What is passwordless?
Passwordless is a type of authentication that relies on technical controls other than passwords. As far as authentication is concerned, we have three flavours of factors: something you know (for example a password), something you have (could be a car key) and something you are (biometrics, i.e. voice, retina, fingerprint, face). We could simplify and say passwordless uses the latter two: something you have and/or something you are.
What’s the problem with passwords?
We have used the logic of something you know for years. In fact, for thousands of years, way before the era of computers. Romans utilised mutual authentication via passwords/codes and responses (watchwords).
So, what’s the big deal, if it’s so old and proven?
Well, the most significant issue isn’t the complexity (whether you use lowercase, uppercase, special characters or numbers), the length, or how long you keep using the same password. Nor is it dictionary-based passwords that create the fundamental problem.
It’s the fact that… they simply exist. Before you laugh me out of the room, let me explain what I mean. The most profound characteristic of “something you know” is that we can make copies of it and use the copies the same way as the originals. If I tell you my password, it’s as if I made a copy of it. If I write it down, the same principle applies.
The ‘something I know’ is most vulnerable at the time of processing, precisely because we need to make a copy of it: enter the password on the webpage, for want of a better example. And no matter how hard we try or how diligent we are, attackers find new ways to get hold of it. Never sharing or writing down your password does not make you resistant to a successful attack on your credentials. Credentials also leak from the servers where they’re stored. It doesn’t much matter how we store credentials server side either, because at some point in the journey we need to have a copy in clear text. Of course we utilise encryption, but it’s only as strong (or as weak) as the key.
I really like how some identity providers market passwordless… they say something like ‘If there’s no money in the vault, you can’t steal it. Same with passwords’. I love this statement, as it captures the biggest problem of ‘something you know’: the ability to make a copy.
What’s our understanding of passwordless authentication?
For the majority of us, not great, and it’s not our fault. A while ago I asked on LinkedIn what the showstoppers were for not having passwordless authentication widely deployed. I meant the enterprise. I hadn’t made myself clear enough, but I’m actually glad it happened. People responded from the perspective of users and why they’re not using it (ironically, not having a great deal of choice in the matter). For the majority of us, we simply don’t trust it. I kept digging and arrived at the conclusion that there were two main contributors to the sentiment. Firstly, a lack of understanding of the technical side; secondly, falling for edge use cases in what I’d call a vicious circle of disparity. We’d say, for example, how certain can one be that only their fingerprint can unlock the laptop, or what the assurances are that the fingerprint definition never leaves the device. We quote articles on how identical twins can unlock iPhones with FaceID.
Let me put my risk hat on and respond to your concerns. You prefer passwords, even though that method can be compromised without anyone ever coming near you.
Passwordless methods require some form of proximity for the theft to happen. Can I steal ‘something you have’ – of course! Can I steal ‘something you are’, like your fingerprint – indeed. And I don’t need to hack into the TouchID to do it.
The attack surface of the latter two, though, is smaller, and not just by a tick but by an order of magnitude. I’ll risk a statement: no matter what technical controls we put in place, there will always be a way round them; people tend to do pretty much anything when their lives or the lives of their families are at stake.
The odds of someone stealing your laptop, your fingerprint and successfully logging in are really, really slim. Put another way, if you are using a banking app on your phone and use facial recognition (like FaceID) or a fingerprint (like TouchID) to unlock it without a password, you are already on the passwordless train. It’s a testament to the trust in the technology of a smartphone. It’s a numbers game and the odds are very much on your side.
Is passwordless MFA?
It can be, but doesn’t have to be. If we substitute a possession factor, for example a car key, for the password, then on its own passwordless is in the single-factor camp. If you need to scan your finger to start your engine in addition to the key, you cross to the MFA side. MFA makes authentication stronger by an order of magnitude, even with passwords, so imagine what it does to passwordless journeys.
Examples of passwordless authentication
Banking app on a smart phone
If you think it’s just your face or fingerprint, you’re wrong. What your biometric is actually used for is to unlock a cryptographic key that is stored on the device. What’s more significant, it is stored only on your device, as it never leaves its digital and physical boundary. The combination of the two also makes it MFA (although uni-channel).
eBay
eBay utilises WebAuthn to eliminate passwords. All you need to know for now is that it’s an industry standard for performing passwordless authentication. It is also worth knowing that by using WebAuthn you are (technically) removing yourself from the possibility of ever falling for a phishing attack: a rogue website pretending to be eBay and letting someone else access your account. It’s the mutual trust required by WebAuthn, established with asymmetric cryptography, that prevents phishing attempts from being successful.
My pet hate – One Time ‘Thingies’
We can argue for hours whether an OTP (one-time passcode/password) belongs to the category of ‘something you know’ or ‘something you have’. If I were trying to be awkward, I might say it’s both.
Thankfully it’s irrelevant, and let me explain why. Whenever I hear “OTP passwordless” I start trembling. Not sure if it’s because it doesn’t make any logical sense or if I simply don’t like it. The painful thing to watch is that some market-leading identity vendors advertise OTP as a valid passwordless solution (OTP passwordless, grrrrr…)
The problem with an OTP is that it’s prone to a MitM (man-in-the-middle) attack. The underlying problem is the same as with the password. Remember what I said earlier: the issue is not how long or how many times we use the same password.
