standpoint is how many passwordless authentication solutions work in the first place. Since they primarily rely on the biometric stored in the secure enclave on the device to release a cryptographic key, the systems are essentially verifying that the person who is holding the device is the one enrolled to the device, but that doesn’t mean that that person is actually authorized to access the system or application. In fact, browsers and apps which allow the user to use the device biometrics, tend to allow the user to fall back to an alternative authentication method and that alternative is almost always…...a password or PIN code. So anyone who knows the device password can also release the FIDO cryptographic key and access the application or online service.  This poses serious risks for enterprise security, where in order to support passwordless authentication and Passkeys, the cloud providers will have to maintain a backup of the FIDO credentials (cryptographic authentication keys) on their cloud and make them available on any new device that the authorized person signs in with. This means that all of the users’ FIDO credentials will now be protected by their Google/Apple iCloud or Microsoft account credentials and the requisite security measures. Once again, this means that if an attacker can gain access to a person’s Google/Apple/Microsoft credentials - they can regenerate a person’s authentication keys on their own device and access all their accounts. Considering that millions of Gmail, iCloud, and Microsoft account credentials are available on the dark web and the explosive growth of SIM swaps, this scenario is definitely not a hypothetical one. The same holds true for the password managers that are now positioning themselves as Passkey managers for they too, have been breached. 

2. Subpar User Experience: Introducing new authentication methods without considering the user experience can lead to frustration and resistance. Clunky or inconvenient authentication processes may drive users away, defeating the purpose of passwordless authentication. Most enterprises adopt passwordless authentication with an eye towards compliance with zero trust requirements and in this context, this means that the solutions must interact with legacy hardware and software solutions that can be very difficult to unwind. In fact, a dirty little secret in the passwordless authentication world is that many legacy implementations are “hard-wired” with password authentication and so despite the glaring security issues with passwords, users tend to want a uniform authentication experience across all the applications they use, and this is especially true in a workforce authentication environment where they may be logging in and logging off multiple applications a day. On the consumer side, there are also challenges for usability. Passwordless systems may not work on all devices or browsers and there are plenty of use cases where consumers share devices (i.e., payment terminals, ATMs, self-checkout terminals, travel kiosks, or even households where multiple people use the same mobile phone), or they have a new device for whatever reason, making device based passwordless approaches unsuitable and then the follow on experience can be worse than what it currently is today.From a user experience standpoint, there is also the question of how to minimize friction and enable as much of a “fast track” capability as possible without introducing risk. This is where biometric accuracy rates become critical on multiple fronts - how easily is the biometric captured, what are the false match and false non-match rates. In addition is the question of when and how often to invoke a passwordless authentication request. In a Privileged Access scenario, this can be for every login, but for less risky situations, it might behoove the enterprise to combine passive authentication and other threat detection approaches - either to invoke a biometric authentication request in the first place, or to automatically adjust the biometric matching threshold to make it easier or harder for a user to pass.

3. Compatibility Challenges: Integrating passwordless authentication solutions into existing enterprise systems and platforms may pose compatibility challenges, potentially leading to technical glitches and service interruptions. As stated earlier, zero trust mandates user authentication per application not network and this introduces complexities with integration, web, mobile, call center and chat, a tremendous undertaking for an enterprise that needs to ensure the passwordless authentication system works across the board.  

Anonybit's Privacy by Design Passwordless Authentication Solution: A Glimpse into the Future

Up to now, we have discussed the risks that enterprises may face in their haste to adopting passwordless authentication solutions but there is another dimension which can be a major roadblock - in order to enable end to end security and passwordless authentication, it is necessary for the enterprise to store and manage user biometrics to close the gaps that attackers can exploit, either in the user journey or across the different use cases. Due to privacy and regulatory concerns however, this has been a non-starter for many enterprises.

New privacy-enhancing technologies like multi-party computing and zero knowledge proofs however, have emerged to assuage these concerns and in fact, form the basis for Anonybit’s integrated identity platform called the Genie.   Unlike traditional biometric systems that store sensitive biometrics on centralized servers, creating a potential "honeypot" for hackers, Anonybit takes a different approach, sharding biometric data into an anonymized form that gives attackers nothing to find and nothing to steal, and yet, can still be used to enable passwordless authentication. With this approach, user biometrics can be collected at the user registration stage and be used to provision devices, activate Passkeys, streamline account recovery and support authentication needs regardless of channel, enhancing enterprise security while enabling an improved user experience that is consistent across the board and that does not fallback on weaker forms of authentication.

To see how this approach can work in your enterprise, schedule a demo today.