In today’s interconnected and SaaS driven world, authentication isn’t as simple as it used to be. We’ve all experienced some sort of a breach where a password or key has been compromised - many times from an external service. Inevitably, in order to authenticate we have to provide a “credential” somehow and this opens an avenue for attack or compromise.
“Back in the day” we all used usernames and passwords to authenticate. “Good” security was never reusing passwords across services, rotating passwords frequently to mitigate undetected breaches, and generating a password complex enough that it couldn’t be brute-forced in a reasonable amount of time. We just had to make sure our password database was encrypted with non-reversible techniques and our users didn’t write their password on sticky notes under their keyboard.
Today is considerably different. Processing power is putting even the most robust encryption schemes under threat, password databases can be brute-forced far faster than we ever considered possible, and we never got to the mythical “paperless office” where users wouldn’t have access to sticky notes. To make matters worse, we now have a far more interconnected SaaS world where a user is authenticating to systems all over the place and can easily be tricked into providing their credentials to a 3rd party. In short, it’s really hard to keep credentials out of the hands of bad actors.
So what do we do? We implement MFA and password leak monitoring (haveibeenpwned, etc.) to mitigate the impact of leaked credentials, centralise authentication with SSO to limit the number of credentials involved (and keep credentials from passing through 3rd party systems), and make it easier on users by only requiring a password change when there’s a reason (it’s better than having their password be “mypassword1” then “mypassword2, etc.) None of these are particularly great. Some MFA techniques (email, sms) are susceptible to MITM and redirection attacks, password leak monitoring mostly lets you know you’ve got a bigger problem, and post-it notes under keyboards are still a thing.
The best option would be if nobody had the credentials - not our authentication database, not the services we subscribe to, not even us or our users. The problem isn’t MFA, the problem is the password itself. It’s time we held a funeral for the venerable password and move on to better things.
Now, imagine a world where your user database could be posted publicly without compromising security? A world where MFA is handled without the user ever realizing it. A world where we visit the grave of the humble password with fondness, but not regret. This is the promise of password-less authentication. And it’s possible today.
FIDO2, aka WebAuthn and CTAP, provide this ideal world by relying on dedicated hardware in the user’s physical control (the TPM in their computer, the security chip in their phone, etc.) to authenticate the user and maintain a per-service public/private keypair. All your password database contains is the public certificate. The private cert (that’s unique per credential so even that public cert isn’t shared across services) never leaves the dedicated hardware. The user goes to the login page, puts in their username and is prompted to perform their local device authentication procedure (scans fingerprint, uses face-id, users unlock pin, etc.) and they’re in. No passwords, no authenticator app, nada.
What about MFA? Well, it just happened! They proved they have something (their computer) and they know/are something (unlock procedure). Even if they still insist on putting their local credentials on a post-it note, the credentials used to authenticate to corporate services are permanently tied to their device AND NEVER LEAVE IT. They can’t be stolen short of stealing the device itself, which would hopefully be immediately noticed.
Thoughts? Are you considering a password-less future for your organization? Do you have reservations?