Cyber Defense Magazine – July 2019

(Sean Pound) #1

than two years ago – yet, it is still widely used. These man-in-the-middle attacks, where second and third
authentication factors are sent to the hacker’s device instead of the user’s, have proven to be so
successful for hackers that they are common even among non-SMS based 2FA and MFA.

As much as the technology itself has security concerns, the other factor that must be considered is the
user experience. Most 2FA and MFA implementations are clunky and are built without any kind of user
experience considerations, which further stalls their adoption by consumers. This means that even if the
security is better, consumers simply don’t use it. In today’s efficiency-based world, truly effective
security measures must be both effective and seamlessly fit into a consumer’s existing workflow.

By this point you may be thinking that the situation is rather dire and you’re about ready to give up hope.
Well, I’m happy to say that there is good news because over the last few years there have been several
trends coming to maturity and pushing the world toward a new type of authentication that doesn’t rely on
shared secrets at all – a model called “true password-less security.” As opposed to the other models
we’ve examined, password-less security leverages decentralized authentication and biometrics directly
on a user’s personal trusted device. This means passwords, shared secrets and OTPs are replaced with
public-key cryptography. For example, rather than using a password to login to your bank, you would use
your thumbprint through an authentication portal sent directly to your mobile phone, thereby removing
the need to ever enter a password or shared secret. This is an innovative solution that wouldn’t be
possible if it weren’t for some key trends all coming together.
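As an added illustration, not code from the article, here is a minimal version of the model described above in Go: the device keeps the private key, the relying party stores only a public key, and the signed payload binds the site origin, so a signature produced for a lookalike site fails verification. It is a simplification of the FIDO flow rather than the WebAuthn wire format, and all names (Credential, Authenticator, origins) are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Credential is all the relying party stores after registration: a public key.
// A breach of this table yields nothing an attacker can replay as a login.
type Credential struct {
	UserID string
	Public ed25519.PublicKey
}

// Authenticator models the user's trusted device; the private key never leaves it.
type Authenticator struct {
	private ed25519.PrivateKey
}

// Register creates a key pair on the device and hands the server the public half.
func Register(userID string) (*Authenticator, Credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{private: priv}, Credential{UserID: userID, Public: pub}, nil
}

// NewChallenge returns a fresh random nonce so a captured response cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedPayload binds the challenge to the origin the device is talking to,
// so a signature obtained via a lookalike site is useless against the real one.
func signedPayload(challenge []byte, origin string) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Sign is what the device does after its local biometric check succeeds.
func (a *Authenticator) Sign(challenge []byte, origin string) []byte {
	return ed25519.Sign(a.private, signedPayload(challenge, origin))
}

// Verify is the relying party's check against its stored public key and its own origin.
func Verify(cred Credential, challenge []byte, rpOrigin string, sig []byte) bool {
	return ed25519.Verify(cred.Public, signedPayload(challenge, rpOrigin), sig)
}
```

The constructed origins in the accompanying checks (a legitimate site and a lookalike) show that only a signature made for the relying party's own origin and current challenge is accepted.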

One of these trends is the mass adoption of biometric sensors by phone manufacturers as they have
begun to use biometrics to allow users to unlock mobile devices and make online purchases. Because
of this adoption the sensors running these biometrics-enabled features have also grown in precision and
sophistication. Since true password-less security is built on the foundation of biometrics, this is a critical
advancement. Going hand-in-hand with this is the adoption of authentication standards, such as FIDO,
by enterprises to govern their use. These standards provide organizations with a standard set of best
practices and processes to ensure authentication models are as secure as possible.

Whereas biometrics technology and FIDO standards provide the basis for password-less security,
widespread adoption has been significantly spurred as the largest technology companies in the world
have jumped aboard the password-less train. Tech leaders like Google and Microsoft have been pushing
companies to go password-less, even to the point of Microsoft requiring it for organizations moving to
Azure. Additionally, the three major web browsers (Chrome, Firefox and Safari) have all enabled support
for password-less authentication, paving the way for widespread adoption and seamless usability. Finally,
even governments are beginning to recognize the potential, as Europe signed the Payment Services
Directive (PSD2), which is focused on driving strong customer authentication and pushing companies to
reduce their reliance on traditional passwords.

With the technology basis well-established and world-leading governments and companies recognizing
the potential of password-less security, there is a perfect storm for eliminating the problems caused by
shared secrets. As more companies adopt the password-less approach, we'll see account takeover
(ATO) fraud rates go down, and fewer “massive data breach” headlines will flood our everyday news
cycle. It is time we took back our online security from the hackers who have been winning the war for far
too long.
