The woes of Password-less authentication

Password-less authentication is actively pushed as the future of authentication. Where's the catch?

Björn Weström

8 minute read

Secure tokens

I have followed the development of secure tokens with great interest. In the early days tokens such as RSA SecurID couldn’t do much more than give you six digits once per minute. But since those six digits were generated in a very secure manner thanks to cryptographic algorithms, they were an effective additional authentication token. This authentication token is referred to as a one time password (OTP), since the token only exists for a limited time and will not be accepted for logins after this time expires. The OTP provided the user with two factor authentication (2FA) when combining the login, password and those six digits.

The OTP generators then migrated into the smart phones. Google Authenticator is still generating six digits, but you no longer needed to bring any additional token - it was all in the smart phone.

Nowadays, modern secure tokens such as YubiKey host a range of features. They are generally used through the USB port of your computer, but several also support NFC for use with smart phones. Through USB they can emulate a keyboard and automatically input a OTP into a visible login form. These OTPs are not just six digits any more, but rather 44 characters (of which 12 are a (modifiable) serial number). They also support non-keyboard methods such as U2F, which is a direct communication between the client program (often a web browser) and the token. In addition to login methods, they can encrypt/decrypt emails and store private keys.

Yubico, the company behind YubiKey, has taken some heat for moving from open source to closed source. There are other alternatives on the market with open source. The rise of crypto currencies has generated a surge in demand for secure storage of private keys for crypto wallets, Trezor is a popular one. But YubiKey still has a strong position on the market, being required for all employees by giants such as Google and Facebook.

YubiKeys has a button (or a touch sensor), the user must activate the token by pressing the button (or touching the sensor). This is an effective safeguard against software only attack vectors - an attacker cannot activate the token without physical interaction.

Password-less authentication

Along comes FIDO2, adding more fancy protocols into the mix. Now Microsoft (and others) believes that FIDO2 is sufficient to get rid of passwords once and for all. But not only passwords! The marketing message pushed in media recently favours the approach of using only a FIDO2 secure token as a strong single factor, meaning that it replaces both login and password. I recently participated in Microsoft TechDays in Kista, Sweden, and password-less authentication was the main topic of numerous sessions.

It sure sounds really convenient: just plug in your token, activate with a button click and you are super duper securely authenticated. Right? Yes, according to theory this is secure as long as you are in possession of your token. And since your token is so incredibly secure and convenient, you will likely use it for everything you possibly can - in essence, it will be the key to your whole digital kingdom.

What to worry about

Lost token

Say that you misplace your token. We can safely assume that this will eventually happen. To guard against this the manufacturers of secure tokens recommend that you purchase multiple secure tokens. This way you can register multiple secure tokens in the services you use, and thereby keep your access. You should also de-register the lost token when you have learned that it is lost to prevent unauthorized use.

Stolen token

A lost token may very well be a stolen token. For all services where your token is registered for password-less authentication, it will give the clever crook direct access to those from virtually any computer. The crook doesn’t even have to know who you are, since your fantastic token provides your account names too. Sure, the crook needs to know which services you are actually using to know where to login. But a clever crook will likely get quite far with a few guesses: after trying Google, Microsoft, popular Password Managers and LinkedIn the crook gains access to at least one and thereby knows your full identity. The crook then starts signing over access to a token the crook owns while removing all of your backups. Through your password manager the crook also takes over all accounts that were not connected to the token. GAME OVER!

Unexpected user

This is the reason for the title picture for this post. Now that you have simplified your login experience tremendously, you have also lowered the barrier for an unexpected user to utilize it. This may be a clever crook who passed by your unguarded laptop, a mischievous colleague or even your own child. Anyone with physical access to your laptop can touch your token to unlock your computer and login to anywhere they like. Your browsing history will provide good hints for which services you use regularly in case the unexpected user isn’t familiar with you. This should make you think twice before you make it a practice to keep your token in your laptop all the time. There are nano models of the YubiKey tokens that seems to be designed to be fitted in the laptop constantly (otherwise you will lose them). If your laptop is in a very secure place, this might make sense, but otherwise I think you are putting your token at high risk by keeping it in the laptop even when you aren’t there. At the very least, lock the laptop when you leave it and don’t allow unlocking by simply touching the token…

Mitigations

So what options do you have to protect your token?

1. De-register lost token

If you follow the best practice you will de-register your lost token. But how fast can you presume to be able to do that?

  1. You need to realize that the token is lost, which will take some time.
  2. You need to go to a location where you store a backup token, likely your home.
  3. You need to go through ALL services where the token is registered and remove it. There is no centralized service for handling this, so there is nowhere to call to have everything take care of quickly, like blocking your credit card.

I would argue that before you can even hope to reach step 3, hours have passed. The clever crook has already taken over most of your accounts by this time.

2. Require login name

You will likely be able to configure most services to require that the login name is entered before using the token. This means the crook must figure out who you are and what your login name is. OK, slightly better, but now consider how you are carrying the token around. Some use their key chain, but it is quite clumsy if you have to put your whole key chain on the desk to connect the token to your laptop. A more likely scenario is that the token is carried on a neck strap together with your company badge, or maybe in your wallet/purse. But wait! If someone just stole your token, they stole your neck strap or your wallet/purse too. Pretty easy to find your identity from those items, and unless you are John Doe the clever crook can find you through social media and start guessing login names based on that. So this will only delay the crook a little.

You say you are keeping your token in your laptop all the time? So it won’t be stolen? Sorry, you now need to consider the unexpected user!

3. Require additional authentication

To prevent the crook from signing in with just the stolen token, the services can be configured to require additional authentication. This could be a password, PIN code or some biometric measure like fingerprints or facial scan. But hey, didn’t we just say password-less authentication? When we add additional authentication, I don’t think you can claim that you are using password-less authentication anymore.

In the best of worlds, biometric measures are fast and secure. But I think we have all experienced that fingerprint sensors don’t work all the time (your fingertips change with temperature and moisture). Facial scan seems more promising, but there are reports of issues also with this technology. The biometric methods shouldn’t take more time than typing a password, but every time you have to repeat your login attempt they do.

4. Require device presence

I am unsure if any tokens support this today, but let’s say that the token can be configured to only function if your smart phone is nearby. This would reduce the risk of unexpected users dramatically, and a lost or stolen token will in most cases be useless.

On the other hand, you now have to have the smart phone at hand to use the token yourself. You likely do most of the time, but that day you forgot your phone at home? No laptop access would likely mean you have to go back home and get your phone. The phone is out of battery? No laptop for you! Even worse, if your phone is lost or stolen, it will take some time to arrange with a replacement and during that time you would have to rely on less secure authentication.

Summary

My own conclusion after putting this all together is that there is no such thing as secure password-less authentication based on personal secure tokens. Agreed, you can definitely improve your authentication strength dramatically by using a secure token, but putting too much trust in only the token is not rational. I find it unfortunate and misleading that this is the marketing message from token manufacturers and large IT companies.

If you are using or planning to use a secure token, make sure you follow at least mitigation 3 or 4. Your login experience will not be simplified compared to the traditional login/password method, but it will be much more secure.