Passwordless authentication is no longer a fiction

To enhance security, best practices dictate that passwords be unique and complex, but this is proving increasingly ineffective against modern phishing attacks. To avoid forgetting passwords, it is also tempting to reuse the same one across services, which increases the risk. Security and ease of use do not mix well where passwords are concerned: increased security translates into a less pleasant user experience, and vice versa. Nevertheless, passwords are still very widely used, for several reasons:

  • Portability – a password can be used for almost every use case: access to devices, documents, accounts, or services. It has relatively few infrastructure requirements and dependencies, so it gives very easy access to a service.
  • Compatibility – with a few exceptions, every application and service used in a business has a password. A second factor is sometimes required to authenticate, but the password remains fundamental and universal. Entering passwords is something employees do by default every day.
  • Interoperability – whether on a computer, a smartphone or a tablet, it is always easy to enter a password. Passwords are universally supported, and you do not need the latest mobile device, or any additional software, to use one.

In view of these advantages, any authentication solution that does without passwords must offer significant improvements in security and ergonomics, without compromising portability, compatibility or interoperability. Passwordless alternatives have gained popularity among many security, authentication and identity providers, each applying its own nuance. Passwordless authentication can indeed be implemented in different ways, each with its advantages and disadvantages.

Some implementations are designed specifically to solve ergonomic problems. The user can receive a one-time password (OTP) by SMS, valid for a short period, and use it to authenticate. Or a unique link carrying a token is generated and sent to the user by email or SMS; by clicking on the link, the user is verified for that particular service. However, while these two authentication flows are easier to use than passwords, they are both very vulnerable to phishing attacks.

Conversely, other passwordless implementations are designed specifically to address security concerns. This is particularly the case with smart cards, which are among the most effective protections against phishing. The user inserts the smart card in a reader and validates it with a PIN code. It is a reliable way to stop remote phishing attacks. But classic smart cards are not very portable, compatible or interoperable, so deploying them at scale can be complex and costly.

What is more, laptops with integrated smart card readers are becoming extremely rare, and the use of an external USB reader greatly compromises the ergonomics of the workstation.

The role of open standards and identity platforms

A rich ecosystem of open standards is needed to ensure security and ease of use, while meeting the needs of large-scale portability, compatibility and interoperability. These standards ensure strong authentication across devices, applications and services, without any additional proprietary software.

Identity and Access Management (IAM) solutions have therefore embraced open standards, building on the major platforms to deliver the features and capabilities businesses need to adopt strong passwordless authentication for their applications and critical services. Most IAMs also offer a mobile authentication app to improve the user experience on traditional systems, providing a passwordless alternative to WebAuthn / FIDO known as “push notification”.

Unfortunately, mobile authentication apps are also vulnerable to phishing. That is why all major IAM platforms natively support FIDO2 hardware security keys, which are designed to resist interception.

Switching to passwordless

The massive adoption of passwordless authentication is a long-term project. During this transition period, hardware security keys are the ideal ally. They follow the user wherever he goes, and keep pace with the evolution of the security infrastructure. In addition, some require no software or peripherals – unlike a smart card – and can support a wide range of security protocols.

It is therefore already possible to put an end to account takeovers via phishing, because the key acts as a second factor alongside the password. Gradually, the migration to passwordless environments will take over, without any compromise in user experience or security.
