Passwordless Authentication Explained: Why to Make the Move Today
The sun is setting on the era of password security. Passwords are too weak and too big a target to keep using them. In their place, companies are adopting passwordless authentication systems that use more secure forms of identity verification.
We will help you understand why companies need to replace passwords, how passwordless authentication works, and some of the ways companies are using this new technology.
Passwordless authentication gives you a more reliable, affordable, and secure way to prove that the person trying to access your company’s resources is actually who they claim to be. Rather than relying on something the person knows, passwordless authentication relies on more secure factors such as security keys or biometric identification.
But why is there so much interest in replacing the password? After all, passwords are easy to implement. Almost everything on your network supports them. Most of your users grew up using them.
You can see why passwords are such a problem by analyzing the quarter-billion passwords leaked in 2020’s many security breaches. Despite decades of warnings and password tutorials, the five most popular passwords from last year’s breaches are depressingly familiar:
The problem with passwords goes even further. In its latest investigation of cybercrime, Verizon found that more than 84% of breaches were due to vulnerable credentials. Here are six ways password-based authentication undermines security:
Lists of stolen passwords like these make brute-force attacks easier. Attackers can start with the most common password and work down the list until they find one that works.
Remembering strong passwords is a pain. They must be at least 10 characters long with a mix of upper and lower case letters, numbers, and symbols. Even worse, every personal and professional account requires its own, unique password.
People share passwords all the time. Executives share their passwords with their assistants. Even IT professionals — who should know better — share passwords to critical systems.
People are bombarded with phishing and other social engineering attacks every day. Even IT pros can fall for them. More than half of organizations in a recent survey reported that hackers stole privileged credentials — and most of them suffered significant breaches as a result.
Users must share their passwords with IT departments. A shared secret is not really a secret; it is a target. A password database, especially one stored unsalted and unhashed, is pure treasure for cybercriminals.
Cybercriminals can monetize stolen passwords through dark web marketplaces. A recent study found that freshly stolen RDP credentials sell for as much as $25 each.
Passwordless authentication offers many benefits beyond security by making networks easier to manage and by improving the user experience.
Passwordless organizations eliminate the costs associated with password management. Help desk calls drop dramatically and there is no password database to protect.
Going passwordless lets users access resources and get to work by doing almost nothing. Letting users swipe their finger or approve a push notification on their phone is much faster and takes less effort than dealing with passwords.
Using passwordless authentication in a multi-factor authentication system further protects your networks. Replacing SMS with push notifications or security keys eliminates the risk of SIM hacking.
Many regulatory standards such as HIPAA and NIST’s Digital Identity Guidelines require organizations to document their policies for creating, storing, and protecting passwords. Going passwordless simplifies the compliance process.
In multi-factor authentication, a user must provide two or more proofs of identity. These proofs, or authentication factors, take the form of a device the user possesses, a code or password the user knows, or the user’s physical features. Passwordless authentication identifies the user through a combination of a device or token in their possession and either something they know or their physical features.
Biometric technologies such as fingerprint, voice, or facial recognition identify the user directly. In many cases, the biometric sensors are integrated into the user’s laptop or smartphone. This approach works best with managed devices. In a BYOD scenario, you must support a wider range of biometric technologies.
Authenticator apps are another way to go passwordless. The one-time codes these apps generate are unique to each user, device, and session. Although not quite as convenient for users as biometrics, apps are easier to provision in a mixed-device environment.
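To make the one-time codes concrete, here is an added example (not code from the original post or from Twingate) that assumes the authenticator app follows the standard HOTP/TOTP algorithms from RFC 4226 and RFC 6238. It shows both halves: the code the app computes from a per-user shared secret and the clock, and a server-side verifier that tolerates one step of clock drift and refuses to accept the same code twice, which is what makes a code "unique to each user, device, and session" in practice. The secret and user names are constructed sample values; the secret is the published RFC test secret, not one to deploy.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP computes the RFC 4226 one-time code for a shared secret and a counter:
// HMAC-SHA1 over the big-endian counter, dynamic truncation, then modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, truncated%mod)
}

// TOTP (RFC 6238) is HOTP with the counter derived from the clock, so the code
// changes every step (30 seconds by convention) with no state kept on the device.
func TOTP(secret []byte, at time.Time, step time.Duration, digits int) string {
	return HOTP(secret, uint64(at.Unix()/int64(step/time.Second)), digits)
}

// TOTPVerifier is the server side. Each enrolled user has their own secret;
// the verifier accepts one step of drift either way and remembers the highest
// counter already accepted per user, so a reused or intercepted code is rejected.
type TOTPVerifier struct {
	step    time.Duration
	digits  int
	secrets map[string][]byte // per-user shared secret, set at enrollment
	used    map[string]uint64 // highest counter accepted per user
}

func NewTOTPVerifier(step time.Duration, digits int) *TOTPVerifier {
	return &TOTPVerifier{step: step, digits: digits, secrets: map[string][]byte{}, used: map[string]uint64{}}
}

// Enroll records the secret provisioned to the user's authenticator app.
func (v *TOTPVerifier) Enroll(user string, secret []byte) { v.secrets[user] = secret }

// Verify checks a submitted code against the current step and its neighbours.
func (v *TOTPVerifier) Verify(user, code string, now time.Time) bool {
	secret, enrolled := v.secrets[user]
	if !enrolled {
		return false
	}
	current := now.Unix() / int64(v.step/time.Second)
	for delta := int64(-1); delta <= 1; delta++ {
		c := current + delta
		if c < 0 {
			continue
		}
		counter := uint64(c)
		if last, seen := v.used[user]; seen && counter <= last {
			continue // already consumed: one code, one login
		}
		// constant-time comparison so timing does not leak how many digits matched
		if hmac.Equal([]byte(HOTP(secret, counter, v.digits)), []byte(code)) {
			v.used[user] = counter
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test secret (constructed sample)
	v := NewTOTPVerifier(30*time.Second, 6)
	v.Enroll("alice", secret)
	code := TOTP(secret, time.Now(), 30*time.Second, 6)
	fmt.Println("first use accepted:", v.Verify("alice", code, time.Now()))
	fmt.Println("replay accepted:", v.Verify("alice", code, time.Now()))
}
```

The replay check is the part that most often goes missing in home-grown verifiers: without it, a code captured during its 30-second window is as reusable as a password.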
Security keys are particularly useful when many users need to access the same workstation. However, users are much more likely to lose a security key than their smartphones.
Email and SMS can send users a one-time code or a magic link that lets them access a resource. Tied to the user’s device, these messages are of no use to any criminals who intercept them (although care must still be taken in certain social engineering situations). Organizations may still limit this method to more controlled scenarios such as onboarding new users or provisioning new devices.
From the user’s perspective, passwordless authentication is an easy, two-step process:
- Enter their user ID.
- Supply their passwordless credential.
Whether that second step is a swipe of their finger or typing a one-time code, it takes less time and mental effort than remembering their current password. Eventually it becomes second nature, and users will wonder why everything isn’t passwordless.
Behind the scenes, passwordless authentication is based on a system of cryptographic key pairs. When a user first registers with the system, their biometric device, security fob, or authenticator app generates a private key and shares a public key with the authentication system. The private key never leaves the device.
Consider a remote worker who uses a laptop that has a fingerprint reader. When they request access to a company resource, they get a login prompt. The remote worker enters their user ID and swipes the fingerprint reader. This authorizes the laptop’s Trusted Platform Module, which holds the private key, to sign an identity verification message. The company’s authentication system verifies the signature with the user’s public key. Identity confirmed, the remote worker can access the resource.
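The registration and login exchange described above, written out as an added example (not code from the original post or from Twingate). It assumes an Ed25519 key pair, a server that issues a fresh random challenge for each login attempt, and a signed message that binds the challenge to the relying party and the registered device; the in-memory `Authenticator` stands in for the TPM-backed key on the laptop, and the user and device identifiers are constructed sample values. The example goes slightly beyond the text by showing two failure cases a practitioner should check: a captured signature replayed against the server, and a signature produced for a different site.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Credential is what the authentication server stores after registration:
// the user, the registered device, and the device's public key. No secret
// ever reaches the server, so there is no password database to protect.
type Credential struct {
	UserID   string
	DeviceID string
	PubKey   ed25519.PublicKey
}

// Authenticator stands in for the user's device. The private key is created
// here and never leaves it; on a real laptop it would be held by the TPM and
// released only after the fingerprint swipe (in-memory stand-in, an assumption
// of this example).
type Authenticator struct {
	DeviceID string
	priv     ed25519.PrivateKey
}

// AuthServer is the company's authentication system: registered credentials
// plus the single outstanding challenge per user.
type AuthServer struct {
	creds      map[string]Credential
	challenges map[string][]byte
}

func NewAuthServer() *AuthServer {
	return &AuthServer{creds: map[string]Credential{}, challenges: map[string][]byte{}}
}

// Register runs the one-time enrollment: the device generates a key pair and
// shares only the public half with the server.
func Register(srv *AuthServer, userID, deviceID string) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	srv.creds[userID] = Credential{UserID: userID, DeviceID: deviceID, PubKey: pub}
	return &Authenticator{DeviceID: deviceID, priv: priv}, nil
}

// BeginLogin is step one: the user enters their ID and the server answers
// with a fresh 32-byte random challenge that is valid for one attempt.
func (s *AuthServer) BeginLogin(userID string) ([]byte, error) {
	if _, ok := s.creds[userID]; !ok {
		return nil, errors.New("unknown user")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	s.challenges[userID] = challenge
	return challenge, nil
}

// signedPayload binds the challenge to the relying party (the site being
// logged into, as WebAuthn does with its rpId) and to the device, so a
// signature produced for one site cannot be presented to another.
func signedPayload(rpID, deviceID string, challenge []byte) []byte {
	return []byte(rpID + "|" + deviceID + "|" + hex.EncodeToString(challenge))
}

// Respond is step two on the device: after the local unlock (the fingerprint
// swipe), the authenticator signs the challenge with its private key.
func (a *Authenticator) Respond(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedPayload(rpID, a.DeviceID, challenge))
}

// FinishLogin verifies the signature with the stored public key. The challenge
// is retired before verification, so each one allows exactly one attempt and a
// captured signature cannot be replayed.
func (s *AuthServer) FinishLogin(rpID, userID string, sig []byte) bool {
	cred, haveCred := s.creds[userID]
	challenge, haveChallenge := s.challenges[userID]
	if !haveCred || !haveChallenge {
		return false
	}
	delete(s.challenges, userID)
	return ed25519.Verify(cred.PubKey, signedPayload(rpID, cred.DeviceID, challenge), sig)
}

func main() {
	srv := NewAuthServer()
	device, err := Register(srv, "remote.worker", "laptop-42") // constructed sample identities
	if err != nil {
		panic(err)
	}
	challenge, _ := srv.BeginLogin("remote.worker")
	sig := device.Respond("login.example.com", challenge)
	fmt.Println("login accepted:", srv.FinishLogin("login.example.com", "remote.worker", sig))
	fmt.Println("replay accepted:", srv.FinishLogin("login.example.com", "remote.worker", sig))
}
```

Because the server holds only public keys and every session is tied to a specific registered device, a breach of the credential store yields nothing an attacker can log in with, and the server's logs record which device, not just which user, opened each session.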
If you have more stringent security policies or need heightened protections for certain resources, you can make this process the first step in multi-factor authentication. You also get better visibility of network usage since passwordless authentication associates both the user and the device with each session. Sudden changes or unusual behavior become easier to detect.
The risks passwords create are well-known and the promises of passwordless authentication are enticing. Still, companies usually take a phased approach with their passwordless migrations. There are several ways to use passwordless authentication that may offer more immediate security and efficiency benefits.
Office workers have access to the company’s most sensitive resources. But when they step away from their desks, their workstations could be accessible to anyone who walks by. Since passwordless authentication is a faster, easier way for users to log in, you can set more aggressive inactivity timeout policies.
System administrators need to support the same servers, factory workers use shared workstations, and hospital wards have systems that healthcare workers need to access rapidly. These are scenarios where the convenience and speed of shared passwords undermine security. Fast, passwordless authentication is even easier. And because every employee authenticates on each access, network administrators get more detailed activity logs.
The rapid shift to working-from-home has led companies on a search for ways to better secure remote connections. Administrators have little control over users’ home networks and family computers. Preventing cybercriminals — or curious children — from accessing company resources is much simpler with passwordless authentication.
Passwordless is not just for a company’s internal use. Over time, companies will eliminate passwords on their public-facing systems. Browser developers and hardware manufacturers have adopted the FIDO2 and WebAuthn standards to provide universal passwordless authentication. Apple’s Safari browser will integrate with iPhone facial and fingerprint recognition systems. Microsoft’s TPM requirement for Windows 11 will make all consumer PCs “passwordless by default.”
The time has come to sunset the password. Human nature and the limits of memory make effective password security impossible. Combined with the inherent weakness of shared secrets, passwords and password databases are now cybercriminals’ largest targets.
Passwordless authentication replaces this outmoded identification factor with more secure approaches that:
- Make companies more secure;
- Simplify the user experience; and
- Improve efficiency.
Going passwordless has another benefit — by linking the user, the device, and user identification, passwordless authentication is an ideal match for Twingate’s Zero Trust network access solution.
Twingate seamlessly integrates with your security stack to protect resources behind an invisible software-defined perimeter. Once you match the user and device context with role-based access policies, Twingate creates direct, encrypted connections between the user and resource that optimize bandwidth and latency.
Contact us to learn how our modern approach to securing remote work complements your transition to passwordless authentication.