Over the past several years, experts have recognized that perhaps the best password strategy for your application logins is to have no password at all, an approach commonly labeled “passwordless.” The label is a bit of a misnomer, as you’ll see as we investigate the commercial options. The passwordless concept has seen various innovations, including Windows 10 Hello and Okta Verify. Vendors such as SecretDoubleOctopus, Auth0 and HYPR have their own solutions.
Reasons to try a passwordless approach
Let’s step back and understand the benefits of passwordless. Are you trying to truly eliminate passwords for all (or some subset) of your users, or just reduce their penchant for duplicating memorable passwords across multiple logins? Do you currently use hardware keys such as RSA SecurID and want something more convenient? Are you trying to boost multi-factor authentication (MFA) usage to better protect your logins?
These are all good reasons to examine passwordless options. The devil is in the details, though. For example, not every application supports every passwordless option, or even many MFA options. If you have deployed your own custom apps, your developers will need to add these methods or make use of a software development kit that can make the job easier. (Both Auth0 and HYPR have tools to help with your own apps, for example.)
If you have deployed a single sign-on (SSO) product or use an enterprise-wide password manager, you probably should continue to use these tools in combination with one of the passwordless methods to make them more palatable for your users. If you don’t have a solid identity management system in place, check out what RSA, OneLogin and Okta have to offer here and what it would take to implement one of them – all three have made efforts towards passwordless or at least better MFA integration with their tools. Or consider using Auth0’s SSO and start with their passwordless options firmly in mind.
How passwordless methods work
Passwordless approaches fall into several different methods: device fingerprinting (a combination of firmware and software), biometrics, and support for the latest FIDO (Fast IDentity Online) Alliance standards. Each approach still involves MFA, but without having to type in a one-time PIN. That is the point: you still need something else to complete the authentication dialogue. That means a trade-off, and it could require significant user retraining to deploy across your corporation.
Biometric passwordless methods
Since most smartphones now come with fingerprint readers, using fingerprints (or facial recognition on the latest phones) as another MFA method has become popular. The major authentication smartphone apps, including Authy, LastPass and Dashlane, have implemented support for fingerprints or Apple’s Face ID and Touch ID authentication. This is perhaps the easiest way to move toward passwordless, provided your users are comfortable with one of these apps.
On the downside, setting the added biometric authentication requirement for each of your corporate apps can be a support nightmare, and there is no way to ease into this situation if users haven’t had any experience with the smartphone authentication apps. The better alternative might be to start with the smartphone authenticators until there is better biometric integration with your SSO or identity management provider.
Device fingerprinting
According to one whitepaper, the security of the passwordless approach “can be achieved in any number of different ways by leveraging public-key cryptography, which uses a public key that may be shared with anyone safely, and a private key that stays on the local device so that—unlike a password—it isn’t susceptible to eavesdropping attacks.” In that respect, passwordless isn’t much different from the split key methods that have been in use for decades and is akin to how most encryption routines work for the basic internet protocols.
Probably the best way to do this is by incorporating some piece of firmware, either embedded in your existing smartphone or with another fob-like device, that carries with it a unique code that can substitute for your password. The most recent adherent to the passwordless world is from SSO vendor Okta, which announced its Verify MFA app. This will eventually include device fingerprinting to make it passwordless.
Going with Okta is a big commitment and will require significant implementation work, and if you are using another SSO tool it probably isn’t enough of a reason to switch right now. However, Okta has one of the wider collections of supported corporate SaaS applications, which will make it easier to roll out than some of the other fingerprinting technologies that are still very much in their infancy.
A second option is the open-source Tidas project. It began in 2016 but hasn’t really taken off. It uses the private encryption keys inside the more recent iPhones (no Android support has been created yet) to sign and encrypt your data. The logins are handled by the software development kit, so users don’t have to construct any passwords and just use their finger to press the Touch ID button on the phone (or on the main screen itself).
A third choice is Iovation, which credit agency TransUnion has purchased and markets under its ClearKey product and its adaptive authentication tool LaunchKey. It registers the physical smartphone using its firmware fingerprint as an additional authentication factor.
Finally, Trusona has an interesting approach. When you sign up for its service, they send you via courier a device that fits on the end of your smartphone and looks like a Square-style payment-card reader. Instead, this device (and the chain of custody tracking its delivery from their factory to your hands) associates your credit card or other magnetic-stripe items with your identity. In essence, it is another form of hardware MFA security token, like the Google Titan and RSA SecurID. Rolling this out across an enterprise might take some effort.
FIDO2
The idea behind FIDO is to have a set of standards so that you can use the same authentication method – whether it be a hardware one-time fob or the firmware in your phone – across all your enterprise applications. FIDO’s traction has been slower than anticipated, but it is now implemented by enough vendors to make it useful. The latest spec, FIDO2, has hundreds of supporters – including security vendors, major banks and other large IT organizations – and is now supported by Microsoft, Google, Apple and others.
If you have been reluctant to dip your toe into the FIDO waters, now might be a good time to get its software tools and experiment with a pilot project to test the implementation. The two most visible FIDO2 instances are Google’s Titan and Yubico’s YubiKey security keys. Unlike the RSA SecurID fobs of yore, there are no PINs to transfer. You merely press an embedded button on the key to indicate your acceptance during the login dialogue. The keys are available in various form factors, with different generations of USB connectors and via Bluetooth.