By Tom Danner

Hey, when was the last time you forgot a password? Had to do a password reset? Received an unwelcome phishing message? Well, Passwordless Authentication might just have something for you. That’s not just the view of the team here at Equideum Health – recent news from tech powerhouses Apple, Google and Microsoft that they are actually collaborating to implement a Passwordless Authentication standard called FIDO makes it very likely that this important functionality will become mainstream sooner than later. In this blog, we discuss this technical innovation: what it is, how it works, and what’s in it for you (and for healthcare in general). So enjoy, and we’d love comments from you. 

What is it?

Passwordless Authentication is a set of new technologies that eliminates the need for users to have to remember and provide (on demand) a password for them to access an application.   Instead, advanced cryptography is used to prove the authenticity of a user.

What’s the advantage?

Compared to traditional password access to applications, Passwordless Authentication has a number of advantages for users and organizations alike.    

It’s more convenient for users as  they no longer have to remember multiple, complex passwords to gain application access. Additionally, password resets will become a thing of the past. Depending on the implementation of Passwordless Authentication, authentication can be performed in just a couple of mouse clicks. 

From an organizational perspective, a major “attack surface” is eliminated – no longer can the bad guys “phish” the user community for passwords (because they no longer exist). Likewise, bad guys can no longer exploit weak passwords. Unfortunately, legitimate users will sometimes share credentials. With Passwordless Authentication, users can no longer inappropriately share issued credentials. The organization’s critical systems and data remain secure.    

How does it work?

Passwordless Authentication is based on modern private-key cryptography and comprises two steps: Registration (performed one time) and Authentication (performed each time a user wants to access an application).  

In the registration step, a user’s device will calculate a cryptographic key pair, comprising a public, shareable key and a private key (which, as the name implies, must be kept secure).  We use the term “key pair” to indicate that the public and private keys are mathematically intertwined.

Typical Passwordless Authentication implementations will securely store private keys in some form of “hardened” hardware, sometimes referred to as a hardware security module (HSM). Vendors of HSMs include Gemalto, nCipher and Ultimaco. HSM facilities are also available as cloud services, from the likes of Microsoft and IBM. Also, various mobile device manufacturers also include such hardened hardware integral to their devices.

The public key is then shared with the organization’s Identity Provider (typically Microsoft Azure Active Directory, OKTA, or something similar), in a secured manner such that the public key can be trusted to belong to a specific user’s online account.

With this registration process, the organization can rely on the fact that a particular public key is in fact owned by a specific user. You can read more on key pairs here.

Authentication – Passwordless Authentication in practice

When a user decides to authenticate with the organization, they initiate an authentication process by sending a Request Message to the Identity Provider, containing the user’s “alleged” identity (we say alleged here, since from the perspective of the Identity Provider, we do not yet know whether the user is in fact who they claim to be or an imposter). Upon receipt of the request, the Identity Provider will calculate a random challenge, and share that with the user’s device.   

Typically, the device will interact with the human user, asking them to approve the authentication request by using some biometric method (facial recognition, thumbprint, etc) or entering some pin number known by the user (albeit less secure and not considered a current best practice).

If approved by the user, the device will then retrieve the private key from secure storage, and use it to sign the random challenge received from the Identity Provider. The signed message is then returned to the Identity Provider. Upon receiving the message, the Identity Provider retrieves the public key associated with the “alleged” user, and determines whether the signature is in fact valid.    

If the signature is valid, then the Identity Provider has cryptographic assurance that the user is in fact who he claimed to be. Conversely, invalid signatures indicate that some malicious user is attempting to fraudulently masquerade as some other user, and is thus rejected. 

What this could mean for healthcare – and you

Imagine having your very own digital identity managed by your digital wallet and secured by Passwordless Authentication. This same identity can be used to interact with all of your health providers, and only as you see fit. Privacy First, by design – protecting you against the increasing number of cyberattacks directed at centralized EHR systems. This secure patient-centric architecture provides your care team with the information they need, when they need it, to take care of you. That’s the power of Equideum Health. 

To learn more about how Equideum Health is incorporating Passwordless Authentication into its offerings, please contact us.