Passwordless for Government Services
Stolen and guessed passwords are behind a large share of data breaches. According to Verizon's 2020 Data Breach Investigations Report, over 80% of web application breaches involved brute-forced or stolen credentials, and 58% of the 3,950 breaches analyzed involved personal data. Traditionally, services and applications have tried to improve security by defining and enforcing password policies such as account lockout, password expiry, and minimum-length and complexity rules. Inadvertently, these policies increased the attack surface, because the burden they placed on users was not well understood. With users managing at least 50 online accounts on average and complexity requirements rising, people respond by reusing passwords across sites (which feeds credential stuffing attacks), storing passwords insecurely, and satisfying the rules in predictable ways (appending a digit or the current year, capitalizing the first letter).
Passwords are inherently weak because they are shared secrets: the user sends the same secret to the service on every login, so anyone who can intercept it or impersonate the service, as a phishing page does, captures it. Hashing passwords properly at rest is a necessary first step, but fixing storage and composition rules alone is not enough. Authentication schemes themselves need to be rethought so that no reusable secret is transmitted during authentication, giving the American public online credentials that are secure by design.
NIST SP 800-63B discourages complex composition rules and emphasizes multi-factor authentication to supplement memorized secrets. By combining something you know, something you have, and something you are, organizations can significantly reduce credential-based breaches and earn the trust and confidence of the public. That said, knowledge-based verification and one-time codes delivered by SMS or email (which SP 800-63B classifies as restricted authenticators) are still not phishing-resistant, and neither are app-generated TOTP codes: a user can be tricked into typing the code into a fake site that relays it to the real one while it is still valid.
Google rolled out security keys, a public-key based authentication factor, to more than 85,000 employees and reported no successful phishing of employee accounts afterward. Public-key cryptography has existed since the 1970s, but its adoption for client authentication on public-facing web applications has been slow, mainly because there were no standards and no readily available hardware for seamless public-key registration and private-key protection. WebAuthn, the web authentication specification published by the W3C and developed with the FIDO Alliance, changes that: the private key never leaves the authenticator, and the browser binds every signed challenge to the page's origin and relying-party ID, so a signature obtained through a look-alike phishing domain is rejected by the real service. This takes human judgment about whether a login page is genuine out of the loop and lets the machines on both sides establish identity.
It would be naive to think that passwords are going away any time soon. But public-key roaming authenticators such as YubiKey and SoloKeys USB devices are becoming popular as password replacements. Chrome, Firefox, and Edge implement the WebAuthn API, and Android, iOS, and Windows ship built-in platform authenticators, bringing a passwordless world closer to reality.
Passwords are easy to steal remotely and hard to remember. Reducing reliance on them through multi-factor authentication will better secure government services and protect the public's privacy. Since OMB Memorandum M-19-17 encourages the use of federally provided shared services, agencies can save time and money by using login.gov for identity assurance and multi-factor authentication. login.gov's recent support for WebAuthn lets agencies keep up with evolving standards and move to stronger, phishing-resistant factors without additional integration effort, positioning them for a passwordless future.