The Life and Death of Passwords: Driving Passwordless Forward With WebAuthn
Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With this interview series, we take a deeper dive into their insights and share bonus footage.
Today: Nick Steele, research lead at Superlunar, weighs in on the weaknesses of password-based systems, the difference between a traditional login versus a passwordless one, and how WebAuthn is driving passwordless forward.
The problems with passwords
Chrysta: Why was passwordless needed in the first place? What sort of problem does it solve?
Nick: Humans are really bad at creating randomness. So when it comes to creating passwords and remembering passwords, the passwords are generally, if they’re made by humans, not very strong. And humans also tend to use heuristics and elements that they can reuse over and over. So even passwords that are created by humans that are slightly different, still tend to be pretty easy to crack.
Passwordless is this next paradigm in authentication where we don’t have to rely on human-created passwords and credentials. We can rely on credentials that are created by the computer, controlled by the computer, and controlled in a secure manner. And then passed on or really authorized to be released to a website or a service via biometric or a local PIN, something that doesn’t have to leave the device, and that the user has on them or in their brain.
What are the main weaknesses of password-based auth systems that attackers will exploit?
The primary weakness in a lot of these passwords is the amount of randomness and really the length and the amount that a human can really remember in a password. Your average eight-character password can be cracked in fractions of a fractions of a second by machines nowadays. Your average at-home PC desktop could go through creating and trying millions of passwords in seconds. So if your password is something like ABC123, it can be almost instantly uncovered.
Now that being said, the second probably most common way is through phishing and credential stuffing. So once a user has had their password stolen, an attacker could come along and start trying that password on different websites with maybe the user’s email address or username. And start going through different websites, trying to crack those accounts as well.
So the weakness comes from this fact that we have a shared key that can be shared across multiple systems, and with multiple people without tying it physically or even biometrically to the user.
Securing passwordless with WebAuthn
Chrysta: How does the process of a passwordless login differ from a traditional password-based one from the user’s perspective? What changes?
Nick: Generally in modern websites where you have a second factor activated, you’re going to first navigate to your password login where you enter your password. And then you’re going to follow up with that second or third factor.
In the passwordless flow, we’re eliminating that first factor where you’re entering the password. I’m going straight to that second factor where you interact with a key or a biometric device in order to log into the site. So for most users on more of these modern systems, it’s still pretty much the same. People have already gotten pretty comfortable with these flows because of mobile devices having biometric support over the past five, almost 10 years now, at this point. So being able to acclimate users and get users comfortable with it is already something that’s really well underway because these passwordless flows are going to look a lot like logging into your phone now.
What got you interested in auth systems and involved with development of the WebAuthn spec?
I got interested in authentication systems pretty early on in my career, actually when I was still working at Etsy, which was a sort of craft marketplace website that helps connect buyers and sellers while selling mostly craft goods. But when I was there, one of the first projects I worked on was auth systems for mostly DNS. And figuring out how we could route sellers’ custom websites to our website, and have the DNS records match up, and handle SSL.
Where it gets more interesting and more complex is once you start adding the human element, which is honestly probably the more interesting side of most computer systems is once they kind of come out of the screen.
So when I moved over to Duo Security, before they were acquired by Cisco Systems, I was working in a research lab there. And one of the first projects that I was asked to work on was to figure out what was next for second factor, because Duo is a pretty heavy second factor company. So I went out trying to look at all these projects that were focused on what the next steps in authentication were. And I finally came across WebAuthn, which kind of started in 2016 off the back of a different spec called UAF, which is the universal authentication factor being worked on by the FIDO Alliance.
What really differentiated WebAuthn as a standard and it made it seem really promising was that it was the simplest form of passwordless authentication that I’d seen. It was the most straightforward. A lot of different standards required specialized hardware, required using QR codes, or had elements within their construction that were potentially insecure.
In fact, when compared to just about any other form of authentication, including first factor authentication with passwords, it’s extremely secure.
Why was WebAuthn such a major technological step in the feasibility of widespread passwordless use?
In terms of providing passwordless to the masses, WebAuthn was a framework that was transparent. It was open source. Everyone was allowed to collaborate on the standard. And on top of that, you had the browsers agreeing on a lot of the elements of how the standard should be an interface in their browsers, which is just really unheard of.
