By Aviad Mizrachi.
We are a society that craves convenience, so it’s no surprise that we’ve become huge fans of Passkeys and passwordless authentication. These new solutions are necessary and improve both security and the user experience. That said, Passkeys and passwordless are only a small part of what is needed for comprehensive secure user management.
This is particularly true if a SaaS provider wants to offer Zero Trust (ZT) capabilities, which require continuous verification of user activity. ZT best practices also mandate more aggressive and granular application of least-privilege policies, going well beyond the initial authentication and login.
From requiring that logins to critical infrastructure happen over a specific VPN, to ensuring that only users from the correct organization can log in, to asking why a user is accessing an application from a previously unknown IP address, we believe there are many aspects of secure user management that passwordless simply does not cover. This article is meant to help you develop a comprehensive secure user management strategy, and it identifies the primary levers that can (and should!) be used to ensure the right users are accessing the right systems, even if someone gets past strong authentication technologies like passwordless.
The Trouble with Passwords
We all know why passwords are a pain. The user experience with passwords can be downright awful. The human brain is not made to remember dozens and dozens of passwords, so we forget them all the time. When we need to request new passwords, we then find ourselves jumping through a new set of hoops just to log into systems we access daily.
Worse, many conservative system admins still refuse to enable self-service password resets, which becomes a problem when, for example, employees are in different time zones from the admins or the admin is on vacation.
Almost worse than forgetting a password, humans frequently reuse the same password across multiple systems. This means that a compromise of any one system holding that password likely lets cybercriminals use the same email-and-password (or username-and-password) combination to illegally access other accounts held by the same user. A common coping tactic is to use easy-to-remember passwords, and those are also easy to crack with automated tools.
Even when multi-factor authentication (MFA), using methods such as authenticator apps or SMS codes, is added to improve security, attackers are increasingly bypassing MFA through clever methods that let them either capture the MFA code or mount a man-in-the-middle attack on the user’s device. An attacker who compromises the password for an official email account effectively controls both modalities of authentication, since the second factor or the reset link is delivered to that same inbox. This is why in 2021 the U.S. Federal Bureau of Investigation received 19,954 Business Email Compromise (BEC)/Email Account Compromise (EAC) complaints with adjusted losses at nearly $2.4 billion.
For many years critics have complained about the problems with passwords. At the 2004 RSA Conference, Bill Gates foretold the end of passwords, saying, “they just don’t meet the challenge for anything you really want to secure.” We have continued to hear that passwords are insufficient ever since. Yet passwords remain the dominant form of foundational authentication in enterprises.
A Quick History of Biometrics and Passwordless
Biometrics is the science, and the related set of technologies, of identifying someone based on a unique physical or behavioral characteristic. There is evidence that ancient Babylonians used fingerprints to verify signatures and identities on clay for business transactions in 500 BC. Fourteenth-century Chinese merchants used palm and footprints. Early fingerprint systems for identifying criminals emerged in the late 19th century. In the digital era, modern security systems and cryptography enabled the digitization of biometrics. Initially expensive and mainly used to protect critical systems and locations in defense and industry, biometrics entered the mainstream in the modern smartphone era as Apple and Android systems made it easy to use facial recognition or fingerprints to unlock phones and open applications.
Over the last few years, passwordless authentication technologies have rapidly matured and gained acceptance from large technology firms that count billions of consumers and business workers among their users. Passwordless is exactly what the name says: users do not have to remember or enter a password. Instead, passwordless systems generally use a combination of authentication methods that usually includes a biometric or a link sent to an email address assigned to a known user. In some cases the system is passwordless multi-factor authentication, which might combine a biometric with an SMS message, or with a token or code from an authenticator application.
Enter FIDO, WebAuthn and Passkeys
Passwordless has been driven by the FIDO Alliance, a global technology standards body governed collectively by its members, which include Google, Apple, PayPal, Microsoft, Facebook and hundreds of other companies. There are two key passwordless standards: the Web Authentication JavaScript API (WebAuthn) and FIDO’s corresponding Client-to-Authenticator Protocol (CTAP). All of the major browsers, including Google Chrome, Mozilla Firefox and Microsoft Edge, have implemented the standards, and a growing list of B2B SaaS providers are running WebAuthn.
The fastest-growing way to deploy passwordless is Passkeys. With Passkeys, the same combination of factors (biometric and code) used to unlock a device can also be used for authentication and login. Driven by the combination of a better user experience (UX) and the strong push by major tech companies and mobile app vendors to educate consumers, wide adoption of Passkeys and passwordless across enterprise SaaS is to be expected. But while Passkeys are great, they are only the tip of the iceberg when it comes to implementing a secure user management approach.
Thinking Beyond Passkeys to Secure User Management
Relying exclusively on Passkeys and passwordless for secure user management is effectively like turning back the clock to the days of hardened perimeters and soft, lightly secured internal environments. Forward-looking teams are implementing passwordless but view it as only the first step in secure user management and one portion of their overall security strategy.
After login and initial authentication, companies can apply a number of other criteria to each interaction and enact additional security measures and checks at the user level. This includes considering:
- Is the user trying to access critical systems such as finance or production environments?
- Is the user trying to access a system for the first time, or after a credential reset?
- Has the user bypassed Passkey or passwordless authentication for any reason?
- Is the user relying on a single form of authentication, or on passwordless MFA?
- Is the user following their previous usage patterns on the system, including:
  - Network type (secured or public WiFi)
  - Making anomalous requests (asking to access systems they do not have access to)
To build stronger and more resilient secure user management, product, UX and security teams should collaborate on policies that map security requirements to each of the situations above. For example, if a user has already logged in with Passkeys and is known to be an application developer, you might allow them access to their own code repository but require an additional authentication step or another Passkey validation before giving them access to the Continuous Integration (CI) pipeline environment. Alternatively, you might give someone on the finance team access to the accounts payable system during working hours but require additional authentication if they attempt access on the weekend or from an unrecognized device.
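The checklist and the two scenarios above amount to a small policy engine: a request context (who, what resource, which factors were already proven, known device and IP, network, time) goes in, and one of allow / step-up / deny comes out. The following Python is an added illustration of that mapping; it is not Frontegg's code and not part of the original article. The role names, resource paths, network labels, working hours and the "two proven factors for critical resources" rule are all assumptions made for the example, and the request contexts at the bottom are constructed.

```python
"""Context-aware step-up policy evaluator (added illustration, not Frontegg code).

Every name here (roles, resource paths, network labels, working hours) is an
assumption made for the example; adapt them to your own application.
"""
from dataclasses import dataclass
from datetime import datetime, time
from enum import Enum
from fnmatch import fnmatch


class Decision(Enum):
    ALLOW = "allow"        # proceed on the existing session
    STEP_UP = "step_up"    # demand a fresh passkey assertion or second factor first
    DENY = "deny"          # refuse and raise an alert for review


@dataclass(frozen=True)
class Context:
    user_id: str
    roles: frozenset
    resource: str            # e.g. "repo/my-service", "ci/pipeline"
    auth_methods: frozenset  # factors already proven this session, e.g. {"passkey", "totp"}
    device_known: bool       # device seen before for this user
    ip_known: bool           # IP address seen before for this user
    network: str             # "corporate_vpn", "home" or "public_wifi" (assumed labels)
    first_access: bool       # first time this user touches this resource
    credential_reset: bool   # a credential was reset recently
    when: datetime


# Assumed role -> resource patterns mapping (fnmatch-style globs).
ROLE_GRANTS = {
    "developer": ("repo/*", "ci/pipeline"),
    "finance": ("finance/*",),
    "sre": ("prod/*", "ci/pipeline"),
}
# Assumed sensitivity tiers.
CRITICAL = ("finance/*", "prod/*", "ci/pipeline")   # need two proven factors
VPN_ONLY = ("prod/*",)                              # must arrive over the corporate VPN
BUSINESS_HOURS_ONLY = ("finance/*",)                # off-hours access needs a step-up


def _matches(resource, patterns):
    return any(fnmatch(resource, p) for p in patterns)


def _in_working_hours(when):
    return when.weekday() < 5 and time(8, 0) <= when.time() < time(18, 0)


def evaluate(ctx):
    """Return (Decision, reasons). Hard denials win; otherwise collect every
    reason that calls for a step-up so the audit log explains the prompt."""
    granted = [p for r in ctx.roles for p in ROLE_GRANTS.get(r, ())]
    if not _matches(ctx.resource, granted):
        return Decision.DENY, ["anomalous request: no role grants this resource"]
    if _matches(ctx.resource, VPN_ONLY) and ctx.network != "corporate_vpn":
        return Decision.DENY, ["critical infrastructure reachable only over the corporate VPN"]

    reasons = []
    if "passkey" not in ctx.auth_methods:
        reasons.append("session did not use a passkey (fallback method)")
    if _matches(ctx.resource, CRITICAL) and len(ctx.auth_methods) < 2:
        reasons.append("critical resource requires a second proven factor")
    if ctx.first_access or ctx.credential_reset:
        reasons.append("first access to this resource or recent credential reset")
    if not ctx.device_known or not ctx.ip_known:
        reasons.append("unrecognized device or IP address")
    if ctx.network == "public_wifi" and _matches(ctx.resource, CRITICAL):
        reasons.append("public network while touching a critical resource")
    if _matches(ctx.resource, BUSINESS_HOURS_ONLY) and not _in_working_hours(ctx.when):
        reasons.append("access outside working hours")
    return (Decision.STEP_UP, reasons) if reasons else (Decision.ALLOW, [])


def sample_context(**overrides):
    """Constructed baseline: a developer on a known device during working hours."""
    base = dict(user_id="dev-1", roles=frozenset({"developer"}), resource="repo/my-service",
                auth_methods=frozenset({"passkey"}), device_known=True, ip_known=True,
                network="home", first_access=False, credential_reset=False,
                when=datetime(2024, 6, 4, 10, 30))   # a Tuesday morning
    base.update(overrides)
    return Context(**base)


if __name__ == "__main__":
    scenarios = [
        ("developer -> own repo", sample_context()),
        ("developer -> CI pipeline", sample_context(resource="ci/pipeline")),
        ("finance -> AP on Saturday", sample_context(
            user_id="fin-1", roles=frozenset({"finance"}), resource="finance/accounts-payable",
            auth_methods=frozenset({"passkey", "totp"}), when=datetime(2024, 6, 8, 11, 0))),
        ("SRE -> prod deploy from public wifi", sample_context(
            user_id="sre-1", roles=frozenset({"sre"}), resource="prod/deploy",
            auth_methods=frozenset({"passkey", "totp"}), network="public_wifi")),
    ]
    for label, ctx in scenarios:
        decision, reasons = evaluate(ctx)
        print(f"{label}: {decision.value} {reasons}")
```

The evaluator deliberately returns every reason that triggered a step-up rather than stopping at the first one: the list is what you write to the audit trail next to the prompt, and it is what a security team reviews when tuning the policy. Authorization (does any role grant this resource at all?) is checked before any authentication strength question, so a request for a system the user has no business touching is denied and flagged instead of being met with yet another Passkey prompt.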
Conclusion: Secure User Management Beyond Passkeys
While much of this is common sense, detailed policy design for secure user management can be a lengthy exercise and involves considering the human factors of all the different personas and their needs. However, this process is vital to enable the “security-in-depth” (defense in depth) that modern SaaS user management requires. This is particularly true for SaaS platforms built atop microservices and micro frontends, where segmentation makes it easier to pursue more granular user management. Passkeys and WebAuthn are coming and they are amazing. Passwordless technology will improve security and user experience. But it is not a security panacea, and it should complement, not replace, smart security implemented with modern user management systems.
Aviad Mizrachi is CTO at Frontegg, a user management platform for B2B apps.