PASSWORDLESS AUTHENTICATION: LOGIN TO THE FUTURE

2018-08-17

Identity Management, Data and Information, Security

In the recent past, the topic of passwordless authentication has gained much attention with several news stories circulating with regard to this matter. These stories have emanated from two highly regarded players in the software market; Google and Microsoft. Both vendors have declared their support for passwordless authentication and announced plans to develop technologies in this direction.

It is easy to understand why passwordless authentication is becoming a market trend. Over the last few years, there have been hundreds of millions of cases of password leakage from a variety of services. REMME, whose blockchain-enabled platform provides enterprise-grade security, predicts that this number will soon be in the billions. The sorting, filtering and storing of password dictionaries has already become a major business in response to this. In August 2017, researcher Troy Hunt analysed password leaks and formed a dictionary with 320 million unique passwords for users of various services.

The main attacks on passwords are compromisation, guessing, dictionary or hybrid password attacks and attacks by templates. Another widespread vulnerability stems from users recycling the same passwords for different services allowing for a daisy chain attack. Such vulnerability also extends to password managers which are used by many in order to boost the security of their online presence. These vulnerabilities are clear indicators that passwordless authentication is a worthwhile development.

Multi-factor authentication (MFA) is considered to be a panacea and is presented by some as an alternative solution. However, REMME views this as an unreliable means of tackling the plethora of vulnerabilities password authentication suffers from. The interception of SMS messages in 2G networks is no longer a problem for intruders; similarly, traffic blocking for authentication applications such as Google or Microsoft Authentications is now possible. Therefore, they believe that MFA is not a viable long-term answer to the problem of password authentication vulnerabilities.

Having said this, REMME does pinpoint a roadblock in the integration of passwordless authentication technologies into services and web applications; the modularity of existing modern infrastructure. Used protocols, particularly HTTP/HTTPS, do not support sessions. This means that there is no state support so the sender or recipient does not remember the previous messages or actions. It turns out that at the TCP/IP stack level there is session support between the network interfaces based on TCP sequence and acknowledgement numbers, but there is no authentication. At SSL/TLS level, there is authentication based on asymmetric cryptography and session support, but this interaction occurs between the browser and the web-server (application-server), but not between the web-browser and application. At the application level over HTTP, there is support for sessions but this most often occurs between the browser and the application-server (web-server).

It is very rare to find a modern web-application that can manage and control its own user sessions. For developers, it is easier to use existing session management mechanisms, but this introduces the threat of various attacks: pass-the-hash, hash-injection, replay-attack and others. These attacks are possible at every level of communication which is present in current systems. Each level of interaction is vulnerable to different types of attacks. REMME feel that the best solution would be a ‘pass-through’ authentication process. The authentication process should be integrated into the storage, processing and transmission of information from the beginning to the end. For example, the HTTP protocol is used, not only for encryption but also for server authentication by the client. Before the communication server sends its certificate to the browser, the client checks with the certification authority (CA). Few people are aware that the HTTPS protocol could contain two-way authentication. If the browser sends its certificate to the server, the server will also be able to authenticate it. This provides certain benefits for pass-through authentication. Imagine that the checking of certificates and opening the HTTPS session will be made by the application itself rather than by the web server. This allows the system to provide full end-to-end authentication, not only transfer data protection between the browser and the application server. In order to do this, the user only needs to import their certificate into the repository in the browser.

Although developers will have to implement additional APIs for verifying certificates, managing sessions by applications and to interact with the application server, REMME believes that the benefits of end-to-end authentication outweigh this. All of the technologies required for the implementation of pass through authentication already exist. The main roadblock is now the reticence of developers and vendors to concern themselves with user safety and, of course, in the carelessness of users. However, REMME believes that this will be a problem everyone will be aware of in the near future and hope that this will prove motivation enough for the progression of cyber security.

Find out more about cyber security at Blockchain Live 2018 on September 26th where REMME’s founder, Alex Momot, will be presenting on the Technology and Development stage.

Sign up to stay informed