Identity Knight In Shining Armour – MFPA

Multi Factor Passwordless Authentication

WARNING: Passwords were harmed in the making of this blog

Rant continued… Since I posted this blog about passwordless I went on a LinkedIn quest to shame passwords even more, which included reposting the never-ending debate about how bad passwords are, what portion of cyber attacks are caused by ATO (Account Take Over) and how long it takes to crack a password. All I hear about is MFA prompt bombing and attack vectors, countless blogs on push-notification fatigue and how it aids bad actors.

Let’s put it all behind us

Talking about passwordless doesn’t propel us to the future; we need to actually deploy it. Here’s one option, a proposal for what I am calling MFPA – Multi-Factor Passwordless Authentication. Since some of my recent blogs covered the workforce scenario, today I’ll focus on the customer use case (CIAM). Let me tell the story of passwordless throughout the lifecycle, for completeness.

Since passwordless is a possession-based factor (allow me that for now), we absolutely need to register the device we are going to use to consume the service. That doesn’t mean we cannot use ANY device in future (including transient ones that we don’t own), but at the very beginning of this journey it needs to be our tablet, phone, laptop or desktop (does anyone still use them???).

And at this point all I am asking is for us to be honest with ourselves. Our phones and laptops are very private items. We live in times that force us to be careful, and we have fairly high standards for privacy. Therefore I would like to put the argument of ‘oh, what if I lose my phone’ to bed. Well, you’ll be gutted and phone-less for a day or two. Nothing beyond that, if you shift your thinking to the omni-channel, multi-device world of identity.

The genesis – registration

The customer goes online and creates an account. It’s a self-service flow, where we either use their social media account or bore the customer’s pants off and make them fill in the details manually. We only need an email address and a name at this stage; let’s not overwhelm the poor gal (or guy, identity is inclusive). The whole thing takes seconds.

If we chose the laptop-first approach, the app will now show a QR code to scan with the mobile; if we were on the mobile device, it will just get registered. If we used the mobile to register, it would be reasonable to go and log into the app using another device, for example a laptop or a tablet.

Et voilà, we’re set! You may wonder what just happened and how this makes it a multi-factor solution. Your mobile* now contains cryptographic material (the sensitive part of which never leaves your device), which you can only unlock using biometrics, a fingerprint for example. The combination of the biometric and possession of the crypto key makes it true multi-factor authentication.

New device

You bought a new laptop? No, that would be too easy. You went to visit your friend and need to log into the app from their laptop. You don’t want to leave any crypto material on that device, but you also don’t have a password to play with. So you put your username into the app and use your mobile to scan a QR code, which takes you either to passkeys (by Apple) or to any similar omni-channel hand-off logic on your mobile device. Remember – your mobile device is registered. You confirm the login on your phone and you’re in. After you log out, no passwordless residue is left on your friend’s laptop.

I lost my phone… argh!

No problem. Remember the omni-channel, multi-device world? You are logged in on your laptop/tablet, and you can use those devices to enrol your new phone.

I lost all my devices

Pretty sure that’s a serious problem. But from the identity perspective, it’s only a problem if you also lost access to your email. If you haven’t, you will get an email with a magic link that will allow you to log in seamlessly (just this one time) and register a new phone. From there, remember, you can use your phone to log into the application. Another option would be to have your friends and family authenticate you. After all, they know you best and they are the best people to confirm your identity. I wrote about trust vs authority based recovery here. Yes, it can be safe, in fact much safer than the magic link on its own. You can achieve higher assurance levels from friends-and-family recovery flows.

Does anyone do this today?

Yes! Some trading platforms use exactly the mechanism I described to log you into their mobile app. There’s no concept of a password whatsoever. eBay allows you to substitute WebAuthn for the password, though the password is still there on the back end, so the passwordless option is more a usability feature than a security control. Rest assured, we are going to see a surge in the move to passwordless over the next couple of years.

The business value

We hardly ever do anything in business for kicks and giggles. The multi-factor passwordless solution not only decreases friction for the user but improves security by an order of magnitude. Combine it with Risk Based Authentication (yes, there is value in doing so) and it may make the difference between your customer using your service or the competitor’s.

Conclusion

Passwordless isn’t nearly as complicated as we think. Let’s be bold and brave and shift the mindset. It honestly takes less time to scan your finger on your laptop than to enter a password and then type the one-time code from an SMS. Everything I described above, and beyond, can easily be achieved using orchestration, so ForgeRock and Ping Identity will be at the front line for a solution. It will take minutes to set up WebAuthn and maybe hours to cover the omni-channel aspects (though passkeys are in the minutes category). If you spend a couple of weeks on the project, make it really frictionless and eliminate passwords, you are guaranteed to attract users and increase the speed of trust between your business and your customers. Not to mention the reduction of fraud, but that’s a story for another day.


* By a mobile we mean a modern smartphone with biometric authentication, like face or fingerprint recognition.