Password-less: Your Thoughts

[Orchid]

MalwareTips Community,

We all know passwords have been a topic in passwords leaked online/data breaches, how to make passwords secure, etc. However, only recently have there been talks about getting rid of passwords and going passwordless. Big Tech companies such as Google, Microsoft, and Apple are implementing password-less technology. However, what concerns me is the methods for password-less:

• Biometric Authentication
• Magic Links
• One Time Passwords (OTP)
• Push Notifications
• Authentication Apps

According to the article linked below, Kobi Ben-Meir briefly discuss the benefits of going password-less and choosing the best method for people going password-less for businesses. However, these password-less methods are also not secure (from my point of view). A hacker can still steal the authentication of some of these methods. Truthfully, I would stick to using a password or passphrase and use multi-factor authentication.

So what are your thoughts on password-less?

The Benefits Of Passwordless Authentication And How To Choose The Right Method

 

[HarborFront]

Great with no need to remember passwords

Wait. Assuming you got 100 accounts. Can you remember what combination of

PIN Code
Swipe Patterns
Fingerprint ID...........remember you got 10 finger digits
Face ID (secure method)
Passphrase
Hardware security key
Authenticator app

for the 100 accounts?

I can't. So I still need to keep a hard copy of the 100 accounts with the various combinations as mentioned..........



Ok thats for the remembering part.

Now comes which combi type is the best.

1) Use of hardware security key and secure face ID or authenticator app. If the site/app permits the use of hardware security key then use it

2) Use of secure face ID (or fixed 1 or 2 fingers) and authenticator app

You only have 1 face and the authenticator app will generate numbers you don't need to remember. Forget the rest of the methods if you want to simplify your life. Some phones do not have secure face ID so just use your fixed 1 or 2 fingers will do

 

[ForgottenSeer 98186]

Benefits of fingerprint biometrics

• Overall, fingerprint biometrics is considered to be highly secure and a common method of protection.
• Fingerprints are hard to fake and more secure than a password or token.
• Fingerprint data is stored directly in the device itself, making it more secure and less prone to potential privacy issues or data breaches.

Fingerprint Biometrics: Definition & How Secure It Is | Okta

Fingerprint biometrics are a tool used to identify and authenticate persons for security purposes. Find out where biometric identification and authentication are used.

www.okta.com

What are the challenges of using magic links?
Magic links may offer stronger protection than passwords, but they come with several security blindspots to address:

• Security is tied to the user’s email account. This presents its own set of security risks. Magic emails may be sent insecurely between mail servers and could be visible to employees at the user’s email provider. User inboxes are also easily accessible on unattended devices. To keep magic emails secure beyond doubt, users need to protect their email accounts with multi-factor authentication.
• Admins have no control over link sharing. As with passwords, poor security behaviors introduce vulnerabilities. Admins have no way to see or prevent users from sharing confidential links with others.
• Susceptible to man-in-the-middle attacks. Unless users access their emails through encrypted networks, hackers can intercept less secure connections and steal the session token from a magic link.

Magic Links: Passwordless Login for Your Users

Okta’s complete guide on magic links. Learn how magic links work, how to use them for passwordless login, their benefits and challenges, and more.

www.okta.com

OTP (One Time Passwords) security tokens have their ups and downs

Hard tokens, like RSA SecureID, are a definite upgrade over SMS-based OTPs—relying on something the user has in their possession makes them less exploitable than knowledge-based authentication. What’s more, an OTP device such as Universal 2nd Factor (U2F) authentication security keys use asymmetric encryption algorithms to ensure that the OTP never leaves the token, effectively meaning it can’t be leaked.

However, the tangible nature of hard tokens also works against them. Users need to carry around another device, which can get lost, damaged, or stolen. This makes OTP tokens challenging for IT to maintain, particularly in large organizations, and can compromise security when in the wrong hands.

What is a One-Time Password (OTP)?

A one-time password or passcode (OTP) is a string of characters or numbers that authenticates a user for a single login attempt or transaction. An algorithm ...

www.okta.com

How Secured Is Push Notification Authentication?
The security of push authentication depends on the security of the application receiving the push notification and the device on which it is running. Security, therefore, varies by implementation and security posture of the host device.

