Password-Less Authentication: An Introduction
As many organisations strive to secure their infrastructure and adopt modern levels of authentication, we must also prepare for the next step in the authentication journey. In the previous posts of this series, we discussed “something the user knows” and “something the user has”. In this blog, we will focus on “something the user is”. This means that authentication will depend on the actual identity of the user. This concept is commonly known as password-less authentication.
A Password-Less Model
Passwords are still a prime target for attackers when compromising an organisation. Generally, from the perspective of password-less authentication, if a user can remember any password, then it is considered insecure. For example, a password as long and complex as “An@ppleADayk33p$th3D0ct0raway%@!” may be considered secure, but a 200-character string that is randomly generated and stored inside a digitally signed certificate or hardware key that can only be accessed by a specific user is more secure and likely more future proof. By not having a password, you don’t run the risk of that password being compromised. But what does this mean?
To clarify, having no password means that instead of a user typing in a password, the user will instead rely on a replacement authentication mechanism as opposed to a traditional password. By using “password-less” authentication, the password is substituted by a much stronger factor of authentication, namely a combination of hardware-based biometrics, modern hardware keys, digital certificates, etc, that is secured by the strength and intelligence of a security chip known as the TPM.
With the introduction of the TPM (Trusted platform module), a hardware-based cryptographic processor that enhances computer security and privacy, operating systems can now take advantage of advanced security features that are made available through multiple physical security mechanisms. An approach allowing for a standardised implementation of password-less authentication is possible. The TPM protects chosen data through encryption and decryption processes, protecting authentication credentials, and proving the authenticity of which software is running on a system. The TPM places hardware-based security deeper inside the operating system making it more tamper-resistant to malicious users or software.
How Does The Trusted Platform Module (TPM) Work?
Software that manages cryptographic keys, such as Microsoft’s Platform Crypto Provider in Windows, can create keys in a TPM with restrictions on their use. The operating system can load and use the keys in the TPM without copying them to insecure areas, such as the system memory (RAM), where they would be vulnerable to traditional memory-based attacks. Cryptographic key management software can also be used to configure keys that a TPM protects in such a way that they are not removable from within the hardware-backed protected environment. If a TPM creates a key, the created key is unique and resides only in that TPM. If the TPM imports a key, the cryptographic key management software can use the key in that TPM. However, the TPM does not become a source for creating copies of the imported key or enabling the use of these copies elsewhere. In sharp contrast, similar software-based solutions that protect keys from copying are subject to reverse-engineering attacks, in which an attacker reverse engineers how the solution stores keys, makes copies of keys, or targets the keys while they are in memory during use.
Making use of keys that a TPM protects can require authorization values such as a PIN (including alphanumeric PINs), infrared facial recognition, or a fingerprint reader. These biometrics authorization values make “something you are” a strong and viable authentication mechanism because of its underlying technology. With dictionary attack protection, the TPM can implement a lockout to prevent attacks that make too many guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they struggle to provide the same level of protection due to the limitations of their operating space, such as when the system restarts, the system clock changes, or the attacker changes the files on the hard disk responsible for counting failed guesses. In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. These TPM features provide distinct advantages over software-based solutions.
As a practical example of password-less approaches to authentication, Windows Hello deserves a mention. Windows Hello has become one of the benchmarks for password-less authentication. Microsoft works closely with device manufacturers ensuring that devices are shipped with the latest TPM and Microsoft-approved biometric devices that meet the Windows Hello standard. Using all the available technology, the Windows Hello solution has proven itself to be more secure than traditional password mechanisms. As a simple summary of the process, the user authenticates themselves to an identity provider, such as Active Directory. Once authenticated, the user can enroll themselves for Windows Hello, assuming the organisation supports it. Upon enrolment, a public and private key pair are created, with the public key being associated with the user account on the identity provider (eg. Active Directory). In conjunction, the private key is stored within a suitable TPM on the user’s device. Using the TPM with a suitable biometric or PIN-based unlock, the user can cryptographically sign data sent to the identity provider to verify the user’s identity, and thereby authenticate the user to the required system or platform. Throughout this process, the interaction with the private key is governed by the TPM, thus protecting this authentication material.
Password-Less Model Adoption & Considerations
With all the new technologies in the industry, promoting awareness around the benefits and value of a solution will more likely lead to an organisation’s Management and Financial teams buying into a suggested change. Modifying the daily routine of all users in an organisation can be a costly and disruptive affair if it’s not approached carefully. Any proposed new solution must therefore be better, less complicated, and require less effort when aiming for a seamless adoption. Password-less authentication can, when implemented properly, strengthen the security posture of an organisation without causing huge disruptions to existing routines and processes and in some cases can improve the authentication experience of users.
Going password-less has practical advantages and enhances user experience. For example, consider a user that powers on their laptop and enters in their long, randomly generated secure password. This user also enters the same password every time the laptop is locked and unlocked. Now consider a different user that powers on their laptop, suitable infrared camera sensors verify their identity, unlock the securely stored authentication material, and subsequently log the user in. Every time this user’s laptop is locked, the user unlocks the laptop just by looking at it, much the same as with biometric authentication on our mobile devices. This kind of authentication approach is more favourable and efficient because authentication secrets are stored in the secure TPM resulting in the user requiring no effort nor having to remember anything to be able to successfully authenticate.
There has been a slow uptake of password-less authentication in the industry thus far. This is mainly due to this model requiring specific operating system support, combined with special hardware requirements such as the TPM and biometric sensors. Some organisations or administrators also don’t fully understand the technology yet, and it is therefore overlooked. For example, it is easy to confuse a traditional Windows PIN with a TPM PIN. Both PINs unlock the operating system, but function in two completely different ways. Possessing the correct hardware enforces the security and reliability of the solution. For example, some software-based solutions use devices’ selfie cameras to verify a user. Using a regular camera without the proper infrared technology and liveness checks may result in the system successfully authenticating a malicious user that holds up a photograph of the device owner. Overlooking critical elements like these may severely degrade the security of the solution.
The discussion around a password-less authentication model and solutions such as Windows Hello introduces a relatively new approach to authentication and naturally, organisations will view these approaches with some concern. Understanding the steps along the authentication journey can provide some much-needed context to organisations for them to get familiar and comfortable with a new approach. A good place to start on an authentication model improvement journey is for organisations to identify their own current state. Using the CASM Model, as shown below, an organisation can benchmark its current solution and plan a roadmap to successfully build upon it from there.
Figure 1: https://danielmiessler.com/blog/casmm-consumer-authentication-security-maturity-model/
Reflecting on this series of articles, we now understand the journey of authentication. We understand that there are advantages and disadvantages across the spectrum of various authentication models from the perspective of security. While the authentication model has adapted and evolved over the years to meet new requirements and ensure relevancy with ever-changing technology, there are always security considerations that need to be considered, regardless of the chosen solution, to ensure a secure implementation. It takes only a single mistake for a compromise to occur.
We also know that the IT industry evolves year to year at a rapid pace. Therefore, it is important for organisations to modernise their infrastructure and processes and keep their team’s competency and skillset up to date. Although securing infrastructure is vital, protecting, and guiding end users on the front line is equally important. End users are common targets for attackers, and we must arm them with as much knowledge and awareness as we can, to limit any possibility of a breach. The sooner an organisation advances and upgrades its security, the more difficult it is for an attacker to succeed.