“Forgot your password?”
It’s a question many of us have far too often given the answer “yes” to. Although passwords have been fixtures of online and local system authentication for decades, they are also seriously flawed in some respects, being prone to recycling across multiple accounts, as well as complex requirements that make them very easy to forget.
Worst of all, password-based security by itself is not sufficient for strong authentication in a world of frequent data breaches, phishing campaigns, and dictionary attacks. All of these threats heighten the risk of sensitive login information falling into the wrong hands or needing to be routinely reset to prevent any unauthorized access.
In this context, second factor authentication – also widely known as two-factor authentication, or 2FA for short – has come to the fore. Via technologies such as web fingerprint authentication, 2FA has emerged as a viable alternative and supplement to passwords. It may also be referred to as multi-factor authentication (MFA), either synonymously or to indicate an even more elaborate authentication scheme requiring more than two pieces of information.
Understanding the rise of 2FA: How it strengthens security by going beyond the password
A 2018 survey of 28 million users by researchers at Virginia Tech University and Dashlane found that 52% of respondents had reused their passwords across multiple services. This is risky, for two reasons:
- First, many of these passwords are simple codes like “123456” and as such are relatively easy to guess. When recycled, they expose multiple accounts to the possibility of being broken into via dictionary attacks or thefts stemming from data breaches.
- Second, if such a straightforward password and user ID combination are all that’s needed at login, a cyberattacker only needs one correct entry attempt to gain unfettered access to the account.
Creating stronger passwords, each one unique to its account, would seem like the obvious solution to this overarching problem.
However, doing so requires meeting very specific password requirements – for example, having to incorporate alpha-numerics and certain approved special characters – that vary by site, plus remembering or keeping track of all of these different logins. Indeed, the ongoing proliferation of online accounts tied to mobile, desktop, and web applications has increased the burden of keeping up with a large volume of passwords and ensuring that each one is adequately robust. A 2017 McAfee survey found an average of 23 password-protected accounts per respondent.
On the bright side, major browsers including Apple Safari, Google Chrome and Mozilla Firefox now feature built-in password management features for generating, storing and auto-filling complex logins. There are also numerous dedicated password managers that can be used in conjunction with these same browsers and/or on their own to handle multiple credentials.
Nevertheless, the second problem discussed earlier still applies. Even with a sufficiently complex password in place, all it takes is that login being breached for sensitive data to be put in danger. Unfortunately, this happens quite frequently. Incidents such as the 2015 breach of workplace messenger Slack and the 2019 event affecting e-commerce platform StockX involved leaked passwords and forced resets, underscoring the risks to users and the added overhead for IT departments and security teams.
This is where second-factor authentication makes all the difference. With 2FA or MFA configured, any successful input of a password must be followed by entering another factor, such as a one-time security code sent via email or SMS, an answer to a security question, or a hardware device, e.g. one with built-in web fingerprint authentication.
It’s also possible for strong authentication mechanisms to replace passwords entirely as part of a passwordless 2FA or MFA configuration. The FIDO2-compliant Windows Hello for Business solution from Microsoft is one way to setup passwordless 2FA. It uses a strong credential, such as a private key generated for and associated with a device, as one factor, and a device-specific PIN or biometrics as the other. The FIDO2 standard, overseen by the Fast IDentity Online (FIDO) Alliance, envisions a world without the text-based passwords used today that put accounts routinely in harm’s way.
The technical details of any authentication method that will supplement or replace a password matter greatly given the high stakes for preventing unauthorized access and confirming that each user is who they purport to be. Not all forms of second factor authentication are created equal.
For example, older 2FA security measures such as personalized questions are highly vulnerable to subversion. Google researchers once estimated that an attacker would have almost a 1 in 5 chance of successfully guessing an English-speaking user’s answer to the common security question “What is your favorite food?” SMS texts and emails, both popular forms of 2FA, can be intercepted.
That makes hardware-oriented solutions, such as confirmation through a separate device/channel or unique biometric credentials via a FIDO2 solution, the most robust options remaining. Biometrics, in particular, provides a strong alternative to both other forms of second factor authentication, and to passwords themselves.
Why biometrics are ideal for strong second factor authentication
Think about the shape of your fingerprint or what your face looks like. Unlike a textual password, it’s unique and can’t easily be stolen or guessed. The chances of two people having identical fingerprints is 1 in 64 billion. It, therefore, is a much more reliable indicator that the individual attempting authentication is truly authorized and not an imposter or cyberattacker.
Moreover, when it’s incorporated into a standardized solution such as a FIDO Universal Second Factor (U2F)-certified fingerprint scanner, it’s guaranteed to meet certain requirements for reliability and data security, while also being compatible with a wide variety of services that adhere to the same standards. Let’s look at how web fingerprint authentication in particular works and how it can improve the essential authentication security measures of anything from a web app to an email account.
To start with, a fingerprint scanner reads and then stores a record of the user’s fingerprint, which is used as a reference point each time that same user tries to use it for 2FA or MFA purposes. How a biometrics solution handles this biometric data is important, though.
