For more than a decade, we’ve been promised that a world without passwords is just around the corner, yet year after year, this security nirvana proves just out of reach. Now, for the first time, a viable form of passwordless authentication is about to become available to the masses in the form of a standard adopted by Apple, Google, and Microsoft that enables cross-platform, multi-service passwords.
Passwordless schemes pushed in the past suffered from a number of problems. A key deficiency was the lack of a viable recovery mechanism when someone lost control of the phone numbers, physical tokens, or phones linked to an account. Another limitation was that most solutions ultimately failed to be truly passwordless. Instead, they gave users the option to log in with a facial scan or fingerprint, but these systems eventually fell back on a password, and that meant phishing, password reuse, and forgotten passcodes, all the reasons we hate passwords to begin with, remained.
A new approach
What’s different this time is that Apple, Google, and Microsoft seem to agree on the same well-defined solution. Not only that, but the solution is easier than ever for users and less expensive to implement for big services like GitHub and Facebook. It has also been painstakingly designed and reviewed by authentication and security experts.
Current multi-factor authentication (MFA) methods have made significant advances in the last five years. Google, for example, allows me to download an iOS or Android app that I use as a second factor when signing in to my Google account from a new device. Based on CTAP, short for Client to Authenticator Protocol, this system uses Bluetooth to ensure that the phone is close to the new device and that the new device is, in fact, connected to Google and not to a site disguised as Google. That means it can’t be phished. The standard ensures that the cryptographic secret stored in the phone cannot be extracted.
Google also offers an advanced protection program that requires physical keys in the form of separate dongles or end-user phones to authenticate logins from new devices.
The big limitation at the moment is that MFA and passwordless authentication are implemented differently, if at all, by each service provider. Some providers, like most banks and financial services, still send one-time passwords via SMS or email. Recognizing that these are not secure means of transporting security-sensitive secrets, many services have moved to a method known as TOTP (short for Time-Based One-Time Password) to allow the addition of a second factor, which effectively augments the password with the factor “something I have”.
Physical security keys, TOTPs and, to a lesser extent, two-factor authentication via SMS and email represent a significant step forward, but three key limitations remain. First, TOTPs generated through authenticator apps and sent via text or email are susceptible to phishing, just like regular passwords. Second, each service has its own closed MFA platform. That means that even when using forms of MFA that don’t allow spoofing, such as separate physical keys or phone-based keys, a user needs a separate key for Google, Microsoft, and any other Internet property. To make matters worse, each OS platform has different mechanisms for implementing MFA.
These issues lead to a third: complete unusability for most end users, and the non-trivial cost and complexity each service faces when attempting to offer MFA.
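The phishing-resistant property described earlier for the CTAP-based sign-in, and the contrast with TOTP drawn above, comes down to one design decision: the authenticator signs over data that includes the origin the client actually connected to, and the key is scoped to one relying-party ID. The following added Python example (not code from the article, from the FIDO Alliance, or from any of the named providers) reduces a WebAuthn-style login to that essence. It assumes a toy Schnorr signature over secp256k1 written in pure Python in place of the real signature scheme, and the class and function names (Authenticator, RelyingParty, browser_get_assertion, demo) are ours; attestation, signature counters and the Bluetooth proximity check are left out.

```python
import hashlib
import json
import secrets

# secp256k1 domain parameters (well-known public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def sha256(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def point_bytes(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def schnorr_sign(d, pub, msg):
    """Toy Schnorr signature: R = k*G, e = H(R || pub || msg), s = k + e*d mod N."""
    k = secrets.randbelow(N - 1) + 1
    R = ec_mul(k, G)
    e = int.from_bytes(sha256(point_bytes(R), point_bytes(pub), msg), "big") % N
    return R, (k + e * d) % N

def schnorr_verify(pub, msg, sig):
    """Valid iff s*G == R + e*pub; the verifier only ever holds the public key."""
    R, s = sig
    e = int.from_bytes(sha256(point_bytes(R), point_bytes(pub), msg), "big") % N
    return ec_mul(s, G) == ec_add(R, ec_mul(e, pub))

class Authenticator:
    """Phone or security key: one key pair per relying-party ID; the private part never leaves."""
    def __init__(self):
        self._keys = {}  # rp_id -> (private scalar, public point)
    def make_credential(self, rp_id):
        d = secrets.randbelow(N - 1) + 1
        self._keys[rp_id] = (d, ec_mul(d, G))
        return self._keys[rp_id][1]  # only the public key goes to the relying party
    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self._keys:
            return None  # no credential scoped to this rpId: nothing to sign with
        d, pub = self._keys[rp_id]
        return schnorr_sign(d, pub, client_data_hash)

def browser_get_assertion(authenticator, origin, rp_id, challenge):
    """The client writes the origin it actually connected to into the signed data and
    only honours an rpId that matches that origin's host; the page controls neither."""
    host = origin.split("://", 1)[1]
    if host != rp_id and not host.endswith("." + rp_id):
        return None  # a real browser rejects this with a SecurityError
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    sig = authenticator.get_assertion(rp_id, sha256(client_data))
    return None if sig is None else (client_data, sig)

class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self.users = rp_id, origin, {}
    def verify(self, user, challenge, client_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
            return False  # stale or foreign challenge: replays are rejected
        if cd.get("origin") != self.origin:
            return False  # origin binding: an assertion made for a lookalike site is useless here
        return schnorr_verify(self.users[user], sha256(client_data), sig)

def demo():
    """Constructed scenario: genuine login, two lookalike-site attempts, a forged origin, a replay."""
    auth, rp = Authenticator(), RelyingParty("example.com", "https://example.com")
    rp.users["alice"] = auth.make_credential("example.com")
    ch = secrets.token_bytes(32)
    cd, sig = browser_get_assertion(auth, "https://example.com", "example.com", ch)
    forged = cd.replace(b"https://example.com", b"https://examp1e.com")
    return {
        "genuine": rp.verify("alice", ch, cd, sig),
        "lookalike_asks_for_real_rpid": browser_get_assertion(auth, "https://examp1e.com", "example.com", ch) is not None,
        "lookalike_uses_own_rpid": browser_get_assertion(auth, "https://examp1e.com", "examp1e.com", ch) is not None,
        "forged_origin": rp.verify("alice", ch, forged, sig),
        "replay_under_new_challenge": rp.verify("alice", secrets.token_bytes(32), cd, sig),
    }
```

Calling demo() returns True only for the genuine login. The lookalike host (examp1e.com, a constructed name) is stopped twice over: the client refuses to use an rpId that does not match the host it connected to, and if the site asks for its own rpId the authenticator has no credential scoped to it. Rewriting the origin field after the fact fails the relying party's origin check, and replaying an old assertion fails the challenge check. Compare this with the TOTP code, which is accepted by whoever presents it within the time window.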