Is Your Passwordless Authentication Solution Truly Passwordless?
In a world where many different users, mobile devices, and automated processes need to access networked resources, passwords are no longer an effective method to authenticate every single identity in an organization. Sophisticated attacks like phishing, keyloggers, and brute force cracking are highly capable of stealing passwords. Overall, this creates a very real scenario where passwords have become an outdated form of authentication with weak security, bad user experience, and added helpdesk burden all rolled into one.
Not surprisingly, organizations are actively looking to change their approach to authentication by switching to passwordless. Microsoft recently made headlines with its plans to enable passwordless authentication solutions for users signing into the likes of Microsoft 365, Microsoft Teams, Outlook, OneDrive, and Microsoft Edge.
“Going passwordless” has become a trendy term among security reporters, industry analysts, and influencers alike. But what it actually means varies greatly by who is using the term. Multi-factor authentication, one-time passwords, single sign-on, and biometrics are among those technologies that are part of today’s “passwordless” conversation. They may increase security and/or streamline the user experience, but they are not in themselves “passwordless” solutions.
Consider biometric authentication such as fingerprint scanning or facial recognition. These technologies can verify that the device used is in control of its intended user, which makes them substitutes for a PIN (which controls access to a device) and not a password (which controls access to another machine across a network). An authentication system could simply mask underlying passwords under biometrics or similar device-based authentication schemes. This approach is not truly passwordless, even though end users neither assign, manage, or put in passwords known to them. A password is still traveling across the network and controlling access at the machine on the other end.
This is a critical distinction. Password-masking approaches have some of the same benefits as true passwordless technology. They offer a better user experience as employees don’t need to remember and manage passwords or type them in. Plus, they reduce help desk tickets because they’re easier to use. However, there still exists a shared secret—in this case a password—that travels across a potentially hostile network and unlocks access and privileges in the server system. That leaves the shared secret subject to possible theft.
Another pseudo-passwordless approach is to somehow exchange public keys in a walled-garden system deployed on both ends. While such an approach is cryptographically secure from theft, it is difficult to develop, maintain and install and prone to errors and bugs. Oftentimes the process of creating a crypto key in this approach will still commence with a user name-password combination. And finally, these bare crypto keys have the downside that they lack lifecycle policies like expiration and revocation. The lack of these capabilities means these keys can simply hang around forever, including beyond their expected lifespan of usefulness or even after computing advances have rendered them cryptographically insecure.
PKI’s Role in True Passwordless Authentication Solutions
True passwordless authentication does not use a symmetrical shared secret or password anywhere in the authentication process. The gold standard in authentication and encryption, public key infrastructure (PKI) is a foundational technology for passwordless identity authentication and the only technology that can offer true passwordless authentication at scale.
Digital identity policies centered around PKI automation provide a fundamentally more usable and more secure authentication model. Digital certificates do all the work behind the scenes using private keys embedded in authenticating devices and PIN or biometric checks to ensure devices are in the correct users’ hands. Users have a better and more understandable experience, and a host of well-known password-stealing attacks are no longer a threat. It’s better for the user, and better for IT.
Though PKI can be used in a variety of scenarios, it is particularly well suited for passwordless authentication solutions in centralized enterprise environments. With PKI, enterprises can enjoy the benefits of passwordless authentication while still maintaining control over their infrastructure. PKI also provides fallback options in case of emergencies. If a certificate needs to be revoked, the administrator can do so at any time. Additionally, all certificates have set lifespans and will expire after the designated period of time has elapsed.
When you look to replace passwords and adopt a passwordless authentication solution, challenge your vendors. You might think you are getting away from passwords in your environment, but there may still be underlying passwords. To learn more, listen to Root Causes, episode 204, "PKIs Role in Passwordless."