If it puts that information into a plain text file that is stored on breachable infrastructure, then many of the advantages of biometric security disappear. An August 2019 breach of a biometric database underscored the risks. Imagine having your readable fingerprint data exposed, but naturally being unable to change your fingerprint. Keeping the data only on the local device is essential.
Under the hood, if a fingerprint scanner follows FIDO U2F specifications, it uses a type of public-key cryptography in conjunction with a private key built directly into the trusted hardware. This type of asymmetric cryptography hinges on the biometric credential (the fingerprint, in this case), which in addition to being unique to the original device holder is further strengthened by the hardware’s features for preventing both false negatives and false positives.
Minimizing those incidents is essential, as it preserves the key value propositions of using biometrics in the first place, namely:
- High convenience: Rather than having to enter a long password or one-time code, or spend time trying to remember the answer to a security question, authentication is virtually instant and highly reliable, with a negligible error rate.
- Strong and dependable authentication: At the same time, this ease of use doesn’t compromise the integrity of the login. Biometrics provide the perfect balance of convenience and strength, as they can’t be forgotten or guessed in any meaningful sense.
- Seamless, widespread compatibility: “It just works” has long been an ideal to aspire to with business tech, but in the case of biometric authentication, it’s really true. FIDO U2F fingerprint scanners can be used for second factor authentication in a variety of cloud-based services, web applications and social media platforms.
- Great portability: Web fingerprint authentication doesn’t require a physically large interface to perform. Everything needed for secure login can be contained in a small device that fits on a keyring and can be plugged into a standard USB port.
- Less risk from cyberattacks: Requiring biometric 2FA not only lessens the danger of data breaches, but also helps curb sophisticated replay attacks, which repeat or delay data transmissions such as one-time passwords and nevertheless have them processed as legitimate messages. Phishing is eliminated as well, since the biometric credential can’t be extracted via email or another message type.
Benefits of incorporating fingerprint authentication into everyday workflows
Second factor authentication is one of the strongest possible hedges against the traditional risks of password-based security. While it is not a recent invention, it took time to gain widespread adoption and only accumulated critical mass among businesses recently. A 2019 survey by Spiceworks projected that by 2020, 90% of businesses would utilize some form of 2FA that included biometrics.
If that prediction pans out, it would represent a remarkable increase just from the adoption rates of 2019, when 62% percent of organizations reported having implemented biometric authentication. Among the parties that were already relying on biometrics for 2FA, fingerprint authentication was by far the preferred option, garnering a 57% share of responses. Facial scanning was a distant second at 14%, while more niche options such as hand geometry analysis and voice recognition accounted for the remaining share.
Aside from the clear-cut benefits of strengthening authentication and improving the login experience, 2FA and biometrics in particular allow for a consistent, scalable experience across sites and devices - a pivotal differentiator in a world of ubiquitous cloud services and multi-device workflows. This has greatly enhanced the adoption of second factor authentication and bodes well for its future.
The pivotal role of web authentication APIs
Thanks to FIDO2-compliant authentication APIs like the World Wide Web Consortium’s WebAuthn and the FIDO Alliance’s own CTAP, software vendors have a straightforward way to enable standardized support for biometric authentication across their applications.
Desktop web browsers including Chrome and Firefox, web apps such as Github and Dropbox, and password managers like Dashlane and Roboform leverage these APIs so that end users can easily authenticate via a FIDO U2F fingerprint scanner or another authentication mechanism like a hardware key. A simple JavaScript API call is all it takes for a website to begin accepting modern second factor authentication.
Moving toward a passwordless reality
Similarly, the spread of mass-market platforms for passwordless authentication shows how biometrics can be used for convenient strong authentication in everyday contexts. Windows Hello and its enterprise counterpart Windows Hello for Business are among the most prominent solutions in this space. Both are FIDO2 certified, providing a streamlined way to authenticate into the ubiquitous Windows operating system with a fingerprint scanner or other unique biometric credential – no password required. By not needing to rely on a password to secure the potentially sensitive data stored on their PCs, Windows users can substantially lower the danger of identity theft caused by unauthorized logins.
Looking ahead at how web fingerprint authentication will evolve
The Windows Hello solutions today offer perhaps the clearest view into what life after passwords might look like. Fingerprint authentication, facial scans and other forms of biometric sign-in could eliminate the risk and tedium of relying on passwords. But are organizations and consumers ready to make that leap?
The Spiceworks survey cited earlier found that many organizations were still getting up to speed on how biometrics worked and what levels of security and privacy they could provide, and were still sticking with some form of password-based authentication. However, the ongoing and widespread frustration with passwords across many groups – plus the inadequate level of protection they provide given the effort and trouble involved – has created high demand for alternatives. A 2017 Aite Group study captured these two perspectives, finding that while respondents liked the familiarity of passwords, 85% of them wished for more modern mechanisms.
Web fingerprint authentication via solutions like Kensington’s VeriMark Fingerprint Keys can make the transition beyond passwords easier, through advanced biometric technology, FIDO U2F certification and broad integration and compatibility. You can learn more by downloading our eBook on Moving Past the Password with VeriMark and VeriMark IT.