IAM Technologies, Identity, Security Architecture

Are users ready to go passwordless? Why it’s better to move slowly

Share
Passkey

If you work in cybersecurity or IT, you've heard the hype about a couple of the latest and greatest innovations in identity and access management.

Passkeys? They'll eliminate phishing, speed up authentication and kill passwords forever. Decentralized identity? It'll neutralize data breaches, put power back in the hands of users and kill passwords forever.

These concepts may sound great, but for the moment, they're impractical. Identity and access management (IAM) technology has gotten far ahead of what ordinary people are comfortable using, and despite the excitement, neither of these new passwordless protocols are truly ready for enterprise use.

There's little point for your organization to focus on IAM standards that will not be widely adopted until they are streamlined and made easier to use. After all, it's already hard enough getting your staff, let alone your family members, to use multi-factor authentication (MFA).

Instead, focus on what can be achieved here and now, such as company-wide implementation of MFA, single sign-on (SSO), and password managers. You can substantially strengthen your organization's IAM posture without deploying protocols that will baffle and annoy staffers and executives alike.

Do you need an MBA to use MFA?

Multi-factor authentication, also known as two-factor authentication (2FA), has been around for more than 20 years and works very well at stopping account takeovers. Yet the rate of uptake of MFA is pitiful.

In December 2021, Twitter/X reported that only 2.6% of its active accounts had 2FA enabled. Seventy-five percent of those accounts used SMS text-based notifications, the weakest form of MFA.

Three months later, Microsoft reported that only 22% of Azure Active Directory accounts were enabled with "strong authentication," which Microsoft defines as MFA or passwordless authentication.

Google has had more success with consumer MFA, but only because it automatically enrolls account holders' smartphones as the second factor and sends push notifications if it spots login attempts from an unfamiliar source.

Corporate executives don't fare much better than consumers. A June 2022 study found that only 8% of C-suite and board members across a range of industries had MFA enabled across most of their apps and devices.

Too much friction

Why the slow adoption rate? It's partly because most forms of MFA, whether SMS texts, push notifications or authenticator apps, create additional friction. Consumers have the option to "recognize this device" so they don't have to do MFA every time, but enterprises that require MFA often require it at each login.

"Employees aren't compensated on security, they're compensated on productivity," Okta's Chris Niggle pointed out to SD Times in 2023. "MFA traditionally impeded that productivity and organizations were very reluctant to roll that out."

Moving to passwordless authentication can be an ordeal for IT staffers. In a January 2023 CyberRisk Alliance Business Intelligence survey of 203 security and IT managers in North America, less than a third of respondents said their organizations had implemented biometrics, behavioral authentication or pre-shared cryptographic keys.

"Who wants to spend hours in understanding a product that always requires additional expertise to handle when its objective is to provide efficiency?" one respondent said in the survey.

Outmoded technology is another factor, especially among government agencies and other underfunded organizations.

"No insignificant number of federal systems are running on legacy infrastructure, which means that it's not just as simple as deploying a modern authentication stack on top of your modernized infrastructure," the Cybersecurity and Infrastructure Security Agency's Eric Goldstein told CyberScoop in June 2022.

Security experts are trying to increase MFA uptake by lessening friction. One way is to use a cryptographically-coded hardware key, such as a Yubikey or Google's Titan key. Instead of waiting for a code to be generated or sent, the user simply plugs the hardware key into a USB port on their computer or smartphone. Some hardware keys also use NFC or Bluetooth to link to devices.

I use a hardware key myself, and it's great. Yet good hardware keys range from $20 to $90 apiece. Google can afford to give Titan keys to all its employees, but not every organization can foot that bill, although the lowered risk of a breach might be a solid return on investment.

Another smooth-ish MFA method is a push notification, which appears on your phone's screen when you try to log into a website on your computer. Microsoft's push notifications ask you to tap a two-digit number (out of three presented) that matches what you see on your computer monitor. Google and Yahoo ask you to tap "Yes" to confirm that it's you logging in. (The latter method is vulnerable to "push bombing," in which an attacker pesters you with push notifications until you approve one.)

Then there are biometrics, such as the facial-recognition or fingerprint scans on modern smartphones. Biometrics by themselves aren't very strong, as a scanner might be fooled by a mask or a rubber finger overlay, and they'll often admit an authorized user who is sleeping, unconscious or recently dead.

But when combined with a strong authentication factor like a hardware key, biometrics aren't bad. That's the reasoning behind passkeys — put the software equivalent of a cryptographically-secure hardware key into a modern smartphone or laptop, and let the device's biometric reader (or PIN, password or pattern screen lock) be the other factor. 

Let me be clear: Passkeys are the future of authentication. Once you understand how they work (and they're quite different from passwords), the appeal is obvious. But there are still a lot of practical hurdles that need to be overcome before passkeys can gain mass adoption.

The perils of passkeys

In May 2022, Apple, Google and Microsoft, not normally the best of friends, jointly committed to implementing passkeys. All three now let their account holders use them.

