Passwordless Is Coming—Don’t Let Your Guard Down

At Frontegg, we’re big fans of Passwordless. That’s why, over the past year, we added support for magic links, speedy login (one-time codes, touch id), and new MFA methods that use WebAuthn. We’re excited about the way innovations in Passwordless tech, such as Passkeys, have improved both user experience and security! But they’re not a silver bullet… and there are times you’ll need to say:

Passkeys are amazing and we’re excited about them, too! But it’s important to remember they’re just another authentication factor; one more piece of the user management puzzle. Modern SaaS providers need a comprehensive, secure user management solution that offers a range of authentication factors and the flexibility to configure it themselves.

This is particularly true if a SaaS provider wants to offer Zero Trust (ZT) capabilities, which emphasize a “never trust, always verify” approach to authentication that requires continuous verification of user activity. ZT best practices also mandate more aggressive and granular application of “least-use” privilege policies, going well beyond the initial authentication and login. Many scenarios require more secure authentication or scrutiny:

• Users logging into critical infrastructure over a VPN
• Users logging into their organization correctly but from an unknown IP address or device

We believe there are many aspects of secure user management that are not covered by passwordless by itself. This post will help you understand the role of different authentication factors and the importance a comprehensive security user management strategy. We’ll help identify the primary levers you can and should use to ensure the right users are accessing the right systems — even if someone can get past strong authentication technologies like passwordless.

The Trouble with Passwords

We all know why passwords are a pain. The user experience with passwords is never good and can be downright awful. The human brain is not made to remember dozens and dozens of passwords, so we forget them all the time.

This means requesting a new password, which requires us to wait for an email to come with a password reset link. What if we don’t have access to our email for some reason? We’re out of luck until someone responds to our Slack message. What if our phone, which we’re using for corporate email, runs out of juice and we need to access a system from another browser? Again, out of luck.

Worse, many conservative system admins still refuse to enable self-service password resets, which is problematic, for example, if employees are in different time zones from system admins or the admin is on vacation. Almost worse than forgetting a password, humans frequently reuse the same password for multiple systems.

This means that any compromise of a system holding one password likely allows cybercriminals to use the same email and password or email and username combo to illegally access other accounts held by the same user. A coping tactic is to use easy-to-remember passwords. Those passwords are also easy to crack with automated systems.

According to Verizon’s 2022 Data Breach Investigations Report,

• More than 60% of breaches due to hacking were “using stolen creds”
• Approximately 30% of IT service desk calls are password resets

Even when multi-factor authentication (MFA), using methods such as authenticator apps or SMS codes, are added to improve security, attackers increasingly are bypassing MFA through clever methods that allow them to either capture the MFA or mount a man-in-the-middle attack on the user’s device.

Attackers are able to compromise a password for an official email account effectively control both modalities of authentication. This is why in 2021, the U.S. Federal Bureau of Investigation received 19,954 Business Email Compromise (BEC)/ Email Account Compromise (EAC) complaints with adjusted losses at nearly $2.4 billion.

For many years critics have complained about problems with passwords. At the 2004 RSA Conference Bill Gates foretold the end of passwords saying, “they [passwords] just don’t meet the challenge for anything you really want to secure.” In subsequent years, famous journalists, leading analysts at Gartner, and technologists at major technology companies such as IBM and Google all said passwords were insufficient.

Yet… passwords remain the dominant form of foundational authentication in enterprises. Many enterprises have glossed over the problems with passwords by adding various forms of automated authentication such as SSO or SAML. Equally problematic, businesses rarely mandate supporting tools like password managers to improve password security. Only 25% of workers say their employer mandates use of password managers, according to Bitwarden.

A Quick History of Biometrics and Passwordless

Biometrics is the science and related technologies for identifying someone based on a unique physical or behavioral characteristic. This can include any measurable metric including fingerprints, facial geometry, vocal patterns, eyeballs (retinas and iris), or even gait. Biometrics have been used throughout history!

• Ancient Babylonians used fingerprints to verify signatures and identities on clay for business transactions in 500 BC.
• Fourteenth century Chinese merchants used palm and footprints.
• Early fingerprint systems to identify criminals emerged in the late 19th century.

As technology grew, advancements in security systems and cryptography enabled biometrics to go digital. Initially, biometric authentication systems required large, upfront investments and were primarily used to protect critical systems and locations in defense and industry. But it’s become a commodity, with smartphones and many smart devices offering biometric authentication like facial recognition or fingerprints.

Over the last few years, passwordless authentication technologies have rapidly matured. Improvements in security and user experience have led to adoption from large technology firms with billions of users (external and internal combined). Passwordless is exactly what it claims; users don’t need use, remember, or enter a password! Instead, passwordless systems may use a variety of authentication factors to verify a user’s identity.