Push Notification Authentication Pros and Cons | Secret Double Octopus

analysists and security professionals recomand Push notification as a secured alternative to SMS and OTP, lets see how it works.

doubleoctopus.com

 

[MuzzMelbourne]

99.9% of the time I use a password because I'm forced to by the service/app provider. Sure, banking, legal, private... need a password and secondary authentication, but only if you are transacting online. But, 2FA to get to an article on Ubuntu Forums? Or keep track of your view history on Youtube, etc. Surely life would be simpler if we could choose yay or nay to enter into the whole password thingy in the first place.

 

[piquiteco]

@Orchid You forgot to mention Yubikey Security Key,Titan Security Key,etc...and then who knows PassKey maybe passwordless login is future.

 

[Zero Knowledge]

@Orchid You forgot to mention Yubikey Security Key,Titan Security Key,etc...and then who knows PassKey maybe passwordless login is future.

That's where we are headed. YubiKeys/Security Keys will become very common over the next 5 years. All corporate/business logins will need it and 2FA.

The threat landscape has already shifted, and attackers are now intercepting and phishing for MFA codes and push notifications.

It's the constant arms race between attackers and defenders or good vs evil.

 

[Ink]

If it's easy to use, more will use it.

• Biometric Authentication
• Magic Links
• One Time Passwords (OTP)
• Push Notifications
• Authentication Apps

I use all of the above, some services don't have/allow one or the other.

As for passwords themselves, if it's the case of Netflix forcing logins after 30 days to prevent account sharing. Passwords will be the weakest link. No one wants to type-in a 24 alphanumeric password using a TV remote (exaggerated). I'm not a Netflix account holder to know what account security they offer.

 

[ForgottenSeer 98186]

That's where we are headed. YubiKeys/Security Keys will become very common over the next 5 years. All corporate/business logins will need it and 2FA.

Hardware keys? Not so much

• Companies do not want to pay for them (imagine a $250,000 budget for YubiKeys, they can get more comprehensive protection with that money)
• Employees loose keys
• SMBs are more likely to have a better experience with keys

2FA? Yes

• It is already very common as part of identity management, such as Duo, Okta, Delinea, SalPoint, etc

 

[Orchid]

@Orchid You forgot to mention Yubikey Security Key,Titan Security Key,etc...and then who knows PassKey maybe passwordless login is future.

@piquiteco, I never really heard about YubiKey until recently and didn't know what it was until researching it yesterday. Thank you for mentioning it to me.

If it's easy to use, more will use it.


I use all of the above, some services don't have/allow one or the other.

As for passwords themselves, if it's the case of Netflix forcing logins after 30 days to prevent account sharing. Passwords will be the weakest link. No one wants to type-in a 24 alphanumeric password using a TV remote (exaggerated). I'm not a Netflix account holder to know what account security they offer.

@Ink, I use Netflix consistently, and Netflix doesn't have any account security, as far as I'm aware. Netflix has a Profile Lock where you have to enter a PIN to access your profile, and there is an option to enter your phone number, but I don't know if Netflix would use that as a form of authentication. I will do some research and get back to you on that.

That's where we are headed. YubiKeys/Security Keys will become very common over the next 5 years. All corporate/business logins will need it and 2FA.

The threat landscape has already shifted, and attackers are now intercepting and phishing for MFA codes and push notifications.

It's the constant arms race between attackers and defenders or good vs evil.

@Zero Knowledge, Maybe/Maybe not. YubiKey does have vulnerabilities too. The YubiKey validation server is cloud-based. If a hacker can get to the server, it might be game over, and you have to trust the company won't do any suspicious activity. From my research (so far), FIDO2/WebAuth is the most secure way to secure a passwordless account.

References
PrivSec - Multi-Factor Authentication
YubiCo OTP

 

[ForgottenSeer 98186]

@Zero Knowledge, Maybe/Maybe not. YubiKey does have vulnerabilities too. The YubiKey validation server is cloud-based. If a hacker can get to the server, it might be game over, and you have to trust the company won't do any suspicious activity. From my research (so far), FIDO2/WebAuth is the most secure way to secure a passwordless account.

References
PrivSec - Multi-Factor Authentication
YubiCo OTP

The links above are for developers that wish to implement Yubico technology on their websites or in their applications.

Your interpretation of the documentation is incorrect. The Yubikey validation server for OTP is implemented on the web services server - for those that want to implement Yubikey as a 2FA method on their website.

The Yubikey you buy from Yubico is not sending anything to Yubico. A Yubikey stores no data, needs no network connection, and does not run on software.

The only contact ever necessary with Yubico is to register and activate the Yubikey remotely, which saves no user information.

 

[cruelsister]

FIDO2/WebAuth is the most secure way to secure a passwordless account.

