Passwordless has arrived. The key components enabling the new authentication technology are all in place. The quality of biometric sensors built into modern hardware has improved drastically in the past several years. Additionally, virtually all new endpoints include a secure enclave or trusted platform module (TPM) enabling the secure storage of asymmetric key pairs. Bringing it all together, modern web protocols like FIDO2 are enabling smooth, secure mechanisms to create and unlock keys with the improved biometrics. Yes, with these puzzle pieces coming together, passwordless authentication looks more promising with each passing month.
Few will mourn the relegation of the password to ancillary status. The password’s problems are longstanding and well-known to end users and IT/Security administrators alike. From a security standpoint, passwords are easy to steal and use maliciously at scale. This makes compromised credentials a leading cause of breaches year in and year out. The user experience has never been ideal either. In order to combat the fallibility of shared secrets, password complexity and rotation requirements have left end users scratching their heads, if not actively banging their heads against the wall.
Therefore, it’s no wonder there’s so much excitement around the promise of passwordless. The market has been abuzz regarding the new technology. There have been calls akin to “forget everything you think you know about authentication.” We’re excited too! In fact, just a couple months ago at Cisco Live, Cisco Duo announced our entry into the passwordless authentication market. If we didn’t think the technology wasn’t promising and innovative, we definitely wouldn’t build a solution of our own.
Passwordless as a complement to SSO
However, the information and marketing buzzing throughout the security industry lately risks setting unrealistic expectations. While passwordless technology is immensely exciting, it is not a cure-all, silver bullet. When used responsibly, passwordless authentication will complement, not replace, many of the security controls currently used today. When innovation comes along, it’s best not to throw the baby out with the bathwater.
Passwordless is just a part of the long lineage of security innovation going back to the turn of the millennium. For example, while passwordless authentication is important, so is the concept of Single Sign-On and federation.
Let’s think about a simple equation for total time spent authenticating. Which is the number of authentications multiplied by the time of each authentication. Passwordless helps reduce the time of each authentication – but doesn’t affect the total number of authentications users perform a day.
Companies have been transitioning to a higher percentage of their applications behind SSO solutions for a few years. This trend should not slow down now that passwordless authentication has arrived. In fact, at Duo we see the two as inherently linked and strive to reach a point where the vast majority of corporate applications are federated behind an SSO. And, yes, passwordless authentication is leveraged to access that SSO portal.
Passwordless Authentication and Device Trust
There have also been advances in device security at the point of authentication. Questions like: “Does this device meet my company’s security requirements?” or, “Is this device managed by my company?” are important to answer before allowing access from any device.
At Duo, we have been building our Device Trust capabilities for years. In the world of passwordless authentication, assessing device posture will only become more important. With passwords removed as an easy attack vector, bad actors will move on to OS, browser, and device security flaws. Therefore, a passwordless authentication solution that doesn’t consider the trust or health of devices falls short of providing comprehensive security coverage.
Passwordless and Risk Detection
The improvement of machine learning and algorithmic risk assessment cannot be neglected as we transition to a passwordless future. Setting historical baselines of access behavior and highlighting deviations from “normal” provides valuable insight into suspicious activity. Each authentication should be evaluated in light of expected values for that specific user and their role. If credentials are being used from an unexpected device or unexpected location or, more importantly, both, that information is highly relevant to remediating potential threats quickly. Without risk analytics assessing how and when passwordless authentication is used and by whom, administrators are left blind – left to sort through thousands of authentication logs searching for threats.
This is why, at Duo, we’ve taken pains to integrate our forthcoming passwordless solution into our machine-learning enabled risk detection toolset.
At the end of the day, passwordless is extremely exciting. The technology promises to revolutionize the way we authenticate to our applications and we’re thrilled to provide passwordless authentication from Duo. However, just because something is exciting doesn’t mean we should neglect other important components of an access security portfolio. As you consider incorporating passwordless authentication into your environment, make sure to consider how it will integrate with your other tools, controls and projects:
- How would passwordless work well with your SSO and enable your federation project?
- Will the passwordless authentication also assess the health and posture of a device at access time?
- Will the passwordless authentications be evaluated for risk and suspicious activity?
As we move into the passwordless future, it’s important to do so responsibly – and at Duo couldn’t be more excited to help. To learn more about our vision and stay in the loop on what we’re building, head over to our passwordless authentication page.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels