WebAuthn, the Road to Passwordless, and Other Considerations

Passwords. Most of us have a love-hate relationship with them. Security best practices and common sense tells us to pick unique, hard-to-guess passwords for every account, which makes management of them a pain, or leads to bad password habits like reusing them. Then there’s the inherent security of passwords, or rather, the insecurity of them. As a “something you know” authentication factor, they can be guessed or obtained through phishing or social engineering. And yet, they’re easy to use, cheap, and always accessible. But it’s safe to say that if there was an as easy-to-use and equally ubiquitous alternative to passwords, most of us would be happy to ditch them.

Technological developments, however, have made going “passwordless” an achievable goal. Out-of-band push notifications have become common requests for enterprise users, and the integration of biometric authentication capabilities with popular devices like Apple Face ID for iPhones or Windows Hello for Windows 10 have made biometric factors a feasible alternative to passwords.

Web Authentication, or WebAuthn, is another effort that promises to make passwordless a reality. WebAuthn is an open standard that allows hardware-based authenticators to be used to authenticate to web-based applications. The way WebAuthn works would allow a user to authenticate with a YubiKey, for example, without having to make the private keys stored on the device available to a browser. This allows for a phish-resistant authentication method that does not rely on passwords.

Does WebAuthn = No More Passwords?

So does WebAuthn mean the end of passwords? Not necessarily. WebAuthn can certainly reduce the use of passwords in many “normal use” scenarios, but what about corner cases? Since WebAuthn may involve authenticating with a “something you have” factor, what if a user forgets their hardware token or can’t find their mobile phone? To prevent account lockouts when a user lacks access to his or her primary factor, you’ll always need a backup process. Often, a “something you know” factor, like a password, is used as that backup factor. Similarly, what about initial registration and enrollment, which commonly uses username and password as part of the flow?

This, of course, offers additional food for thought.... If security is only as strong as the weakest link, is it still beneficial to invest in and adopt new technologies like WebAuthn? The answer is yes. While WebAuthn may not be perfect, it’s certainly more secure than a username/password combo, and reduces reliance on passwords as the primary authentication method. WebAuthn won’t kill the password, but for security and authentication, it’s a step in the right direction.

Protecting the Weakest Link

However, this also means that organizations need to pay special attention to situations where attackers can exploit weaknesses in the authentication process, namely during enrollment and recovery. Attackers often target these two stages for two reasons: stronger factors have not been enrolled yet, or the primary factor isn’t available, so a less secure, fallback method is being used. For example, a common strategy for an attacker attempting to obtain login credentials is to use password reset links. If the attacker knows the username or has obtained access to the user’s recovery email account, the attack can simply initiate a password reset and follow the workflow to pick a new password of their choosing. There’s even been cases where the attacker takes advantage of an account that hasn’t enrolled in MFA yet, and enrolls their own phone.

Luckily, there are ways to mitigate additional risks during the enrollment and recovery phases. During enrollment, restricting initial enrollment to when users are within corporate networks, and limiting enrollment windows (e.g., new users must enroll within 3 days of their start date) can reduce risks during this phase. For the recovery process, providing more visibility (through automated emails, notifying users when a factor recovery is requested for example) ensures that suspicious incidents are immediately noticed and acted upon.

At Okta, we’re dedicated to developing secure, passwordless solutions to help our customers solve authentication challenges. We are committed to supporting authentication standards like WebAuthn that help ease the way for broader adoption of passwordless strategies. But we also recognize that the hard part for many organizations is securing the enrollment and recovery phases. Features like end-user visibility for factor enrollment and recovery, app specific enrollment policies (i.e., restricting enrollment when accessing certain apps), and supporting custom identity proofing processes during enrollment are just a few of the developments Okta is undertaking to solve this challenge.

To find out how Okta can help your organization achieve your passwordless goals, or solve enrollment and recovery challenges, check out our Adaptive MFA capabilities or schedule a meeting with us to chat.