Dawn of a new age
A much-anticipated new dawn in the world of authentication has finally arrived – the push to eliminate user passwords altogether. The computing industry, with this goal in mind, came together in 2012 to create the FIDO Alliance (https://fidoalliance.org/). It has taken many years of collaboration, but we are now entering the “production-ready” phase of what is known as “passwordless” authentication. So, just what does “passwordless” really mean?
In simple terms, it means removing the password field from logon screens and instead using a personal security key to release unique, phishing-resistant cryptographic credentials that authenticate the user to many systems. On modern computing platforms, if a user is expected to type a secret, the battle has already been lost, and that includes legacy 2FA one-time passcodes delivered by SMS or generated by apps such as Google Authenticator, which an attacker can phish and relay just like the password itself. Humans are simply not capable of creating, remembering and entering high-entropy credentials for digital systems; we need help.
The security keys mentioned above are personal, trusted hardware devices that the user first unlocks, after which the device performs the heavy cryptographic lifting needed to authenticate that user. This class of device defined by FIDO is generically called a FIDO Authenticator or “security key.” Unlike earlier hardware tokens, one FIDO security key can hold credentials for many applications, it carries those credentials over USB, Bluetooth (BLE) or NFC, and, most importantly, it is based on modern web standards. Examples are Yubico’s YubiKeys, Feitian’s BioPass, eWBM’s Goldengate, any number of Android phones, etc. Expect to see a wide variety of devices certified as FIDO2 Authenticators (see FIDO Certified). Adoption of these web standards can be seen in the major browsers, across all Google properties, and in Microsoft’s recently announced move to passwordless with FIDO2 support in Windows 10, version 1903. The standards-adoption ball is well on its way down the hill.
Before use, a security key must be unlocked, typically by a biometric match such as a fingerprint, by entering a PIN (Personal Identification Number), or simply by a touch that proves human presence (so that a script or headless browser cannot trigger the key without a person at the keyboard). Once unlocked, the key speaks CTAP2 (Client to Authenticator Protocol version 2) to the client, that is the browser or operating system, which in turn implements the recently adopted W3C WebAuthn standard toward the web application. Together they perform registration, which creates a new key pair on the device and associates its public key with the user’s account, and later authentication, in which the key signs a server-issued challenge, all without passwords. Collectively CTAP2 and WebAuthn are known as the “FIDO2” protocol.
Hey, wait a minute, isn't a PIN a Password?
A special note about the term “PIN,” which is technically just another form of password, the very thing we claim to be eliminating. We distinguish a PIN from a password because a FIDO PIN only unlocks the FIDO2 security key and is never sent to a server. PINs, like biometric samples, are stored and matched only on the security key (or, for a platform authenticator, on the phone), never in a central database, and the key itself limits wrong attempts and locks after too many of them (CTAP2 caps consecutive failed PIN entries), so a short PIN cannot be brute-forced the way a leaked password hash can. Application passwords, on the other hand, are many, live in server-side databases, and are at constant risk of exposure in a multitude of well-known ways. It is this second class, server-side passwords, that passwordless authentication eliminates, which is how it earns its name. Because a FIDO security key authenticates its user on the device, the attack surface shrinks to the short path between the user and the key’s onboard processor. The most secure unlock is of course a biometric match on a capable security key, but a PIN or even a simple touch is far more secure than the best password a user could ever remember.
Back to the passwordless experience.
FIDO2 authenticators enable a passwordless experience across multiple applications, which is to say one key can be used for many applications. In addition, application designers are encouraged to let users register multiple security keys per account, so that losing one key does not lock the user out. The goal is for users to have a set of security keys (primary, backup, an extra for the laptop, etc.) that can easily be unlocked and used. SSO systems such as CloudGate UNO greatly simplify this, because the user’s logon experience is funneled through CloudGate, which extends the FIDO passwordless experience to all applications under management regardless of whether they have adopted FIDO standards themselves.
Stand-alone, or “roaming,” security keys are designed to operate over three communication channels: USB, BLE and/or NFC. Mobile phones with trusted execution environments and biometric sensors can act as “platform” authenticators, letting an existing mobile device serve as a FIDO certified authenticator. The objective is to let users operate security keys in every situation they find themselves in: on a laptop, a desktop, a trusted mobile device, an untrusted mobile device, etc.
