Navigating the landscape of passwordless authentication

Ashok Pandey

India's technological landscape is ripe for passwordless authentication, with a young and tech-savvy user base. However, regulatory guidelines in industries like BFSI may impact adoption.

In an era dominated by rapid technological advancements, the traditional paradigm of password-based authentication is undergoing a profound transformation. At the forefront of this evolution is the concept of password-less authentication, a shift that not only promises enhanced security but also strives to revolutionize the user experience.

In a recent interview, Anand Venkatraman, Partner at Deloitte India, shares his views on the challenges, opportunities, and likely trajectory of passwordless authentication. From user acceptance to the technology landscape of emerging economies such as India, the conversation covers the practical nuances of this shift: where passwordless can be adopted today, what concerns remain, and how organisations can move toward a future in which the traditional password gives way to stronger and more convenient authentication methods.

Challenges and Gaps in Passwordless Authentication Adoption

Adopting passwordless authentication needs to be reviewed from a user acceptance, security and technology support perspective to identify the challenges and gaps and mitigate them.

  • A key challenge is inducing a mindset shift for the audit and compliance teams to understand that strong authentication is possible without passwords. All the controls that come with passwords, such as strong passwords, password rotation, history, etc., have to be eliminated from the controls framework. It is going to be very challenging to make that leap of faith and say passwords are not required anymore, especially for auditors.
  • User acceptance to move away from passwords will be a major deciding factor for passwordless adoption. The learning curve needs to be factored in, with proper communication and training. To enable faster adoption, the user should be allowed to choose an authentication method they are comfortable with, say fingerprint, facial recognition, PIN, etc.
  • Scenarios where the user’s device used for authentication is stolen, malfunctions or is replaced should be well designed, and should not become a backdoor for attackers by relying on password and secret question and answer-based recovery methods.
  • From a technology perspective, it is important to evaluate support of FIDO2 across platforms, browsers, and applications in order to prepare the strategy for going passwordless.

India's Technological Landscape and Transition to Passwordless Authentication

India is considered a fast-paced digital economy, and smartphone penetration in rural areas is also high. India is well poised to adopt passwordless authentication for customer and workforce applications since it offers a secure and frictionless user experience. India’s user base is also significantly young and adapts to newer technology very fast. Passwordless authentication would be welcomed by a majority of the user base and would be successful as long as we have good awareness campaigns that cover the do’s and don’ts during the rollout.

For regulated industries like BFSI and FIDO2, passwordless authentication needs to be approved by the regulatory authority. As a result, the adoption in regulated industries will be limited to the extent that is allowed by the regulatory guidelines. Passwordless authentication can be evaluated to be used as an alternative to one time password or multifactor authentication.

Addressing Privacy Concerns in Passwordless Authentication

As indicated in Deloitte India’s latest report on passwordless authentication, passwordless authentication using FIDO supports privacy by design. The user’s biometrics or PIN is stored locally on the user’s device – it never leaves the user’s device and hence it incorporates the concept of privacy by design. FIDO2 uses public and private key cryptography and the private key is also stored locally on the device or on the user’s cloud platform, both of which are controlled by the user. Unlike the password, the biometric or the PIN is used to authenticate to the device only, it is never transmitted to another website or service the user is trying to access.

Furthermore, from a privacy perspective, user activity tracking is not possible since each service where the user uses FIDO2 passwordless authentication has a different FIDO credential.

Corporate Implementation of Passwordless Authentication

Moving to passwordless authentication is not yet another technology project implementation. It is a mindset shift for the entire organisation, right from users to security, business, and technology teams. To enable users to get accustomed to the new way of authentication, organisations can start by introducing passwordless as MFA or for desktop login and gradually phase out legacy passwords as user adoption grows. Organisations should adopt a buy rather than build approach, since product vendors enhance their products as the protocol and technology advance.

The Road Ahead for Passwordless Authentication

Platform vendors have pledged support for PassKeys, which is a discoverable FIDO2 authentication that allows users to log in seamlessly to a service across devices. The user does not have to register each device separately to access the same service, which will reduce the friction during the registration process. The FIDO Alliance is also working with global regulatory bodies to get FIDO recognised as an accepted authentication standard and is making progress, which will pave the way for adoption even in regulated industries. The International Telecommunication Union’s Telecommunication Standardisation Sector (ITU-T) has recognised FIDO2 as an official ITU standard. Now that there is a technology that leverages biometrics without compromising privacy, the applications are limitless in enhancing user experience across all walks of life, and not just digital.

Evolution of Biometric Technologies in Passwordless Authentication

Biometric technologies have revolutionized passwordless authentication. Platforms support the Trusted Platform Module (TPM) to securely store and process biometric templates, ensuring the confidentiality and integrity of sensitive biometric data. Advancements in biometric sensors, such as fingerprint scanners, iris scanners, facial recognition, and voice recognition, will continue to improve in accuracy and reliability. These advancements will enhance the overall user experience and reduce false positives/negatives, making biometric authentication more convenient and secure.

Strategies for User Education and Transition

Organisations should design intuitive user interfaces for passwordless registration and authentication. In addition, communication campaigns for creating user awareness, user training guidelines, and surveys to gather feedback on end-user acceptance of passwordless authentication will help in ensuring a smooth transition and increased adoption.

Balancing Security and User Experience in Multi-Factor Authentication

FIDO2 based passwordless authentication is a multi-factor authentication since it combines two factors – something you have i.e. device and something you know (PIN) or something you are (biometrics). Despite combining two factors, the user experience is frictionless, and it provides the right balance between security and user experience. The user can authenticate applications from their laptop, desktop, or mobile phone with a simple swipe on the fingerprint reader, a face nod to the camera or by entering a static PIN on their device. And it is phishing resistant since there are no passwords to compromise and the attacker will need physical access to the user’s device and access to biometrics or PIN.

Proactive Security with Passwordless Authentication

FIDO2 based passwordless authentication is phishing resistant and mitigates the risk of credential compromise. Passwordless authentication enables the organisation to achieve the zero trust goals of secure access by enabling user and device-based authentication.

Coexistence and Transition from Traditional Passwords

Moving to passwordless authentication is a journey. Support for passwordless authentication is growing as platforms, browsers, product vendors and applications build support. However, it is expected that traditional password-based systems will co-exist even as passwordless authentication gains wider acceptance. It is possible that some legacy applications will not support FIDO2 or for some applications it may not bring any business benefit in terms of user experience, agility, cost or security and hence for these applications the password-based systems will continue.

Anand Venkatraman, Partner, Deloitte India