Providing a Passwordless User Experience
Take a moment and remember your first time online, or perhaps your first time on a terminal. All that promise at your fingertips. You’re prompted for a password. Your first password. What did you type?
I admit a little nostalgia for my first few passwords. They meant something to me. A little bit of text, a shared secret between me and my machine. They meant something to others, too. Late last year, vintage passwords from BSD pioneers were found and cracked. We’re talking the early 1980s. Two struck me. Ken Thompson used a chess move (p/q2-q4!). Clever. Eric Schmidt’s password was his wife’s name (wendy!!!). Adorable.
I used to make jokes in my passwords. Sometimes, I’d make promises (saveMoney!, sleep@More). I’m willing to bet you did the same. What changed?
Well, a password is meaningful to create when it’s your first one. A password is fun when you have a couple. By the time you’re reaching hundreds of accounts? The joy is replaced with the tedium of entering another unique phrase. (Or worse, reusing a well-known password. If you’re doing that, don’t tell me.) Even the idea of sticky notes with passwords is now a quaint memory. Who has monitor space for hundreds of stickies?
I don’t churn butter. I don’t pluck chickens. And I no longer make up passwords. Today, most of mine are randomly generated. Frankly, I’m looking forward to even those random passwords going the way of homemade butter, acoustic coupler modems, and CRT screens.
Let’s look at planning for a passwordless tomorrow.
Passwordless Use Cases
The journey to passwordless begins with fewer passwords. Locally, that might be workarounds like password managers. Centrally, that might be single sign-on (SSO) dashboards. The task is to identify the authentication workflows people are using and then begin to reduce the complexity.
There are a couple of challenges here. First, it’s no mean feat. A person in the workforce averages 191 passwords. It’ll take time to inventory, assess, and consolidate these passwords. Second, it still leaves passwords vulnerable to compromise. As we move towards fewer passwords, we’re still relying upon a long-lived shared secret as the primary authentication factor.
The security benefits come from removing passwords as the primary authentication factor for the use cases. For example, on mobile and desktop platforms, people may authenticate with biometrics backed by a Secure Enclave or Trusted Platform Module (TPM), as with Touch ID or Windows Hello. For web application use cases, this likely means authenticating with FIDO2, the specification that combines Web Authentication (WebAuthn) and the Client-to-Authenticator Protocol (CTAP). Long term, passwordless will be extended to provide secure access for every enterprise use case (hybrid, cloud, on-premises, and legacy apps).
The passwordless experience for users means fast authentication with little friction. Criminals and adversaries experience IT with no shared secrets to copy, replay, or brute-force. And for administrators, the passwordless experience is one of identifying and migrating use cases, incrementally and iteratively, to delight the end user.
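As an added illustration, not part of the original post, of why a FIDO2/WebAuthn assertion leaves no shared secret to copy, replay, or brute-force, here is a simplified Go model of the challenge/response: the authenticator signs a server-issued random challenge with a device-bound private key, and the relying party verifies it with the public key registered earlier. The Authenticator type, the clientData layout and the rpId "example.com" are assumptions for the example; real WebAuthn also carries attestation, authenticatorData, a signature counter and CBOR encoding, all omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
)

// Authenticator models the device-bound key (Secure Enclave, TPM or security
// key). The private key never leaves it; only the public key is registered.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: k}
}

// Public returns the credential public key the relying party stores at registration.
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Assert answers a challenge by signing it. clientData is a simplified stand-in
// for WebAuthn's clientDataJSON (assumption); attestation and CBOR are omitted.
func (a *Authenticator) Assert(rpID string, challenge []byte) (clientData, sig []byte) {
	clientData, _ = json.Marshal(map[string][]byte{"challenge": challenge, "rpId": []byte(rpID)})
	h := sha256.Sum256(clientData)
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return clientData, sig
}

// NewChallenge mints a fresh random challenge the relying party accepts exactly once.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify is the relying-party check: the echoed challenge is the one issued,
// the rpId matches, and the signature verifies under the registered key.
func Verify(pub *ecdsa.PublicKey, rpID string, issued, clientData, sig []byte) bool {
	var cd struct{ Challenge, RpId []byte }
	if json.Unmarshal(clientData, &cd) != nil || string(cd.RpId) != rpID ||
		subtle.ConstantTimeCompare(cd.Challenge, issued) != 1 {
		return false
	}
	h := sha256.Sum256(clientData)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A captured assertion is useless against the next login because the relying party issues a new challenge each time, and nothing the server stores lets an attacker forge one.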
Passwordless Quick Wins and Long Hauls
Strategy is motivating people and marshalling resources towards a goal. As I wrote in Thinking Strategically About Passwordless, passwordless is a tactic for gaining support for security initiatives by providing a better user experience. The business case can be prioritized by influence, by impact, or by effort. Consider providing a passwordless experience to key stakeholders and security champions, thus building support. Evaluate deploying passwordless for teams with a high number of authentications or a high number of password resets, thus saving time and support costs. Of course, low-effort areas to deploy, such as web apps that already support FIDO2, are also good choices to build momentum.
There are some areas where passwordless is tougher to deploy. The first example is where people are unable or disinclined to use biometrics. As we’ve seen recently, this could be because of personal protective equipment interfering with facial or fingerprint recognition. Additionally, some people have significant trouble enrolling fingerprints. We see this most often with an older workforce. The next area is where shared equipment is the norm, such as call centers. Many passwordless solutions tie a person to their device for strong authentication. When multiple people share one device, this security model breaks down. For these types of use cases, it is better to tackle others first while the technology continues to improve.
There’s one other consideration when selecting use cases to migrate into a passwordless experience: regulatory compliance. Many standards require a password plus one or more additional authentication factors. While it can certainly be argued that passwordless provides the same level of security, auditors and standards will take time to catch up to new approaches. It is best to begin the conversations now with internal audit, while proving out the passwordless technology in other areas.
To help organizations prepare for passwordless, we published a new white paper “Passwordless: The Future of Authentication.”
In the paper, you’ll find a five-step phased approach to realizing passwordless authentication.
Providing a passwordless experience means incrementally shifting use cases from password-enabled authentication to other factors. The end goal is improving the user experience for our workforce, while removing many tactics criminals and adversaries use today to gain access.
Not all use cases will go quietly into the night. We’re still in the early days and it will take time for infrastructure and adoption to catch up. Good thing too, as this gives us time to plan and use this shift strategically.
And I don’t know about you, but I’m looking forward to someone cracking my password 40 years from now. “What did he mean by Wdx8yJGzXXOuobE3,” they’ll wonder, marveling at a time when people still had to manually type in credentials.
Read more about the path to passwordless in our passwordless blog series.