Microsoft
Alex Simons, corporate VP of program management in Microsoft’s Identity Division, says Microsoft believes it’s very important to move the entire industry away from passwords and into a world of strong and simple-to-use forms of authentication.
Windows Hello serves as the first part of Microsoft’s efforts to end passwords. Windows Hello lets people use a biometric or PIN to unlock a PC and access their apps and first-party cloud resources. The second part of Microsoft’s passwordless approach is the Microsoft Authenticator app, which lets users on any platform (Mac, Chromebook, Android, iOS) use an app on their smartphones to sign in to their accounts without a password. Finally, with Microsoft’s support for FIDO2, the software maker aims to work with the industry to deliver strong, easy-to-use, cross-platform passwordless authentication.
In a nutshell, FIDO2 consists of two standards: WebAuthn and CTAP (Client to Authenticator Protocol). WebAuthn is a browser API that lets Web applications authenticate users with public-key cryptography instead of passwords: the relying party sends a random challenge, the authenticator signs it with a private key that stays on the device, and the site verifies the signature with the public key it stored at registration. WebAuthn supports built-in (platform) authenticators, such as Microsoft Windows Hello, as well as external (roaming) authenticators, such as a phone or a FIDO security key. CTAP is the protocol that lets an external authenticator "talk" to the browser or operating system, typically over USB, NFC, or Bluetooth. According to Andrew Shikiar, chief marketing officer of the FIDO Alliance, FIDO2 offers an open standard that can run on any device and website.
Microsoft was one of the first Fortune 500 companies to support passwordless authentication using the FIDO2 open standard, Simons adds.
Guemmy Kim, group product manager for account security at Google, says Google has made it a priority to implement two-factor authentication (2FA) so that it is not relying solely on passwords for account security. She says phishing has become one of the most common causes of security breaches, and securing access to online accounts is critical for safeguarding private, financial, and other sensitive data online.
2FA and passwordless authentication based on FIDO standards can help to offer users a safer and more convenient security experience, Kim adds. In a recent announcement, Google said it would bring built-in security keys to Android 7+ phones.
“One way to make security more usable and accessible is to bring support for industry standards across our products so that as users become more familiar with these standards across all the services they use, they’re also able to take advantage of higher levels of security,” Kim says. “With the FIDO2 standard protocol, we are within reach of solving the security implications of phishing together as an industry. Android and Chrome already support FIDO2. Android phone’s built-in security key is also built with FIDO2 support. And our next goal is to enable FIDO2/WebAuthn in Google login.”
HYPR
George Avetisov, CEO and co-founder of HYPR, has been on a mission for some time now. He aims to help people understand that the "shared secret" of a password must be replaced by a system in which the user's device holds a private key, unlocked locally by a touch, a fingerprint, or facial recognition.
“We look to eliminate shared secrets,” says Avetisov, who adds that in deploying HYPR, security teams can give their users a choice of how they want to authenticate.
“People don’t want to be forced,” he says. “For example, we ran a study in Australia and found that people didn’t like eye recognition, where in Europe and the United States, they found it more acceptable.” HYPR customer Mastercard, Avetisov added, gives its users a choice of a fingerprint, facial recognition, or a PIN.
SecureAuth
SecureAuth works to help its customers through the transition of moving off the legacy system of passwords to passwordless authentication, says Stephen Cox, the company’s chief security architect. Companies stumble with the concept of passwordless authentication, he says, because they have legacy applications that depend on passwords and have been deployed, in some cases, for decades.
“We can help them with that migration by creating a ‘façade’ in front of the legacy app so people can authenticate with a fingerprint,” Cox explains. “We also do risk-based authentication behind the scenes so it’s clear that the user is legitimate.”
Duo Security
Steve Won, group product manager at Duo Security, says three building blocks have propelled passwordless authentication into the forefront. It started with hardware like Apple’s S-Series chips, which are tamper-resistant and can safeguard and manage digital keys.
Next up was biometric authentication in the form of thumbprints and facial recognition pioneered by Apple and Android products. Finally, open standards, such as WebAuthn and CTAP contained in FIDO2, let companies like Duo Security make it possible for users to authenticate with a biometric, replacing traditional passwords.
“Essentially, WebAuthn allows for asymmetric cryptography in which the private key never leaves the user’s device,” Won explains. “The key is never shared.”
Duo Security has posted two educational websites that help security pros learn more about WebAuthn: One provides a general background on the Web authentication specification and passwordless authentication. The other lets developers demo and test the functionality of the WebAuthn spec on their websites with open source libraries.
Yubico
Jerrod Chong, chief solutions officer at Yubico, says open standards such as FIDO2 have made passwordless Web authentication possible. And while passwordless authentication promises simplicity and enhanced security for users, Chong asks what happens when users want to access their accounts from a new device, or log on to reset the password on the device, or log on to their applications from another device?
People change computing devices all the time, or they get lost or stolen, Chong says. By authenticating with a YubiKey, they can safely move between multiple devices – such as a smartphone to a laptop – to access their accounts.
“The YubiKey gives them an anchored credential that’s stored in a portable, external hardware device, which serves as a secure, reliable, primary or backup method for passwordless authentication,” Chong explains. “Users can also have multiple credentials [YubiKeys] associated with each account based on their computing needs.”
Ping Identity
Ping Identity CISO Robb Reck says the promise of future continuous, risk-based authentication is better security and improved convenience. By using multifactor authentication, Ping Identity can use sensors in people’s phones and laptops to continuously authenticate users and allow them to access their resources based on the quality of that ongoing trust. This process only calls for authentication when trust is lost, and then only requests the level of assurance required for the type of transaction the user wants to make.
“The key to a successful end-user experience is providing it regardless of the device the consumers are connecting from,” Reck says. “A huge portion of consumer-facing businesses, such as online retail, have moved to the smartphone, so any customer experience initiative needs to consider that platform from the start.”
Ping plans to replace passwords with push notifications to mobile devices and offer scannable QR codes, which produce one-time passcodes for users, Reck says. With the PingID mobile SDK, enterprises can balance security and convenience for customers by embedding advanced MFA functionality directly into their own iOS or Android mobile apps. This lets organizations allow their customers to log in with easier methods than having to remember a password.
The same goes for laptops and PCs, Reck adds. Organizations are replacing or supplementing passwords in the sign-on process for these devices.
“By adding multifactor authentication to processes like Windows login, organizations can either remove password requirements and instead have employees use a friendlier range of mobile push authentication methods, or use those in addition to passwords for a more secure logon process,” Reck says. “We’re also implementing Windows Hello as an authentication factor in PingID with the same intention.”
Secret Double Octopus
Amit Rahav, vice president of marketing and customer success at Secret Double Octopus, says over the past five years people have become used to Touch ID fingerprint scanning as well as facial recognition. While consumers are comfortable with these biometrics on their personal smartphones, until now it hasn’t been easy to bring those capabilities to the workplace.
Rahav says Secret Double Octopus lets users at the workplace authenticate workstations, legacy apps, and cloud services using their smartphones or FIDO devices whether they are on a Windows or Mac machine.
“We give users 360-degree access via strong passwordless authentication,” Rahav says. “Users never have to reset and memorize cryptic passwords at work as they connect to the company network, cloud apps like Salesforce, legacy apps, Wi-Fi, or virtual desktop services.”