tim_ferrill
Contributing Writer

10 passwordless authentication solutions

Feature
Aug 14, 2023 | 9 mins
Multi-factor Authentication, Password Managers, Passwords

Compromised user accounts are often the point of entry bad actors use to invade systems; this is why passwordless adoption is getting more attention. CSO lists 10 players to help CISOs make a decision on what works for their enterprise.

Passwords have long been the standard for authentication in computing systems, but they have proven weak again and again, whether to brute force or dictionary attacks or to compromise through increasingly sophisticated phishing campaigns. Passwordless, one of those buzzwords that leaves no doubt as to the meaning behind the term, is one of the solutions CISOs are looking into. Passwordless authentication offers features that help increase security for users while also easing the burden complex passwords bring to both users and helpdesk staff.

Axiad, a key player in facilitating passwordless authentication in the enterprise, recently published the results of their Passwordless Authentication survey. This survey includes feedback from over 375 respondents representing multiple disciplines and industry verticals in the US and Canada. In key findings from the survey, Axiad notes that 92% of respondents have concerns relating to credential compromise due to phishing or social engineering attacks. Additionally, 82% indicate that moving to passwordless authentication is among the top 5 priorities, and 85% expect to move to passwordless within the next one to two years.

What to know before adopting passwordless authentication

When starting down the road to enabling passwordless in your business, you'll want to become familiar with the FIDO Alliance. FIDO (Fast Identity Online) is a set of standards surrounding passwordless authentication for both consumer and business use cases. The FIDO Alliance governs and contributes to several standards that offer strong security for different use cases, including FIDO2 and passkeys. FIDO's standards feature strong, cryptographically secured authentication with simple and convenient authentication workflows that make life easier on end users. For industries with compliance needs, the FIDO Alliance can help narrow down the correct standards that meet applicable compliance concerns. FIDO further offers industry recommendations on maturing security posture when it comes to authentication, including highlighting areas of risk and planning to mitigate weaknesses.

One of the standards put forward by the FIDO Alliance that has been gaining traction rapidly is that of passkeys. Passkeys have already been adopted by both Apple and Google on their mobile operating systems and have broad support among web browsers as well. Passkeys offer multiple authentication workflows, which can leverage device-bound passkeys or synced passkeys that can be used on multiple devices. The passkey standard shows a lot of promise, and in all likelihood will continue to gain industry support.

For many business use cases passkeys haven't quite reached critical mass in terms of services that support the standard, and administrative tooling around passkey management is still in its infancy. In addition, businesses with anything more than minimal assurance requirements will need to focus on device-bound passkeys, which come with their own limitations, costs, and management requirements.

10 passwordless services for enterprises

Given the fact that compromised credentials are a primary cause of security breaches across all manner of computing systems, passwordless is a compelling solution which solves a number of key information security and credential management problems facing modern businesses. The question then becomes one of implementation and making an educated decision on what services are the best fit for the organization: what features are required for regulatory or practical reasons, and which are simply nice to have.

There are numerous passwordless authentication solutions currently on the market, the majority of which are completely acceptable solutions for locking down authentication to corporate resources. Note that the list of vendors compiled below is not comprehensive: inclusion is not an endorsement, nor should exclusion be interpreted as an indictment against a particular offering.

AuthID Verified Workforce

AuthID Verified Workforce offers several key capabilities surrounding user authentication with a heavy focus on biometric certainty. AuthID's AI-backed biometric matching capabilities go beyond simple biometrics, ensuring the user is live and providing protection against spoofing attempts. AuthID supports the FIDO2 authentication standard, with crypto keys generated and retained on the device, not transmitted or stored in the cloud. AuthID also knows that passwordless authentication is of limited value without it being part of a larger ecosystem of authentication policies, anomaly detection, and monitoring, which is why AuthID offers integration with third-party identity and access management (IAM) tools.

Axiad Cloud

Axiad Cloud is an authentication platform that takes a holistic approach to securing authentication attempts through passwordless orchestration. Axiad Cloud leverages the user's existing IAM suite to facilitate the transition to passwordless, whether that's configuring authentication methods or provisioning new users. Axiad Cloud also offers both an admin portal and an end user portal, empowering security pros to customize authentication workflows and fine-tune how user authentication is evaluated and confirmed.

