Mirko Zorz, Help Net Security’s Editor in Chief, recently published an article about the state of passwordless authentication that predicted a long journey before this technology is viable. We would like to share that passwordless multi-factor authentication is a reality today.
Large and respected organizations, including a significant healthcare software provider, are already using this technology with great success. Here is how TraitWare has completed the journey to deliver passwordless authentication.
Passwordless authentication doesn’t have to be reliant on a password
In the article, Jim Ducharme, VP of Identity Products, RSA Security, “points out that, for the moment, all passwordless authentication is rooted and reliant on a password and username.” By design, TraitWare’s passwordless authentication process instead works without any passwords. Users log in without ever using a username or password. Ducharme also proposes that “if your device is lost or stolen, the account is recovered using a password.” This is not the case with the TraitWare solution. There is no reversion (rollback) to usernames and passwords with the TraitWare process, including when authentication must be re-established.
Standalone or single-factor authentication is not enough – multi-factor is the way to go
TraitWare agrees with Ducharme when he states that, “no single authentication solution is unhackable” and that, “authentication solutions should always be coupled with additional security.” A multi-factor authentication solution such as TraitWare’s combines the built-in biometric capabilities of most smartphones with up to four additional factors, authorizing access far more securely than a single password and doing so in an extremely simple manner.
When evaluating multi-factor authentication solutions that use biometrics, it is important to confirm that the biometric signature stays and is evaluated on the user’s device and never in the cloud. This greatly reduces the risk of a theft of the biometric template (mathematical identity).
Authentication factors carry varying levels of security
TraitWare’s use of unique, user-specific use traits also greatly reduces the risk of hacking, and our process of capturing this uniqueness eliminates the potential for exposure of any Personally Identifiable Information (PII). At the same time, this process greatly reduces friction for the user, since the authentication factors include a device registered as a cryptographically secured token (something you possess), a use trait (something you are), geo-location (where you are), a transparent one-time code, and something you know.
All of these authentication factors require no effort on the part of the user, and they also reduce the risk of human error. The user cannot share these factors, and they cannot be phished or brute-forced.
Additional layers provide better security
Ducharme recommends additional layers of security to manage digital risk. There are many other processes that can be used to secure the device-to-server authentication process, such as digital signing with key pairs, nonces, and certificate pinning. Administrators may also enable geo-fencing and knowledge factors for additional security. TraitWare delivers all of these.
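To make the "key pairs and nonces" layer concrete, here is an added example (not TraitWare's code, and not its actual wire protocol) of the device-to-server exchange those terms describe: the registered device holds an Ed25519 private key that never leaves it, the server issues a fresh random nonce per login, the device signs the nonce bound to its device ID, and the server accepts the signature only once. The device ID, protocol label and the single-outstanding-nonce rule are assumptions made for the illustration. Certificate pinning is a TLS-client setting and is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Device models the registered phone. Its private key never leaves it;
// only signatures do. (Hypothetical model for the example.)
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewDevice generates the device key pair at registration time.
func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// PublicKey is the only key material the server ever stores.
func (d *Device) PublicKey() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// challengeMessage binds the nonce to a protocol label and the device ID,
// so a signature cannot be replayed for another device or another purpose.
func challengeMessage(deviceID string, nonce []byte) []byte {
	msg := []byte("example-device-auth-v1\x00" + deviceID + "\x00")
	return append(msg, nonce...)
}

// Respond signs the server's challenge with the device's private key.
func (d *Device) Respond(nonce []byte) []byte {
	return ed25519.Sign(d.priv, challengeMessage(d.ID, nonce))
}

// Server holds registered public keys and at most one outstanding nonce per device.
type Server struct {
	keys    map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register records the device's public key (the "something you possess" token).
func (s *Server) Register(deviceID string, pub ed25519.PublicKey) {
	s.keys[deviceID] = pub
}

// Challenge issues a fresh 32-byte random nonce for a registered device.
func (s *Server) Challenge(deviceID string) ([]byte, error) {
	if _, ok := s.keys[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[deviceID] = nonce // replaces any earlier unanswered challenge
	return nonce, nil
}

// Verify checks that the nonce was issued to this device and is unused, then
// checks the signature. The nonce is consumed before the signature check, so a
// failed or replayed attempt never gets a second chance with the same nonce.
func (s *Server) Verify(deviceID string, nonce, sig []byte) error {
	pub, ok := s.keys[deviceID]
	if !ok {
		return errors.New("unknown device")
	}
	expected, issued := s.pending[deviceID]
	delete(s.pending, deviceID)
	if !issued || subtle.ConstantTimeCompare(expected, nonce) != 1 {
		return errors.New("nonce not issued or already used")
	}
	if !ed25519.Verify(pub, challengeMessage(deviceID, nonce), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	srv := NewServer()
	dev, err := NewDevice("phone-123") // constructed device ID
	if err != nil {
		panic(err)
	}
	srv.Register(dev.ID, dev.PublicKey())
	nonce, _ := srv.Challenge(dev.ID)
	sig := dev.Respond(nonce)
	fmt.Println("first login:", srv.Verify(dev.ID, nonce, sig))  // <nil>
	fmt.Println("replayed:   ", srv.Verify(dev.ID, nonce, sig)) // nonce already used
}
```

The two design points worth copying are the domain-separated message (label plus device ID plus nonce) and consuming the nonce before verifying, which together close the replay and cross-device reuse paths that a bare "sign the nonce" exchange leaves open.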
TraitWare meets all of the criteria for passwordless authentication
Ducharme suggests that a CISO weigh several criteria when considering a passwordless authentication solution:
Identity proofing – The TraitWare solution is in full compliance with the standards that the National Institute of Standards and Technology (NIST) has established for initial identity proofing security requirements in the United States. We support a variety of registration processes, according to the security level that the customer requires.
Cost – The cost for passwordless authentication can be quite low, especially in comparison to the costs for a forgotten password reset, anti-phishing training and testing, and, of course, recovery from an attack. In TraitWare’s solution, the user pays a low monthly fee for SaaS based on the number of users. In most cases, the user’s own mobile device is used as the authentication device, eliminating the need for additional hardware.
Integration with the enterprise’s spectrum of applications – TraitWare solutions are astonishingly simple to set up, integrating easily with most applications. Because protecting back-end servers and other systems is critical, TraitWare uses the standard SAML2 and OpenID Connect protocols to provide passwordless logins to AWS, Azure, Google cloud consoles, Google Apps, Office 365 as well as thousands of cloud applications. Further, Linux servers can now be passwordless, with SSH and SFTP logins handled by TraitWare’s PAM (pluggable authentication module). TraitWare is currently doing final testing on passwordless login to Windows machines, with release planned for Q4 2019.
Ability of the organization’s infrastructure to support the technology and standards required to go passwordless – Very little is required to support the TraitWare solution. The only requirements to integrate TraitWare are an existing authorization standard such as OIDC or SAML2, or installation of a PAM module on a Linux machine. Windows installers for AD and direct PC use are also coming in Q4 2019. Once a relying party trust is established with the TraitWare authorization server, a user installs an app from either the iOS or Android store, and all users are ready to go passwordless with as little as two clicks.
TraitWare meets AAL2 of NIST SP 800-63, and we are currently working to demonstrate and achieve certification for the requirements of SOC 2 and FedRAMP Moderate.
In summary, the very good news is that TraitWare has brought the desired future passwordless state referenced in Mr. Zorz’s article here now. It is in use and loved by those who have it, and ready to be deployed in your organization.