The hybridization of the workforce and the IAM challenges that came with it have led many organizations to begin (or reimagine) their journey toward a mature identity program. Protiviti has observed several new trends in the IAM space, as discussed in the previous posts in this series: Emerging Trends in IAM: Simplified Engineering, Using the Sunlit Approach to Simplify RBAC and Machine Identity Management. This series evaluates the key trends that organizations will focus on over the next few years. In this post, we highlight why and how organizations might consider a passwordless approach to protecting their IT environments.
Are passwords going away?
An emerging trend that many organizations are moving toward in 2023 and beyond is the elimination of passwords in favor of passwordless authentication. Replacing the password (something the user knows) with something the user has (e.g., a smart card or security key) or something the user is (e.g., biometrics) can both raise security across the enterprise and improve the user's experience. Common password-based attacks such as man-in-the-middle phishing, brute force and credential stuffing can all be more effectively mitigated by correctly implemented passwordless authentication, because there is no reusable secret left to intercept, guess or stuff.
What is FIDO?
Fast IDentity Online (FIDO) is a family of authentication standards published by the FIDO Alliance that can support an organization's transition to a passwordless security model. Many data breaches begin with attackers obtaining a user's valid credentials. FIDO addresses this by removing the password entirely: the user logs in with an authenticator that holds a cryptographic key. The authenticator may be a roaming hardware device (a USB, NFC or Bluetooth security key such as a YubiKey) or a platform authenticator built into the user's laptop or phone, and it is unlocked locally with a PIN or a biometric such as a fingerprint, face or voice. That PIN or biometric is only ever checked on the device; it is never sent to the server and is not a password in the traditional sense.
How does FIDO work?
At a high level, FIDO authentication combines public-key cryptography with challenge/response. During registration the authenticator generates a fresh key pair for that specific application (the relying party): the private key stays on the authenticator and only the public key is sent to the application server, which stores it against the user's account. When the user later authenticates, the server generates a random challenge and sends it to the client. The user verifies their identity to the authenticator with a PIN or biometric, which unlocks the private key; the authenticator then signs the challenge, together with the identifier of the application it was registered for, and returns the signature. The server verifies the signature with the stored public key, confirms that the challenge is the one it issued and that the origin matches, and only then grants access. Nothing is encrypted or decrypted in this exchange; the private key signs and the public key verifies.
This is secure because the challenge is random and never reused, and only the holder of the private key can produce a valid signature over it. An attacker who intercepts the challenge, or the signed response, gains nothing reusable: the response is valid for that one challenge only, and the public key can verify signatures but cannot create them. Because the signature also covers the identifier of the legitimate application, a response obtained through a lookalike phishing site will not verify for the real one. Add the requirement that the private key can only be unlocked by the user's PIN or biometric on the device itself, and an attacker is left with no secret to steal, guess or replay.
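The exchange described above (registration, challenge, signed response, verification), as an added example that is not part of the original post and not FIDO Alliance code: a Go sketch of a WebAuthn-style authenticator and relying party built on P-256 ECDSA from the Go standard library. The RP ID `login.example`, the origin strings, the flags byte and the simplified client-data JSON are constructed for illustration; real WebAuthn uses a fuller authenticatorData layout and CBOR-encoded registration data. The point it shows is the one the paragraphs above make: a replayed response and a response relayed through a phishing origin are both rejected, and the stored public key alone cannot answer a challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's security key; the private key never leaves it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
	rpID string // relying party this credential was registered for
}

// RelyingParty models the application server: it holds a public key, never a shared secret.
type RelyingParty struct {
	rpID    string
	pub     *ecdsa.PublicKey
	pending map[string]bool // challenges issued but not yet consumed
}

// Assertion is what travels from the authenticator back to the server.
type Assertion struct {
	Origin string // origin the browser observed, as recorded in client data
	Sig    []byte // ASN.1 ECDSA signature over signedData
}

// Register creates a P-256 key pair scoped to rpID; only the public half is handed over.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rp := &RelyingParty{rpID: rpID, pub: &priv.PublicKey, pending: map[string]bool{}}
	return &Authenticator{priv: priv, rpID: rpID}, rp, nil
}

// NewChallenge issues a random 32-byte nonce valid for exactly one assertion.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[string(c)] = true
	return c, nil
}

// signedData is a simplified WebAuthn signing input: authenticatorData (rpIdHash || flags)
// followed by the hash of the client data, which binds the challenge to the origin the browser saw.
func signedData(rpID string, challenge []byte, origin string) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	clientData := sha256.Sum256([]byte(fmt.Sprintf(`{"challenge":"%x","origin":"%s"}`, challenge, origin)))
	data := append(rpHash[:], 0x05) // flags: user present + user verified (constructed value)
	return append(data, clientData[:]...)
}

// Assert is the authenticator's side. The user is assumed to have unlocked the key
// locally (PIN or biometric); it then signs the challenge bound to its RP ID and to
// the origin the client presented. Nothing secret is transmitted.
func (a *Authenticator) Assert(challenge []byte, origin string) (Assertion, error) {
	digest := sha256.Sum256(signedData(a.rpID, challenge, origin))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{Origin: origin, Sig: sig}, nil
}

// Verify is the server's side. Each check closes one attack: unused challenge (replay),
// origin matches RP ID (phishing relay), signature valid under the stored public key
// (without the private key nobody can answer the challenge).
func (rp *RelyingParty) Verify(challenge []byte, as Assertion) error {
	if !rp.pending[string(challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.pending, string(challenge))
	if as.Origin != "https://"+rp.rpID { // exact match here; real WebAuthn also allows registrable subdomains
		return errors.New("origin does not belong to this relying party")
	}
	digest := sha256.Sum256(signedData(rp.rpID, challenge, as.Origin))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], as.Sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

func main() {
	auth, rp, _ := Register("login.example")
	ch, _ := rp.NewChallenge()
	as, _ := auth.Assert(ch, "https://login.example")
	fmt.Println("genuine login:", rp.Verify(ch, as))
	fmt.Println("replayed assertion:", rp.Verify(ch, as))
	ch2, _ := rp.NewChallenge()
	as2, _ := auth.Assert(ch2, "https://evil.example") // relayed through a lookalike site
	fmt.Println("phished assertion:", rp.Verify(ch2, as2))
}
```

Run it with `go run`. The first Verify succeeds; the second fails because the challenge has already been consumed; the third fails because the signature covers the phishing origin the browser actually saw, so it cannot be passed off as a login from the real site even if the relay rewrites the origin field. A signature produced with any key other than the one registered fails the final check, which is why a leaked server-side public key is worthless to an attacker.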
Passwordless benefits and when to use FIDO
- With FIDO, secret management becomes simpler because the server stores only public keys, never a shared secret. Should the server's credential store be compromised, the public keys are of no use to the attackers: without the corresponding private keys they cannot answer an authentication challenge.
- Removing passwords solves the problem of users forgetting them, especially when the password is replaced by a biometric. Plan for the new failure mode, a lost or broken authenticator, by registering at least one backup authenticator per user and defining a recovery process that is itself phishing-resistant, so that recovery does not become the weakest link.
- When considering passwordless authentication, security professionals should weigh the cost and complexity of the rollout against the security and usability benefit. For large organizations with tens of thousands of employees, a complete passwordless rollout may not be feasible because of the number of hardware authenticators that would need to be purchased and distributed. Passwordless may also not make sense where legacy systems that cannot consume modern authentication protocols add so much complexity that the upkeep exceeds the return on investment. Companies should instead identify the use cases where passwordless should be deployed first, such as privileged access or specific IT personnel.
Although FIDO and other public-key technologies have beneficial use cases, it is important to consider the risk on the horizon for every asymmetric algorithm in use today: quantum computing. The signature algorithms FIDO relies on (RSA and elliptic-curve schemes such as ECDSA) and modern public key infrastructures (PKIs) are under threat as quantum computing advances. Does this mean FIDO's useful life is coming to an end? Probably not. The FIDO Alliance is working to ensure FIDO2 (the current standard, comprising WebAuthn and CTAP) remains secure in a post-quantum world. This endeavor has many facets, but one of its main drivers is a hybrid approach that combines a classical signature with a post-quantum one, so that the result stays secure against a quantum adversary while remaining compatible with existing deployments.
Quantum computing does represent a key turning point in the way cybersecurity is handled worldwide and will affect how organizations need to protect sensitive data and resources. This may be daunting, but many technologies will need replacing sooner than FIDO; the standard will continue to evolve and remains a worthwhile investment. Passwordless architectures can provide large benefits to authentication usability and security, but it will always be up to each organization to decide whether this technology is the right fit for its specific needs.
Read the other blogs in this series: Emerging Trends in IAM Part 1: Simplified Engineering, Emerging Trends in IAM – Part 2: Using the Sunlit Approach to Simplify RBAC, and Emerging Trends in IAM Part 3: Machine Identity Management.
Read the results of our 2023 Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.