Passwordless: Between Necessity and Challenges – Analyzing This Authentication Use Case
While it has been a topic of discussion among experts for over a decade, passwordless authentication is emerging as one of the cybersecurity trends for 2024. However, even though passwordless scenarios are increasingly frequent within organizations, fully transitioning to passwordless remains complex.
In this article, we revisit this underlying trend and address the many questions it raises. What drives CISOs to eliminate passwords? What alternative authentication methods are available? What potential obstacles exist in implementing them?
What is meant by passwordless?
To begin with, let’s revisit the term “passwordless.” Literally translated, it means “without a password.” In the context of cybersecurity, it refers to eliminating the need to enter passwords during the authentication process of a user on a device or application. This means completely doing away with traditional passwords and replacing them with more advanced authentication methods.
Now that we understand the concept, a new question arises: what exactly is a password?
By definition, a password is a secret string of characters that the user must remember: in authentication terms, a knowledge factor. It is not bound to any particular device, and the service keeps it (ideally as a salted hash) in a central repository, which is why it can be checked from anywhere. Simply put, a password is first and foremost a secret that the user must memorize and keep confidential, and it must not be written down or stored carelessly in their files and devices.
With that said, there are other formats like one-time passwords (OTP) or PINs. Do they also fall under “passwords”?
An OTP still has to be typed, but it is not a memorized secret in the way a password is: it is derived on the fly from a long-lived seed held by the device and the server (or sent out of band) and is valid for a single use or a short time window. A code captured after the fact is therefore of little use to an attacker. The caveat is that the seed itself is a secret that must be protected, and an OTP relayed in real time by a phishing proxy can still be used within its window.
PIN codes, on the other hand, are a secret to be remembered. However, they are bound to a device and are not held in a central repository; their role is to unlock the device, or the key it holds, and thereby prove that the user possesses it. This is why PINs can be shorter than passwords: a compromised PIN is useless without physical possession of the device, and the device itself typically blocks after a small number of wrong attempts.
Now that we understand what a password is, the question arises: why eliminate them at all costs?
Passwords have been around for a long time, and over time, security rules have evolved to govern their use:
- They must be complex: increased number of characters, inclusion of uppercase letters and special characters, etc.
- They must be changed regularly.
- The number of entry attempts must be limited.
These best practices are particularly effective against brute force attacks, where hackers try all possible combinations until they find the correct password linked to the user’s account.
Limiting the number of attempts immediately defeats online brute force against the login form. Length and complexity matter for the offline case: if the repository of hashed passwords is stolen, the attacker tries guesses at the speed of their own hardware, and the time needed to exhaust the keyspace grows exponentially with password length and alphabet size. A short, common password falls almost instantly; a long random one can take longer than any attacker is willing to wait, the exact figure depending on the hash algorithm and the hardware thrown at it. Two points are worth adding: rainbow tables are defeated by a per-user salt rather than by complexity, and a deliberately slow hash (bcrypt, scrypt, Argon2) multiplies the cost of every guess.
However, there is a downside: strengthening passwords leads to usability challenges and, by extension, user experience issues! Their complexity makes them difficult to memorize and tedious to enter, which poses a real constraint for users. Often, this becomes a source of frustration for those who forget their password or have to re-enter everything in case of a typing error. The process can be even more cumbersome depending on the connection context: imagine entering 12 characters on a television!
Moreover, even though robust passwords have raised the bar, this authentication method is far from risk-free. Organizations remain exposed to password theft, in particular through increasingly convincing phishing. Breach reports consistently place stolen credentials among the leading initial access vectors for information system compromise.
This brings us to the heart of the problem: ultimately, passwords remain exposed to theft risk, and by making them more complex, not only do we not eliminate the associated risks, but we also hinder ease of use. Passwords have reached their limits, and this is where passwordless comes into play! The approach is ultimately about identifying other methods to authenticate users, finding the right balance between user experience and security.
Transitioning to Passwordless Authentication
The entire challenge of passwordless is to achieve strong authentication by replacing password entry with other authentication factors.
First, let’s remember that strong authentication means proving “who I am” using at least two factors drawn from distinct categories among the following:
- A possession factor, i.e., something you have: an ID card, smartphone, USB security key (YubiKey, Winkeo, etc.), smart card, etc.
- An inherence factor, i.e., something inherent to you like a fingerprint, vein or retina scan, voice, face, etc.
