We have all heard the following triad a fair few times:
- Something you know
- Something you have
- Something you are
If you scratch the surface of the information “out there”, it appears that going passwordless just means not using a password while sticking to the same old rule set above in other ways. We have all come to know the SMS codes, authenticator apps, links via trusted email accounts, etcetera.
No news at all. Right?
So what is the hype about?
At a low-tech level, there are a few new underlying technologies at play that now make utilising the know/have/are triad safe without the use of a password, which wasn’t the case before. In particular, the FIDO standards and the WebAuthn browser API. We will spare you the details. It boils down to the below-the-surface machinery that now enables us, in theory, to live a password-free life.
Great. Why does this not match my reality?
It sounds so easy, almost plug & play.
A lot of publications (especially and somewhat unsurprisingly, those by passwordless technology or services vendors) make it sound like it is a few mouse clicks away.
But delving a bit deeper, it appears to be a very hard trend to take from rainbows & unicorns theory through to execution. Microsoft tried to make a big passwordless play last year, which was quickly pulled apart by others.
In line with this, some of the stories about experiences of implementing these technologies reveal there is more below the surface of this glossy trend, and it is so much harder than it seems due to the way apps and humans are wired.
Before we go into why this is the case, there is one other thing to clear up. Most of us know passwordless authentication methods from current multifactor authentication setups. This leads to confusion. Multifactor authentication is sometimes used interchangeably with passwordless authentication; however, there can (and probably should) be a multifactor authentication setup in a passwordless scenario. If you get what we mean. The multifactor just refers to the number of steps in the authentication process.
Roughly, these are the categories of passwordless methods available today:
- Magic links, which you get in your email as a one-time way to get into an application
- One-time passwords or codes, which are usually sent via text message and need to be fed back into an application for authentication
- Biometric identification leveraging traits such as a fingerprint, or a retina scan
- Push notifications which need to be ‘allowed’ on a device to provide subsequent access to an application
In addition to this list, separate ‘code generator’ apps can be used as well in a passwordless scenario - these are commonly seen in contemporary multifactor authentication processes.
Underpinning the various methods above is the specific device they are executed on. It’s not just a link, code or SMS: there is a signature from your trusted device that’s verified as well, to make sure it is really you attempting to log in. Over time, it is anticipated this will mature to further behavioural profiling, using not only the device but also geolocation, time and other metadata points to build up a pattern of what typical user activity looks like. This can then be leveraged to rank logins on a spectrum of ‘safe’ to ‘risky’, and allow, notify or block accordingly.
Although nothing is 100% secure (in spite of what some of the vendor blogs out there claim), passwordless is arguably more secure than authentication processes that use a password.
And we are certainly sold on the user experience of passwordless methods!
Given all these options and advantages, why is passwordless not so prevalent? What is holding us humans and machines alike back? Virtually all applications we use require a password for authentication!
Although there are some claims to the contrary, password-based authentication processes are easiest and cheapest to implement. Having said that, the pandemic, increases in compute power and other factors have seen cyber attacks soar over the last few years. So it is questionable how much longer the argument of ‘cost’ will hold.
Old habits die hard, and all change meets resistance. Enough said.
It is not unthinkable that passwords will remain the fallback option in case authentication via passwordless methods fails either.
As it turns out, 67% of organisations responded in a survey that they aren’t well equipped to transition to passwordless.
In addition, a lot of applications and even cloud services have been coded with password-based authentication processes in mind. Changing all the associated code will be a long, drawn-out and costly process. It is probable that going forward, application developers will build applications with passwordless options, so this hurdle could phase out. But not very soon.
Delving into passwordless has taught us that as with anything, there will be a need to keep updating our tech stack to deal with new ways of authentication, both on the machine/platform side (being an integration provider) as well as the human/user side.
There may be a grand future of passwordless integrations ahead, although there are many ‘ifs and buts’ that need to play out before we are certain. Forbes mentions the following:
In most cases, passwordless will only play in their little ecosystem: Microsoft won’t work with AWS, which won’t play with Google.
It got us thinking. Could there be a play for Harmonizer in the passwordless space? Potentially, since our technology leverages APIs and passwordless has WebAuthn available.
Ultimately, whether or not it is feasible to develop a new suite of code blocks to facilitate passwordless authentication between various environments will depend on the market need as the technology matures.
It may be that the industry agrees on a standard that everyone adopts and which works seamlessly. Or perhaps there will be another, more efficient solution available for authentication than the ones covered in this blog. And maybe integrations for passwordless authentication processes become a niche in their own right? Only time will tell.
Picture by ar130405 on Pixabay