How to Secure Online Identities With Passwordless Authentication

essidsolutions

Since the advent of computers, passwords have controlled access to devices and data. Even with multi-factor authentication, most organizations continue to rely on passwords to secure their systems. However, passwordless authentication is quickly emerging as a secure replacement for passwords, making older authentication mechanisms obsolete as they are no longer strong enough to guard devices and data from emerging cyber threats.

Risks Associated With Passwords

Analysts and researchers have warned about the risks associated with passwords for years. These risks extend beyond the threats themselves to user frustration and management cost. Below is a summary of the challenges organizations face due to the use of passwords.

  • A Google survey found 75% of Americans were frustrated by the use of passwords.
  • The Google survey also found that IT professionals reuse passwords across resources more often than business users.
  • A Microsoft analysis of over 3 billion compromised credentials found that over 40 million Microsoft users have reused passwords.
  • According to the Verizon 2020 Data Breach Investigations Report, password dumper malware is involved in more than one-third of all malware-related breaches.
  • The Verizon research also found that 80% of hacking-related breaches are linked to passwords.
  • IDEE writes that managing enterprise passwords costs about $420 per employee per year (based on a Centrify-funded study).

Most organizations are taking steps to follow strong password management recommendations offered by vendors like Microsoft. These steps reduce risks to an extent, but often not enough to secure the most sensitive information. The use of Multi-Factor Authentication (MFA) has also increased. Alex Weinert, writing for Microsoft, asserts that MFA blocks 99.9% of attacks that exploit passwords. While this is impressive, almost all MFA solutions still use passwords and continue to incur the frustration and cost of managing them.


Passwordless Authentication: FIDO2

The recent move to passwordless authentication is driven by the FIDO (Fast ID Online) standard. Based on public key cryptography, the standard was developed and maintained by over 260 organizations (including PayPal, Amazon, and Microsoft) in collaboration with the World Wide Web Consortium.

The first workable standard with associated vendor support was made available in September 2018. FIDO certification exists across iOS, Android, macOS, and major browsers. Microsoft achieved accreditation in May 2019. Organizations can use FIDO-certified solutions to access both cloud and on-premise applications.

The FIDO standard is based on asymmetric encryption. A new employee, for example, would enroll in the organization’s passwordless authentication solution and receive a private key. The identity management server keeps the public key. This is a simple process, as shown in Figure 1.

Figure 1: How FIDO Works (from FIDO Alliance)

The private key is stored in a TPM or a token like a FIDO-certified YubiKey. Unlike passwords, it is not written down or vulnerable to the threat vectors that compromise passwords. It is automated, so the help desk does not have to create passwords for new users, and users do not have to remember strong passwords or call the help desk when they can’t remember their passwords.

Authenticating is an easy process. Organizations can initiate authentication with biometrics (for example, gestures, fingerprints, or facial recognition). Android phone users, for instance, would only have to use their fingerprints to initiate a passwordless authentication.


How Does Microsoft Support Passwordless Authentication?

Microsoft offers three different solutions for implementing FIDO: Windows Hello for Business, the Microsoft Authenticator app, and FIDO2 security keys. Using Microsoft’s passwordless authentication methods requires Azure Active Directory.

Windows Hello

Windows Hello is designed for situations where a Windows PC is assigned to a specific employee. The private key created during registration is directly tied to the PC and stored in the TPM or on a token.

Figure 2 and the following authentication steps are from Microsoft’s FIDO documentation.

Figure 2: Windows Hello Authentication

  1. A user signs in to Windows using biometrics or a PIN gesture. The gesture unlocks the Windows Hello for Business private key and is sent to the Cloud Authentication security support provider, referred to as the Cloud AP provider.
  2. The Cloud AP provider requests a nonce (a random arbitrary number that a user can use just once) from Azure AD.
  3. Azure AD returns a nonce that’s valid for 5 minutes.
  4. The Cloud AP provider signs the nonce using the user’s private key and returns the signed nonce to Azure AD.
  5. Azure AD validates the signed nonce using the user’s securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. When the nonce is validated, Azure AD creates a primary refresh token (PRT) with a session key that is encrypted to the device’s transport key and returns it to the Cloud AP provider.
  6. The Cloud AP provider receives the encrypted PRT with the session key. Using the device’s private transport key, the Cloud AP provider decrypts the session key and protects the session key using the device’s Trusted Platform Module (TPM).
  7. The Cloud AP provider returns a successful authentication response to Windows.
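
The challenge-response at the heart of steps 2 through 5, and the enrollment described in the FIDO section above, as an added example that is not part of the original article or of Microsoft's code: a minimal identity-provider model that registers a user's public key at enrollment, issues a random nonce with the 5-minute validity, and verifies the signed nonce, consuming it so it cannot be replayed. Ed25519 and the user name "alice" are stand-ins chosen for this example; the key types and message formats of the real Windows Hello and Azure AD exchange are not reproduced here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

const nonceTTL = 5 * time.Minute // the 5-minute validity window from step 3 above
// Server models the identity provider: it holds only public keys and outstanding nonces.
type Server struct {
	keys   map[string]ed25519.PublicKey // user -> public key registered at enrollment
	nonces map[string]time.Time         // outstanding nonce -> issue time
	now    func() time.Time             // injectable clock so expiry can be exercised
}

func NewServer(now func() time.Time) *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, nonces: map[string]time.Time{}, now: now}
}
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// IssueNonce returns a fresh random challenge and records when it was issued.
func (s *Server) IssueNonce() string {
	b := make([]byte, 32)
	rand.Read(b)
	n := fmt.Sprintf("%x", b)
	s.nonces[n] = s.now()
	return n
}

// Verify consumes the nonce (single use, even on failure), enforces its TTL,
// then checks the signature against the enrolled public key.
func (s *Server) Verify(user, nonce string, sig []byte) error {
	issued, ok := s.nonces[nonce]
	delete(s.nonces, nonce)
	if !ok {
		return errors.New("nonce unknown or already used")
	}
	if s.now().Sub(issued) > nonceTTL {
		return errors.New("nonce expired")
	}
	pub, ok := s.keys[user]
	if !ok || !ed25519.Verify(pub, []byte(nonce), sig) {
		return errors.New("unknown user or bad signature")
	}
	return nil
}

// SignNonce is the device side: the private key stays local; only the signature travels.
func SignNonce(priv ed25519.PrivateKey, nonce string) []byte { return ed25519.Sign(priv, []byte(nonce)) }
```

A replayed signed nonce, an expired nonce, or a signature from a key that was never enrolled are each rejected, which is what makes the exchange resistant to the credential-theft vectors that affect passwords.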

The user can then access Windows and cloud and on-premises applications without the need to authenticate again. Passwordless authentication supports additional authentication factors. Consequently, organizations can lock down resources facing the highest risk with a second factor. Going passwordless does not eliminate the need for zero-trust and continuous authentication, as described in this article: Risk-Based Access Control and the Role of Continuous Authentication.


Authenticator App

Many organizations are already using Microsoft’s authenticator application as a second factor. Enterprises can also use it to enable passwordless authentication. The process of using the app is the same as that of Hello. The only difference is that the user must enter a user ID so that the authentication process can look up the user’s passwordless authentication credentials. This is a good solution when users have to sign on to multiple systems or when using BYOD.

Figure 3: Microsoft Authenticator App (from Microsoft)

FIDO2 Security Keys

When it is not appropriate or acceptable to use phones for authentication, using a FIDO2 token is a good alternative. Like the authenticator app, this enables users to log in to multiple devices that support token interaction. 

Tokens (Microsoft provides a list of token providers) contain the FIDO2 private key. When users want to use the token to authenticate to AD via Windows 10, they select “Sign in with Windows Hello or a security key” (as shown in Figure 4).

Figure 4: Windows 10 Passwordless Authentication Selection (from Microsoft)

Personal Microsoft Passwordless Authentication

I just purchased a new Windows 10 laptop. During the setup process, I had the option of using a PIN to sign in. This creates a Hello authentication key pair. The PIN is hard to guess, and it is possible to go deeper and require full user ID/password authentication upon initial login. After that, getting past the locked screen after timeout only requires a PIN.

Other FIDO2 Players

FIDO2 authentication is supported by major browsers, including Chrome and Firefox, which also support login with Windows Hello. Cisco announced this month that it now provides passwordless authentication, thanks to its acquisition of Duo and its FIDO2 authentication solution. All of the 260+ FIDO Alliance member organizations are already allowing passwordless authentication or are in the process of adopting it.

Closing Thoughts

Passwords are a long-lived legacy of the early days of computing. Businesses lived with them because there was no acceptable and inexpensive alternative. Today, passwords are no longer needed, but most organizations have not yet switched to passwordless authentication. Like most major business changes, it takes planning and training to make this happen.

Organizations managing passwordless authentication on-premises will need either an internal or external PKI solution. With solutions like Microsoft Azure and the new Cisco passwordless implementation, any organization can eliminate passwords and the headaches that go with them.
