What is passwordless authentication?
Over the past few years, the term “passwordless” has gained momentum and now it is used by many security, authentication, and identity solution providers — each with their own unique nuance. At Yubico, we have adopted the following: “Passwordless authentication is any form of authentication that doesn’t require the user to provide a password at login.”
There are a lot of different implementations of passwordless authentication and they all have tradeoffs. Some implementations of passwordless are specifically designed to address usability issues:
SMS – Many refer to SMS verification as passwordless because you don’t need to remember a password. Usually the user is sent a one-time password (OTP) that is valid for a short period of time and is typed in to authenticate.
Email Magic Link – A unique link with a token is created for a user and delivered to an email. Clicking the link verifies the user for that particular service.
There are also variants that deliver the magic link over SMS. In general these two authentication flows may offer better usability than passwords, but both are highly susceptible to phishing: if the user is tricked into typing the OTP code or clicking the magic link on an attacker’s page, neither of these passwordless solutions offers much security. See the Yubico blog on “How modern phishing defeats basic multi-factor authentication”.
Other implementations of passwordless are specifically designed to address security issues:
Smart Cards (PIV/CAC) – Smart cards are one of the most effective ways to protect against phishing. The user must insert their smart card into a reader, and validate the smart card with a unique PIN. This is a surefire way to stop remote phishing attacks in their tracks. But traditional smart cards aren’t very portable, compatible, or interoperable. It can be complex and costly to implement traditional smart cards at scale, making it hard to use and inaccessible for most individuals and many businesses.
Let’s take a quick sidebar and talk about passwords and PINs.
Password vs. PIN
From a usability standpoint, they may seem very similar — something else to remember. But from a security perspective, they are very different. A password is transmitted and validated on a server, which means it can be intercepted or stolen. A PIN is local to the device. For example, when you use your debit card at an ATM, the PIN only unlocks the debit card. It is never transmitted or stored elsewhere. That’s why when you have a debit card stolen and are issued a new card, you are required to select a new PIN.
The role of open standards and identity platforms
Yubico paved the way by pioneering the WebAuthn and FIDO open standards, and worked with tech giants like Google, Microsoft, and Apple to integrate these standards into the operating systems and browsers we use every day. These standards, paired with a YubiKey, allow for strong authentication across devices, apps, and services without any additional proprietary software. Identity and access management (IAM) solutions (e.g. Azure Active Directory, Okta, Duo, Ping) have also embraced open standards by layering on top of the platform giants to deliver the functionality and scale that enterprises need to adopt strong passwordless authentication for business-critical applications and services.
If you’re already invested in an IAM platform, explore what passwordless options it offers. Most provide a mobile authentication app that gives various legacy systems an alternative, non-WebAuthn/FIDO passwordless experience. While mobile authentication is stronger than a password, mobile authentication apps are phishable, which is why all leading IAM platforms have native support for hardware security keys like the YubiKey.
Going passwordless with YubiKeys and Microsoft Azure Active Directory
Passwordless is a journey, not an overnight transition. And Yubico is on this journey with you. Yubico recently celebrated an important milestone in the evolution of modern authentication. We are excited to report that YubiKey passwordless authentication is now generally available to Microsoft’s Azure Active Directory (Azure AD) users, a critical step toward achieving better security without compromising usability. Nearly three years ago, Yubico started on this journey with Microsoft and brought the first FIDO2-enabled security key to the market.
With the general availability of passwordless login for Azure AD, admins can now enable a passwordless login flow for their users with a variety of authentication options, including Windows Hello, the Microsoft Authenticator app, and FIDO2 security keys like YubiKeys. Once enabled, enrolling, adding, and removing YubiKeys is a self-service process for employees.
The transitory period for other applications and services to support passwordless is what the YubiKey was designed for — to be able to meet you right where you are and evolve with your security infrastructure. YubiKeys don’t require client software or peripherals, like a card reader. And we designed the YubiKey to support the broadest set of security protocols. You can put an end to account takeovers now using the phishing-resistant YubiKey as a second factor on top of a password. And that same YubiKey can be deployed in passwordless environments with our IAM partners as a smart card or a FIDO2 security key. The YubiKey truly is your bridge to passwordless.
How to get started on your passwordless journey today
To get started with passwordless authentication in your Microsoft environment, visit our e-commerce site to purchase a passwordless starter kit, or contact me to get a consultation and learn about what solutions are best suited for your needs. You can also learn more about other YubiKey and Microsoft passwordless deployments by reading our latest case study with the Government of Nunavut. In 2019, the Government of Nunavut turned to phishing-resistant YubiKeys and Azure AD to rebuild their infrastructure after a ransomware attack.
Michael Santini
Sales Leader, Yubico
michael.santini@yubico.com