It’s likely been a very long time since you’ve evaluated your user authentication solutions.
After all, it is not every day that businesses are in the market for a new user authentication solution. Some have never used anything other than a simple password to authenticate their users. Others may have deployed a traditional multi-factor authentication solution to address specific security concerns related to authenticating remote access connections or in response to a regulatory requirement for stronger authentication. This short guide provides a current review of modern user authentication approaches.
Verizon’s Data Breach Investigation Report (DBIR) published in 2017 has been somewhat of a watershed moment for perceptions on user authentication. The report made headlines throughout the IT world when it revealed that 81 percent of data breaches were the result of compromised passwords.
This is when many businesses realized that passwords were not solving their security problems and instead causing a lot of them, and when they began to look at alternative authentication options. This is the moment when passwordless authentication went from being a niche alternative pursued by forward thinking businesses to something everyone was talking about.
What is passwordless authentication?
Passwordless authentication defines a class of authentication solutions that verify a user’s identity without use of a password. Proof of identity is based on other factors that uniquely identify the user such as possession of something uniquely associated with the user (e.g. a one-time password generator, a registered mobile device, or a hardware token), or the user’s biometric signature (e.g. fingerprint, faceprint, retinal scan, etc.). Authenticating based on something the user knows (i.e. knowledge-based authentication) is also possible, so long as that something is not a password.
4 types of passwordless authentication methods
Here are a few commonly-used passwordless authentication methods people often choose from:
One-time code sent to a registered mobile device or email address. This is typically deployed by businesses to authenticate their customers (B2C). It is less commonly used for enterprise authentication, i.e. for authenticating employees.
This passwordless authentication method has become the norm for authenticating users to their mobile devices, with popular implementations of the technology in Apple Face ID, and fingerprint authentication ubiquitously available on even the cheapest mobile devices. Biometrics is primarily used to authenticate the user to the device itself and less often to resources that are accessed from the device.
Dedicated hardware security tokens
Dedicated hardware security tokens, typically storing a Public Key Infrastructure (PKI) credential. In recent years, FIDO-compliant devices such as YubiKeys are growing in popularity as a high-assurance user authentication alternative to passwords. These devices offer a good level of security, as they are hard to forge and require physical possession, but they are also rather expensive and cumbersome for users to carry around and use.
Authentication credentials attached to a host device
This credential (i.e. a PKI certificate pinned to a personal computer) is mostly used to authenticate employee workstations to business networks and resources. Here again, FIDO-compliant solutions are gaining popularity, with the most notable example being Microsoft Windows Hello for Business. Windows Hello is available on newer versions of Windows and combines a FIDO compliant credential together with a user PIN or biometric print to unlock access to the credential.
Multi-factor authentication (MFA) vs. passwordless authentication
Combining multiple forms of authentication for identity proofing results in multi-factor authentication (MFA). Historically, MFA was used as a way to improve the security of password-based authentication. Using a password (something you know) together with a dedicated key fob or registered mobile device (something you have) would provide multiple factors of authentication that are harder to phish, crack, or hack, and therefore provide a higher level of assurance.
Today, it is possible to use multiple factors of authentication without passwords as one of the factors, resulting in passwordless MFA. Most commonly used authentication factors for passwordless MFA are the user’s registered mobile device together with a user PIN or fingerprint provided via the device’s built-in fingerprint sensor.
Considerations when evaluating a passwordless authentication solution
So what should an enterprise be looking at when searching for the right authentication solution? There are many considerations when buying a new user authentication solution, but the three most important ones are:
Does the authentication solution support the full breadth of users’ authentication use-cases?
The most fundamental consideration is whether an authentication solution supports the full breadth authentication use-cases encountered by users over the course of their workday. When specific use-cases are not supported, then one of two options are available: leave in place the existing authentication solution – typically simple username and password – or bring in a second authentication solution.
Reverting to usernames and passwords defeats the purpose of investing in a better, more secure authentication solution because it means vulnerable passwords can still be exploited by attackers, leaving the business exposed. It is likened to building a fortified wall around your house and leaving in place a backdoor entry with a padlock.
Acquiring a second authentication solution that can handle the unsupported use-cases means deploying another solution, and more importantly, requiring users to carry around another credential/authenticator. This is an expensive proposition that also delivers an experience that will likely frustrate users.
Supporting the full breadth of user authentication use-cases can add up to quite a few scenarios for a typical enterprise. Common enterprise use-cases include:
Workstation log-on, including Windows and Mac hosts, and in some companies Linux is also an important consideration. This is often the most challenging use-case for many authentication solutions as it requires delicate integrations with operating systems and network domain management solutions.
Remote access VPN has been a staple technology that enables mobile and remote employees to stay connected to their work. There are several technologies in use and a plethora of vendors offering solutions. Fortunately, over the years, a set of standards has emerged to enable straightforward integration with authentication systems.
Access to cloud apps has become mainstream even for the most traditional enterprises. While some standards are in place to facilitate interoperability between enterprise authentication systems and cloud services, they are not all fully baked. Competing standards and frequent revisions to existing standards means that supporting access to cloud services has been a moving target.
Offline authentication has been the achilles heel for many authentication systems in general and multifactor authentication (MFA) in particular. It presents a difficult challenge because most authentication solutions were designed for a connected world. So when the network connection is down or unavailable, and the authenticating server not accessible, then elaborate workarounds are required to ensure that users can continue to authenticate to their computer and locally-hosted resources.
