An Analysis of Passwordless Authentication
Recently, a new term has appeared in the IT world: passwordless. Passwordless authentication is the idea of doing away with passwords entirely when logging into an account or service, relying instead on other factors to authenticate the account. Microsoft and Okta have recently added the ability to log in to their respective accounts without the use of a password.
In this paper, the details of passwordless authentication will be highlighted, and the reasons for and against it will be discussed and analyzed to provide the reader with the information required to decide whether this new idea is relevant to their personal or enterprise environment.
Understanding Authentication Factors
Before we delve into the topic of passwordless authentication, it is important to understand the three authentication categories recommended by NIST Special Publication 800-63-3 [11]:
- Something you know
- Something you have
- Something you are
The common authentication method in the something you know category is the password. Other methods include a PIN or a security question. Items that fall under something you have include a text message or authenticator app on a mobile phone, an access card or a USB security key; the latter two can be viewed as a modern replacement for the physical keys we use to unlock the front doors of our homes. The final category, something you are, involves biometric authentication of some sort, such as a fingerprint scan or facial recognition.
Microsoft Support for Passwordless Authentication
Microsoft started officially supporting passwordless authentication in March 2021. However, only in September did they provide the ability to remove the password entirely from a Microsoft account [1]. As Microsoft accounts can be used to log directly into Windows PCs, this means that going forward you would no longer need a password to log into your computer. The following factors are supported in lieu of a password:
- Microsoft Authenticator app code or “push”
- Windows Hello PIN or facial recognition
- USB or Bluetooth Security key
- Verification code received via SMS text message
It’s worth noting that a Microsoft account is required to replace the usual password with one or more of the previously mentioned authentication factors. Passwordless authentication is not currently supported for local Windows user accounts.
Okta Support for Passwordless Authentication
Okta has implemented passwordless authentication through an early access feature called factor sequencing [2], which allows the order of authentication factors to be changed. Accordingly, the password can be bypassed if the Okta administrator configures it that way for the organization. This feature can only be turned on by Okta support at this time. Furthermore, Okta does not currently allow the password to be removed from the user’s account; it can only be bypassed in the authentication sequence.
Okta supports the enabling of the following authentication factors:
- Okta Verify Push
- SMS Auth
- Voice Call Auth
- Google Auth
- FIDO2 (WebAuthn)
- Duo Security
- Symantec VIP
- On-Prem MFA
- RSA SecurID
- Security question
- Email Auth
Abacode completed a Proof of Concept (POC) changing the factor sequencing in Okta to effectively test passwordless authentication with the Okta Identity Management system. For this purpose, the authentication factors were changed in the Okta admin portal by going to Security > Authentication > Sign on and creating policies and rules with specific authentication chains (see image below).
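To make the factor-sequencing idea concrete, the following is an added example (not Okta’s code or API, and not part of the original paper) that models a sign-on rule as an ordered chain of factors: the login flow prompts for the first unsatisfied factor in the chain, so a chain that starts with a push approval never asks for a password. It also audits a rule for the properties this paper discusses: whether it is passwordless, whether every factor sits in a single NIST category, and whether it relies on SMS. The factor names follow the Okta list above; the category mapping, the rule names and the audit codes are this example’s own assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three NIST SP 800-63-3 authenticator categories discussed above."""
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"


# Hypothetical factor catalogue. Factor names follow the Okta factor list on
# this page; the category assignment is this example's own, based on the
# definitions in the "Understanding Authentication Factors" section.
FACTOR_CATEGORY: dict[str, Category] = {
    "password": Category.KNOW,
    "security_question": Category.KNOW,
    "okta_verify_push": Category.HAVE,
    "sms": Category.HAVE,
    "google_authenticator": Category.HAVE,
    "fido2_webauthn": Category.HAVE,
    "windows_hello_face": Category.ARE,
}

# Factors the page describes as interceptable (SMS interception, SIM swapping).
WEAK_FACTORS = {"sms"}


@dataclass(frozen=True)
class SignOnRule:
    """An ordered factor chain, modelling a factor-sequencing rule (hypothetical)."""
    name: str
    chain: tuple[str, ...]

    def next_factor(self, verified: set[str]) -> str | None:
        """Return the next factor the user must satisfy, or None when the chain is done.

        Walking the chain in order is what makes the first factor replaceable: a
        chain that starts with a push approval never prompts for a password, and
        satisfying a later factor out of order does not skip an earlier one.
        """
        for factor in self.chain:
            if factor not in verified:
                return factor
        return None

    def granted(self, verified: set[str]) -> bool:
        return self.next_factor(verified) is None

    def categories(self) -> set[Category]:
        return {FACTOR_CATEGORY[f] for f in self.chain}


def audit_rule(rule: SignOnRule) -> set[str]:
    """Flag properties an administrator should review before enabling a rule.

    PASSWORDLESS    - no password in the chain (the "bypass" scenario above)
    SINGLE_CATEGORY - every factor is from one NIST category, so the rule is not
                      MFA in the NIST sense even if it has several steps
    WEAK_FACTOR     - the chain relies on a factor the page describes as interceptable
    """
    findings = set()
    if "password" not in rule.chain:
        findings.add("PASSWORDLESS")
    if len(rule.categories()) < 2:
        findings.add("SINGLE_CATEGORY")
    if WEAK_FACTORS & set(rule.chain):
        findings.add("WEAK_FACTOR")
    return findings


if __name__ == "__main__":
    # Constructed rules: a traditional password+SMS chain and a passwordless push+key chain.
    legacy = SignOnRule("password-then-sms", ("password", "sms"))
    passwordless = SignOnRule("push-then-key", ("okta_verify_push", "fido2_webauthn"))
    for rule in (legacy, passwordless):
        print(rule.name, "-> first prompt:", rule.next_factor(set()),
              "| findings:", sorted(audit_rule(rule)))
```

Running it shows the trade-off the rest of this paper discusses: the password+SMS rule is flagged only for its weak factor, while the push+key rule is passwordless but also single-category, since both of its factors are something you have.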
Benefits of Passwordless Authentication
The primary reason cited in favor of going passwordless is that passwords themselves are inherently insecure. There are only so many characters that can be used, and with ever-increasing computing power, dictionary attacks, brute-force attacks and other advanced password cracking methods are becoming much more frequent and successful. In 2019, a computer was able to generate over 100 billion passwords per second to use against all sorts of accounts [3]. This number will only increase as CPUs, GPUs and other newly developed computer components become more powerful.
Secondly, most people set passwords that are easy to remember, and hence easier to guess. Keep in mind that passwords fall under the something you know category. As Wesley Dunnington writes in his article Passwordless: A complete guide to passwordless authentication, “While passwords are seen as a necessary evil, they present too many risks to ignore. For starters, passwords are too easy to steal and guess. The 2021 Verizon Data Breach Investigations Report confirms this, finding that 61% of breaches in 2020 were executed using unauthorized credentials.” [4]
Additionally, if a phishing or social engineering attempt is successful at enticing a system user into providing their credentials to a threat actor, then the password strength and complexity would be irrelevant.
Because of the stringent requirements needed to make passwords secure, passwordless authentication makes life easier for the end user, who is no longer required to remember a complex password. Eliminating the password also eliminates the need to change passwords regularly. The perennial issue of users requiring assistance to reset their password is resolved by passwordless authentication, resulting in considerable IT support savings.
Drawbacks of Passwordless Authentication
Most arguments in favor of passwordless authentication revolve around the security issues with passwords themselves. However, depending on how passwordless authentication is configured, there are some negatives worth considering.
Firstly, it is important to have a solid idea of how secure the authentication factor that will replace passwords is. For instance, an autogenerated code sent via SMS is not the most secure authentication factor, as SMS messages are not encrypted by default [6]. Accordingly, SMS text messages are susceptible to interception. SMS text messages are also vulnerable to SIM swapping attacks, which consist of transferring the SIM card information from the legitimate phone to a phone the threat actor owns. Using this attack vector, a threat actor could start receiving your MFA SMS text codes.
When it comes to authenticator apps such as Google Authenticator, the authentication dialogue between the phone and the authentication server could be prone to channel-jacking even though the connection is encrypted, which could result in the compromise of the authenticator app’s communication channel [9]. It is also possible to obtain authenticator codes using malware on the mobile device running the authenticator app. For instance, the Cerberus trojan targets Android devices and can “get the content of the interface and can send it to the C2 server”, according to the 2020 Year of the RAT report [8].
We often don’t think about having antivirus software on our phones, but mobile devices are just as prone to malware as Windows, Apple and Linux computers [5], although Apple iPhones are less likely targets for malware than Android phones. Mobile devices can also be physically stolen regardless of manufacturer or technology; accordingly, threat actors could obtain the authenticator app code if they steal your phone and manage to defeat the phone’s biometric/PIN lock. Users who lose their phone or leave it at home would not be able to log into their computer and accounts, and would require support from the IT team. With all that said, SMS authentication and authenticator apps are more secure than passwords on their own: they are much newer forms of authentication and their codes are not static, so the typical attacks that work against passwords, such as dictionary attacks, are not effective.
Of course, a simple way to address this is to employ Multifactor Authentication (MFA). The other factor in this instance could be, for example, a security key (Bluetooth, NFC or USB). To authenticate, the user would need both their phone, to receive the verification approval message or code, and the security key. This creates a new problem: as both of these factors fall into the something you have category, they could be lost, broken or stolen, which will result in the IT helpdesk having to burn more hours on authentication workarounds for those cases. Those workarounds may introduce vulnerabilities in and of themselves.
By using MFA, one could argue that the whole idea of going passwordless becomes pointless, as MFA could be implemented with one of the factors being the password. The second factor will “patch” the vulnerabilities that passwords bring with them. As of 2019, 57% of businesses around the world utilized MFA in some form [10].
There are plenty of reasons for and against passwordless authentication. It’s true that passwords on their own are vulnerable to all sorts of attacks and can be obtained through phishing and social engineering. Meanwhile, using another authentication factor in lieu of passwords isn’t necessarily safer from threat actors either, and as time goes on it is inevitable that attackers will find more ways of breaking through authenticator apps and SMS message barriers.
As both are vulnerable in their own ways, the most secure option would be MFA/2FA: keep the password as the something you know item and add a factor of some kind as the something you have item, such as the authenticator app on your phone, to get the best of both. These factors fall into separate authentication categories, as recommended by the NIST standard on MFA [11]. While this won’t remove the hassle of remembering a sufficiently secure password, it means that the password requirements could be relaxed a bit with minimal security impact. For example, the password rotation requirement could be lengthened from every three months to every six months or once annually. If MFA is not possible, then an authenticator app is the way to go; authenticator apps are more secure than passwords at this time.
It is a good idea for IT professionals to do some testing with passwordless authentication on their own platforms, assuming those platforms support it. The industry is quickly moving in that direction, so investigating and testing the feature to understand how those platforms handle it, and to “get ahead of the curve” as the saying goes, would be beneficial. MFA has gained traction very quickly and has already been implemented in some form by more than half of all companies worldwide for internal employees. It is starting to appear in customer logins too, especially in the banking sector. MFA has become the big thing, and deservedly so, given the enhanced security it brings. However, it may not be long before the next big thing is passwordless authentication.
- [1] The passwordless future is here for your Microsoft account, by Vasu Jakkal, https://www.microsoft.com/security/blog/2021/09/15/the-passwordless-future-is-here-for-your-microsoft-account/
- [2] MFA Factor Sequencing, author unknown
- [3] A computer can guess more than 100,000,000,000 passwords per second. Still think yours is secure?, by Paul Haskell-Dowland and Brianna O’Shea
- [4] Passwordless: A complete guide to passwordless authentication, by Wesley Dunnington, https://www.pingidentity.com/en/company/blog/posts/2020/what-does-passwordless-really-mean.html
- [5] What you need to know about cellphone security, author unknown, https://www.verizon.com/articles/mobile-device-security/
- [6] Why SMS text messages aren’t so private or secure, by Chris Hoffman
- [7] How hackers can use message mirroring apps to see all your SMS texts – and bypass 2FA security, by Syed Wajid Shah, Jongkil Jay Jeong and Robin Doss
- [8] 2020 – Year of the RAT, author unknown
- [9] All your creds are belong to us!, by Alex Weinert
- [10] 57% of Businesses use Multi-Factor Auth (MFA), says LastPass, by Sergiu Gatlan
- [11] NIST Special Publication 800-63-3, page 12