Passwordless Authentication, This is the Way
Security leaders the world over tend to share many, if not all, of the same issues in their respective organizations: patching, firewalls, network zone segmentation, and accumulated security debt. The issues repeat in every industry vertical with alarming consistency. Often the security leader is a lone figure navigating the corporate world with a dedication to the mission that they carry in the face of overwhelming odds. This is the way.
As security practitioners we have a fiduciary responsibility to protect the users, devices and applications that, together with the intellectual property, comprise the workplace, workforce and workload of the organization. That includes the data the organization collects and uses in the course of its business. Securing the company is a constantly evolving goal, and attackers have an unfortunate predisposition to move the goalposts.
Passwords are a great example of a security control that has outlived its useful life. I often draw the analogy with the house key. Sure, you can use it to lock your front door, but if someone of a nefarious nature manages to find that key, the lock has no way of telling who should or should not be coming through the front door. A password is the same kind of bearer secret: whoever presents it is let in, and it can be phished, reused across sites, or dumped from a breached database. Therein lies the rub. Thankfully there are technologies that can alleviate the stress of trying to manage the myriad threats arrayed before us.
The Progression to Passwordless Authentication
Let’s look at the natural progression of life. We’re born into this world, we crawl, then we learn to walk and ultimately to run. As with security there is a growth element to improve as we grow and mature as an industry. The criminal attackers in the past would compromise websites to gain credibility amongst their peer groups. Now we jump forward to the present day and we see that the criminal element has rolled that skill set into a massive monetary enterprise in its own right.
Now when we apply this concept of forward progress to the defender side of the equation, passwords are again a good example. The first step is getting people to use a password manager. This secures end-user credentials in a way that manages the risk of static passwords being stored in an insecure fashion, and makes a unique password per site practical. The next step is the move into multi-factor authentication (MFA). From push notifications to biometric authentication and others, we have options available to us.
But what about the future? In 2019 the World Wide Web Consortium published the WebAuthn standard as a W3C Recommendation. This was the first real stake in the ground for the future of passwordless authentication.
What Passwordless Authentication Is Not
There has been a lot of confusion in the market as to what is and what isn't passwordless. As an example, I have seen a case where one vendor was positioning QR codes as being passwordless. This is about as accurate as calling a username and password two-factor authentication. It's incumbent upon the industry to be sure not to muddy the waters.
To put a finer point on it, passwordless authentication is a method by which a user can log in to a system without entering a password. WebAuthn is one of the core components of the FIDO2 project (the other being CTAP, the protocol between the client and an external authenticator). Simply put, there are three parties: a website (the relying party), a web browser as the client, and a WebAuthn-compatible authenticator. The authenticator holds a private key and proves possession of it by signing a fresh challenge; the website stores only the matching public key, so there is no shared secret for an attacker to phish or steal from a breached database. This is built on open standards and will help to shape the future of how we handle authentication.
As with any security journey, we learn lessons along the road. We improve our defenses and work to stay on mission. Be sure to watch this space for more on passwordless authentication over the coming weeks. The passwordless future offers us a new hope for securing our systems. This is the way.
Try Duo For Free
Start a free 30-day trial and see how easy it is to get started with Duo and secure your workforce, from anywhere and on any device.