From Passwords to Passwordless: A Primer
Posted by: Terry Garbo
Published 3/3/22, 4:00pm
For years, passwords have been a vital, yet somewhat cumbersome, necessity to ensure the security of a network, a computer, or even your bank accounts. And with each new device, service, or application comes complexity. Different sites and applications have unique requirements for password length, special characters, numbers, etc., but remembering each of these unique passwords (you do use a different one for each application, don’t you?) can be a real challenge. However, with the advent of Apple Touch ID and Face ID, and Microsoft’s Hello Authentication, passwords are slowly becoming a thing of the past.
What exactly is “going passwordless”? It’s simply verifying someone’s identity without the use of a traditional password. Instead, this technology leverages more secure methods such as fingerprints, facial recognition, unique PINs, or one-time codes to positively validate a user’s identity. You are likely using this type of technology now if you are using an Apple iPhone or iPad, or a Microsoft device leveraging Windows Hello.
Some advantages of going passwordless include:
- more secure logon
- the end of constantly updating and trying to remember a traditional password
- reduced attack vectors (like storing your “new” password on a sticky note under your keyboard)
It’s an unfortunate fact that passwords are compromised every day. People recycle the same password on multiple sites, use easily guessable passwords that only just meet requirements, or–horror of horrors–system default passwords are simply not changed. How then do we get to a “passwordless nirvana”? One that makes life easier for end-users but maintains and enhances the security of devices and networks? Please read on.
Numerous vendors have methods to get to a passwordless state, but at the very heart of any solution is the requirement to build on a foundation of Multi-Factor Authentication (MFA).
MFA is defined as having at least two out of three categories of factors: knowledge, possession, and inherence. For example, I have an RSA token, and I know the corresponding PIN. Under MFA, this is something I possess (the token) and something I know (the PIN). To almost anyone in cybersecurity, this is a well-recognized setup. But there is another factor that doesn’t get nearly as much attention: inherence factors, or what can be called “implicit categories.” Loosely defined, these are the factors that the user is. These can be factors like genetic baselines such as retinal data or fingerprints, but they can also be factors that the end-users won’t see but will nevertheless affect the decision to allow or deny access. For instance, if the login attempt comes from a new device or location, that would be an implicit factor based on the user’s profile in your access system. In this case, we want to strengthen the security to ensure it’s a user or computer with a valid need to log on.
As we discuss this, it’s essential to remember that MFA and passwordless authentication are not one and the same. The easy way to keep things straight is that MFA is used as an additional layer of security on top of password-based authentication. A passwordless authentication doesn’t need or require a memorized secret (like a PIN, phrase, or code), and typically one secure factor will be used to authenticate an identity. This all means a faster, easier, and more secure login process for the end-user.
Identifying the need to go passwordless should be tailored to the risk in your environment. For example, low-risk activities–such as logging onto “normal” workstations–are prime targets for passwordless authentication, while higher-risk items (file servers and the like) should require stronger authentication methods or a combination of techniques to maintain the necessary level of security.
As with anything in IT, one finds many protocols, applications, and acronyms when embarking on the passwordless journey. I’ve listed a few of the more common, vendor-neutral standards below and have purposely left out any vendor-specific terminology, but you can always reach out to GuidePoint if you have questions or need more information.
Fast Identity Online 2: Known by its acronym, FIDO2, this is a set of cryptographic logon credentials standards and specifications that enable any user to use “common devices to easily authenticate to online services in both mobile and desktop environments.” Google, Microsoft, Okta, Duo and other security providers build their products to meet FIDO2’s standards.
WebAuthn: this is a web standard published by the W3C, and is a core component of FIDO2. WebAuthn is an API that allows servers to register and authenticate users with a public key. WebAuthn secures user authentication by using a registered device (phone, laptop, tablet) as a secure factor. Currently, WebAuthn is the only factor that is phishing-proof.
Client to Authenticator Protocol (CTAP): CTAP enables external devices such as mobile handsets or FIDO security keys to both work with browsers that support WebAuthn, and to serve as authenticators for desktop applications and web services.
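The WebAuthn paragraph above says the standard authenticates users with a public key and resists phishing. The reason is that the authenticator signs over data that binds the assertion to the site's origin and Relying Party ID, and the server (the relying party) must check that binding. The following is an added example, not code from the original post or from any vendor product: a minimal relying-party check over a constructed assertion, using only the Python standard library. The RP ID `example.com`, the challenge value, and the authenticator data are all constructed for illustration; the final ECDSA signature check over the returned payload with the registered public key is assumed to be done separately with a cryptography library.

```python
import base64
import hashlib
import json
import struct

RP_ID = "example.com"                    # constructed relying party ID
EXPECTED_ORIGIN = "https://example.com"  # origin the browser must report
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed per-login challenge

def b64url_decode(s: str) -> bytes:
    """Decode base64url (WebAuthn omits padding)."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str) -> str:
    """Build a clientDataJSON as the browser would, for the given origin (constructed)."""
    data = {"type": "webauthn.get", "challenge": CHALLENGE, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()

# authenticatorData = rpIdHash (32) || flags (1) || signCount (4, big-endian)
# flags 0x05 = user present (UP) + user verified (UV); counter 42 (constructed)
SAMPLE_AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + struct.pack(">I", 42)

def verify_assertion_binding(client_data_b64: str, auth_data: bytes,
                             last_sign_count: int) -> bytes:
    """Relying-party checks that make WebAuthn phishing-resistant.
    Returns the bytes the authenticator signed (authData || SHA-256(clientDataJSON))
    so the caller can verify the signature with the stored public key; raises on failure."""
    client_data_json = b64url_decode(client_data_b64)
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if client_data.get("challenge") != CHALLENGE:
        raise ValueError("challenge mismatch (stale or replayed assertion)")
    # A look-alike site gets a clientDataJSON with its own origin, so this fails
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin mismatch: {client_data.get('origin')}")
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    # The credential is scoped to the RP ID; a different RP ID gives a different hash
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not flags & 0x01:
        raise ValueError("user presence flag not set")
    if (sign_count or last_sign_count) and sign_count <= last_sign_count:
        raise ValueError("signature counter did not increase (possible cloned authenticator)")
    return auth_data + hashlib.sha256(client_data_json).digest()
```

Running the same assertion with a client data origin of `https://example-login.com` raises the origin error, which is the check a password form never gets to make.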
With the availability of standards such as FIDO2 and WebAuthn, and mobile authentication applications that support biometrics, the time is right to start the transition to passwordless, and the professionals at GuidePoint Security can make this a reality.
The move to a passwordless state does not have to be complicated. But as with any endeavor, proper planning is necessary to ensure a successful outcome, balancing the ease of use features desired by the end-users with the security requirements that organizations demand.
Terry A. Garbo, CISSP
Senior Identity Governance Architect,
GuidePoint Security
Terry Garbo is a Senior Identity Governance Architect at GuidePoint Security. With over 20 years of experience, he has worked with Fortune 500 companies, the banking industry, and the Federal Government. In his current position, he designs, configures, and ensures successful delivery for his customers.
Terry is certified in SailPoint, Okta, Cyberark, Azure, AWS and also possesses his CISSP, and two SANS certifications.
Terry lives with his family and motorcycle in central Pennsylvania.