In the last three years, the world saw numerous data breaches resulting in millions of compromised accounts: Equifax, Yahoo, MyFitnessPal. Traditional passwords aren’t safe enough and their use isn’t that comfortable for users.
Understanding the lack of security behind traditional passwords, people started to look for an alternative solution. One of these solutions is an innovative approach to the authentication process – zero login.
But what are zero login techniques, how are they used these days, and what are their main pros and cons versus traditional methods of authorization?
What is zero login authentication?
Zero login is a common term for innovative authentication techniques allowing for a fast, easy, and highly secure method of user identification. This term refers to the idea of our devices and applications being smart enough to ‘recognize’ a particular user without requiring any passwords or codes.
Traditional passwords are most commonly used as part of the so-called knowledge-based authentication process. The main idea behind this process is that a particular user possesses very particular knowledge. It may be a password, a Social Security number, or your mother’s maiden name. Unfortunately, knowledge-based authentication methods aren’t safe enough.
The more popular and safer authentication approach used these days is multi-factor authentication (MFA), which relies on two out of three factors: knowledge of some secret information (password), possession of a unique feature (a device), or a user’s biometrics (fingerprints). MFA is widely deployed across different areas: from large enterprises to small businesses, from regular websites to the newest smart devices.
Biometric authentication is one of the most commonly used MFA factors. Some smartphones and tablets, for instance, allow authentication via biometrics by using fingerprints to identify the device owner. Enterprise security systems can use a combination of several biometric identifiers such as fingerprints, retina scans, or voice recognition to identify employees and grant privileged access to critical data.
Unlike traditional passwords and MFA, zero login technologies pay attention not only to who you are but also to what you are trying to do. These technologies build a complex user profile based on two categories of authentication data:
- Biometrics – This category includes factors that determine who you are on a biological level: fingerprints, facial recognition, voice recognition, heartbeat recognition, retina scans, and so on.
- Behavior patterns – This category includes factors that identify you based on your actions, such as your walk, typing speed, usual hours for accessing particular accounts and devices, geographical location, and so on.
A device that uses zero login technologies collects enough data to be able to ‘recognize’ the normal, ordinary behavior of a particular user and effectively distinguish it from what may look like an attacker’s behavior.
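As an added illustration (not code from any product mentioned in this article), here is how two of the behavior patterns listed above, usual access hours and geographical location, can be compared against a user's history. The login history, the thresholds, and the allow/step_up/deny outcomes are constructed assumptions.

```python
import math

# Constructed login history for one user: (hour of day, latitude, longitude).
HISTORY = [(8, 50.45, 30.52), (9, 50.45, 30.52), (9, 50.46, 30.51),
           (10, 50.45, 30.53), (23, 50.45, 30.52), (8, 50.44, 30.52)]

def circular_hour_gap(a, b):
    """Distance between two hours on a 24h clock (23 and 1 are 2h apart)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def assess_login(history, hour, lat, lon, max_hour_gap=2, max_km=50.0):
    """Compare a login with the nearest observation in the user's history.

    Thresholds are assumed values; a real deployment would tune them.
    """
    hour_gap = min(circular_hour_gap(hour, h) for h, _, _ in history)
    km = min(haversine_km(lat, lon, la, lo) for _, la, lo in history)
    reasons = []
    if hour_gap > max_hour_gap:
        reasons.append("unusual_hour")
    if km > max_km:
        reasons.append("unusual_location")
    # One anomaly asks for an extra factor; two anomalies reject the attempt.
    decision = "allow" if not reasons else "step_up" if len(reasons) == 1 else "deny"
    return decision, reasons

if __name__ == "__main__":
    print(assess_login(HISTORY, 0, 50.45, 30.52))    # midnight, usual place
    print(assess_login(HISTORY, 3, 40.71, -74.01))   # 3 a.m., another continent
```

The hour comparison is circular, so a login at midnight counts as close to the user's recorded 23:00 sessions rather than 23 hours away from them.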
Zero login technologies in use
When talking about biometric versus password security, the former looks quite promising. And even though the zero login approach to authentication is quite new, there are several companies that are already moving towards either eradicating passwords completely or at least changing their role in user authentication.
For instance, a startup called TypingDNA offers what they call Keystroke dynamics as a service. They claim to be able to confirm the identity of a user by analyzing their typing speed. TypingDNA developers created an authenticator Chrome extension that analyzes two main factors: how fast you type and how hard you press the keys on your keyboard or device screen. The basic principle remains the same: in order to verify your identity, a secure login with a username and password for a particular account is required. But next, instead of asking you to enter a security code sent to your phone or perform any other action usually required for verifying your identity in MFA, TypingDNA determines whether you are a legitimate user by analyzing your typing manner.
This new authentication method acts as an alternative to the traditional two-factor authentication where you need to first enter a password and then prove the fact of possessing a particular device remembered by the system. With technologies similar to the one invented by TypingDNA, you are no longer dependent on particular devices for verifying your identity – your unique behavior patterns will do the job.
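To make the idea of verifying a user by typing rhythm concrete, here is an added example that is not TypingDNA's algorithm or code: a minimal timing-only verifier that enrolls a template from several samples of one phrase and scores a new attempt with a scaled Manhattan distance. Key pressure is not modelled, and the timings, the phrase and the threshold are constructed assumptions.

```python
from statistics import mean

def typed(dwells, flights, keys="pass"):
    """Build (key, press_ms, release_ms) events from constructed timings."""
    events, t = [], 0
    for i, (key, dwell) in enumerate(zip(keys, dwells)):
        events.append((key, t, t + dwell))
        t += dwell + (flights[i] if i < len(flights) else 0)
    return events

def features(events):
    """Dwell time of each key, then flight time between consecutive keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Template: per-feature mean and mean absolute deviation (MAD)."""
    template = []
    for column in zip(*(features(s) for s in samples)):
        m = mean(column)
        mad = mean(abs(x - m) for x in column)
        template.append((m, max(mad, 1.0)))  # floor the MAD: no divide-by-zero
    return template

def score(template, events):
    """Scaled Manhattan distance averaged over features; lower is closer."""
    vec = features(events)
    if len(vec) != len(template):
        raise ValueError("sample does not match the enrolled phrase")
    return mean(abs(x - m) / mad for x, (m, mad) in zip(vec, template))

def verify(template, events, threshold=3.0):
    """Accept when the attempt stays within `threshold` deviations on average."""
    return score(template, events) <= threshold

# Constructed data: three enrollment samples of the same four-key phrase.
ENROLLMENT = [typed([95, 110, 100, 105], [60, 45, 70]),
              typed([100, 105, 95, 110], [65, 50, 75]),
              typed([90, 115, 105, 100], [55, 40, 65])]
TEMPLATE = enroll(ENROLLMENT)
GENUINE = typed([97, 108, 102, 103], [62, 47, 68])     # owner's usual rhythm
IMPOSTOR = typed([140, 70, 150, 60], [120, 10, 130])   # same keys, other rhythm

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(TEMPLATE, attempt), 2), verify(TEMPLATE, attempt))
```

The impostor types exactly the same keys, so a password check alone would pass; only the timing profile separates the two attempts.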
Another innovative solution meant to make the authorization process easier and more secure is the new technology standard announced by the FIDO Alliance and W3C in April 2018. Their new solution will use two types of authenticators for logging into online accounts:
- Internal authentication tools built into PCs, laptops, and mobile devices. This category mostly relies on biometrics such as fingerprints or facial recognition.
- External authenticators such as mobile devices or security keys. These authenticators will be used for a device-to-device authentication.
With these additional authenticators, FIDO and W3C hope to create a phishing-resistant authentication solution that will allow users to log into their accounts across different browsers, websites, and devices in a faster and safer manner.
The pros of zero logins
So what are the main advantages of biometrics over passwords? Does the zero login approach have any drawbacks? Let’s look closer at some characteristics.
The main goal of zero login technologies is to ensure a higher level of authorization security by using biometric identification factors that are harder to compromise or steal. Much like MFA, the zero login approach to user identity verification uses a set of authentication methods and techniques. Of course, hackers can fool some of these technologies by stealing the scans of your fingerprints or recording your voice. Fooling several biometric and behavior-based authentication technologies, however, is a challenging task.
Easy for users
Zero login technologies are meant to make it much easier for users to log into any account. Unique personal biometrics and certain behavior patterns act as an alternative to complex passwords that are difficult to remember. Plus, certain authentication methods may eliminate the need to verify a user’s identity when logging in from a new device.
The cons of zero logins
At the same time, the zero login approach has several significant issues and concerns to consider:
One of the main concerns regarding this new technology is the thin line between collecting one’s data to ensure the safety of their personal accounts and violating that person’s privacy. For instance, geolocation is widely used to distinguish normal authorization sessions from abnormal ones. However, there are people who feel very uncomfortable knowing their location is constantly tracked by someone.
Personal data protection
In order to be able to build that complex profile of a particular user, zero login technologies would need to collect tons of sensitive personal information. All that information needs to be stored and processed in a safe manner so that attackers won’t be able to get access to it. There is an opinion that it’s much safer to store personal biometric information such as fingerprints locally on a user’s device. Storing this kind of data in the cloud increases the risk of a data breach.
Lack of standardization
The development of new rules and standards can help partially solve the first two issues. Each step of the process must be well thought through and strictly regulated. But since the zero login approach is quite new, there are no common rules developed specifically for this technology.
As you can see, zero login technologies are not a silver bullet to the authentication problem and there are still a lot of challenging tasks to accomplish. However, the combination of biometrics and behavioral analysis does offer an exciting way of improving personal security in the digital era.
At the same time, let’s not forget that many modern MFA solutions already use biometrics as one of the identification features. Plus, you can always look for an efficient identity and access management solution to make sure you have zero identity management issues to worry about and get full visibility on who accesses what in your company.
Zero login technologies offer an innovative approach to identifying users of devices, applications, websites, or local networks with the help of two main factors: biometric data and behavior patterns. The use of biometrics versus passwords has a lot of potential: the authentication features used in zero login are much harder to steal or compromise than traditional passwords and security codes. However, there are a lot of concerns regarding the safety and protection of the personal data required by this approach. Therefore, quality MFA tools appear to be a much safer alternative to zero login technologies so far.