Passwordless does not mean Multi-Factor Authentication

How does a machine authenticate a user? IT security professionals normally think of multi-factor authentication (MFA) with the factors being what you know, what you have, and what you are. The various factors strengthen the authentication and thus are recommended these days.

On a laptop, the machine would let you enter the password (what you know), insert a physical token (what you have), and check your fingerprint or face recognition (what you are).

What happens if the machine is a remote server? A remote server typically cannot check whether a physical token is inserted, nor whether the fingerprint matches. Server-side biometric matching is questionable for many reasons. The server can only authenticate a user via data, e.g. “what you know”, or, as you can see below, “what the device knows, that you have”.

If “what you know” is something no one else knows, then the identification would be perfect. However, if the server must know it too (e.g. to compare), then the identification is no longer ideal. Asymmetric key cryptography offers the solution. The server uses the user’s public key to verify the authentication, without having the private key that only the user has – or, more correctly, that only the (authentication) device knows. It’s no longer “what you know”, but “what you have (a device) that knows the private key no one else knows”.

Note: Originally designed as a second factor, the use of asymmetric key-based authentication is making the “first factor” – the user password – mostly irrelevant. Given the strength of asymmetric key cryptography, compared to the unsuitable shared secret of passwords or biometrics, we can say that in practical terms, for remote authentication the only relevant “factor” is “what you have”, e.g. what the device (that you have) knows. MFA doesn’t matter here, as what you know, and what you are, don’t change the strength of the authentication.

“Passwordless Authentication” is taking the industry by storm. We believe it will substantially reduce identity theft and account take-over, which have been major pain points in recent years. We believe that some clear statements will help make the ideas clearer.

We believe:

  • The industry’s hot buzzword “Passwordless Authentication” is about authentication to a remote server, not to a local device (e.g. a laptop).
  • What matters most in this industry’s effort is that the remote authentication over the network uses a secure protocol that attackers on the network with their computers cannot break. Today, the protocol should be asymmetric key based; and this is performed by a device the user possesses.
  • At the time of the authentication the user might be using that device already – it can be his or her computer – and therefore the user’s action is rather some local gesture to confirm the “userness” or the user’s presence during the authentication. These local gestures do not affect the remote authentication’s strength and thus are not considered MFA.
  • MFA applies to authentication to the local device, namely (local) OS logon or preboot authentication PBA, which decrypts and starts the OS.
  • We believe there is confusion and there are unclear definitions around passwordless authentication today. They will become clear as the industry makes progress. Businesses should understand that MFA is not necessarily related to passwordless (remote) authentication, and that the computer itself is an excellent choice to be the authentication device where applicable, with no extra token needed.
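
The asymmetric-key login and the local-gesture point described above, as an added example that is not code from the original post or from WinMagic. It assumes Ed25519 signatures over a random server challenge; `createDevice`, `createServer`, `gestureOk` and the user name are hypothetical names constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Device side (hypothetical helper): the private key is created here and never exported.
function createDevice() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  return {
    publicKey, // the only half sent to the server at enrollment
    // gestureOk stands in for a local PIN or fingerprint check; the server never sees it.
    sign: (challenge, gestureOk = true) =>
      gestureOk ? nodeCrypto.sign(null, challenge, privateKey) : null,
  };
}

// Server side (hypothetical helper): stores public keys and one pending challenge per user.
function createServer() {
  const keys = new Map();
  const pending = new Map();
  return {
    enroll: (user, publicKey) => keys.set(user, publicKey),
    storedKeyType: (user) => keys.get(user).type,
    challenge(user) {
      const nonce = nodeCrypto.randomBytes(32); // fresh per attempt
      pending.set(user, nonce);
      return nonce;
    },
    verify(user, signature) {
      const nonce = pending.get(user);
      const key = keys.get(user);
      pending.delete(user); // a challenge is valid for one attempt only
      if (!nonce || !key || !signature) return false;
      return nodeCrypto.verify(null, nonce, key, signature);
    },
  };
}

function demo() {
  const server = createServer();
  const device = createDevice();
  server.enroll("alice", device.publicKey); // constructed sample user

  const sig = device.sign(server.challenge("alice"));
  const genuine = server.verify("alice", sig);

  server.challenge("alice"); // new login attempt, new nonce
  const replayed = server.verify("alice", sig); // old signature does not match the new nonce

  const otherDevice = createDevice(); // holds a different private key
  const wrongDevice = server.verify("alice", otherDevice.sign(server.challenge("alice")));

  return { genuine, replayed, wrongDevice, stored: server.storedKeyType("alice") };
}
```

The server's verification path uses only the stored public key and the signed challenge; whether a gesture happened on the device is visible to it only as the presence or absence of a signature.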

Having said that, WinMagic offers the most extensive MFA for preboot authentication. We encourage security-conscious customers to use MFA when applicable. We also offer the option to use the computer as the 2FA, as the most seamless way to ease into the passwordless journey.

