
KaaS Series: Making Passwords Legacy Tech with Passwordless Logins

Password policies, MFA, and biometrics have finally secured all our accounts, right? No! Compromising passwords through phishing, social engineering, and other nefarious methods is still one of the leading causes of security breaches. So how do we fix it? Passwordless logins.

What you’ll take away from this session:

  • What does Passwordless mean?
  • How does it work?
  • Is it actually secure?
  • What are the options for your organization?

Check out the blog below or listen on your favorite podcast player. If you have questions or future topic ideas, please send to info@mobiuspartners.com.

Knowledge as a Service: MFA and Passwordless Logins

How safe are your passwords? As technology continues to evolve, the methods we use to protect our online identities must do so as well.

Passwords are notoriously weak and can be easily hacked, guessed, or stolen. And how many times have you forgotten a password, leading to frustration and loss of productivity? Passwords have been the primary authentication method for decades, but they are increasingly being replaced by more secure methods such as passwordless logins and multi-factor authentication (MFA).

MFA is a security system that requires multiple forms of identification to gain access to an account or system. It adds an extra layer of security beyond passwords, making it harder for attackers to gain unauthorized access to sensitive information.

However, MFA is still susceptible to social engineering and phishing attacks where victims are convinced to disclose their one-time passcode. Despite this, MFA is an important part of the overall passwordless login strategy, which combines multiple authentication techniques with new technology like passwordless logins.

Authentication

The three ways of authenticating a person’s identity remain unchanged – something that you know, something that you are, or something that you have.

  • Something that you know: The most obvious of this type of authentication is a password but may also include things like a PIN or security questions when creating an account
  • Something that you are: This type of authentication includes biometrics such as fingerprints and face or retinal scanners. Among newer technologies is subdermal vein scanning. Read by the same device as your fingerprint, it is one of the most secure forms of authentication because it can’t be replicated.
  • Something that you have: Security keys are physical devices that require physical possession to be used, making them almost impossible to compromise remotely. Examples are smart cards, one-time password tokens, or push notifications to your phone.

Fast Identity Online Alliance (FIDO)

Passwordless login strategies incorporate these elements and unify them with a set of protocols. FIDO is a collaborative effort from all the major identity providers, which put together an authentication framework and developed industry protocols. FIDO and FIDO2 make the process of authentication more secure and user-friendly.

These combined methods are used to protect security keys, which are created on the user’s behalf when they create an account. Despite never seeing the security key, every account the user creates will have its own unique security key. If an account is compromised, it won’t impact the others.

One of the biggest problems today is the use of the same password across multiple sites. Password managers ease the burden of remembering complex passwords, but these often have an echo effect by becoming the new attack surface to compromise the account. FIDO establishes a set of protocols to facilitate the exchange and storage of the security keys, so application developers can incorporate new authentication methods.

FIDO is also currently working on “platform authenticators”, where a trusted provider can store all of a user’s security keys and send them on their behalf after multi-factor authentication. This alleviates the issue of authenticating from multiple devices without needing to synchronize security keys across all of them.

Accessing email provides a common example of passwordless entry. Most people have received a push notification on their phone when logging into Outlook from a new device. Before opening the authenticator, you use a thumbprint scanner on your phone. Leveraging either Bluetooth or Near Field Communication (NFC), the phone and laptop verify proximity and can “see” each other. The unique security key that’s stored on your phone is then sent to the email system to authenticate the session and – voila – you’re in. By leveraging the combined technologies we’ve discussed, access is gained without ever having to type in a password.

Active Directory

This does not mean the end of Active Directory, the password platform and authentication method for almost all businesses and desktops today. Active Directory is where passwords are stored and what they’re validated against. We currently use three forms of Active Directory:

  1. On premises – runs on servers in your environment and has been used for decades.
  2. Azure Federated Authentication – a hybrid between multiple environments.
  3. Azure AD – exists exclusively in the cloud with Office 365. Microsoft has provided a new extension, Entra, to extend passwordless logins to Azure AD.

Starting the Passwordless Journey

Consider the options available to your organization, the type of work you do, and employee lifestyles. Evaluate the level of security needed. This will indicate how many factors you should be using. Then, consider what hardware and software meet your needs and improve current biometrics.

A strong partner like Mobius Partners will assess your needs and business requirements to determine the best path for a successful rollout.

Upgrade your organization’s data management capabilities and secure future success with Mobius Partners – the partner you can rely on for robust infrastructure, expert guidance, and ongoing support. Contact us today at info@mobiuspartners.com.

Think of us as KaaS (Knowledge as a Service). If you have specific questions or an idea for a future topic, submit it to info@mobiuspartners.com.

Click here for the CSMA session or here for the NaaS session.

Our Experts are Amazing

Shannon Gillenwater, Director of Technology

Shannon applies a wide breadth of experiences and deep technology skills to craft technology solutions that help businesses be agile, operate efficiently and satisfy customers. An articulate collaborator and effective change agent, Gillenwater has led diverse teams in designing and deploying enterprise-scale data centers and global networks. Always searching the horizon for what’s next, Gillenwater is a cloud-first adopter and now helps customers evaluate and develop software-defined solutions. Click here to connect.

Kyle Husted, Senior Solutions Architect

An experienced Virtualization expert, Kyle has achieved the highly sought-after VMware Certified Design Expert (VCDX) certification. He was the 48th person to receive the certification of which there are less than 300 certified globally. Kyle will leverage his 25 years of customer and partner experience in IT to assess business needs, IT design, and implement solutions offerings to provide positive business outcomes. Click here to connect.
