Passwordless Security Guide
Passwordless Identity Management
What is a Passwordless Identity?
A “Passwordless Identity” is a user identity which does not require an alphanumeric password for gaining access to applications and services associated with that particular user. Instead, the identity is bound to a public-private key pair that acts as the primary credential for user authentication. The user’s private key is stored on a smartphone, a smart card, or a FIDO security token; the public key is stored on a validation server on-premises or in the cloud. Learn more about Passwordless Login Methods.
Generally speaking a passwordless login based on public-key encryption is inherently multi-factor, as it requires the use of a strong possession factor and a combination of biometrics and/or PIN.
Most legacy MFA methods include passwords an option in the multi-factor layering; these are known as password-based MFA.
More recently, enterprise teams are modernizing their identity stack by implementing a process that removes passwords entirely. This is what we refer to as True Passwordless MFA.
How Passwordless works with SAML, OAUTH & SSO
Passwordless authentication is designed to reduce the friction associated with validation of a reported identity, while also reducing the risks and management costs associated with passwords. It is not intended to displace the use of existing identity tools and standards. This guide provides an overview of how Passwordless MFA combines the use of open standards such as FIDO, SAML, OAuth, and OIDC.
Check out this video demo of a True Passwordless Single Sign On in which the user identity requires no password:
The schema for passwordless authentication generally involves an identification step to some target asset, system, or resource, followed by a validation step that does not require passwords.
This process takes place in one of 2 ways:
1. Mobile-Initiated Desktop SSO
In this scenario the user first logs into their workstation using a mobile-initiated Desktop MFA powered by HYPR. After this initial step the user logs into Office365 managed by PingFederate as the IdP. No passwords are required since they are already logged into the machine using certificate-based authentication. By leveraging Desktop SSO, the user is automatically authenticated to all 3rd party identity providers and web applications tied to them.
When you combine mobile-first login with Integrated Windows Authentication (IWA), also called desktop SSO, you can achieve a very high level of assurance for workstation login, web applications and Single-Sign On. Initiating login on the user’s smartphone creates a phishing resistant flow so your employees cannot be tricked into logging into the enterprise. What are PUSH Attacks?
2. Web-Initiated Authentication
When Desktop SSO is unavailable, such as on a shared workstation or BYOD scenario, a web-based passwordless authentication is utilized. In this scenario the user performs a Web-Initiated True Passwordless SSO in which the user identity requires no password.
When a user wants to log into a workstation or into an SSO-enabled application, all they need to do is provide their username. At this point they will be redirected to HYPR through a protocol such as SAML or OIDC. The Identity Provider will then request that HYPR authenticate the individual via their HYPR mobile device.
HYPR will send a policy and a challenge to the users mobile device by using a PUSH-based authentication. At that point HYPR will enforce that policy by performing a secure FIDO-Certified authentication. Once complete, the user will be granted access into the web application.
This Passwordless MFA process takes less than five seconds, requires no shared secrets, and completely protects the user from phishing and protects the enterprise from credential stuffing attacks.
Using Passwordless with Identity Providers
HYPR has delivered an extensive suite of pre-built plugins and integrations to help you eliminate passwords across all your identity providers. Extend and modernize your existing identity infrastructure without displacing any of your favorite IAM tools.
HYPR eliminates the hassle of rip and replace so you can quickly deliver login experiences and True Passwordless Single Sign-On for all major IdP platforms including:
How Passwordless Enhances Identity Proofing
“Why should we solve passwordless first, and how does that improve our overall customer journey?” This question comes up often for companies undergoing digital transformation. This video demonstrates the pain of password-based login flows, and how passwordless can be leveraged to enhance identity proofing for improved security and ease of use.
As you consider whether you should start passwordless authentication or identity proofing first, keep it mind that by going passwordless first, you enhance your security and ease of use, which benefits your identity proofing in the long run.
True Passwordless works alongside your Identity Proofing and Identity products to remove the #1 pain – the password. This reduces the need for threat detection focused on credential reuse because your authentication is now based on trusted factors.
Why is Authentication being Decoupled from Identity Providers?
The cloud wars have created a state of identity turmoil characterized by poor user experience, MFA fatigue, and an unsolved password problem. In an effort to mitigate this chaos, businesses are decoupling authentication from identity. We explore growing trend and the impact it will have on the next 5 years of digital identity.