Passwordless has been a buzzword since 2019 with Microsoft releasing the public preview for FIDO2 based passwordless sign-in. However, Microsoft’s original “Go Passwordless!” story can be traced back to May 2016, when Microsoft released a paper with their recommendations for password management, being one of the world’s largest Identity Providers.
Then in 2017, Microsoft announced the GA release of phone sign-in with its Authenticator app. It was an important development that enabled us for the first time to let go of usual passwords and sign in to M365 workloads using our phones only.
Note that the use of the phone here was not for the usual 2nd-factor auth that we are accustomed to, but instead doing the actual sign-in, thereby opening the doors to a whole new world that was beyond regular passwords!
And finally, the circle completed with the Ignite March 2021 event with Microsoft making the GA release announcement for Passwordless Authentication in Azure AD.
Today in this blog post, we will be talking about
- what Passwordless is and why is it such a buzzword in the Identity and Access management area,
- what problems does it solves, and
- how it adds to an organization’s security posture.
Table of Contents
Why do we need Passwordless?
We all have to agree that the Covid-19 pandemic, in reality, has forced the digital transformation of numerous organizations, from SMBs to large enterprises worldwide, with more and more organizations making their move to the cloud, adopting digital workplace solutions and strategies to enable what is still the requirement of the moment – the ability to Work from Home.
With users now accessing data stored in the cloud to work effectively, the regular username-password auth mechanism which seemed enough for your closed environment within the organization boundaries, unfortunately no longer serves as an effective auth mechanism in the open cloud world.
As a matter of fact, 81% of successful cyberattacks happened due to compromised username and password.
Understanding the problems with traditional Password based authentication
Traditional password-based authentication is where the user performs sign-in with only a password to get access to data and other services required for work.
This authentication method is also referred to as a single-factor authentication system since it involves requiring only a single factor that the user knows (password).
There are many problems associated with this authentication method and let’s try to understand them.
First, most organizations impose security measures for passwords like requiring users to
- change their passwords after a predefined period of time,
- ensure password meets the security criteria (length and strength)
which leads to the obvious problem with passwords that we can’t deny – users are made to create and remember a new password every X days.
We have to understand that in today's modern world, it's not only the work account that we as users/employees deal with in our daily life. There are various other types of accounts like bank accounts, social accounts, streaming accounts, etc. that a user needs to maintain and it's really difficult to maintain unique credentials for all the different accounts. As a result, we see many users having a tendency to use their corporate account password for all the other accounts that they have.
The use of corporate credentials in other accounts greatly increases the likelihood of credentials compromise that can be used against the organization.
This is because, for every sign-in event, users need to type in their passwords thereby increasing the external exposure. Also, the use of the same password for multiple accounts greatly increases the attack surface.
Further, password based authentication is susceptible to a number of attack vectors, such as
- data breaches exposing user account credentials,
- credential theft (social engineering, phishing scams, password sniffing, malware, etc.)
- cracked or brute-forced.
As such, if there is no additional verification method in place, an attacker can easily gain access to the data sitting from anywhere in the world.
Passwords are a hassle to use and using single factor auth makes it a security risk for users and organizations of all sizes.
What about having MFA enabled?
If passwords are not safe, the automatic question that comes is what else we can do to improve the security in the sign-in process?
Enter strong authentication facilitated via Multi-Factor authentication.
MFA improves the authentication security by requiring a 2nd factor (something that you have) to be provided in addition to your account password (something you know) to successfully sign in.
The 2nd factor can be
- an OTP received via SMS/Call,
- confirming a phone app notification,
- short-lived security codes generated by a phone app
to confirm the authenticity of the auth event.
Since the user receives a 2nd-factor request for a sign-in attempt, if the auth event is not initiated by the user, MFA also helps to alert users of possible compromised credentials.
Adopting an “MFA Everywhere” approach is an important aspect of an organizations Zero-Trust stance, and it greatly helps to minimize the authentication risks. As per Microsoft, using MFA can block over 99.9% of account compromise attacks.
However, there is always a trade-off between security and usability, and MFA is no different.
Though 2nd factor definitely helps to secure authentication, it adds complexity to the sign-in process, which has led to its slow adoption rate.
