When consulting the trade press, it’s difficult these days to escape the flood of articles about passwordless authentication. Unfortunately, not all passwordless solutions are born equal and many solutions either increase the administrative burden of the IT department, or rely heavily on expensive external devices. Deviceless authentication is the next step for organizations that want to combine user experience and airtight security.
The disadvantages of passwords are clear: they can easily be hacked or intercepted; reusing the same password across different applications makes them easier to detect or guess; they lead to insecure behavior such as writing them down on Post-it notes or storing all of them in one ‘secure’ file or a vault that acts as a honeypot; and they burden the IT department when a helpdesk agent has to reset passwords on Monday mornings or after holidays because customers or employees forgot them.
Eliminating passwords at the application level is the best passwordless solution
Passwordless systems involving one-time passwords (OTP) or mobile authenticators already form part of the solution, but they are still less secure than passwordless solutions that do away entirely with the password on the server end of an application. In the TrustBuilder.io Mobile Authenticator solution for instance, a dynamic secret key is exchanged in the background, which the user can generate by applying device biometrics or keying in their PIN. This eliminates man-in-the-middle and even man-in-the-browser attacks. Once you’ve combined TrustBuilder’s adaptive authentication and WYSIWYS (what you see is what you sign) you can also avoid social engineering hacks.
No extra hardware needed for deviceless authentication
The next step in passwordless authentication is going deviceless. Besides being even more secure, this solution has the added benefit that the user does not necessarily need an external device such as a dongle or a smartphone. If an organization wants to roll out passwordless authentication for internal applications, it needs to either equip all employees with smartphones or ask them to use their personal phones to authenticate to these applications. This can cause resistance in public services or give labor unions a reason to demand company phones as an extra fringe benefit.
Deviceless authentication, as in the solution TrustBuilder proposes, does away with these disadvantages. Similar to integrating an MFA SDK into a mobile app, deviceless multi-factor authentication (MFA) integrates the MFA into the web app itself. Deviceless MFA is a means for end-users to strongly authenticate themselves, in an ultra-secure way, using nothing but their browser. There is no need for any specific hardware or software installation: a registered web browser (Edge, Chrome, Firefox, Safari, IE, etc.) takes the place of the trusted ‘device’ to securely authenticate to the applications. Developed and patented by TrustBuilder for its mobile authenticator, this solution uses dynamic and random keys. By changing the dynamic security keys randomly with each connection request, we ensure maximum security even in an unsecured environment. Our keys have a virtual lifetime of 0s: the key required for the connection is generated at the moment a request comes through and verified against an HSM (Hardware Security Module)-equipped backend server. Once it is used, it expires. Even if a hacker could get hold of it, the key would not work, since the hacker cannot access the user’s registered browser at the moment the key is generated, thus eliminating man-in-the-middle and man-in-the-browser attacks.
Deviceless authentication benefits users, administrators and developers
Deviceless authentication, as described above, is beneficial to end-users, administrators and developers alike. To end-users, the enrollment process is completely transparent and authentication is seamless. What’s more, when users work on a shared computer, the same browser can be used by different users, each with their own authentication.
Administrators can use deviceless MFA to promote ‘Bring your own device’ (BYOD) while raising the security level. For one thing, administrators need not provide specific hardware to users. This also makes deviceless MFA a time saver, allowing new applications to be rolled out faster: as there is nothing to install, deployment is done in just a few clicks.
Developers, for their part, will be happy to see the end of user password management. To quickly implement MFA for their application, all they need is the browser token and the mobile authenticator’s development library.
And management will be delighted too, as the solution brings cost savings: no extra hardware is required, you need fewer people on customer support, and you avoid security breaches and potential fines for infringement of GDPR or PSD2. By simplifying onboarding and guaranteeing a secure and user-friendly environment for your customers, you will avoid churn and increase customer satisfaction.
Deviceless MFA is already used in different industry segments, such as e-health, banking, insurance, retail and government organizations. Contact us to offer your organization and your users better security and better user experience.