Oh No, Not Another Article About Passwords: Will WebAuthn Replace Passwords or Not?
The humble, much-maligned password has been in the news again lately. The FIDO Alliance and W3C announced in April the release of the password killer web API named WebAuthn. But, are we singing the “Bye, bye password” song, only to start up a chorus of “You say goodbye and I say hello”? Let’s take a look at the ebb and flow of password(less) authentication.
First, there was the password
We have had a sort of love/hate relationship with the computer password, ongoing for the last 40 years at least. The tech community keeps promising the demise of the password, then it never comes to pass… Instead, according to LastPass, business users have to manage, on average, 191 passwords each! And, according to Pew Research, we aren’t even using password managers, with only 12% of respondents in a 2017 survey using them, and 49% writing passwords down on paper. No wonder then, that LastPass found that 81% of data breaches were ultimately due to password compromise.
Then there was HOTP/TOTP and SMS text code
It felt, at one point, certainly from a technologist’s perspective, that the use of authentication apps, like Google Authenticator, might hold the key to cheap, secure, second-factor authentication. SMS text codes were also, seemingly, a good way to get the ‘out-of-band’ channel needed for a good 2FA mechanism. However, SMS codes and authentication apps never really took off, or at least have had a mosaic uptake. Currently, less than 10% of Gmail users use a second factor for login.
But, it isn’t all doom and gloom for second-factor use. Singapore, for example, seems keener on the use of 2FA. In a recent survey on public security awareness, the Cyber Security Agency of Singapore found that between 2016 and 2017 there was a 13% increase in users enabling a second factor for access control to accounts. It would be interesting to see why 2FA in Singapore is more accepted than in other countries. Perhaps they are early adopters and we will see a trickle-across effect in the uptake of 2FA?
Now there is WebAuthn
Welcome to the promised land in the form of passwordless login. The new API from W3C and FIDO offers just that: a way to remove the need for a password and have automated login via a device/biometric – no second factor – WebAuthn IS the only factor. WebAuthn is based on our old friend, public key cryptography. In a nutshell, signatures are sent between a relying party (usually a website), which stores the public key, and an authenticator (a device or browser), with a biometric used to authenticate you to the device. It’s neat, it’s easy to implement, and it has some excellent security features that can help prevent phishing using PKI/biometric – but is it the panacea of authentication?
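The signature exchange described above, as an added example that is not part of the original article: a Node.js simulation in which the relying party stores only the public key and checks the challenge, origin and RP ID hash before verifying the signature. The `example.com` relying party, the look-alike origin and all function names are constructed for illustration; attestation, CBOR/COSE key parsing and counter tracking are left out.

```javascript
// Added example: simulated WebAuthn login check; all names and values are constructed.
const crypto = require('crypto');
const sha256 = (d) => crypto.createHash('sha256').update(d).digest();
// Authenticator (simulated): holds the private key; the site only ever sees the public key.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  function sign(challenge, origin, rpId) {
    // In a real browser the origin is recorded by the browser, not by page script.
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
    // authenticatorData = SHA-256(rpId) | flags (UP|UV = 0x05) | 4-byte signature counter
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, privateKey) };
  }
  return { publicKey, sign };
}

// Relying party: checks challenge, origin and RP ID hash, then the signature.
function verifyAssertion(rp, publicKey, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  const got = Buffer.from(String(client.challenge), 'base64url');
  if (got.length !== expectedChallenge.length ||
      !crypto.timingSafeEqual(got, expectedChallenge)) return 'challenge mismatch';
  if (client.origin !== rp.origin) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(rp.id))) return 'rpIdHash mismatch';
  if ((a.authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const rp = { id: 'example.com', origin: 'https://example.com' };
  const auth = makeAuthenticator();
  const challenge = crypto.randomBytes(32); // fresh for every login attempt
  const good = auth.sign(challenge, rp.origin, rp.id);
  // A real authenticator has no credential for this RP ID; signing is forced to show the check.
  const lookalike = auth.sign(challenge, 'https://example.com.login.test', 'example.com.login.test');
  const tampered = { ...good, authData: Buffer.from(good.authData) };
  tampered.authData[36] ^= 0xff; // counter byte changed after signing
  return {
    genuine: verifyAssertion(rp, auth.publicKey, challenge, good),
    lookalike: verifyAssertion(rp, auth.publicKey, challenge, lookalike),
    replay: verifyAssertion(rp, auth.publicKey, crypto.randomBytes(32), good),
    tampered: verifyAssertion(rp, auth.publicKey, challenge, tampered),
  };
}
console.log(demo());
```

Only the assertion produced for the real origin against the current challenge verifies; the look-alike origin, the reused assertion and the altered authenticator data are each rejected at a different check.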
However, as always, the devil is in the detail. It is the ‘what ifs’ that always flush the issues out with an authentication measure. For example, what if you lose your phone and need to log in urgently? Systems always need a fall-back position. This is generally a lower threshold, which then becomes the attack vector. Although WebAuthn holds much promise, the fall-back to a password, or on the mobile device a PIN code (the fall-back for a biometric), takes us back to square one. And the biggest challenge will be the creation of secure credential recovery for WebAuthn-based services when WebAuthn is the only factor in use.
Then there was a password, again
We are all sick of passwords; I have so many I can’t keep track and end up using recovery systems all the time. I am no fan. However, I am a pragmatic person and recognize that the password may be a pain in the proverbial, but it has its place in history and its future is assured. But, we can’t continue blindly abusing our passwords – as was shown recently in a Brian Krebs blog post which showed employees posting passwords in clear text on collaboration portals such as Trello.
Passwords may have a longer lifespan than hoped, but we need to up our game in supporting their continued use. On this matter, NIST gave some sound advice when they updated their advisory recently. Long-standing practices around password policy were placed in the out-folder, and others, such as maximum password length, were updated to reflect the longer length of more memorable passphrases. Passwords, it seems, are here to stay for a while yet, and we need to develop a ‘healthy password culture’. Tools for password policy implementation, such as the excellent zxcvbn password strength estimation method, offer a good way to prevent password guess attacks, for example.
WebAuthn may be a great way to improve usability and build a more secure login system, but we should always be cognizant of passwords too. Security best practices cannot be avoided.
Other considerations: database encryption and security best practices
What password vs. authenticator API is all about is controlling access to data records. As mentioned earlier, the vast majority of data breaches are down to password exposure, malicious or otherwise. If we assume that, in the short term at least, passwords or PINs are always going to be with us, either as a factor or as a fall-back, we have to look at security best practices and put policies in place to mitigate password exposure.