Get Ready for the Passwordless Future

By: Sean Frazier, Advisory Chief Information Security Officer – Federal, Duo Security

Most of us have a standard list of go-to passwords for various logins and websites – each fluctuating slightly with upper or lowercase letters, extra numbers, symbols and punctuation. Some of us keep them scribbled on a notepad, while others click “remember me” when logging onto sites, to speed up the process and relieve the stress of remembering them time and time again.

But as cyberattacks become more sophisticated, and Federal agencies work to modernize their IT systems and protect vital data, passwords are becoming a thing of the past. And the push toward a passwordless world introduces the need for new standards and technical innovation.

Everything old is new Again – Updating Legacy Technology

Truth be told, we have been lazy when it comes to passwords. Administrators put all the onus on the end user to manage the password lifecycle – requiring them to use longer passwords, a mix of characters/cases, etc. – making it harder and harder for users to manage the various passwords they need for different applications and sites.

The idea of a passwordless world is not entirely foreign to the Federal government. But while 80 percent to 85 percent of agencies use Personal Identity Verification (PIV) cards and/or Common Access Cards (CAC), these are not ideal solutions for agile and modern IT and application access. They are difficult to issue and replace when lost; they sometimes can’t be used to authenticate to cloud applications; and they are a non-starter from mobile devices. As such, these legacy identity verification technologies don’t lend themselves well to IT modernization, and agencies haven’t done the appropriate plumbing exercises to update federation by using newer federation technologies such as OIDC or SAML.

Agencies are also dealing with Public Key Infrastructure (PKI) stacks that are, for the most part, at least 15 years old. The financial burden of maintaining these PKI stacks over their lifecycle can be immense, and modern technology is passing them by. Government organizations need to find a balance between working with these pre-implemented legacy systems, in which they have heavily invested, and adopting new, standards-based (more flexible, more affordable) authentication technologies in the commercial technology space.

The Cresting Wave of the Authentication Future

In March 2019, the World Wide Web Consortium (W3C) announced Web Authentication (WebAuthn) as the official passwordless web standard. WebAuthn is a browser-based API that allows for web applications to create strong, public key-based credentials for the purpose of user authentication. It will enable the most convenient and secure authentication method for end users – the device that they are already using – to validate that the user is who they say they are via a biometric.

While WebAuthn is a nascent standard, it is the wave of the future. Five years ago, many organizations and individuals were wary of biometrics. No one trusted fingerprint authentication or facial identification. While these technologies are not perfect, the Apple platform, for example, proves they work at scale by processing millions of transactions per day.

Shifting from traditional passwords can seem burdensome, but a passwordless authentication method doesn’t have to start from the ground up. Apple, Google, and Microsoft have already added WebAuthn support to their products. This commercially available technology can help agencies leverage industry standards like WebAuthn to improve security and drive flexibility. Instead of building custom models, putting trust into top tech providers in the space can help agencies save money and get rid of the security baggage associated with traditional passwords.

Of course, there will always be hiccups in technology. When all else fails, passwords will be necessary as a backup for authentication systems when biometrics fall short. But shifting from the traditional passwords of the past to the authentication mechanisms of the future is the logical next step for the public and private sectors alike. It’s the PKI that we all know and love, but just done the right way with strong protection and ease of use. With government’s buy-in of updated authentication models, agencies can modernize their IT infrastructures more easily and ensure stronger, safer, and more secure protection for their data.

To learn how your agency can make the move toward a passwordless future, check out Duo Security’s website for more information.