Passwordless Authentication is Here at Last
By James Leslie, Chief Information Officer, Cambridge Housing Authority
Growing up in the 1970s and 1980s, “don’t talk to strangers” was a common admonition. Both my parents worked away from home and anticipated they might need to ask an adult I didn’t know to pick me up from school, so they had me remember a password that I was to keep a secret. If an adult knew the password, I was to understand I could trust them. But kids aren’t the best keepers of secrets. They may fall prey to a manipulative stranger who gains their trust in a way that doesn’t include the shared secret.
Passwords remained ubiquitous from childhood through my now middle age. Until very recently, a password-free world- like electrical grids powered by nuclear fusion- seemed a fantasy perpetually just ten years away.
But over the past several years, most smartphone users have grown accustomed to passwordless login. Most newer computer hardware and modern versions of Mac and Windows provide passwordless login options. It’s now making inroads into the enterprise, but why now? And what exactly is “passwordless authentication”?
Some define passwordless authentication simply as multifactor authentication where a password isn’t a factor because it replaces passwords—the least secure factor of authentication—with a combination of more secure factors.
A passwordless authentication process could include:
- Possession of a pre-authorized device—something you have, along with
- A device-based PIN—something you know, which proves you are an authorized user of that pre-authorized device, and/or
- Presentation of a fingerprint or face—something you are—associated with the pre-registered device.
- Presentation of a username to assert identity, along with
- A pre-authorized hardware security key, and
- Entry of the correct PIN to prove ownership of that hardware security key
These authentication scenarios are phish-resistant and thus more secure because they require possession of a preauthorized device rather than possession of a phishable password. A device-based PIN, at first glance, may seem as problematic as a password. But unlike traditional passwords, a phished PIN is useless without the pre-authorized device to which it is registered.
That answers the “what”, but why is passwordless authentication now an option for the enterprise?
Passwordless login options and user experience can feel very similar across systems and devices, and this is no accident. The FIDO Alliance—a consortium of hardware and software companies—recognized an opportunity both to increase cybersecurity and improve the user experience by getting rid of passwords.
Launched publicly in 2013, the FIDO Alliance introduced standards, such as the Universal Authentication Framework (UAF) and Client to Authenticator Protocol (CTAP) to provide. These standards allowed hardware and software vendors to enable password authentication methods for users that are both secure and seamless.
Ease of Use
Why bother typing a strong password when you can log in by looking at or touching the screen?
For those leery of biometrics, a device-based PIN can let users login with a numeric code, typically six-digits long. As with the venerable ATM card, a stolen device-based PIN is useless without access to the device, and it’s far easier to type in a 6 digit code than a 16 digit password consisting of upper and lower case letters, numbers, and special characters.
While biometrics and PINs are easy and secure, users who demand the most secure passwordless login method can turn to external hardware security keys, like Yubikey, that connects to a computer’s USB port. Sometimes referred to as mobile authenticators, these security keys can be convenient for people—such as IT support staff—who often need to login to multiple computers.
Passwords Are a Liability
The annual Verizon Data Breach Investigations Report consistently finds stolen credentials to be at the heart of 50% to 80% of cybersecurity breaches.
Phishing is an easy way to steal passwords. Frequent phish testing is effective, but few organizations achieve a 100% phish-resistant workforce, and it only takes one successful phish to place an organization at risk of a serious breach.
Depending on system settings and password hygiene, cybercriminals can sometimes simply guess passwords. QWERTY, Password, and 12345 regularly top the list of most common passwords. Spray many accounts with the top 1000 passwords and some of them are bound to work. Since people often reuse passwords, gaining access to their personal email account might just open up the digital front door to their corporate network.
Multifactor Authentication (MFA) is a must-use technology that it puts up a serious roadblock to malicious account access. Research on the use of multifactor challenges in addition to passwords on Google accounts showed MFA prevented 92% of phishing-based account take-over attempts. That leaves a small but critical gap.
Attackers have developed sophisticated ways to bypass MFA, but simple social engineering can be very effective. An attacker who uncovers a valid username and password combination can generate repeated MFA approval requests in hopes that the target eventually will be annoyed into complying.
MFA is a crucial security control, but the clearest way to mitigate the risk passwords pose is to eliminate passwords completely.
Eliminating users’ reliance on passwords is a huge step in the right direction. A successful phish is hard when the target knows no password to divulge, but phishing is only one threat passwords face.
Many passwordless solutions allow users to fall back to passwords when other authentication factors are impossible. This means the password is stored somewhere, and what’s stored can be stolen by attackers. Hashed password storage offers some protection here, but once a password cache is stolen, it can be subjected offline to brute force attacks.
To reap all the benefits of passwordless, organizations must plan not just to remove passwords from the authentication process but remove them from the environment altogether. This is not easy, but the cybersecurity payoff can be tremendous.
 Periwinkle Doerfler, Maija Marincenko, Juri Ranieri, Yu Jiang, Angelika
Moscicki, Damon McCoy, Kurt Thomas. 2019. Evaluating Login Challenges as a Defense Against Account Takeover.