There’s no time like the present for passwordless authentication

In this blog I will argue that, although passwords help keep data and organisations secure, they have their limitations. That is where the ThinC-AUTH USB security key, with its biometric login, comes in.

Password-based login has existed for almost as long as computers. So have attempts to break passwords. With every iteration of a new password standard, the crackers, hackers and phishers have become more sophisticated. Even if you’re using a randomised pattern of numbers, symbols and letters (both upper and lower case, of course), a bot can crack it. Sure, every time you add a character you increase the cracking time, but still, I repeat, a bot can crack it. Or you can be keylogged. Or a password database can be leaked or stolen.

What we need is to get away from the whole idea of passwords.

That’s exactly what the ThinC-AUTH USB security key does. It gets away from passwords. In fact, it completely changes the nature of login.

The ThinC-AUTH is a security key you can carry with you that provides secure, password-free, biometric login. It is compatible with both Windows and Mac (and is a Microsoft-approved security key for passwordless login). You just pop it into a USB 2.0 port and use its fingerprint scanner to authenticate yourself. It’s quick, easy and reliable.

So how does it work?

In traditional password-based authentication you type a password into your device or web browser, and that password is sent off to a server to be verified. Software on the server checks it, and if it decides the password is OK it lets you in.

ThinC-AUTH does things very differently. To understand this you have to forget about passwords. The key itself stores biometric information captured by its onboard fingerprint reader. The biometric data is encrypted and securely stored on the key. I can’t emphasise this strongly enough – the biometric data never leaves the ThinC-AUTH. It is used to unlock a private key on the device, and that private key is then used for authentication. There’s no need to remember a password. The private key, which can only be unlocked by your fingerprint, does the job.

Should anyone acquire a ThinC-AUTH in the hope of accessing fingerprint data, they’ll find that it’s not possible to reverse engineer the encryption.

Using this approach means ThinC-AUTH is more secure than other types of token that rely on PIN data. People might get hold of the PIN, but they can’t get hold of your fingerprint. Well, they can, but doing so would require some drastic action that’s the stuff of spy thrillers rather than real life.

ThinC-AUTH supports strong cryptographic algorithms – AES, HMAC and ECDH. And it is compliant with FIDO2, a phishing-proof, passwordless authentication protocol developed as a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C) to create a strong authentication standard for the web.
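The login flow the last two paragraphs describe (the fingerprint unlocks a private key that never leaves the device, the server holds only the public key, and FIDO2 binds each login to the site the browser is really on) as an added example, not code from this post or from the ThinC-AUTH product. It is a simplified model of a FIDO2/WebAuthn assertion using Go’s standard library: the Authenticator type, the FingerprintOK gate, the origins and the Login function are assumptions for illustration, and the real protocol’s authenticator data and attestation are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
)

// clientData is what gets signed: the one-time challenge plus the origin the browser really connected to.
type clientData struct{ Type, Challenge, Origin string }

// Authenticator models the key: priv is generated on-device and never exported;
// FingerprintOK is a hypothetical stand-in for the on-key fingerprint match.
type Authenticator struct{ priv *ecdsa.PrivateKey; FingerprintOK bool }

func NewAuthenticator() *Authenticator {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}
}

// PublicKey is the only key material that ever leaves the device (sent once, at registration).
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }
func digest(b []byte) []byte                         { h := sha256.Sum256(b); return h[:] }

// Sign returns an assertion over SHA-256(clientDataJSON), or nil without user verification.
// (Real WebAuthn also prefixes authenticator data: RP ID hash, flags, counter; omitted here.)
func (a *Authenticator) Sign(cdj []byte) []byte {
	if !a.FingerprintOK {
		return nil
	}
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, digest(cdj))
	return sig
}

// Verify is the server side: it holds only the registered public key and its own origin, and
// accepts the assertion only if the signed client data carries this exact challenge and that origin.
func Verify(pub *ecdsa.PublicKey, rpOrigin, challenge string, cdj, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdj, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != rpOrigin {
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(cdj), sig)
}

// Login runs one ceremony; browserOrigin is the site the browser is actually on.
func Login(pub *ecdsa.PublicKey, rpOrigin string, auth *Authenticator, browserOrigin string) bool {
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh per login, so a captured assertion cannot be replayed
	challenge := hex.EncodeToString(nonce)
	cdj, _ := json.Marshal(clientData{"webauthn.get", challenge, browserOrigin})
	sig := auth.Sign(cdj)
	return sig != nil && Verify(pub, rpOrigin, challenge, cdj, sig)
}
```

A login attempted from a look-alike site fails even though the user has the genuine key and a matching fingerprint, because the browser writes the real origin into the signed data and the server compares it with its own.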

Enterprises should always look to implement the most secure remote sign-on systems that they can. It just makes good economic sense to protect all the valuable data they work with.

But now, more than ever, this is something organisations should be looking at seriously. The Covid-19 pandemic has meant many more people working from home than is the norm. As I write, there is every expectation that organisations which were forced to expand working from home beyond pre-pandemic levels, or to introduce it for the very first time, will consider whether it is a model that can work for them in the future.

There are certainly multiple benefits to a working-from-home strategy where that’s possible. These extend from financial savings on office space to the enhanced wellbeing of staff whose commuting time is reduced and who may well be more productive working from home.

If more working from home is to become one aspect of the much-talked-about ‘new normal’, then those crackers, hackers and phishers will already be looking forward to taking advantage of lax security. Why let them? Why not instead use a secure, passwordless authentication system? Why not use ThinC-AUTH?