Bottom Line: Biometrics are proving to be better than passwords because they’re easier to use, provide greater privacy and security, and are gaining standardization across a broad base of mobile, desktop, and server devices that users rely on to access online services.
In keeping with the theme of this year’s RSA Conference of Human Element, vendors offering passwordless authentication were out in force. Centrify, Entrust Datacard, HID Global, Idaptive, ImageWare, MobileIron, Thales, and many others promoted their unique approaches to passwordless authentication, leveraging the FIDO2 standard. FIDO2 is the latest set of specifications from the FIDO Alliance, an industry standards organization that provides interoperability testing and certification for servers, clients, and authenticators that meet FIDO2 specifications.
The Alliance has introduced a new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, WebAuthn, and CTAP). The following graphic explains how the FIDO2 architecture authenticates every account requesting access to resources on a secured system:
The security industry has been trying to kill the password for decades. It has long been viewed as a weakness, primarily because of the human element: people continue to use weak passwords, on multiple accounts, at work, and in their personal lives. 81% of data breaches involve weak, stolen, default, or otherwise compromised credentials, according to a Verizon Data Breach Investigations Report.
For decades, the username and password (“something you know”) was the best authentication factor available, yet it did not provide enough of a barrier to hackers. Then came two-factor authentication, which added “something you have” as a second factor, such as a smartphone, key card, token, or other tangible item associated with the user.
Today everyone lives in a multi-factor authentication (MFA) world where cybersecurity technologists have added another factor: “something you are.” This is where biometrics come in, and facial recognition, fingerprint scanning, retinal scanning, and other forms of bio-identification have become normal thanks to technologies like Apple’s Touch ID and Face ID. Many people have already been using these technologies for years on their iPhones.
The reality is that both of these additional factors, “something you have” and “something you are,” are much stronger than “something you know,” such as a password or PIN. A password or PIN can be easily stolen, guessed, or phished, whereas authentication based on biometrics is very hard to fake or duplicate.
In short, by using the two newer factors of authentication, everyone who uses an electronic device daily is moving closer to a passwordless reality. Cybersecurity technologists are going to continue making authentication easier and more secure to improve user experiences and reduce the threat of a breach.
Privileged Admin Passwords Need To Be The First To Go
Key lessons learned from visiting with the 30 or so vendors who claimed to support passwordless authentication include the following:
- Centrify was the only vendor who prioritized enforcing FIDO2-based privileged administrator logins. It was also one of the few that specifically mentioned support for Apple’s Touch ID and Face ID, as well as Windows Hello, showing full support for the FIDO2 standard.
- Windows Hello and Windows Hello for Business are table stakes in passwordless authentication; every vendor claims, and can demo, this capability.
- Combining multiple forms of biometrics is proving problematic for the majority of vendors, as evidenced by the inconsistent demos on the show floor. No one could conclusively demo multiple types of biometrics for their solutions on the fly in a demo environment while at RSA. Of the many vendors claiming this capability, Centrify’s approach is the most distinctive in that privileged user identities are verified, satisfying a valuable pillar of its Identity-Centric PAM approach.
- All vendors claiming FIDO2 compliance were able to demonstrate Apple’s Touch ID electronic fingerprint recognition, while Apple Face ID facial recognition product demos were hit or miss. If you are evaluating biometrics vendors who claim FIDO2 compliance be sure to stress-test facial recognition, as the demos on the show floor made it clear there’s work to do in this area.
- Product management teams have been studying the NIST 800-53 high-assurance authentication controls standard and integrating it into their roadmaps. The 170 controls that comprise the NIST 800-53 standard are being adopted quickly across the vendors who claim passwordless authentication as a core strength in their product strategies. Using biometrics eliminates the risk of credential theft techniques and provides better alignment with the NIST 800-53 high-assurance authentication controls standard.
- Vendors are at varying levels of maturity when it comes to capitalizing on the metadata that biometrics provide, with a few claiming to have real-time analytics. Every vendor had a different answer to how they manage the massive amount of metadata generated by their biometrics, and all claim to support analytics on it. From speaking with the vendors at RSA, it is clear that analytics used to authenticate, rather than merely to report activity, is far more effective. I had a chance to talk to Dr. Torsten George, Cybersecurity Evangelist at Centrify, who said, “Centrify’s support for the FIDO2 standard is a direct result of our ongoing commitment to our customers and their requests for biometric authentication of privileged user identities. Combining our support for the FIDO2 standard with our existing multi-factor authentication and real-time analytics capabilities, we’re able to greatly reduce the risk of security breaches that might exploit weak, default, or stolen privileged credentials.”
Judging by the heavy emphasis on passwordless authentication at this year’s conference, RSA’s Human Element theme was prescient. FIDO2 is getting solid support across the cybersecurity vendors who chose to exhibit there, which is great for the enterprises, organizations, and small businesses that need to defend themselves. Of the many vendors there, Centrify stood out for its unique approach to authenticating privileged user identities within its Identity-Centric PAM platform.
FIDO2 ultimately makes security stronger and less disruptive because it not only eliminates passwords but also makes the user experience more seamless and less likely to be circumvented. Passwordless authentication ensures that login credentials are unique to every website, are never stored on a server, and never leave the user’s device. This security model helps eliminate the risk of phishing, as well as all forms of password theft and replay attacks.
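The three properties just described (per-site credentials, private keys that never leave the device, and resistance to phishing and replay) can be seen in a stripped-down model of the FIDO2/WebAuthn challenge-response. This is an added example, not code from the article or from any vendor named in it; the relying-party ID "bank.example" and the look-alike "bank-example.test" are constructed, and the signed message is a simplified binding of RP ID and challenge rather than the full authenticator data and client data hash a real authenticator signs.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// assertionHash binds a signature to the RP ID the client derived from the origin and to the challenge.
func assertionHash(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey } // one key pair per RP ID; private keys never leave it
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rpID] = priv
	return &priv.PublicKey // only the public half goes to the server
}
func (a *Authenticator) Sign(rpID string, challenge []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, a.keys[rpID], assertionHash(rpID, challenge))
	return sig
}
// RelyingParty stores the public key and accepts each challenge it issued exactly once.
type RelyingParty struct{ id string; pub *ecdsa.PublicKey; pending map[string]bool }
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // fresh random challenge, remembered so it can be consumed once
	rp.pending[string(c)] = true
	return c
}
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	if !rp.pending[string(challenge)] { return false } // unknown or already-consumed challenge: replay rejected
	delete(rp.pending, string(challenge))
	return ecdsa.VerifyASN1(rp.pub, assertionHash(rp.id, challenge), sig)
}
// Demo returns verdicts for a genuine login, a look-alike-origin assertion and a replay.
func Demo() (legit, lookalike, replay bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{id: "bank.example", pending: map[string]bool{}} // constructed RP ID
	rp.pub = auth.Register(rp.id)
	c := rp.Challenge()
	sig := auth.Sign(rp.id, c)
	legit = rp.Verify(c, sig)
	c2 := rp.Challenge() // the client scopes a look-alike origin to its own, separate key pair
	auth.Register("bank-example.test")
	lookalike = rp.Verify(c2, auth.Sign("bank-example.test", c2))
	replay = rp.Verify(c, sig) // the same assertion presented a second time
	return
}
func main() { fmt.Println(Demo()) }
```

Running it prints `true false false`: the genuine login verifies, the assertion produced under the look-alike RP ID fails against the real site's key, and the replayed assertion is refused because its challenge was already consumed.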
We’re closer than ever before to the elusive goal of a passwordless future.