Can Passwordless Authentication Be Trusted?
Blog Article Published: 08/17/2020
By J. Wolfgang Goerlich, Advisory CISO for Duo Security
Every new feature we introduce to our users is potentially a new tactic we provide our adversaries. When I was learning to drive, this happened with car steering wheel locks. Do you remember these? Big bars people would put on their steering wheels, painted bright colors like neon pink. Sure, the owners felt more secure. But there was a problem. Car thieves developed a technique of cutting the steering wheel and using the bar to break the built-in wheel lock.
A security feature turned into a tactic the criminals used. Fortunately, we’ve learned a lot since I took to the road. Take passwordless, for example.
Is Passwordless Authentication Even Safe?
“If someone steals my password, I can change my password. If someone steals my fingerprint, what do I do then?”
Good question. We immediately think about password rotation because that’s about the only tool in the password toolbox. But moving to other authentication factors opens up new ways to stop credential reuse.
Tools to Help Passwordless Thwart Credential Theft
Device trust is one of the clearest indicators of whether an authentication is trustworthy: does it come from a device the person has used before? In other words, is the device identity trustworthy? It may seem easy to steal credentials, but it is significantly harder to steal them along with the device most often used with them. Device visibility and device inventory reduce the risk of credential theft. But like car security, the device itself might be used to circumvent controls. To address that, check the device’s health to see if it is out of date, has been tampered with or jailbroken, or is potentially infected with malware.
We can’t make a smarter keyboard that prevents adversaries from entering passwords. But equipment manufacturers are making smarter fingerprint readers and anti-fraud cameras for facial recognition. In addition, storing biometric data in a Secure Enclave or Trusted Platform Module (TPM) greatly limits what adversaries can steal, as well as providing brute-force and anti-hammering protections.
Monitor Trusted Access with Behavioral Analytics
Assume the adversary has somehow obtained the person’s biometrics, stolen their device, and circumvented the device’s platform security. (I know, that’s a lot of assumptions.) It is doubtful the adversary will connect and do the person’s work. Set up behavior analytics with Trust Monitor to model activity and telemetry and baseline the person’s normal activity. When suspect and potentially malicious activity is detected, the adversary can be investigated, caught, and stopped.
Set Adaptive Policies
While the above increases trust in authentication in general, keeping up with a large workforce is a significant undertaking with passwordless authentication in particular. Automated and quick responses are key. We can enable adaptive access policies based on the signals above: set the required level of authentication trust based on the context of the user, device, location, behavior, and more, to prevent credential re-use.
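As an added illustration (not code from the article or from Duo), the following Python sketch evaluates one passwordless authentication attempt against the three signal families discussed above, device trust, device health and behavior baseline, and returns allow, step-up or deny. The dataclasses, rule names and the sample baseline for a user "alice" are assumptions.

```python
from dataclasses import dataclass

# Adaptive access policy sketch: names, rule order and sample data are
# assumptions for illustration, not a real product's policy format.

@dataclass(frozen=True)
class AuthContext:
    user: str
    device_id: str
    os_current: bool        # OS and security patches up to date
    tampered: bool          # jailbroken/rooted or integrity check failed
    malware_detected: bool  # endpoint agent reports an infection
    location: str           # coarse location, e.g. country code
    hour: int               # local hour of day, 0-23

@dataclass(frozen=True)
class Baseline:
    known_devices: frozenset
    usual_locations: frozenset
    usual_hours: range      # e.g. range(7, 20) for 07:00-19:59

def evaluate(ctx: AuthContext, base: Baseline) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    reasons = []
    # Device health: a compromised device cannot be trusted at all, so deny
    # rather than asking for another factor the device itself could replay.
    if ctx.tampered:
        reasons.append("device_tampered")
    if ctx.malware_detected:
        reasons.append("malware_detected")
    if reasons:
        return "deny", reasons
    # Device trust: first sight of a device is the moment reuse of a stolen
    # factor is most likely, so require a stronger proof before allowing.
    if ctx.device_id not in base.known_devices:
        reasons.append("unknown_device")
    if not ctx.os_current:
        reasons.append("device_out_of_date")
    # Behavior baseline: deviations are not proof of compromise, so they
    # step up and get flagged for investigation instead of blocking outright.
    if ctx.location not in base.usual_locations:
        reasons.append("unusual_location")
    if ctx.hour not in base.usual_hours:
        reasons.append("unusual_hour")
    return ("step_up" if reasons else "allow"), reasons

# Constructed sample baseline for one user (assumption, not real telemetry)
ALICE = Baseline(frozenset({"laptop-01", "phone-01"}), frozenset({"US"}), range(7, 20))
```

The reasons list is what a reviewer would want in the audit log next to the decision, so that a step-up or deny can be traced back to the specific signal that triggered it.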
Looking back, advances in ubiquitous connectivity and near-field communications shifted how we prevent car theft. Looking forward, advances in device health and behavior analytics will shift how we prevent credential theft. In both cases, the trick is to view the problem through a wider lens and consider how adversaries will act before and during an incident. The broader view makes it possible for us to take actions that have stopping power, without introducing new risks.
We can increase trust in new approaches such as passwordless by reducing overall risks associated with authentication.