Gather identity and security leaders in a room, raise workforce passwordless as the topic, and enjoy the fireworks.
It'll start with blaming the users: "if only they'd..." fill in the blank. That is followed by declarations of "oh, the humanity, something must be done," with an eventual fade to resignation.
Why? Because today's concept of passwordless is a myth. That's right, a tale. “Passwordless” implies no password anywhere.
The fireworks are the sound of cognitive dissonance: these leaders can see both sides of the shared-secret problem but cannot reconcile them with passwordless as it is defined today. To the left are the users. No one questions that eliminating passwords from user logins in favor of stronger "what you have" and "what you are" factors would be good for our people and improve security.
Then our IT leaders look to the right and see the mesh of directories, applications, and services that depend on passwords and drive the business. Eliminating every password in the infrastructure usually means replacing or rewriting apps and services for a PKI-based authentication infrastructure–a possible, but expensive, proposition for most IT leadership. If only we could start from scratch, greenfield it all, and be one of the SaaS-only unicorns.
But even that doesn't eliminate user passwords.
Why passwordless is a myth
For the workforce, there's always a password. Security teams that run Active Directory or manage laptops know this. For example, after a reset, or when performing local machine admin tasks, it is almost impossible to log into a Mac with Touch ID or a Windows Hello for Business PC without typing a password.
Unfortunately, a less frequently used password isn't passwordless. Worse yet, infrequently used passwords are the most dangerous, because people write them down or make them simple enough to remember, and therefore simple enough to guess. In these "sometimes password" workflows, the user creates passwords, uses them, and has to protect them. That is, by any definition, password administration. Identity and security administrators play a supporting role: clean-up in aisle five.
What about the directory? There's always a password in the directory, even with smart card and virtual certificate-based authentication. Passwords are needed as a fallback when things go wrong and for the many custom and legacy apps and services that don't support PKI-based authentication. Unfortunately, these rarely used passwords still get rotated on mandated cycles, creating an even bigger swell of confused user password help desk calls.
Passwordless MFA versus passwordless
It's easy to blame passwords, but secrets are part of doing business. Password management, not the password itself, has become the real problem.
Creating an identity starts with the admin creating the identity and inviting the new employee or contractor to join the domain. Next, the worker sets a password for that identity. There the dysfunction takes root: the user is elevated to password administrator and nudged into the attacker's crosshairs.
Passwordless purists say we need to eliminate the password everywhere. Realists say what we really need is to deny attackers the ability to exploit users and their passwords. The infrastructure running on stored passwords or PKI doesn't have to be tied to how users prove their identity. In fact, dividing password security into two zones–the passwordless user and the password-centric infrastructure–resolves the dissonance, and it shrinks the set of dependencies that must change to reach the real security goal.
Passwordless MFA users
Users don't have to know their directory password if their MFA authenticator can take that responsibility once the user proves their identity with strong authentication.
Most of today's MFA technology acts as a proxy in front of the directory: it tests the additional factors, passes the user's credentials through, and leaves the last authentication step, verifying that the entered password matches, to the directory. Closer integration between the user's authenticator and the directory eliminates the need for the user to know that directory password at all.
There are still instances where the user needs the directory password. But there's a difference between remembering a secret and knowing how to get to it. Here the authenticator can show the user the password after strong authentication in various ways. For additional security, the authenticator platform can then rotate that user's password without the user's intervention, so the spent secret's value is fleeting.
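The two-zone design described in the last two paragraphs, as an added example that is not part of the original article and is not Secret Double Octopus code: a simulated directory holds a salted password hash and answers bind requests; a hypothetical `PasswordlessBroker` owns a long random directory password per user, checks a strong factor (RFC 6238 TOTP stands in for "what you have") before binding on the user's behalf, and, when the break-glass `reveal_password` path has shown the password to a human, marks it spent and rotates it on the next passwordless login. The class and method names, the PBKDF2 round count and the rotation trigger are illustrative assumptions.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time

PBKDF2_ROUNDS = 100_000  # assumption for the demo, not tuning advice for a real directory


class Directory:
    """Stand-in for the password-centric zone (think of an LDAP/AD bind).
    Stores a salted PBKDF2 hash per user and answers yes/no to a bind."""

    def __init__(self):
        self._records = {}  # user -> (salt, hash)

    def set_password(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._records[user] = (salt, digest)

    def bind(self, user, password):
        if user not in self._records:
            return False
        salt, digest = self._records[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(digest, candidate)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) used here as the 'what you have' factor."""
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class PasswordlessBroker:
    """Hypothetical authenticator platform that owns the directory password
    on the user's behalf. The user proves identity with the strong factor;
    the broker does the password bind."""

    def __init__(self, directory):
        self.directory = directory
        self._totp_seeds = {}  # user -> seed provisioned to their authenticator app
        self._vault = {}       # user -> current directory password (user never sees it)
        self._spent = set()    # users whose password has been shown to a human

    def enroll(self, user):
        seed = os.urandom(20)
        self._totp_seeds[user] = seed
        self.rotate(user)
        return seed

    def rotate(self, user):
        """Admin-grade secret: long, random, no human-memorability rules."""
        new_password = secrets.token_urlsafe(32)
        self.directory.set_password(user, new_password)
        self._vault[user] = new_password

    def _strong_auth(self, user, code, now=None):
        seed = self._totp_seeds.get(user)
        if seed is None:
            return False
        return hmac.compare_digest(code, totp(seed, now))

    def login(self, user, code, now=None):
        """Normal flow: factor check here, directory bind done for the user."""
        if not self._strong_auth(user, code, now):
            return False
        if user in self._spent:
            # A password that has been shown to a human is spent: retire it as
            # soon as the user is back in the passwordless flow.
            self._spent.discard(user)
            self.rotate(user)
        return self.directory.bind(user, self._vault[user])

    def reveal_password(self, user, code, now=None):
        """Break-glass flow: show the password only after strong auth and mark
        it spent so the platform rotates it behind the user."""
        if not self._strong_auth(user, code, now):
            return None
        self._spent.add(user)
        return self._vault[user]
```

Nothing in `Directory` had to change to make the user passwordless; only the broker in front of it knows the password, and the revealed secret stops working the moment the user returns to the normal login path.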
Why Passwordless MFA matters
Technology that removes users from password management promises a big win for the workforce, administrators, and the business.
After all, users remembering and typing 12-character passwords with an uppercase letter, a number, and a special character dozens of times a day causes friction. We know this relief from Touch ID when we recall the bad old days of entering a 6-digit PIN at every iPhone timeout.
Less obvious are the gains on the administration side of the business. First, nothing in the apps, services, or identity infrastructure had to change to bring passwordless MFA to the workforce. Second, once users are out of password administration, secrets belong exclusively to administrators. Admins can create directory passwords of any length and complexity and rotate them frequently without coordinating with users, shrinking the exposure window for insider threats and laterally moving intruders. In effect, the company buys down security risk through attack surface reduction.
Even frontline IT gets to eliminate time-draining password reset help desk calls. According to Gartner, this buys IT a significant time buyback as password issues drive an astonishing 40% of help desk calls.
This approach promises a win-win for everyone. Except for the attackers, who will have to move on to the more technically challenging zero-days, malware, and vulnerability exploits to crack the shell.
Don Shin, security marketing strategist, Secret Double Octopus