The passwordless future has arrived, here are your options
Sep 23, 2021
A passwordless future can soon be a reality, one website at a time!
Microsoft recently introduced a "passwordless account" option for users of their popular services. Users can now utilize password alternatives such as authenticators, biometrics, one-time passwords, or a security key. Users can in fact remove the password associated with their Microsoft account after configuring the alternative.
This shift to passwordless is a major industry trend. Next year, Gartner predicts that 60% of large and global enterprises and 90% of midsize firms will implement passwordless methods in more than 50% of use cases, up from 5% in 2018. Several identity vendors have announced passwordless options for business users.
Passwords have been around for 50 years, and they have been under scrutiny ever since they first appeared on the tech scene. News reports about website breaches and account takeovers caused by passwords are far too common. These are due either to poor password hygiene (e.g., using easy-to-guess passwords or reusing passwords across services) or to poor storage of the passwords by the websites themselves.
Websites started requiring additional factors alongside passwords for authentication, known as multi-factor authentication (MFA). Then, dynamic risk scoring and conditional-access policies were introduced to detect and act on anomalous behavior. Password managers cropped up that allowed users to create unique passwords and recall them easily. Ironically, password managers rely on yet another master password to secure all the passwords they store!
Today, there are many passwordless alternatives. Not all are created equal and some have security issues that make them as vulnerable as passwords. The options below are the most common.
One-time passwords (OTPs)
One-time passwords or one-time PINs (OTPs) are alternatives to static passwords. They are dynamically generated and sent by SMS to a registered phone number, or to a registered email address, during a login session. The user retrieves the code from their mobile phone or email and enters it to complete the login process.
Users benefit from not having to remember passwords. OTPs work across multiple devices and don't require additional software or apps on a mobile device.
Unfortunately, SMS OTPs have suffered from attacks such as SIMjacker, in which attackers gained control of a mobile number, intercepted the OTPs and compromised the account.
Compromised email accounts can similarly reduce the utility of email OTPs as a passwordless option.
Email magic links
Email magic links are a refinement of email OTPs. Apps send a link instead of an OTP to a registered email address during sign-up/sign-in. The user clicks on the link and is redirected back to the application and logged in.
Like email OTPs, the utility of email magic links is diminished if the email account is compromised.
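The issue-and-redeem flow described above, as an added example that is not code from the original post: the server stores only a hash of the random token, the link expires after a short TTL, and redeeming a token removes it so a link works exactly once. The class name, base URL and TTL are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Optional

LINK_TTL_SECONDS = 15 * 60   # assumption: a magic link stays valid for 15 minutes


class MagicLinkService:
    """Issues and redeems single-use, time-limited sign-in links (example code, not the post's)."""

    def __init__(self, base_url: str, clock=time.time):
        self.base_url = base_url
        self.clock = clock          # injectable clock so expiry can be tested deterministically
        # token hash -> (email, expiry). Only the hash is stored, so a leaked
        # database row cannot be turned into a working link.
        self._pending: dict[str, tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh random token for `email` and return the link to send by email."""
        token = secrets.token_urlsafe(32)   # 256 bits of entropy: unguessable
        self._pending[self._digest(token)] = (email, self.clock() + LINK_TTL_SECONDS)
        return f"{self.base_url}/login/magic?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the email the link was issued for, or None if it is unknown, expired or used."""
        entry = self._pending.pop(self._digest(token), None)   # pop: a link is consumed on first use
        if entry is None:
            return None
        email, expiry = entry
        if self.clock() > expiry:
            return None
        return email
```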
Time-based OTPs
Time-based OTPs change after a fixed, regular duration. They're generated from a seed that is assigned to a user during enrollment. The seed is transmitted using a QR code to an authenticator app like Google Authenticator.
During login, the user enters the new OTP from the authenticator app. The website verifies the OTP using the seed associated with the user and grants access.
The advantage of time-based OTPs is that the authenticator app doesn't need to be connected to a mobile network or the internet.
The disadvantage is the increased friction during account enrollment. If the device with the authenticator app is lost or stolen, the user has to go through an account recovery process and re-enroll on the new device.
Authenticators with push notifications
Push notification authentication is a login process in which the user is alerted to an authentication attempt via a push notification on a registered device, such as a mobile phone. The notification is handled by an authenticator app such as Okta Verify.
The user sees additional contextual information, such as the location where the login was attempted and can allow/deny access. The experience is seamless since users don't need to enter verification codes. This method offers a good combination of security and convenience.
Push notification authenticators have the same user friction associated with device enrollment during signup and re-enrollment on a different device if the original device is lost or stolen.
Security keys
Security keys provide a hardware-based, public-key cryptography solution that makes them very effective against phishing attacks and account takeovers. These devices use USB, NFC or Bluetooth to work as authenticators with devices such as mobile phones or desktops. They can be used with modern browsers and websites that support WebAuthn and CTAP, the two protocols that make up the FIDO Alliance's FIDO2 standard.
YubiKey and Titan Keys are popular security keys. These are also called roaming authenticators because they can work with multiple devices. Security keys are highly resistant to phishing and session hijacking and are consequently very secure.
The cons of security keys include cost, although Amazon Web Services plans to offer free security keys to administrators in a bid to bolster the security of accounts. Security keys are hard to replace if lost or stolen.
Biometric authentication
Biometric authentication involves identifying and verifying biological characteristics such as fingerprints or retinal or facial features. Modern devices such as the Apple iPhone support Touch ID and Face ID, and the Microsoft Surface supports Windows Hello.
The biometric information is stored locally during the device enrollment process. The user has to repeat the process on every device, since platform authenticators are bound to the specific device on which they were enrolled.
Smartphone manufacturers have made biometric authentication easily accessible to users. However, a vast majority of the users still don't possess high-end smartphones that have biometric authentication features. User friction during re-enrollment is also high.
Single sign-on
Single sign-on (SSO) approaches such as "Sign in with Apple" provide a low-friction way for end users to sign up and log into non-corporate websites. If users are already associated with an Apple or Google account, they can seamlessly log in to participating websites. Apple and Google use existing logged-in information to sign the user into the website.
Such federation approaches are gaining popularity on the consumer side.
On the corporate side, this is still not very pervasive. Google sign-in provides the SSO experience on certain third-party websites, and only if the corporate identities are hosted within Google Workspace.
There has never been a better time to abandon passwords. On the corporate side, options abound for switching away from passwords. Weigh the pros and cons of a passwordless option before standardizing on it. Use a migration strategy that lets your users configure a passwordless option, and provide a mechanism to remove the password once migration is complete.