Passwords are known as the bane of every IT security manager, but often it’s the way they’re used that creates the most problems. Passwords are shared and reused across numerous logins, and they can frequently be guessed with ease because they are built from pet and children’s names. In other cases, passwords are compromised because users stick with the default manufacturer settings years after their hardware is installed. Based on a recent survey, the average user has 10 different passwords and forgets at least three of them every month.
This has given rise to a number of solutions that are labeled ‘passwordless,’ even though they technically still use some form of authentication. The underlying concept is to replace a string of numbers, characters and letters with something a user doesn’t have to remember and that a hacker can’t easily compromise. This includes device fingerprinting — with an internal media access control address or some other number stored in a device’s digital firmware configuration — along with various biometrics such as a user’s fingerprints and facial recognition.
According to one whitepaper, the security of the passwordless approach “can be achieved in any number of different ways by leveraging public-key cryptography, which uses a public key that may be shared with anyone safely, and a private key that stays on the local device so that — unlike a password — it isn’t susceptible to eavesdropping attacks.” In that respect, passwordless isn’t much different from the split key methods that have been in use for decades.
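To make the quoted description concrete, here is an added example (not code from the article or from any vendor it names) of a challenge-response login built on that split: the device signs a fresh server-issued challenge with a private key that never leaves it, and the server verifies with the stored public key and discards the challenge so a captured reply is useless. The user names and function names are hypothetical.

```go
// Added example (not from the article or any vendor it names): challenge-response login as in the quoted whitepaper.
// The private key stays on the device; the server stores only public keys and one fresh challenge per attempt. Names are hypothetical.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Server stores public keys and pending challenges; none of this is a secret an attacker could log in with.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string][]byte{}} }

// Enroll generates the key pair on the device and registers only the public half with the server.
func (s *Server) Enroll(user string) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy; nothing sensible to do but stop
	}
	s.pubKeys[user] = pub
	return priv // kept by the device, never transmitted
}

// Challenge issues a fresh 32-byte nonce, replacing any earlier one for the user.
func (s *Server) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	s.challenges[user] = c
	return c
}

// DeviceSign is the device's reply; only the signature crosses the network.
func DeviceSign(priv ed25519.PrivateKey, challenge []byte) []byte { return ed25519.Sign(priv, challenge) }

// Verify checks the reply with the stored public key and consumes the challenge, so an eavesdropper's copy cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	c, pending := s.challenges[user]
	delete(s.challenges, user) // one-time use, even on failure
	pub := s.pubKeys[user]
	if !pending || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, c, sig)
}
```

Because the server holds no password or password hash, a copy of its database yields nothing an attacker can log in with; the second Verify call with the same signature returns false.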
Some passwordless vendors combine a variety of approaches: hardware elements, biometrics and a risk analysis engine that evaluates everything and determines what level of access is allowed. The belief is that users will prefer these approaches because they are less intrusive and don’t rely on remembering a password. The expectation is that the underlying IT security will benefit from more secure authentications and logins.
If you were to re-read the above paragraph, you might have a sense of déjà vu: the combination of different hardware and risk analysis techniques is usually referred to as adaptive authentication. The most developed applications come from vendors that offer fully featured adaptive authentication products closely tied to their identity management tools. These include RSA, SecureAuth and OneSpan, among others. These products will require a great deal of effort to implement, because they touch just about every corporate application and user.
The most recent adherent to the passwordless world is single sign-on vendor Okta, which announced that its Verify multi-factor authentication app will expand to include device fingerprinting, making it passwordless. Like the identity management tools mentioned above, going with Okta is a big commitment and will require significant implementation.
Trusona has an interesting approach. When you sign up for their service, they send you a device that fits on the end of your smartphone and looks like a Square-style payment card reader. They’ll use this device (and the chain of custody tracking its delivery from their plant to your hands) to associate your credit card or other magnetically-endowed items with your identity. In essence, it is another form of hardware MFA security token, like the Google Titan and RSA SecurID.
A second technology, the open source Tidas project, began in 2016 but hasn’t taken off. It uses the private encryption keys inside the more recent iPhones (Android support has not been established) to sign and encrypt your data. The logins are handled by the software development kit, so that users don’t have to construct any passwords, and they utilize the fingerprint sensor and the Touch ID button on the phone.
A third choice is Iovation, which has been purchased by credit agency Transunion and is now marketed under its ClearKey product and its adaptive authentication tool LaunchKey. They register the physical smartphone using its firmware fingerprint as an additional authentication factor.
Finally, there are the passwordless apps from Auth0, Nok Nok, Beyond Identity, SecretDoubleOctopus and HYPR, among others. These use various techniques to add passwordless features to your existing SSO and authentication products that don’t yet support this ability.
Then there are the various biometric efforts. When Apple and Android phones first implemented fingerprint recognition, there was a lot of hope that these methods would completely replace the need for users to specify passwords. Some application vendors added biometric authentication to their smartphone apps, but it hasn’t happened at the rate that was initially predicted. Now biometric recognition is just one of many MFA methods used in authentication.
One of the reasons why biometric authentication hasn’t taken off is the difficulty of integrating the fingerprint and facial sensors into applications. Another could be that Apple and Android have two different API collections and code streams that need support. Thirdly, there are still few desktops and laptops with these sensors, and those that have them don’t work very well. However, there are some hopeful signs: Authy, LastPass and Dropbox have implemented support for fingerprint, Face ID and/or Touch ID authentication in their smartphone apps.
If you are looking at improving your password portfolio, you should certainly investigate one or more of these approaches. If you haven’t yet deployed a single sign-on or password manager product, take a look at how you can strengthen your passwords and implement one of the passwordless methods to make it more palatable for your users. If you don’t have a solid identity management system in place, check out what RSA, Nok Nok or Okta have to offer here and what it would take to implement the product.