{"id":52358,"date":"2021-08-04T12:00:00","date_gmt":"2021-08-04T16:00:00","guid":{"rendered":"https:\/\/live-jc-marketing-site.pantheonsite.io\/?p=52358"},"modified":"2024-11-08T17:14:40","modified_gmt":"2024-11-08T22:14:40","slug":"are-we-there-yet-approaching-a-passwordless-future-with-fido2","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/are-we-there-yet-approaching-a-passwordless-future-with-fido2","title":{"rendered":"Are We There Yet? Approaching a Passwordless Future with FIDO2"},"content":{"rendered":"\n

You\u2019ve likely heard of the passwordless concept before, and you may have heard predictions that passwordless environments would become a reality in our near future. However, the password hasn\u2019t gone extinct quite yet \u2014 in fact, you\u2019ve probably typed in at least one today to access your resources. So, is passwordless authentication<\/a> a coming reality or an elusive pipe dream?<\/p>\n\n\n\n

In this blog, we\u2019ll explore the possibility of a passwordless world, what\u2019s driving the passwordless push, barriers to its adoption, developments in technologies like FIDO2 and WebAuthn powering passwordless authentication, and business environment changes that are bringing it closer to reality. <\/p>\n\n\n\n

Have Rumors of the Password\u2019s Death Been Greatly Exaggerated?<\/h2>\n\n\n\n

The passwordless world isn\u2019t a new concept. The IT community has been discussing the death of the password since 2004<\/a>, when Bill Gates predicted it at an RSA Security conference. <\/p>\n\n\n\n

In 2011<\/a>, IBM echoed Gates\u2019 prediction, assigning the password\u2019s extinction a five-year timeline \u2014 but, just like Y2K and the 2012 Mayan doomsday, the password\u2019s death date came and went, and we continue to type our passwords in (or forget and reset them) day in and day out. <\/p>\n\n\n\n

This brings us to the question: Is passwordless authentication even possible?<\/p>\n\n\n\n

Is Passwordless Authentication Possible?<\/h3>\n\n\n\n

In short, yes. Essentially, passwordless authentication is multi-factor authentication (MFA)<\/a> where a password isn\u2019t one of the factors. Typically, logging into a resource requires a username and password, and with MFA, it usually requires a username\/password combination plus one other authentication factor, like a time-based one-time password (TOTP)<\/a>. With a passwordless login, the password would be replaced with another MFA factor<\/a>, like a push notification<\/a>, biometric<\/a>, or security token. This way, the user could simply scan their fingerprint and tap a button on their phone \u2014 or complete another combination of simple passwordless MFA<\/a> steps \u2014 to log in securely. <\/p>\n\n\n\n

But just because something is possible doesn\u2019t mean it\u2019s desirable, which brings us to our next question: Is passwordless authentication safe<\/a>? Is it something we should be working toward?<\/p>\n\n\n\n

Is Passwordless Authentication Secure?<\/h3>\n\n\n\n

When a technology has spent decades as the reigning security solution around the world, that means hackers have spent decades perfecting techniques for compromising it. Passwords are no longer a highly secure means of protecting resources \u2014 and especially not when they stand alone, without the added layer of MFA. In fact, compromised passwords were the leading source of breaches last year<\/a>, followed closely by shared credentials and phishing attacks. <\/p>\n\n\n\n

Two main weaknesses of the password are driving the need for a better security solution:<\/p>\n\n\n\n

Password theft<\/a> and hacking techniques are sophisticated and rampant. <\/strong>Hackers have developed ways to compromise just about every type of password, including TOTPs. From running phishing scams to sourcing compute power to mounting brute-force attacks that can guess billions of password combinations per second<\/a>, hackers have made it near impossible to create a password that someone couldn\u2019t crack.\u00a0<\/p>\n\n\n\n

Users rarely follow password best practices. <\/strong>From writing passwords down to reusing them to using passwords like \u201cpassword123,\u201d users have trouble following password best practices. While most indiscretions are not malicious, they still create targets for compromise.<\/p>\n\n\n\n

Most of these malpractices come from the inefficiency of the password as an authentication factor. As businesses move to cloud and SaaS-based models, users have to remember more and more passwords \u2014 an average of over 170. Expecting users to create and remember unique, complex passwords for each resource is unrealistic, and most use fewer than 20 passwords to lock all 170+ resources.\u00a0<\/p>\n\n\n\n

As bad password habits become the norm and hackers learn to spot and target vulnerable password-protected accounts, companies have started looking for more secure ways to protect their assets. When implemented correctly, passwordless authentication does just that. So, what\u2019s taking so long? Why haven\u2019t we implemented it yet?<\/p>\n\n\n\n

<\/p><\/div>

Note:<\/strong> \n

Learn more about critical password management statistics<\/a> and trends you should be monitoring.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n

What Are the Barriers to Passwordless Adoption?<\/h2>\n\n\n\n

If passwordless authentication is possible and secure, and the IT community has been predicting it for years, why hasn\u2019t it become a reality yet? <\/p>\n\n\n\n

Inertia<\/h3>\n\n\n\n

It\u2019s difficult to stop decades of worldwide inertia, and the password has enjoyed over 50 years of use<\/a> as it gained global popularity. Now, it\u2019s become so common that people have come to expect it, and logging into applications without one can be jarring, confusing, and hard to promote buy-in among users and leadership. <\/p>\n\n\n\n

