At Frontegg, we’re big fans of Passwordless. That’s why, over the past year, we added support for magic links, speedy login (one-time codes, touch id), and new MFA methods that use WebAuthn. We’re excited about the way innovations in Passwordless tech, such as Passkeys, have improved both user experience and security! But they’re not a silver bullet… and there are times you’ll need to say:
Passkeys are amazing and we’re excited about them, too! But it’s important to remember they’re just another authentication factor; one more piece of the user management puzzle. Modern SaaS providers need a comprehensive, secure user management solution that offers a range of authentication factors and the flexibility to configure it themselves.
This is particularly true if a SaaS provider wants to offer Zero Trust (ZT) capabilities, which emphasize a “never trust, always verify” approach to authentication that requires continuous verification of user activity. ZT best practices also mandate more aggressive and granular application of least-privilege policies, going well beyond the initial authentication and login. Many scenarios require more secure authentication or scrutiny:
We believe there are many aspects of secure user management that are not covered by passwordless by itself. This post will help you understand the role of different authentication factors and the importance of a comprehensive, secure user management strategy. We’ll help identify the primary levers you can and should use to ensure the right users are accessing the right systems — even if someone can get past strong authentication technologies like passwordless.
We all know why passwords are a pain. The user experience with passwords is never good and can be downright awful. The human brain is not made to remember dozens and dozens of passwords, so we forget them all the time. This means requesting a new password, which requires us to wait for an email to come with a password reset link. What if we don’t have access to our email for some reason? We’re out of luck until someone responds to our Slack message. What if our phone, which we’re using for corporate email, runs out of juice and we need to access a system from another browser? Again, out of luck.
Worse, many conservative system admins still refuse to enable self-service password resets, which is problematic, for example, if employees are in different time zones from system admins or the admin is on vacation. Almost worse than forgetting a password, humans frequently reuse the same password for multiple systems. This means that any compromise of a system holding one password likely allows cybercriminals to use the same email and password or email and username combo to illegally access other accounts held by the same user. A coping tactic is to use easy-to-remember passwords. Those passwords are also easy to crack with automated systems.
According to Verizon’s 2022 Data Breach Investigations Report,
Even when multi-factor authentication (MFA), using methods such as authenticator apps or SMS codes, is added to improve security, attackers increasingly are bypassing MFA through clever methods that allow them to either capture the MFA code or mount a man-in-the-middle attack on the user’s device. Attackers able to compromise a password for an official email account effectively control both modalities of authentication. This is why in 2021, the U.S. Federal Bureau of Investigation received 19,954 Business Email Compromise (BEC)/Email Account Compromise (EAC) complaints with adjusted losses at nearly $2.4 billion.
For many years critics have complained about problems with passwords. At the 2004 RSA Conference Bill Gates foretold the end of passwords saying, “they [passwords] just don’t meet the challenge for anything you really want to secure.” In subsequent years, famous journalists, leading analysts at Gartner, and technologists at major technology companies such as IBM and Google all said passwords were insufficient. Yet… passwords remain the dominant form of foundational authentication in enterprises. Many enterprises have glossed over the problems with passwords by adding various forms of automated authentication such as SSO or SAML. Equally problematic, businesses rarely mandate supporting tools like password managers to improve password security. Only 25% of workers say their employer mandates use of password managers, according to Bitwarden.
Biometrics is the science and related technologies for identifying someone based on a unique physical or behavioral characteristic. This can include any measurable metric including fingerprints, facial geometry, vocal patterns, eyeballs (retinas and iris), or even gait. Biometrics have been used throughout history!
As technology grew, advancements in security systems and cryptography enabled biometrics to go digital. Initially, biometric authentication systems required large, upfront investments and were primarily used to protect critical systems and locations in defense and industry. But it’s become a commodity, with smartphones and many smart devices offering biometric authentication like facial recognition or fingerprints.
