‘Authenticators’ and ‘Deployment of Authenticators’
There are not a few security professionals who wrongly mix up the layer of ‘authenticators’ with that of ‘deployment of authenticators’, talking as though the former and the latter were competing with each other, for example, ‘Multi-Factor Authentication is better than a password’ and ‘ID federation is better than a password’.
The password is an ‘authenticator’. So are the token and biometrics. Whereas MFA and ID federation, such as FIDO and Open ID, are ‘deployment of the authenticators’.
Expanded Password System is to be found on the layer of ‘authenticator’, while the likes of Open ID and FIDO are all to be found on the upper layer of ‘deployment of authenticators’ and, as such, the likes of Open ID and FIDO could naturally be our downstream partners.
There are also some people who wrongly allege that removing an authenticator should increase security. They are plainly misguided as examined here – “Removal of Passwords and Its Security Effect”
What does not exist will never be stolen
Removing what can be stolen from the picture can indeed ensure that what can be stolen will never be stolen and abused.
Removing the password from digital identity can obviously ensure that the password will never be stolen and abused. Then, by exactly the same logic, removing the cryptography-enabled physical token can also ensure that the cryptography-enabled physical token will never be stolen and abused.
This cartoon, produced 15 years ago, will hopefully help to unravel this seemingly complicated but actually simple problem.
I am very curious to know what the promoters of 'token-based password-less authentication' have to say.
What you ignore does not exist
Ignore it and it does not exist.
Two factors used together in a security-lowering ‘multi-entrance’ deployment and the two factors used together in a security-enhancing ‘multi-layer’ deployment have exactly the opposite security effects?
Ignore it and it does not exist. You will have the security-enhancing biometrics used with a default/fallback password in a security-lowering ‘multi-entrance’ deployment.
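To make the ‘opposite security effects’ concrete, here is an added example (not part of the original post) that computes an attacker's overall success probability under both deployment models from constructed per-factor compromise probabilities; the function and constant names are my own assumptions.

```python
# Added example, not from the original post. The two ways of combining
# two authenticators that the text contrasts:
#   'multi-entrance': EITHER factor alone grants access (e.g. biometrics
#                     with a default/fallback password)
#   'multi-layer':    BOTH factors must be defeated
# Per-factor compromise probabilities below are constructed, illustrative
# values, not measurements.

def multi_layer(p_factors):
    """Attacker must defeat every factor: success probabilities multiply."""
    result = 1.0
    for p in p_factors:
        result *= p
    return result


def multi_entrance(p_factors):
    """Attacker may defeat any one factor: P(at least one factor falls)."""
    none_fall = 1.0
    for p in p_factors:
        none_fall *= (1.0 - p)
    return 1.0 - none_fall


def compare(p_factors):
    """Put both deployments beside the single factors they are built from."""
    layer = multi_layer(p_factors)
    entrance = multi_entrance(p_factors)
    return {
        "strongest_alone": min(p_factors),   # lowest compromise probability
        "weakest_alone": max(p_factors),     # highest compromise probability
        "multi_layer": layer,
        "multi_entrance": entrance,
        # multi-layer is stronger than even the strongest single factor
        "layer_beats_strongest": layer < min(p_factors),
        # multi-entrance is weaker than even the weakest single factor
        "entrance_worse_than_weakest": entrance > max(p_factors),
    }


# Constructed illustrative values (assumptions, not measurements).
P_BIOMETRIC = 0.01   # chance an attacker passes the biometric check
P_PASSWORD = 0.05    # chance an attacker guesses or steals the password

if __name__ == "__main__":
    for name, value in compare([P_BIOMETRIC, P_PASSWORD]).items():
        print(f"{name}: {value}")
```

With these values the multi-layer deployment leaves the attacker 0.0005, while the biometrics-plus-fallback-password multi-entrance deployment leaves the attacker 0.0595, worse than the password on its own.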
Being insufficient is different from being harmful?
Ignore it and it does not exist. You will see a password-removed authentication that is more secure than a password authentication. By the same logic, you will also see a token-removed authentication that is more secure than a token-based authentication.
PIN is no more than a weak form of a numbers-only password?
Ignore it and it does not exist. You will have a ‘PIN-based Password-less authentication’.