Crypto

Passwordless authentication: soon to be a reality?

A future without a password is slowly taking shape. This perspective, while attractive, requires presenting options and, above all, challenges that companies may face.

Password management has always been a challenge for businesses and places a lot of responsibility on users who have to manage hundreds of passwords daily in their digital lives. Now imagine a future without a password. Attractive, isn’t it? Of course ! But before you get down to business and completely free yourself from passwords, it’s important to get down to business and outline the options and challenges that a business may face.

What exactly does “no password” mean?

On a mobile device, many apps offer additional fingerprint identification; if the user accepts it, they connect with passwordless authentication. If he has enabled Windows Hello on his laptop, it may be convenient for the user to sign in using facial recognition. Passwordless authentication is just that. This is an alternative way to identify, connect, which does not require a password.

However, there are a few interesting observations related to this concept that should be noted:

  • The absence of a password does not necessarily mean that it is removed, but simply means that the user is benefiting from the passwordless user experience. Typically, if a secondary authentication method (such as facial recognition) fails, the system will still ask for a password.
  • The passwordless methods used on phone and laptop are incompatible. If you connect to a mobile banking app using your fingerprint and then want to access that same app on your laptop, it will inevitably require you to enter your password.

Let’s face it, passwords aren’t going away anytime soon. Websites, streaming subscriptions, laptops, bank cards, and banking websites all use passwords, each with different requirements, such as the number of characters or a certain combination of characters.

I am convinced). And what should I do now?

If a company wants to implement a password-free experience, there are various solutions, which, however, can only cover part of its needs.

The first option is to use the Security Assertion Markup Language (SAML), an XML-based protocol that allows cloud applications to create trust relationships with an identity provider (SAML IdP). Within this trust relationship, the cloud application (such as Salesforce) that needs to be accessed will be redirected to the identity provider interface, where the user can be authenticated. For businesses, the benefits are significant, but the technology also allows employees to use single sign-on to these cloud-based applications with a completely passwordless experience. You still need to connect to the identity provider once, but once this is done, the user will have access to all configured applications: passwords are no longer needed. All you need to do is use a strong multi-factor authentication (MFA) method to connect to your identity provider. The Ministry of Foreign Affairs is a kind of master of the keys.

The second option is to use the FIDO2 device to work without a password. The FIDO Alliance has developed specifications for a password-free login method for applications and websites. Typically, this requires a hardware token (also called a token) that matches a given login method (USB, Bluetooth, NFC, etc.) to authenticate against a FIDO2-enabled application. For example, like Windows Hello facial recognition, FIDO2 devices can also be used to log into a computer without the need for a password. This is a great method, completely secure, but hampered in its development: applications with limited support, the need to have backup methods of authentication in case the token is forgotten or lost. Not to mention cost as FIDO2 devices can be relatively expensive.

A “passwordless” deployment should consider user experience and security. For example, a user should not remove a password if they plan to use a simple authentication method to log in. SMS OTPs (one-time passwords), for example, are notoriously insecure; making it your only form of authentication would be a huge mistake. When using only push authentication with no additional methods, attackers can use MFA bombing to force the user to accept the push notification if the MFA process itself is not secure.

Finally, we found that many people question the need for a password manager if the trend is more towards deleting passwords. Passwords aren’t going away anytime soon, and it’s nearly impossible to have different complex passwords for every app. A password manager is a great way to educate users and troubleshoot hard-to-hack dark web database issues, allowing users to enjoy password-free work. Ideally, you should connect to your password manager using MFA authentication and let it automatically launch the website and manage the connection.

Eventually…

Here are some findings and suggestions based on the current state of passwordless authentication:

  • “No password” means that the user does not enter a password; it does not mean that the password no longer exists.
  • Passwords won’t disappear anytime soon. Therefore, it will be necessary to find better ways to address and mitigate the problems that arise along the way.
  • For professional cloud applications, SAML is a great way to provide passwordless SSO access to secure cloud applications.
  • For computer logins, a FIDO2 token provides a high level of user experience and security, but typically at a higher cost.
  • A password manager can provide users with a password-free experience with applications that do not natively support multi-factor authentication, as well as mitigate many of the problems associated with identity verification.

Therefore, it is possible that completely passwordless authentication is the best solution for a company, depending on the goals that it sets …

The fact is that there is still no passwordless authentication standard that could interact with multiple devices and applications. Therefore, there will always be a need to resort to very expensive hardware tokens, a kind of Swiss army knife, to enjoy a similar experience on laptops and mobile devices, but the possibilities exist only for a very limited number of applications. Suppose a user logs into their computer every day using face recognition with Windows Hello; The Windows Hello login cannot be used to access most of the websites that are accessed every day: every website has its own identification method. In a few years, FIDO2 may indeed establish itself as a “passwordless” standard, but so far its use is still very limited.

As always, we can only advise you to identify the most important security applications and passwordless methods that can be applied to each of these applications. We obviously must not forget to consider user experience, but above all, we must not neglect security or management costs.

Back to top button