As instances of leaked passwords and credentials continue to skyrocket – wreaking havoc in the workplace and with consumers alike – passwordless solutions – like Apple's Face ID and the workforce security token, YubiKey – are becoming increasingly popular to mitigate cases of fraud and identity theft. But how effective are they?
In this piece we introduce some of the core issues with modern passwordless solutions that rely on local authentication technology, by looking at the two aforementioned popular solutions. But first, let's explain what local authentication is.
Local authentication relies on hardware technology – essentially devices, whether they be a user's smartphone or a portable USB key – to authenticate users. With local authentication, there is an area within the device where a user's login information (or 'secret') is stored. A "secret" can be anything used to authenticate the user – from passwords to private cryptographic keys, to biometric samples.
All kinds of hardware devices can be turned into instruments for local authentication. For example, smartphones, laptops, swipe cards and portable USB sticks are all devices that are being used today to authenticate people all over the world.
Solutions that require users to log in using a trusted device tend to be more secure and easier to use than those that don't. Solutions that don't require a trusted device make it easier for malicious attackers to break into a user's accounts, either by stealing the hardware device itself and using it on another device, or by stealing information about the hardware device and replicating it to create an unauthorized duplicate.
Systems that use local authentication usually combine it with another method of authentication, like passwords, PINs or biometrics, to provide strong MFA.
Local authentication systems store private information in a secure part of the hardware device. The security issue with storing private information on portable hardware devices is that they can easily be stolen or lost. In that case, to bypass local authentication, the only security barrier a hacker needs to break into is the hardware device’s internal system.
While this is generally enough to deter non-professional hackers, the strategies and technology used by professional cybercriminals are evolving to keep pace with the most sophisticated security systems. Generally, the longer an attacker has with the hardware device, whether that be someone's phone or USB key, the more chances they have of breaking into it to steal private information.
Reliance on hardware devices for authentication can pose significant disruptions to the user experience, which can easily frustrate users. For example, if a USB authenticator or smart phone is accidentally left at home, a user can be locked out of all their accounts.
Other issues with user experience are when the user has to jump between multiple devices in order to authenticate themselves; this can be extremely tiresome for users when they need to repeatedly do this throughout the day.
Besides the security risks of storing private data within the hardware device’s internal systems, many local authentication systems also use centralized storage systems to store user login credentials, or “secrets”, so that they can verify a match at the time of authentication.
Centralized storage systems are frequently targeted in sophisticated cyber attacks — putting user accounts at higher risk of being compromised.
There are a number of different security systems that leverage local authentication. One of the most well known is Apple's Face ID — which is used to access and make payments with compatible iOS devices and third-party apps.
Another example is YubiKey, a portable USB stick that provides a second factor of authentication by giving users a one-time password (OTP) that they use along with their usual password, adding a layer of security when accessing their private keys and digital wallets.
Apple's Face ID utilises local authentication to provide a biometric MFA solution that combines a user's biometrics with their registered — or "trusted" — device. Apple securely stores a user's biometric data within the "Secure Enclave". This encrypted part of the iOS chip is designed to securely store sensitive user data, including a user's sensitive biometric templates.
While Face ID offers a high degree of security, it’s actually possible for an attacker to bypass the secure enclave.
The more sophisticated the attack, the greater the likelihood that an attacker will break into a user's accounts. The FBI famously worked out how to bypass Apple's internal security systems, breaking into suspects' phones and accounts — all without any cooperation from the suspects or Apple.
Since users often delay reporting lost and stolen devices in the hopes that they will be returned, cybercriminals may have the luxury to perform sophisticated attacks, similar to those launched by the FBI, in order to breach a user’s accounts.
This security flaw jeopardizes user privacy — as private information stored within the internal systems of an Apple device, or in the Secure Enclave, is vulnerable to malicious attacks performed by hackers.
If Apple didn’t store sensitive information locally on the device, then losing access to one’s device would not be a privacy or security threat.
Another common issue with local authentication, and in particular with Face ID, is that these solutions are developed to only work with specific systems. For example, Face ID is only compatible with iOS devices — which means that it excludes those who do not have an Apple device, and cannot be used at large scale by organizations and governments that rely on other software systems.
YubiKey is another example of local authentication. YubiKeys are USB sticks that act like physical keys that users plug into their computer when they want to log in to their accounts. They then present a one-time password that can be used with a normal password to unlock access to the user's accounts.
As an external hardware device, YubiKeys are at risk of being lost, stolen or misplaced. One of the biggest risks with YubiKeys is that they can easily fall into the wrong hands without the original owner realizing for an extended period of time.
To make things more complicated, YubiKeys do not need to be registered to a user’s trusted devices. Without this layer of protection, an intelligent attacker who came upon a user’s YubiKey could potentially use it to break into the owner’s accounts through another device.
Not requiring trusted devices also allows malicious attackers the opportunity to execute more sophisticated attacks. For example, a clever attacker could supply an unsuspecting user with a fake or tampered YubiKey. Once the victim registered their online services using the tampered device, the attacker could impersonate them and gain access to their accounts from an unregistered device.
This means that a user must completely trust the person or business they purchase the YubiKey from, as well as any other centralized systems that they may share their YubiKey password with — like centralized cryptocurrency exchanges.
YubiKeys are disruptive to the user experience as they require the user to plug in a secondary USB device to unlock their accounts. While the user may not mind doing this to unlock access to certain accounts, using a YubiKey to access every single account would be too disruptive to the daily user experience.
The YubiKey's size and portability mean it is also at greater risk of being lost. Misplacing a YubiKey can cause frustrating disruptions to the user experience — especially when a user may have just left the device at home.
For the enterprise, the YubiKey is an expensive MFA solution; not only must YubiKeys be purchased upfront and distributed to all users or employees, these small devices must also be continually replaced, placing unnecessary financial burden on either the user or the organization.
Fast Identity Online (FIDO) is a best-practices protocol for local authentication, in particular for biometric authentication.
With FIDO a user’s “secrets” are stored on registered devices. To unlock access to their accounts, a user must present a biometric sample that matches those stored within the device — if it’s a match, the user will gain access to their accounts and personal information.
FIDO's framework reduces instances of phishing and man-in-the-middle attacks; however, it cannot guarantee that breaches won't occur. Since a user's "secrets" or private information is always stored on a hardware device with local authentication, they are always at risk of being compromised.
By leveraging a distributed network — rather than hardware devices or centralized storage systems — to store a user’s private authentication data, Keyless makes it much easier to guarantee privacy and security than local authentication solutions.
In the next part of this series we explain in further detail how Keyless’ platform greatly improves security, privacy and usability standards in authentication — in particular with safeguarding sensitive biometric data — which should be protected with much more robust security technology than what local authentication solutions can offer today.