In this blog, we’re not going to go in-depth regarding the logistics of passwordless authentication; however, we are going to provide you with a solid, high-level overview. If you want to go deep into the weeds of passwordless authentication, though, check out this whitepaper on the technology behind passwordless authentication for more detail.
Passwordless authentication is made possible through the use of public and private key cryptography. It’s almost magic – you can prove that the user has a private key without EVER needing to know the private key! One of the main advantages of this is that the server never knows your private key; so, even if a server gets hacked and users’ credentials are stolen (see the video below detailing the LinkedIn hack of 2012), your users are fine. All the hackers gain access to are public keys which, by definition, are public – not exactly a groundbreaking hack.
So, passwordless authentication utilizes cryptographic keys in order to run smoothly and securely. These keys come in many forms, but we want to highlight three: phone authentication, FIDO2 keys, and smartcards. Are all of these passwordless authentication methods unphishable, though?
A truly unphishable credential is one in which any user, no matter their stature, cannot give away access to their credential. You cannot be tricked in any way to give up your key. So, what does that mean for phone authentication, FIDO2 keys, and smartcards? The unfortunate reality is that not all of these passwordless authentication methods are unphishable. FIDO2 keys and smartcards are considered unphishable credentials since they provide strong secure authentication tied to the device the user is authenticating with, making it impossible for a user to unwillingly give away their credentials. Phone authentication, on the other hand, is not considered unphishable – if you receive a bunch of push notifications on your phone with buttons that say something along the lines of, “Do you accept?” or, “Is this you logging in?” and you then receive a call from what you think is your organization’s helpdesk saying, “We’re with IT, just click ‘yes’ on the popup, we’re running routine maintenance,” you might still be able to fall for this phishing scheme and click “yes” on the push notifications.
Just because both FIDO2 authentication and smartcard authentication are unphishable does not mean that they are the same thing. Smartcard authentication is the first passwordless authentication method ever created, and it is based on X.509 certificates. FIDO2 authentication, on the other hand, is a newer method of passwordless authentication that was created to simplify the smartcard authentication process. How is FIDO2 authentication simpler than smartcard authentication? In short, FIDO2 authentication does not need all of the infrastructure that smartcard authentication does, since it deviates from using X509 certificates and instead utilizes key-based authentication. For more detail on the differences between these authentication methods, check out our blog on FIDO2 vs smartcard authentication and the below webinar.
First things first, we need to answer the question of whether or not passwords are bad. As technology expands and cybersecurity increasingly becomes a focal point, it becomes clearer and clearer that passwords are no longer up to par. In 2021, over 6 billion credentials were leaked online by hackers, and over 60% of breaches were caused by stolen credentials. The scariest part? Those numbers don’t even begin to tell the full story. Check out our blog detailing the problem with passwords to learn more about the specifics, but one thing is certain: passwords are a thing of the past. What is the solution to this password epidemic, then? Passwordless authentication.
Ultimately, going passwordless is your best bet at safe and easy org-wide authentication, but it is vital to understand how it works and the differences between passwordless authentication methods before fully committing. If you would like to see how going passwordless can improve your organization’s security, schedule a FREE consultation with one of our experts today!