Over the last few years, passwordless authentication technologies have rapidly matured. Improvements in security and user experience have led to adoption from large technology firms with billions of users (external and internal combined). Passwordless is exactly what it claims; users don’t need to use, remember, or enter a password! Instead, passwordless systems may use a variety of authentication factors to verify a user’s identity.
Passwordless can be a one-time code sent to your phone or a magic link sent to an email address, where clicking the link authenticates that user. Passwordless systems become more secure by requiring additional authentication factors, or “multi-factor authentication”. The additional factor might be an additional biometric, an SMS message, or a code entered from an “authenticator” application. But passwordless systems can also consider signal-based factors like IP address, geolocation, hardware, client signature, or dozens of other attributes!
The Passwordless movement was started in 2013 by the FIDO Alliance, a global technology standards body governed collectively by its members. Members of FIDO include Google, Apple, PayPal, Microsoft, Facebook and hundreds of other companies. FIDO’s focus is on changing the nature of authentication through open standards that reduce the world’s over-reliance on passwords.
FIDO has published three specifications: Universal Second Factor (FIDO U2F), Universal Authentication Framework (FIDO UAF), and Client to Authenticator Protocol (CTAP). The FIDO2 standard consists of the W3C Web Authentication spec (WebAuthn) and CTAP. All of the major browsers, including Google Chrome, Mozilla Firefox and Microsoft Edge, have implemented the standards; Android now supports WebAuthn, as does Apple with its latest iOS systems. There’s also a growing list of B2B SaaS providers that are running WebAuthn.
Passkeys are the latest passwordless tech to emerge, and they’re convenient. The same technology used to unlock your smartphone, a combination of biometric and code, can now be used for authentication to SaaS apps. We fully anticipate industry-wide adoption of Passkeys and passwordless across enterprise SaaS. The main drivers are the combination of a better user experience (UX) and the improved, phishing-resistant security. There is also a large-scale push by major tech companies and mobile app vendors to educate consumers on the benefits of passwordless (another shout out to FIDO here), which is often a precursor to enterprise demand. We agree that Passkeys are great, but they’re only the tip of the iceberg when it comes to implementing a secure user management approach.
Passkeys are not a silver bullet. Relying exclusively on Passkeys for secure user management is effectively like turning back the clock on security to the days of hardened perimeters and soft, lightly-secured internal environments. Rest assured, attackers are already plotting ways to compromise Passkeys and WebAuthn, potentially through newer types of man-in-the-middle attacks or through other methods to force password resets that revert back to email or SMS combinations for authentication. Smarter teams we work with are implementing passwordless, but viewing it as only the first step in secure user management and a portion of their overall secure management strategy.
As part of their initial authentication flows or when users are interacting with their app, they check users against other criteria and enact additional security measures as needed. Some examples of criteria they might use:
You’ll need to determine the tradeoff for yourself. How will you balance delightful, low-friction user authentication with the need for secure, resilient user management? We recommend finding your answer through teamwork. Collaborate with the product, UX, security, and even marketing teams to create policies that map to security requirements for specific situations but minimize friction where possible. A couple of examples:
Some of this might seem like common sense, but there’s a lot to get right and it’s important to take seriously. You want to reduce friction in authentication flows, but need to balance that with your company’s risk tolerance. That’s why having detailed policy design that considers the human factors associated with different personas and needs is essential. Creating those policies can be time-consuming, but is worth the effort and can create good cross-functional alignment between teams. We recommend involving stakeholders from different areas of your company.
Designing the right security policies is vital to the “identity-first” security that is required for modern SaaS tools and technologies. This is particularly true for SaaS platforms built on top of microservices and microfrontends, where segmentation makes it easier to pursue more granular user management approaches. Passkeys and WebAuthn are coming, and they’re amazing! We’re confident that passwordless technology will improve security and user experience as a whole. But they’re not a silver bullet or security panacea, and these technologies should be used to complement, not replace, well-designed authentication flows and security systems. These tools give us more room to push the boundaries of delightful UX from within the boundaries of a robust, secure user management platform.