The Tuesday LinkedIn poll for 20th September 2022 focused on the growing rise of password-free authentication. As end users we hate passwords. As application owners we hate storing passwords. As CISOs we hate having to apply controls to reduce the impact of a password breach – note the focus on reducing impact, as password breaches seem to be a fairly frequent occurrence if you look at the likes of Have I Been Pwned.
In the last 3 years or so, we have seen huge interest in the need to improve authentication techniques that either deliver a passwordless MFA experience, or actually deliver a passwordless MFA solution. There is certainly some nuance between solutions that look like no shared secrets or passwords are involved (because they are masked, continually rotated via automation, or simply not used during the login flow) and those solutions where no passwords need to be maintained at all – which may actually be quite rare. Passwords are often still needed during initial registration or perhaps during credential reset.
So we have the technology available. See the likes of Transmit Security, 1Kosmos, HYPR, Secret Double Octopus, Beyond Identity, Sift/Keyless, Keyri and tru.id amongst others – a few of which are tracked in our Signals Tracker for Passwordless.
So what are these vendors seeking to deliver? Let’s break this down into the “why” (the problem they’re solving) and the “how” (the solution they bring to the table).
The Why – a few items to consider here, namely the migration from passwords, but also from existing MFA modalities. Modalities such as SMS OTP, email based OTP, push and app notifications, and some legacy approaches to MFA such as proprietary biometrics or application specific hardware. These approaches are typically less secure and less usable than more modern alternatives. These existing approaches are likely in use in both the B2E (productivity and cost reduction) and B2C (revenue, trust, usability) spaces, making the addressable market for passwordless pretty large.
The How – so most vendors seem to leverage the mobile phone – either with an app, or an app-less QR-code based approach to trigger authentication. Typically a public/private key pair generation process exists and the subsequent login is based on challenge response. Some deliver this in a proprietary way, others leverage standards such as FIDO2/WebAuthn. The private key gets stored securely on the mobile (think TEE or secure element). To access the private key to complete a login, most of the apps will not open until a local biometric (face/fingerprint) authentication has taken place. This bio-template typically stays local to the device – albeit the likes of 1Kosmos and Keyless offer different storage approaches here, away from the device.
There are a lot more subtle capabilities starting to emerge that power vendor differentiation. For this we need to think about the events before and after authentication.
Before Authentication – so before the login occurs, credentials need to be created and issued, and other use cases come into play, such as the level of identity proofing that is needed before that issuance takes place. What contextual checks take place on the device? Is this driven by policy? These “pre-auth” checks help to establish the IAL (identity assurance level in NIST parlance), and validate and verify the presented biometric identity data and how that data is being provided.
After Authentication – another extension of the passwordless play is essentially what happens after login. What systems are reliant on the authentication event? What information do they need? What events – high risk, high volume, fraud relevant transactions – may be triggering this login event? This is really about coverage – how many systems can be integrated against the passwordless solution and what processes can be improved by this integration? Does that also extend to physical door/gate access?
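As an added illustration of the key-pair-plus-challenge-response pattern described above (example code written for this post, not any vendor's implementation and not FIDO2/WebAuthn itself), the following Go sketch models a device that keeps the private key and a server that only ever holds the public key plus a one-time challenge. The user names and the "biometric OK" flag are assumptions standing in for real enrolment and the local face/fingerprint check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Device stands in for the phone app: priv never leaves it (the TEE/secure
// element in practice) and is usable only after a local biometric unlock.
type Device struct{ priv ed25519.PrivateKey }

// Server stores only public keys and one outstanding challenge per user.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Register generates the key pair on the device and enrols only the public half.
func (d *Device) Register(s *Server, userID string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand assumed reliable
	d.priv, s.pubKeys[userID] = priv, pub
}

// IssueChallenge returns a fresh 32-byte nonce, remembered for a single use.
func (s *Server) IssueChallenge(userID string) []byte {
	c := make([]byte, 32)
	rand.Read(c)
	s.challenges[userID] = c
	return c
}

// Sign answers the challenge; biometricOK is the result of the local face or
// fingerprint check (simulated by the caller here). A locked key returns nil.
func (d *Device) Sign(challenge []byte, biometricOK bool) []byte {
	if !biometricOK || d.priv == nil {
		return nil
	}
	return ed25519.Sign(d.priv, challenge)
}

// Verify checks the response against the enrolled public key and consumes the
// challenge whatever the outcome, so a replayed response fails.
func (s *Server) Verify(userID string, sig []byte) bool {
	c, issued := s.challenges[userID]
	pub, enrolled := s.pubKeys[userID]
	delete(s.challenges, userID)
	return issued && enrolled && ed25519.Verify(pub, c, sig)
}
```

The server never sees a secret it could leak in a breach, and the single-use challenge is what stops a captured response being replayed.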
What is Stopping Adoption?
So back to the highly scientific poll that ran from 20 – 27 September. The question asked was “What is stopping your organisation from moving to passwordless authentication?”
So the overwhelming response was a lack of coverage and integration options from the passwordless vendor. This seems quite sensible and obvious on analysis, but my initial thought would be one of FUD – that is, many buy-side decision makers simply see the myriad of providers as not being secure enough. Perhaps that was the case 3-4 years ago. Today it seems buyers want, and quite rightly need, good value. They want to see passwordless not just as another MFA option, but the MFA option.
David Mahdi and I discussed the mid-week poll results in E10 of “The Week in Identity” podcast. Organisations are already facing huge silos of identity data. They can’t afford another solution to feed and water if that means an existing solution cannot be retired or consolidated. And that consolidation process, by design, requires that any new solution has long and wide ranging tentacles into the existing systems landscape – e.g. cloud, SaaS, legacy, on-premises, APIs, web sites, consumer facing, employee facing and so on.
Vendors who can only provide passwordless capabilities for a narrow window of systems are likely to see limited adoption. If new processes are needed for credential enrolment and reset, it follows that the passwordless MFA component must work against a wide range of systems.
How Can Vendors Solve It?
So how can vendors achieve this broad coverage? I guess firstly, integrate with existing identity providers – i.e. the middleware SSO and session management players like ForgeRock, Ping Identity and Okta, as well as the old guard such as IBM and CA/Broadcom. Either via standards (see OIDC, SAML) or simple REST APIs, that provide a many-to-one integration pattern between the passwordless vendor and the application integration layer. APIs and SDKs in general allow coverage of a further group of applications which may, for whatever reason, not be part of the IdP landscape.
Another concept to think about is desktop to cloud. B2E users – whilst not necessarily logging in from an office due to Covid-19 – may well be logging into a Windows desktop. Starting the passwordless process there and continuing through to cloud and SaaS systems would surely account for a good 80% of end user system interactions for the small to medium sized enterprise.
Migration approaches – either tooling, toolkits (see the podcast above about auth design and assessment) or best practices to support migration from known legacy MFA components – also improve confidence in the buy-side decision maker that they can get to a passwordless future relatively rapidly, without huge cost and application redesign.
We all hate passwords. We have the tools to potentially rid ourselves of passwords. Yet there are still some big obstacles. Passwords are “free” at the point of consumption – the cost of poor user experience and data breaches just comes much later. If a vendor will (and should) charge large sums for modern and secure passwordless technology, it seems the ability to deploy that technology to a broad array of systems is key to getting the ball rolling towards a password-free world.
About the Author
Simon Moffatt is Founder & Analyst at The Cyber Hut. He is a published author with over 20 years’ experience within the cyber and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He has a Post Graduate Diploma in Information Security, is a Fellow of the Chartered Institute of Information Security and is a CISSP, CCSP, CEH and CISA. His 2022 research diary focuses upon “Next Generation Authorization Technology” and “Identity for The Hybrid Cloud”.