Separating fact from fiction in your journey to passwordless authentication

February 25, 2021 8 minute read
laptop, YubiKey 5C NFC, cell phone

Say the word “passwordless” to a room full of security professionals and you will get a range of reactions, from a wry smile to a walk-out. That’s because the information security community knows that “passwordless” is a loaded term, and the industry is filled with differing and contradictory positions on the topic. 

The purpose of this blog post is to take an objective approach to understand the challenges that passwords present, what “passwordless” means, and what enterprises can expect moving forward as passwordless authentication matures. Now, you can’t have a conversation about passwordless until you first have a conversation about passwords.

The password paradox

Passwords are the most common form of user authentication, and they are easy to hate because they offer weak security and a poor user experience.

By definition, a password is a shared secret. The secret is known by the user and the validation service, is often stored across various computing devices, and may even be shared in messages or on a sticky note. Each service, device, or user with knowledge of that secret can be the target of a cyber attack. 

To improve security, best practice dictates that passwords be unique and complex. However, these practices are increasingly ineffective against modern phishing attacks and make passwords more difficult to use. To avoid “forgot password” flows, it becomes tempting to share passwords across services (which, again, increases security risks).

Security and usability are at odds with passwords. Better security leads to a worse user experience, and vice versa. 

So time to say goodbye to passwords, right? Not so fast.

There is a lot to like about passwords. Let’s not throw the baby out with the bath water. While passwords may offer poor security and usability, they are still widely used for several reasons:

  • Portability – a password or shared secret can be applied to almost anything — access to devices, documents, accounts, services, or even your kid’s treehouse. It doesn’t require a lot of infrastructure or dependencies to implement this form of authentication, making it really easy to gate access to something.
  • Compatibility – with very few exceptions, every app and service that you use has a password. Sure, it may require an additional second factor to authenticate, but the password is foundational and universal. You never really have to think about whether or not a service is compatible with the concept of a password. Entering passwords is the default activity you do everyday.
  • Interoperability – whether you’re authenticating on a computer, smartphone, Nintendo, or Apple TV, you can easily input a password. Passwords are universally supported, and you don’t need to upgrade to the latest mobile device or install client software to use a password. They just work.

Why is this important? If the goal is to retire password authentication, any alternative needs to offer significant improvements in both security and usability without compromising our needs for portability, compatibility, and interoperability. To put these concepts in perspective, let’s define the term “passwordless”.

What is passwordless authentication?

Over the past few years, the term “passwordless” has gained momentum and now it is used by many security, authentication, and identity solution providers — each with their own unique nuance.

For clarity, I think it is best to use a broader definition. At Yubico, we have adopted the following:

Passwordless authentication is any form of authentication that doesn’t require the user to provide a password at login.”

It may seem simple, but there is a bit to unpack here. There are a lot of different implementations of passwordless authentication and they all have tradeoffs. 

Some implementations of passwordless are specifically designed to address usability issues:

SMS – Many refer to SMS verification as passwordless because you don’t need to remember a password. Usually you’re sent an OTP code that is valid for a short period of time that the user can use to authenticate themselves. (And the irony isn’t lost on me that “OTP” stands for “one-time password” — I’m just sharing common usage.)

Email Magic Link – A unique link with a token is created for a user and delivered to an email. Clicking the link verifies the user for that particular service. 

There are variants of using SMS to deliver the magic link but in general these two authentication flows may offer better usability than passwords, but both are highly susceptible to phishing. If the user is tricked into typing in the OTP code or clicking on the magic link, neither of these passwordless solutions offer much security. See our blog on “How modern phishing defeats basic multi-factor authentication”.

Other implementations of passwordless are specifically designed to address security issues:

Smart Cards (PIV/CAC) – Smart cards are one of the most effective ways to protect against phishing. The user must insert their smart card into a reader, and validate the smart card with a unique PIN. This is a surefire way to stop remote phishing attacks in their tracks. But traditional smart cards aren’t very portable, compatible, or interoperable. It can be complex and costly to implement traditional smart cards at scale, making it hard to use and inaccessible for most individuals and many businesses.

Let’s take a quick sidebar and talk about passwords and PINs.

