Security, as the saying goes, is not convenient. Security is meant to make it as hard as possible for the bad guys to gain access to things they shouldn’t. But as a result it makes end users’ lives difficult, especially with the advent of multi-factor methods of authentication. Sometimes this can leave your users frustrated at having to use several different forms of authentication, or having to enter their passwords multiple times for each application. Walking away to, for instance, refill their coffee, only to come back to a locked screen and go through the whole process all over again, can make users feel like they are wasting time and losing productivity. In fact, they are.
There has to be a better way… Enter passwordless authentication!
Passwords were a great idea, but they are inherently insecure.
Users tend to cheat when creating passwords. They will write them down on sticky notes, they will use easy-to-guess passwords, and when forced to use long, complex passwords they will resort to saving those passwords in their browsers or in password vaults that can be compromised. It’s not that any of our users want to invite attack. In fact, people generally want to do the right thing. In most cases, they just think their deviation won’t matter in the bigger scheme of things. So, you can invite or even require them to use a password manager or follow other security protocols, but the reality is that someone will still get busy and deviate from the policy somewhere – inadvertently putting your systems at risk of unauthorized access. You are left with a decision to make at this point – should you keep shouting password policies from the rooftops and get frustrated, or just work around this reality? That’s up to you, but there are some options here.
What if we did away with passwords altogether, replacing them with something you have, something you are, and something you know? Some innovative companies out there have been busy developing passwordless products in recent years for the next generation of security. These take the form of devices and methods that tie a user to their applications by using such things as biometrics, FIDO security keys, and smart device authenticators. Microsoft has developed a passwordless product for Azure that uses a special build of Windows 10 which employs Windows Hello for Business. That, however, presupposes that you will use the same workstation every day. It is tied to you by both biometrics and an MFA option of either Windows Authenticator (a smart device app) or FIDO2 USB security keys that you insert into the workstation to gain access.
But, what if you don’t use a physical workstation? And what about other applications?
SSO with SAML-based Authentication
Some of these vendors use other methods to achieve passwordless authentication for applications and resources, such as SSO with SAML-based authentication to a secure backend authentication platform. Other FIDO2 platforms use FIDO2 encrypted smart cards, FIDO2-enabled tablets and smartphones, and even ‘gestures’ (face and hand movements pre-programmed into a camera-enabled device). This can be applied in many use-case scenarios, such as retail, where cashiers change often and need secure, quick logons, and healthcare, where security of PHI is required by HIPAA regulations.
Duo is a proponent of an emerging W3C standard, WebAuthn, which is being developed for web-based applications and is mostly geared towards SaaS providers and web-enabled authentication. All of these vendors are moving towards a “Zero Trust” methodology for securing the environment. With identity as the new perimeter, enterprises need to secure the workforce: the users and the devices accessing applications are assumed to be untrusted, regardless of whether they are internal or external to the corporate network. Therefore, users need to be securely authenticated using technologies deemed to be inherently secure.
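To make the WebAuthn flow mentioned above concrete, here is an added example (not code from the original post, nor from Duo, Microsoft or the W3C) showing the relying-party side of an authentication ceremony: the server issues a random challenge, the authenticator signs the challenge together with the page origin and the relying-party ID, and the server checks all of those before accepting the login. The authenticator, the relying party ID (example.com), the origins and the look-alike origin are all constructed for this illustration; `fakeAuthenticator` stands in for a real FIDO2 device so the whole thing runs offline.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the JSON the browser produces for the authenticator and returns to the server.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, unpadded
	Origin    string `json:"origin"`
}

// Assertion is what the relying party receives after navigator.credentials.get().
type Assertion struct {
	ClientDataJSON    []byte
	AuthenticatorData []byte // rpIdHash (32) || flags (1) || signCount (4) || ...
	Signature         []byte // ASN.1 ECDSA over authenticatorData || SHA-256(clientDataJSON)
}

const flagUserPresent = 0x01

// NewChallenge returns the random, single-use challenge the server stores in the login session.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// VerifyAssertion applies the relying-party checks: ceremony type, origin, challenge,
// rpIdHash, user presence, signature counter and finally the ECDSA signature.
// It returns the new counter to store for the credential on success.
func VerifyAssertion(a Assertion, pub *ecdsa.PublicKey, expectedChallenge []byte, rpID, origin string, storedCounter uint32) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, fmt.Errorf("clientDataJSON: %w", err)
	}
	if cd.Type != "webauthn.get" {
		return 0, errors.New("wrong ceremony type")
	}
	if cd.Origin != origin { // the browser bound the real page origin here; this is the anti-phishing check
		return 0, errors.New("origin mismatch")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, expectedChallenge) { // defeats replay of an old assertion
		return 0, errors.New("challenge mismatch")
	}
	if len(a.AuthenticatorData) < 37 {
		return 0, errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return 0, errors.New("rpIdHash mismatch")
	}
	if a.AuthenticatorData[32]&flagUserPresent == 0 {
		return 0, errors.New("user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if (counter != 0 || storedCounter != 0) && counter <= storedCounter {
		return 0, errors.New("signature counter did not increase (possible cloned authenticator)")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	signed := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, signed[:], a.Signature) {
		return 0, errors.New("bad signature")
	}
	return counter, nil
}

// fakeAuthenticator stands in for a FIDO2 device (constructed for this example): it holds the
// credential private key and a monotonically increasing signature counter.
type fakeAuthenticator struct {
	key     *ecdsa.PrivateKey
	counter uint32
}

func (f *fakeAuthenticator) sign(challenge []byte, rpID, origin string) (Assertion, error) {
	cdJSON, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	f.counter++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := make([]byte, 37)
	copy(authData, rpHash[:])
	authData[32] = flagUserPresent // user touched the key
	binary.BigEndian.PutUint32(authData[33:], f.counter)
	cdHash := sha256.Sum256(cdJSON)
	signed := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, f.key, signed[:])
	return Assertion{cdJSON, authData, sig}, err
}

// Scenario runs a genuine login, a replay of that assertion, and an assertion produced on a
// look-alike origin, and reports the verification error of each (nil means accepted).
func Scenario() (good, replay, phish error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	auth := &fakeAuthenticator{key: key}
	const rpID, origin = "example.com", "https://example.com"
	var stored uint32 // signCount saved at registration

	ch, _ := NewChallenge()
	a, _ := auth.sign(ch, rpID, origin)
	newCount, good := VerifyAssertion(a, &key.PublicKey, ch, rpID, origin, stored)
	if good == nil {
		stored = newCount
	}
	ch2, _ := NewChallenge() // a fresh session challenge; the captured assertion no longer matches
	_, replay = VerifyAssertion(a, &key.PublicKey, ch2, rpID, origin, stored)
	ch3, _ := NewChallenge() // constructed look-alike origin is baked into clientDataJSON and rejected
	p, _ := auth.sign(ch3, rpID, "https://example.com.evil.test")
	_, phish = VerifyAssertion(p, &key.PublicKey, ch3, rpID, origin, stored)
	return good, replay, phish
}

func main() {
	good, replay, phish := Scenario()
	fmt.Println("genuine login:", good)
	fmt.Println("replayed assertion:", replay)
	fmt.Println("look-alike origin:", phish)
}
```

The point a practitioner should take from this is that nothing secret is typed by the user and nothing reusable leaves the authenticator: the challenge is single-use, the origin is supplied by the browser rather than the page, and the signature counter lets the server notice a cloned key, which is what lets WebAuthn stand in for a password without inheriting its phishing and replay problems.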
While it’s still a fairly young, emerging standard, passwordless authentication is a key building block for enabling zero-trust security for the workforce. There are, today, some deployments of various aspects of it (Microsoft Azure AD), but full deployments of Zero Trust passwordless authentication are still a work in progress. Regardless, this one is worth approaching with an early adopter’s mentality. Most people are not winning the password game anyway, and the technology is sound.
In conclusion, although passwordless authentication is relatively early in its development and implementation cycle, it has the backing of some of the powerhouses of the tech sector, as well as the National Cyber Security Center. In concert with the Zero Trust security model, we can make platforms and applications more secure and less cumbersome for the end user, and thereby eliminate a large security problem and productivity waster.