Passwords have been used as proof of identity for centuries. The famous challenge-response of D-Day (during World War II) was the challenge “flash” and the password “thunder”, used by the 101st Airborne Division to verify friend or foe. Passwords are said to have first entered computing in 1961 (Compatible Time-Sharing System at MIT) and have become the de facto rite of passage to access any system ever since.
However, passwords have been considered the weak link in the Identity space for some time (over 30 years). Humans are not great at creating or managing passwords. Organizations have tried various approaches to fix the problem, including:
- Password expiration
- Minimum complexity
There is evidence that these measures have made things worse. The latest advice from the National Institute of Standards and Technology (NIST) is "Change passwords only if there is evidence of compromise". As for minimum complexity, this can result in users writing passwords down or reusing the same old reliable password.
Remembering multiple, complex passwords can be hard. New users who are required to create an account to make a quick purchase often resort to using their old favorite password. Some password keepers do a poor job, and once one of these keepers is compromised, multiple account break-ins can occur. Not only is the user affected, but the owner of a robust, password-protected site could suffer reputational and operational damage if a user is unaware that their password has been exposed. You can check whether one of your accounts has ever been compromised by visiting Troy Hunt's well-known site, Have I Been Pwned. One such example is outlined below.
Adobe: In October 2013, 153 million Adobe accounts were breached with each containing an internal ID, username, email, encrypted password and a password hint in plain text. The password cryptography was poorly done, and many were quickly resolved back to plain text. The unencrypted hints also disclosed much about the passwords adding further to the risk that hundreds of millions of Adobe customers already faced.
Many users use a password manager to generate, store, and recall unique passwords for each website. This treasure trove of passwords needs to be stored, encrypted, and protected with a master password. The store is often remote to enable access via the numerous devices a user has at their disposal. If this store is ever compromised, that’s a lot of passwords revealed in one place.
Around the late 1990s, enterprises, in an effort to strengthen authentication, resorted to introducing an additional authentication factor. These factors often take the form of something the user has, such as an electronic, one-time token generator. Unlike a password, the token generator would have to be physically stolen. Token-based authentication dramatically increases the strength of the authentication. This increased strength comes at increased friction to the user, as the user needs to carry around the additional authentication source and sometimes interact with it to generate the token. Physical RSA One Time Token Generators have been successful in the enterprise space. Still, they are not practical for the general internet landscape, as having a separate RSA device for each organization a user wishes to interact with isn't maintainable or cost-effective.
Carrying around a single, one-time token was too much for one user, who just set up an internet web camera pointing to their token generator, allowing them access when required.
Soft tokens go some of the way to solving this impracticality problem by reducing the cost and number of devices. The use of Google and Microsoft Authenticators, based on RFC 4226, allows the user to have a one-time token generator per website using a single application, typically installed on their mobile device or inside their password manager. Care must be taken to back up the data the application uses to generate the one-time token, so this requires the user to be reasonably technical.
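As an added illustration (not code from the original article or from any authenticator app), this Go program implements the RFC 4226 HOTP computation those soft tokens are based on: HMAC-SHA1 over the shared secret and an 8-byte counter, dynamic truncation, then reduction to six digits. The server-side Verify with a small look-ahead window is an assumption about how a site would resynchronise a counter; the sample secret is the RFC's own Appendix D test secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

// HOTP computes the RFC 4226 one-time code for a shared secret and a moving
// counter: HMAC-SHA1 over the 8-byte big-endian counter, "dynamic truncation"
// of the 20-byte MAC to 31 bits, then reduction modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil) // 20 bytes
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verify is the server side (an assumed design): it accepts the code for the
// stored counter or a few counters ahead, so a token pressed without a login
// does not lock the user out, and returns the counter the server must store
// next, or -1 when nothing in the window matches. Codes are compared in
// constant time.
func Verify(secret []byte, stored uint64, window int, candidate string) int64 {
	for i := 0; i <= window; i++ {
		want := []byte(HOTP(secret, stored+uint64(i), 6))
		if hmac.Equal(want, []byte(candidate)) {
			return int64(stored + uint64(i) + 1)
		}
	}
	return -1
}

func main() {
	// Constructed input: the RFC 4226 Appendix D test secret, counters 0..2.
	secret := []byte("12345678901234567890")
	for c := uint64(0); c < 3; c++ {
		fmt.Println(c, HOTP(secret, c, 6))
	}
}
```

The server must persist the returned counter after a successful login; replaying a code whose counter is now below the stored value fails.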
The wide-scale adoption of the internet led to the onset of deceptive phishing attacks (circa 1998), where a user receives what looks like a genuine and often urgent email from a website containing actionable links like this:
For the user to believe they are on the official website, the hacker needs to create a replica site. Unfortunately, toolkits for creating replica sites that intercept and forward all requests to the real site are freely available online for anyone performing this style of attack. The hacker creates a replica site, waits for the user to login, and stores their credentials. Even sites that have two-factor authentication (2FA) are vulnerable because the replica site can hijack the login session (steal the cookie) and notify the hacker that there is a live session to the real site they can now use.
To summarise so far, token-based authentication solves the weak human aspect of passwords at an increased cost to the user and the organization. Tokens remove the risk to the organization even if a user's password is not unique across sites, as the token will always be unique. Even with all the additional costs of traditional two-factor authentication, it still can't beat the phishing attack.
Fixing the Password Problem
- Passwords are too weak and reused many times
- Passwords composed of discoverable, personal data
- User doesn’t distinguish a fake URL from the real one
Computers can solve these problems. A computer knows the difference between a zero and a letter “O”. Removing the human aspect could be the key to providing secure, frictionless authentication.
Authentication servers have access to the user's password in some form, so the authentication solution must address this fact. Having numerous passwords in one place is a risk and requires an organization to take special care of them.
Introducing Simpler, Stronger Authentication with FIDO2
FIDO2 (sometimes referred to as WebAuthn and backed by Microsoft and Google) reduces the human element of authentication and removes the credential store from the server. FIDO2 runs on laptops, desktop computers, and mobile devices, providing a unified form of login either in addition to a password or replacing the password entirely.
There are two forms of FIDO2: platform or roaming.
Platform represents FIDO2 running on your computing device (laptop, desktop, or mobile). Roaming is a device that connects to your computer to perform the authentication, allowing you to roam between machines. The device is often small enough to fit on your keyring. Two of the most common devices are from Google and Yubico. Any user using Mac OS or Windows 10* has a platform authenticator built in, resulting in no additional hardware cost to use FIDO2.
*The motherboard must have a Trusted Platform Module (TPM)
How Does It Work
Web sites first need to provide the option for users to register and authenticate with a FIDO2 device. The FIDO2 registration workflow differs from the usual password registration process in that the user no longer generates a password, FIDO2 does. The device generates a cryptographically strong public/private key pair bound to the website, almost equivalent to the password, but with these credentials now being split between the user and the server. The FIDO2 registration process sends the public key to the website. The private key never leaves the user.
For login, the server issues a challenge to the user's FIDO2 device. The FIDO2 device creates a cryptographically signed response to the challenge using the private key held on the device. The server verifies the signature on the response using the public key it received at registration. With only the signed challenge passing over the internet, the user's full credentials never leave their device. And with no credentials stored on the server, the risk and impact of a large-scale password data breach is hugely reduced.
The user needs to give permission for the FIDO2 device to perform the challenge-response. This can be via a pin, biometric, or a simple touch of the roaming device. On Windows 10 machines, logging in to a web site could be as simple as looking at your webcam, using a fingerprint sensor, or entering a four-digit pin. Similarly, on a Google Pixel 3 phone, the user could authenticate via the fingerprint sensor, resulting in a zero-friction experience.
Users No Longer Need Worry About Being Phished
FIDO2 comes with anti-phishing technology built in. At registration, FIDO2 binds the public/private key pair to the registration website's URL. During login, if a phishing site attempts to sit in the middle, FIDO2 won't recognize it because the phishing website's URL differs from that of the registration website, so FIDO2 does not take part in the challenge-response handshake.
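The registration and login flow described under "How Does It Work", together with the origin binding described here, as an added simulation in Go (this is not the article's code nor any FIDO2 library's API): the Authenticator holds a P-256 private key per origin and never exports it, the RelyingParty stores only public keys, and the signed message covers both the challenge and the origin the browser observed. The struct and function names are assumptions; real WebAuthn signs authenticatorData plus a hash of the client data, which signedData stands in for.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator keeps one private key per origin; the private half never leaves it.
type Authenticator struct{ Keys map[string]*ecdsa.PrivateKey }
// RelyingParty is the website: it stores only public keys, one per user.
type RelyingParty struct {
	Origin string
	Pubs   map[string]*ecdsa.PublicKey
}

// signedData stands in for WebAuthn's authenticatorData||clientDataHash: the
// challenge and the origin the browser observed are both under the signature.
func signedData(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return h[:]
}
// Register mints a P-256 key pair bound to the origin the browser reports and
// returns only the public half for the site to store.
func (a *Authenticator) Register(origin string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the RNG is broken
	a.Keys[origin] = priv
	return &priv.PublicKey
}

// Assert signs the challenge for the origin the browser reports; with no key
// bound to that origin (a look-alike domain) there is simply no response.
func (a *Authenticator) Assert(origin string, challenge []byte) []byte {
	if priv, ok := a.Keys[origin]; ok {
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedData(challenge, origin))
		return sig
	}
	return nil
}

// Login runs one challenge-response: the site issues 32 fresh random bytes, the
// browser hands them to the authenticator with the origin it is really talking
// to, and the site verifies the signature over its OWN origin with the stored key.
func (rp *RelyingParty) Login(user string, a *Authenticator, browserOrigin string) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	sig := a.Assert(browserOrigin, challenge)
	pub, ok := rp.Pubs[user]
	return ok && sig != nil && ecdsa.VerifyASN1(pub, signedData(challenge, rp.Origin), sig)
}
```

Two things make the relay attack fail here: the authenticator has no key for the look-alike origin, and even a key registered on that origin produces a signature over the wrong origin, which the genuine site rejects.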
By reducing the human element, FIDO2 provides strong, secure authentication with less friction than any other authentication technology available today. Combined with the anti-phishing support, FIDO2 is, without doubt, the gold standard of internet-based authentication.
Choose FIDO2 and experience the following benefits:
- Users don't have to create and manage strong passwords
- Protect the FIDO2 credentials with biometrics
- A hacker can't steal credentials from the website
- Every website has a unique set of credentials
- Zero effort to authenticate
- Prevents phishing
Try it for yourself. Perform a FIDO2 registration and login at: fido.identityserver.com
Move your ASP.NET web site to strong, modern authentication in just a few lines of code using the IdentityServer.com FIDO2 for ASP.NET component.