The Secret Security Wiki

Categories
Categories

What Is Passwordless Authentication?

What Is Passwordless Authentication–and Why Does the Workforce Need It?

Passwordless authentication is a type of MFA that verifies user identity without relying on passwords or other memorized secrets. Passwordless generally means a form of multi-factor authentication or MFA, though simpler forms of passwordless authentication exist such as email-delivered magic links.

Instead of using passwords, identity can be verified based on a “possession factor.” For example, possession of an object that uniquely identifies the user because no other user would be expected to have the object (e.g. a registered mobile device or an issued hardware token). Identity can also be confirmed using “inherent factors” such as a person’s biometric signature (e.g. fingerprint, voice, face or retinal scan).

Why is it needed?

There are three types of factors that can be used in an MFA solution – something you are (biometric authentication), something you know (password), or something you have (mobile device). An authentication method based on secrets the user knows (such as a password, passphrase, or PIN code) remains susceptible to theft, sharing, and reuse by users, and requires constant management and handling by both IT and your workforce. 

Even with added factors, traditional MFA falls into this category. In eliminating “what users know” from the login workflow, nearly all passwordless MFA solutions stipulate at least one factor based on ‘something users own or have’ to strengthen authentication, and many add elements of ‘something users are,’ typically verified with biometrics. The end-of-the-day reason the modern workforce needs passwordless MFA is, in a word, phishing. Traditional MFA remains vulnerable to phishing–as evidenced by the fact that 80% of breaches still start with compromised credentials–and modern man-in-the-middle (MITM) and MFA Fatigue attacks. (Learn more about phishing-resistance in our other blog).

How Does Passwordless Authentication Work?

One framework that guides most journeys towards passwordless authentication comes from FIDO, a group consisting of tech giants that got together to define specifications for how online security should work. Ultimately, the expectation is that most if not all methods will also support or be built on Public Key Infrastructure or PKI architectures.

Octopus Authentication Server

Benefits of Passwordless Authentication

AuthN and AuthZ, or authentication and authorization, are the two steps taken to provide users access to classified information and privileged assets. With traditional password-based authentication, user experience dictates that a user only needs to log in once with a password to authorize their credentials, since entering a password multiple times can be cumbersome. 

With passwordless, users can authenticate multiple times per session to ensure they are authorized to view the information they’re trying to access. Other benefits of a passwordless approach can be broken into two main categories: business and technical.

Business:

  • User Experience (UX): Passwordless authentication means no more user-memorized secrets; this streamlines the authentication process.
  • ROI: Passwords are expensive, and they require constant maintenance from your IT staff. Removing them reduces support tickets and frees IT to deal with real problems, all while contributing to your ROI.
  • Better security: User-controlled passwords are a major vulnerability because employees reuse passwords and are able to share them with others. Passwords are one of the biggest cyberattack vectors and have been responsible for 81% of breaches (According to Verizon DBIR). They also lead to attacks such as credential stuffing, corporate account takeover (CATO), password spraying, and brute force attacks.
  • Invalidates already compromised credentials: Companies may have compromised credentials floating around on the dark web and not even know it. Going passwordless invalidates all these.

Technical:

  • Supported on a variety of systems: Passwordless does a good job of integrating with whatever platform you’re already using.
  • Decentralized: Because passwordless doesn’t require a master list of passwords or a password manager, it’s decentralized, meaning a breach doesn’t compromise the security of your entire system.
  • Advances Zero Trust security posture: Zero Trust is exactly what it sounds like – never trust any user at any time. Maximum security is achieved by constantly authenticating, all without the user even knowing it.

What Is the Difference Between Passwordless and “Regular” MFA?

Passwordless is a form of MFA, but traditional MFA is significantly less secure. So, how exactly do they stack up against each other?

As we said earlier, when someone talks about MFA, they usually mean a traditional authentication solution that includes “something you have” (e.g. a mobile phone that receives one-time verification codes. You can enter to complete authentication). The problem lies, however, in the first authentication factor – the user password that can be easily compromised leading to bad actors gaining access to information they shouldn’t have – which traditional solutions still contain.

