In today’s world, old security paradigms don’t apply anymore. Our approach towards security needs to change and one of the better ways to start is with passwords. Hackers love passwords – hard for humans to remember but easy for hackers to guess. Hence, organizations tried enforcing complex password policies. But it turned out to be time-consuming and costly to implement. This system did not produce desired output.
Then came multifactor authentication, where the user enters password and receives a ‘unique passcode’. This unique passcode has a limited lifetime, making it valid for one time use only. This system proved to reduce the risk by 99.9 %. But was again costly to implement and time-consuming for the user.
Organizations then moved on to password-less authentication (biometrics, USB keys, badges, wearables etc.). This proved to be safer than the older authentication techniques and cheaper on a long run. Some of the widely used Passwordless solutions are Ping Identity, Windows Hello, Authentiq, etc.
How does Passwordless Authentication work?
Windows Hello
A biometrics-based technology, Windows Hello enables Windows 10 users to authenticate secure access to their devices and online services with just a fingerprint or facial recognition. The sign-in mechanism is user-friendly and a more reliable method to access critical devices, services, and data than traditional logins. It limits the attack surface for Windows 10 by eliminating the password needs and other methods under which identities are likely to be stolen.
“The password remains the frequently used sign-in mechanism, but also a source of frustration for end users…” Raul Castañon-Martinez, senior analyst, 451 Research.
Moving from traditional passwords to stronger authentication forms is said to be a great challenge in online computing.
TPM Chips
The Trusted Platform Module (TPM) technology provides hardware-based, security-related functions. A TPM chip is a crypto processor that carries out cryptographic operations in a secured manner. It is a chip that includes multiple physical security mechanisms making it tamper-resistant so that malicious software does not affect the security functions. The advantages of using TPM technology are:
- Generate, limit, and store the use of cryptographic keys
- Ensure platform integrity by storing security measurements
- For platform device authentication, the TPM’s unique RSA key is burned into itself
Common TPM functions are that it is used for system integrity measurements and for creating and using cryptographic key. When a system is booted, the boot code (firmware and the operating system components) can be measured and stored in the TPM. The integrity measurements are records for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.
One of the commonly used configuration options is to make a TPM-based key unavailable outside the TPM. This is useful in mitigating phishing attacks. Another way is for it to require an authorization value for it to be used. In case of multiple incorrect authorization guesses, the TPM activates the in-built dictionary attack logic, thus preventing further authorization value guesses.
Microsoft Authenticator
This can be used to sign-in to any Azure AD account without a password. It uses key-based authentication to enable a user credential that is tied to a device and uses a biometric or PIN. This can be used on any device platform, including mobile, and any app or website that integrates with Microsoft authentication libraries. The prerequisite being Azure Multi-Factor Authentication with push notifications is allowed as a verification method.
Steps:
- User provides credentials
- Azure AD starts the Strong Credential flow
- Notification is sent to app via Firebase Cloud Messaging on Android devices
- The user receives notification and opens the app
- The application calls Azure AD and receives a proof-of-presence challenge and nonce
- The user completes the challenge by entering their biometric/PIN to unlock private key
- The nonce is signed with private key and sent back to Azure AD
- Azure AD performs the key validation and returns token
FIDO2 Security keys
FIDO2 (Fast Identity Online) is an evolution of the U2F (Universal 2nd Factor) authentication standard based on public key cryptography using hardware. This is a standard which is intended for solving multiple user scenarios which includes strong first factor (password-less) and multi-factor authentication. FIDO allows users and organizations to sign-in to their resources without a username or password using an external security key or a platform key built into a device.
FIDO2 security keys are for those who are unable to use their phone as a second factor.
How it works
Microsoft has been working on Windows, Edge browser, and online Microsoft accounts, to enable strong passwordless authentication with partners. Security keys allow you to safely authenticate to an Azure AD enabled Windows 10 device of your organization. One can use any shared Windows device belonging to their organization and authenticate securely — without needing to enter username and password or set up Windows Hello beforehand. These keys have all the benefits of a secured enclave to store credentials being portable thus enabling more use cases for deskless and remote workers.
Steps:
1. The user plugs the FIDO2 security key into their computer
2. Windows detects the security key
3. Windows sends an authentication request
4. Azure AD sends back a nonce
5. The user completes the gesture to unlock the private key stored in the FIDO2’s secure enclave
6. The FIDO2 key signs the nonce with the private key.
7. The primary refresh token request with signed nonce is sent to Azure AD.
8. Azure AD verifies the signed nonce using the FIDO2 public key.
9. Azure AD returns PRT to enable access to on-premises resources.
The Future is Passwordless
After decades of service, the password is about to become redundant. Passwordless authentication makes life easier for the users and customers – which is extremely valuable as user-experience is one of the major differentiators between brands.
Do we still need passwords? Think about it.
References
- https://bit.ly/31cP9JC
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2KEup
- https://bit.ly/3dAHB8y
- https://bit.ly/3dyXyMw
- https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-download-install
- https://cloud.addictivetips.com/wp-content/uploads/2018/03/windows-hello-devices.jpg
- https://www.altitude365.com/wp-content/uploads/2019/03/1.jpg
About the Author –
Anjana K
Anjana is part of red team wing of the security practice and is involved in mobile hacking, web application penetration testing and cryptography.
Ashwin Balaji
Ashwin Balaji is part of the Red Team wing of the security practice. His interests include Machine Learning and Artificial intelligence and in harnessing ML and AI in cybersecurity practices.
Nagalakshmi VJ
Nagalakshmi is a python developer. Her interests include application penetration testing and learning new hacks. She is currently involved in GVAS product development.
SHARE
