Passwordless Authentication

Passwordless authentication is any method of verifying the identity of a user that does not require the user to provide a password.

Instead of passwords, proof of identity can be based on possession of something that uniquely identifies the user (e.g. a one-time password generator, a registered mobile device, or a hardware token) or on the user’s biometric signature (e.g. fingerprint, face, retina, etc.). It is also possible to authenticate based on something the user knows (e.g. knowledge-based authentication), so long as that something is not a password.

What are the benefits of Passwordless Authentication?

  • User Experience (UX): passwordless authentication means no more user-memorized secrets and a streamlined authentication process.
  • Better Security: user-controlled passwords are a major vulnerability; users reuse passwords and are able to share them with others. Passwords are the biggest attack vector and are responsible for 81% of breaches. They also enable attacks such as credential stuffing, corporate account takeover (CATO), password spraying and brute force.
  • Reduction in Total Cost of Ownership (TCO): passwords are expensive and require constant maintenance from IT staff. Removing passwords reduces support tickets and frees IT to deal with real problems.
  • IT Gains Control and Visibility: phishing, reuse, and sharing are common issues when relying on passwords. With passwordless authentication, IT reclaims complete visibility over identity and access management: there is nothing to phish, share or reuse, and the user is no longer the wild card in the organization’s identity scheme.


With passwords out of the picture, both user experience and security improve.

The security of passwordless authentication systems depends on the proof(s) of identity required in lieu of passwords and their implementation. For example, using secure push notifications to the account holder’s mobile device is generally considered more secure than passwords. SMS codes to the account holder’s mobile device can be considered less secure because SMS is an insecure communication channel and there are multiple documented attacks against SMS authentication systems.


What does Passwordless Authentication Prevent?

Password spraying

What is Password spraying?

Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords.

Well known instances of Password Spraying attacks:

The Citrix Breach
Dubai School Network

How Do we prevent Password Spraying?

Password spraying relies on the use of common and generic passwords, unfortunately a practice that remains widespread today. By removing the use of passwords, Secret Double Octopus renders an account immune to this attack.

Credentials stuffing

What is Credential stuffing?

Credential stuffing is a type of cyberattack in which stolen account credentials, typically lists of usernames and/or email addresses with their corresponding passwords, are used to gain unauthorized access to user accounts. Using a program called an ‘account checker’, attackers launch large-scale automated login requests against a slew of web applications.

Well known instances of Credential Stuffing attacks:

HSBC Breach
Collection 1
Spotify

How do we prevent Credential Stuffing?

Credential stuffing typically relies on user-generated passwords that were obtained from large breaches. Secret Double Octopus removes user-generated passwords and, in turn, the risk of credential stuffing.
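As an added illustration (not code from this page or from Secret Double Octopus), the following Python sketch shows how a defender can recognise the two patterns described above in authentication logs, and it goes one step further by also separating out a per-account brute force attempt. The log line format, the threshold values and the sample log itself are constructed assumptions for the example; the usernames and addresses are not real data.

```python
from collections import defaultdict

# Constructed sample log (not real data). Assumed format per line:
#   <timestamp> <OK|FAIL> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-03-01T09:00:01Z FAIL user=alice src=203.0.113.5
2024-03-01T09:00:02Z FAIL user=bob src=203.0.113.5
2024-03-01T09:00:03Z FAIL user=carol src=203.0.113.5
2024-03-01T09:00:04Z FAIL user=dave src=203.0.113.5
2024-03-01T09:00:05Z FAIL user=erin src=203.0.113.5
2024-03-01T09:00:06Z FAIL user=frank src=203.0.113.5
2024-03-01T09:01:00Z FAIL user=admin src=198.51.100.7
2024-03-01T09:01:01Z FAIL user=admin src=198.51.100.7
2024-03-01T09:01:02Z FAIL user=admin src=198.51.100.7
2024-03-01T09:01:03Z FAIL user=admin src=198.51.100.7
2024-03-01T09:01:04Z FAIL user=admin src=198.51.100.7
2024-03-01T09:01:05Z FAIL user=admin src=198.51.100.7
2024-03-01T09:01:06Z FAIL user=admin src=198.51.100.7
2024-03-01T09:01:07Z FAIL user=admin src=198.51.100.7
2024-03-01T09:01:08Z FAIL user=admin src=198.51.100.7
2024-03-01T09:02:00Z FAIL user=alice src=192.0.2.10
2024-03-01T09:02:05Z FAIL user=alice src=192.0.2.10
2024-03-01T09:02:09Z OK user=alice src=192.0.2.10
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, result, user_field, src_field = line.split()
    return {
        "ts": ts,
        "ok": result == "OK",
        "user": user_field.split("=", 1)[1],
        "src": src_field.split("=", 1)[1],
    }


def classify_sources(lines, spray_min_accounts=5, spray_max_per_account=2,
                     brute_min_attempts=8):
    """Label each source address by the shape of its failed logins.

    The thresholds are assumed values for illustration; tune them to real traffic.
      spray-or-stuffing : many distinct accounts, only a try or two per account
      brute-force       : many tries against one account
      benign            : anything else (e.g. a user mistyping twice, then succeeding)
    """
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> failed count
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if not event["ok"]:
            failures[event["src"]][event["user"]] += 1

    verdicts = {}
    for src, per_user in failures.items():
        accounts_hit = len(per_user)
        worst_account = max(per_user.values())
        if accounts_hit >= spray_min_accounts and worst_account <= spray_max_per_account:
            verdicts[src] = "spray-or-stuffing"
        elif worst_account >= brute_min_attempts:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG.splitlines()).items()):
        print(f"{src:15} {verdict}")
```

A failed-login record does not say which password was tried, so spraying and credential stuffing look alike in the log (one source, many accounts, a try or two each) and are reported under one label; telling them apart requires knowing whether the tried credentials came from a breach list. Attackers also spread attempts across many source addresses, so in practice the same counting is done per account and per time window as well as per source.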


Spear Phishing

What is Spear Phishing?

Phishing is a form of cyberattack designed to get a user to divulge compromising information. As its name implies, spear phishing is a targeted attack against a particular user or set of users, based on their unique profile. Spear phishing messages are tailored to the targets in an effort to convince them the communications are legitimate. This is usually done by acquiring personal details on the victim such as their friends, hometown, employer, locations they frequently visit, or what they have recently bought online. The attackers then disguise themselves as a trustworthy friend or entity and attempt to extract sensitive information, typically through email or other online messaging.

To date, spear phishing is the most successful form of acquiring credentials and other sensitive data via the internet, accounting for 91% of all attacks.

Well known instances of Spear Phishing attacks:

Anthem

Ubiquiti Networks

Crelan

Soula

How does Secret Double Octopus prevent Spear Phishing?

Spear phishing attacks rely on fraudulent communications, usually in the form of emails following a business email compromise (BEC) incident. When using Secret Double Octopus, users are never prompted to reset or update passwords, so users will know that any such request is an attempt by a cybercriminal. Secret Double Octopus both removes the credential target and negates the mechanism by which spear phishing works.

Brute Force Attack and Offline Cracking

What is a Brute Force Attack?

Brute force attacks involve repeated login attempts using every possible letter, number, and character combination to guess a password.

An attacker using brute force is typically trying to guess a user or administrator password, or a password hash or key. Guessing a short password can be relatively simple, but that isn’t necessarily the case for longer passwords or encryption keys: the difficulty of a brute force attack grows exponentially with the length of the password or key.

What are some examples of Brute Force attack?

Georgia Tech

IBM Research

What is Offline Cracking?

Offline password cracking is an attempt to extract one or more passwords from a password storage file that has been recovered from a target system. Typically, this form of cracking requires that an attacker has already attained a high level of access to a system in order to obtain the necessary file. Once the attackers gain access to the stored passwords, they are able to move freely through a wide range of network accounts.

Well known instances of Offline Cracking

LastPass Breach

How does Secret Double Octopus prevent Brute Force Attacks and Offline Cracking?

Both of these attacks depend on obtaining credentials. Attackers target systems that rely on passwords as a first factor. There are many cases in which attackers capitalize on weak communication protocols connecting networks to servers and use these methods to bypass MFA. Secret Double Octopus does not use passwords as a first factor of authentication, thereby preventing brute force attacks.


Rainbow table attacks

What is a Rainbow Table Attack?

A Rainbow Table attack is designed to recover passwords from their cryptographic hashes. They are basically huge sets of precomputed tables filled with hash values that are pre-matched to possible plaintext passwords. The proper application of a Rainbow Table can allow a hacker to break passwords with relatively high complexity.

Well known instances of Rainbow Attacks:

WikiLeaks breaches

How does Secret Double Octopus prevent Rainbow Table Attacks?

Rainbow attacks can only be successful against an account that uses passwords as the primary factor. Once passwords are gone, the most sophisticated Rainbow Table is useless.
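To make concrete why the offline cracking and rainbow table attacks above depend on how passwords are stored, here is an added Python example (not code from this page or from Secret Double Octopus). It builds a toy precomputed digest table over a constructed five-word list, shows an unsalted SHA-256 of a weak password falling to it at once, and then shows that the same password stored with a per-user random salt and a slow key derivation function (PBKDF2 here; the choice of algorithm and iteration count is an assumption for the example) no longer matches anything precomputed. Real rainbow tables compress the mapping with hash/reduce chains rather than storing every pair, but the lookup idea is the same.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist; a real precomputed table covers billions of candidates.
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome1"]
ITERATIONS = 100_000   # assumed PBKDF2 work factor for the example


def build_lookup_table(words):
    """Precompute the plain SHA-256 of every candidate, keyed by hex digest.

    This is the principle a rainbow table exploits: when the hash has no
    per-user salt, work done once in advance matches every leaked digest.
    """
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def recover_unsalted(leaked_hex_digest, table):
    """Return the plaintext if the leaked digest is in the table, else None."""
    return table.get(leaked_hex_digest)


def store_password(password):
    """Per-user random salt plus a slow KDF: the stored value is unique to this user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo():
    table = build_lookup_table(WORDLIST)
    # Case 1: a leaked unsalted SHA-256 of a weak password falls to the table instantly.
    leaked = hashlib.sha256(b"letmein").hexdigest()
    hit = recover_unsalted(leaked, table)           # "letmein"
    # Case 2: same password, salted and stretched: nothing precomputed matches,
    # and an attacker would have to redo the work per salt and per guess.
    salt, digest = store_password("letmein")
    miss = recover_unsalted(digest.hex(), table)    # None
    ok = verify_password("letmein", salt, digest)   # True
    bad = verify_password("qwerty", salt, digest)   # False
    return hit, miss, ok, bad


if __name__ == "__main__":
    print(demo())
```

The salted store still has to be protected, and a targeted offline attack can still grind through guesses against one salted hash at the cost the KDF imposes; what the salt removes is the one-time, reusable precomputation that makes a rainbow table worthwhile.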

Social Engineering

What is Social Engineering?

Social engineering covers a very broad range of attacks by which cybercriminals manipulate individuals into divulging login credentials. Social media platforms often provide the perfect venue for attackers to reach out to potential victims under a guise and extract information.

Some social engineering methods don’t even require attackers to engage directly with victims. Criminals can go directly to a user’s service provider such as a cell phone or internet company and deceive a representative into delivering new passwords to the phone or device of their choice.

Well Known instances of Social Engineering attacks:

Hack of Black Lives Matter activist DeRay Mckesson

How does Secret Double Octopus prevent Social Engineering Attacks?

Regardless of which method attackers deploy, the goal of any social engineering attack is to extract the login credentials to a victim’s account. By eliminating credentials from the authentication equation, there is no longer a target for a social engineering campaign.

Keylogger Malware

What is Keylogger Malware?

A keylogger attack involves the illicit use of a keystroke logging program to record and capture passwords. Attackers can infect a machine with a keylogger by planting it in legitimate websites or in phishing messages. The seemingly innocuous content of the web page or message contains commands to download a keylogger file that a user can activate with a simple click.

Well Known Instances of Keylogger Attacks:

VSDC Hack

2019 Chinese Intelligence Campaign Against U.S. Tech

How does Secret Double Octopus prevent Keylogger Attacks?

Even after successfully getting a user to download a keylogger, attackers still need the victim to type in his or her password so it can be recorded. If passwords are not being entered, nothing captured by the keylogger will grant an attacker access to accounts.

Shoulder Surfing

What is Shoulder Surfing?

More aptly categorized as a form of tradecraft than a cyberattack, shoulder surfing is simply the stealing of a user’s credentials by literally peering over their shoulder while he or she is typing them in. While this may seem like an overly simple method, research has shown shoulder surfing to have a substantial success rate.

Well Known Instances of Shoulder Surfing:

2016 California Shoulder Surfing Spree

How does Secret Double Octopus prevent Shoulder Surfing Attacks?

Any ‘shoulder surfer’ is looking to identify users’ passwords as they type them into a device. When users are no longer entering passwords, there is no longer any information being exposed that would potentially give a peeping attacker illicit access.


Corporate Account Takeover (CATO)

What is Corporate Account Takeover (CATO)?

Corporate account takeover occurs when an attacker manages to gain unauthorized access to a legitimate business account. Control of the account is then used for nefarious activities such as initiating a fraudulent payment or wire transfer, or stealing sensitive data.


Well known instances of Corporate Account Takeover (CATO)

BancorpSouth Breach

Ocean Bank Breach

Leaving the Password Threat Behind

The above list of techniques for breaking password-based authentication schemes is just a small sampling of the dangers posed by passwords, an outdated method of authentication which is still the method of choice for most applications.

Secret Double Octopus is helping customers evolve to the next stage of digital authentication: passwordless authentication. Its Octopus Authenticator neutralizes all of the attacks that target users’ passwords by simply getting rid of them.

Frequently Asked Questions

How does passwordless authentication work?

Passwordless authentication is any method of verifying the identity of a user that does not require the user to provide a password.

Instead of passwords, proof of identity can be based on possession of something that uniquely identifies the user (e.g. a one-time password generator, a registered mobile device, or a hardware token) or on the user’s biometric signature (e.g. fingerprint, face, retina, etc.). It is also possible to authenticate based on something the user knows (e.g. knowledge-based authentication), so long as that something is not a password.

Which authentication methods are used for passwordless authentication?

In passwordless authentication, proof of identity can be done based on possession of something that uniquely identifies the user (e.g. a one-time password generator, a registered mobile device, or a hardware token) or the user’s biometric signature (e.g. fingerprint, face, retina, etc.). It is also possible to authenticate based on something the user knows (e.g. knowledge-based authentication), so long as that something is not a password.

The password alternatives available on the market today cover a pretty broad spectrum.

These system types include:

  • Software tokens
  • Biometrics
  • SMS delivered codes
  • Hardware authentication devices (“hard” tokens)

While all of these systems offer a leg up on security relative to passwords, each one of them has been shown to possess serious vulnerabilities. From a security perspective, the strongest passwordless solutions consist of multi-channel and out-of-band authentication mechanisms.

This feature is what makes Secret Double Octopus’s technology resilient to the full range of known attacks.


Is passwordless authentication more secure than password authentication?

The security of passwordless authentication depends on how it is implemented and what sort of proof-of-identity is deployed. For example, using secure push notifications to the account-holder’s mobile device is generally considered more secure than passwords. SMS codes to the account-holder’s mobile device can be considered less secure because SMS is an insecure communication channel and there are multiple documented attacks against SMS authentication systems.

Is passwordless authentication more secure than MFA?

Passwordless authentication solutions can incorporate multiple factors of authentication and therefore be considered multi-factor authentication (MFA). For example, authenticating users via secure push notification to an application on a registered mobile device that is also protected by fingerprint authentication is an example for how passwordless authentication can also be MFA.

How does passwordless authentication work?

What makes passwordless platforms unique is that authentication credentials are never fixed within the system.

Every time a user sends a request for access, a new authenticating message has to be generated.

This is what occurs, for instance, when a system sends a confirmation link (magic link) to your email address. When you click on the link, it indicates to the server that the user has been verified. A similar process occurs with one-time passwords sent via email or SMS. Once the code is entered, the application confirms it is in fact the one it generated shortly before and delivered to you. This allows the requested session to start.
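The server side of that flow, as an added Python example (not code from this page or from Secret Double Octopus): every access request mints a fresh secret, the server keeps only a hash of it, and a secret is accepted at most once and only within its lifetime. The magic-link token is long enough to be unguessable; the short numeric code a user types is not, so it also gets a per-code attempt budget. Class and method names, the ten-minute lifetime and the five-attempt budget are assumptions made for the example; the injectable clock exists only so the expiry path can be exercised offline.

```python
import hashlib
import secrets
import time


class OneTimeTokenStore:
    """Server-side store for single-use, short-lived login secrets.

    Two flavours are modelled, both generated fresh per request and never
    stored in the clear:
      * a long random token embedded in a magic link;
      * a short numeric code typed by the user, which is guessable and so
        carries a per-code attempt limit.
    """

    def __init__(self, ttl_seconds=600, max_code_attempts=5, clock=time.time):
        self.ttl = ttl_seconds
        self.max_code_attempts = max_code_attempts
        self.clock = clock          # injectable for testing (assumed design choice)
        self._links = {}            # sha256(token) -> (user, expires_at)
        self._codes = {}            # user -> [sha256(code), expires_at, attempts_left]

    @staticmethod
    def _digest(secret_value):
        return hashlib.sha256(secret_value.encode()).hexdigest()

    def issue_link(self, user):
        """Mint a magic-link token; the caller delivers it out of band (e.g. email)."""
        token = secrets.token_urlsafe(32)
        self._links[self._digest(token)] = (user, self.clock() + self.ttl)
        return token

    def redeem_link(self, token):
        """Return the user on success; the token is consumed either way."""
        entry = self._links.pop(self._digest(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        return user if self.clock() <= expires_at else None

    def issue_code(self, user):
        """Mint a six-digit code for the user (e.g. sent by SMS); replaces any older one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[user] = [self._digest(code), self.clock() + self.ttl,
                             self.max_code_attempts]
        return code

    def redeem_code(self, user, code):
        """True only for the current, unexpired code, within the attempt budget."""
        entry = self._codes.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self._codes[user]
            return False
        if secrets.compare_digest(digest, self._digest(code)):
            del self._codes[user]             # single use
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._codes[user]             # burn the code after too many guesses
        return False


def demo():
    """Walk through issue/redeem with a manual clock; returns the observed outcomes."""
    now = [1_000.0]
    store = OneTimeTokenStore(ttl_seconds=600, clock=lambda: now[0])
    link = store.issue_link("alice")
    first = store.redeem_link(link)              # "alice"
    replay = store.redeem_link(link)             # None: already consumed
    stale = store.issue_link("bob")
    now[0] += 601
    expired = store.redeem_link(stale)           # None: past its lifetime
    code = store.issue_code("carol")
    wrong = "000000" if code != "000000" else "999999"
    guessed = store.redeem_code("carol", wrong)  # False, budget now 4
    right = store.redeem_code("carol", code)     # True
    code2 = store.issue_code("dave")
    wrong2 = "000000" if code2 != "000000" else "999999"
    for _ in range(5):
        store.redeem_code("dave", wrong2)        # five misses exhaust the budget
    burned = store.redeem_code("dave", code2)    # False: code was discarded
    return first, replay, expired, guessed, right, burned


if __name__ == "__main__":
    print(demo())
```

Two properties carry the security here: the server never stores the secret itself, so a copy of the store does not yield usable links or codes, and redemption removes the entry, so a link or code captured in transit is worthless once the legitimate user has used it. The delivery channel is a separate question, which is why the page rates SMS below app push.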

Will the move to a passwordless solution be costly to my organization? Does more secure mean more expensive?

One of the most commonly misunderstood points on going passwordless is the cost of implementing such a platform.

This is most often because users look at the expense of an actual platform, without comparing it to the total cost (TCO) of maintaining a password-based scheme.

The truth is, passwordless systems overall can drastically cut IT costs for an enterprise. There is a broad spectrum of costs associated with keeping password-based authentication. These include managing passwords, setting policies and encrypting passwords. Additionally, going passwordless means eliminating helpdesk tickets and password resets, which according to Forrester can run anywhere between $25 and $70 a call.

Will enrollment require IT involvement? If so what type of maintenance will be required from IT?

The degree to which IT will be involved in your passwordless authentication scheme depends on the type of platform you choose.

On-premises solutions usually require on-site hardware and designated servers. This means that the company will be responsible for maintaining these machines and repairing them if need be. Additionally, going with an on-site system may put the onus on company IT to address any malfunction that may arise with the system itself.

Solutions that offer identity as a service (IDaaS), on the other hand, come with their own virtual architecture, eliminating the need for in-house servers. Part of subscribing to these services means the solution provider will address malfunctions and other troubleshooting issues. These benefits will, of course, have to be weighed against monthly or yearly subscription payments and security considerations.

Is passwordless authentication user-friendly? What type of pushback should I expect?

For many companies, the obstacle in front of leaving a password-based system is simply lack of familiarity.
Passwords have been around forever. People know how to use them. Managers often think that moving to a new platform will take a serious toll on user experience and disrupt workflow.

In reality, the overwhelming majority of corporate employees today prefer passwordless technologies specifically because of the ease of use they provide. Solutions such as push notifications, for instance, are revolutionizing authentication by providing not just a substantial increase in security, but also relieving users of the burdens of remembering and securing passwords.

Which is the fastest passwordless solution to implement? (for 500 users)

The vast proliferation of personal smart devices has made passwordless solutions highly scalable, even for large company workforces.

The fastest platforms for an enterprise to switch to will be the ones that harness employee mobile devices and turn them into mobile authenticators.

The passwordless push notification method utilizes Phone-as-a-Token and supports a Bring Your Own Device (BYOD) approach. It has proven cost-effective and better serves cases of legacy software and a remote workforce.

The high penetration rate of smartphones, combined with a passwordless user experience (UX), is making adoption easier and reducing password-related costs, making passwordless push authentication an easy decision for IT professionals from cost, user experience, and security perspectives.

Can a passwordless solution be implemented in a hybrid enterprise (cloud/on-premises)?

Yes. Due to the increase in the integration of on-premises and cloud-based identity management systems, many authentication solutions have adapted themselves to this model.

The Octopus Authenticator integrates fully with network services such as Microsoft’s Active Directory and other cloud platforms, making it a suitable solution for the hybrid enterprise.

Is passwordless authentication an enforceable company policy?

The use of passwordless authentication methods like biometric and facial recognition has become the norm on mobile devices. But many organizations still struggle to deploy the technology on their corporate networks.

Whether you can deploy passwordless authentication on your network depends on the infrastructure that supports it. Fortunately, the developers of the most prominent operating systems and authentication standards acknowledge the need to integrate the option of passwordless authentication into their software. Microsoft recently announced support for passwordless sign-in on both its individual Windows products and networks running Microsoft Active Directory. Users will be able to use FIDO2 keys equipped with fingerprint scanners, or fingerprint scanners integrated into their laptops, to log in to their Microsoft and AD accounts instead of passwords.

Linux has also supported passwordless SSH logins for several years now. Network administrators can configure their servers to use software keys in addition to, or instead of, passwords.

This means that both systems can enforce a policy where users can only login with passwordless authentication technology.

Both directory services on Windows and Linux also support SAML authentication, an open standard that enables network administrators to implement their own authentication mechanism. This means you can integrate a mobile-based out-of-band authentication technology like Secret Double Octopus into your network.

Can I use a passwordless solution with my current SSO?

Single sign on (SSO) authentication is a good way to reduce the authentication attack surface, simplify the management of passwords and provide a better user experience. The idea is to use one service (Google, Microsoft Azure, Active Directory, Amazon AWS…) to sign in to multiple accounts.

However, many organizations would also want to be able to integrate the convenience of SSO with the added security of passwordless authentication. Most prominent SSO technologies are based on SAML, which is flexible on the authentication technology.

Secret Double Octopus provides a passwordless SSO technology based on SAML that organizations can implement into their online services. It also has a passwordless implementation for several popular SSO technologies, including Google’s G-Suite and Amazon’s AWS.

Will I be able to replace “service accounts” with passwordless authentication?

No. In Microsoft Windows, service accounts are accounts that are explicitly used to run services in the background. All versions of Windows come with a few default service accounts such as Local Service, Network Service, and Local System, which have different levels of access to local and network resources. These service accounts are simple to configure and use but are typically shared among multiple applications and services and cannot be managed at a domain level.

Organizations and users that want to customize the security of various services and applications can use Managed Service Accounts like CyberArk, which provide better administration and password management.

You can further enhance the security and ease of use of your Managed Service Accounts by integrating a passwordless authentication technology with your Active Directory (AD) installation. This gives you the flexibility of managed service accounts plus the convenience of passwordless authentication.

Is passwordless authentication compliant with regulatory standards?

In the past years, regulatory bodies have come to understand and acknowledge the weaknesses and security threats associated with the storage and use of passwords. That’s why they’re constantly raising the bar for the minimum requirements of passwords (length, complexity, encryption, change cycles) as well as making it mandatory to add two-factor authentication in many settings.

NIST, the body that sets technology standards in the U.S. and acts as a point of reference for many other countries, requires that in many settings services secure user identities through multi-factor authentication (MFA). This means the service must support at least two of the following:

  • Something you know (passwords)
  • Something you have (mobile device or FIDO key)
  • Something you are (biometric data)

In some settings, such as financial service, the standards body explicitly requires the use of biometric data as one of the authentication factors. This means that a technology such as Secret Double Octopus, which combines out-of-band mobile and biometric authentication, is a good choice to make sure your organization is compliant with security standards and regulations while also using convenient, user-friendly technology.

Can I implement a passwordless solution at the server level?

Both Windows and Linux support passwordless authentication. In a 2018 update to its Active Directory LDAP service, Microsoft added native support for passwordless authentication through FIDO2 keys. This means that with the proper server-level configuration, AD users can walk up to any domain-connected workstation and insert their key to log in to their accounts without making changes at the machine level.

Linux also has native support for software keys, which can replace passwords. When passwordless authentication is implemented on a Linux server, users can remotely log in to their SSH consoles by presenting their software key instead of typing in their password.
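Enforcing the key-only SSH policy mentioned above (and in the earlier answer on enforceable policy) comes down to a handful of `sshd_config` keywords, and a common mistake is to believe the policy holds when it does not: OpenSSH applies the first value it reads for each keyword, so a later `PasswordAuthentication no` does not override an earlier `yes`, and a `Match` block can re-enable password login for particular users. As an added example (not from this page or from Secret Double Octopus), here is a Python auditor that evaluates a configuration the way sshd does and reports anything that still leaves a password path open. The keyword names are real OpenSSH `sshd_config` keywords; the two sample configurations are constructed, and the audit rules and their wording are assumptions for the example.

```python
import re

KEYWORD_RE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*)$")

# ChallengeResponseAuthentication is the deprecated name of KbdInteractiveAuthentication;
# treat both as one setting so an alias does not slip past the audit.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Keywords that open a password path, with sshd's default when the keyword is absent.
PASSWORD_PATHS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}


def parse_sshd_config(text):
    """Return (global_settings, match_settings) with sshd's precedence rules.

    The first value read for a keyword wins; later duplicates are ignored.
    Lines after a Match keyword apply only when its criteria hold and are
    collected separately as (criteria, keyword, value). Comments are dropped.
    """
    global_settings, match_settings = {}, []
    current_match = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        keyword = m.group(1).lower()
        keyword = ALIASES.get(keyword, keyword)
        value = m.group(2).strip().strip('"')
        if keyword == "match":
            current_match = value
            continue
        if current_match is None:
            global_settings.setdefault(keyword, value)
        else:
            match_settings.append((current_match, keyword, value))
    return global_settings, match_settings


def audit_sshd_config(text):
    """Findings against a key-only login policy; an empty list means it holds globally."""
    cfg, overrides = parse_sshd_config(text)
    findings = []
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        findings.append("pubkeyauthentication is off: key-based login would fail")
    for keyword, default in PASSWORD_PATHS.items():
        if cfg.get(keyword, default) == "yes":
            findings.append(f"{keyword} is effectively 'yes' (first value wins; default is yes)")
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("permitrootlogin yes allows root to log in with a password")
    for criteria, keyword, value in overrides:
        if keyword in PASSWORD_PATHS and value == "yes":
            findings.append(f"Match {criteria} re-enables {keyword}")
    return findings


# Constructed sample: looks hardened at a glance, but the first PasswordAuthentication
# line wins, KbdInteractiveAuthentication is left at its default, and a Match block
# re-opens an interactive password prompt for one account.
WEAK_CONFIG = """\
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no        # ignored: sshd already took 'yes' above
Match User legacy-svc
    KbdInteractiveAuthentication yes
"""

# Constructed sample with every password path closed.
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or "OK")
```

Run it against a copy of `/etc/ssh/sshd_config`; it reads the file as sshd would, so it catches the silent precedence case that eyeballing the file misses. It does not follow `Include` directives, so included fragments have to be checked the same way.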

Also, organizations that want to use security solutions like Secret Double Octopus can use the SAML implementation of the technology which integrates with their respective server technology. This enables organizations to use the added benefit and security of Single Sign-On (SSO) and mobile authentication on their networks.