A passwordless login solves problems traditional MFA may cause (or at least not fix), from a choppy user experience and “MFA fatigue” to serious problems like compromised credentials showing up on the dark web.

Why Secret Double Octopus for Passwordless?

Secret Double Octopus is the industry leader for workforce passwordless authentication having won numerous awards for our proven enterprise-level solutions. More than 150K users authenticate with the Octopus platform with no compromising data breaches having occurred.

Our passwordless solution is a complete one, known as “full passwordless.” Some companies sell passwordless solutions that are not truly passwordless as they require passwords behind the scenes, or when using single sign-on (SSO). 

The Octopus platform offers the broadest enterprise use case coverage and is ideal for industries such as higher education and critical infrastructure. Mandates from the Biden administration and other governments call for critical infrastructures and other industries to move toward Zero Trust security postures and phishing-resistant MFA. 

Passwordless MFA represents the best approach for phishing-resistance but making the transition can be a big job. SDO offers the ability to slowly transition from password-based to passwordless, with milestones along the way to becoming a fully passwordless organization. We focus on adding passwordless to your existing infrastructure, instead of forcing you to restructure to make our solution fit.

Learn more about passwordless authentication

  • How does passwordless authentication work?

    There are three types of factors that can be used in an MFA solution – something you are (biometric authentication), something you know (password), or something you have (mobile device). The one factor that is often changed from 2FA and MFA is the weakest factor of the three; namely, ‘something you know,’ such as a password.

    Nearly all passwordless MFA solutions stipulate a factor based on ‘something you own or have.’ To further strengthen authentication, many add or substitute ‘something you are,’ typically verified with biometrics.

    One framework that guides most journeys towards passwordless authentication comes from FIDO, a group consisting of tech giants that have laid out specifications for how online security should work. Ultimately, the expectation is that most if not all methods will also support or be built on Public Key Infrastructure or PKI architectures.

  • WILL THE MOVE TO A PASSWORDLESS SOLUTION BE COSTLY TO MY ORGANIZATION? DOES MORE SECURE MEAN MORE EXPENSIVE?

    One of the most commonly misunderstood points on going passwordless is the cost of implementing such a platform.

    This is most often because users look at the expense of an actual platform without comparing it to the total cost (TCO) of maintaining a password-based scheme.

    The truth is, these systems overall can drastically cut IT costs for an enterprise. There is a broad spectrum of costs associated with keeping password-based authentication. These include managing, setting policies, and encrypting passwords. Additionally, going passwordless means eliminating help desk tickets and password resets, which according to Forester, can run anywhere between $25 to $70 a call.

    For a clearer picture of TCO and ROI with a passwordless MFA solution, you can run your own ROI calculation to see how much you can save within the first year and watch this short video to learn how you can get started in about an hour.

  • IS PASSWORDLESS AUTHENTICATION USER-FRIENDLY? WHAT TYPE OF PUSHBACK SHOULD I EXPECT?

    For many companies, the obstacle in front of leaving a password-based system is simply lack of familiarity .

    Passwords have been around forever. People know how to use them. Managers often think that moving to a new, passwordless platform will take a serious toll on user experience and disrupt workflow.

    In reality, the overwhelming majority of corporate employees today prefer passwordless technologies because of the ease of use they provide. Solutions such as push notifications, for instance, are revolutionizing authentication by providing not just a substantial increase in security, but also by relieving users of the burdens of remembering and securing passwords.

  • WHICH IS THE FASTEST PASSWORDLESS SOLUTION TO IMPLEMENT? (FOR 500 USERS)

    The vast proliferation of personal smart devices has made passwordless solutions highly scalable, even for large company workforces.

    The fastest platforms for an enterprise to switch to will be the ones that harness employee mobile devices and turn them into mobile authenticators.

     

  • CAN PASSWORDLESS SOLUTIONS BE IMPLEMENTED IN A HYBRID ENTERPRISE (CLOUD/ON-PREMISES) ?