Password vs. PIN

From a usability standpoint, they may seem very similar — something else to remember. But from a security perspective, they are very different. A password is transmitted and validated on a server, which means it can be intercepted or stolen. A PIN is local to the device. For example, when you use your debit card at an ATM, the PIN only unlocks the debit card. It is never transmitted or stored elsewhere. That’s why when you have a debit card stolen and are issued a new card, you are required to select a new PIN.

There are a few reasons why this distinction is important. 

  1. A PIN is way more secure than a password (yay).
  2. Most strong forms of passwordless authentication require a PIN, so you still have to remember something (sorry).
  3. Most biometric authenticators use your face or fingerprint to “release” the PIN to perform the operation, and will default to PIN when biometric isn’t available (like when you restart your iPhone or try to unlock it while wearing a mask). In other words, the biometric authenticator doesn’t actually replace the PIN.

Microsoft also provides a lot of useful information explaining “Why a PIN is better than a password”.

</sidebar>

The role of open standards and identity platforms

Want to have your passwordless cake and eat it too? That’s what open standards bring to the party.

It takes a rich open standards ecosystem built to achieve security and usability, while also satisfying the need for portability, compatibility, and interoperability to scale to the masses. Since our inception, Yubico has advocated for open security standards to achieve these goals. Yubico paved the way by pioneering the WebAuthn and FIDO open standards, and worked with tech giants like Google, Microsoft, and Apple to integrate these standards into the operating systems, and browsers we use every day. These standards, paired with a YubiKey, allow for strong authentication across devices, apps, and services without any additional proprietary software. It just works.

Identity and access management (IAM) solutions (e.g. Azure Active Directory, Okta, Duo, Ping) have also embraced open standards by layering on top of the platform giants to deliver the functionality and scale that enterprises need to adopt strong passwordless authentication for business critical applications and services.

If you’re already invested in an IAM platform, explore what passwordless options they offer. Most will have a mobile authentication app to augment some of the user experiences on various legacy systems providing an alternative non-WebAuthn/FIDO passwordless experience. While mobile authentication is stronger than a password, mobile authentication apps are phishable, which is why all leading IAM platforms have native support for hardware security keys like the YubiKey.

The bridge to passwordless

Passwordless is a journey, not an overnight transition. And Yubico is on this journey with you. 

This transitory period is what the YubiKey was designed for — to be able to meet you right where you are and evolve with your security infrastructure. YubiKeys don’t require client software or peripherals, like a card reader. And we designed the YubiKey to support the broadest set of security protocols. You can put an end to account takeovers now using the phishing-resistant YubiKey as a second factor on top of a password. And that same YubiKey can be deployed in passwordless environments with our IAM partners as a smart card or a FIDO2 security key. The YubiKey truly is your bridge to passwordless.

Together with the open standards ecosystem and IAM partners, Yubico is excited to deliver security and usability at any scale, without compromise.

Share this article:

Recommended content

Thumbnail

Future-Proofing Authentication and Compliance for Healthcare Organizations

Healthcare continues to remain one of the most highly targeted industries by cyber criminals. In fact, with the COVID-19 pandemic, the industry has seen a doubling of the number of cyber attacks – attacks which are both costly ($9.23 million, on average) and disruptive. What’s even more troubling is that these attacks are likely to ...

Thumbnail

Put Your Finger on the Pulse of What’s New with the YubiKey Bio Series

Today, we are announcing the YubiKey Bio Series, Yubico’s first-ever YubiKeys supporting biometric authentication. The YubiKey Bio was first previewed at Microsoft Ignite in 2019 where we showed a live demo of passwordless sign-in to Microsoft Azure Active Directory accounts. We’ve taken the time to ensure that we are launching products that are highly secure ...

Thumbnail

GitHub no longer accepts passwords for Git authentication, secure your accounts with YubiKey

GitHub has been a longstanding supporter of strong security for its customers and developer communities. From its most recent support for using U2F and FIDO2 security keys for SSH, to its 2019 announcement of Web Authentication (WebAuthn) support for security keys and 2015 Universal Second Factor (U2F) support, the company has continued to give its ...

Thumbnail

Top five pitfalls companies should avoid when rolling out a passwordless strategy

Given the number of breaches in the news today where passwords were at the root of the problem, many companies are now exploring the benefits of a secure passwordless future. Secure passwordless logins not only bring cost efficiencies and a more frictionless user login experience into the organization, but deliver the security that is necessary ...