The journey to passwordless - the person behind the device
- Marcia Klingensmith 
- Feb 18, 2021
- 4 min read
2023? 2025? Later? When will we go passwordless? We've been saying "within the next five years" for more than five years now. The current password model is still a burden: the security problems keep getting worse, you have more accounts to keep track of, switching between operating systems makes tracking complex passwords even harder... and of course our human foibles make it easy for fraudsters to phish, harvest, and replay our passwords.
OTP (one-time passcode) adds a thin layer of security, but these "shared secrets" can still be stolen or relayed by a phishing page in real time. The answer lies in "behind the scenes" authentication signals that attackers find hard to replicate: the uniqueness of your device, your location, and your behavioral and usage patterns. Of course, even if you can validate and recognize a returning device, you still need to tie that information to the person using the device.
Back in 2013 the FIDO Alliance (https://fidoalliance.org/what-is-fido/) set out to design and deliver an authentication model that would reduce the world's reliance on passwords and better secure the web and apps. The vision: a solution that is stronger, phishing resistant, seamless, and easy enough for users to perform automatically with a single gesture on a device they possess, using public/private key cryptography and shifting from server-side shared secrets to a more decentralized model. They continue to expand and deliver on this vision; FIDO standards are being adopted globally, with more than 4 billion devices now supporting FIDO and many governments and companies using the protocols.
The concept is that the physical device (laptop, tablet, phone, etc.) mediates the authentication on your behalf and serves as an "authenticator". When you set up or enroll an account, a unique public/private key pair is created for that site: the public key goes to the service's server, the private key stays on your device and never leaves it. The private key can only be unlocked with your local user verification (biometric, PIN, etc.). Because the server holds nothing secret, a breach of the service yields no reusable credentials, and because the key is bound to the site's origin, a look-alike phishing site cannot use it. This configuration aligns with global regulation such as GDPR and PSD2.
To truly get to a passwordless world, you need to go beyond authenticating the device; you also need to know and validate the person interacting with it, which is the domain of identity verification assurance. That means verifying the user, verifying the device, and binding the two together:
1. Device validation
* Optimally this process begins with a device scan for signals of use by a bad actor: device tampering, malware, and velocity signals (the same device cycling through multiple names, emails, etc.)
2. Identity validation
* If the device is "safe", the identity verification process typically starts with the user presenting a government-issued identity document
* Validation that the identity document is legitimate and has not been tampered with
* The user takes a selfie (a picture of themselves), usually with some form of liveness detection to ensure the user isn't trying to spoof the photo with a printout, a screen, or a mask
* Comparison of the selfie to the photo on the government-issued ID to ensure the person presenting the ID is the person it was issued to
* The selfie (or rather a biometric template derived from it, not the image itself) would be stored on the local device for use in account recovery
3. Bind user to device
* Once the user has been validated, they register their device as a FIDO authenticator
* When this device is presented in the future, you have greater confidence in both the user and their device
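The key-pair model described above (public key at the service, private key locked on the device) and the final "bind user to device" step, as an added example in Go. This is not code from the original post nor from the FIDO Alliance; it is a simplified relying party and authenticator modelled on the WebAuthn flow. The type and function names (RelyingParty, Authenticator, signedDigest), the `challenge|origin` client-data encoding, and the domains example.com and examp1e.com are assumptions for illustration, and it leaves out attestation, the signature counter and the user-verification flags that the real protocol carries.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device: the private key is made here and never leaves.
type Authenticator struct {
	rpID string // site the key pair was created for (assumed name, not a FIDO API)
	priv *ecdsa.PrivateKey
}

type RelyingParty struct {
	ID         string                      // e.g. "example.com"
	Origin     string                      // e.g. "https://example.com"
	pubKeys    map[string]*ecdsa.PublicKey // only public keys are stored, keyed by credential ID
	challenges map[string]bool             // issued, not yet used challenges
}

type Assertion struct {
	CredID, Challenge, Origin string // Origin is set by the browser, not by the page that asked for login
	Signature                 []byte
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{ID: id, Origin: origin, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

// NewChallenge issues a random nonce that is valid for exactly one login.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand.Read is guaranteed not to fail from Go 1.24
	c := fmt.Sprintf("%x", b)
	rp.challenges[c] = true
	return c
}

// Register enrolls a device: the key pair is generated on the device; only the public half reaches the RP.
func (rp *RelyingParty) Register(credID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[credID] = &priv.PublicKey
	return &Authenticator{rpID: rp.ID, priv: priv}, nil
}

// signedDigest (simplified from WebAuthn) covers SHA-256(rpId) and SHA-256(clientData), where clientData binds the challenge to the origin the browser saw.
func signedDigest(rpID, challenge, origin string) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientHash := sha256.Sum256([]byte(challenge + "|" + origin)) // assumed encoding; real clientData is JSON
	d := sha256.Sum256(append(rpHash[:], clientHash[:]...))
	return d[:]
}

// Sign is the device answering a login request from a page at origin, after local user verification has unlocked the key.
func (a *Authenticator) Sign(credID, challenge, origin string) (Assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(a.rpID, challenge, origin))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredID: credID, Challenge: challenge, Origin: origin, Signature: sig}, nil
}

// Verify runs the RP-side checks; the challenge is consumed only once an assertion is accepted.
func (rp *RelyingParty) Verify(as Assertion) error {
	pub, ok := rp.pubKeys[as.CredID]
	if !ok {
		return errors.New("unknown credential")
	}
	if !rp.challenges[as.Challenge] {
		return errors.New("challenge not issued or already used (replay)")
	}
	if as.Origin != rp.Origin {
		return errors.New("origin mismatch: signed for another site (phishing)")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(rp.ID, as.Challenge, as.Origin), as.Signature) {
		return errors.New("invalid signature")
	}
	delete(rp.challenges, as.Challenge)
	return nil
}

func main() {
	rp := NewRelyingParty("example.com", "https://example.com")
	device, _ := rp.Register("cred-1")
	as, _ := device.Sign("cred-1", rp.NewChallenge(), "https://example.com")
	fmt.Println("login:  ", rp.Verify(as)) // <nil>
	fmt.Println("replay: ", rp.Verify(as)) // challenge already used
	// Relay phishing: examp1e.com forwards a real challenge, but the browser records the true origin.
	phished, _ := device.Sign("cred-1", rp.NewChallenge(), "https://examp1e.com")
	fmt.Println("phished:", rp.Verify(phished)) // origin mismatch
}
```

Two things the example makes visible: the server stores nothing that can be replayed (a dump of pubKeys is useless to an attacker), and a relayed login fails because the origin is part of what the device signed. In a real browser the phishing site would not even obtain a signature, since the browser refuses to exercise a credential whose rpId is not a registrable suffix of the page's origin; the origin check in Verify is the relying party's own defence in depth on top of that.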
Because this is such an important next step in the journey to passwordless, FIDO is developing standards around the document verification process, facial recognition, and liveness detection. The best practice for storage of a biometric, or any credential for that matter, is that it reside on the user's device rather than in a central database.
I haven't tried it out yet, but I understand that eBay now lets you use your platform authenticator instead of a password.
With regard to FIDO standards and decentralized identity: right now there is no direct collaboration, although many of the same participants are involved in both conversations. FIDO is not an identity solution, and decentralized identities are not authentication solutions, so at some point these two worlds will need to converge.
Another area to watch is the Internet of Things (IoT), which is projected to grow to almost 32 billion devices by 2025 (https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide). IoT devices often have no password, or an easy-to-guess default password, and so can be considered a "weak link". There are two main scenarios tied to the IoT use case:
1) Trusted installer: This is like you setting up a Ring Doorbell or an Alexa at home. You are setting up your own access/authentication credentials (a QR code might even be used in the setup).
2) Untrusted installer: This is more like a manufacturing environment where a contractor is setting up thousands of devices but doesn't really have the authority to configure the security on them. FIDO is exploring rapid and secure methods of onboarding devices in this untrusted setting, with a solution that could be ready as early as Q2 2021.

So keep watching the evolving FIDO trends, and keep your customers safe. One plug for my company LexisNexis Risk Solutions - with our products and services you can validate the user's digital identity and physical identity with one API call, including identity validation, and we're the biggest player in the market.
Let me know your thoughts.