Beyond passwords

The future of web authentication is complex and exciting.

Sign Up

Get the New Statesman's Morning Call email.

The University of Surrey’s Mark Manulis, Helen Treharne and Chris Newton, and Matthew Casey from Pervasive Intelligence, discuss the new mechanisms being developed for keeping data secure.

What are the main issues with password insecurity?
Much has been said about password insecurity. Users are known for making poor password choices, with passwords often being written down, reused across multiple websites, or revealed through phishing attacks. Deployed policies requiring users to frequently change and memorise new passwords are unusable and magnify the problem. The need to adhere to legacy systems in password management and provide for alternative reset mechanisms introduce further risks and high costs. The UK’s NCSC has issued numerous guidelines on how to improve password authentication. But in the coming years passwords will no longer be used as a main authentication factor. This is foreseeable, given new regulations such as the revised EU Directive on Payment Services (PSD2) on stronger customer authentication and recommendations by the World Economic Forum on adopting passwordless authentication.

What does the future of authentication look like?
The need to strengthen user authentication has already been recognised and many competing solutions are currently being deployed. Collectively known as 2FA/MFA, they still widely rely on passwords, strengthened by additional measures such as one-time passcodes. There are less secure solutions with short time-limited codes sent through out-of-band channels, eg email or SMS, and solutions requiring additional software/hardware authenticators on the user side to locally generate and verify the codes. They must be securely configured for each web service and cannot be reused, limiting portability and requiring complicated, often manual reset mechanisms. As with passwords, using passcodes bears the risks of guessing and phishing attacks.

The game changer is the open FIDO Alliance specifications for completely passwordless user authentication. On track to become a new standard, WebAuthn, developed by the W3C Web Authentication Group, relies on public-key cryptography to improve the security and privacy of web users. While commodity smartphones and various USB/NFC/Bluetooth tokens will serve as WebAuthn authenticators, there are still usability limitations with regards to their portability, back-up and reset mechanisms.

How is the University of Surrey involved in shaping that future?
The Surrey Centre for Cyber Security (SCCS) is working with leading WebAuthn industries on back-up/recovery mechanisms for future web authenticators and is also exploring new cloud-based architectures with hardware-based roots of trust to support delegation of WebAuthn credentials. SCCS has experience in the design and analysis of (multi-factor) authentication and identity management protocols, grounded in modern cryptography and formal protocol analysis. In our recent projects we developed privacy-preserving authentication and attestation protocols for users and machine-to-machine communications, with applications for future transport and rail systems. SCCS is also working on authentication protocols for distributed systems involving IoT and blockchain technologies.

Free trial CSS