A Response to the W3C and FIDO Alliance WebAuthn Web Standard Announcement.
At the opening of the RSA Conference 2019 in San Francisco, the Fast IDentity Online (FIDO) Alliance along with the World Wide Web Consortium (W3C) announced that Web Authentication (WebAuthn), a component of the FIDO2 specifications, is now an official web standard and will “move beyond vulnerable passwords”. Several media outlets have published headlines proclaiming the death of passwords. In fact, for several years, we have seen countless articles on this subject. To be very clear, the password is not on the verge of extinction.
As a member of the FIDO Alliance, Keeper believes it is essential to articulate why passwords are critical and how they will integrate with the FIDO Alliance’s initiatives. This comprehensive, and necessarily technical, blog post aims to do just that.
The new FIDO2 specification, and specifically the WebAuthn component, supports a use case for “passwordless login”. This particular component is what has fueled some of the media hype about passwords becoming obsolete. A great explanation of this fascination with passwordless login and the organizations that push for it is even included in the Wikipedia “Password” entry. Author Troy Hunt also wrote a great blog post on the subject. We share Troy’s sentiments.
The other side of the FIDO2 specification which is absolutely critical and growing in adoption by top-tier websites is the use of Universal Second Factor (U2F) for two-factor authentication. The WebAuthn component of FIDO2 is backwards compatible with FIDO U2F devices, and creates some confusion around terminology. This use case, where FIDO2 and security keys are used as a second-factor for authentication, is widely considered the best way to protect accounts, although it doesn’t generate the same level of attention. “The password is dead” makes a great headline but is both misleading and confusing.
Keeper Security utilizes FIDO2 for two-factor authentication.
Biometric authentication works in very specific use cases for very specific reasons. For example, logging into an app on iOS utilizing Face ID or Touch ID is a fantastic use case. However, in this scenario the user’s password is being stored in the Keychain. When implemented securely, biometric authentication retrieves a password from the Keystore and authenticates the user to the app. Using WebAuthn on a desktop web browser works differently: as a single-factor, passwordless login, it is not secure enough for websites with serious security concerns.
A common example of this mischaracterization is found in this VentureBeat article:
“WebAuthn is already implemented on sites such as Dropbox, Facebook, GitHub, Salesforce, Stripe, and Twitter. Now that WebAuthn is an official standard, the hope is that other sites will jump on board as well, leading to more password-free logins across the web.”
Unfortunately, this is not accurate. The websites above have implemented U2F authentication and do not support single-factor, passwordless login. Why not? Because single-factor, passwordless login has too many functional and security issues to become pervasive.
Here’s what Dropbox actually states on its website:
“Will this replace passwords?
Right now, we’re using WebAuthn to make it easier for you to add an extra level of security to your account. A natural question is if we still need passwords too. Your credentials could be stored on a device like your phone, laptop, or security key, and services could use WebAuthn to sign in to your account after you scan your fingerprint or input a PIN on the device. There are still many security and usability factors to consider in these scenarios before replacing passwords entirely, and we believe that enabling WebAuthn for two-step verification strikes the right balance for most users right now.”
For liability reasons, no website or application which is responsible for protecting critical user data is going to adopt a pure passwordless login for any number of reasons, including, but not limited to:
- Utilizing a single device for both the first and second factor login is, by definition, less secure. Hence, most organizations will not accept it.
- The ability to support passwordless login would require millions of application developers, websites and software vendors to build the technology and user experience – across all of its legacy applications, websites and systems including across all new assets. Additionally, each software developer will need to consider and build technology to handle the logistics of account recovery, identity verification and issues covering multi-device and multi-platform scenarios. The number of these scenarios, when it comes to safeguarding a person or company’s digital assets, is massive.
- WebAuthn as a first (and only) factor with passwordless login depends on a device, security key or similar physical hardware. In a single-device world, it is unacceptable to have a situation where a lost, stolen or damaged device results in a catastrophic loss of a person’s accounts and private data.
- For those of us that have multiple devices, it is an even more frustrating problem. We live in a multi-device and multi-platform world where we must have access to our applications and services from different devices, platforms and browsers. In a passwordless login scenario, we would be forced to use a particular device on a particular platform, with no clear mechanism for syncing the data between them.
- In the real world, people lose devices, upgrade devices or forget their password(s). Further, smartphones are the #1 most stolen device globally because cybercriminals know that our digital lives and records reside on these small devices. For the new FIDO2 method, requiring that users should have multiple devices or “backup keys” to protect their data is unrealistic because there are droves of people globally that only have one device.
