‘Password + 2FA’ approach more likely to become preferred method of authentication, one expert argues

PasswordsCon 2020: Authentication expert expresses skepticism about passwordless future

Internet technologist Jim Fenton has questioned the assertion that the future is necessarily ‘passwordless’.

Many new authentication technologies are advertising themselves as passwordless. This is an attractive promise to many who would like to avoid the cognitive effort of remembering passwords.

But during a presentation at the PasswordsCon conference yesterday (November 24), Fenton pointed out that users will be obliged to remember something like a PIN even while using passwordless authentication.

Fenton, one of the authors of the US NIST SP800-63B authentication standard, released in 2017, argued that biometrics alone are not really a ‘secret’. For example, we leave fingerprints everywhere, and these can be lifted and cloned.

Recent research has revealed that high-resolution photos reveal iris patterns, particularly if the subject is blue-eyed.

Reliance on biometrics is doubly problematic because, unlike a password, a fingerprint pattern tied to an individual is permanent and cannot be revoked even if it becomes compromised.

PIN it down

Another passwordless approach involves the use of a physical authenticator with a biometric element. Many smartphones come with fingerprint or facial ID recognition built in.

But fingerprints can fail when hands are dry or wet. And facial recognition fails when wearing a mask – a potential problem when paying for groceries in a supermarket in a post-Coronavirus era.

“When I go work in my vegetable garden my fingers get all dry and dirty,” Fenton said. “I can’t use the fingerprint sensor on my phone then. I need to use the PIN to unlock the phone.”




In addition, biometrics are subject to a significant false acceptance or false failure rate.

“In a lot of ways all biometrics offer is a convenience factor,” Fenton said. “The security is limited by whichever is the weaker, the biometric or the PIN.”

“PINs are really just low entropy passwords,” Fenton added.

Fenton noted that users are entitled to feel disappointed if they still have to remember a PIN when using passwordless authentication. “This is a marketing pitch we’re talking about here,” he said.



Oh, auth

Devices that use two physical authenticators are not as safe as their proponents might suggest because if an attacker can steal one physical authenticator, they can probably steal two.

“When we say two-factor authentication, we mean two different factors and not two of the same factor,” Fenton said.

Similar doubts exist about authentication based on two biometrics.

Fenton is even more scathing about combining email with a physical authenticator.




“I know it’s very widely used but email is a terrible authenticator in so many ways because it’s very often not secure in transit, and there are various threats when you have email stored on a server,” he said.

“And how do you access your email anyway? Probably with a password, so it’s not really passwordless anymore. Don’t use email as an authentication method if you can possibly avoid it.”

Passwords have numerous security issues, including offline cracking, password spraying, and credential stuffing, but the approach has proved more resilient than many expected.

Fenton’s argument is that the future is more likely to be password plus multi-factor authentication, rather than purely ‘passwordless’.

PasswordsCon 2020

The 2020 edition of PasswordsCon took place entirely online this week, with 14 presentations covering a range of topics tied to passwords, password cracking and authentication.

A diverse range of speakers from academia, the voluntary sector, and technology vendors presented at the event.

Academic Stephan Wiefling opened the conference on Monday (November 23) with a presentation on the usability of risk-based authentication.

The talk was based on a paper on the same subject, released last month and the fruit of a two-year long study.

Apple’s password compatibility project

During the closing presentation on Tuesday, Ricky Mondello, a software engineer at Apple, talked about an open source project to help improve generated password compatibility with websites.

Many websites have their own rules on the length of password required and the mix of letters, numbers and (most of all) special characters allowed.




These quirks can create problems when a user uses a password manager to generate a random password because the mix of characters it contains might be unsupported by a particular site.

In these circumstances, users might revert to using a password they make up themselves, which is likely to be far easier to guess than a machine-generated credential.

Apple’s iCloud Keychain password manager uses curated website-specific data to improve generated password compatibility in order to get around this problem.

The tech company recently open-sourced this data for everyone, including other password managers, to use and help curate, as explained during Mondello’s talk.
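
As an added illustration (not Apple's code or data format, and not part of the original article), the Python below shows how a password manager can generate a random password that respects a site's quirks. The rule schema and site names are constructed for this example; the entropy figure it reports is an upper bound and also shows why a six-digit PIN is a low-entropy password.

```python
import math
import secrets
import string

# Constructed per-site rules in a hypothetical schema (not Apple's published format).
SITE_RULES = {
    "default": {"length": 20, "required": ["lower", "upper", "digit", "special"],
                "special": "-!#$%&*+=?@^_"},
    # Site that rejects every special character.
    "legacy-bank.example": {"length": 12, "required": ["lower", "upper", "digit"],
                            "special": ""},
    # Site that only accepts a numeric PIN.
    "pin-only.example": {"length": 6, "required": ["digit"], "special": ""},
}
BASE_CLASSES = {"lower": string.ascii_lowercase, "upper": string.ascii_uppercase,
                "digit": string.digits}


def classes_for(site):
    """Return (length, {class name: characters}) the site accepts."""
    rule = SITE_RULES.get(site, SITE_RULES["default"])
    classes = {n: BASE_CLASSES[n] for n in rule["required"] if n in BASE_CLASSES}
    if "special" in rule["required"]:
        if not rule["special"]:
            raise ValueError("special characters required but none allowed")
        classes["special"] = rule["special"]
    return rule["length"], classes


def generate(site):
    """Generate a random password that satisfies the site's rules."""
    length, classes = classes_for(site)
    if length < len(classes):
        raise ValueError("password too short to include every required class")
    pool = "".join(classes.values())
    while True:
        # Rejection sampling: draw uniformly from the allowed pool with a CSPRNG
        # and retry until every required class appears, so no position is biased.
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in classes.values()):
            return candidate


def entropy_bits(site):
    """Upper bound on entropy: length * log2(size of the allowed pool)."""
    length, classes = classes_for(site)
    return length * math.log2(sum(len(chars) for chars in classes.values()))


if __name__ == "__main__":
    for name in SITE_RULES:
        print(f"{name}: {generate(name)} (<= {entropy_bits(name):.1f} bits)")
```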

PasswordsCon 2020 was held as a separate track at Internetdagarna (The Internet Days) on November 23-24. The Internet Days are organized by The Internet Foundation in Sweden, an independent organization that is responsible for .se, the Swedish top-level domain.

