Passwordless-Authentication

Rohit Ranjan
6 min read · Jan 21, 2024


Passwords are one of the oldest forms of digital security and one of the weakest links in identity management and authentication. They have become the quintessential keys to our online kingdoms, yet phishing, breaches, and poor digital hygiene have made password-based authentication a persistent problem for cyber security. As cyberattacks grow more sophisticated, there is an urgency to move beyond traditional passwords, and that is where passwordless authentication comes into play. In this article we will discuss passwordless authentication, its benefits, and how it fits our compliance requirements.

What is Passwordless Authentication?

Passwordless authentication is a method of identity verification that allows users to access their accounts without entering a password. Instead of relying on something the user “knows” (like a password), it leverages other authentication factors, namely ownership or possession (a mobile device, email account, or another piece of hardware), inherence (biometric data), or even other factors like geolocation. Passwords are a weak spot in authentication security for various reasons:

  • Memory: People often struggle to remember passwords, especially if they don’t use them frequently. This leads to account lockouts and a constant need to reset passwords.
  • Password Reuse: Many users employ the same password across multiple services. If one service is compromised and that password is leaked, all accounts using that password become vulnerable.
  • Simple Passwords: To remember passwords, users sometimes select easily guessable passwords, like “password123” or “123456”. Such passwords can be quickly cracked using dictionary or brute-force attacks.
  • No Required User Presence: Because passwords are static, they don’t require the user to be present in any way. Unlike biometrics or even email verification, a password can be used by anyone, anywhere, without any verification that they are, in fact, the user.

These weaknesses leave users exposed to phishing and to attacks that exploit breached credential databases. The shift to passwordless eliminates these issues by removing the need for a password. This shift doesn’t just add another layer of security (like multi-factor authentication) but fundamentally changes the way authentication occurs by omitting a weaker factor. There are several methods that providers can use to support passwordless authentication, including:

  • Biometrics: This refers to unique physical or behavioural characteristics, such as fingerprints, facial patterns, or voice frequencies. Biometrics have become increasingly common with the proliferation of mobile devices and biometric sensors.
  • One-Time Passwords: These aren’t “passwords” in the traditional sense. Instead, they are randomly generated (often time-based) strings created by a server and delivered to the user. OTPs can be delivered via communication technology (see below) or through authentication apps.
  • Hardware Tokens: These devices generate one-time-use codes, often small enough to fit on a keychain. They’re similar to the verification codes you might receive via text but are generated offline and immune to many online attacks.
  • SMS or Email Verification: Instead of a password, users receive a one-time code via text message or email, which they input to gain access. This ensures that only someone with access to the user’s phone or email can authenticate.
  • Magic Links: These are unique, time-sensitive links sent to users’ registered emails. Users are verified and logged in by simply clicking on them, bypassing the need to remember and input a password.

In each of these methods, the common denominator is eliminating the traditional static password, replacing it with a more dynamic and often more secure means of authentication.
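Magic links and emailed one-time codes are the simplest form of such a dynamic credential: a random, single-use, time-limited token. The block below is an added example, not the article's or any vendor's code, showing the server side of that exchange. It assumes an in-memory dictionary in place of a database, a 15-minute lifetime and a hypothetical login endpoint `https://example.test/login`; sending the e-mail is represented by returning the link to the caller.

```python
"""Magic-link issuance and redemption (added example, not from the article).

Hypothetical assumptions: an in-memory dict stands in for the server's database,
links live for 15 minutes, the login endpoint is https://example.test/login, and
e-mail delivery is represented by simply returning the link to the caller."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

LINK_LIFETIME_SECONDS = 15 * 60
LOGIN_URL = "https://example.test/login"  # hypothetical endpoint


@dataclass
class PendingLogin:
    user_id: str
    expires_at: float
    used: bool = False


class MagicLinkService:
    def __init__(self) -> None:
        # Keyed by the SHA-256 of the token, so a copy of this table cannot be
        # turned into working links the way a table of plaintext tokens could.
        self._pending: Dict[str, PendingLogin] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a single-use, time-limited link for user_id and return it."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = PendingLogin(user_id, now + LINK_LIFETIME_SECONDS)
        return f"{LOGIN_URL}?token={token}"

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id if the token is valid, otherwise None.

        Unknown, already-used and expired tokens all get the same answer, so the
        response does not reveal which case applied."""
        now = time.time() if now is None else now
        entry = self._pending.get(self._digest(token))
        if entry is None or entry.used or now > entry.expires_at:
            return None
        entry.used = True  # consume it: clicking the link twice must not log in twice
        return entry.user_id


def token_from_link(link: str) -> str:
    """Extract the token query parameter, as the login endpoint would."""
    return parse_qs(urlparse(link).query).get("token", [""])[0]


if __name__ == "__main__":
    svc = MagicLinkService()
    link = svc.issue("alice")
    print(link)
    tok = token_from_link(link)
    print(svc.redeem(tok), svc.redeem(tok))  # alice None
```

Storing only a hash of the token, marking it used on first redemption and enforcing the expiry are the three checks that matter: without them a leaked database, a forwarded e-mail, or an old mailbox backup each becomes a way in.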

HIPAA Compliant Password Strength Controls

Benefits of Passwordless Authentication

Removing the need for passwords can benefit an organisation’s security in multiple ways. There are also several instances where eliminating passwords makes sense for usability and accessibility. Some of these benefits include:

  • User Experience: Forgetting passwords, juggling multiple ones, or the periodic need for resets becomes history. Users get a trouble-free digital experience with shorter login times and fewer associated steps. One of the most evident perks of going passwordless is therefore convenience.
  • Security: Password breaches are a nightmare for any organization. By eliminating the use of passwords, we can significantly reduce the impact of breaches due to compromised passwords. Additionally, dynamic authentication methods are tougher for cybercriminals to exploit than static passwords.
  • Reduced Costs: Businesses often struggle with the financial and time costs of handling password-related issues. These include support for forgotten passwords, locked accounts or using tools for securing passwords. Going passwordless can significantly reduce these overheads and costs.
  • Increased User Adoption: An effortless sign-in experience can make users choose and stick with a platform. The easier and safer you make it for them, the more likely they will engage and remain loyal.

Potential Challenges and Concerns

As promising as passwordless authentication sounds, it has challenges and potential drawbacks. Many of these issues stem from privacy, adoption, and accessibility concerns that, unfortunately, aren’t present with vanilla passwords. Passwordless authentication challenges include:

  • Privacy Concerns: Users may feel uneasy about businesses storing their personal data, even if it’s just a fingerprint or facial scan, especially with biometrics. Ensuring data privacy and transparency in how the data is used becomes paramount.

==> This adds another layer of data that falls under the security team’s data protection controls, and it brings its own concerns.

  • Device Dependency: Passwordless methods often rely on user devices. What if the device is lost, stolen, or compromised? This creates potential bottlenecks for users accessing their accounts and can introduce new security concerns.

==> Mobile Device Management (MDM) software offers a solution, but a lot depends on how efficiently it is governed.

  • Adoption Barriers: Transitioning from a familiar system (passwords) to something new can meet resistance internally and externally from users. Proper training and clear communication are essential.

==> SSO and MFA are favoured, so adoption should be persuasive rather than forced.

  • Potential Vulnerabilities: While passwordless approaches minimize many traditional risks, new vulnerabilities might emerge. It’s a race with cybercriminals constantly evolving new tactics.

==> CVEs in passwordless software, or vulnerabilities in the enforcing medium (browser, laptop, etc.), have to be tackled in a much smarter way.

Can Organisations Maintain Compliance with Passwordless Solutions?

Passwordless authentication can be utilised while maintaining compliance with most regulations. When implemented correctly, passwordless authentication can enhance an organisation’s security posture and help meet certain regulatory requirements for secure access and data protection. The specific manner of implementation and the solution details can impact your compliance depending on the industry and associated regulations. However, there are certain regulations that have stringent requirements for authentication methods, and any solution, passwordless or otherwise, must align with these criteria. Here’s how passwordless authentication interacts with a few notable regulations:

  • General Data Protection Regulation (GDPR): Passwordless authentication using biometric data must protect personal information. You still must explicitly gain consent, and data processing principles must be adhered to. There’s no prohibition, but implementation must be GDPR-compliant.
  • Payment Card Industry Data Security Standard (PCI DSS): PCI DSS requires multi-factor authentication for specific scenarios. A passwordless solution can be compliant if it provides multi-factor authentication (for example, a hardware token combined with biometrics).
  • Health Insurance Portability and Accountability Act (HIPAA): HIPAA doesn’t prescribe specific authentication methods but emphasizes ensuring only authorized access to ePHI. A passwordless method can comply with HIPAA if it provides robust and secure access controls.
  • National Institute of Standards and Technology (NIST): NIST has published four volumes of Digital Identity Guidelines:

    SP 800-63-3: Digital Identity Guidelines
    SP 800-63A: Enrollment and Identity Proofing
    SP 800-63B: Authentication and Lifecycle Management
    SP 800-63C: Federation and Assertions

Best Practices to Maintain Compliance with HIPAA Password Requirements

Here are some credential security practices that follow NIST’s guidance and help meet HIPAA password requirements:

  • Password complexity: While HIPAA has no specific password complexity requirements, NIST recommends that employees be trained on how to select strong, unique passwords, as well as how to secure them.
  • Offboarding procedures: Organisations should have specific offboarding procedures to disable user passwords/access to PHI when employees or contractors leave the company or change positions. NIST recommends having different procedures for voluntary and involuntary terminations.
  • Password rotation/expiration: Password rotation is a best practice and should be part of every organisation’s security hygiene. In any case, passwords should be changed immediately if there is evidence that they may have been compromised.
  • Multi-factor authentication: NIST recommends that Multi-Factor Authentication (MFA) be enabled whenever it is available. This ensures that even if a threat actor gets hold of a working password, they’ll be unable to use it without the additional authentication factor(s).
  • Prohibit password-sharing: While HIPAA doesn’t address password-sharing specifically, NIST recommends prohibiting users from sharing passwords to systems and data that contain ePHI.
  • Monitoring and logging: Healthcare IT admins and security personnel should monitor user login activity and investigate anomalous activity, such as a user trying to log in from an unusual location or attempting to access records or systems that aren’t relevant to their jobs.
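The monitoring point above can be made concrete with a small review script. The block below is an added example, not from the article or any product: it learns where each user normally signs in from using past successful logins, then flags logins from an unseen country, access to resources outside the user's role, and repeated failures. The log format (one JSON object per line with `ts`, `user`, `src_country`, `resource`, `outcome`), the role-to-resource map and all log lines are constructed for the example.

```python
"""Login-activity review over constructed log lines (added example, not from the article).

Hypothetical assumptions: one JSON object per log line with the fields ts, user,
src_country, resource and outcome; a role-to-resource map maintained by the
organisation; and a per-user baseline of countries learned from past successful logins."""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple

FAILURE_THRESHOLD = 3  # repeated failures by one user within the reviewed window

# Constructed history: successful logins used to learn where each user normally signs in from.
HISTORY_LOGS = """
{"ts": "2024-01-20T08:00:00Z", "user": "alice", "src_country": "DE", "resource": "/records/cardiology", "outcome": "success"}
{"ts": "2024-01-20T08:30:00Z", "user": "alice", "src_country": "DE", "resource": "/records/cardiology", "outcome": "success"}
{"ts": "2024-01-20T09:00:00Z", "user": "bob", "src_country": "DE", "resource": "/billing", "outcome": "success"}
"""

# Constructed events for the period under review.
REVIEW_LOGS = """
{"ts": "2024-01-21T09:00:00Z", "user": "alice", "src_country": "DE", "resource": "/records/cardiology", "outcome": "success"}
{"ts": "2024-01-21T09:05:00Z", "user": "alice", "src_country": "BR", "resource": "/records/cardiology", "outcome": "success"}
{"ts": "2024-01-21T09:07:00Z", "user": "bob", "src_country": "DE", "resource": "/records/cardiology", "outcome": "success"}
{"ts": "2024-01-21T09:10:00Z", "user": "bob", "src_country": "DE", "resource": "/billing", "outcome": "failure"}
{"ts": "2024-01-21T09:10:20Z", "user": "bob", "src_country": "DE", "resource": "/billing", "outcome": "failure"}
{"ts": "2024-01-21T09:10:40Z", "user": "bob", "src_country": "DE", "resource": "/billing", "outcome": "failure"}
"""

# Constructed role map: which resources each user's job actually requires.
ROLE_RESOURCES: Dict[str, Set[str]] = {
    "alice": {"/records/cardiology"},
    "bob": {"/billing"},
}

Finding = Tuple[str, str, str]  # (user, reason, detail)


def parse_events(text: str) -> List[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(history_text: str) -> Dict[str, Set[str]]:
    """Countries each user has successfully logged in from before."""
    baseline: Dict[str, Set[str]] = defaultdict(set)
    for ev in parse_events(history_text):
        if ev["outcome"] == "success":
            baseline[ev["user"]].add(ev["src_country"])
    return dict(baseline)


def find_anomalies(review_text: str, baseline: Dict[str, Set[str]],
                   role_resources: Dict[str, Set[str]]) -> List[Finding]:
    """Flag unusual locations, out-of-role access and repeated failures."""
    findings: List[Finding] = []
    failures: Dict[str, int] = defaultdict(int)
    for ev in parse_events(review_text):
        user = ev["user"]
        if ev["src_country"] not in baseline.get(user, set()):
            findings.append((user, "unusual_location", ev["src_country"]))
        if ev["resource"] not in role_resources.get(user, set()):
            findings.append((user, "out_of_role_access", ev["resource"]))
        if ev["outcome"] == "failure":
            failures[user] += 1
    for user, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            findings.append((user, "repeated_failures", str(count)))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(REVIEW_LOGS, build_baseline(HISTORY_LOGS), ROLE_RESOURCES):
        print(finding)
```

Each finding is a starting point for an investigator rather than a verdict: a new country may be legitimate travel, and an out-of-role access may be a mis-maintained role map, which is itself worth fixing.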
