We often talk about the passwordless experience. For IT and IAM professionals the term passwordless is an abbreviation for “passwordless authentication” and it frequently involves a Single Sign-On system or SSO portal. For the rest of us it’s simply “passwordless login” — a convenient way to sign into my favorite mobile app or website without any password.
The fundamental value proposition of passwordless for anyone managing user identities is the removal of the human password element, the biggest risk in the system.
But passwordless login does not mean you are eliminating authentication. You still may require several authentication factors albeit they may not be as obvious or visible as a password.
Our customers often say: “It sounds great in theory, but we’re concerned about the security. If we make the SecureAuth Authenticate OTP app the primary authentication token — isn’t this really just one factor if you’re going passwordless?”
The simple answer is: “No, going passwordless with a single OTP app still meets the criteria of multiple factors.”
Connecting various visible and invisible factors into a single, adaptive authentication policy in your IAM system lets you determine which combination of two or more non-password authentication factors is acceptable for your risk tolerance. In practice, this will almost always represent multiple possible combinations – as some factors provide a low relative level of security assurance, while other factors provide a high level of security assurance.
Now let’s break this down:
1. Pre-authentication context analysis – the invisible factor “zero”
Pre-authentication context analysis is a core component. While this is technically not a factor, it serves as a critical signal in validating whether both a user and her authentication factors are behaving in an expected way.
Pre-authentication context analysis allows you to understand if the user (or a malicious actor entering the username) is initiating the login from an expected location, at an expected time, using an expected browser on an expected OS. These are critical pieces of information that your Cloud IAM system like SecureAuth can evaluate EVEN BEFORE the user provides any authentication factor.
As a result, this adaptive risk and trust assessment lets you identify a user with a high degree of probability before you ask her to enter anything, call it a password, call it MFA.
2. One-time “password” – the first factor
The most advanced OTP authenticators like SecureAuth Authenticate now provide Push-to-Accept. Push-to-Accept replaces the need for the user to retype a passcode from their smartphone screen, the passcode is sent behind the scenes.
Push-to-Accept provides the first (and often the only) authentication factor visible to the user.
For high-risk logins SecureAuth can switch to Symbol-to-Accept. The simple Accept/Deny options of Push-to-Accept are replaced with a set of four symbols (i.e. letters) and the user is required to tap the symbol that matches what she sees on the login screen. This makes the authentication step less susceptible to careless auto-accept.
3. Biometrics – the second factor
In a passwordless login flow you still may require that for the user to interact with the SecureAuth Authenticate app, the user must have biometrics enabled on their phone. With Push-to-Accept the user must first unlock the OTP app with Face Unlock, Face ID, Touch ID, or Fingerprint Unlock before she can tap Accept.
Even if someone stole the phone, they still wouldn’t be able to use the authenticator app without a Face ID.
As part of the request for an additional factor, you verify that the smartphone has a sufficient quality of biometrics associated with it. You won’t accept any smartphone with a fingerprint reader, the phone must reach the quality you require. This device integrity verification extends to a detection of jailbroken or cloned devices, detection if the phone is set up to require a PIN or Face ID – if these verifications fail, then you can reject all attempts coming from this phone.
True 2-factor passwordless with SecureAuth and mobile OTP app
So, with just the SecureAuth mobile authenticator app you now have passwordless authentication that relies on a combination of two types of factors:
- Something you have: your phone – as your first factor.
- Something you are: Face ID/Face Unlock biometrics – as your second factor.
Technically, you may also allow a PIN Unlock for the MFA app instead of biometrics – in that case “something you are” (fingerprint) would become “something you know” (PIN).
At this point, your user is using two independent factors but neither one of them have anything to do with typing a password. For us at SecureAuth entering a password is just another factor, doing passwordless means I’m using another factor instead.
In summary, two-factor passwordless login is something you can easily do with just the smartphone.
True 2-factor passwordless with SecureAuth and YubiKey
Let’s look at another authentication method that’s getting increasingly popular especially after the introduction of the FIDO2 WebAuthn standard – YubiKey.
Can you enable 2-factor passwordless with just YubiKey the same way you can with SecureAuth Authenticate? In short, yes.
One of SecureAuth’s customers in the energy sector has evolved to the point where they allow passwordless for most of their employees. The company’s IAM team standardized on YubiKey and in their passwordless login flows their users must use a YubiKey device.
Being an energy company, some of their employees are accessing critical infrastructure – interestingly, this is where we’re seeing some of these user authentication use cases cross between just digital access to digital and physical access.
Those employees – when they authenticate with YubiKey to one of the critical infrastructure systems – are additionally required to enter a YubiKey PIN (“something I have” – YubiKey, and “something I know” – YubiKey PIN). As you can see, this represents two-factor authentication in a pure passwordless setup. The two factors – the YubiKey hardware authenticator and its PIN – are the only two factors visible to a user. Behind the scenes SecureAuth is still performing its pre-authentication and real-time telemetry evaluation as part of the invisible factor zero we covered earlier.
Is passwordless secure? As long as you understand the authentication factors you need from the user, the answer is a resounding yes! Removing the password does not mean reducing security.
Continue reading
Passwordless Authentication in 10 Seconds (video)
Making passwordless possible (white paper)
Passwordless Authentication and Adaptive Authentication
Passwordless Authentication – Overview / Benefits / Challenges
