In this video, Brandon Krieger of Daily Cyber and Simon Law, CEO of LoginID, discuss what passwordless authentication really means and why it is far more secure than a traditional password. They also discuss the vulnerabilities of passwordless authentication and how FIDO/FIDO2-certified strong customer authentication can eliminate them.
LoginID offers a FIDO/FIDO2-certified, easy-to-integrate, open SaaS strong customer authentication platform that is free to get started with. By utilizing the biometrics (or PIN) on the end user's device, any website or app can offer passwordless authentication to its user base and increase retention and conversion rates.
Simon Law: Passwordless can mean a lot of things; how we define passwordless is strong two-factor authentication. We use the two factors, one is something you are, which is your biometric. Think Touch ID when you unlock your phone, or Face ID. Now you don’t only just use this to unlock your phone, you use this to unlock applications as well. That’s one factor, who you are.
The second factor is what you have, which is actually your mobile device or your desktop. So what happens here is that it's really secure. It actually stores what they call a security encryption key, that’s stored inside the chip of your mobile device or your desktop.
So that’s how the two factors work. It’s something that you have, which is the security key inside your chip and then something that you are, which is your biometric.
So now instead of typing in your username and password, it's basically a one click experience. You click on a button, your mobile phone's biometric comes up, it says scan your face or your fingerprint, then you're logged in or authenticated to any application.
The applications are endless right now, which is why it’s so exciting. It’s not just about logging in, you can process transactions, you can sign documents, you can execute something, make something start. So there’s a lot of applications that spawn from this strong authentication, which is very exciting.
Brandon Krieger: I have a question from the community. What are the biggest security risks with passwordless authentication? I’ve been reading that these can be bypassed at times.
SL: With security, it’s a game of cat and mouse. But as of right now, FIDO2 and WebAuthn are very secure. The reason why is the encryption key, what they call the private key, exists in the hardware, which in an Apple device is what they call the Secure Enclave. It's similar to what you have in your credit card, with the chip, which is pretty secure.
There are ways to hack these, obviously, but it's pretty hard to. It’s not someone you can find easily to do it, a hacker can’t do it, it’s pretty sophisticated. Banking and governments (especially in Europe) have recognized FIDO2 as very strong authentication. There’s always ways to hack, but as a solution, this is considered really secure.
BK: Another question we’re getting is, besides Face ID and Touch ID, what other good alternatives are there?
SL: It’s really dependent. This FIDO2 protocol is really a way of signing and storing transactions. In terms of the hardware, there are actually several different ways in which you can use it. Right now on mobile devices, Apple supports Face ID and Touch ID. For Samsung, some of their older devices use iris scanning, which FIDO2 supports. On desktop, you have a fingerprint scanner and an infrared scan of your face as well.
Those are the ways right now, to do the FIDO2 biometric passwordless authentication.