Let’s talk about passwordless, but less about the how and more about the why of passwordless. The drive toward passwordless authentication flows across all sorts of technical and user landscapes is gaining momentum. A cursory search of the internet for “why passwordless” yields an emerging consensus on why passwordless technologies occupy so much mindshare for security and workplace technologies professionals. There are two major benefits to this push. The first centers on the improvements the user experiences by being liberated from the password. The second comes from the improved security posture from the elimination of passwords as an attack surface. These two benefits are not necessarily at odds with each other. However, we can argue that they do not completely explain why the industry wishes to raise the bar on authentication technologies.
What’s Wrong with Passwords?
Let’s review why the industry picks on the poor password. First, passwords are reusable. Though best practice is to use a password manager and store unique, complex passwords for each website and service where we have an account, this fails in practice. Second, even if we count ourselves among those rare “diligent flossers” of password hygiene, passwords remain phishable. Phishing is when an attacker uses social engineering to get the user to share a secret and includes more than just fake websites or password reset links. Person-in-the-middle attacks, brute force attacks, credential stuffing, and replay attacks are examples of phishing attacks. Since most people reuse passwords, a breach of security in one vendor or a successful phish at one website can quickly spread to others. Finally, and partially for the reasons outlined above, passwords are expensive to maintain. There is a time cost borne by consumers to manage their passwords well. Even then, phishing can make that effort moot. Organizations lose significant workforce productivity to password issues and support at the help desk. Wouldn’t it be better to be passwordless?
Passwordless Tech and Phishing
Going passwordless solves everything wrong with modern authentication, right? Well, it’s more nuanced than that. The password is a phishable authentication technology. Its history and ubiquity make it the obvious weak link amongst our available authenticators. We get so hung up on rooting out the passwords and the passwordless experience that we can lose sight of the actual principle we are pursuing by trying to remove them: phishing resistance. Phishing-resistant technologies are not a replacement for multifactor authentication. Rather, they are an additional layer of security that compounds and reinforces baseline multifactor authentication to inoculate the authentication flow against phishing attacks. This is done with mechanisms like demonstrating user intent at authentication time, such as requiring a biometric check to continue the authentication flow or responding to a time-boxed push. Another common mechanism is removing the need for a shared secret at all using public key cryptography. WebAuthn, built upon the FIDO2 standard, is among the most visible examples of this approach.
Of course, for any technology to succeed, we must meet our customers where they are in their risk tolerance and user experience journeys. Workforce identity has been very good about recognizing the risks of formerly ubiquitous multifactor technologies, like SMS. SMS as an out-of-band authenticator has been recognized by the industry as a low-assurance authenticator in the workforce space for years, yet it grows increasingly ubiquitous on the customer identity side of the house. Whereas some vendors are beginning to use push notifications through their consumer apps, SMS remains a ubiquitous authentication technology globally. That makes sense, and it still represents a significant upward trend in identity security compared to the password-only baseline.
Meanwhile, a workforce implementation that removes passwords but replaces them with SMS or push notifications may improve the user experience. Still, it won’t impact security posture as much as ensuring that a phishing-resistant factor is required for access to any business resource. Of course, this is where the rubber hits the road in terms of figuring out how to make phishing-resistant, passwordless technologies successful in a workforce implementation. Major administrative challenges around identity verification, activation, and recovery of phishing-resistant credentials are where the industry can make the next major strides of value for simplifying the implementation and operation of phishing-resistant, passwordless technologies for the workforce.
It’s About the Users
And in the end, the user experience will drive the adoption of these technologies. Though the introduction of WebAuthn passkeys complicates the workforce use case by allowing the private keys of passkeys to be shared across devices and even shared with others, it remains significantly more phishing-resistant. Consumer adoption of technologies frequently drives the patterns adopted within the enterprise, especially those pushed by device manufacturers. There have been and will continue to be gallons of ink spilled on some of the “controversies” behind passkeys. However, their wide adoption in customer identity will do much to improve user experience and security. And I suspect passkeys will also find their place in workforce implementations in time.
So as you move your organization or business to passwordless technologies, keep in mind why you are doing so. The user experience improvements are great and will be a boon for customer use cases, but the end goal of the passwordless push should be a move toward requiring phishing-resistant authentication flows.
About the Author
Board of Directors, IDPro; Director, Okta-on-Okta, Okta
Jon Lehtinen specializes in both the strategy and execution of Identity & Access Management transformation in global-scale organizations. He builds diverse, passionate teams that deliver automated, future-oriented Identity solutions that provide the bedrock for information security, governance, and new opportunities for business. Moreover, Jon is dedicated to the growth and maturity of IAM as a profession. He serves on the Board of Directors and as Secretary of IDPro. He’s also served as an advisor to multiple identity vendors, published Implementing Identity Management on AWS through Packt Publishing, and is a member of ISC2, the OpenID Foundation, and Women in Identity. Presently, Jon owns the workforce, customer, and federal identity implementations as Okta’s Director of Okta on Okta.