The session features host and Mobile Mentor Founder, Denis O’Shea, Yubico Solutions Engineer, Shakeel Aziz, Microsoft Cloud Endpoint Technical Specialist, Nick Cordova, and Mobile Mentor Digital Identity Lead, Demetrius Cooper.
During the conversation, the group discusses the history of authentication practices including the two-factor authentication solution, FIDO U2F, and the passwordless authentication protocol, FIDO2.
Read below for a synopsis of this conversation on industry standards for Passwordless Authentication.
How far have we come in terms of industry standardization for passwordless authentication? What is the history behind it and what is happening today?
Shakeel Aziz: When when I talk about passwordless authentication, the first question I ask customers is what passwordless means to them. And if we really think about passwordless technology, it’s not technically new. We’ve had password authentication since the sixties. In the eighties and nineties, we had what we call smart card authentication. Smart card authentication can be considered a passwordless form of authentication because it does not use a traditional password. The password is replaced by a four or six-digit pin, similar to what you use in your ATM account today with your bank card. That is essentially a passwordless form of authentication.
That authentication has been limited in use specifically within industries that are highly regulated or in the public sector. The issue with smart cards and smart card technology is that it requires extensive infrastructure. It requires what we call, public key infrastructure, which requires servers to be deployed and managed. There’s a whole extensive process that goes around securing public key infrastructure. This is not something that could be scaled out into the consumer world or into organizations that are relatively small or medium-sized. So, what we saw is just a continuation of using, passwords, because that’s really all we could do. And then, we layered it with multifactor authentication using standards such as Oath, which allowed us to use six-digit codes.
For example, your traditional RSA token was very common in the eighties and the nineties, which did a good job of protecting accounts.
In about 2012, and 2013, Yubico, along with Google, started to look into providing a passwordless experience. It came about with some work to perform passwordless authentication into an e-commerce site. The goal there was to make it as easy as possible to conduct a transaction.
The very first standard that came out of that was Fido and Fido UAF. It was essentially a universal framework. And building on that, a few years later, we came to what we called Fido U2F, which stands for Fast Identity online. FIDO U2F was designed as a two-factor solution. It still required a password. The second factor, in this case, would be a hardware security key. And so Yubico created the Yubikey and there were other vendors out there that also made keys.
The idea was those keys would be designed with similar technology as smart cards but would be implemented in a different way – where you wouldn’t need that complex infrastructure that smart cards would require. The concept would be that the authenticating party (or what we call the ruling party) would have this infrastructure built into their back end. So it would be relatively easy to have a user be provided with the key, that key registered with the service, and when that user logged in to the service, it would be a two-factor authentication flow. They would have a username, but they would have a password, but then they would provide the second factor in the form of a possession factor being hardware security key. That’s what FIDO U2F was designed around. It was created around what we call strong authentication, which refers to Authentication that’s backed by public key cryptography.
So if we think about the Oath Standard, as mentioned earlier, your traditional RSA token six-digit code uses symmetric encryption which is public key cryptography, and the use of public-private key pairs which is a shared secret between the user and the service. FIDO is essentially using asymmetric encryption, which is public key cryptography and the use of public-private key pairs. So it’s a much more secure form of authentication because there is no shared secret. The biggest problem we’ve seen with the password is that it is a shared secret. It’s something that the server or the service has to know.
In 2014, Fido U2F gained some steam but wasn’t widely adopted because what is needed for a solution like this to gain adoption at scale is the buy-in from the identity platforms, the browsers, and the operating system. You need all these three components ready and have features and functionalities built-in to support this type of authentication.
Denis O’Shea: You also need the buy-in from the end user to change their behavior.
Shakeel Aziz: Yes, absolutely. That’s an excellent point because one of the barriers to the adoption of Passwordless technology is behavior change. We’re still tackling that today.
If we fast forward to 2018, we see the building of the Fido alliance. This consists of a few partners and global leading organizations such as Microsoft, Yubico, and Google, dedicated to continuously building on top of the Fido specification and creating what we can now call FIDO2. FIDO2 is designed to be a passwordless authentication protocol. So FIDO U2F was designed to be a two-factor authentication solution, but FIDO2 is designed to be a passwordless authentication protocol.
The thought leaders in the space realized a long time ago that we need to remove the password from the authentication flow because passwords are the weakest link. Two-factor authentication is great, but it still consists of providing a password to a service to a malicious user, etc. FIDO2 was designed to eliminate the password from the authentication flow. When you do that, you don’t send a password across the wire. It’s all cryptographically authenticated in the back end.