UK passwordless authentication guidelines include FIDO2 and MFA biometrics
The UK National Cyber Security Centre (NCSC) has published new guidelines to help businesses adopt passwordless authentication, including biometrics and FIDO2 solutions.
More specifically, the guide aims to provide organizations with secure and practical ways of authenticating customers who are accessing online services, particularly those in the retail, hospitality and utility industries.
The NCSC report opens by highlighting growing adoption rates in passwordless authentication and how these technologies can provide a higher security level than traditional passwords.
“Since the average user has so many online accounts, creating different passwords for all of them (and remembering them) is hard,” reads the post.
“Inevitably, users will devise their own strategies to cope with ‘password overload.’ This includes using predictable patterns to create passwords or re-using the same password across different systems.”
According to NCSC, attackers regularly exploit these coping strategies, leaving both customers and organizations vulnerable.
To increase the security of online authentication, the guide describes four categories of passwordless access: multi-factor authentication (MFA), OAuth 2.0, FIDO2, and magic links together with one-time passwords (OTPs).
“The most common authentication method that goes ‘beyond passwords’ is to implement multi-factor authentication,” reads the guide.
As a second factor, MFA can use PIN codes, security tokens generated by a USB device, biometric details (such as fingerprints or face scans), or smartphone apps.
NCSC adds that the most appropriate second factor to use during MFA implementation will depend upon the organization’s services and that providing users with a choice of second factors will ensure companies cover the broadest customer base.
The post then looks at the OAuth 2.0 protocol, the basis of single sign-on (SSO), which lets customers sign in to a new service using an existing account (e.g., Google or Facebook).
NCSC says that while OAuth 2.0 lets users benefit from their provider’s security measures (including MFA), it also makes authentication dependent on the provider’s availability. Further, an attacker who compromises the user’s account at the provider gains access to every service that relies on that provider for authentication.
“For this reason, the security posture of the OAuth should be considered, and only OAuth providers which demonstrate appropriate security should be selected,” reads the post.
Next, NCSC explores FIDO2 authentication, in which the credential lives either on a personal device such as a smartphone or laptop with a trusted platform module (TPM) or on a physical USB security key (often with built-in biometrics); it can be used for passwordless logins or as a second factor.
The Security Centre says that, in most cases, users would be responsible for purchasing the token, and losing it means losing the ability to authenticate to the service, so users should register a backup authenticator.
“Whilst major phone and computer vendors are enabling FIDO2 natively on their devices […] there remain a number of adoption barriers including usability and upfront cost,” reads the guide.
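The distinction the guide draws, FIDO2 as a passwordless login versus as a second factor, shows up concretely in what the relying party must check when the browser returns an assertion. The following is an added example, not code from the NCSC guide: the checks a server performs on `clientDataJSON` and `authenticatorData` before verifying the signature, with a `passwordless` switch that demands the user-verification flag (PIN or biometric on the authenticator) rather than mere presence. `RP_ID`, `ORIGIN` and the `make_*` sample builders are assumptions for illustration; the cryptographic signature check over `signed_payload()` against the stored credential public key is not included.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import struct

# Assumed relying-party values for this example (not from the NCSC guide).
RP_ID = "login.example.test"
ORIGIN = "https://login.example.test"

FLAG_UP = 0x01   # user present: someone touched the authenticator
FLAG_UV = 0x04   # user verified: PIN or biometric checked on the authenticator itself


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    # Layout: rpIdHash (32) | flags (1) | signCount (4, big-endian) | optional extensions
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    stored_sign_count: int, passwordless: bool) -> tuple[bool, str]:
    """Relying-party checks that precede signature verification. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"          # stale or replayed response
    if cd.get("origin") != ORIGIN:
        return False, "origin mismatch"             # response produced on another origin
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"           # credential scoped to a different RP
    if not ad["flags"] & FLAG_UP:
        return False, "user not present"
    if passwordless and not ad["flags"] & FLAG_UV:
        return False, "user verification required"  # passwordless = possession + PIN/biometric
    if ad["sign_count"] != 0 and ad["sign_count"] <= stored_sign_count:
        return False, "signature counter did not increase"  # possible cloned authenticator
    return True, "ok"


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator signed; the stored public key verifies the signature over this."""
    return auth_data + hashlib.sha256(client_data_json).digest()


# Constructed sample inputs standing in for what a browser would post back.
def make_client_data(challenge: bytes, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

When the same credential is used only as a second factor (password already entered), `passwordless=False` accepts a presence-only touch; as the sole factor it must carry UV, otherwise a stolen key alone is enough to log in. The counter check is what catches a cloned authenticator replaying an older state, which is one reason the guide's advice to register a backup is preferable to copying a credential.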
Finally, NCSC explores magic links and OTPs as a method of passwordless authentication, saying they provide an easy user experience that eliminates forgotten passwords and exposure to password breaches. While convenient, the guide explains that these technologies share the same limitation as phone-based MFA factors.
“As with MFA, if a criminal has access to a user’s phone, they could access accounts associated with that phone number.”
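The server-side half of magic links and OTPs is where most implementation mistakes live: codes that never expire, links that can be clicked twice, secrets stored in the clear, or six-digit codes that can be brute-forced. The following is an added example, not code from the NCSC guide, of an issuer that covers the second-factor codes mentioned earlier in the article as well as magic links: every secret is single-use, time-limited, stored only as a hash, compared in constant time, and attempt-limited. The TTL and attempt values, the in-memory store and the `PasswordlessIssuer` name are assumptions for illustration; delivery to the user's phone or mailbox is outside the example, which is also why it cannot fix the limitation the guide describes.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not from the NCSC guide).
OTP_TTL_SECONDS = 300       # a 6-digit code is short-lived
LINK_TTL_SECONDS = 900      # a magic link lives a little longer
MAX_ATTEMPTS = 5            # a 6-digit code is guessable without a cap


@dataclass
class PendingChallenge:
    secret_hash: bytes   # SHA-256 of the code/token; the secret itself is never stored
    expires_at: float
    used: bool = False
    attempts: int = 0


class PasswordlessIssuer:
    """Issues and verifies single-use, time-limited OTP codes and magic-link tokens.

    Storage is an in-memory dict keyed by user id; a real service would use a database.
    """

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock so expiry can be exercised offline
        self._pending: dict[str, PendingChallenge] = {}

    @staticmethod
    def _hash(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def issue_otp(self, user_id: str) -> str:
        # CSPRNG, zero-padded so every code is exactly 6 digits.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingChallenge(self._hash(code), self._now() + OTP_TTL_SECONDS)
        return code   # handed to the SMS/email sender; never written to logs

    def issue_magic_link(self, user_id: str, base_url: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of entropy; not guessable by brute force
        self._pending[user_id] = PendingChallenge(self._hash(token), self._now() + LINK_TTL_SECONDS)
        return f"{base_url}?user={user_id}&token={token}"

    def verify(self, user_id: str, presented: str) -> bool:
        ch = self._pending.get(user_id)
        if ch is None or ch.used:
            return False                   # nothing outstanding, or already consumed (replay)
        if self._now() > ch.expires_at:
            del self._pending[user_id]     # expired: the user must request a fresh one
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]     # too many guesses: invalidate rather than keep trying
            return False
        if not hmac.compare_digest(ch.secret_hash, self._hash(presented)):
            return False                   # constant-time compare; no timing leak on the hash
        ch.used = True                     # single use: a second click or submit of the same value fails
        return True
```

Issuing a new challenge replaces the old one and resets its attempt counter, so a production service also needs rate limiting on issuance itself; otherwise an attacker can request codes indefinitely and get fresh guesses each time.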
For practical examples of each of these passwordless authentication methods, see the full NCSC guide.