Leverage passwordless authentication for better experiences and security
This is a guest post by Ben Goodman, SVP of Global Business and Corporate Development at ForgeRock
The average consumer has dozens of accounts, from email to banking to social media, that rely on passwords for access. This can result in an unmanageable number of username and password combinations, and many consumers reuse login credentials across accounts. This phenomenon has pushed passwords to the top of the list of attack vectors used in data breaches. If a breached password was reused across multiple sites, the cybercriminal now has the resources to commit ongoing fraud. To combat this, passwordless authentication has emerged as the go-to solution, with biometrics leading the charge.
How biometrics started the passwordless revolution
Previously, biometrics were not widely used because the sensors were costly and of low quality. In addition, consumers simply did not trust the new passwordless solutions. The process of eliminating passwords began with the use of biometrics in smartphones in the form of facial recognition or fingerprint scanning. These solutions changed how we authenticate and access our devices. Today, a majority of Americans own a smartphone (81 percent) and likely use a form of passwordless authentication multiple times a day.
As smartphones have become pervasive, users now trust this method of authentication. What’s more, sensors are less expensive and easier to embed due to their widespread use in devices. However, passwords, PINs and usernames for applications and services are stored within the device’s secure element for authentication. While convenient for the user, the login credentials are present and could potentially still be exploited by a hacker.
Because of this risk, the Fast IDentity Online (FIDO) Alliance was formed to create free, open standards for passwordless authentication. FIDO, alongside WebAuthn, provides an API that can be implemented on any website or service and communicates directly with the browser to initiate FIDO-based authentication. Together, FIDO and WebAuthn process the biometric information to authenticate from the app the user wants to access.
Ensuring security with passwordless solutions
As passwordless authentication solutions hold the data of the user’s fingerprints, facial characteristics or iris, organizations must have the proper security measures in place to ensure customers have a secure, frictionless experience, including:
- If stored centrally, make sure data is non-reversible. Data consumed by the application should be hashed so that it cannot be reassembled. Biometric data must be put through a non-reversible algorithm and stored centrally in a secure form.
- Multi-modal authentication systems. Multi-modal solutions are useful where a company wants to offer a choice of authentication mode, from iris scan to facial recognition or thumbprint scan. With this approach, organizations provide the user with the same choices. Additionally, these systems offer a management layer, a user experience layer, and developer tools that make the solution adaptable to any device.
- Behavioral authentication. Create behavioral biometric profiles for users by collecting and analyzing human-device interactions, such as scrolling patterns, finger size and speed. These can help determine if the user is a human or a bot, thus protecting the device from an intrusion.
- Device reputation. Look for an organization that can track devices involved in illicit behavior. This helps verify whether the device is trustworthy or appears to have been compromised.
Regardless of the passwordless authentication solution an organization uses, it must layer in behavioral biometrics and device reputation, among other security solutions, to ensure the user is protected. Cybercriminals can use breached passwords well beyond the original incident, potentially causing extensive fraud against the victim. Organizations must take this into consideration and rethink their approach to the user-login journey – which in turn can create a better, more secure user experience.
About the author
Ben Goodman is Senior Vice President of Global Business and Corporate Development at ForgeRock. He is responsible for company-wide corporate development, global strategic partnerships and technology ecosystem efforts.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.