Passwords are intrinsic to the way our modern lives function, across every network, device, and account.
The vision of a passwordless world could be simple and elegant, as these technologies would provide secure new options for authentication and improve user experience.
To combat passwords, Apple, Google, and Microsoft jointly announced their intention to start supporting FIDO (“Fast Identity Online”) passkey authentication on all of their browsers, platforms, and operating systems before the end of 2022 in an attempt to move to a “post-password world” -- but it brings numerous complex challenges for business users.
“The advantage of eliminating passwords is the reduction of password-related attacks on the services which support the technology,” says Darren Guccione, CEO and co-founder at Keeper Security. “However, the path to getting there will be very long and messy.”
He explains passkeys were specifically designed to become a password replacement in full, and along with passkeys, the use of biometrics or other strong attestations of the user's identity are required.
To make passkeys work, it requires significant development from all parties including the operating system vendor (Apple, Microsoft, Google) and the website/application software vendors.
“Once they have the technology in place, the users will then need to migrate their accounts from password-based logins to passwordless logins,” Guccione says. “The user experience will greatly vary between products.”
Technologies that move the password into the background, such as biometrics and mobile application authentications, are becoming more common, especially as they are getting easier to use and enable.
Passwords Moved to the Background
Joseph Carson, chief security scientist and advisory CISO at Delinea, points out that passwords still exist with many of these technologies. “Typically, the password is now a recovery key, backup key or a pin being used when a device is restarted, for example,” he says. “The purpose is slightly changing, and it is becoming less used daily.”
For privileged passwords, these are typically secured with password managers and privileged access management solutions, which will protect access to privileged accounts. “This ensures that the right security controls are required before access is granted, and once access is no longer required, it is revoked, ensuring that the principle of least privilege is enforced,” he says.
From Carson's perspective, the understanding of the term passwordless is misleading and a bit confusing. “It is a passwordless authentication experience in which the password or secret are simply moving into the background,” he points out. “To the user, it appears to be passwordless, however, the technology still requires a secret, often a key, to be exchanged for authentication.”
Preparing for a Post-Password World
Shiva Nathan, founder and CEO of Onymos, says he thinks a post-password business world could be two to five years away.
“Outside of the technology adoption and project planning necessary for a passwordless world, there are more here-and-now things that businesses have to work on,” he explains.
At the onset, businesses must take an inventory on two fronts; services that a business provides itself requiring passwords and services that a business consumes from other providers requiring passwords. “While this might seem like a trivial exercise, there is much to be learned,” Nathan says. “How much are these businesses relying on shadow IT and third-party SaaS services?”
He adds the next critical work businesses must do is to plan for what I think of as the pre-post-password world. “It's the transition time between passwords and passwordless,” he notes. “How will they effectively provide two different user experiences simultaneously?”
Carson agrees that there are many advantages to a passwordless authentication experience and that is no longer requiring users to create and think of complex passwords which are often difficult to remember, resulting in password reuse.
“The more that organizations move to a passwordless authentication experience will force attackers to move to alternative methods, such as social engineering techniques to gain access,” he explains. “The threats do not go away; they simply evolve continuing to focus on abusing users trust.”
The passwordless authentication experience has been mostly focused on user interaction identities, however, many machine identities still require passwords such as IoT devices, endpoints, servers, applications, and services.
“It will be a long time before these can move away from passwords,” Carson says.
Distributed Workforces Complicate Passwordless Posture
Nathan points out most post-password plans, including the leading one from FIDO alliance, rely on secure access to a user’s device.
“There are three challenges with this approach,” he says. “The first is that a user is expected to always have access to the device. In our new distributed workforce world, this isn't always the case.”
He says in the event a user loses their device, the expectation is to re-instantiate from a previously synced device.
“This approach will leave out the vast majority of the users who cannot afford or do not have a second device available and at the ready,” he adds.
The third challenge concerns the fact that there are multiplying endpoints to sync and work with one provider versus the other, which is theoretically defined and yet to be proven to work in practice.
Guccione adds there will be many challenges regarding user management, device replacement and enterprise controls.
“Most likely, accounts will still need to be protected with a strong and unique password, and managed within a secure password management system,” he says. “Additionally, if a physical device or security key is lost, damaged or forgotten, a strong password must still be used for fallback authentication.”