The Administrator’s Guide to Passwordless: An Introduction

Introduction

It’s 2030, and passwords are a thing of the past. Okay, there are a few lingering cases we haven’t been able to eradicate yet, such as old WiFi systems and some legacy software nobody knows how to work with anymore. It’s been an interesting decade. Do you remember how we used to be afraid of biometrics because a few early implementations stored users’ personal information in a central database? Good thing we stopped doing that pretty early on. Oh, and enrolling each of our devices individually with our accounts took a little bit of getting used to.

But wow, it’s hard to think back to pre-2020 when we had to remember a mnemonic or series of semi-random words every time we wanted to do something online. And doing that for each site? Forget about it. And then even if we did our due diligence, sometimes a database would get popped and we’d have to go reset our passwords anyway! (If we were lucky enough to notice we got hacked). Anyway, things are much better now in 2030.

Now, back to reality. It’s 2021 and you’re an administrator or security engineer trying to figure out what this whole “passwordless” thing is about. Maybe trying to figure out your strategy for rolling it out in your own organization. We’ve been using passwords for decades. What does it mean to go without them now? It seems like a half step forward and a full step back. After all, we leave our fingerprints and faces sitting out in the open all the time.

It’s much harder to steal something kept secret in your brain, right? People trying to sell us something keep telling us that just getting rid of the password is more secure, but that seems risky. Even with one of those fancy security keys, that’s still just something you have. Now someone can just steal your security key and they’re in. Where is the something you know?

In this series, we’ll cover everything you need to know to determine for yourself why “passwordless” can be both more secure, and more usable than today’s leading authentication systems. But you’re also right to worry. Not every passwordless product or system meets this high bar. Some products conform to the “passwordless” moniker by removing the password and making login simple and easy, but not necessarily phishing-resistant or more secure. Some products require special software, or special hardware. Some don’t.

This isn’t a step-by-step guide to picking a product. It’s a discussion of the important aspects of passwordless authentication so that when you’re evaluating whether a solution is right for you, you know what to look for.

What the Heck Is a Passwordless?

Let’s start by breaking down what passwordless authentication is and isn’t. Obviously, the big promise is that it gets rid of the password, and all the baggage that comes along with it: weak passwords, credential reuse, phishing etc. If you weren’t already familiar with the problems with passwords and looking to get away from them, you probably wouldn’t be here. But if not passwords, then what do we use to secure access to our accounts?

In security-critical environments, you may find client certificate-based or smart card authentication solutions, often in addition to passwords, although sometimes used as a sole factor. Both of these approaches use asymmetric keys to uniquely identify employees or their devices and make it much harder for adversaries to gain unauthorized account access.

However, these solutions typically create a large administrative burden and necessitate securely distributing keys or physical hardware devices to each employee or each managed device. Smart cards often require special software and may also only be compatible with a limited set of applications. The overhead and limitations of these solutions makes them unpalatable for many organizations.

Today’s leading passwordless model is built on the open community standards of Web Authentication (WebAuthn) and the Client To Authenticator Protocol 2 (CTAP2), collectively branded as FIDO2 under the FIDO Alliance. In contrast to older approaches, these protocols are designed to both authenticate and enroll users natively in a web browser, without the need for a managed service to distribute keys. WebAuthn defines a browser API that websites can access to invoke registration and login procedures, while CTAP2 defines a protocol that browsers can use to access authenticator devices attached to the local machine.

At its heart, FIDO2 is merely a convenient way of generating, registering, managing, and using standard public and private keys to assert identities. However, it is an open, community vetted, and widely adopted standard for achieving the following two authentication properties on every passwordless authentication:

The authentication verifies something you have, the cryptographic private key stored on your authenticator device, and something you know or are, either a PIN or a biometric. By verifying both of these things, WebAuthn and CTAP2 meet the multi-factor standard necessary for safe and secure passwordless authentication.
The authentication is strongly phishing resistant, enforcing origin and channel binding on every authentication. Origin binding ensures the WebAuthn private key will be unusable unless you are on the intended website, blocking both passive and active phishing attacks. Channel binding is a bit more subtle. It requires that the device accessing the resource and the device authenticating to the service are strongly bound. They may be the same device, or two different devices, but binding the channel between them ensures an adversary cannot make authentication requests from an anonymous device. This prevents active man-in-the-middle or push-phish attacks and avoids relying on the user to make a determination of whether a given authentication attempt is valid or not. WebAuthn has origin binding baked in, and inherits channel binding for authenticators built into or attached to the access device, such as Touch ID and security keys. For other passwordless solutions, especially those that delegate authentication to another device like a mobile phone, care must be taken to ensure proper channel binding.

WebAuthn and CTAP2 are the current state of the art, and any passwordless solution that diverges from the straightforward and intended use of these protocols should have clear technical documentation on how it maintains these same security properties.

Context of Passwordless Authentication Solutions

When evaluating an authentication solution, the authentication framework itself may be the starting point, but it certainly isn’t the only thing to consider. While this series focuses specifically on concerns around passwordless authentication, it’s also important to consider how well your authentication stack supports your applications, interfaces with policy enforcement, manages device health and trust, adapts to dynamic user behaviors, and interfaces with other compatible frameworks through standard protocols.

Passwordless has the potential to greatly simplify the user-facing aspects of the authentication stack and raise the baseline of user security across your organization, but it’s just one part of a balanced breakfast robust authentication stack.