Passwordless Authentication

Published by Joe D on

We know the routine.  Open an application or go to a web site, enter your user ID, and authenticate with a password.  Lately, however, you have noticed a third step.  Once you enter your password, you receive another instruction to enter a code sent to your mobile device or email.  Once you enter the code, your device is registered, and that step is “hopefully” not required for future logins.

User ID + Password + Confirmation on Trusted Device = Successful Login

The idea is to add another element of human intervention, your approval, to prevent an unauthorized user who may have access to your credentials from accessing your secure account and information.  We have learned in previous briefings that gaining access to or discovering one’s security credentials is becoming easier by the day.  While this works well in theory and practice and provides a stronger level of security, convincing users to take an additional step is not as easy as it appears on the surface.

What if it was possible to remove a step from this process?  If I have a trusted device that receives a notification when my ID is being used and I must approve this usage, is a password necessary?  Technically, the trusted device provides that second form of authentication, making the password unnecessary.  This can often be observed in the registration of apps on video streaming devices.

User ID + Confirmation on Trusted Device = Successful Login

There are some risks associated with this form of authentication, however, that must be considered:

  1. Security of the trusted device:
    1. If we are receiving authentication requests on a mobile device, the device must also be secure. To ensure that the device is secure, it must be protected with another form of authentication (a password, a fingerprint or facial-recognition biometric, and inactivity timers).
    2. If we are receiving authentication requests via email, the email must also be secure. If there is a weak password on our email account or we do not have multi-factor authentication enabled, unauthorized access may be quite easy.
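To make the "User ID + Confirmation on Trusted Device" flow and the device-security risk above concrete, here is an added Python example (not code from the original post) modelling the server side: the enrolled device shares a secret with the server, a login attempt issues a one-time challenge, and only an approval produced with that secret, for that user, before the challenge expires, completes the login. It goes slightly beyond the post by binding every approval to a single fresh challenge; the HMAC stands in for whatever a real device uses to sign approvals, and the class and method names are invented for the example.

```python
import hashlib
import hmac
import secrets


class PasswordlessLogin:
    """Toy server model of 'User ID + Confirmation on Trusted Device'."""

    CHALLENGE_TTL = 60  # seconds a pending approval request stays valid

    def __init__(self):
        self.devices = {}  # user_id -> secret shared with the enrolled device
        self.pending = {}  # challenge -> (user_id, issued_at)

    def enroll_device(self, user_id):
        """Registration: establish a per-device secret. Its safety is the
        device's safety, which is why the device itself needs a lock."""
        secret = secrets.token_bytes(32)
        self.devices[user_id] = secret
        return secret

    def start_login(self, user_id, now):
        """The user types only an ID; the server sends a one-time challenge
        to the trusted device instead of asking for a password."""
        if user_id not in self.devices:
            raise KeyError("no trusted device enrolled for this user")
        challenge = secrets.token_hex(16)
        self.pending[challenge] = (user_id, now)
        return challenge

    @staticmethod
    def device_approve(device_secret, challenge):
        """Runs on the trusted device: the user's tap releases a MAC over
        the challenge, which only a device holding the secret can produce."""
        return hmac.new(device_secret, challenge.encode(), hashlib.sha256).hexdigest()

    def finish_login(self, user_id, challenge, approval, now):
        """Accept only a fresh, unused challenge that was issued for this
        user and approved with that user's device secret."""
        entry = self.pending.get(challenge)
        if entry is None:
            return False  # never issued, or already consumed (a replay)
        owner, issued_at = entry
        if owner != user_id or now - issued_at > self.CHALLENGE_TTL:
            return False  # wrong user, or the request went stale
        expected = self.device_approve(self.devices[user_id], challenge)
        if not hmac.compare_digest(expected, approval):
            return False  # approval did not come from the enrolled device
        del self.pending[challenge]  # one approval, one login
        return True
```

Knowing the user ID alone yields nothing here; an attacker needs the device secret, which is exactly why the lock on the device matters.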

 

When all is said and done, the use of trusted devices and accounts in authentication to eliminate a step in the process may prove to be more efficient and secure.  However, at the end of the day, regardless of the technology employed, we still rely on the human in the process to be both the weak and strong link.
