Securing Passwordless Credentials with Identity Verification
When an enterprise is offering passwordless authentication, they are offering convenience and usability without sacrificing security. The user’s phone becomes the user’s identity — this is smart because users protect their phone and protect its contents. It really is the user’s identity.
Think about the three main authentication factors (what you know, what you have and what you are)….a password is usually the “what you know” factor, which is inherently the weakest. Passwords are re-used, written down, phished, stolen, and overly complicated or otherwise painfully easy to guess. Furthermore, with the growth of single sign-on (SSO), oftentimes, if the password is stolen, all systems are compromised.
By utilizing the other two factors and going passwordless, security is increased while simultaneously increasing security. Win-win doesn’t even begin to describe this situation, it’s WIN-WIN. To steal the other factors requires levels of felony that most hackers don’t want to do, stealing personal property and/or body parts. Tying the authentication to possession of a phone verified to be the user’s or a verified face biometric solves all of this.
Vulnerability at Time of Passwordless Credential Issuance
But there is a fundamental vulnerability early in this process when pairing the phone with the user. It is during this critical phase that you NEED to ensure that the user pairing the device with the identity is the correct user. Identity verification during this phase ensures that the user pairing the phone is the correct user.
Depending on the security needs, this can be a simple mobile match (the identity is the user who owns this phone) or KBA challenge (does the user pairing know what they should) or a government ID match (does the user pairing have an ID and matching biometrics for the identity). Ideally, a solution will step up a policy that checks each more secure method depending on the profile of the user or the ability to pass the earlier stages.
When to Apply Identity Verification to Passwordless Credential Process
This verification process to pair the credential to the user happens during two lifecycle events: zero day onboarding and credential recovery. During zero day onboarding, the most stringent identity verification template should be used – MobileMatch and BioGovID Verify the user’s possession and ownership of the mobile device being used for the credential, then verify their identity with a government issued identification and matching selfie – you hit the two most secure factors in one flow.
During credential recovery, you have already established the identity of the user during onboarding, now you can use a more streamlined template and just check MobileMatch. Determine that the user is indeed the legal owner of the phone, that it hasn’t been used for fraud, and that the user has actual possession of that phone. Then you can re-issue the credential.
Passwordless is the wave of the future both for workforce and consumers. It is easier for the user, more secure for the enterprise, and intuitive and fast for authentication. The important part is that you establish the match between the physical identity, the digital identity and the mobile device being used as an authenticator at the initial point of vulnerability.