“Passwordless” authentication

With “the cloud”, many people are monetizing something-as-a-service and authentication as a service seems to be the latest big trend.  The picture from this article is a logo from one of these providers; anything that purports to be “magic” or send “magic links” just grates the sensibilities.  Computers aren’t magic – far from it – and authentication is something that can be systematically examined and assessed.

There are five factors of authentication:

• What you know
• What you have
• What you are (biometrics)
• Where you are
• When you are

Moving authentication to what you have allows “what you have” to be smarter – it knows where and when you are (so you can only log in from your home state and during the workday, for example)  and can unlock only with biometrics (your fingerprint).  It essentially can roll four factors into one app where before you only had the one – what you knew, your password.  This makes for a pretty strong tradeoff.

There are still vulnerabilities through.  Your fingerprint can be captured by law enforcement warrant (cops can make you unlock your cellphone with a fingerprint) or even by your spouse while you’re sleeping.  To wit:

https://nypost.com/2017/11/07/plane-makes-emergency-landing-after-wife-discovers-husbands-affair-mid-flight

What you know has value.  Your password can’t be (legally, by most interpretations though not all) compelled to be disclosed by warrant or court order, and it can’t be disclosed while you’re sleeping.  Relying on a single app to provide four factors of authentication means you have one attack surface: the app.  So, if you download a bad app, if the app provider has a bad employee or there is a warrant against your account served to that authentication provider, all four factors crumble to dust.

For many people and applications current “passwordless” authentication can be a pretty good tradeoff, but don’t give it more hype than it’s due.  You’re trading one method for another, and it’s not necessarily better.