Microsoft’s recent move to offer passwordless authentication for consumer accounts elicited sighs of relief from security experts everywhere. Passwords rank among the most significant security risks facing individuals and businesses. A recent survey found that 65% of people reuse passwords across accounts and 45% hadn’t changed their passwords in the past year, even after a breach. With credential stuffing and password spraying attacks simple and inexpensive to mount, passwords are the equivalent of locking a door but leaving the key under the mat.
Many multi-factor authentication (MFA) solutions simply add another compromisable authentication factor on top of a password. Attackers can use methods such as phishing, man-in-the-middle (MitM) or push attacks to seize accounts and gain access to entire systems. Some “passwordless” authentication solutions, despite their name, fall into this category. That’s why recent MFA directives and best-practice guidelines aim to move authentication to secure, phishing-resistant methods of proving identity.
Aside from their security failings, some passwordless authentication solutions are overly complicated and frustrate users. Others create integration headaches for IT teams or do not scale to business needs. Here we look at the big questions you need to ask any potential vendor about their passwordless authentication solution.
1. Does It Use Passwords?
This should be obvious, but many so-called passwordless providers offer a passwordless “experience” rather than a truly passwordless product. They may use biometric convenience features such as Touch ID or Face ID in the user interface, but these simply unlock a stored password that is then sent for authentication. Other solutions send a one-time password (OTP) by SMS or email as part of their MFA flow. By definition, an OTP is still a password, and like all other passwords it is vulnerable to the same phishing and interception threats.
Though authentication via public key infrastructure (PKI) has long been regarded as the most secure method, the availability of business- and user-friendly PKI-based solutions is relatively recent. Make sure that the passwordless authentication solution you choose leverages robust cryptography and does not use insecure modes of authentication such as passwords, OTPs or SMS tokens at any point in the login flow.
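As an added example (not HYPR’s code and not the FIDO specification’s exact message format), the following Go program models why a public-key assertion over a challenge bound to the origin resists the phishing and interception that defeat OTPs: the relying party rejects an assertion signed for a lookalike origin and an assertion replayed against a later challenge. The origins and the key are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hash of a 32-byte challenge followed by the origin the client connected to; signing this binding is what gives phishing resistance.
func signedMessage(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), origin...))
	return h[:]
}

// Sign runs on the authenticator; the private key never leaves the device.
func Sign(priv *ecdsa.PrivateKey, challenge []byte, seenOrigin string) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(challenge, seenOrigin))
	if err != nil { panic(err) } // only on RNG failure
	return sig
}

// Verify runs on the relying party: the asserted origin must match the registration,
// then the signature must verify under the registered key over the challenge we issued.
func Verify(pub *ecdsa.PublicKey, regOrigin string, issued []byte, origin string, sig []byte) error {
	if origin != regOrigin {
		return fmt.Errorf("origin %q is not the registered %q", origin, regOrigin)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(issued, origin), sig) {
		return fmt.Errorf("signature invalid: wrong key, or replayed against another challenge")
	}
	return nil
}

// Scenario registers one constructed key, then tries a legitimate login, a phishing relay from a lookalike origin, and a replay.
func Scenario() (legit, phished, replayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	const real, fake = "https://login.example.com", "https://login-example.com" // constructed sample origins
	ch1, ch2 := make([]byte, 32), make([]byte, 32) // two consecutive server-issued challenges
	rand.Read(ch1)
	rand.Read(ch2)
	legit = Verify(&priv.PublicKey, real, ch1, real, Sign(priv, ch1, real))
	// Relay: genuine ch1 forwarded via a lookalike page; the authenticator signs the origin the client saw, so the server rejects it.
	phished = Verify(&priv.PublicKey, real, ch1, fake, Sign(priv, ch1, fake))
	replayed = Verify(&priv.PublicKey, real, ch2, real, Sign(priv, ch1, real)) // ch1 assertion presented against ch2
	return legit, phished, replayed
}
```

Compare with an OTP: a relayed or intercepted code carries no origin and is accepted by the server regardless of which page the user typed it into.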
2. Does It Provide Passwordless MFA for Desktop Login?
Secure application login is important; however, the initial authentication point for most of your workforce is the laptop, desktop or workstation itself. If the passwordless authentication solution you use only works for applications, you are leaving open a critical security gap for your workforce. Moreover, with regulatory obligations, such as the Executive Order on Improving the Nation’s Cybersecurity, and cyber insurers insisting on MFA deployment to obtain coverage, desktop authentication is now one of your legal and business imperatives.
Your passwordless authentication solution should offer several secure authentication options for your workforce’s desktops, ideally with the same user login experience as for apps. In addition, a secure offline authentication capability is needed for when employees are traveling or otherwise unable to connect to the internet.
3. Is It FIDO-Certified from End-to-End?
Fast Identity Online (FIDO) is a set of open standards for improving cybersecurity by reducing the reliance on passwords. The Cybersecurity & Infrastructure Security Agency (CISA) considers it the gold standard for MFA.
Being FIDO® Certified means deploying public key cryptography for authentication and adhering to usability and interoperability standards to aid user adoption and ensure compatibility with other FIDO-certified products.
Some vendors make marketing claims that they’re FIDO compliant or support FIDO, which does not guarantee the same security, usability and interoperability as FIDO certification. It’s also possible for a provider to have FIDO certification for its validation server but a non-certified authenticator. This means that their server can accept external FIDO Certified authenticators, but that the solution’s own client does not meet FIDO standards.
The FIDO standards align with guidance from NIST (SP 800-63B), the FFIEC, the OMB and other cybersecurity guidance and regulations, as well as PSD2 Strong Customer Authentication requirements. Using a fully FIDO Certified solution means built-in compliance.
To determine a passwordless authentication solution’s certification status, you can check FIDO’s registry of Certified technologies.
4. Is It Interoperable with Your Identity Provider?
Identity providers (IdPs) such as Okta and Azure AD are essential for maintaining system security, especially for businesses with a distributed workforce. With the huge shift to work-from-home in recent years, the increased attack surface of users logging in from insecure environments or shared devices threatens the integrity of entire networks. IdPs harden those potential attack vectors, so a passwordless authentication solution must integrate with whichever IdP you are using.
Many “passwordless” solutions either work only with specific IdPs or use their product to lock organizations into their own IdP. We recommend that authentication be decoupled from your identity provider. Whichever passwordless authentication solution you use, it should integrate with all the major identity providers and support open standards (such as SAML or OIDC) so that it can easily integrate with the SSO service of your choice.
5. Is It Easy to Integrate and Deploy?
A big obstacle to replacing outdated password-based authentication systems is the potential difficulty and disruption of deploying a new technology. This needn’t be the case, however. A passwordless authentication solution that follows a standards-based approach should be trivial to integrate with your current SSO providers. In addition, solutions that provide a robust SDK let development teams easily integrate with custom or legacy applications not connected to your SSO. If regulatory obligations such as PSD2 Strong Customer Authentication (SCA) affect your business, make sure that the solution’s SDKs include built-in security controls and functions to help you meet them.
6. How Is the User Experience?
User comfort with any security system plays a key role in its successful adoption and makes it much less likely that people will seek workarounds for the sake of expediency or ease. Unfortunately, many passwordless authentication solutions focus on the security aspect and forget about the user experience. If your passwordless solution takes longer than typing in a password, your organization will struggle with adoption.
Solution providers need to make the authentication experience fast, intuitive and convenient, and to account for user preferences across demographics, verticals and industries. A sound passwordless authentication solution should also provide alternatives for those who can’t or won’t use biometrics.
Besides pleasing your users, an effective, fast authentication solution delivers better ROI through improved productivity and saved IT and support time.
7. How Are Private Keys Stored on Devices?
A passwordless authentication solution can still be vulnerable to device-side attacks by hackers, even if it uses public key cryptography. Malware, side-channel attacks and reverse engineering are among the many techniques available to attackers who want to steal the private keys of a cryptographic system. To ensure key safety on mobile devices, authentication systems should use hardware-based security, such as ARM’s TrustZone technology, Android’s Trusted Execution Environments, the iOS Secure Enclave or Samsung Knox, to store keys and perform cryptographic operations.
True Passwordless MFA
Deploying an effective passwordless authentication solution is critical for regulatory compliance, winning procurement tenders and lowering cyber insurance costs. However, many vendors claiming to offer such a solution merely offer a passwordless “experience” or subpar security. On top of that, solutions often prove difficult to integrate with current IdPs or make adoption unlikely with poor or convoluted interfaces.
HYPR provides True Passwordless™ MFA that turns an ordinary smartphone into a PKI-backed security key for a frictionless, familiar authentication experience. As a fully FIDO-certified authentication system, we are committed to improving security and system interoperability while putting the needs of your workforce and customers at the forefront.