The concept of passkeys sounds great. When you create a passkey with an account provider, say Google, your passkey-enabled device, say a Windows laptop, creates a public-private cryptographic key pair. You log into Google using your password, and then your laptop uploads the public cryptographic key to Google.

From then on, you can sign into Google from the laptop without using a password — as long as you've already signed into the laptop itself. The Google website sends the public cryptographic key to your laptop, which then authenticates itself using its private cryptographic key and sends the mathematical proof back to Google. The private cryptographic key stays on the device.

The same process works with iPhones, iPads, Macs and Android phones and tablets. Because each public-private key pair is unique, there's no chance of password reuse, and because the private key is stored on your device only, it can't be phished. Awesome!

Dozens of major companies support passkeys, including Amazon, Best Buy, eBay, LinkedIn, Nintendo, TikTok, Uber, X/Twitter, Yahoo and, um, OnlyFans. So do leading password managers such as Bitwarden, Dashlane, LastPass and 1Password.

So what's not to like? The devil, as always, is in the details. Unlike passwords, passkeys are device-dependent. Their support varies among operating systems. And they can't be shared (yet) across different platforms.

A passkey created on an Apple device will be synced among all Macs and iPhones that share the same Apple ID, thanks to the Apple Keychain. Likewise, a passkey created on an Android device will be synced among all the user's other Android devices, thanks to the Google Password Manager. (Apple and Google insist that the cross-device syncing is completely secure.)

But unlike passwords, passkeys can't be shared between Android devices and Apple devices. You'll need to create different sets of passkeys for each ecosystem.

Meanwhile, Windows PCs can't sync passkeys at all. For now, a passkey created on a PC is good only for that PC. If you have more than one PC, you'll have to create new sets of passkeys. That's not exactly reducing MFA friction.

It's even worse if you use Linux or Chrome OS. Neither operating system supports passkeys yet. As a workaround, the website you're trying to sign into can put up a QR code, which your passkey-enabled smartphone can scan to verify your identity.

There's also a security downside. If your phone or laptop gets stolen, so will your passkeys. Whoever can unlock your device will have access to your passkey-enabled accounts. If your PC is shared among several users, you may not want to enable passkeys on it, even if each user has their own login.

With passkeys, the bottom line is: The security of the passkey depends on the security of the device.

Passkeys in the enterprise? Not just yet

If you're an IT administrator or a CISO, you can't expect your staffers, or your executives, to get the hang of passkeys without some serious training.

Furthermore, passkeys are fundamentally a consumer product. They can be deployed in the enterprise, but the IT manager will have to cede control of the cryptographic keys to Apple, Google or Microsoft, whose passkey protocols are optimized to interact with the end user rather than with a network administrator.

"CISOs need to consider their level of confidence in Apple's and Google's cloud-security protections," states a HYPR guide to enterprise use of passkeys. "CISOs must also understand the security and auditability of Apple Keychain and Google Password Manager — giving them the 'keys to the kingdom' can create a significant point of vulnerability."

Passkeys probably won't gain wide acceptance with consumers until they can be securely synced and maintain a consistent user experience across all widely used platforms. And passkeys won't gain wide acceptance in enterprises until there's a centralized management system that can remotely issue, replace and revoke passkeys on workplace devices.

"I haven't really seen good examples of passkey management out there yet in the field," Google Product Manager Christiaan Brand admitted to PC Magazine's Michael Kan at the RSA 2023 security conference. "A lot of this stuff is still early days. This is kind of part of the ugly. We haven't quite got this figured out as an industry."

The decentralized-identity mirage

Imperfect as they may be, passkeys can be easily set up and used right now. That can't be said about decentralized identity, another good passwordless solution that's getting a lot of attention but is a long way from being finalized, let alone widely adopted.

In standard identity management, an organization — let's call it Acme Widgets — stores customers' and employees' account credentials, typically a username and (hopefully) cryptographically hashed password, in a secure and (hopefully) encrypted database along with other information about the account holders. 

This centralized approach puts the onus on Acme Widgets to protect the account information and prevent attackers from breaking into the database. It also puts the onus on account holders to not re-use passwords, which can lead to a cascade of compromised accounts.

Decentralized identity flips this model around. Instead of organizations retaining account credentials and other user data, users keep all their information in a digital wallet on their smartphones. When accessing an organization's assets, the digital wallet presents the user interface with verification, based on a public-private cryptographic key pair, that the user is who they say they are.

The organization being accessed doesn't get anything besides the verification information and what the user chooses to share. No passwords are needed. There's no treasure trove of data or account credentials resting in the cloud waiting for someone to break in.

Unfortunately, decentralized identity is mostly just a concept for now. The various stakeholders are still working out the technical details, such as whether digital wallets should use a blockchain as part of the verification process.

Digital wallets themselves are already available on smartphones, mostly as accessories to Apple Pay and Google Pay. Apple and Google want them to store identification as well, but that initiative is going slowly. Apple announced in September 2021 that Apple Wallet would soon hold U.S. state driver's licenses, but as of February 2024, only four states had signed on.

The European Union is making steady but slow progress on decentralized identity. It has mandated the creation of a continent-wide standard that would let citizens of all EU member states use digital wallets to access government agencies and private companies designated as Very Large Online Platforms, including AliBaba, Amazon and Facebook.