Beyond Identity

Beyond Identity couples passwordless authentication with continuous risk-based authentication. This means authentication attempts are evaluated based on rich context such as the device being used, the user and their current location, the resource being accessed, and other key factors necessary to evaluating trust. Beyond Identity also uses existing device hardware such as biometrics and Trusted Platform Module (TPM) chips to further secure authentication attempts and cryptographic keys. Beyond Identity supports integration with IAM suites as well as Active Directory Federation Services (ADFS) for passwordless authentication to on-prem apps.

CyberArk Workforce Identity

CyberArk's Workforce Identity product was formerly operated under the Idaptive brand. CyberArk supports all passwordless use cases including endpoint authentication using their deployable software agent. CyberArk also offers an application gateway, a service which facilitates securing authentication to on-prem applications by funneling user traffic through the application gateway to the application, allowing CyberArk to authenticate users prior to the application. CyberArk also offers adaptive authentication capabilities, allowing CyberArk to dynamically choose what authentication factors are appropriate given the context of the authentication attempt.

Duo

Duo is a hugely popular MFA service from networking superpower Cisco. Duo's services make it a strong choice for your business' passwordless journey. Duo supports every authentication use case imaginable, including desktop, web applications, VPN, and remote desktop. Duo offers the tools to bring other key aspects of authentication security to the table as well: contextual risk-based authentication, monitoring authentication attempts, and integrations with effectively every IAM suite on the market.

HYPR

HYPR's authentication platform fully embraces the passkey standard, but only as the starting point for being authenticated. HYPR supports both synced and device-bound passkeys for authentication into your business apps, and further supports passwordless authentication into everything from desktop to remote access solutions. The HYPR Control Center brings an intuitive administration console for managing authenticators across the enterprise and customizing policies relating to both enrollment and authentication. HYPR also utilizes existing IAM infrastructure by supporting integration into identity tools already implemented.

Okta

Okta is one of the big fish in the world of cloud identity and authentication and has a comprehensive set of services to meet all manner of requirements. Okta offers full-featured IAM capabilities, MFA, and all the components necessary to make up a full passwordless solution. Okta also offers incredible flexibility with customizable workflows, fully dynamic authentication policies, and all manner of authentication factors. Okta FastPass enables users to quickly and easily enroll mobile devices as authenticators, and email magic links allow for passwordless authentication to infrequently used applications or when using a guest device. Okta even supports chaining authentication factors together with factor sequencing, a technique that can be paired with authentication policies to require one or more high-assurance authentication factors when the attempt warrants.

Ping Identity

Ping Identity is another industry leader when it comes to identity and authentication, and their full suite of tools covers all aspects of the authentication process. Risk-based authentication policies incorporate all of Ping Identity's threat intelligence and AI-based analysis to leverage the appropriate authentication factors. PingOne DaVinci brings identity orchestration in the form of visual authentication workflows (with templates available to get it running on day one). Finally, Ping Identity doesn't expect you to go passwordless overnight; rather, they encourage you to make progress on securing authentication attempts incrementally, as it makes sense.

Secret Double Octopus

Secret Double Octopus certainly earns any extra credit due for concocting an incredible company name. The Israeli company has a focus on MFA and passwordless, and has the capabilities to enable passwordless at scale across all key use cases with minimal change to existing infrastructure. Secret Double Octopus even supports passwordless authentication to RDP and SSH, on-prem legacy apps, and other less common use cases. Even air-gapped networks are fair game, as Secret Double Octopus supports passwordless authentication in network environments that are completely offline with no connectivity to the cloud.

Yubico

We would be remiss if we left Yubico and their YubiKey hardware tokens off this list. YubiKeys are a de facto standard when it comes to hardware authentication tokens, and support for YubiKeys is a listed feature of most of the solutions on this list. YubiKeys come in a variety of form factors, offering connectivity to computers and mobile devices using standards such as USB-A, USB-C, and NFC. Yubico also offers services for businesses looking to deploy and manage hardware tokens in bulk, which becomes critical when leveraging the little devices as keys to your accounts.