What is passwordless authentication in 2020, where biometrics are quickly becoming a mainstream technology and AIML (artificial intelligence / machine learning) approaches are on the horizon? In this article we explore the passwordless authentication fully from a generic perspective (not specific to an enterprise or consumer use case), and provide a view of where the market stands today and what it will take to be successful in the future.
First let’s be clear about what it is… passwordless authentication is the process of gaining access to a digital or logical resource when not providing a password or a user's secret to verify a user’s identity. Authentication is established via a factor, and several things can constitute that, for example a password (something you know) or something you have. Within the passwordless moniker there are many industry terms that are thrown around including biometrics, behavioral biometrics (or behavioral identity), the resultant “continuous identity” and others. In addition, in some cases the 2nd factor of a password-based approach can be sufficient for a single factor (and thus passwordless) authentication such as a link in an email (magic link), a hardware token or a one-time password (OTP) hardware or software token.
What’s the Problem with Passwords?
Passwords have been around for a long time. In fact, they came on the scene back when we were trying to get to the moon. When you think about progress in most areas of society since then, it’s remarkable that they’re still the mainstay of our computing resource access.
- Passwords don’t work. But that’s not the main reason to change them. They simply do not work. According to Verizon, 80% of hacking-related breaches in 2019 were a result of misused credentials. On the other hand, “123456” and “123456789” continue their reign on the most-used passwords list. These eye-opening trends clearly indicate: Passwords are a gold-mine for bad actors.
- Humans are still the weakest link. But why are passwords the root cause of breaches? It’s because they provide an easy-to-bypass, vulnerable attack surface. Take the example of password spraying, which is a type of cyber attack that tries to unlock hundreds and thousands of accounts (usernames) through commonly used passwords. By simply applying “123456” as a password to lists of usernames, an attacker can have access to more than 20 million people worldwide.
What makes the situation worse is that according to research by NordPass, an average person has 70-80 passwords (some estimates go as high as 140/150). In an increasingly digital world, it’s not a surprise to see 65% reuse passwords for multiple accounts (according to a 2019 survey by Google). More recent research by the FIDO Alliance suggests consumers have essentially 5 passwords for nearly 100 user accounts, suggesting a lot of reuse. To prevent the cognitive burden and frustration of remembering complex passwords for separate accounts, most people are using weak passwords over multiple accounts. Humans remain the weakest link.
- Maintenance costs and lost productivity is high. For enterprises, passwords provide another headache: Research by Forrester shows that several large organizations allocate almost $1 million to passwords-related support costs such as staffing and infrastructure. In fact, it is estimated that each password reset costs a staggering $70, as 20-30% of help desk calls are for password resets. We’ve actually seen customers tell us that number can be as high as 40-50%.
The problem with passwords is crystal clear. Luckily, passwordless authentication options are increasingly available for both consumers and corporate enterprises.
How Does Passwordless Authentication Work Today?
There are multiple ways to prove user verification without a password. Users can utilize a “possession factor” or a one-time password generator, a registered mobile device, or a hardware token to name a few options. Another tool for authentication is a user's “inherent factor” or biometrics (fingerprint, face, retina, etc.). These methods show another avenue of reliable and secure authentication over the unsecure approach of a password, passphrase, or PIN alone, and they have increasingly been added to hardware such as consumer and end user PCs. That said, many of these hardware bound biometrics still require a password to be present under the covers and do not provide a path to a full passwordless elimination for the device in question.
Lastly, there is also a move to more “passive” or implicit forms of inherent authentication, which means there is less proactive effort on the part of the user.
In terms of how passwordless auth works today, there are 3 major architectural approaches to passwordless authentication today in 2020:
- Public Key Cryptography -- One major method of passwordless authentication works using Public Key cryptography. This refers to cryptographic key pairs which include a public key and a private key. The FIDO standard is a big proponent of this method. Whenever a user tries to initiate an authentication action, a unique public-private key pair is generated (using a smartphone, for example). The private key is locally stored on the user’s device, and linked to an authentication factor such as facial recognition. The public key is stored centrally in the cloud. What makes passwordless authentication secure is that even if an attacker gains access to the public key, the information is of no use without the private key, which is stored secretly on the hardware level of the user’s device. This means authentication is based on local roots of trust, and the proverbial data breach of a centralized database of passwords becomes a thing of the past. The FIDO Alliance sets its protocols for passwordless authentication via a joint project with the W3C (World Wide Web Consortium).
- Certificate-Based Approach -- Certificates are an offshoot of the public key cryptographic approach because they generally work in tandem with public key cryptography. However, a passwordless solution can be architected purely on signed certificates (generally PKI-based for maximum trust and security) alone. Like public-private key pairs used for authentication, a certificate based passwordless system can create a local root of trust. And like a FIDO-based architecture that utilizes a “relying party”, a certificate-based architecture also utilizes a Certificate Authority, and that component manages revocation and the lifecycle of the certificate. The use of a purely certificate-based approach is quite new in passwordless authentication, and the major proponent of this approach pins their implementation to the Internet’s standard TLS form of certificate exchange (whereas FIDO has defined webauthn for authentication-based public-private key exchange). So there are differences in the approaches and a full consideration of applicability to all required use cases must be considered.
