Passwordless Security Guide
Passwordless Myths & Misconceptions
The Identity Access Management world is full of nuanced concepts, terminology, buzzwords, confusing acronyms, and jargon. There’s a lot of noise and it makes for some bizarre, confusing ideas about passwordless. So what are some of the common myths?
Passwordless is a Fad
It’s been talked about for 20 years — since Bill Gates mentioned it in 2004. Passwordless is a paradigm shift happening right in front of our eyes. According to Microsoft, more than 150 million people log in with passwordless authentication every month — on their systems alone. Today there is a whole standard dedicated to empowering passwordless, strong authentication — FIDO. The existence and adoption of an open standard is indicative of a technology’s maturity and dominance. More recently the W3C has adopted WebAuthn as a standard bringing passwordless capability to billions of people leveraging compliant browsers. Add the billions of iPhone users, the 250+ organizations of the FIDO Alliance, and the billions of users they represent, and you’ve got a major paradigm shift.
Passwordless is Less Safe
Passwords and shared secrets, combined with user habits of such, are the least safe part of any authentication process. Passwordless replaces these with Public-Key Cryptography (PKC), enabling a much stronger authentication. When used on a mobile device, passwordless is also inherently multi-factor since it brings in a strong possession factor and local, often user inherent, factors. That makes it far safer than legacy, password-based MFA. Check out the Authentication Attack Matrix to learn more.
Our Employees Don’t Want to Use a Smartphone to Log in
Employees love their smartphones. They want to use their phone — the experience of doing so just needs to be more convenient, faster and easier than using a password. It’s got to look like this.
True Passwordless Authentication Only Works with a Smartphone
While a smartphone is just one of several passwordless login methods, it happens to be the users’ favorite and is the most commonly used. Your users can use FIDO Security Tokens, on-device such as Windows Hello and MacOS Touch ID, and even Smart Cards. The best way to eliminate passwords is to give your users the ability to use their preferred authenticator and not limit them to just one method.
Going Passwordless Will Increase the Volume of Support Tickets
A large chunk of your helpdesk tickets are caused by password resets and lockets. By going passwordless your users will no longer have this problem and the volume of support tickets will drop significantly. The “I forgot my password” request will be replaced with “I lost my login Smartphone” or “I lost my security token” – both of which happen far less often than the forgotten password.
Passwordless is Not Multi-Factor
Passwordless implementations differ. When used on a smartphone or hardware token, passwordless MFA is inherently multi-factor. It combines the use of Something I am (a biometric), Something I have (my phone or security token), and Something I know (PINs). Some passwordless systems are not necessarily multi-factor, such as Windows Hello. It has been argued that since such systems lack a secondary device or out-of-band authentication, they are therefore a single-factor approach. For such situations, passwordless login should be used in addition to a secondary factor such as a PIN.
There are Privacy Concerns in Using a Personal Device for Workstation Access
Enterprises that adopt passwordless educate their employees that the passwordless mobile app does not store any PII, nor does it communicate any credentials over the air. In fact, passwordless enhances user privacy by taking passwords out of the equation. The passwordless employee does not need to worry about who has their password or access to their account because they are in control of their own personal credentials. Enrolling one’s personal device for employee authentication raises fewer privacy questions when compared to enrolling the device in the company’s mobile device management system.
Passwordless Means “There is no Login Requirement”
This is a funny one. Passwordless authentication does not mean “no authentication” — it just means that the user is accessing a system without being required to use their password or other shared secret. A cryptographic exchange that provides verification governs the process.
You Cannot Make Everything Passwordless
Some people consider certain applications and use cases as being permanently married to passwords. For example, legacy software in a back office somewhere that hasn’t been maintained in years. We cover these scenarios in our Password Elimination Guide. Remember, as recently as 2016 people were saying Passwordless Can’t be Done. FIDO Certified solutions enforce interoperability, signaling that passwordless authentication is ready and well-suited to scale across current and future uses, including the Internet of Things.
Doesn’t Touch ID or Face ID Already Enable Passwordless Authentication?
Simply utilizing Touch ID or Face ID, or any other biometric authenticator on a smartphone, falls short of what it means to be passwordless. When you use Touch ID out of the box it merely unlocks your password. True passwordless solutions combine the use of a biometric smartphone with public-key encryption to then generate a public/private key pair. More recently Apple has introduced WebAuthn for iOS devices. The public key is shared with the desired service, which then sends an encrypted challenge. The user digitally signs that challenge and verifies their identity. This methodology is often referred to as “True Passwordless” – where the user experience is familiar, but the underlying architecture is very different.