- A knowledge factor, i.e., something you know. This category includes passwords as well as PIN codes mentioned earlier.
The idea is to combine authentication factors according to your business use cases. For example, you can authenticate with a DESFire card and a PIN code, or with your mobile paired with facial recognition, etc.
In a multi-factor authentication (MFA) approach, each additional independent factor is one more thing the attacker has to steal or defeat. The gain depends on the method, though: SMS or app codes and push approvals can be relayed by a real-time phishing proxy or worn down by push fatigue, whereas FIDO2 credentials are bound to the site’s origin and cannot be replayed elsewhere.
While some methods like mobile push authentication are already widespread through applications such as those from Google and Microsoft, new technologies keep appearing on the market. For instance, there are ultrasonic OTPs from Copsonic, voice biometrics from Whispeak, Hitachi’s vein recognition, and many others, all compatible with our Ilex Access Management platform.
Technologies have also been designed specifically for passwordless authentication, notably WebAuthn and, more generally, passkeys, based on the FIDO2 standard. The foundation of this approach is asymmetric cryptography: instead of a username/password pair, registering with a service generates a fresh key pair for that user and that service, consisting of a private key and a public key. The service stores only the public key; the private key stays on the user’s device, usually a smartphone or a security key, unlocked by a fingerprint or a PIN and accessible only to the user. At login, the service sends a random challenge, the device signs it together with the site’s origin, and the service checks the signature with the stored public key. Because the signed data includes the origin, a look-alike phishing site cannot reuse the response, and because the service holds no secret, a breach of its database yields nothing an attacker can log in with.
As you can see, authentication methods are far from limited, and their diversity allows for addressing numerous use cases. To understand how to choose your authentication method in this booming market, we invite you to check out our blog post on the subject.
The Challenges of Full Passwordless
Now, it is fair to ask one final question: if passwordless answers access management challenges so well, why isn’t it more widespread within organizations? Are there hidden difficulties behind this apparent simplicity?
Let’s remember that the information system is a complex system. Whether it’s the application landscape, user accounts, devices, etc., each organization is different and has its own specificities. The diversity of user use cases, authentication methods, and access scenarios is vast.
For example, we observe different passwordless authentication trends depending on a company’s industry: mobile push and Windows Hello in banking; CPS cards, or e-CPS via Pro Santé Connect, in healthcare; DESFire badges in retail, etc.
Thus, as we explained for authentication in general, there is no universal passwordless solution, even within an organization. You must be able to combine technological approaches to adapt the authentication process to the user’s context.
For this reason, starting your transition to passwordless should be the result of pragmatic thinking and an iterative approach. It involves moving forward step by step, starting with a small, controlled scope to address the company’s priority needs.
To do this, one must ask: Which users or scopes are you targeting as a priority, and what are their different use cases? Can they connect from both a controlled and uncontrolled device? What happens if one of them forgets their device?
Consider the degraded modes: a forgotten phone, a lost token, an offline workstation… To prove the identity of a user who cannot present their usual authentication method, alternatives to the primary method must be planned in advance.
For all these structural questions, the simplest answer might seem to be falling back to passwords, precisely because a password is tied to no device and can be checked from anywhere.
But what is the point of switching to passwordless if it leads back to passwords at the first obstacle?
We should rather consider other backup solutions, preferring, for example, the following methods:
- Enrolling at least two authenticators per user: the goal is to let them prove their identity through more than one means, such as their mobile and a FIDO key, so that losing one does not lock them out.
- Adopting a sponsorship system: the user’s identity is vouched for by a trusted third party, such as their manager, who knows them personally. The access granted this way should be temporary, limited to what is needed to re-enroll an authenticator, and logged.
Key Takeaways:
- The use of passwords remains problematic: even when complexified, the risk of theft persists, and usability is degraded.
- Implementing other factors like biometrics and devices is at the heart of passwordless.
- Generalizing a single passwordless authentication method is complex given the number of use cases, particularly lost or forgotten devices and account recovery.
- Building multiple scenarios with a pragmatic and evolving approach to cover all use cases is recommended.
- Ideally, rely on an authentication hub that supports multiple technologies and orchestrates them in a genuinely adaptive process. This contextual approach addresses the multiplicity of use cases without neglecting the recovery scenarios.
Pre-Sales Engineer
Inetum Software – Cybersecurity Solutions