Once unlocked, the security key performs the heavy cryptographic lifting and presents the right credential for the registered origin or application, commonly known as the Relying Party; a credential registered for one Relying Party cannot be used at another. For users it is a simple task to register multiple security keys. If a key is lost it is simple to deregister, and if found, simple to re-register to preserve the investment. Each key also protects the user’s privacy by minting mathematically independent credentials for every Relying Party, which prevents web properties from colluding to track usage for resale or other nefarious purposes. The benefits are many, and the industry finally got it right by eliminating the need for passwords in modern computing with devices that give users a great experience.
The bottom line from a user’s perspective is that the authentication event moves much closer to home, literally a centimeter away on their security key, rather than their password traversing the net. Security keys, for their part, are well suited to deliver the proper credential to the right location. Put your security key away and your identity is 100% offline; try that with passwords.
How is SSO related?
Before explaining why ISR is well positioned to take companies into this new world, it is important to explain the relationship between authentication and Single Sign-On (SSO). Ideally you perform the first (authentication) 100% correctly and use the second (SSO) to propagate that fully authenticated user wherever the workload takes them. Authenticate once, then let authorized automation (propagation) take over, reducing the burden on users; this should be a pretty simple concept.
Unfortunately, this isn’t how the identity industry evolved. Rather, the focus has been on propagation standards such as SAML and OpenID Connect without getting the authentication correct. While I applaud and have promoted these standards as critically needed, I have always maintained that they are weapons when accounts are protected with user-managed passwords. Glossing over the fact that a flawed assumption sits at the heart of SSO has been the worst-kept secret in security circles for decades. I understand why, but the standards got developed in the wrong order; it should be “authenticate first, propagate second.”
The message here is: never trust an SSO implementation that does not take the initial authentication event seriously, which ideally means it does not rely solely on a user-managed password. Better yet, it should be “passwordless.” My message doesn’t stop there, however; the next step is for customers to implement proper authentication along with SSO, and this has not always been easy because it requires changes in end-user behavior.
Which brings us to ISR.
So what makes ISR and their CloudGate UNO product so interesting? First, CloudGate UNO is an identity platform that uses SSO technology to give their customers’ users a streamlined computing experience. There are many additional security features, but the first objective remains the most important: to eliminate the multitude of logins while giving users a single, consistent entry point for business applications. CloudGate UNO fully supports the suite of modern federated identity protocols mentioned above, which is the easy part.
Second, ISR’s roots are firmly planted in the Google Suite community, which enabled them to follow both Google and Yubico into FIDO, embracing the earlier FIDO authentication protocol, U2F (Universal 2nd Factor). ISR achieved FIDO Server U2F certification on 03/31/2016 and just recently received FIDO2 certification on 06/06/2019. In short, ISR has years of experience in getting the authentication event 100% correct, which is exactly right, as I mentioned above.
Third, and most interesting, ISR is tackling the ease-of-implementation problem. After all, if the standards are not used, we haven’t accomplished anything. ISR recently announced that their customers can lease security keys from several vendors as part of their CloudGate UNO subscription. This Hardware-as-a-Service model gives easy, affordable access to security keys that have been fully attested by ISR. A note regarding cost: passwords appear free, but they are anything but free in lost productivity (just check your own experience) and in their potential to ruin a career or cripple a business.
And finally, a special bonus: security keys are not just for professional use, they are for personal use too. A security key registered for business apps such as CloudGate UNO can also be used as a personal security key with non-employer-owned apps that natively support FIDO protocols (U2F and FIDO2), such as Windows 10, Google, Dropbox, etc. Remember, FIDO authenticators mint mathematically independent credentials for every relying party, regardless of personal or business intent. Remember too that security keys are privacy preserving: business and personal apps cannot detect or track usage of the key across any other application, which protects the end user’s privacy and limits the employer’s liability.
It is well known that poor personal security hygiene has major consequences for employers. ISR’s customers can not only protect their businesses but also encourage users to independently secure their personal systems and applications. Changing end-user behavior matters, critically so. FIDO2 security keys can bridge personal and business computing behavior, and this benefits everyone.
Hopefully I’ve given you a glimpse of the new “passwordless” future and sparked your investigation into standards you may not yet be aware of. When you are ready to demo, ISR’s CloudGate UNO is ready too.