passwordless Archives - IDPro (https://idpro.org/tag/passwordless/), The Professional Organization for Digital Identity Management. Feed last updated Wed, 20 Dec 2023 16:17:35 +0000.

The real value of passwordless authentication
https://idpro.org/the-real-value-of-passwordless-authentication/
Tue, 28 Mar 2023 19:29:59 +0000

Let’s talk about passwordless, but less about the how and more about the why of passwordless. The drive toward passwordless authentication, flowing across all sorts of technical and user landscapes, is gaining momentum. A cursory search of the internet for “why passwordless” yields an emerging consensus on why passwordless technologies occupy so much mindshare for security and workplace technology professionals. There are two major benefits to this push. The first centers on the improvements the user experiences by being liberated from the password. The second comes from the improved security posture from the elimination of passwords as an attack surface. These two benefits are not necessarily at odds with each other. However, we can argue that they do not completely explain why the industry wishes to raise the bar on authentication technologies.

What’s Wrong with Passwords?

Let’s review why the industry picks on the poor password. First, passwords are reusable. Though best practice is to use a password manager and store unique, complex passwords for each website and service where we have an account, this fails in practice. Second, even if we count ourselves among those rare “diligent flossers” of password hygiene, passwords remain phishable. Phishing is when an attacker uses social engineering to get the user to share a secret and includes more than just fake websites or password reset links. Person-in-the-middle attacks, brute force attacks, credential stuffing, and replay attacks are examples of phishing attacks. Since most people reuse passwords, a breach of security in one vendor or a successful phish at one website can quickly spread to others. Finally, and partially for the reasons outlined above, passwords are expensive to maintain. There is a time cost borne by consumers to manage their passwords well. Even then, phishing can make that effort moot. Organizations lose significant workforce productivity to password issues and support at the help desk. Wouldn’t it be better to be passwordless?

Passwordless Tech and Phishing

Going passwordless solves everything wrong with modern authentication, right? Well, it’s more nuanced than that. The password is a phishable authentication technology. Its history and ubiquity make it the obvious weak link amongst our available authenticators. We get so hung up on rooting out the passwords and the passwordless experience that we can lose sight of the actual principle we are pursuing by trying to remove them: phishing resistance. Phishing-resistant technologies are not a replacement for multifactor authentication. Rather, they are an additional layer of security that compounds and reinforces baseline multifactor authentication to inoculate the authentication flow from phishing attacks. This is done with mechanisms like demonstrating user intent at authentication time, such as requiring a biometric check to continue the authentication flow or responding to a time-boxed push. Another common mechanism is removing the need for a shared secret at all using public key cryptography. WebAuthn, built upon the FIDO2 standard, is among the most visible examples of this approach. 

Multifactor Authentication

Of course, for any technology to succeed, we must meet our customers where they are in their risk tolerance and user experience journeys. Workforce identity has been very good about recognizing the risks of formerly-ubiquitous multifactor technologies, like SMS. SMS as an out-of-band authenticator has been recognized by the industry as a low-assurance authenticator in the workforce space for years, yet it grows increasingly ubiquitous on the customer identity side of the house. Whereas some vendors are beginning to use push notifications through their consumer apps, SMS remains a ubiquitous authentication technology globally. That makes sense, and it still represents a significant upward trend in identity security compared to the password-only baseline.

Meanwhile, a workforce implementation that removes passwords but replaces them with SMS or push notifications may improve the user experience. Still, it won’t impact security posture as much as ensuring that a phishing-resistant factor is required for access to any business resource. Of course, this is where the rubber hits the road in terms of figuring out how to make phishing-resistant, passwordless technologies successful in a workforce implementation. Major administrative challenges around identity verification, activation, and recovery of phishing-resistant credentials are where the industry can make the next major strides of value for simplifying the implementation and operation of phishing-resistant, passwordless technologies for the workforce.

It’s About the Users

And in the end, the user experience will drive the adoption of these technologies. Though the introduction of WebAuthn passkeys complicates the workforce use case by allowing the private keys of passkeys to be shared across devices and even shared with others, it remains significantly more phishing-resistant. Consumer adoption of technologies frequently drives the patterns adopted within the enterprise, especially those pushed by device manufacturers. There have been and will continue to be gallons of ink spilled on some of the “controversies” behind passkeys. However, its wide adoption in customer identity will do much to improve user experience and security. And I suspect passkeys will also find their place in workforce implementations in time.

So as you move your organization or business to passwordless technologies, keep in mind why you are doing so. The user experience improvements are great and will be a boon for customer use cases, but the end goal of the passwordless push should be a move toward requiring phishing-resistant authentication flows.

About the Author

Jon Lehtinen

Board of Directors, IDPro; Director, Okta-on-Okta, Okta

Jon Lehtinen specializes in both the strategy and execution of Identity & Access Management transformation in global-scale organizations. He builds diverse, passionate teams that deliver automated, future-oriented Identity solutions that provide the bedrock for information security, governance, and new opportunities for business. Moreover, Jon is dedicated to the growth and maturity of IAM as a profession. He serves on the Board of Directors and as Secretary of IDPro. He’s also served as an advisor to multiple identity vendors, published Implementing Identity Management on AWS through Packt Publishing, and is a member of ISC2, the OpenID Foundation, and Women in Identity. Presently, Jon owns the workforce, customer, and federal identity implementations as Okta’s Director of Okta on Okta.


The Password Isn’t Dead…But It’s Quite Ill
https://idpro.org/the-password-isnt-dead-but-its-quite-ill/
Wed, 26 Jan 2022 18:04:56 +0000

by Simon Moffatt

Well, as we enter 2022 – and a good way into 60 years of using commercial computer technology of some sort – the password is very much alive and kicking. For example:

  • This article is being written in Google Docs, which requires my username, password + MFA.  
  • It will be promoted on Twitter: Username, password + MFA.
  • Shared on LinkedIn. Username, password + MFA.  

Note the pattern? Yes, MFA is absolutely in the mix for me personally, but a) that doesn’t necessarily equate for all users and b) the underlying requirement for a shared secret still exists.

The “cost” to a service provider or application developer to reach for the username and password pattern is very low. Libraries exist and many password storage approaches now rely heavily on techniques using salts and hashes. Making a choice for something different has some pretty big impacts – namely changes to usability and hoops to jump through regarding security change management if some new and funky passwordless approach is selected.

Drivers Towards Passwordless

However, there are emerging shoots of hope for those who wish to see a password-free world. A quick Crunchbase search reveals a tasty $700+ million has been poured into startups with the word “passwordless” in their description in the last 36 months.  A chunk of change (admittedly heavily influenced by Transmit Security’s $543 million last summer) that is empowering new techniques to the age-old problem of authentication.

The interesting aspect is that authentication is the main pinch-point of both B2E and B2C interactions.  B2E identity is having to contend with distributed working, migrations to zero trust and secure service edges and data security, whilst the continued drive for B2C consumer identity sees a need for secure yet usable user verification driven by retail and financial services and the increasing need for secure PII sharing.

All in all, user interruptions during the authentication process are increasing hugely.  The volume increases and the context surrounding the transaction is becoming more complex and subtle, too.  Usernames and passwords just won’t cut it, even with a decent MFA overlay leveraging one time passwords (generated client side of course not sent via SMS or email…) or Push Notifications.

Passwordless Requirements

Passwordless adoption requirements for both B2C and B2E will be subtly different.  It can be quite interesting to analyze requirements of passwordless just as you would any other credential – via a life cycle model.

A basic example would see steps such as enroll, use, add, migrate, reset, and remove.

Each step in the life cycle can then be broken down into the capabilities needed.  A consistent theme would seem to be a need for increased end user self-sufficiency – especially around enrollment and reset, where the dreaded call to the helpdesk instantly increases cost and reduces end user happiness.  (Obligatory sales nudge, I worked on a buyer guide for passwordless in 2021…)

B2E

From a B2E perspective, concerns for a passwordless model seem to focus upon replacing existing MFA components. Many organisations often have numerous disconnected modals, perhaps focused on specific user communities or applications. Any consolidated passwordless approach must provide a range of application integration options, from SDKs and standards integration to out-of-the-box native integrations. It would also be worth considering orthogonal authentication use cases for PAM and even physical building access. Can that be integrated into a mobile-centric passwordless approach? The buzz words of zero trust and contextual and adaptive access need to be shoe-horned into this landscape too, likely with a decoupled approach to authentication away from the identity provider and network infrastructure plumbing.

B2C

Consumers are a different beast. The focus is often upon rapid user onboarding, with transparency and usability being important. Can KYC and identity proofing be augmented into the credential issuance process? Can those processes also be used during any reset activities? Clearly fraud – I’m thinking ATO, phishing, credential stuffing and basic brute force attacks – is a huge issue with an Internet-facing service, so any passwordless service needs to be immune. Compliance initiatives such as the Strong Customer Authentication aspect of PSD2 are also driving a need for an authentication method that is secure yet can be operated at high scale by the end user.

What Are The Options?

So we all hate passwords. Service providers are getting hacked daily – the HaveIBeenPwned site is nearly at 12 billion breached accounts – and end users pick easy-to-break passwords that they reuse. But numerous startups are coming to the rescue – typically with a local, mobile-focused biometric (aka FaceID/fingerprint) that unlocks a private key on a device in order to respond to a challenge set by a service that requires an authentication result. Many do this in a proprietary way, and many now leverage the W3C WebAuthn approach as a standards-based model.

A few other subtleties start to emerge. How is the private key stored? If on device, does it leverage the trusted execution environment or secure enclave? If off-device, is it stored in a distributed manner, so no single point of failure exists? If on device, what happens if the device is lost or stolen? Does the end user have to re-enroll? Questions that all emerge once roll out starts to hit big numbers.

Another aspect to consider, away from just the technicalities, is things like end user training and awareness. Whilst many service providers aim for “frictionless” experiences and transparency, a user journey that is too seamless may actually make the end user suspicious – they want to see some aspect of security. The classic “security theatre” scenario. As with any mass rollout approach, not all users are the same. Behaviour, geographical differences, device preferences and the like will result in the need for a broad array of usage options and coverage. Can the new passwordless models cope with this?

Summary

Passwords aren’t dead, but they’re definitely quite ill. The options for moving to something new are starting to become broad and numerous. However, authentication doesn’t exist in a silo and on its own carries little use. It would seem that before authentication (think proofing) and after authentication (think session integration coverage) use cases would likely emerge as the biggest competitive battlegrounds in the next 24 months. Those suppliers that can create authentication ecosystems that integrate into a range of different devices, users, and systems would likely see success.


Simon Moffatt

Founder & Industry Analyst, The Cyber Hut

Simon Moffatt is Founder & Industry Analyst at The Cyber Hut. He is a published author with over 20 years’ experience within the cyber and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He is a CISSP, CCSP, CEH and CISA. He is also a part-time postgraduate on the GCHQ-certified MSc. Information Security at Royal Holloway University, UK. His 2022 research diary focuses upon “How To Kill The Password”, “Next Generation Authorization Technology” and “Identity for Hybrid Cloud”.
