The Secret Security Wiki


Passwordless Authentication

Passwordless authentication is a method of verifying users’ identities without the use of passwords or any other memorized secret. It is generally a form of multi-factor authentication (MFA), although simpler forms of passwordless authentication exist, such as email-delivered magic links.

Instead of passwords, identity can be verified based on a “possession factor”: possession of an object that uniquely identifies the user because no other user would be expected to have it (e.g. a registered mobile device or an issued hardware token). Identity can also be verified based on an “inherent factor”, such as a person’s biometric signature (e.g. fingerprint, face, retina). Unlike possession or inherent factors, authentication based on something the user knows (such as a password, passphrase, or PIN code) is susceptible to theft, sharing and reuse by users, and requires constant management and handling by both users and IT managers.

Passwordless Authentication Benefits

Phishing, reuse, and sharing are common issues when relying on passwords. With passwordless authentication, IT reclaims complete visibility over identity and access management: there is nothing to phish, share or reuse, and the user is no longer the wild card in the organization’s identity scheme.

  • Reduction in Total Cost of Ownership (TCO): Passwords are expensive, and they require constant maintenance from your IT staff. Removing passwords will reduce support tickets and free IT to deal with real problems.

With passwords out of the picture, both user experience and security improve, and the overall cost of authentication tied to passwords or password-based MFA can decrease.

The security of passwordless authentication systems depends on the proof(s) of identity required in lieu of passwords and their implementation. For example, using secure push notifications to the account holder’s mobile device is generally considered more secure than passwords. SMS codes to the account holder’s mobile device can be considered less secure because SMS is an insecure communication channel and there are multiple documented attacks against SMS authentication systems.

  • How does passwordless authentication compare with 2FA or MFA?

    All three solution types are multi-factor, however the factors used vary greatly.

    2FA (two-factor authentication) is a more specific form of the generic MFA (multi-factor authentication). 2FA requires at least two factors to complete an authentication. MFA solutions may require more than two factors, or offer a wider choice of factors, but generally both 2FA and MFA are built on a password factor plus additional factors.

    Passwordless authentication solutions are generally MFA by definition, since the requirement for at least two factors still stands. The factor that changes relative to 2FA and MFA is ‘something you know’, such as a password: passwordless solutions substitute ‘something you are’, such as a biometric. Nearly all solutions also mandate a factor based on ‘something you own or have’, such as a smartphone.

  • Is passwordless authentication more secure than password authentication?

    The security of passwordless authentication depends on how it is implemented and what sort of proof of identity is deployed. For example, using secure push notifications to the account holder’s mobile device is generally considered more secure than passwords. SMS codes to the account holder’s mobile device can be considered less secure because SMS is an insecure communication channel and there are multiple documented attacks against SMS authentication systems.

  • Is passwordless authentication more secure than MFA?

    Passwordless authentication solutions can incorporate multiple factors of authentication and are therefore considered multi-factor authentication (MFA). For example, authenticating users via a secure push notification to an application on a registered mobile device that is itself protected by fingerprint authentication shows how passwordless authentication can also be MFA.

  • Will the move to a passwordless solution be costly to my organization? Does more secure mean more expensive?

    One of the most commonly misunderstood points on going passwordless is the cost of implementing such a platform.

    This is most often because users look at the expense of an actual platform without comparing it to the total cost (TCO) of maintaining a password-based scheme.

    The truth is, these systems overall can drastically cut IT costs for an enterprise. There is a broad spectrum of costs associated with keeping password-based authentication. These include managing, setting policies, and encrypting passwords. Additionally, going passwordless means eliminating help desk tickets and password resets, which according to Forrester, can run anywhere between $25 to $70 a call.

  • Is passwordless authentication user-friendly? What type of pushback should I expect?

    For many companies, the obstacle in front of leaving a password-based system is simply lack of familiarity.

    Passwords have been around forever. People know how to use them. Managers often think that moving to a new, passwordless platform will take a serious toll on user experience and disrupt workflow.

    In reality, the overwhelming majority of corporate employees today prefer passwordless technologies because of the ease of use they provide. Solutions such as push notifications, for instance, are revolutionizing authentication by providing not just a substantial increase in security, but also by relieving users of the burdens of remembering and securing passwords.

  • Which is the fastest passwordless solution to implement? (for 500 users)

    The vast proliferation of personal smart devices has made passwordless solutions highly scalable, even for large company workforces.

    The fastest platforms for an enterprise to switch to will be the ones that harness employee mobile devices and turn them into mobile authenticators.

    The passwordless push notification method utilizes Phone-as-a-Token and supports a Bring Your Own Device (BYOD) approach that has proven cost-effective and better serves legacy software and remote workforces.

    The high penetration rate of smartphones, when combined with a passwordless user experience (UX), is making adoption easier and resulting in a reduction in password-related costs, making passwordless push authentication an easy decision for IT professionals from cost, user experience, and security perspectives.

  • Can passwordless solutions be implemented in a hybrid enterprise (cloud/on-premises)?

    Yes. Due to the increase in the integration of on-premises and cloud-based identity management systems, many authentication solutions have adapted themselves to this model.

    The Octopus Authenticator has full integration capabilities with network services such as Microsoft’s Active Directory and other cloud platforms making it a suitable solution for the hybrid enterprise.

  • Is passwordless authentication an enforceable company policy?

    The use of passwordless authentication methods like biometric and facial recognition has become a norm on mobile devices, but many organizations still struggle to deploy the technology on their corporate networks.

    Whether you can deploy passwordless authentication on your network depends on the infrastructure that supports it. Fortunately, the developers of most prominent operating systems and authentication standards acknowledge the need to integrate the option of passwordless authentication into their software. Microsoft recently announced support for passwordless sign-in on both its individual Windows products and networks running on Microsoft Active Directory. Users will be able to use FIDO2 keys equipped with fingerprint scanners, or fingerprint scanners integrated into their laptops, to log in to their Microsoft and AD accounts instead of passwords.

    Linux has also supported passwordless SSH logins for several years now. Network administrators can configure their servers to use SSH keys in addition to, or instead of, passwords.

    This means that both systems can enforce a policy where users can only log in with passwordless authentication technology.

    Both directory services on Windows and Linux also support SAML authentication, an open standard that enables network administrators to implement their own authentication mechanism. This means you can integrate a mobile-based out-of-band authentication technology like Secret Double Octopus into your network.

  • Can I use a passwordless solution with my current SSO?

    Single sign-on (SSO) authentication is a good way to reduce the authentication attack surface, simplify the management of passwords, and provide a better user experience. The idea is to use one service (Google, Microsoft Azure, Active Directory, Amazon AWS…) to sign in to multiple accounts.

    However, many organizations would also want to be able to integrate the convenience of SSO with the added security of passwordless authentication. Most prominent SSO technologies are based on SAML, which is flexible in authentication technology.

    Secret Double Octopus provides a passwordless SSO technology based on SAML that organizations can implement into their online services. It also has a passwordless implementation for several popular SSO technologies, including Google’s G-Suite and Amazon’s AWS.

  • Will I be able to replace “service accounts” with passwordless authentication?

    No. In Microsoft Windows, service accounts are accounts that are explicitly used to run services in the background. All versions of Windows come with a few default service accounts such as Local Service, Network Service, and Local System, which have different levels of access to local and network resources. These service accounts are simple to configure and use but are typically shared among multiple applications and services and cannot be managed on a domain level.

    For organizations and users that want to customize the security of various services and applications, they can use Managed Service Accounts like CyberArk, which provides better administration and password management.

    You can further enhance the security and ease of use of your Managed Service Accounts by integrating a passwordless authentication technology with your Active Directory (AD) installation. This gives you the flexibility of managed service accounts plus the convenience of passwordless authentication.

  • Is passwordless authentication compliant with regulatory standards?

    In the past years, regulatory bodies have come to understand and acknowledge the weaknesses and security threats associated with the storage and use of passwords. That’s why they’re constantly raising the bar for the minimum requirements of passwords (length, complexity, encryption, change cycles) and making it mandatory to add two-factor authentication in many settings.

    NIST, the body that sets technology standards in the U.S. and acts as a point of reference for many other countries, requires that, in many settings, services secure user identities through multi-factor authentication (MFA). This means the service must support at least two of the following:

    • Something you know (passwords)
    • Something you have (mobile device or FIDO key)
    • Something you are (biometric data)

    In some settings, such as financial services, the standards body explicitly requires the use of biometric data as one of the authentication factors. This means that a technology such as Secret Double Octopus, which combines out-of-band mobile and biometric authentication, is a good choice to make sure your organization is compliant with security standards and regulations while also using convenient, user-friendly technology.

  • Can I implement a passwordless solution at the server level?

    Both Windows and Linux support passwordless authentication. In a 2018 update to its Active Directory LDAP service, Microsoft added native support for passwordless authentication through FIDO2 keys. This means that with the proper server-level configurations, AD users can walk up to any domain-connected workstation and insert their key to log in to their accounts without making changes at the machine level.

    Linux also has native support for SSH keys, which can replace passwords. When passwordless authentication is implemented on a Linux server, users can remotely log in over SSH by presenting their key instead of typing in their password.

    Also, organizations that want to use security solutions like Secret Double Octopus can use the SAML implementation of the technology which integrates with their respective server technology. This enables organizations to use the added benefit and security of Single Sign-On (SSO) and mobile authentication on their networks.
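The Linux SSH policy described in the enforceable-policy and server-level answers above only holds if the server actually refuses passwords. The script below is an added example, not code from this wiki or from Secret Double Octopus; it assumes a plain "Directive value" sshd_config (Match blocks are not evaluated) and runs against two constructed sample files.

```shell
#!/bin/sh
# Added example (not the wiki's or Secret Double Octopus's code): audit an sshd_config
# for the settings that make a Linux server key-only, as the FAQ describes.
# Assumption: plain "Directive value" lines; Match blocks are not evaluated.
# Effective value of a directive: sshd honours the FIRST uncommented occurrence,
# falling back to the daemon default ($3) when the directive is absent.
sshd_effective() {  # $1 = config file, $2 = directive, $3 = default
    val=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# Returns 0 when password logins are off and public-key logins are on; prints each
# failing directive. KbdInteractiveAuthentication matters because PAM can still
# prompt for a password through it even when PasswordAuthentication is "no".
audit_sshd_config() {  # $1 = path to sshd_config
    rc=0
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    kb=$(sshd_effective "$1" KbdInteractiveAuthentication yes)
    pk=$(sshd_effective "$1" PubkeyAuthentication yes)
    case "$pw" in [Nn][Oo]) ;; *) echo "FAIL: PasswordAuthentication is $pw"; rc=1 ;; esac
    case "$kb" in [Nn][Oo]) ;; *) echo "FAIL: KbdInteractiveAuthentication is $kb"; rc=1 ;; esac
    case "$pk" in [Yy][Ee][Ss]) ;; *) echo "FAIL: PubkeyAuthentication is $pk"; rc=1 ;; esac
    return $rc
}

# Constructed sample configs (not taken from any real host).
write_weak_sample() {  # looks hardened at a glance, but the "no" line is commented out
    cat > "$1" <<'EOF'
PubkeyAuthentication yes
#PasswordAuthentication no
PasswordAuthentication yes
EOF
}
write_hardened_sample() {  # key-only policy
    cat > "$1" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
}

# Stand-alone demo over the two samples.
demo_dir=$(mktemp -d)
write_weak_sample "$demo_dir/weak"
write_hardened_sample "$demo_dir/hardened"
for f in weak hardened; do
    audit_sshd_config "$demo_dir/$f" && echo "$f: key-only login enforced"
done
rm -rf "$demo_dir"
```

On a live host, save the output of `sshd -T` (the effective configuration after defaults are applied) to a file and audit that instead of the raw sshd_config.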