Pilot programs for the European Digital Wallet are underway, but the technical standards are still being formulated and the deadline to have the wallets available to citizens has been pushed back from 2024 to 2030.

Would decentralized identity work in the enterprise? It would certainly be good for retail companies and social-media platforms, which would no longer have to worry about data breaches involving customer data.

As for managing decentralized identity among employees, you'd need a scalable system that could easily authorize and revoke access from digital identities. That system would have to accept verification presented by consumer-grade digital wallets, unless the market settles into a situation where individuals are expected to hold separate personal and professional digital IDs.

The truth is, we don't know what's coming with decentralized identity. Despite the best efforts of the EU and several private companies on this side of the Atlantic, it's at least several years away. It's not worth trying to apply it to an enterprise until the standards are worked out.

How can you improve your IAM standing?

Like Apple, Google and Microsoft, enterprises and other large organizations have a role to play in getting the world to use stronger authentication. Due to user reluctance and the current impracticality of passwordless solutions in the workplace, the process will have to happen gradually.

A clearer picture of how to proceed emerges if we use the framework established by the U.S. National Institute of Standards and Technologies (NIST).

NIST places digital authentication technologies and methods into one of three "authenticator assurance levels" or "AALs":

AAL1 consists of a single factor. It can be a "memorized secret," such as a password or a static PIN, but it can also be a temporary one-time-passcode (TOTP) or a cryptographic hardware key, so long as it's the only type of authentication being presented. (NIST does not consider biometric factors reliable enough to be used as a single factor.)

AAL2 is basic MFA without phishing resistance. To parrot the standard MFA explanation, it's when you combine something you know (a password, static PIN or smartphone screen pattern), something you have (a TOTP generated by a smartphone app or keychain dongle, or sent via text, email or voice call to your phone; an emailed "magic link"; or a smartphone push notification) and/or something you are (a biometric scan verified by a physical reader). A combination of any two of these three types of factors will qualify.

AAL3 combines any of the knowledge or biometric factors above with a phishing-resistant possessed form of authentication, such as a cryptographic hardware key or its smartphone-based software equivalent. Passkeys qualify as AAL3 because you can access the device's stored cryptographic private key only after you unlock the device using something you are (face, fingerprint or other biometric scans) or something you know (PIN, password or pattern unlock).

Most people have been using AAL1, i.e. passwords-only, for decades. Most forms of MFA are AAL2. Clearly, a lot of people are having trouble getting from AAL1 to AAL2.

With passkeys, the consumer-focused part of the IAM industry is trying to get users to jump from AAL1 to AAL3, leapfrogging AAL2 entirely. But it's doubtful whether that approach will work or will instead just confuse people.

Baby steps to passwordless

So what should you do? Keep things simple and have your employees slowly move through different stages of increasingly stronger authentication. Treat your staffers like the responsible adults that they are and explain the rationale behind each new authentication method. And accept that a successful transition to passwordless will take a few years.

1. Start with SMS-based MFA if you've got nothing else. SMS-based MFA is better than no MFA at all, and it's something that most people understand.

2. Don't require MFA upon every login. That will just annoy people. Instead, make it every week or two.

3. Offer employees alternative forms of authentication, such as authenticator apps or push notifications. Make IT and security staffers use these methods so that they can show other employees how they work. You may need to make clear that authentication apps will not track employee locations or steal data.

4a. Implement single-sign-on (SSO) companywide. That will "give back" some of the time that employees spend typing in MFA codes and will reduce password-reset headaches for your IT team.

4b. Alternatively, roll out a company-licensed password manager and make sure it rejects weak passwords and flags repeated passwords.

5. After a year or two of this, phase out SMS-based MFA and switch everyone over to the alternative method(s) you chose in Step 3.

At this point, you'll have everyone happily using decent AAL2 MFA. But it will still be vulnerable to crafty phishing emails. It's time to introduce phishing-resistant factors. You could either:

6a. Hand out cryptographic hardware keys to all staffers. It'll be a substantial expense, but it'll be cheaper than cleaning up after a data breach caused by phished passwords.

Or:

6b. Implement phone-based passkeys if the standard has matured enough so that it's consistent across all platforms and is easy for IT to manage.

Finally, after another year or two, it'll be time to remove passwords altogether.

7a. If you've implemented hardware keys, remove passwords as the second factor and replace them with push notifications or authenticator apps.

7b. If you've implemented smartphone-based passkeys, remove passwords as a backup authentication method and replace them with push notifications or authenticator apps.

8. Delete the passwords from your database.

Delayed response

There's no question that the future of identity and access management is passwordless. Right now, passkeys and decentralized identity look like the best way forward. But you'll gain little by rushing your organization into implementing either or both protocols.

Let others be the beta testers that iron out the wrinkles. Wait until these standards have matured, and in the meantime slow-walk your staffers through increasingly strong levels of multi-factor authentication augmented by single-sign-on or password managers.

An In-Depth Guide to Identity

Get essential knowledge and practical strategies to fortify your identity security.
Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.