Absolutely! The advent of quantum computing will eventually make this mandatory (unless Quantum2FA is implemented).

A good overview of the stuff Orchid (love that name- I have ~40 myself) mentions can be seen here (with WebAuthn at 6:33):

 

[ForgottenSeer 69673]

I agree, Orchid is a nice non hostile looking name. I am in that boat for sure!!!!

 

[MuzzMelbourne]

I like cruelsister - but only have one of those...

 

[kC77]

I'm a big fan of the yubikey bio... Use it for every service I can, so much more secure.. quicker and easier than totp... Fido/webauthn no need to register it and unlike the normal non bio yubikeys you at least have the requirement of biometrics instead of just "any human can touch it"

I would worry about owning a non biometric yubikey about "if I was in an accident or incapacitated.. Or death..." With a standard key the only protection is the pin you have set.

With a non biometric key I'd really worry about storage and placement of my backup key..

With existing totp it was such a bind to open an authenticator app... Copy a code ... Sometimes waiting for it to timeout.. Then pasting it, that quite often I just click "trust this device/remember me"
While 2fa is good... Its the fact or saving that device that leads to a potential weakness.

With the yubikey bio and the supported services I have no need to "trust or remember" any device ... Just an extra prompt to tap my key and read biometrics for 2fa... Takes 2 seconds.


Sites still requiring totp seem old school... And often out of laziness if its generic site/forum or something non critical I'll Just "trust this device"
Even so this is only on devices I own and trust.

Yubikey bio..Amazing device... Highly reccomend.

 

[TairikuOkami]

You can always change your password, if something happens, but you can not change your face nor fingeprint, they could even get damaged, not to mention you can simulate any face or a voice and a fingeprint can be stolen from a video or a photo! A few months MS has a big outage, people could not use passwordless login for hours, MS suggestion was to use a password.

 

[HarborFront]

I'm a big fan of the yubikey bio... Use it for every service I can, so much more secure.. quicker and easier than totp... Fido/webauthn no need to register it and unlike the normal non bio yubikeys you at least have the requirement of biometrics instead of just "any human can touch it"

I would worry about owning a non biometric yubikey about "if I was in an accident or incapacitated.. Or death..." With a standard key the only protection is the pin you have set.

With a non biometric key I'd really worry about storage and placement of my backup key..

With existing totp it was such a bind to open an authenticator app... Copy a code ... Sometimes waiting for it to timeout.. Then pasting it, that quite often I just click "trust this device/remember me"
While 2fa is good... Its the fact or saving that device that leads to a potential weakness.

With the yubikey bio and the supported services I have no need to "trust or remember" any device ... Just an extra prompt to tap my key and read biometrics for 2fa... Takes 2 seconds.


Sites still requiring totp seem old school... And often out of laziness if its generic site/forum or something non critical I'll Just "trust this device"
Even so this is only on devices I own and trust.

Yubikey bio..Amazing device... Highly reccomend.

Does it works on android phone? The website didn't say so

YubiKey C Bio - FIDO Edition

YubiKey C Bio - FIDO Edition

www.yubico.com

And how is it compared to the YubiKey 5C NFC without bio?

 

[ForgottenSeer 98186]

For FIDO2 that supports Windows logon, I have had good results with cheap Thetis keys:

Thetis

Protect Your Online Account

thetis.io

For logins to Microsoft account managed devices and all the types of Microsoft cloud account logons - Office 365, Skype, OneDrive, etc - I think the only real option is Yubikey although there are other options such as Fetis:

Blog

Learn more about what's happening within the tech and cybersecurity industry and the developments in our business and security keys within our Yubico Blog.

www.yubico.com

 

[monkeylove]

I think they're still requiring passwords, but include OTP, etc.

 

[Thales]

They can steal your fingerprint and your face but they cannot steal your thoughts. So, password is still the best.

 

[kC77]

Does it works on android phone? The website didn't say so

YubiKey C Bio - FIDO Edition

YubiKey C Bio - FIDO Edition

www.yubico.com

And how is it compared to the YubiKey 5C NFC without bio?

it works on my pixel 7 usb c needs to be plugged in as the bio has no nfc

the bio is much more basic, it only supports fido/webath but requires biomentric touch
the 5nfc has much more features fido/webauth/otp/challenge response/customizable slots etc and can be used with nfc ... way more features, but only requires a touch from any human which im not a fan of (unless you protect it with a really really strong pin.... then you would have to enter that each time)