The FIDO™ Alliance has released new authentication specifications that enhance security and privacy, standardize the authentication experience and underlying APIs, improve usability, and extend the FIDO paradigm to more types of devices, platforms, and environments. With the publication of FIDO2 (comprising FIDO’s CTAP and W3C’s WebAuthn specifications), FIDO has more effectively bridged the gaps between mobile devices, traditional computing devices, and web applications.
Authentication is a core component of identity management. It has been a leading area of research and product development for decades, because legacy username/password-based authentication systems are inherently insecure and suffer from usability issues. Password resets are expensive, too.
Various annual surveys show that password compromises are associated with 70% to 80% of data breaches. User surveys consistently show that more than 75% of users want non-password alternatives. For years, security practitioners have advocated requiring “stronger” passwords in a vain attempt to thwart the growing problem of compromised passwords. Increasing password length, adding special characters, and recommending phrases instead of words have been common tactics. Password cracking tools are evolving, too. Rainbow tables are yesterday’s news compared to new machine-learning-enhanced tools such as PassGAN, which uses Generative Adversarial Network algorithms to home in on likely user passwords.
Unfortunately, knowledge-based authentication (KBA, also known as security questions) is another common authentication method, used especially for password reset operations. However, KBA is even less secure than password authentication.
Strong authentication is usually defined as a combination of at least two of the following factors: something you have, something you know, or something you are.
For situations demanding better security, two-factor cryptographic devices such as smartcards and hardware tokens have been used, particularly in enterprise solutions. These too suffer from usability and account recovery issues. Occasionally, two-factor authentication systems are broken when the underlying cryptography is broken. Two-factor authentication systems are also generally more expensive, and thus not economically practical for consumer-facing scenarios.
Smartphones have become nearly ubiquitous. They possess sufficient computing power to perform cryptographic keypair generation, signing, and transmission encryption to make them a compelling alternative to older forms and form factors of authentication. Moreover, in recent years, many smartphone manufacturers have built biometric authentication capabilities into their devices.
Mobile biometrics represent an interesting alternative in the market. They shift the burden away from user memory, since users don’t have to remember a password; instead, biometric samples captured at runtime are matched against samples stored at the time of registration. Biometrics can be easier to use, though all the various forms of biometrics have some usability issues. Biometrics can also be attacked with fake samples, ranging from photos to, in some cases, 3-D printed fingerprints.
However, well-designed biometric authentication solutions offer advantages over username/password and KBA. Key differentiators in biometric solutions include:
- Validation of samples to templates on mobile devices, with no transmission or storage of templates on authentication servers.
- Presentation Attack Detection (PAD), or liveness detection, to mitigate attacks using fake fingerprints and similar artifacts.