    Yes. Due to the increase in the integration of on-premises and cloud-based identity management systems, many authentication solutions have adapted themselves to this model.

    The Octopus Authenticator has full integration capabilities with network services such as Microsoft’s Active Directory and other cloud platforms making it a suitable solution for the hybrid enterprise.

  • IS PASSWORDLESS AUTHENTICATION AN ENFORCEABLE COMPANY POLICY?

    The use of passwordless authentication methods like biometric and facial recognition has become a norm on mobile devices, but many organizations still struggle to deploy the technology on their corporate networks.

    Whether you can deploy passwordless authentication on your network depends on the infrastructure that supports it. Fortunately, the developers of most prominent operating systems and authentication standards acknowledge the need to integrate the option of passwordless authentication into their software. Microsoft recently announced the support for passwordless sign-in on both its individual Windows products and networks running on the Microsoft Active Directory . Users will be able to use FIDO2 keys equipped with fingerprint scanners or fingerprint scanners integrated onto their laptops to log in to their Microsoft and AD accounts instead of passwords.

    Linux has also supported passwordless SSH logins for several years now. Network administrators can configure their servers to use software keys in addition to or instead of passwords.

    This means that both systems can enforce a policy where users can only log in with passwordless authentication technology.

    Both directory services on Windows and Linux also support SAML authentication, an open standard that enables network administrators to implement their own authentication mechanism. This means you can integrate a mobile-based out-of-band authentication technology like Secret Double Octopus into your network.

  • CAN I USE PASSWORDLESS SOLUTIONS WITH MY CURRENT SSO?

    Single sign on (SSO) authentication is a good way to reduce the authentication attack surface, simplify the management of passwords, and provide a better user experience. The idea is to use one service (Google, Microsoft Azure, Active Directory, Amazon AWS…) to sign in to multiple accounts.

    However, many organizations would also want to be able to integrate the convenience of SSO with the added security of passwordless authentication. Most prominent SSO technologies are based on SAML, which is flexible in authentication technology.

    Secret Double Octopus provides a passwordless SSO technology based on SAML that organizations can implement into their online services. It also has a passwordless implementation for several popular SSO technologies, including Google’s G-Suite and Amazon’s AWS.

  • WILL I BE ABLE TO REPLACE “SERVICE ACCOUNTS” WITH PASSWORDLESS AUTHENTICATION?

    No–in Microsoft Windows, service accounts are accounts that are explicitly used to run services in the background. All versions of Windows come with a few default service accounts such as Local Service, Network Service, and Local System, which have different levels of access to local and network resources. These service accounts are simple to configure and use but are typically shared among multiple applications and services and cannot be managed on a domain level.

    For organizations and users that want to customize the security of various services and applications, they can use Managed Service Accounts like CyberArk, which provides better administration and password management.

    You can further enhance the security and ease of use of your Managed Service Accounts by integrating a passwordless authentication technology with your Active Directory (AD) installation. This gives you the flexibility of managed service accounts plus the convenience of passwordless authentication.

  • IS PASSWORDLESS AUTHENTICATION COMPLIANT WITH REGULATORY STANDARDS?

    In the past years, regulatory bodies have come to understand and acknowledge the weaknesses and security threats associated with the storage and use of passwords. That’s why they’re constantly raising the bar for the minimum requirements of passwords (length, complexity, encryption, change cycles) and making it mandatory to add two-factor authentication in many settings.

    The NIST, the body that sets technology standards in the U.S. and acts as a point of reference for many other countries, requires that in many settings services secure user identities through multi-factor authentication (MFA) . This means the service must support at least two of the following:

    • Something you know (passwords)
    • Something you have (mobile device or FIDO key)
    • Something you are (biometric data)

    In some settings, such as financial services, the standards body explicitly requires the use of biometric data as one of the authentication factors. This means that a technology such as Secret Double Octopus, which combines out-of-band mobile and biometric authentication, is a good choice to make sure your organization is compliant with security standards and regulations while also using convenient, user-friendly technology.