PASSWORDLESS AUTHENTICATION
The average internet user has an ever-growing list of accounts on online platforms: five different social media accounts, two different hospital accounts, three or more online banking or finance-related accounts, and the list keeps growing.
Because the information held on these platforms is so valuable, malicious actors are constantly looking for ways to gain access and steal this data. How can we protect our data?
The most common way is to use passwords. We could choose one complex, unguessable password for all our accounts. That should be enough. We use that password everywhere until there is a data breach at any one of the internet services where we are registered users. The password falls into the wrong hands, and the attackers break into as many of our accounts as they can find.
Perhaps one very complex, unguessable password for every online account is not the best solution, so we choose a separate password for each account. Our data is secure and life is amazing, but there is one little problem: we cannot keep track of all those passwords. We start forgetting some. Worse still, there is a data breach and one of our accounts is affected. Same old story.
The weaknesses of traditional passwords as the main means of user authentication are exploited by attackers using techniques such as the following to gain access to sensitive information:
Man-in-the-middle attacks.
Phishing.
Keylogging.
Brute-force attacks.
Credential stuffing.
These problems pushed developers to search for new and more effective methods of protecting data. That search gave rise to passwordless authentication, which allows users to access their accounts without entering a password.
Passwordless authentication relies on one, or a combination, of the following factors:
Something you are: biometrics such as fingerprints, retina scans and face recognition.
Something you have: authenticated and authorized smart cards, proximity badges, etc.
Something you know: a password, a secret word or phrase, or a PIN.
Passwordless authentication is often used as part of a multi-factor authentication (MFA) solution. Multi-factor authentication is another modern measure taken to protect sensitive data: users are required to provide more than just their password. When passwordless authentication is used as a step in multi-factor authentication, two or more passwordless authentication steps may be implemented.
Multi-factor authentication is a very strong data protection technique, but it can easily lead to a poor user experience. Having to complete three or more steps every time you want to access your account can be overwhelming. This led to the development of adaptive multi-factor authentication. Unlike standard, one-size-fits-all authentication methods, adaptive MFA selects the appropriate authentication factors based on a range of signals, including the following:
User's risk profile: Is the user an admin, a manager, or a regular user?
Sensitivity of the data: How sensitive is the data being accessed?
User's location: A user recently accessed his account from location A. Ten minutes later, there is an attempt to log into the same account from a location almost on the other side of the world. This suspicious behavior triggers extra authentication steps on a system that has adaptive multi-factor authentication configured.
Device profile: Is this a registered device or a new one? Has it been flagged for suspicious activity before, or is it clean? Has the user ever logged into his account from this device?
User behavior: In a banking app, for instance, Mr. Adam rarely withdraws money from his account. A request to withdraw an amount almost equal to the total balance of the account is certainly unusual activity, and it will trigger extra authentication steps on an account that has adaptive MFA activated.
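The signals listed above can be combined into a simple risk-scoring step-up policy: each signal adds to a score, and the score decides which extra factors the user must present. The following Python is an added illustration written for this page, not code from the original article or from any product. Every weight, threshold (including the 1000 km/h "impossible travel" limit), field name and sample record is an assumption chosen for the example; a real deployment would tune these against its own login data.

```python
"""Adaptive MFA step-up policy (added illustration, not from the original article).

Scores one login or transaction attempt along the signals the article lists
(role, data sensitivity, location, device, behaviour) and returns the extra
authentication factors to require. All weights and thresholds are assumptions.
"""
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Optional, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: nobody legitimately moves faster than a commercial flight.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass
class Request:
    """Context of one attempt (field names are constructed for this example)."""
    user_id: str
    role: str            # "admin", "manager" or "user"
    sensitivity: str     # sensitivity of the data being accessed: "low", "medium" or "high"
    device_id: str
    lat: float
    lon: float
    timestamp: float     # Unix seconds
    amount: float = 0.0  # requested withdrawal; 0.0 for a plain login
    balance: float = 0.0


@dataclass
class UserHistory:
    """What the service already knows about the account."""
    registered_devices: set = field(default_factory=set)
    flagged_devices: set = field(default_factory=set)
    last_login: Optional[Tuple[float, float, float]] = None  # (lat, lon, timestamp)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def assess(req: Request, hist: UserHistory) -> dict:
    """Return the risk score, the reasons behind it and the step-up factors to demand."""
    score, reasons = 0, []

    # 1. Risk profile of the user: privileged roles always carry extra weight.
    role_weight = {"admin": 3, "manager": 2}.get(req.role, 0)
    if role_weight:
        score += role_weight
        reasons.append(f"privileged role: {req.role}")

    # 2. Sensitivity of the data being accessed.
    if req.sensitivity == "high":
        score += 3
        reasons.append("high-sensitivity data")
    elif req.sensitivity == "medium":
        score += 1
        reasons.append("medium-sensitivity data")

    # 3. Location: implied travel speed since the previous login ("impossible travel").
    if hist.last_login is not None:
        lat0, lon0, t0 = hist.last_login
        distance = haversine_km(lat0, lon0, req.lat, req.lon)
        hours = max((req.timestamp - t0) / 3600.0, 1.0 / 3600.0)  # never divide by zero
        if distance / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 4
            reasons.append("impossible travel")

    # 4. Device profile: previously flagged devices are worse than merely unknown ones.
    if req.device_id in hist.flagged_devices:
        score += 4
        reasons.append("device previously flagged")
    elif req.device_id not in hist.registered_devices:
        score += 2
        reasons.append("unregistered device")

    # 5. Behaviour: a withdrawal that nearly empties the account (Mr. Adam's case).
    if req.amount > 0 and req.balance > 0 and req.amount >= 0.8 * req.balance:
        score += 3
        reasons.append("withdrawal close to full balance")

    # Map the score to progressively stronger step-up factors.
    step_up = []
    if score >= 3:
        step_up.append("something you have")   # e.g. hardware key or authenticator app
    if score >= 6:
        step_up.append("something you are")    # e.g. fingerprint or face recognition
    if score >= 9:
        step_up.append("block and alert")      # too risky to let through automatically
    return {"score": score, "reasons": reasons, "step_up": step_up}


if __name__ == "__main__":
    # Constructed sample: Mr. Adam last logged in from Lagos, then ten minutes later from Sydney.
    history = UserHistory(registered_devices={"laptop-1"}, last_login=(6.5244, 3.3792, 0.0))
    attempt = Request("adam", "user", "low", "laptop-1", -33.8688, 151.2093, 600.0)
    print(assess(attempt, history))
```

A policy like this is only as good as its inputs: the device registry must be tamper-evident, the location signal should come from the server-side connection rather than the client, and every step-up decision should be logged with its reasons so that false positives can be reviewed and the weights adjusted.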
The quest for data protection and privacy is a noble one. New methods will always be engineered because malicious actors are relentless; they almost always find a way to bypass existing security controls. A good number of data breaches involve compromised credentials, such as passwords leaked through the carelessness of users. Protecting your data is a job that starts with you.