Many users consider the requirement to provide a 2nd factor every time they need to sign in after entering the password as an inconvenience to their workflow. Organizations try to mitigate this by implementing SSO and not requiring 2nd factor if the sign-in request is coming from a "trusted location".
Moreover, Multi-Factor Authentication
- isn’t unhackable,
- can be bypassed,
- does not prevent phishing or social engineering from being successful,
- security awareness training has still got to be a big part of your overall security defense.
Further, MFA does not eliminate the need for passwords, thus most of the problems that we discussed for password-only auth still continue, like the user still needs to maintain account credentials.
When it comes to security vs usability, Microsoft nicely summed it up using the diagram which shows Passwordless authentication is surely the way to go forward with, balancing that sweet-spot in the security-usability trade-off.
Passwordless – The way forward…
Passwordless authentication approaches the auth model as
- something that you have (mobile device or security key) with
- something that you are (Biometrics, PIN) in a unified auth flow,
thereby replacing the requirement of something you know (password) and there by getting its name – Password-less!
From the interpretation of the auth model for Passwordless authentication, it seems that the strategy implemented is very similar to that of Multi-Factor authentication. However, there are differences.
First, passwordless authentication replaces the traditional password with digital certificate, a cryptographic key pair with a private and a public key.
- The private key remains stored on the user’s local device (something that you have – mobile device or security key) protected by another authentication factor such as biometrics or PIN (something you are). The private key can be only accessed with the user biometrics or PIN.
- The public key is provided to Identity Provider.
Secondly, though it involves two authentication factors like MFA, unlike in an MFA auth flow where the two factors are implemented in the auth flow separately (you have to enter your password, followed by the 2nd factor), for Passwordless auth, the two auth factors involved are unified in an effortless sign-in flow.
In Passwordless authentication, the user’s biometric signature or PIN is stored locally on the device which uses specialized hardware to protect the information.
The biometric signature/PIN in itself is not used to authenticate and as such is never sent over the network. It is only used as an initial factor to unlock the more secure factor that is stored in the device, a private key that works to authenticate the user to the service behind the scenes.
As the biometric signature or PIN is tied to the device, the attacker would require to gain physical access to the device, along with the requirement to be able to spoof your biometrics or get your PIN to be able to get in and have access.
Since passwordless auth methods already involve two factors for authentication, it is by design considered strong authentication.
In passwordless authentication, the account still technically has a password. But since users do not require to use the account password as frequently, it reduces the external exposure and attack surface for the account thereby helping to
- reduce stolen credentials (phishing, keyloggers, etc.)
- reduce the reuse of passwords,
- reduce weak account passwords,
- reduce calls to helpdesk for password resets,
- reduce MFA complains from users.
An attacker can get your password and use it to sign in to your account from anywhere. But with passwordless, an attacker has to steal your PIN (or even you to get your biometrics) along with your physical device to sign in and get access.
And for example, if you misplace your security key, an attacker wouldn’t probably get to know that it was yours as it shows no identification, unless you add your name tag or any other such personalization.
However, even with Passwordless, organizations should not take such incidents lightly and must continue to educate their users to report immediately if they have misplaced/lost their device (mobile or laptop) or security key so that
- the authentication method can be revoked, and/or the
- the device can be wiped
to proactively mitigate any possible chances of data breach happening due to the incident.
Going Passwordless with Microsoft
Microsoft being one of the largest Identity Providers (via Azure AD) helps you to transition to a Passwordless environment in 4 steps as shown below.
Below are the passwordless options offered by Microsoft as listed below
However, whether you can deploy passwordless authentication in your environment depends on the infrastructure, as the work involved doesn’t only involve Microsoft products. Your environment may also have other software and services and they must support modern authentication protocols for you to be able to go fully passwordless.
To get rid of passwords, you first need to ensure that you don’t need them anymore!
Ready to take the leap…
The move to the modern “anywhere, any device” approach to end-user computing means that there is a need to start re-assessing how you approach security.
Passwordless authentication methods surely help to better secure digital accounts that users rely on every day to get the work done.
Passwordless aids the Zero-Trust stance of an organization improving the overall security posture and 2021 seems the perfect year for organizations to start embracing this new world without passwords!