Any OTP needs to be “replayed” into the same channel where the authentication process was initiated. A rogue website pretending to be the real one can harvest the OTP and forward it to the attacker.
Out of the two main one-time ‘thingies’, OTP and magic link, the latter is slightly stronger, even though the delivery channel is the same and could be considered a weak link (SMS is not considered very safe).
What is a magic link? It’s a URL that you click on to ‘resume’ the authentication journey. Having the magic link (which works only once) gives you the access. That’s why the delivery channel is so important. A magic link opens a Pandora’s box, though, and exposes you to another attack vector, so again, while slightly stronger than an OTP in an email or SMS, it’s still something a CISO may lose sleep over.
You provide your email or phone number on the webpage, the system sends you an email (or SMS) with a link, you click on it and you’re in. No password. The trust in this flow rests on access to your email or phone.
Even if you replace the OTP with a push notification, you are exposed to MFA prompt bombing. The thinking changed recently, and an authentication process based on a username prompt plus push MFA is no longer considered a valid and secure option.
You can make it work if your username is not derived the same way for all users (it cannot be guessed, so in principle I cannot initiate the authentication process for someone else), but then again it becomes in itself a ‘something you know’.
The challenges of passwordless
As with everything in life, where there are advantages, there are disadvantages. Passwordless is no different, and while top-notch security-wise, there are two nightmares we need to manage.
Chicken and egg scenario
Passwordless is a device-centric process. We can either integrate the possession factor into our device (for example a fingerprint reader) or use an external device, like a Yubikey or any other FIDO2-compliant dongle. To complicate things even more, your laptop’s integrated TouchID is considered a different device on different browsers. If you set it up on Chrome, it won’t work on Safari. If you clear the cookies… you guessed it, it’s lost. You can set it up on all WebAuthn-compliant browsers, but it’s an effort and it’s ugly.
One way or another we need to register the device with the authorisation server. That’s when we’re most vulnerable, as we haven’t got anything else to authenticate the action. Most of the time we fall back on one-time thingies, provided to us through some secure channel, or even… passwords. And to make things worse, after we successfully enrol, we always need to have the device with us in order to authenticate. What if I want to read my email on my mate’s shiny new M1?
That’s where (quite rightly) most of us start complaining. I may forget to take my Yubikey or the laptop with me. How do I access the application from my mate’s computer then?
Single point of failure and a lost device
I can lose my laptop by accidentally dropping it into a fjord, or someone may steal my phone. One way or another, if that was the only device I used for passwordless access to my application, I am back to square one, the chicken and egg scenario: how do I prove I am me without my only possession factor?
The solution
A mind shift
As we evolve as a digital society we need to stop operating in the uni-channel, password-gets-me-everywhere model. We have to accept the fact that multi-factor, multi-channel, multi-device is the new reality. I know that the CX (Customer Experience) suffers, because we need to maintain more ‘stuff’. But in all honesty, what’s better out of the two: setting up 2-3 devices once, or typing the password a few hundred times a year?
Trust vs Authority based recovery
I recently published this blog post, where I propose new methods to address the ‘chicken and egg’ scenario. Mainly around recovery, but the logic can easily be extended to enrolment. Identity proofing has its place, especially in highly regulated businesses, but isn’t a panacea. Neither is customer service. Utilising trust helps in both workforce and CIAM use cases. If you want to learn more about it, I’d encourage you to read it.
QR code based passwordless login
During the IDLive 2022 conference in London, ForgeRock’s Mary Writz demoed a unique way to utilise a mobile phone to authenticate a web flow, in an omni-channel model. No app needed! You enter your username in the browser, which in turn generates a QR code. You scan that QR code with the mobile camera, which takes you to a WebAuthn-powered service, where you are identified and authenticated using your device with fingerprint or face recognition. That triggers a callback to the web flow in your laptop browser and you’re logged in. Brilliant, right? Not exactly what Mary showed in her keynote, but a very similar logic was described here by another identity rock star, Stéphane Orluc.
Apple Passkeys
Brand spanking new, shiny, fancy… and an evolution of the QR code approach described above. You can use the keychain in your phone to store the cryptographic material. Bluetooth ensures you’re in physical proximity, but the concept is the same. There’s a front channel to initiate the authentication and a backchannel to fulfil the login. There’s more. In a classic FIDO2 scenario, you cannot copy the key (duplicate a Yubikey for example), but the passkeys can be securely shared with your friends or family.
You start the journey on a laptop and identify yourself by providing a username (this could well be facial recognition software, too); the WebAuthn component then renders a QR code, which you scan with your phone. Both devices need to have Bluetooth enabled. The iPhone recognises the code and asks you for consent to log in. If you agree, biometric authentication is triggered and you’re in! No keys are dropped onto the device from which you are trying to get access, so one could even argue it’s better for our own safety, as a logout means logout and no residue whatsoever.
Conclusion
Passwordless is the next step in our digital evolution. Don’t be scared or look for edge use cases to rule it out. It’s a numbers game and you are winning if you go with a good implementation. We do have the technology to both implement and manage the devices without affecting CX too much.