Passwordless can be a one-time code sent to your phone or a magic link sent to an email address, where clicking a link authenticates that user. The passwordless systems become more secure by requiring additional authentication factors, or “multi-factor authentication”.

The additional factor might be an additional biometric, an SMS message, or a code entered from an “authenticator” application. But passwordless systems can also consider signal-based factors like IP address, geolocation, hardware, client signature, or dozens of other attributes!

Enter FIDO, WebAuthn and Passkeys — The New Awesome Sauce

The Passwordless movement was started in 2013 by the FIDO Alliance, a global technology standards body governed collectively by its members. Members of FIDO include Google, Apple, PayPal, Microsoft, Facebook and hundreds of other companies. FIDO’s focus is on changing the nature of authentication through open standards that reduce the world’s over-reliance on passwords.

FIDO has published three specifications: Universal Second Factor (FIDO U2F), Universal Authentication Framework (FIDO UAF), and Client to Authenticator Protocols (CTAP). The FIDO2 standard is comprised of the W3C Web authentication spec (WebAuthn) and CTAP. All of the major browsers, including Google Chrome, Mozilla Firefox and Microsoft Edge have implemented the standards; Android now supports WebAuthn as does Apple with its latest iOS systems. There’s also a growing list of B2B SaaS providers that are running WebAuthn.

Passkeys are the latest passwordless tech to emerge and they’re convenient. The same technology used to unlock your smartphone, a combination of biometric and code, can now be used for authentication for SaaS apps. We fully anticipate industry-wide adoption of Passkeys and passwordless across enterprise SaaS.

The main drivers are the combination of a better user experience (UX) and the improved, phish-resistant security. There is also a large scale push by major tech companies and mobile app vendors to educate consumers on the benefits of passwordless (another shout out to FIDO here), which is often a precursor to enterprise demand. We agree that Passkeys are great, but they’re only the tip of the iceberg when it comes to implementing a secure user management approach.

Thinking Beyond Passkeys to Secure User Management

Passkeys are not a silver bullet. Relying exclusively on Passkeys for secure user management is effectively like turning back the clock on security to the days of hardened perimeters and soft, lightly-secured internal environments. Rest assured, attackers are already plotting ways to compromise Passkeys and WebAuthn. It could be potentially through newer types of man-in-the-middle attacks or through other methods to force password resets that revert back to email or SMS combinations for authentication. Smarter teams we work with are implementing passwordless, but viewing it as only the first step in secure user management and a portion of their overall secure management strategy.

As part of their initial authentication flows or when users are interacting with their app, they check users against other criteria and enact additional security measures as needed. Some examples of criteria they might use:

• Is user accessing critical system like finance or production?
• Did the user bypass Passkey or passwordless somehow?
• Is the user using single-factor authentication or multi-factor with passwordless?
• Is this the first access after a credential reset?
• Is the user following previous usage patterns on a system?
  • Time of day, location, or IP address
  • Familiar device or client types
  • Repeat logins
  • Making anomalous requests (asking to access systems it does not have access to)

You’ll need to determine the tradeoff for yourself. How will you balance delightful, low-friction user authentication with the need for secure, resilient user management? We recommend finding your answer using teamwork. Collaborate with the product, UX, security, and even marketing teams to create policies that map to security requirements for specific situations but minimize friction where possible. A couple examples:

• A known user (an app developer) has already logged in with their Passkey from a familiar location. You allow them access to their own code repository, but attempting to access the Continuous Integration (CI) pipeline or project settings triggers another authentication factor.
• You may give someone on the finance team access to the accounts payable system during working hours. However, attempts to access the system during the weekend or from unrecognized devices trigger additional authentication factors they wouldn’t have during regular working hours.

Conclusion: Secure User Management Beyond Passkeys

Some of this might seem like common sense, but there’s a lot to get right and it’s important to take seriously. You want to reduce friction in authentication flows, but need to balance that with your company’s risk tolerance.

That’s why having detailed policy design that considers the human factors associated with different personas and needs is essential. Creating those policies can be time-consuming, but is worth the effort and can create good cross-functional alignment between teams. We recommend involving stakeholders from different areas of your company.

Designing the right security policies is vital to the “identity-first” security that is required for modern SaaS tools and technologies. This is particularly true for SaaS platforms built on top of microservices and microfrontends, where segmentation makes it easier to pursue more granular user management approaches.

Passkeys and WebAuthn are coming and they’re amazing! We’re confident that passwordless technology will improve security and user experience as a whole. But they’re not a silver bullet or security panacea, and these technologies should be used to complement, not replace, well-designed authentication flows and security systems. These tools give us more to push the boundaries of delightful UX from within the boundaries of a robust, secure user management platform.