Deciding to go passwordless is one thing, but deciding HOW to ACTUALLY do it is another thing altogether. We’ve done our best to summarize the major redeeming qualities of the three most prominent passwordless authentication methods: Certificate-Based Authentication (CBA), FIDO2, and Phone. What follows is a high-level synopsis of each method, its ideal use cases, and other key characteristics of its deployment.
FIDO2 is undoubtedly one of the most secure passwordless authentication methods available. It is the brainchild of the FIDO (Fast Identity Online) Alliance, developed together with the W3C, and it harnesses two specifications: WebAuthn, the browser API a website calls, and CTAP (Client to Authenticator Protocol), which the browser uses to talk to the authenticator. In the deployment discussed here the authenticator is a hardware security key: a physical device that generates and stores the private keys and signs authentication challenges locally, so a private key never leaves the device (platform authenticators built into laptops and phones speak the same protocol). Keys are registered with each service individually, and the browser binds each credential to that service’s origin, so a look-alike phishing site can neither trigger the key for the real site nor replay a captured response. That origin binding, plus the requirement to physically possess the key, is what makes FIDO2 resistant to phishing and credential theft.
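The origin binding described above is easiest to see in code. The following Go program is an added illustration, not code from the original post or from any FIDO2 implementation: it models the three parties of a WebAuthn assertion (authenticator, browser, relying party) with one P-256 key per RP ID, and simplifies the authenticator data to just the RP ID hash. It assumes the RP ID equals the page host (real browsers also allow a registrable parent domain) and hard-codes an https origin. The names `Authenticator`, `Credential`, `BrowserGetAssertion` and `VerifyAssertion` are this example’s own, not WebAuthn API names, and the challenge is a constructed constant where a real RP would generate fresh random bytes per login.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is what the RP stores at registration: a public key bound to one user for one RP ID.
type Credential struct {
	RPID, UserID string
	Pub          *ecdsa.PublicKey
}

// Authenticator models a security key: one private key per RP ID, generated on-device, never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh P-256 key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID, userID string) (Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	a.keys[rpID] = priv
	return Credential{RPID: rpID, UserID: userID, Pub: &priv.PublicKey}, nil
}

// clientData holds the fields of WebAuthn's clientDataJSON that matter here.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back to the RP after the key has signed.
type Assertion struct {
	ClientData []byte // clientDataJSON bytes; hashed into the signed message
	Sig        []byte // ASN.1 ECDSA signature over SHA-256(rpID) || SHA-256(ClientData)
}

// signedDigest is the hash both sides sign/verify. Real authData is longer than the RP ID
// hash (flags, signature counter), but the RP ID hash is the part that matters here.
func signedDigest(rpID string, clientData []byte) []byte {
	rpIDHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	sum := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	return sum[:]
}

// BrowserGetAssertion plays the browser's part of navigator.credentials.get(): origin and RP ID
// come from the page actually loaded (simplified to RP ID == host), never from the page's own
// script, so a phishing page cannot make the key sign for another site.
func (a *Authenticator) BrowserGetAssertion(pageHost string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[pageHost]
	if !ok {
		return Assertion{}, fmt.Errorf("no credential registered for %q", pageHost)
	}
	cd, _ := json.Marshal(clientData{ // marshalling a fixed struct cannot fail
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: "https://" + pageHost})
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(pageHost, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{ClientData: cd, Sig: sig}, nil
}

// VerifyAssertion is the RP's check: the challenge it issued, its own origin, and a valid
// signature by the registered key over ITS OWN RP ID hash, not whatever the client claims.
func VerifyAssertion(cred Credential, expectedOrigin string, challenge []byte, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("challenge mismatch (replayed assertion?)")
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch: " + cd.Origin)
	}
	if !ecdsa.VerifyASN1(cred.Pub, signedDigest(cred.RPID, as.ClientData), as.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	cred, _ := auth.Register("bank.example", "alice")
	chal := []byte("constructed-chal") // production: fresh random bytes per login attempt
	as, _ := auth.BrowserGetAssertion("bank.example", chal)
	fmt.Println("genuine site:", VerifyAssertion(cred, "https://bank.example", chal, as))
	_, err := auth.BrowserGetAssertion("bank.example.evil.net", chal)
	fmt.Println("phishing site:", err)
}
```

Run it with `go run`: the genuine login verifies, and the phishing host fails before anything is signed because no credential exists for that host. Even if a phishing page relayed a genuine assertion to the real site, the RP’s origin and challenge checks reject it, and because both values sit inside the signed clientDataJSON the attacker cannot edit them without breaking the signature.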
Certificate-Based Authentication (CBA) uses digital certificates for user authentication. It proves possession of a private key in much the same way FIDO2 does, but with its own unique advantage: the public key is bound to the user’s identity by a certificate signed by a Certificate Authority (CA), so any service that trusts the CA can validate it, and revocation is handled centrally through Certificate Revocation Lists (CRLs) or OCSP. That makes certificates much easier to manage at scale. For example, if a user loses a FIDO2 hardware key, a replacement needs to be issued, shipped, and re-registered with EVERY system. If a user loses a smart card, you simply revoke the certificate and issue a new one; every relying party that checks the CRL rejects the old one from then on. The caveat is that this only works if relying parties actually fetch and honor the CRL, and fail closed when they cannot, so that behaviour should be verified as part of any CBA rollout. Because certificate-based authentication has been around for decades, it is also the most interoperable passwordless method of all.
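To make the revoke-and-reissue contrast concrete, here is an added Go example (not code from the original post, from EZCMS, or from Azure CBA) using only the standard library’s crypto/x509: a toy enterprise CA issues a user certificate and publishes a CRL, and a relying party verifies the chain, checks that the CRL is really signed by the CA and still fresh, and refuses revoked serials. The CA name, the UPN `alice@example.com`, the one-hour CRL lifetime and the function names are this example’s assumptions; the user’s private key, which would live on the smart card, is generated and discarded because the TLS client-authentication handshake is out of scope here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // key generation and DER encoding do not fail in practice
	if err != nil {
		panic(err)
	}
	return v
}

// PKI is the enterprise CA. Relying parties only ever receive CACert and the CRLs it signs.
type PKI struct {
	caKey  *ecdsa.PrivateKey
	CACert *x509.Certificate
}

func NewPKI() *PKI {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Corp Issuing CA"},
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &PKI{caKey: key, CACert: must(x509.ParseCertificate(der))}
}

// IssueUserCert enrolls a user: a key pair (on the smart card in real life; the private half is unused here) and a cert tying its public key to the UPN.
func (p *PKI) IssueUserCert(upn string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject:      pkix.Name{CommonName: upn},
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, p.CACert, &key.PublicKey, p.caKey))
	return must(x509.ParseCertificate(der))
}

// PublishCRL signs a CRL listing the revoked certs, as served from the CRL distribution point. A lost smart card is one entry here; nothing changes at any individual service.
func (p *PKI) PublishCRL(now time.Time, revoked ...*x509.Certificate) []byte {
	var entries []pkix.RevokedCertificate
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(now.UnixNano()),
		ThisUpdate:          now,
		NextUpdate:          now.Add(time.Hour),
		RevokedCertificates: entries,
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, p.CACert, p.caKey))
}

// RPAuthenticate is the relying party's check: chain to the trusted CA, confirm the CRL is the CA's and still fresh, then refuse listed serials. cert.Verify alone never checks revocation.
func RPAuthenticate(ca *x509.Certificate, crlDER []byte, cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by the trusted CA: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale: fail closed rather than skip the check")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}

func main() {
	pki, now := NewPKI(), time.Now()
	cert := pki.IssueUserCert("alice@example.com")
	fmt.Println("before revocation:", RPAuthenticate(pki.CACert, pki.PublishCRL(now), cert, now))
	fmt.Println("after revocation: ", RPAuthenticate(pki.CACert, pki.PublishCRL(now, cert), cert, now))
}
```

The function to study is the last one. Go’s `cert.Verify`, like most chain-building APIs, does no revocation checking at all, so a relying party that skips the CRL step keeps accepting a lost smart card until the certificate expires. Note also that a CRL from an unknown signer and a CRL past its `NextUpdate` are both treated as failures rather than as reasons to skip the check; failing open on CRL fetch errors is how revocation quietly stops working in practice.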
Phone-based authentication is no doubt a convenient avenue, but it is also the obvious frontrunner for least secure passwordless MFA. It capitalizes on a device most individuals already have readily available: their cellphone. Several methods fall under this umbrella. The user might receive a one-time code via SMS and type it in for verification, or a push notification might prompt them to approve an authentication request. Each carries inherent vulnerabilities. SMS codes can be intercepted or diverted (SIM swapping, SS7 interception, malware on the handset) and, like any code the user types, can be relayed in real time by a phishing page. Simple approve/deny push prompts can be worn down by repeated requests until a tired user taps Approve, which is why number matching (the app shows a number the user must read off the login screen) should be treated as the minimum for push. And if the phone itself is hijacked, every method that depends on it falls with it.
See how EZCMS is your one-stop shop for all things passwordless! Why settle for anything less than the solution that does it all, from FIDO2 to CBA to Phone? No matter what, where, who, or how you’re trying to authenticate, EZCMS is the truly passwordless solution for you.
FIDO2 Authentication: As a FIDO Alliance Member, we enable the first ever self-service FIDO2 onboarding system for Azure AD, allowing you to protect your organization with the most secure authentication method from the most secure identity provider.
Smart Card Authentication: Complexity of implementation has been a major barrier to entry, limiting its adoption primarily to federal governments and government contractors. With the creation of Azure CBA (Certificate-Based Authentication) and EZCMS, this secure authentication method is now available to all Azure customers.
Phone Authentication: We’re going to advise you to explore the other methods first, but this is clearly the most cost-effective and popular passwordless authentication method, primarily due to convenience: nearly all users already have a smartphone. Save valuable time and money by enabling your users to easily self-onboard.
To wrap it up, while each method carries its own set of advantages, it’s evident that Certificate-Based Authentication (CBA) is the gold standard in terms of security: the private key never leaves the smart card, and a lost or compromised credential is revoked once, centrally, rather than replaced at every service. FIDO2 offers a harmonious blend of versatility and security, with the same phishing resistance but per-service credential management. Phone-based methods, while exceptionally convenient, warrant a cautious approach because of the SIM-swap, interception, and push-fatigue weaknesses described above.
Learn which passwordless authentication method is best for your organization by taking this quiz: