by Simon Moffatt
Well, as we enter 2022 – and a good way into 60 years of using commercial computer technology of some sort – the password is very much alive and kicking. For example:
- This article is being written in Google Docs, which requires my username, password + MFA.
- It will be promoted on Twitter: Username, password + MFA.
- Shared on LinkedIn. Username, password + MFA.
Note the pattern? Yes MFA is absolutely in the mix for me personally, but a) that doesn’t necessarily equate for all users and b) the underlying requirement for a shared secret still exists.
The “cost” to a service provider or application developer to reach out for the username and password pattern is very low. Libraries exist and many password storage approaches now rely heavily on techniques using salts and hashes. Making a choice for something different has some pretty big impacts – namely changes to usability and hoops to skip through regarding security change management if some new and funky passwordless approach is selected.
Drivers Towards Passwordless
However, there are emerging shoots of hope for those who wish to see a password-free world. A quick Crunchbase search reveals a tasty $700+ million has been poured into startups with the word “passwordless” in their description in the last 36 months. A chunk of change (admittedly heavily influenced by Transmit Security’s $543 million last summer) that is empowering new techniques to the age-old problem of authentication.
The interesting aspect is that authentication is the main pinch-point of both B2E and B2C interactions. B2E identity is having to contend with distributed working, migrations to zero trust and secure service edges and data security, whilst the continued drive for B2C consumer identity sees a need for secure yet usable user verification driven by retail and financial services and the increasing need for secure PII sharing.
All in all, user interruptions during the authentication process are increasing hugely. The volume increases and the context surrounding the transaction is becoming more complex and subtle, too. Usernames and passwords just won’t cut it, even with a decent MFA overlay leveraging one time passwords (generated client side of course not sent via SMS or email…) or Push Notifications.
Passwordless adoption requirements for both B2C and B2E will be subtly different. It can be quite interesting to analyze requirements of passwordless just as you would any other credential – via a life cycle model.
A basic example would see steps such as enroll, use, add, migrate, reset, and remove.
Each step in the life cycle can then be broken down into the capabilities needed. A consistent theme would seem to be a need for increased end user self-sufficiency – especially around enrollment and reset, where the dreaded call to the helpdesk instantly increases cost and reduces end user happiness. (Obligatory sales nudge, I worked on a buyer guide for passwordless in 2021…)
From a B2E perspective, concerns for a passwordless model seem to focus upon replacing existing MFA components. Many organisations often have numerous disconnected modals perhaps focused on specific user communities or applications. Any consolidated passwordless approach must provide a range of application integration options from SDK’s, standards integration, or out of the box native integrations. It would also be worth considering orthogonal authentication use cases for PAM and even physical building access. Can that be integrated into a mobile centric passwordless approach? The buzz words of zero trust and contextual and
adaptive access need to be shoe-horned into this landscape too, likely with a decoupled
approach to authentication away from the identity provider and network infrastructure plumbing.
Consumers are a different beast. The focus is often upon rapid user onboarding with transparency and usability being important. Can KYC and identity proofing be augmented into the credential issuance process? Can those processes also be used during any reset
activities? Clearly fraud – I’m thinking ATO, phishing, credential stuffing and basic brute force attacks – are all a huge issue with an Internet facing service, so any passwordless service needs to be immune. Compliance initiatives such as the Strong Customer Authentication aspect of PSD2 is also driving a need for an authentication method that is secure yet can be operated at high scale by the end user.
What Are The Options?
So we all hate passwords. Service providers are getting hacked daily – the HaveIBeenPwned site is nearly at 12 billion breached accounts – and end users pick easy to break passwords that they re-use. But, numerous startups are coming to the rescue – typically with a local mobile focused biometric (aka FaceID/fingerprint) that unlocks a private key on a device in order to respond to a challenge being set by a service that requires an authentication result. Many do this in a proprietary way and many now leverage the W3C WebAuthn approach as a standards-based model.
A few other subtleties start to emerge. How is the private key stored? If on device, does it
leverage the trusted execution environment or secure enclave? If off-device, is it stored in a
distributed manner, so no single point of failure exists? If on device, what happens if the device is lost or stolen? Does the end user have to re-enroll? Questions that all emerge once roll out starts to hit big numbers.
Another aspect to consider, away from just the technicalities, are things like end user training
and awareness. Whilst many service providers aim for “frictionless” experiences and
transparency, a user journey that is too seamless, may actually make the end user suspicious – they want to see some aspect of security. The classic “security theatre” scenario. As with any mass rollout approach, not all users are the same. Behaviour, geographical differences, device preferences and the like will result in the need for a broad array of usage options and coverage. Can the new passwordless models cope with this?
Passwords aren’t dead, but they’re definitely quite ill. The options for moving to something new are starting to become broad and numerous. However, authentication doesn’t exist in a silo and on its own carries little use. It would seem that before authentication (think proofing) and after authentication (think session integration coverage) use cases would likely emerge as the biggest competitive battlegrounds in the next 24 months. Those suppliers that can create authentication ecosystems that integrate into a range of different devices, users, and systems
would likely see success.
Founder & Industry Analyst, The Cyber Hut
Simon Moffatt is Founder & Industry Analyst at The Cyber Hut. He is a published author with over 20 years experience within the cyber and identity and access management sectors. His most recent book, “Consumer Identity & Access Management: Design Fundamentals”, is available on Amazon. He is a CISSP, CCSP, CEH and CISA. He is also a part-time postgraduate on the GCHQ certified MSc. Information Security at Royal Holloway University, UK. His 2022 research diary focuses upon “How To Kill The Password”, “Next Generation Authorization Technology” and “Identity for Hybrid Cloud”.