Password-less Authentication, an introduction

Password-less authentication does not mean ‘less’ authentication or ‘less’ security – if anything, it’s ‘more’ authentication so that we can do away with the reliance on password credentials.

Why password-less authentication?

Simple. It’s those pesky forgetful users and their choices in weak passwords.

But it’s not their fault. Human beings cannot consciously ‘generate’ random passwords let alone remember them.

What we think is random and unguessable actually follows a predictable pattern.

“Everybody has their own personal security tricks, things that they think will foil the crook. You go on the beach, go in the water, put your wallet in the sneaker, stuff a sock over it…who’s gonna know.”

“Everybody has their own personal security tricks, things that they think will foil the crook.”— Pedram Ghovonlou

Need a password? Just at “123” on the end, voila! Password123, who’s going to guess that. Your pet’s name, year of birth, how about a keyboard pattern “qwerty”.

I’ll let you in on a little secret… when everyone does the same trick, it’s not much of a secret.

This is where passwords policies come in – length, upper-lower case, numbers, special characters, forced update every few months and filtering ‘weak’ passwords.

Something like –

• Password must change every 3 months

• Password cannot match your last three passwords

• Password cannot contain your name or username

• Password cannot contain common words or places

• Password must be at least 12 characters in length

• Password must contain at least one uppercase character

• Password must contain at least one lowercase character

• Password must contain at least one number

• Password must contain at least one special character

Now here’s a valid password that meets that policy – Bl4ck@dder4th

Would you remember this password? It’s a substitution on the British sitcom “Blackadder Goes Forth”. That’s easy to remember, right? Uppercase ‘B’, substitute the first ‘a’ with ‘4’ which kind of looks like an ‘A’ then substitute the second ‘a’ with ‘@’. Easy-peasy?

Okay, now change it every 3 months. And remember there’s a policy that you can’t just put a ‘123’ at the end of it.

The most likely outcome is a password reset and probably help desk calls depending on the complexity of the User Self-Service. Even without the strict password policy, people generally can’t remember their passwords.

It’s worth highlighting that the Blackadder example above is subject to a dictionary attack with substituted letters that have similar shapes (i.e. ‘$’ for ‘S’, ‘4’ for ‘A’).

In any case, the more complicated and ‘random’ the password, the less likely the user is going to be able to remember them.

First-hand knowledge

There are a lot of surveys and statistics on this but we [at SALT] have seen this firsthand with one of our customers in Asia who had this problem – their banking regulator required them to have a fairly stringent password policy for their IB login password. This was driving up their help desk call centre costs because of customers calling about forgotten passwords.

Their banking regulator did allow password-less authentication but only if the authentication was done with the user’s biometrics.

What we they did there was to use Safetronic Mobile MFA with the biometric enforcement. This meant that IB users could do password-less login to IB using their biometrics (fingerprint, face) captured through their mobile MFA tokens.

So, from a user perspective, they would use their desktop internet browser to get onto IB where they would either enter their username or have it cached with a 1-click “Login with Mobile MFA”. This would trigger a push notification to be sent to their mobile phone requesting authentication for login to IB. When they opened the push notification, they’d be taken to the Bank’s Mobile MFA app (which in this case was the re-branded Safetronic Mobile MFA app) and then were prompted to sign-in to the MFA app with their biometrics (face, fingerprint), upon completion of the biometric capture they would be logged into IB on their desktop – a 1-click password-less biometric authentication.

Biometrics is not the only way to do Password-less Authentication – it can also be done with mobile and hardware MFA tokens that generates OTPs or perform Challenge/Response signatures. There is a range of MFA tokens from mobile to smartcards and USB tokens to OATH tokens, Vasco tokens, EMV CAP and SMS.

It is worth noting that all of these MFA methods can be supported concurrently for Password-less authentication. And as it so happens [conveniently] are all supported by the Safetronic platform.