Passwordless Authentication

Know when you've been beaten!

Executive Summary

Your Challenge

• The IT world is an increasingly dangerous place.
• Every year literally billions of credentials are compromised and exposed on the internet.
• The average employee has between 27 and 191 passwords to manage.
• The line between business persona and personal persona has been blurred into irrelevancy.
• You need a method of authenticating users that is up to these challenges

Common Obstacles

• Legacy systems aside (wouldn't that be nice) this still won't be easy.
• Social inertia – passwords worked before, so surely, they can still work today! Besides, users don't want to change.
• Analysis paralysis – I don't want to get this wrong! How do I choose something that is going to be at the core of my infrastructure for the next 10 years?
• Identity management – how can you fix authentication when people have multiple usernames?

Info-Tech's Approach

• Inaction is not an option.
• Most commercial, off-the-shelf apps are moving to a SaaS model, so start your efforts with them.
• Your existing vendors already have technologies you are underusing or ignoring – stop that!
• Your users want this change – they just might not know it yet…
• Much like zero trust network access, the journey is more important than the destination. Incremental steps on the path toward passwordless authentication will still yield significant benefits.

Info-Tech Insight

Users have been burdened with unrealistic expectations when it comes to their part in maintaining enterprise security. Given the massive rise in the threat landscape, it is time for Infrastructure to adopt a user-experience-based approach if we want to move the needle on improving security posture.

Password Security Fallacy

"If you buy the premise…you buy the bit."
Johnny Carson

We've had plenty of time to see this coming.

Why haven't we done something?

• Passwords are a 1970s construct.
• End-users are complexity averse.
• Credentials are leaked all the time.
• New technologies will defeat even the most complex passwords.

Build the case, both to business stakeholders and end users, that "password" is not a synonym for "security."

Be ready for some objection handling!

Image courtesy of Microsoft

RSA Conference, 2004
San Francisco, CA

"There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."
Bill Gates

What about "strong" passwords?

There has been a password arms race going on since 1988

A massive worm attack against ARPANET prompted the initial research into password strength

Password strength can be expressed as a function of randomness or entropy. The greater the entropy the harder for an attacker to guess the password.

Table: Modern password security for users
Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects

From this research, increasing password complexity (length, special characters, etc.) became the "best practice" to secure critical systems.

How many passwords??

XKCD Comic #936 (published in 2011)

Image courtesy of Randall Munroe XKCD Comics (CC BY-NC 2.5)

It turns out that humans however are really bad at remembering complex passwords.

An Intel study (2016) suggested that the average enterprise employee needed to remember 27 passwords. A more recent study from LastPass puts that number closer to 191.

PEBKAC
Problem Exists Between Keyboard and Chair

Increasing entropy is the wrong way to fight this battle – which is good because we'd lose anyway.

Over the course of a single year, researchers at the University of California, Berkeley identified and tracked nearly 2 billion compromised credentials.

3.8 million were obtained via social engineering, another 788K from keyloggers. That's approx. 250,000 clear text credentials harvested every week!

The entirety of the password ecosystem has significant vulnerabilities in multiple areas:

• Unencrypted server- and client-side storage
• Sharing
• Reuse
• Phishing
• Keylogging
• Question-based resets

Even the 36M encrypted credentials compromised every week are just going to be stored and cracked later.

Source: Google, University of California, Berkeley, International Computer Science Institute

Enabling Technologies

"Give me a place to stand, and a lever long enough, and I will move the world."
Archimedes

Technology gives us (too many) options

The time to prototype is NOW!

Chances are you are already paying for one or more of these technologies from a current vendor:

• SSO, password managers
• Conditional access
• Multifactor
• Hardware tokens
• Biometrics
• PINs

Address all three factors of authentication

• Something the user knows
• Something the user has
• Something the user is

Global Market of $12.8B
~16.7% CAGR
Source: Report Linker, 2022.

Focus your prototype efforts in four key testing areas

• Deployment
• User adoption/training
• Architecture (points of failure)
• Disaster recovery

Three factors for positive identification

Passwordless technologies focus on alternate authentication factors to supplement or replace shared secrets.

Something you know Shared secrets have well-known significant modern-day problems, but only when used in isolation. For end users, consider time-limited single use options, password managers, rate-limited login attempts, and reset rather than retrieval requests. On the system side, never forget strong cryptographic hashing along with a side of salt and pepper when storing passwords. Something you have A token (now known as a cryptographic identification device) such as a pass card, fob, smartphone, or USB key that is expected to be physically under the control of the user and is uniquely identifiable by the system. Easily decoupled in the event the token is lost, but potentially expensive and time-consuming to reprovision. Something you are or do Commonly referred to as biometrics, there are two primary classes. The first is measurable physical characteristics of the user such as a fingerprint, facial image, or retinal scan. The second class is a series of behavioral traits such as expected location, time of day, or device. These traits can be linked together in a conditional access policy. Unlike other authentication factors, biometrics DO NOT provide for exact matches and instead rely on a confidence interval. A balance must be struck against the user experience of false negatives and the security risk of a false positive.