Sunday, April 16, 2023

Passwordless authentication and MFA

There is a push to stop using passwords to authenticate into systems. In 2020 Microsoft announced in its blog that it hopes to make its customers go passwordless in 2021. They plan on achieving it by using FIDO2 security keys such as Yubikey, (smart) phone-based sign-in tools such as the Microsoft and the Google Authenticators, and biometric tools such as fingeprint authentication. They are not alone; Apple and Google have also working on that not only to login to their devices but also websites and apps.

Here is the fun part: those solutions are being pushed as "you only need to pick one of them and you are secure!" Want to login to your phone? Just show your face! Get into your house? Stick your finger at it! How about your bank? Click on something in your phone! So, what it is doing is replacing one form of authentication -- passwords (boo! Hiss!) with a passwordless solution.

What is wrong with this picture?

Does anyone remember Multi Factor Authentication (MFA)? The idea is to use more than one form of authentication so if one is compromised your account is still not compromised. That was usually done by using one authentication from each of the following groups:

  • Something you know. Like a password.
  • Something you have. Like a badge or a Yubikey.
  • Something you are. Like your Iris.
The so-called passwordless solutions being mentioned started their lives as a second factor in the MFA design, but now they are being pushed as the only form of authentication required. That implies those companies do think they are very strong against attacks to be used on their own.

When the FBI and the CISA announced MFA can be hacked, they are really talking about the secondary, passwordless, authentication of the MFA process, password being the primary (which has its own issues, but we are talking here about increasing the odds that the multiple authentications will not all be compromised at the same time). is not a panacea. Like everything else, passwordless authentication can be hacked;see the Uber data breach.

Bottom line

Passwords can be compromised. Passwordless authentication can also be compromised. There is no panacea. Both together should be a bit more secure than each of them. If you are bound not to have passwords at all, get two distinct MFA systems.

As the old say goes, Two is One, One is None.