FB pixel

UK passwordless authentication guidelines include FIDO2 and MFA biometrics

Categories Access Control  |  Biometrics News
UK passwordless authentication guidelines include FIDO2 and MFA biometrics

The UK National Cyber Security Centre (NCSC) has published new guidelines to help businesses adopt passwordless authentication, including biometrics and FIDO2 solutions.

More specifically, the guide aims to provide organizations with secure and practical ways of authenticating customers who are accessing online services, particularly those in the retail, hospitality and utility industries.

The NCSC report opens by highlighting growing adoption rates in passwordless authentication and how these technologies can provide a higher security level than traditional passwords.

“Since the average user has so many online accounts, creating different passwords for all of them (and remembering them) is hard,” reads the post.

“Inevitably, users will devise their own strategies to cope with ‘password overload.’ This includes using predictable patterns to create passwords or re-using the same password across different systems.”

According to NCSC, attackers regularly exploit these coping strategies, leaving both customers and organizations vulnerable.

To increase the security of online authentication, the guide describes four categories of passwordless access: multi-factor authentication (MFA), OAuth 2.0, FIDO2, magic links and one-time passwords (OTP).

“The most common authentication method that goes ‘beyond passwords’ is to implement multi-factor authentication,” reads the guide.

MFA can use as a second factor PIN codes, security tokens generated by a USB device, biometric details (such as fingerprints or face scans), and smartphone apps.

NCSC adds that the most appropriate second factor to use during MFA implementation will depend upon the organization’s services and that providing users with a choice of second factors will ensure companies cover the broadest customer base.

The post then looks at the OAuth 2.0 protocol, used in single sign-on (SSO) authentication, which enables customers to sign in to a new service using their existing account (e.g., Google or Facebook).

NCSC says that while OAuth 2.0 enables users to take advantage of their provider’s security measures (including MFA), it also depends on that provider’s server status to complete authentication. Further, should an attacker compromise the credentials of the provider’s account, this method will let them have access to the services that use it for authentication.

“For this reason, the security posture of the OAuth should be considered, and only OAuth providers which demonstrate appropriate security should be selected,” reads the post.

Next, NCSC explores FIDO2 authentication, which can include a personal device like a smartphone or laptop with a trusted platform module (TPM) or a physical USB key (often with built-in biometrics) and can be used for passwordless logins or as a second factor.

The Security Centre says that, in most cases, users would be responsible for purchasing the token and losing it means losing the ability to authenticate to the service they’re trying to access, so they should register a backup.

“Whilst major phone and computer vendors are enabling FIDO2 natively on their devices […] there remain a number of adoption barriers including usability and upfront cost,” reads the guide.

Finally, NCSC explores magic links and OTPs as a method of passwordless authentication, saying they provide an easy user experience, eliminating forgotten passwords and password breach issues. While convenient, the guide explains that these technologies share the same limitations as device-based MFA.

“As with MFA, if a criminal has access to a user’s phone, they could access accounts associated with that phone number.”

For practical examples of each of these passwordless authentication methods, the NCSC guide is available here.

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News


Australia, Nigeria announce moves to ease digital birth registration

Governments in Australia and Nigeria are working on digital birth registration to make it easier for parents to qualify their…


Biometric video injection attacks getting easier; ID R&D helps devs mitigate

Through the use of generative AI and open-source tools, hackers are gaining the ability to easily create deepfakes and voice…


Innov8tif patents document authenticity check method to boost IDV security

Smartphones play a central role in remote identity verification (IDV), enabling a host of advanced functionalities that compliment biometrics, including…


Idemia and Iowa collaborate on mDLs in Samsung Wallet

Idemia is bringing mobile ID to Samsung Wallet in Iowa, in collaboration with the state’s Department of Transportation (DOT). The…


UNHCR to seek provider for BIMS lightweight fingerprint and iris scanners

Biometrics firms should be aware of a forthcoming procurement opportunity with the United Nations High Commissioner for Refugees (UNHCR), which…


IDnow and Idiap researchers create biometric PAD dataset for better generalization

A new dataset for conducting research on facial recognition presentation attack detection (PAD) has been developed by a team of…


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events