The Microsoft identity team recently launched a series explaining why they love passwordless authentication (and why you should too!). The series kicked off with posts on FIDO and NIST compliance. Alex Weinert continues the series with this post speaking to biometric authentication.
My turn! Pam and Sue are tough acts to follow, but here goes! I love passwordless for so many reasons (I really dislike passwords) – but one of the top things I love about passwordless is that we can use biometrics to make authentication so much easier and more secure. Rather than having to memorize a password (you can’t) or security answers (quick! What was your 6th grade teacher’s best friend’s pet’s maiden name when you had your first crush?), you can use what’s always with you – you! Biometrics let you use your face, fingerprint, or even heartbeat on some devices.
Biometrics also provide terrific accessibility benefits, making it possible to sign in when typing in a password is not viable. It is really exciting to think about the technology in use by people or in situations where secure digital identity was previously out of reach. With biometrics, once a device is “bound”, almost any gesture can be used to authenticate. Think about the implications for folks who interact with technology in non-conventional ways, or whose job requirements make manual interactions impossible (e.g. a surgeon after scrubbing in) – with NFC and FIDO2, a tap of the token can sign you in securely.
There can be challenges with centrally managed biometrics (a server-side database of templates is a breach target, and a fingerprint cannot be reissued the way a password can), but properly implemented solutions like FIDO2, Windows Hello, and the Microsoft Authenticator use the biometric only to unlock a cryptographic secret stored on the device. The template never leaves the device and is never sent to the service; it gates access to operations performed by the secure hardware (e.g. the TPM), such as creating key pairs, releasing public keys, and signing challenges with the private key. The service only ever holds the public key. This approach is inherently multifactor (something you have, the device, plus something you are, the biometric), and it defeats many conventional attacks on MFA because the credential is bound to the device and to the service it was registered with, so there is no shared secret to phish, intercept, or replay. And because you’re thinking it: most biometric systems include liveness detection to validate any biometric presented, so just a picture wouldn’t work.
In a typical deployment of FIDO2 or Windows Hello, a person swipes their finger, says a phrase, or looks at a camera on their device to enroll that device for authentication. Behind the scenes, the device stores the biometric template locally, and a successful biometric verification gates the secure hardware’s creation of a cryptographic key pair (private and public) for that service. The public key is registered with the service; the private key never leaves the hardware. On every subsequent sign-in the service sends a fresh challenge, and the hardware will sign it with the private key only when a newly presented biometric matches the enrolled template.
Even if a hacker were to try to spoof my fingerprint (or face, or try to do my super-secret disco moves) with the goal of tricking the system into thinking it's me, they’d have to steal the device where the keypair resides first. That alone is costly, time-consuming, and rare – and even then, they’d have access only from that device, and I could quickly revoke trust in that device.
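To make the key-gated model above concrete, here is an added example in Go. It is not Microsoft’s code and not any FIDO2 or Windows Hello implementation; it models the two halves of the exchange: a device-side authenticator holding a P-256 private key that signs a challenge only after a local biometric match and only for the relying party it was enrolled with, and a server that stores nothing but the public key, issues single-use challenges, and can revoke a credential. The relying party name, credential ID and the “fingerprint” strings are constructed, and hash equality stands in for a real fuzzy matcher with liveness detection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator is the device side: the private key is created in, and never leaves,
// the "secure hardware", and it signs only after a local biometric match.
// Hash equality is a constructed stand-in for a real fuzzy matcher with liveness detection.
type Authenticator struct {
	CredID, RPID string            // credential ID at, and scope to, one relying party
	Priv         *ecdsa.PrivateKey // only the public half is ever registered
	template     [32]byte          // hash of the enrolment sample; stays on the device
}

// NewAuthenticator enrols a biometric sample and mints a keypair for one relying party.
func NewAuthenticator(credID, rpID, enrolledSample string) *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // RNG failure: refuse to enrol rather than mint a weak key
	}
	return &Authenticator{CredID: credID, RPID: rpID, Priv: priv, template: sha256.Sum256([]byte(enrolledSample))}
}

// Sign fails closed on a biometric mismatch or a request from the wrong relying party
// (the origin binding that makes the credential phishing-resistant).
func (a *Authenticator) Sign(rpID string, challenge []byte, sample string) ([]byte, error) {
	if rpID != a.RPID {
		return nil, fmt.Errorf("credential is bound to %q, not %q", a.RPID, rpID)
	}
	if sha256.Sum256([]byte(sample)) != a.template {
		return nil, errors.New("biometric did not match enrolled template")
	}
	return ecdsa.SignASN1(rand.Reader, a.Priv, assertionDigest(rpID, challenge))
}

// assertionDigest is what gets signed: relying party ID plus the fresh challenge.
func assertionDigest(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// RelyingParty is the server side: it stores only public keys and unconsumed challenges.
type RelyingParty struct {
	ID         string
	creds      map[string]*ecdsa.PublicKey
	challenges map[string]bool // hex(challenge) -> issued and not yet used
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}
func (rp *RelyingParty) Register(credID string, pub *ecdsa.PublicKey) { rp.creds[credID] = pub }
func (rp *RelyingParty) Revoke(credID string)                        { delete(rp.creds, credID) }

// NewChallenge issues a single-use random nonce.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	_, _ = rand.Read(c) // crypto/rand.Read is guaranteed not to fail since Go 1.24
	rp.challenges[hex.EncodeToString(c)] = true
	return c
}

// Verify checks the signature with the registered public key and consumes the challenge.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) error {
	if !rp.challenges[hex.EncodeToString(challenge)] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.challenges, hex.EncodeToString(challenge)) // no replay of a captured assertion
	pub, ok := rp.creds[credID]
	if !ok {
		return fmt.Errorf("credential %q not registered (never enrolled or revoked)", credID)
	}
	if !ecdsa.VerifyASN1(pub, assertionDigest(rp.ID, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Login runs one round: fresh challenge, local biometric gate plus signing, server check.
func Login(rp *RelyingParty, a *Authenticator, sample string) error {
	c := rp.NewChallenge()
	sig, err := a.Sign(rp.ID, c, sample)
	if err != nil {
		return err
	}
	return rp.Verify(a.CredID, c, sig)
}

func main() {
	rp := NewRelyingParty("login.example.com")                           // constructed relying party
	auth := NewAuthenticator("alice-laptop", rp.ID, "alice-fingerprint") // constructed enrolment sample
	rp.Register(auth.CredID, &auth.Priv.PublicKey)
	fmt.Println("genuine:", Login(rp, auth, "alice-fingerprint"), "| spoof:", Login(rp, auth, "gummy-finger"))
}
```

Run as written it reports a nil error for the genuine sign-in and a refusal for the spoofed biometric. The properties the post relies on fall out of the structure rather than out of any clever code: an attacker who copies the biometric but not the device has no registered key, a phishing site gets no signature because the credential is scoped to one relying party ID, a captured assertion cannot be replayed because the challenge is consumed on first use, and retiring a lost device is one `Revoke` call at the server.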
So there you have it – I love passwordless because swiping my finger, tapping my watch or grinning goofily at my PC’s camera is easier, more secure and more FUN than remembering what the darn password I used on that service was this time. (True confessions time – I scrambled my Microsoft account and work passwords over a year ago – I am a dyed-in-the-wool, full-time, passwordless-only authentication addict!)
Stay tuned for more in the series! We’ll share how passwordless credentials can protect you from top attacks and we’ll dive into different types of credentials that use biometrics, NFC, and USB to verify explicitly.