ForgeRock CTO Eve Maler answers seven critical questions
ForgeRock's purpose is to help people simply and safely access the connected world. Passwordless capabilities are helping us do that in exciting new ways, solving problems for consumers as well as enterprise workforces. But passwordless is often misunderstood and over-hyped. I recently spoke with Eve Maler about her perspective on passwordless and the questions she most frequently addresses. Here are seven of them.
- What does passwordless authentication really mean?
EM: Let's start from the beginning: authentication is defined in terms of factors, and if you mix factors, your authentication gets stronger. So, one factor may be something you know, like a password; another is something you have, like a device that's been associated with you; finally, a factor may be something you are, such as a fingerprint or another biometric that is unique to you.
If you mix any two of those, you get two-factor authentication, or 2FA. If you mix multiple factors, you get multi-factor authentication, or MFA. Passwordless, at its simplest, means the absence of a password for authentication. But I want to get a little more specific.
A password is what is known as a static shared secret, which means that it's a secret that both sides know and that persists over time, perhaps 90 days per enterprise policy, or even possibly many years. Some representation of this password, secured and scrambled, has to be stored on a server, so that when you type it in somewhere it gets checked.
So passwordless relies on something you have or something you are — and no longer something you know. Push authentication is a good example. QR codes and magic links are others. Often, people talk about "passwordless" – even when referring to it as an additional factor on top of passwords to add up to 2FA or MFA. We call this approach a passwordless factor. Unfortunately, as soon as you do that, you have all the frailties of involving a static shared secret. The total experience is not passwordless. Essentially, you can interpret a passwordless factor plus a password as plain old MFA.
- So, how can we do better than passwordless as an authentication factor?
EM: If passwordless is done right, it gets you a long way down the path to increasing security – and certainly improving the experience.
We call this complete passwordless, where the user doesn't have the experience of interacting with a static shared secret at all because there isn't one. And it is possible, for example, with a magic link and other methods, to eliminate that static shared secret. Since the user's not interacting with the password, you get rid of all the security risks and usability issues of static shared secrets.
Enabling consumers to encounter complete passwordless is a little bit easier than it is for employees. There's a whole stack of technology that employees interact with — it's not always going to be a web app or a mobile app or some SaaS service. It'll be things like Oracle databases or logging into a VPN, and it's hard to make databases and VPNs stop expecting passwords.
- Passwordless can mitigate certain threats, like man-in-the-middle attacks where a password is grabbed in transit, but is it enough to only eliminate password-based attacks?
EM: When it comes to passwords, some prevention is definitely better than none. Our most recent Consumer Identity Breach Report revealed that threats using compromised credentials, particularly unauthorized access, accounted for fully half of all data breaches in 2021. It showed the danger of breaches that release credentials into the wild again and again.
It's been a one-two punch. You know, credentials just have to be stolen once, and from there, they can often be used to perpetrate many more data-rich breaches. And there are many risks, such as medical identity theft, insurance fraud — massive numbers of account takeovers and lateral movement across all kinds of different environments within an enterprise.
Where complete passwordless isn't possible due to the complexity of IT systems, it's possible to enable what we call a passwordless experience. In these cases, there may be a password behind the scenes but it can remain untouched by human hands, so to speak. Workforce users can avoid actually having to see or experience the password. And that in itself is a big mitigation against some other threats when a password still exists and still works.
- Speaking of workforce, what are key differences in a passwordless journey for a consumer deployment vs. workforce?
EM: The widely available consumer devices are much more in play, because, hey, you're not the boss of them, so they get to choose. For example, you can't make your consumers stop using that old Android device that everyone knows is terrible for security.
So, you have to roll with the devices they choose. Luckily, these days the FIDO standards tend to be pre-integrated or pre-enabled in modern laptops, smartphones, and tablets. And there are even a few circumstances where consumers are incentivized to use a security key – a hard authenticator or hard token. It might be a FIDO-enabled YubiKey.
In the enterprise, it's easier to provide interface shims around the workforce users to provide that passwordless experience, letting them avoid interactions with passwords. This makes it safer and it can also result in a great experience if it's designed well. That's exactly what we do with our Enterprise Connect Passwordless offering. It enables passwordless experiences for a lot of use cases in the employee's environment.
- I heard you say that we may not always be able to achieve complete passwordless in the enterprise, but can we get far enough to see a more secure environment?
EM: Yes. Don't let the perfect be the enemy of the good. It's possible to be better — and in different, clever ways for different users and for different kinds of services and applications. And that's what I think of as the subtle art of orchestrating the journey, so that you make sure to improve the experience and reduce the friction, along with increasing the security. It's crucial, because everybody's felt the pain of plain old MFA, right? I mean, nobody likes it, even though they're being forced to do it more often.
- You mentioned FIDO. Is FIDO implementation required for passwordless?
EM: FIDO is the Fast IDentity Online Alliance. ForgeRock is a sponsor member of FIDO. The FIDO2 WebAuthn standards are the latest in a series of standards that have been created to enable interoperability and security around the use of different authentication methods.
FIDO2 WebAuthn has become very popular, partly because of the adoption by Apple, Google, and Microsoft — the makers of so many popular devices, browsers, and operating systems in the world. It's a big deal because they've decided that FIDO2 WebAuthn is something worth baking into their products and, in some cases, laptops and other hardware enable FIDO-based fingerprint unlock.
Passkeys, otherwise known as multi-device credentials, are the very latest thing from FIDO. For multi-device credentials, you register one device — here I am waving around my iPhone! — and, because I've got my identity connected throughout the Apple ecosystem, I have my iPad and the laptop that I'm speaking to you on — all those things know the same "me." I wouldn't have to pre-register any of these other devices to save me in case I lost my phone.
While passkeys are becoming popular primarily for consumer-facing use cases, like web and mobile apps, enterprise employees are people too. They're often in a bring-your-own-device situation and FIDO helps strong auth and complete passwordless to be more readily applied to these kinds of user-centric environments. FIDO is not strictly required for passwordless. As I already mentioned, there are ways you can integrate to those IT systems that are trickier and maybe older and less configurable and less customizable, so as to remove passwords from the employee's experience.
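The challenge-response model behind FIDO2 WebAuthn, and how it differs from the stored static shared secret described in the first answer, as an added example that is not part of the interview and is not ForgeRock's or the FIDO Alliance's code. It uses Go's standard-library Ed25519 as a stand-in for a FIDO authenticator; the relying-party identifier "example.com", the credential id "cred-1", the phishing hostname and the simplified signed-message layout (SHA-256 of the RP id followed by the challenge) are assumptions for illustration, and the real WebAuthn wire format is not reproduced.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// RelyingParty is the server side. Unlike a password database it holds only
// public keys and one-time challenges: a leaked table yields nothing replayable.
type RelyingParty struct {
	id         string                       // RP identifier, e.g. "example.com" (assumed)
	publicKeys map[string]ed25519.PublicKey // credential id -> enrolled public key
	challenges map[string]bool              // outstanding one-time challenges, hex-encoded
}

// NewChallenge mints 32 random bytes that are valid for exactly one assertion.
func (rp *RelyingParty) NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err) // no entropy: refusing logins beats issuing guessable challenges
	}
	rp.challenges[hex.EncodeToString(ch)] = true
	return ch
}

// signedMessage is what the authenticator signs: SHA-256(rpID) || challenge.
// Folding the RP identifier into the signed bytes is a simplified stand-in for
// WebAuthn's authenticatorData || clientDataHash construction (assumption).
func signedMessage(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Verify consumes the challenge (so a captured assertion cannot be replayed)
// and checks that the signature was produced for this RP's identifier.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) error {
	key := hex.EncodeToString(challenge)
	if !rp.challenges[key] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.challenges, key)
	pub, ok := rp.publicKeys[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	if !ed25519.Verify(pub, signedMessage(rp.id, challenge), sig) {
		return errors.New("signature does not verify for this relying party")
	}
	return nil
}

// Authenticator is the user's device, the "something you have" factor. The
// private key never leaves it; possession is proven by signing, not by
// revealing a secret the server also knows.
type Authenticator struct {
	credID string
	priv   ed25519.PrivateKey
}

// Assert signs the challenge for the origin the browser is actually talking to.
func (a *Authenticator) Assert(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedMessage(rpID, challenge))
}

// Demo runs three logins: a genuine one, a replay of the captured assertion,
// and an assertion made on a look-alike phishing site and relayed to the real
// RP. Only the first succeeds.
func Demo() (legit, replay, phished error) {
	rp := &RelyingParty{
		id:         "example.com",
		publicKeys: map[string]ed25519.PublicKey{},
		challenges: map[string]bool{},
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err, err, err
	}
	auth := &Authenticator{credID: "cred-1", priv: priv}
	rp.publicKeys[auth.credID] = pub // enrolment: the server keeps only the public half

	ch := rp.NewChallenge()
	sig := auth.Assert(rp.id, ch)
	legit = rp.Verify(auth.credID, ch, sig)

	// An eavesdropper who grabbed (ch, sig) in transit resubmits it.
	replay = rp.Verify(auth.credID, ch, sig)

	// A phishing page relays the real RP's challenge, but the authenticator
	// signs for the origin it sees (assumed hostname), so the real RP rejects it.
	ch2 := rp.NewChallenge()
	phished = rp.Verify(auth.credID, ch2, auth.Assert("example-com.login-verify.net", ch2))
	return legit, replay, phished
}

func main() {
	legit, replay, phished := Demo()
	fmt.Println("genuine:", legit, "| replay:", replay, "| phished:", phished)
}
```

Two details carry the security argument. The challenge is deleted before the signature is checked, so the same assertion can never be accepted twice, and the RP identifier is part of the signed bytes, so a signature obtained on a look-alike site is worthless at the real one. A password relayed through the same phishing page would pass both checks, because the server and the user share the very same secret.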
- How would you advise organizations that want to get started with passwordless?
EM: First, I advise them to stick to standards. SAML and OAuth and OpenID Connect — leveraging those standards for secure single sign-on pairs really well with a properly designed passwordless environment.
Of course, single sign-on helps reduce the number of apps that need to be enabled. So that's something to consider. And then picking the population, the risk level, the particular apps that you want to focus on first — go in phases, parcel that out.
While you're doing any kind of rollout, it's really important not to disable existing methods until you've collected enough telemetry to identify emerging issues.
Other things to do: design authentication journeys to be adaptive and responsive. One size really can't fit all. Different organizations have different backends, they have different needs, different risk appetites, different fraud levels. And so, it's important to design the journeys that make sense for your business. And that's where ForgeRock Intelligent Access, commonly known as "Trees," really shines.
And then the last advice I have is to fold fraud management into the authentication experience. A.I. is a companion to orchestration as it does some of that heuristic checking of the environment to make sure it smells right. You can do those checks silently. And if you decide you don't want to be silent and you want to actually approach your user and ask them to prove themselves more thoroughly with transactional authorization, then you can do that.
For CISOs and CIOs — for anyone in the enterprise who is looking at the user experience end of it and feeling the pain of fraud — the actuality of eliminating passwords is really attractive.