- Blockchain-Based Approach -- On the consumer and government side of the equation (less so in the enterprise), we see several BYOI (Bring Your Own Identity) or Decentralized Identity plays based on blockchain emerging. These contend that blockchains decentralized ledger-based architecture create a non-repudiable and transparent means of federating identity and authorization amongst parties in a network. Like the other 2 architectural approaches, concepts such as privacy and self-sovereignty vary slightly with this method. Like any network or marketplace, these initiatives require buy-in from enough stakeholders for the network to work and are worth monitoring closely. Unfortunately, the effort to create a “digital wallet” has a long history of dead proponents, but as a society we may be more ready than ever to embrace decentralized digital identity plays today.
Despite the availability of passwordless authentication solutions available, a majority of enterprises still rely on legacy authentication infrastructure, centered around passwords. This is because of several reasons: switching costs, concerns regarding deployment, and the fundamental inertia to stick with a widely adopted solution. To change this dynamic, It is important to understand that the implementation of passwordless authentication is not a nightmare. In fact, it is relatively straightforward.
How to Implement Passwordless Authentication in an Enterprise?
Obviously each passwordless authentication platform or solution will have different requirements for how to achieve the Holy Grail of being fully passwordless, but there are some considerations that are common across all options. Here, we present an introductory set of considerations when implementing passwordless authentication for traditional corporate structured organizations or enterprises (those with workforces that include employees, partners, contractors and visiting guests).
- Define the Scope. Defining the use case scope of passwordless in your enterprise is extremely important upfront. In addition to narrowing down the field of possible solutions (not all of them offer the same coverage), it can help set expectations across internal stakeholders ahead of time. This includes looking at your organization’s desire around passwordless enablement for end-user workstations/PCs, just application access, cloud-only or on-premises apps as well, remote worker use cases such as VPN and VDI, shared kiosk/PC scenarios and finally privilege user/admin use cases.
- Be Clear about the Why and Goals. As alluded to above, there may be many reasons why an organization wants or needs to move to passwordless authentication, from saving costs to improving end user satisfaction, to eliminating data breach risk. Generally, we see companies say they want all of the above, but it is important to prioritize these needs at more granular levels in relation to trade-offs between frictionless user experience, acceptable security risk and end-to-end completeness of solution that can achieve an acceptable ROI. Clear metrics should be established upfront that will enable your organization to know if the original goals have been met and if the project is a success.
- Hard Switch or Soft Landing? Removing the password from an organization’s directories and networks can be intimidating (which is why we’ve invested heavily in our Customer and Professional Service teams), but it doesn’t mean it’s a step that needs to be taken day one. Optimally, the journey to full passwordless authentication needs to be a well thought plan that incorporates phases of new segments of the workforce and coverage of corner use cases. At TruU, we make it easy for our customers to have a passwordless solution that can co-exist with a network-based password and still lower credential theft risk substantially.
- End User Training and Onboarding. In general, the user experience of passwordless authentication should be less intrusive than that of passwords and multi-factor authentication solutions. That said, end users need a basic level of understanding of how passwordless authentication will change the way they impact computing resources, particularly when it’s tied to a smartphone.
Benefits of Passwordless Authentication
Knowing the exact benefits and payoffs of moving to passwordless authentication are important for initial decision-making, managing expectations and establishing measures of success. While some of these have been referenced or suggested above, we enumerate the full list of benefits of passwordless authentication below.
- Passwordless can lower the costs of authentication. Many companies have already put Identity Governance and Administration solutions in place or other password reset self-service facilities in place, but many organizations have not. For those companies, passwordless authentication could offer significant savings in help desk password maintenance costs so long as the passwordless solution meets the key features of a full lifecycle passwordless authentication solution. According to Forrester, the average cost of one password reset for a company is $70. For large enterprises, the total annual cost can easily reach over $1 million USD each year.
In addition, pursuing a passwordless authentication solution also could eliminate costs from the use of and provisioning of expensive hardware tokens for authentication. Many passwordless solutions can work in concert with “authenticators” which are software clients that run on endpoints or mobile devices that can aid in multi-factor authentication. In most passwordless solutions, the solution’s own mobile application or client is the primary endpoint “authenticator” for the solution.
- Going passwordless will increase an enterprise's security. As discussed above, humans are the weakest link in security. Password reuse, picking simplistic, derivable passwords for easier recall, or writing down passwords in retrievable places all serve to undermine the effectiveness of passwords. From any adversary’s standpoint, phishing for compromised credentials (for credentials stuffing and the like) and brute force attacks are just some of the ways in which passwords can be exploited. Going passwordless immediately reduces the surface areas of attack for malicious actors and lower risk across an enterprise.
- Going passwordless should result in more frictionless UX for end users. We find that the UX benefits of going passwordless are as significant a driver as better security in buying decisions around passwordless authentication. The caveat is that not all passwordless solutions work alike and especially across different use cases. It’s important that the passwordless solution chosen truly eliminates any MFA fatigue that exists in the organization and offers a truly differentiated experience for the employee and other stakeholders.
Summary
Passwordless authentication is an emerging field of identity and access management that will revolutionize the way we as users experience the logical computing systems we depend on today. With the rapid advancements in biometrics and AIML, and the ubiquitous nature of smart mobile devices, we are well within grasp of a new world that will resolve one of the biggest security challenges in the world today, identity theft and impersonation. Now that we’ve convinced you to undertake the journey to passwordless, it’s time to take a read about Why TruU should be your passwordless authentication choice of solution.