Lost authenticator creates a huge headache, especially when it is a hardware authenticator. Physically shipping a replacement token to a remote employee is costly and time consuming. So to prevent prolonged downtime, software-based recovery solutions were developed for some of the hardware-based MFA solutions.
Generally speaking, a modern enterprise authentication solution has to be an all around player that can handle a wide variety of authentication use-cases. Going for a point solution that addresses specific use-cases well will likely result in the need to deploy multiple authentication solutions, which is expensive and hard on users.
Will the authentication solution work with what you already have in place?
The reality for most enterprises is that they’ve acquired a varied mix of systems and applications over years of investment in IT. Those systems are a reality that needs to be acknowledged and any new authentication solution needs to be able to work with everything that is already in place. A rip-and-replace approach is simply too painful and expensive.
It should therefore be expected that modern authentication solutions be designed to support legacy systems and applications and easily integrate with existing IT investments. Supporting existing user directories (e.g. Active Directory), working with legacy systems, working alongside existing authentication solutions, etc. should all be built into the solution and not something that requires expensive customization and integration projects.
Working with existing authentication solutions such as USB-tokens, OTP-tokens, FIDO authenticators, mobile authenticators, and more should also be required. Many enterprises have invested in strong authentication solutions, which means there are hardly any greenfield opportunities where nothing else is deployed. Thus, working in harmony with existing authentication solutions, simplifying the operations of a heterogeneous authentication environment, and providing a means to gradually retire older solutions and migrate to more modern ones has become an important consideration in and of itself.
Does the solution address requirements from auditors and regulators?
Most enterprises these days operate in regulated industries and are subject to strict demands on data protection and user authentication. Compliance with regulations and industry standards like PCI DSS, DFARS, HIPAA, SOX/GLBA, PSD2, GDPR, etc. is therefore a significant consideration and often the main driver for investing in a new user authentication solution.
Benefits of passwordless authentication
Passwordless authentication is one of those rare cases in life where the new solution is clearly superior, on every aspect. Choosing it does not require making any trade offs or weighing pros and cons. Passwordless authentication offers better security, better user experience and is cheaper to own and operate when compared to password-based authentication solutions.
Enhances the user experience
Passwordless authentication offers better user experience because users don’t need to recall and key-in passwords. This means quicker logons and less failed attempts. And passwords are never forgotten or have to be reset, which means less downtime due to lost or forgotten passwords, and less aggravation.
Improves overall security
Replacing vulnerable passwords with a well-designed passwordless authentication solution actually improves security because passwordless is phishing resistant and offers better protection against other forms of credential access attacks, including man-in-the-middle, keylogging, credential stuffing, password spraying, and others.
It’s cheaper in the long run
Passwordless authentication is cheaper to own and operate when compared to passwords. Passwords require expensive management because they require supporting password management systems to enable users to perform periodic password refreshes and the occasional password reset.
Passwords also create a significant load on helpdesks when users forget their passwords or losing their authenticator and call the helpdesk for assistance in recovery. Further cost savings can be realized by shutting down phishing prevention programs put in place to educate users and protect them from phishing. Well-designed passwordless authentication is phishing-proof.
Challenges with passwordless authentication
The number one challenge for businesses that decide to deploy passwordless authentication is usually their legacy systems and applications that were not designed for passwordless authentication. So while it is easy to buy into the vision of a passwordless workplace, getting there can be daunting when dealing with a heterogeneous IT environment that combines new and dated systems.
One approach is to deploy passwordless authentication only for systems and apps that support it. This generally translates into deployment of passwordless authentication for cloud apps and sometimes also on newer operating systems (i.e. latest versions of Windows 10). But going passwordless is really an all or nothing effort: you either get rid of passwords or you don’t.
So to successfully deploy passwordless authentication for users, it is usually not enough to decide that passwordless is a better, cheaper, more secure option. It is important to choose the technology that will help you deploy passwordless across an existing and heterogeneous IT environment, and address all your authentication use-cases.
Passwordless authentication solution landscape
Almost every authentication solution vendor in-market claims to offer passwordless authentication. The incumbent authentication vendors have adapted their MFA offering to allow some forms of passwordless authentication for some use-cases. The newer authentication players are going all-in on passwordless, targeting customers with modern infrastructure and applications that will work well with passwordless – legacy systems and apps are left behind.
But universally deploying passwordless authentication is still not possible for most enterprises, because there are still plenty of systems and apps that are not designed to work passwordless. Leaving passwords in place for some systems almost defeats the purpose because to benefit from passwordless you really need to get rid of all passwords.
Successful migration to passwordless authentication solution requires a solution that can work across all systems and applications, delivering passwordless authentication where possible and creating a passwordless experience where passwordless is not possible. The benefit of this approach is that from a UX perspective, users don’t have to create, recall or enter a password.
From a security perspective, passwords are either completely removed or simply not known to the users, which makes them phishing-proof. Furthermore, when implementing a passwordless experience, passwords are managed by machines, which means they benefit from high-complexity and frequent rotations, which in turn makes them more resistant to many forms of attacks on passwords.
Shimrit is the CTO and Co-Founder of Secret Double Octopus. She holds an MSc and Ph.D. from the Hebrew University of Jerusalem in Computer Science, researching cryptography technologies and security systems. Shimrit also served as a product consultant for Check Point and Marvell Semiconductor.