You mentioned that typical WebAuthn implementation is going to be a lot more secure than a traditional first factor, like a password. But is passwordless auth less secure because it removes the password from that flow? Isn’t removing any password going to be some reduction in security versus that same method with a password as well?
TL;DR [too long; didn’t read] is no.
To interact with your Touch ID means that you physically need to be next to your computer. You touch your YubiKey, to touch your FEITIAN token, to interact with this hardware key that releases the credential. You need to be next to your computer.
So in the case where you actually have to enter a password, anyone can enter your password from anywhere. This is why it’s so great for attackers. You or anyone else can enter it from anywhere in the world.
Once you add that WebAuthn layer, once you add the second factor, you need to be within proximity of the device that is in charge of your credential.
Aside from the biometric methods that we talked about, what other ways do you see a user being verified through a WebAuthn prompt without being challenged for that password?
If your password is not leaving your local device, generally that’s going to mitigate the vast majority of attacks, right? Where passwords really get weak is when they’re being shared or stored across someone else...once it leaves your device and it’s on someone else’s device. If an attacker breaches their database, which has your password in it, well, now it could be used in a lot of other places.
The journey towards passwordless adoption
Chrysta: What are the top three misconceptions or myths that you run into about WebAuthn, or passwordless authentication more generally, and what do they get wrong?
Nick: I would say actually that the top myth isn’t directly related to WebAuthn or passwordless authentication outright, but it’s kind of related to biometrics. People always really assume that the biometrics that are being used to unlock their device or being used to log into their website via WebAuthn, or other passwordless services, they tend to think the biometrics are being sent elsewhere. And in the vast majority of cases, your biometrics are never sent anywhere. They’re only being used by the local authenticator to release a credential.
The second biggest misconception around WebAuthn is it’s more complex than it really is. It’s really just a set of guidelines around this API that allows your browser to access secure hardware on your device, or potentially just go grab credentials or make credentials on your behalf.
The other big misconception with passwordless is that credentials can still be stolen, which is totally outside of biometrics. I feel like this it’s two separate things, right? Because if people think if their biometrics can be stolen, then their biometrics can be used on multiple websites. This is really not how that kind of cryptography can work. And in a similar way, the credentials that you produce for passwordless services also can’t be reproduced and reused across multiple sites.
What’s the biggest speed bump or headwind today preventing wider adoption of passwordless methods?
The biggest thing right now is there really isn’t a great story or experience that allows users to really understand what’s going on.
While this is easy to talk about, users will probably be pretty confused by this change. So being able to socialize and normalize this process of not providing passwords on websites is a really hard process. Creating a coherent story and creating an ergonomic experience for the user around these security properties and principles is going to be a little difficult.
Ultimately, do you think that passwordless authentication is going to have a greater impact on large organizations, like corporations, schools, government, or the individual user in the consumer-level services that they use daily?
I think it’s going to affect organizations first, and then consumers second. A lot of new technology seems to go this way. But organizations are already making use of WebAuthn, and there’s already a lot of use in the consumer space. If you use login.gov, which is one of the biggest login portals for the US government right now, they’ve actually begun to use WebAuthn for handling second factor authentication. And more and more consumer-side companies are making it available, because it doesn’t only help the user to have passwordless authentication.
It also is compelling for your bank to have better authentications. It’s compelling for services where losing money will erode trust or prevent you from using their service again. So it’s really a two-way street, right? It doesn’t just benefit the user to have no passwords. It benefits the organization that they’re doing business with to provide better security as well.
When do you think we’ll be completely rid of passwords? Or will we ever?
I think passwords are always going to have some use cases. I mentioned that local passwords are still fairly secure. And there’s a lot of use cases where having a shared key is actually pretty useful. I don’t see them really going away anytime soon, especially given the long tail of technology on the internet. But I definitely see more and more people and organizations getting comfortable with the adoption and inclusion of passwordless.
For users that still do have to rely on passwords for a lot of their important accounts, what do you recommend as some of the best practices to keep themselves safe?
I would say use a password manager. Definitely don’t reuse passwords. When a second factor or WebAuthn is available, you should definitely be using that on top of a password. But really the biggest thing that you could do with passwords is keep them secret and keep them safe.
Next in our extended interview series: Ted Kietzman, a former product marketing manager for Duo Security at Cisco Secure, ponders passwords as a lost cause, the value of feedback for usability, and how passwordless technology is evolving.