Perceived Security <\/h3>\n\n\n\n

Many people\u2019s first thought about passwordless logins<\/a> is that it sounds less<\/em> secure, not more secure than a password-protected account. For busy, business-oriented leadership teams, this could be enough to bar adoption; many businesses aren\u2019t looking to be at the vanguard of security \u2014 they just want to implement reasonably secure policies, and to the untrained eye, the password accomplishes this. However, passwords are becoming less and less secure, and the norm is moving toward MFA, Zero Trust security<\/a>, and higher security standards that rely less and less on passwords.\u00a0<\/p>\n\n\n\n

Cumbersome Tools<\/h3>\n\n\n\n

When MFA made its debut, it wasn\u2019t as sleek as it is today \u2014 the first instances of MFA included factors being sent to pagers, printers, landline phones, and other receivers (check out the original 1997 patent<\/a>). Even today, some MFA methods impose significant demands on the user, like sourcing and typing in a TOTP. <\/p>\n\n\n\n

Some TOTP instances can be even more cumbersome: RADIUS, for example, requires users to type in their password, then a comma, then their TOTP. It\u2019s easy to imagine how a user might lock themselves out after too many failed attempts (or worse, give up and find a workaround or sign into an easier-to-access network).<\/p>\n\n\n\n

Further, passwordless solutions have historically worked for some<\/em> solutions, but not others, making it a less attractive solution than the well-understood and universal password. However, as providers hone their passwordless technology and software vendors come to understand the importance and growing demand for it, more and more solutions are supporting passwordless authentication and, crucially, prioritizing MFA accessibility<\/a>.<\/p>\n\n\n\n

Lack of Buy-In<\/h3>\n\n\n\n

All of these barriers created a lack of user competency around passwordless MFA and skepticism among leadership, generating low buy-in. However, as tools streamline the user experience and the business world\u2019s understanding of the precarious security landscape improves, buy-in is growing and more businesses are seriously considering the idea of moving toward passwordless authentication.<\/p>\n\n\n\n

What Makes This Time Different?<\/h2>\n\n\n\n

Although passwords have proliferated longer than many IT experts expected, changing business environments, evolving mindsets, and rapidly developing technology are carving the path toward a passwordless future. The following are some of the changes the modern workplace is experiencing that are spurring faster and wider adoption of passwordless authentication.<\/p>\n\n\n\n

Increased Understanding of the Password\u2019s Weaknesses<\/h3>\n\n\n\n

The illusion of the password\u2019s security is fading as catastrophic breaches caused by password compromise continue to make the news and additional studies of user behavior have confirmed suspicions that users don\u2019t follow best practices \u2014 like the fact that only 20% of users use unique passwords<\/a> for every account. Businesses are taking note and beginning to look for alternative solutions rather than continue to impress unrealistic expectations that users remember growing numbers of unique, complex passwords. <\/p>\n\n\n\n

Remote and Hybrid Work<\/h3>\n\n\n\n

Before the coronavirus pandemic forced businesses around the world to go remote, the norm was in-office work. Workspaces were more homogenous, with employees all signing onto their office\u2019s central network (probably LAN or WAN) from the same location at the same time. While cybersecurity was still a growing threat, it wasn\u2019t as top-of-mind for executives as it is now, as companies need to secure employees using various methods and devices to access resources from widespread remote locations. <\/p>\n\n\n\n

The Rise of Zero Trust Security and Increased Leadership Buy-In<\/h3>\n\n\n\n

The shift in leaders\u2019 attention toward securing remote work has spurred more interest in tighter security. The business world is seeing a growing adoption of Zero Trust security, including MFA solutions, conditional access, and other security methods more advanced than the password.<\/p>\n\n\n\n

In fact, in a recent 黑料海角91入口 survey of IT professionals<\/a>, 21% of respondents said their business already had Zero Trust in place, and another 46% said their company planned to adopt it by the end of 2021, if not sooner. The same study showed that 84% of respondents worked at companies that had some level of MFA implemented.<\/p>\n\n\n\n

While IT admins may have long been advocates for passwordless authentication, changing workplace trends and rising security concerns have opened the ears of company decision-makers, who are now more willing to slow inertia in favor of more secure solutions. <\/p>\n\n\n\n

Better Tools<\/h3>\n\n\n\n

Passwordless models have been clunky in the past, whether they were only compatible with a small subset of tools, substantially increased friction in the user experience, or were susceptible to the same hacking techniques that passwords were. Fortunately, technology has been advancing to meet password and security challenges with more streamlined, secure, and user-friendly approaches. <\/p>\n\n\n\n

Push notifications, for example, streamline clunky MFA steps like SMS codes: users can simply tap a button on their phone rather than type out the code sent via text message. Biometrics similarly reduce friction with secure, user-friendly technology. <\/p>\n\n\n\n

One of the key developments in recent years that is streamlining MFA and bringing passwordless authentication within reach is the FIDO Alliance and the principles and protocols they\u2019ve developed in pursuit of a passwordless world.<\/p>\n\n\n\n

Passwordless Authentication with FIDO2<\/h2>\n\n\n\n

FIDO, or Fast Identification Online, is a set of standards for secure passwordless authentication put forth by the FIDO Alliance. FIDO2 is the most current set of standards, which include Web Authentication (WebAuthn) and Client-to-Authenticator Protocol (CTAP). <\/p>\n\n\n\n

WebAuthn<\/h3>\n\n\n\n

WebAuthn<\/a> is an API that facilitates secure authenticator-to-website interaction with public key cryptography. This can take place via:<\/p>\n\n\n\n