Passwordless Authentication: safe and seamless customer experience

Passwords are painful and ineffective

Credentials verify user’s identities to control access. The most common way for users to authenticate is a combination of username and password. This model is based on a knowledge factor: the user is required to prove knowledge of a secret to authenticate. Although it is a simple and widely used solution, it also represents the bane of security experts.

Passwords are a pain for users. They are inconvenient to type – especially on mobile devices – and they’re hard to remember. This pushes lots of users to use simple passwords, to re-use them for most accounts and to keep them unchanged for a long time.

Not only are passwords a pain for users, but it is not that hard for hackers to steal digital identities. On registration, the server stores the user secret so it can be compared to the one provided during authentication. As a user, you have no control over what the server does with your password and have to trust that it stores it securely. Servers can be attacked, which may leak tons of passwords (T-Mobile Austria storing passwords partly in clear text is just one example). If a password used multiple times leaks, all accounts using the same password are vulnerable.

78% of attacks on web applications involve using stolen credentials

All these factors add up to a good reason to consider authentication solutions which remove passwords from the equation. Instead of verifying users’ identities with a password, it can be done using procedures based on a possession factor, which is something only the user has (e.g. a registered mobile device or a hardware token) or an inherent factor, which is something associated with the user like a person’s biometric signature (e.g. fingerprint, face, voice, or iris recognition). Passwordless methods improve usability by providing a frictionless user experience and increase approval for mobile solutions.

A secure and standardized solution

Among several technologies which implement passwordless authentication, we find FIDO2, a set of standards created to build a fast, simple and secure authentication experience. FIDO2 also enables two-factor (2FA) and multiple-factor authentication (MFA), which makes it a comprehensive authentication solution.

Written by the FIDO Alliance and the W3C, FIDO2 combines the Web Authentication API (WebAuthn) and Client-to-Authenticator Protocol (CTAP) specifications. FIDO2 standardizes the authentication protocol used between the client and an online service, called the relying party. It enables a wide variety of authenticators to work together in an interoperable manner, creating an ecosystem of client authentication methods. An authenticator provides the cryptographic know-how in the transaction, which relies on public-key cryptography to provide strong passwordless authentication to end users. It generates and stores an asymmetric key pair for the user at initial setup. The private key is stored securely on the authenticator, while the corresponding public key is sent to the relying party. An authenticator can be part of the user's device or an external piece of hardware or software, and can use multiple user verification methods to authorize cryptographic operations. Popular examples of on-device authenticators are biometric authenticators like Touch ID and Face ID on iOS devices, or Windows Hello. External authenticators are security keys that you plug into a computer, such as YubiKey.

Unlike passwords, users’ secrets like the private key or fingerprint data are only ever used by the authenticator in order to unlock it, but not shared with anything else. Because the public key isn't a secret, users don't have to worry about whether the server will keep it safe, and databases become less attractive to hackers, improving the security of the solution.

A user registers for a new service ...

In order to access an online service, the user first has to register, typically by visiting the website and creating a new account. After entering a username, the user is prompted to choose an authenticator which complies with the requirements of the online service. Authenticators may require an enrollment step to be enabled, such as adding a fingerprint to a biometric authenticator.

Before creating user credentials, the selected authenticator needs to be unlocked by the user. That operation depends on the user verification method, e.g. performing a biometric recognition on its smartphone or pressing on a hardware key button to validate the user's presence. In case of a multi-factor authentication, additional user verification is asked.

After being unlocked, the authenticator generates a new public/private key pair unique to the local device, online service and user account. The public key is sent to the online service and associated to the user account, so it can later be used to prove the user's. The private key stays on the local device.

At this point, the registration is complete and the online service informs the user that he successfully signed up.

After registering to the service, the user can now be authenticated. After navigating to the website and clicking the sign in button, the online service asks the user to select an identity and complete the login process with a previously registered authenticator which matches the service's acceptance policy.

The service generates a challenge, which is sent to the authenticator in order to be signed using the private key that corresponds to the user's account. The private key can be accessed only after the authenticator is unlocked by the user in a way similar to registration.

The authenticator signs the challenge and sends the assertion signature to the relying party, which verifies it using the user's public key. If the verification succeeds, the user has proved that he has the private key and is logged in.

Account recovery