EDITOR'S QUESTION
BILL MROCHEK, HEAD OF PRODUCT, IAM, JUMPCLOUD
Yes, a passwordless future helps to ensure effective cybersecurity. MIT and Bell Labs introduced password security in the 1960s, but the concept dates back centuries. As children, many of us read Ali Baba and the Forty Thieves and remember the passphrase 'Open Sesame'. Passwords, or 'something you know', have been the cornerstone for identity but aren't robust enough for the security challenges of today.
The inherent vulnerabilities of passwords used alone (shared passwords, the same password reused across accounts, stolen or cracked credentials, and so on) have driven a shift to passwords functioning as just one part of Multi-Factor Authentication (MFA).
MFA also includes elements of 'something you have', like a card, token or mobile push authenticator, or 'something you are', like biometrics that analyze fingerprints, face scans, typing behavior, voiceprints, gestures or even your gait.
There are two schools of thought with passwordless. One argues that a passwordless flow alone with a card, token or push authentication is strong enough by itself to thwart any attack, while others believe that passwordless should involve MFA for a layered security approach. Let's explore both.
Passwordless flows that use cards, tokens or authenticators alone still trump the password in a strict security sense. Passwords can be phished, but not tokens or push authentication with public/private key pairs, which use asymmetric key cryptography. A service creates a 'one-time challenge' at logon; the challenge is signed by the user's private key, verified by the service with the user's registered public key, and a logon token is returned. Because the challenge is random and used only once, a captured signature cannot be replayed, and in FIDO U2F and FIDO2 the signed data also covers the origin the challenge came from, so a signature obtained by a lookalike site does not verify at the real service. This is the essence of FIDO U2F tokens, FIDO2 without a PIN and some mobile push authenticators.
The problem is that if the token is used alone, it can be stolen by a malicious actor, and stealing it can be an easier attack than even a password, but it is an attack that requires physical theft.
Passwordless MFA is much stronger because it adds one more authentication layer. Even MFA used today alongside a regular old password has been shown to prevent many types of attacks.
There is a middle step on the path to passwordless; many consider a Smart Card + PIN, Windows Hello + PIN or FIDO2 token + PIN to be passwordless.
But the PIN is in fact a short numeric password, so this is MFA with another 'something you know' secret. This middle step is still light years ahead of previous password-based MFA, since this form of passwordless MFA uses the strong cryptography described above: the PIN is stored in a hardware secure element, it is checked locally on the device and never sent to the service, and it has a lockout count, so it cannot be brute-forced or harvested the way a password can.
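The challenge-response logon described earlier and the PIN lockout described in this paragraph, together as one added example in Go. This is not code from the article or from JumpCloud: it is a toy model with both sides of the exchange in one process. The Ed25519 key pair, the retry budget of 8, the user name alice, the origin https://login.example.com and the PIN are all constructed for illustration, and the in-memory authenticator stands in for a real secure element.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

const maxPINRetries = 8 // lockout count chosen for this example

var (
	ErrLocked   = errors.New("authenticator locked: PIN retry budget exhausted")
	ErrBadPIN   = errors.New("wrong PIN")
	ErrNoUser   = errors.New("unknown user")
	ErrBadChall = errors.New("challenge unknown or already consumed")
	ErrBadSig   = errors.New("signature does not verify under the registered key")
)

// signedMessage binds the service origin into the bytes the token signs, so a
// signature produced for a lookalike origin is useless at the real one.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// Authenticator models the user's token: the private key never leaves it and
// signing is gated by a PIN with a lockout counter (hypothetical in-memory model).
type Authenticator struct {
	priv        ed25519.PrivateKey
	pin         string
	retriesLeft int
}

func NewAuthenticator(pin string) *Authenticator {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv, pin: pin, retriesLeft: maxPINRetries}
}

func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// Sign releases a signature only after a correct PIN. Each wrong PIN burns one
// retry; once the budget is gone the key is unusable even with the right PIN.
func (a *Authenticator) Sign(pin, origin string, challenge []byte) ([]byte, error) {
	if a.retriesLeft == 0 {
		return nil, ErrLocked
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(a.pin)) != 1 {
		a.retriesLeft--
		if a.retriesLeft == 0 {
			return nil, ErrLocked
		}
		return nil, ErrBadPIN
	}
	a.retriesLeft = maxPINRetries // a correct PIN resets the counter
	return ed25519.Sign(a.priv, signedMessage(origin, challenge)), nil
}

// RelyingParty models the service: it issues one-time challenges and checks the
// returned signature against the public key registered for the user.
type RelyingParty struct {
	origin  string
	pubKeys map[string]ed25519.PublicKey
	pending map[string]bool // outstanding challenges (hex), consumed on first use
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge returns 32 fresh random bytes and remembers them as outstanding.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c
}

// Verify consumes the challenge first (so a captured signature cannot be replayed),
// then checks the signature under the user's key and returns a logon token.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) (string, error) {
	key := hex.EncodeToString(challenge)
	if !rp.pending[key] {
		return "", ErrBadChall
	}
	delete(rp.pending, key)
	pub, ok := rp.pubKeys[user]
	if !ok {
		return "", ErrNoUser
	}
	if !ed25519.Verify(pub, signedMessage(rp.origin, challenge), sig) {
		return "", ErrBadSig
	}
	tok := make([]byte, 16)
	if _, err := rand.Read(tok); err != nil {
		panic(err)
	}
	return hex.EncodeToString(tok), nil
}

func main() {
	rp := NewRelyingParty("https://login.example.com")
	auth := NewAuthenticator("2468")
	rp.Register("alice", auth.PublicKey())

	ch := rp.NewChallenge()
	sig, _ := auth.Sign("2468", rp.origin, ch)
	tok, err := rp.Verify("alice", ch, sig)
	fmt.Println("logon ok:", tok != "", "err:", err)
	_, err = rp.Verify("alice", ch, sig)
	fmt.Println("replay of the same signature:", err)
	for i := 0; i < maxPINRetries; i++ {
		auth.Sign("0000", rp.origin, ch) // attacker guessing the PIN on a stolen token
	}
	_, err = auth.Sign("2468", rp.origin, rp.NewChallenge())
	fmt.Println("right PIN after lockout:", err)
}
```

Note what the model shows about the two schools of thought above: a token that signs without a PIN would pass Verify in the hands of whoever physically holds it, which is exactly the theft case; the PIN gate plus lockout is what closes that gap, and it does so without the PIN ever reaching the service.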
Truly passwordless MFA requires biometric authentication along with an asymmetric key pair. This is possible with FIDO2, Windows Hello, Smart Cards or push authentication paired with a biometric second factor.
As you journey toward passwordless authentication, whether with MFA or not, you will be increasing your security stance, improving your user experience and finally saying goodbye to the 1960s as you create a truly 21st century cybersecurity world.
34 INTELLIGENTCIO NORTH AMERICA www.intelligentcio.com