- The more we try to fill various functionality, multi-device and security gaps in the real world, the more complex it becomes for the user. A lost, damaged, stolen or replaced device under a single-device authentication scenario using passwordless login, could be catastrophic for a user. Requiring “backup devices” adds another level of complexity that few users will take advantage of (and requires even more functionality built by application developers). Using Bluetooth, NFC, alternate login schemes and multi-platform use cases as defined in the WebAuthn paradigms raises even more issues.
- Shared access to an account becomes very difficult with passwordless login. Since it becomes necessary to physically pass “what you have” to another user (which might contain secrets you don’t want to share) the burden is on the website developer to implement user management for each account.
- Local cyberattacks become much easier for a cybercriminal if a person relies on a single, physical device as their only factor, especially if the device itself does not have integrated identity verification. As such, a security token can be taken from you and used without your consent. Even worse, you won’t even know that it happened if you utilize and rely on a single device.
- Without a mechanism for automated account recovery via password or identity verification, customer support will become far more challenging and insecure.
The Right Path and the Right Message: Password Management with FIDO2 for Two-Factor Authentication
The best solution for securely accessing websites and applications is with strong encryption and two-factor authentication using FIDO U2F in a zero-knowledge security architecture. This is how Keeper was designed.
For strong encryption and security protocols in the enterprise, we recommend the regular use of a YubiKey security device for 2FA. This type of two-factor authentication method is easy to use, hyper-secure and supported by nearly every platform. As a caveat, this is not yet fully supported on iOS. But, thanks to a new device being created by Yubico this year, it will soon become widely available. These security keys have other pervasive security benefits aside from securely accessing sites and systems. Google reported that U2F security keys completely neutralized employee phishing scams.
The use of a password security platform like Keeper combined with hardware-backed two-factor authentication has far greater security and user benefits over passwordless login schemes:
- A strong and secure vault that uses a zero-knowledge security architecture to encrypt, store and protect user data on every single device, across every major operating system and on all popular web browsers
- Unique, random and high-strength passwords are generated for each site and application
- Support for U2F and other two-factor authentication methods such as Duo, RSA SecurID and TOTP
- Biometrics support across all available mobile and desktop platforms
- Both cloud-based and local authentication that support every environment
- An encryption model that supports both private and shared data
- A visually optimized, modern and native application that is supported across all platforms (every major operating system), applications, websites and unlimited devices.
- With the new Autofill support for password managers on iOS 12 and Android O, convenience and ease of use drive greater mass-market usability.
- Keeper creates the leading, zero-knowledge cybersecurity platform for preventing password-related data breaches and protecting customer data. FIDO and WebAuthn do not address the protection of stored data. Private data such as bank account numbers, payment cards, SSH keys and metadata must be protected – for consumers and businesses.
- Keeper supports FIDO U2F protocol in its 2FA library, along with other popular 2FA systems including Google Authenticator, Duo and RSA SecurID. The WebAuthn component of FIDO2 is backwards compatible with FIDO U2F devices. Keeper utilizes the U2F (universal second factor) authentication method using any FIDO2-compatible security key. Within Keeper, customers can enable this feature from the “Settings” screen on the Web App or Desktop App.
- Keeper also supports FIDO compatible Windows Hello, Apple Touch ID and Face ID technology for login on those respective platforms. As cybersecurity software developers, we classify this as a “convenience” feature (as opposed to a security feature) to shorten login times and reduce user friction. In these use cases, the encryption key is still derived from a user’s Master Password; however, the key is subsequently stored in the secure enclave of the device and retrieved via successful authentication. So even though we’re taking advantage of “passwordless login” capabilities, there is still a “something only you know” (i.e. a password) required.
- Encryption of data requires “something only you know” (i.e. a password). This is the whole purpose of a Master Password because something only you know can be used to derive an encryption key (and be usable on multiple devices, support lost devices, enable account recovery, etc).
- For business customers who log in to their Keeper Vault using Single Sign-On (SSO), the Master Password and encryption keys are controlled and managed by Keeper SSO Connect software, which is hosted on-premises by the customer and, depending on the customer’s security requirements, can be backed by a secure HSM.
Conclusion: There is No Silver Bullet When it Comes to Secure Authentication
Despite the hype, passwords just aren’t going away. Passwordless login on the web has many security and usability issues to overcome, including supporting multiple devices, account recovery, identity verification, customer support, device hijacking, and countless other real-world scenarios.
The use cases which utilize FIDO2 linked to password-based logins combined with two-factor authentication provide the optimal balance of usability and security. We are excited about the future of authentication and look forward to the continuing evolution of FIDO2, biometrics and multi-factor authentication.
-Craig Lurey, CTO & Co-Founder, Keeper Security