Stuck with Passwords:
The Challenges of Migrating to Better Authentication
Nowadays, it’s a well-accepted fact that passwords are a very problematic method of user authentication: they have both poor usability and a low level of security. The fact is that not only are passwords vulnerable on the user side, they are even more vulnerable on the server side. The past few years have seen countless server breaches that leaked millions of passwords.
And yet, passwords are still the most common method of authentication today – for both low- and high-security applications.
But why is that?
Consider, for example, an organization that wishes to replace password authentication with a PIN code on its mobile application. Changing the authentication server will affect not only the mobile app, but also every other service that uses that server, such as the organization’s website.
To go password-free on mobile, today’s organizations need to be able to replace the user authentication on the mobile app without making backend changes to the application server.
Secure Password-Free User Authentication on Mobile Devices
Unbound Crypto-of-Things (CoT) is a tech enabler, allowing your existing applications to support password-free authentication on the user side while still working within the framework of a password-based backend infrastructure. The CoT method greatly reduces costs and accelerates time to market.
Based on Unbound vHSM technology, CoT hides the password from the end-user while still using it to authenticate to the app server behind the scenes. The user’s password exists as two separate, random shares: one share stored on the user’s mobile device and the other on a CoT server. The shares are completely isolated from each other and are never combined at any time. The password never appears in clear text, even while in use. Moreover, the password is never cached (which would make it vulnerable to theft).
To log in, the user first authenticates using whatever method is desired, such as native biometrics (like Touch ID), face recognition, a PIN, a swipe pattern and so on. If the authentication is accepted by the CoT server, the mobile device and the CoT server then run a distributed MPC process to authenticate to the existing authentication server using the password.
- Solution implemented directly in the mobile app with no changes to the backend
- Excellent user experience without compromising security
- Short time to market
- Support for your choice of authentication: biometrics, PIN, swipe and more
An Example Implementation:
A bank would like to improve the login process for its mobile app users, who want to log into the app without entering a password every time.
By integrating the Unbound Crypto-of-Things SDK into the mobile app, the bank can quickly move to a secure and password-less experience. No need to touch the backend servers of the application and no need to develop different versions of the app for different models of devices.
- User accesses the mobile banking app and authenticates using native device biometrics (e.g. Touch ID)
- The app uses the Unbound CoT SDK to decrypt the strong password using one key part from the device and one key part from the CoT server. The password is decrypted on the mobile device.
- The application automatically sends the strong password to the application server – without requiring the end-user to type it.
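The two-share scheme described earlier and the bank login steps above can be illustrated with a small model, written as an added example that is not Unbound’s SDK or product code. It splits a password into two uniformly random XOR shares (one for the device, one for the server), refreshes both shares without ever reconstructing the password, and then runs a login against a stand-in legacy backend that verifies a salted password hash. Unlike the real design, this model reconstructs the password transiently on the device before sending it, following the bank example’s third step; the MPC protocol that avoids combining the shares is not modelled. The function names, the `local_auth_ok` flag standing in for the biometric check, and the PBKDF2-based backend are all assumptions of this example.

```python
import hashlib
import hmac
import secrets


def _xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_password(password: str) -> tuple[bytes, bytes]:
    """2-of-2 XOR secret sharing: returns (device_share, server_share).

    The device share is fresh uniform randomness, so on its own it carries
    no information about the password; the server share is the password
    masked by it, so it is likewise uniformly distributed on its own.
    """
    secret = password.encode("utf-8")
    device_share = secrets.token_bytes(len(secret))
    server_share = _xor(secret, device_share)
    return device_share, server_share


def combine_shares(device_share: bytes, server_share: bytes) -> bytes:
    """Reconstruct the password bytes (only used transiently in login_flow)."""
    return _xor(device_share, server_share)


def refresh_shares(device_share: bytes, server_share: bytes) -> tuple[bytes, bytes]:
    """Proactive refresh: both shares are re-randomized with the same mask,
    so a share copied earlier is useless afterwards. The password is never
    reconstructed during the refresh."""
    mask = secrets.token_bytes(len(device_share))
    return _xor(device_share, mask), _xor(server_share, mask)


# --- Unchanged legacy backend: salted password hash (constructed stand-in) ---

PBKDF2_ROUNDS = 100_000  # assumption for this example


def enroll_legacy(username: str, password: str) -> dict:
    """Creates the backend record exactly as a password-based server would."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"user": username, "salt": salt, "hash": digest}


def legacy_verify(record: dict, password: str) -> bool:
    """The backend's unchanged check: it still receives a plain password."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["hash"])


# --- Device-side login flow modelled on the bank example ---

def login_flow(record: dict, device_share: bytes, server_share: bytes,
               local_auth_ok: bool) -> bool:
    """local_auth_ok stands in for the device's biometric/PIN check.

    In the real design the CoT server would release its contribution only
    after that check succeeds; here the server share is simply an argument
    (assumption). The reconstructed password lives only inside this call
    and is never stored or cached by the app.
    """
    if not local_auth_ok:
        return False
    password = combine_shares(device_share, server_share).decode("utf-8")
    result = legacy_verify(record, password)  # "sent" to the unchanged backend
    del password  # drop the reference; no caching of the reconstructed value
    return result


if __name__ == "__main__":
    # Constructed sample enrollment and login.
    record = enroll_legacy("alice", "correct horse battery staple")
    dev, srv = split_password("correct horse battery staple")
    dev, srv = refresh_shares(dev, srv)
    print("login with biometrics accepted:", login_flow(record, dev, srv, True))
    print("login with biometrics rejected:", login_flow(record, dev, srv, False))
```

Two splits of the same password yield unrelated device shares, which is what lets the device share be stored on the handset without becoming a password equivalent; the backend record and `legacy_verify` are the same as before the migration, which is the point of the approach.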