Local Authentication vs Keyless pt. 1: FaceID and YubiKey
In this two-part series we compare Keyless’ biometric authentication platform with two popular password-free authentication technologies, Face ID and YubiKey.
As data breaches that compromise user login credentials continue to rise, password-free authentication solutions that leverage local authentication are becoming increasingly popular to mitigate the risk of identity theft and fraud.
In this piece we introduce some of the core security, privacy and usability issues with local authentication by looking at two well-known solutions that leverage this hardware-reliant authentication technology: Face ID and YubiKey.
What is local authentication?
Local authentication utilises trusted hardware devices to authenticate users. The method is called ‘local’ because the user’s secret is stored within the hardware device itself. A “secret” can be anything from passwords to private cryptographic keys to biometric samples.
All kinds of hardware devices can be turned into instruments for local authentication. For example smartphones, laptops, swipe cards and portable USB sticks can all be used as a form of authentication.
Local authentication solutions that require users to log in using a trusted device are much more secure than those that don’t. Solutions without that requirement make it easier for malicious attackers to break into a user’s accounts, either by stealing the hardware device itself and using it on another device, or by stealing information about the hardware device and replicating it to create an unauthorized duplicate.
Systems that use local authentication usually combine it with another method of authentication, like passwords, PINs or biometrics, to provide strong MFA.
Security issues with local authentication
Local authentication systems store private information in a secure part of the hardware device. The security issue with storing private information on portable hardware devices is that they can easily be stolen or lost. In that case, to bypass local authentication, the only security barrier a hacker needs to break into is the hardware device’s internal system.
While this is generally enough to deter non-professional hackers, the strategies and technology used by professional cybercriminals are evolving to keep pace with the most sophisticated security systems. Generally, the longer an attacker has with the hardware device, whether that be someone’s phone or USB, the more chances they have of breaking into it to steal private information.
User experience issues with local authentication
Reliance on hardware devices for authentication can pose significant disruptions to the user experience, which can easily frustrate users. For example, if a USB authenticator or smart phone is accidentally left at home, a user can be locked out of all their accounts.
Another user experience issue arises when the user has to jump between multiple devices in order to authenticate themselves; this can be extremely tiresome when they need to do it repeatedly throughout the day.
Privacy issues with local authentication
Besides the security risks of storing private data within the hardware device’s internal systems, many local authentication systems also use centralized storage systems to store user login credentials, or “secrets”, so that they can verify a match at the time of authentication.
Centralized storage systems are frequently targeted in sophisticated cyber attacks — putting user accounts at higher risk of being compromised.
Examples of local authentication: FaceID and YubiKey
There are a number of different security systems that leverage local authentication. One of the most well known is Apple’s Face ID, which is used to access and make payments with compatible iOS devices and third party apps.
Another example is YubiKey, a portable USB stick that provides a second factor of authentication by giving users a one-time password (OTP) that they use along with their usual password, adding a layer of security when accessing their private keys and digital wallets.
Face ID: a user’s phone or tablet is the hardware device used for local authentication.
Apple’s FaceID utilises local authentication to provide a biometric MFA solution that combines a user’s biometrics with their registered — or “trusted” — device. Apple securely stores a user’s biometric data within the “Secure Enclave”. This encrypted part of the iOS chip is designed to securely store sensitive user data, including a user’s sensitive biometric templates.
Security Issues with Face ID
While Face ID offers a high degree of security, it’s actually possible for an attacker to bypass the Secure Enclave.
The more sophisticated the attack, the greater the likelihood they’ll break into a user’s accounts. The FBI famously worked out how to bypass Apple’s internal security systems, breaking into suspects’ phones and accounts — all without any cooperation from the suspects or Apple.
Since users often delay reporting lost and stolen devices in the hopes that they will be returned, cybercriminals may have the luxury to perform sophisticated attacks, similar to those launched by the FBI, in order to breach a user’s accounts.
Privacy issues with Face ID
This security flaw jeopardizes user privacy — as private information stored within the internal systems of an Apple device, or in the Secure Enclave, is vulnerable to malicious attacks performed by hackers.
If Apple didn’t store sensitive information locally on the device, then losing access to one’s device would not be a privacy or security threat.
Interoperability issues with Face ID
Another common issue with local authentication, and in particular with Face ID, is that these solutions are developed to only work with specific systems. For example, Face ID is only compatible with iOS devices, which means that it excludes those who do not have an Apple device, and cannot be used at large scale for organizations and governments that rely on other software systems.
YubiKey: a USB key is the hardware device used for local authentication.
YubiKey is another example of local authentication. YubiKeys are USB sticks that act like physical keys that users plug into their computer when they want to log in to their accounts. They then present a one-time password that can be used with a normal password to unlock access to the user’s accounts.
Security Issues with YubiKey
As an external hardware device, YubiKeys are at risk of being lost, stolen or misplaced. One of the biggest risks with YubiKeys is that they can easily fall into the wrong hands without the original owner realizing for an extended period of time.
To make things more complicated, YubiKeys do not need to be registered to a user’s trusted devices. Without this layer of protection, an intelligent attacker who came upon a user’s YubiKey could potentially use it to break into the owner’s accounts through another device.
Not requiring trusted devices also allows malicious attackers the opportunity to execute more sophisticated attacks. For example, a clever attacker could supply an unsuspecting user with a fake or tampered YubiKey. Once the victim registered their online services using the tampered device, the attacker could impersonate them and gain access to their accounts from an unregistered device.
This means that a user must completely trust the person or business they purchase the YubiKey from, as well as any other centralized systems that they may share their YubiKey password with — like centralized cryptocurrency exchanges.
User Experience Issues with YubiKey
YubiKeys are disruptive to the user experience as they require the user to plug in a secondary USB device to unlock their accounts. While the user may not mind doing this to unlock access to certain accounts, using a YubiKey to access every single account would be too disruptive to the daily user experience.
The YubiKey’s size and portability mean it is also at greater risk of being lost. Misplacing a YubiKey can cause frustrating disruptions to the user experience, especially when a user may have just left the device at home.
For the enterprise, the YubiKey is an expensive MFA solution; not only must YubiKeys be purchased upfront and distributed to all users or employees, these small devices must also be continually replaced, placing unnecessary financial burden on either the user or the organization.
Today’s standard of authentication: FIDO (Fast Identity Online)
Fast Identity Online (FIDO) is a best-practices protocol for local authentication, in particular for biometric authentication.
With FIDO a user’s “secrets” are stored on registered devices. To unlock access to their accounts, a user must present a biometric sample that matches those stored within the device — if it’s a match, the user will gain access to their accounts and personal information.
FIDO’s framework reduces instances of phishing and man-in-the-middle attacks; however, it cannot guarantee that breaches won’t occur. Since a user’s “secrets” or private information are always stored on a hardware device with local authentication, they are always at risk of being compromised.
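The phishing resistance described above comes from the device signing a fresh server challenge together with the origin the browser is on, so an assertion made on a look-alike site or replayed later is rejected. The following is an added example, not code from Keyless or the FIDO specifications; it is a simplified model rather than the WebAuthn wire format, and `RP_ORIGIN`, `createAuthenticator`, `createServer` and the look-alike origin are hypothetical names and constructed values.

```javascript
const crypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');
const RP_ORIGIN = 'https://bank.example'; // assumed relying-party origin

// Device side: the private key is the locally stored "secret" and never leaves.
function createAuthenticator() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only thing the server stores at registration
    // biometricMatched stands in for the on-device match; no biometric is sent.
    sign(challenge, origin, biometricMatched) {
      if (!biometricMatched) throw new Error('local user verification failed');
      const clientData = JSON.stringify({ challenge, origin });
      const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
      return { clientData, signature };
    },
  };
}

// Server side: single-use challenges, origin check, signature check.
function createServer(publicKey) {
  const pending = new Set();
  return {
    newChallenge() {
      const c = crypto.randomBytes(32).toString('base64url');
      pending.add(c);
      return c;
    },
    verify({ clientData, signature }) {
      const { challenge, origin } = JSON.parse(clientData);
      if (origin !== RP_ORIGIN) return 'rejected: wrong origin';
      if (!pending.delete(challenge)) return 'rejected: unknown or reused challenge';
      const ok = crypto.verify('sha256', Buffer.from(clientData), publicKey, signature);
      return ok ? 'accepted' : 'rejected: bad signature';
    },
  };
}

function demo() {
  const device = createAuthenticator();
  const server = createServer(device.publicKey);
  const good = device.sign(server.newChallenge(), RP_ORIGIN, true);
  const results = [server.verify(good), server.verify(good)]; // 2nd is a replay
  // Constructed case: the browser was on a look-alike origin when signing.
  const phished = device.sign(server.newChallenge(), 'https://bank.example.login.test', true);
  results.push(server.verify(phished));
  return results;
}
console.log(demo());
```

The server holds only a public key, so a breach of its database yields nothing an attacker can sign with; the residual risk the article describes sits with the private key on the device.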
Is there an alternative?
By leveraging a distributed network — rather than hardware devices or centralized storage systems — to store a user’s private authentication data, Keyless makes it much easier to guarantee privacy and security than local authentication solutions.
In the next part of this series we explain in further detail how Keyless’ platform greatly improves security, privacy and usability standards in authentication — in particular with safeguarding sensitive biometric data — which should be protected with much more robust security technology than what local authentication solutions can offer today.