The Move to Passwordless Authentication
There’s been a big move to passwordless authentication in recent years. After all, large scale data breaches are occurring on a weekly basis — and data breaches are just one way security breaches manifest themselves. Compromised credentials are, by and large, the hardest problem to identify and fix. Take a look at this chart from IBM’s Cost of a Data Breach Report 2021:
On average, it takes almost a year for an organization to identify and contain a compromised credential breach. Hackers could have your CEO’s password right now and your organization wouldn’t know for another three fiscal quarters. That is, assuming your organization ever finds out.
So, organizations are contemplating a move to a passwordless security model. Your organization has questions and we have answers, no password required. Spoiler alert: just having passwords alone is bad — but keep reading to understand why and what options your organization can implement to make the shift.
In this blog post we’ll cover the following questions:
- Is a passwordless security model a good idea for organizations to implement?
- What technologies should organizations consider before making the shift?
- What else do organizations need to consider before moving to a passwordless security model?
- What are the best practices for easy adoption?
Is a passwordless security model a good idea for organizations to implement?
You can absolutely keep your password security model, just understand the risks associated with it.
That being said, passwordless security models will become more prevalent in the future. Many companies, Apple included, are trying to make the adoption of passwordless authentication easier using the WebAuthn standard.
A quick primer — authentication types can be categorized into the following:
- Knowledge, also defined as “something you know” (e.g.: passwords, login credentials)
- Ownership, usually implemented as “something you have” (e.g.: your phone, a security key)
- Inherence, often used as “something you are” (e.g.: FaceID, fingerprint)
Satisfactory confirmation of one or more of these factors is how security systems authenticate an entity. The system replacing a password-based authentication system will probably rely on a combination of the other two factors (known as multi-factor authentication, MFA). Keep in mind that while involving more authentication factors generally does mean stronger security, the tradeoff is that you are also introducing more friction and annoyance for your end users.
The intent behind shifting away from a password-centric authentication method is simple: the password, or “something you know,” is simply a suboptimal authentication system for the modern era. Passwords can be guessed, brute-forced, or phished by bad actors, not to mention simply forgotten by their intended holders.
The very factors that make a password strong and secure are also contributing factors to making a password hard to remember — a direct trade-off with no winning solution.
Additionally, most modern hacking and phishing attempts by bad actors operate under the assumption of the password security model. By shifting to a passwordless security model, an organization immediately gains resiliency from many methods employed by bad actors. After all, there’s no longer a password to phish for.
What technologies should organizations consider before making the shift?
When replacing the legacy password system, organizations should understand what they’re replacing it with. The replacement system needs to be easy for the organization as a whole to adopt, so evaluate technology with that in mind.
Ideally, use open-standard and open-source tools like WebAuthn and Pomerium. Any tool that requires no installable client from the end users is ideal because it removes one of the primary sources of friction, and technologies built into the browser like WebAuthn don’t require the end users to download, install, or maintain any new software.
WebAuthn is particularly powerful because it falls under the “something you have” authentication model using a hardware-based enclave system. This system includes the following attractive security properties:
- It cannot be cloned
- The secret cannot be leaked
- It is an open-standard which can be utilized by open-source tools such as Pomerium
Of course, there is no perfect system. By shifting to a “something you have” security model such as a Yubikey or phone, there is no password to forget or be phished — but there is now an item to leave behind. Because of how the new system will operate, forgetful users who leave their authentication object elsewhere will find themselves unable to access a system. Additionally, while end users are protected from phishing attempts, the authenticator itself can now be physically stolen (though that is another security matter entirely).
If the organization shifts to the “something you are” security model, please remember that this comes with its own host of problems: retinas, fingerprints, even faces can change over time or as a result of injury. Finally, there is the difficult problem of software bias against minorities or even the complication of identical twins.
Where possible, combine multiple passwordless methods of authentication (e.g. biometrics and a Yubikey) to better limit possible attack vectors. Whatever system you evaluate, ask the following questions about it:
- How does it work?
- Why does it work?
- Who audits that it works?
- What happens if the security provider is compromised?
- Ultimately: how much can you really trust that system and its provider?
This is where open source shines, because nothing is hidden and everything can be audited. Organizations can verify all of the above and deploy open-source solutions on top of their own infrastructure, insulating themselves from third-party mishaps.
What else do organizations need to consider before moving to a passwordless security model?
The overall goal is a security measure that discourages all attempts because it is simply no longer worth it for bad actors to try.
Once an organization has determined they will make the shift, that organization will need to consider the security assumptions and tradeoffs of a passwordless security model, how it will be adopted within the organization, and how that will affect the organization’s operations during the adoption period.
Touching upon all three of these is end-user behavior, which needs to be considered from the outset and will be the biggest factor in a successful implementation of a passwordless system:
- The security design must make sense for the organization’s overarching needs and work for the end users.
- The adoption process must not overwhelm end users, at any level of technical knowledge, or result in undesired user behavior.
- The pain of transition must be limited in scope for the organization’s operational bandwidth to stay efficient and productive.
There is never a perfect solution, only a better one given your circumstances. When you adopt a new security model, know that it will remove some sources of user frustration and avenues for mistakes while creating new ones.
What are the best practices for easy adoption?
Organizations should design and plan around the users instead of forcing them to adapt. Security should go with the flow and never against it, or your users themselves will start looking for ways to circumvent your own system.
First, take an iterative approach when adopting a new system. Here’s a quick example below, but it should be adjusted for each organization’s needs:
- Don’t force it on users. Tools like Pomerium are excellent for supporting multiple authentication methods by offering end users both options (in Pomerium’s case, VPN and IAP) so they can get comfortable with the new method you want them to adopt.
- Slowly encourage the desired behavior. Introduce the system and tools in phases instead of forcing the users to switch immediately. For example, your organization could allow your end users to keep a password with a set expiration date, and over time start requiring them to enter both the password and present the Ownership factor so they become accustomed to carrying it.
- Phase out the password. Finally, get rid of the password when you’re reasonably sure that your end users are in the habit of carrying their Ownership factor.
Shifting to Passwordless Authentication Made Easy
Enabling an easy shift to a passwordless security model is just one of the benefits of using Pomerium. Pomerium is an open-source platform for managing secure, identity aware access to applications and services.
Organizations can easily deploy Pomerium with their existing infrastructure to provide secure, identity-driven access to their internal services. IT management teams can easily use Pomerium to provision access and ensure security for all users without sacrificing productivity. Context-aware access is increasingly necessary as the workforce shifts to remote work and organizations expose their internal infrastructure to the dangers of the internet.