Web service providers encourage end users to create an account when they come to browse and shop, and that account requires personal information: date of birth, address, credit card details and more. For convenience's sake, many users reuse the same username and password they use for other services when they create a new account. This potentially exposes them to the theft of information that could be sold.
Recent high-profile cyberattacks have targeted the theft of personal information that the hackers hold for ransom, creating serious threats for both companies and end users. Below is a sample of some recent headlines from The Hacker News.
Protecting personal information from hackers requires vigilance in managing the security of personal information, which goes beyond simple usernames and passwords.
How password-less authentication works
Secure biometric authentication relies on user credentials that the end user verifies physically. For instance, fingerprint scanners are used today to authenticate the user without the worry of password theft. This authentication process is being extended to other biometric parameters such as face recognition and iris scanning. Figure 1 below details the nine-step process for managing a password-less authentication process.
A password-less authentication process
The seven steps in the secure password-less authentication process:
1. End users create their account with the Secured Authentication Provider (SecAP) by providing a unique username and the other mandatory information for password-less authentication using fingerprint confirmation. Communication between the SecAP and the SecAP mobile application is highly secure.
2. The web service provider offers the user the option of logging in with password-less authentication or through a Facebook or Google account.
3. A user logging in with password-less authentication is required to enter their username. The web service provider authenticates the user by communicating with the secured authentication provider using the username provided and a One-Time Password (OTP) for the request. Communication between the web service provider and the SecAP provider is highly secured.
4. In turn, the SecAP provider sends the request to the user with details of the website access request and authenticates the request by using the user’s fingerprint from the SecAP mobile application to provide website access.
5. With a successful fingerprint verification, the user is prompted with an OTP sent by the website provider. The user must authorize the request by pressing the “authorize access” button.
6. The website provider receives an authentication/authorization response through the SecAP.
7. On successful authentication, the web page prompts the user to enter the OTP. On successful verification of the OTP, the user is granted access to the web service.
Key Features of the SecAP process:
- The user doesn’t have to remember multiple passwords.
- Passwords are not stored anywhere in the database, which enhances security.
- A user’s fingerprint (or any other biometric parameter) is unique.
- Password-less login avoids the tedious process of entering (and re-entering) passwords.
Use Case: Password-less authentication for secure corporate email
The current model
An employee needs to be able to access corporate email either by using Webmail or by configuring a Mail Client. Accessing email requires a user ID and password.
The security threat
If an employee’s password is compromised, hackers could retrieve their complete mail history by using any Mail Client or Webmail, or by writing scripts that read the complete mailbox.
With password-less authentication, an employee trying to set up an email account or access email would first be notified to authenticate using their mobile device, with secure authentication using their fingerprint. After successful verification, the employee would be provided with an OTP generated by the Mail Server. The employee enters the OTP and clicks on the authorize access button. The authentication response is sent back to the Mail Server, and the Outlook application prompts the user to enter their OTP. Once the employee enters the correct OTP, email access is granted by the Mail Server.
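The seven-step flow above and the corporate email use case follow the same exchange, so here is one added Python model of it. This is an illustrative example written for this page, not code from the page or from any SecAP product. It assumes an HMAC-keyed channel between the web service provider and the SecAP (the page only says the channel is "highly secured"), represents the fingerprint template as a hash of an enrolled sample, and passes the user's fingerprint sample and "authorize access" button press in as parameters instead of an asynchronous mobile prompt. The class names, the site name shop.example and all sample values are constructed.

```python
"""Toy model of the seven-step password-less login flow (constructed example)."""
import hashlib
import hmac
import secrets
import time

# Assumption: the web provider and the SecAP share a key that authenticates
# their channel; the page only says the channel is "highly secured".
CHANNEL_KEY = b"constructed-shared-secret"
OTP_TTL_SECONDS = 120  # assumed lifetime of a website-issued OTP


def sign(msg: dict) -> str:
    """HMAC-SHA256 over a canonical encoding of the message fields."""
    data = "|".join(f"{k}={msg[k]}" for k in sorted(msg)).encode()
    return hmac.new(CHANNEL_KEY, data, hashlib.sha256).hexdigest()


def verify(msg: dict, tag: str) -> bool:
    return hmac.compare_digest(sign(msg), tag)


class MobileApp:
    """The SecAP mobile application on the user's device (steps 4 and 5)."""

    def __init__(self, enrolled_fingerprint: bytes):
        # A real app keeps a biometric template; here a hash of the sample stands in.
        self.template = hashlib.sha256(enrolled_fingerprint).hexdigest()
        self.displayed = None  # the website's OTP, shown only after a fingerprint match

    def handle_request(self, details: dict, fingerprint: bytes, press_authorize: bool) -> dict:
        # Step 4: fingerprint check happens on the device, never at the website.
        if hashlib.sha256(fingerprint).hexdigest() != self.template:
            self.displayed = None
            return {"request_id": details["request_id"], "approved": False}
        # Step 5: the user sees the site name and OTP and presses "authorize access".
        self.displayed = details["otp"]
        return {"request_id": details["request_id"], "approved": press_authorize}


class SecAP:
    """Secured Authentication Provider: relays requests to the registered device."""

    def __init__(self):
        self.devices = {}  # username -> MobileApp, filled at registration (step 1)

    def register(self, username: str, app: MobileApp) -> None:
        self.devices[username] = app

    def authenticate(self, request: dict, tag: str, fingerprint: bytes, press_authorize: bool):
        if not verify(request, tag):
            raise ValueError("request from web provider failed channel check")
        app = self.devices.get(request["username"])
        if app is None:
            response = {"request_id": request["request_id"], "approved": False}
        else:
            response = app.handle_request(request, fingerprint, press_authorize)
        return response, sign(response)  # step 6: signed response back to the website


class WebProvider:
    """The web service (or mail server) the user wants to reach (steps 3 and 7)."""

    def __init__(self, site: str, secap: SecAP):
        self.site = site
        self.secap = secap
        self.pending = {}  # username -> {otp, expires, approved}

    def start_login(self, username: str, fingerprint: bytes, press_authorize: bool) -> None:
        # Step 3: username plus a fresh OTP go to the SecAP over the keyed channel.
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        req = {"request_id": secrets.token_hex(8), "username": username,
               "site": self.site, "otp": otp}
        response, tag = self.secap.authenticate(req, sign(req), fingerprint, press_authorize)
        if not verify(response, tag) or response["request_id"] != req["request_id"]:
            raise ValueError("response from SecAP failed channel check")
        self.pending[username] = {"otp": otp, "expires": time.time() + OTP_TTL_SECONDS,
                                  "approved": response["approved"]}

    def finish_login(self, username: str, otp_entered: str) -> bool:
        state = self.pending.pop(username, None)  # single use: a replay finds nothing
        if state is None or not state["approved"] or time.time() > state["expires"]:
            return False
        return hmac.compare_digest(state["otp"], otp_entered)


def run_demo() -> dict:
    """Constructed walk-through: a good login, a replay, a wrong finger, a declined prompt."""
    alice_finger = b"alice-ridge-pattern"
    secap = SecAP()
    app = MobileApp(alice_finger)
    secap.register("alice", app)  # step 1
    shop = WebProvider("shop.example", secap)  # step 2: user picks password-less login
    results = {}
    shop.start_login("alice", alice_finger, press_authorize=True)
    results["good"] = shop.finish_login("alice", app.displayed)  # step 7
    results["replay"] = shop.finish_login("alice", app.displayed)  # OTP already consumed
    shop.start_login("alice", b"someone-else", press_authorize=True)
    results["wrong_finger"] = shop.finish_login("alice", "000000")
    shop.start_login("alice", alice_finger, press_authorize=False)
    results["declined"] = shop.finish_login("alice", app.displayed)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The model makes two properties of the flow visible that the prose only implies: access needs both the device-side approval and the OTP that was shown on that device, so a stolen username alone gets nothing, and each OTP is consumed on first use, so re-entering it fails.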
- The ForgeRock Identity Platform, https://www.forgerock.com/platform/
- The Hacker News, selected article headlines, August 30, 2016 through January 11, 2017, http://thehackernews.com/