You’ve likely heard of the passwordless concept before, and you may have heard predictions that passwordless environments would become a reality in our near future. However, the password hasn’t gone extinct quite yet — in fact, you’ve probably typed in at least one today to access your resources. So, is passwordless authentication a coming reality or an elusive pipe dream?
In this blog, we’ll explore the possibility of a passwordless world, what’s driving the passwordless push, barriers to its adoption, developments in technologies like FIDO2 and WebAuthn powering passwordless authentication, and business environment changes that are bringing it closer to reality.
Have Rumors of the Password’s Death Been Greatly Exaggerated?
The passwordless world isn’t a new concept. The IT community has been discussing the death of the password since 2004, when Bill Gates predicted it at an RSA Security conference.
In 2011, IBM echoed Gates’ prediction, assigning the password’s extinction a five-year timeline — but, just like Y2K and the 2012 Mayan doomsday, the password’s death date came and went, and we continue to type our passwords in (or forget and reset them) day in and day out.
This brings us to the question: Is passwordless authentication even possible?
Is Passwordless Authentication Possible?
In short, yes. Essentially, passwordless authentication is authentication in which a password isn't one of the factors. In practice it is usually still multi-factor authentication (MFA): something the user has (a phone or security key) is combined with something they are or know (a fingerprint or a device PIN). Typically, logging into a resource requires a username and password, and with MFA, it usually requires a username/password combination plus one other authentication factor, like a time-based one-time password (TOTP). With a passwordless login, the password is replaced with another factor, like a push notification, biometric, or security token. This way, the user could simply scan their fingerprint and tap a button on their phone, or complete another combination of simple passwordless MFA steps, to log in securely.
But just because something is possible doesn’t mean it’s desirable, which brings us to our next question: Is passwordless authentication safe? Is it something we should be working toward?
Is Passwordless Authentication Secure?
When a technology has spent decades as the reigning security solution around the world, that means hackers have spent decades perfecting techniques for compromising it. Passwords are no longer a highly secure means of protecting resources — and especially not when they stand alone, without the added layer of MFA. In fact, compromised passwords were the leading source of breaches last year, followed closely by shared credentials and phishing attacks.
Two main weaknesses of the password are driving the need for a better security solution:
Password theft and hacking techniques are sophisticated and rampant. Hackers have developed ways to compromise just about every type of password-based credential, including TOTPs, which a phishing page can capture and relay to the real service before they expire. From running phishing scams to renting compute power for offline brute-force attacks that test billions of candidates per second against leaked password hashes, attackers can crack any password that is short, reused, or built from dictionary words. Only long, random, unique passwords hold up, and those are exactly the ones users cannot remember.
Users rarely follow password best practices. From writing passwords down to reusing them to using passwords like “password123,” users have trouble following password best practices. While most indiscretions are not malicious, they still create targets for compromise.
Most of these malpractices come from the poor usability of the password as an authentication factor. As businesses move to cloud and SaaS-based models, users have to remember more and more passwords, an average of over 170. Expecting users to create and remember unique, complex passwords for each resource is unrealistic, and most use fewer than 20 passwords to lock all 170+ resources.
As bad password habits become the norm and hackers learn to spot and target vulnerable password-protected accounts, companies have started looking for more secure ways to protect their assets. When implemented correctly, passwordless authentication does just that. So, what’s taking so long? Why haven’t we implemented it yet?
What Are the Barriers to Passwordless Adoption?
If passwordless authentication is possible and secure, and the IT community has been predicting it for years, why hasn’t it become a reality yet?
It’s difficult to stop decades of worldwide inertia, and the password has enjoyed over 50 years of use as it gained global popularity. Now, it’s become so common that people have come to expect it, and logging into applications without one can be jarring and confusing, which makes buy-in among users and leadership hard to win.
Many people’s first thought about passwordless logins is that they sound less secure, not more secure, than a password-protected account. For busy, business-oriented leadership teams, this can be enough to bar adoption; many businesses aren’t looking to be at the vanguard of security, they just want to implement reasonably secure policies, and to the untrained eye, the password accomplishes this. However, passwords are becoming less and less secure, and the norm is moving toward MFA, Zero Trust security, and higher security standards that rely less and less on passwords.
When MFA made its debut, it wasn’t as sleek as it is today — the first instances of MFA included factors being sent to pagers, printers, landline phones, and other receivers (check out the original 1997 patent). Even today, some MFA methods impose significant demands on the user, like sourcing and typing in a TOTP.
Some TOTP integrations can be even more cumbersome: with RADIUS, for example, some setups require users to type their password, then a comma, then their TOTP into a single password field, because the protocol has no separate field for the second factor. It’s easy to imagine how a user might lock themselves out after too many failed attempts (or worse, give up and find a workaround or sign into an easier-to-access network).
Further, passwordless authentication has historically been supported by some applications but not others, which made it less attractive than the well-understood and universal password. However, as providers hone their passwordless technology and software vendors come to understand the importance and growing demand for it, more and more solutions are supporting passwordless authentication and, crucially, prioritizing MFA accessibility.
Lack of Buy-In
All of these barriers created a lack of user competency around passwordless MFA and skepticism among leadership, generating low buy-in. However, as tools streamline the user experience and the business world’s understanding of the precarious security landscape improves, buy-in is growing and more businesses are seriously considering the idea of moving toward passwordless authentication.
What Makes This Time Different?
Although passwords have proliferated longer than many IT experts expected, changing business environments, evolving mindsets, and rapidly developing technology are carving the path toward a passwordless future. The following are some of the changes the modern workplace is experiencing that are spurring faster and wider adoption of passwordless authentication.
Increased Understanding of the Password’s Weaknesses
The illusion of the password’s security is fading as catastrophic breaches caused by password compromise continue to make the news and additional studies of user behavior have confirmed suspicions that users don’t follow best practices, like the fact that only 20% of users use unique passwords for every account. Businesses are taking note and beginning to look for alternative solutions rather than continue to impose the unrealistic expectation that users remember growing numbers of unique, complex passwords.
Remote and Hybrid Work
Before the coronavirus pandemic forced businesses around the world to go remote, the norm was in-office work. Workspaces were more homogenous, with employees all signing onto the office’s central on-premises network from the same location at the same time. While cybersecurity was still a growing threat, it wasn’t as top-of-mind for executives as it is now, as companies need to secure employees using various methods and devices to access resources from widespread remote locations.
The Rise of Zero Trust Security and Increased Leadership Buy-In
The shift in leaders’ attention toward securing remote work has spurred more interest in tighter security. The business world is seeing a growing adoption of Zero Trust security, including MFA solutions, conditional access, and other security methods more advanced than the password.
In fact, in a recent JumpCloud survey of IT professionals, 21% of respondents said their business already had Zero Trust in place, and another 46% said their company planned to adopt it by the end of 2021, if not sooner. The same study showed that 84% of respondents worked at companies that had some level of MFA implemented.
While IT admins may have long been advocates for passwordless authentication, changing workplace trends and rising security concerns have opened the ears of company decision-makers, who are now more willing to slow inertia in favor of more secure solutions.
Passwordless models have been clunky in the past, whether they were only compatible with a small subset of tools, substantially increased friction in the user experience, or were susceptible to the same hacking techniques that passwords were. Fortunately, technology has been advancing to meet password and security challenges with more streamlined, secure, and user-friendly approaches.
Push notifications, for example, streamline clunky MFA steps like SMS codes: users can simply tap a button on their phone rather than type out the code sent via text message, though a push approval is still only as good as the user’s attention to what they are approving. Biometrics similarly reduce friction with secure, user-friendly technology.
One of the key developments in recent years that is streamlining MFA and bringing passwordless authentication within reach is the FIDO Alliance and the principles and protocols they’ve developed in pursuit of a passwordless world.
Passwordless Authentication with FIDO2
FIDO, or Fast IDentity Online, is a set of standards for secure passwordless authentication put forth by the FIDO Alliance. FIDO2 is the most current set of standards and comprises Web Authentication (WebAuthn) and the Client to Authenticator Protocol (CTAP).
WebAuthn is a browser API, standardized by the W3C, that lets a website register and use public key credentials held by an authenticator, so the website never receives a shared secret it could leak. The authenticator can be:
- A roaming authenticator, such as a security key, which serves as a possession factor
- A platform authenticator built into the device, such as a fingerprint or face scanner, which verifies the user locally (the biometric itself never leaves the device)
CTAP is the protocol a client (the browser or operating system) uses to talk to an external, removable authenticator, for example over USB, NFC, or Bluetooth.
How FIDO2 Works
FIDO2 (the second and most current iteration of the FIDO standards) uses authentication hardware, like a security key or a built-in biometric scanner, as an MFA factor. At registration, the authenticator generates a public/private key pair for that specific site: the public key is sent to the website (the relying party) to store, and the private key never leaves the device. Then, every time the user goes to log in, the site sends a fresh random challenge, the user completes an action on the device (like scanning their fingerprint or pressing a button), and the device signs the challenge; the site verifies the signature against the stored public key.
A FIDO2-supported login can be supplemented with another non-password MFA factor, like a push notification, to facilitate a secure passwordless login.
FIDO2’s ability to facilitate web-based authentication with secure hardware-generated data allows businesses to use passwordless technology on websites. Previously, this technology was only available on mobile device applications (like providing your fingerprint to re-authenticate your identity on a mobile application); now, users can use security keys and biometrics to log into web-based applications.
WebAuthn can also be used in conjunction with single sign-on (SSO), allowing for one secure, FIDO2-based login to grant users access to all of their FIDO2-enabled services.
Some older security keys plugged into devices and registered as a keyboard so they could type a one-time password into the login form (usually an event-based OTP rather than a TOTP). While this spares the user from sourcing and typing the code, it doesn’t eliminate the security concerns associated with OTPs: the code is still just a string submitted to the website, so a phishing page can capture it and relay it to the real service, and the password it accompanies remains exposed to spray and brute-force attacks.
In fact, most MFA factors can fall victim to phishing: a lookalike site can ask the user for a TOTP, SMS code, or push approval and relay it to the real service in real time. They still substantially improve security, but they don’t eliminate risk in sophisticated attacks. FIDO-enabled security keys cannot be phished that way: the private key never leaves the authenticator, the credential is scoped to the genuine site, and the browser records the origin the user is really on inside the signed data, so a lookalike domain cannot obtain a signature the real site will accept. The hacker would essentially have to gain access to the physical device. Even then, user verification on the authenticator (a fingerprint or PIN) stops a stolen key from being used, because a biometric is unique to the user and difficult to replicate.
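The key pair and the origin binding described above, as an added example written for this page in Go (not code from JumpCloud, the FIDO Alliance, or any WebAuthn library): a toy authenticator keeps one private key per site, the "browser" fills in the origin it is really on, and the relying party checks the challenge, origin, RP ID hash, and signature. The hosts bank.example and bank-login.example are hypothetical, authenticator data is reduced to rpIdHash plus a flags byte, and the browser's origin rule is simplified to an exact match; the signature format and the bytes it covers are as in the real ceremony.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Assertion is a reduced WebAuthn assertion; the signature covers authenticatorData || SHA-256(clientDataJSON).
type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // rpIdHash (32 bytes) || flags (1 byte); counter and extensions omitted
	Signature      []byte // ASN.1 DER ECDSA, the format real authenticators emit
}

type clientData struct {
	Challenge string `json:"challenge"` // base64url, as in real clientDataJSON
	Origin    string `json:"origin"`
}

// Authenticator holds one private key per RP ID and never exports it.
type Authenticator map[string]*ecdsa.PrivateKey

// Register mimics navigator.credentials.create(): the relying party stores only the public key.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// Login mimics navigator.credentials.get(). The browser, not the page, records the origin it is
// really on and refuses one that does not belong to rpID (toy rule: exactly "https://"+rpID;
// enforceOrigin=false models a non-conforming client). The authenticator then signs with the
// key scoped to rpID after the user touches it or passes a fingerprint/PIN check (flags 0x01|0x04).
func (a Authenticator) Login(rpID, origin string, challenge []byte, enforceOrigin bool) (Assertion, error) {
	if enforceOrigin && origin != "https://"+rpID {
		return Assertion{}, errors.New("browser: " + origin + " may not use rpID " + rpID)
	}
	priv, ok := a[rpID]
	if !ok {
		return Assertion{}, errors.New("authenticator: no credential for " + rpID)
	}
	cdJSON, _ := json.Marshal(clientData{base64.RawURLEncoding.EncodeToString(challenge), origin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	authData := append(rpHash[:], 0x05)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return Assertion{ClientDataJSON: cdJSON, AuthData: authData, Signature: sig}, err
}

// Verify is the relying party's check; rpID and expectedOrigin are its own configuration.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin string, challenge []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	switch {
	case cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge):
		return errors.New("challenge mismatch (replayed or stale assertion)")
	case cd.Origin != expectedOrigin:
		return errors.New("origin mismatch: assertion was produced on " + cd.Origin)
	case len(as.AuthData) < 33 || string(as.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch: signed for a different site")
	case !ecdsa.VerifyASN1(pub, digest[:], as.Signature):
		return errors.New("bad signature")
	}
	return nil
}

// Demo registers one credential and returns the outcomes of a genuine login, of a lookalike site
// relaying the genuine challenge through a conforming browser, and of a lenient client doing the same.
func Demo() (genuine, phishedConforming, phishedLenient error) {
	const rpID, origin, phish = "bank.example", "https://bank.example", "https://bank-login.example"
	auth := Authenticator{}
	pub, err := auth.Register(rpID)
	if err != nil {
		return err, err, err
	}
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh per login; this is what defeats replay
	login := func(from string, enforce bool) error {
		as, err := auth.Login(rpID, from, challenge, enforce)
		if err != nil {
			return err
		}
		return Verify(pub, rpID, origin, challenge, as)
	}
	return login(origin, true), login(phish, true), login(phish, false)
}
```

Running Demo shows the two layers of the defence: a conforming browser refuses to use the bank's credential from the lookalike origin at all, and even a client that skips that rule still writes the true origin into clientDataJSON, so the relying party rejects the assertion. Nothing the user can be tricked into typing changes either outcome, which is the property the page's "cannot be phished" claim rests on.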
FIDO2 authentication imposes much less friction on the login process than many other MFA factors. It does not, for instance, require the user to receive and type in a TOTP. Because there is nothing for the user to type, there is also nothing for a phishing page to capture, so the better user experience and the better security come from the same property.
FIDO2 also enables biometrics on authenticators built into laptops and phones (platform authenticators such as Windows Hello or Touch ID) to authenticate identity on websites, making authentication one step easier for users by eliminating their need to carry a separate security device. When paired with another seamless factor like a push notification to the user’s personal device, this creates a fast, seamless, and highly secure passwordless authentication experience.
Promote a Passwordless Environment
As in the example above, FIDO2-enabled devices are prime candidates for creating passwordless environments because they’re secure, easy to use, widely applicable, and cost-effective. They create a secure environment for users to complete a second passwordless MFA factor, like a push notification, helping organizations put passwords aside for easier, more secure authentication methods to all the resources users need to complete their work.
Streamline Passwordless Authentication with a Unified Platform
Going passwordless requires an ironclad grip on your user base and a sophisticated IAM platform that can support WebAuthn, security keys, push notifications, and other MFA factors to ensure users have options available to them to keep friction low and buy-in high. The JumpCloud Directory Platform is a cloud-based IAM platform that manages access to all the IT resources users need to Make (Remote) Work Happen.
JumpCloud can power passwordless authentication from a centralized identity directory by supporting FIDO2 logins to our user portal, offering a push notification app, interfacing with third-party authenticator apps, enabling conditional access policies, and more. Learn more about our MFA offering powering a passwordless future.