A Passwordless Authentication Future

The passwordless revolution is coming! OK, the passwordless revolution has been a long time coming. Security teams would very much like to see organizations finally do away with passwords once and for all; passwords are a vulnerability, and even when paired with multi-factor authentication, the operating costs of password management are high—up to 40% of help desk calls can be attributed to password management. Yet a high percentage of organizations continue to rely on passwords. In part, the resistance to change is user-driven—users have grown used to passwords and feel that if they’re entering a password, that’s the “best” way to authenticate to systems. The security community has, to a degree, fostered that notion. And though “best” may have been true 10 or 15 years ago, a simple username/password combination is not sufficient today. We all know that. We’ve seen the statistics and the credential-facilitated breaches.

As a mitigation technique, organizations have been compensating for passwords with SMS codes, OTP hardware and software tokens, PKI tokens, biometrics, and more as a second factor of authentication. Though two-factor/multi-factor authentication tightens security control and raises the bar for attackers, the common thread is that all of these factors are still layered on top of a password. And while users are becoming more comfortable with and accepting of 2FA/MFA, traditional techniques and tools like OTPs or mainstream authenticator apps add friction to the authentication process.

A TCO approach

Secret Double Octopus was founded in 2015 on a belief that passwords need to be eliminated altogether and that passwordless can be accomplished in a way that reduces the burden on both the end user and IT/help desk/security teams. Or Finklestein, head of product marketing for SDO, said during a recent call that the problem the company is trying to solve isn’t just a migration away from passwords for security reasons (though he believes this is the best path forward), but that the company is also focused on helping IT teams streamline. “With passwordless,” he said, “password policies are gone—no one has to manage them. This is a huge time and cost saver. Attacks against passwords are gone—there is much less potential for phishing, account hijacking, or man-in-the-middle attacks. This dramatically increases security and compliance for the organization.”

What does “passwordless” mean to SDO and how do their products work? Generally speaking, Octopus Authentication is deployed on-premises or in the cloud and integrates with Active Directory or any other identity provider. Users must also download the Octopus Authenticator app. Once the platform is set up, authentication is achieved by prompting the user to validate their identity on the authenticator with biometrics. The password, even if it was in use previously, is now eliminated. Users no longer have to manage passwords and admins can stop enforcing password policies. Even if an attacker gains physical possession of a device, they are prevented from compromising the authentication process because of the built-in biometric factor and the cryptographic secret sharing.

The Octopus Authenticator is certified FIDO compliant and is fully compatible with all FIDO2 authenticators. This provides feature parity from workstations to servers, web applications, and remote access. SDO integrates with most identity and access management providers and offers a single sign-on portal, meaning organizations don’t have to replace existing solutions and can easily increase security and login convenience.

The secret behind Secret

The secret to Secret Double Octopus is its cryptographic secret sharing algorithm, which results in high-assurance verification and eliminates the possibility of stolen, phished, or intercepted passwords. The shared-key exchange means that even if an attacker somehow gains access to the SDO authenticator app, they can’t do anything useful with the partial keys.

“The security benefits range from resiliency against password leaks to network asset protection,” said Finklestein, “but at times, the security aspect of passwordless solutions alone has been a tough sell for companies. That’s why when we built the solution, we also wanted to make sure the total cost of ownership was attractive to admins. Our clients are able to eliminate most password-related support expenses—because there aren’t any more passwords to manage—and easily migrate employees to the system because it’s one-touch. Easy installation and management are also important for security and IT teams that are already overworked and trying to keep the business running, especially right now with everyone working from home.”

A metamorphosis

The passwordless revolution is coming. Albeit slowly. Maybe it should be considered a metamorphosis instead. Even though IT and security teams would be happy to see passwords replaced by something easier and more secure, adoption of passwordless authentication isn't even close to critical mass. The reasons for this include inertia, familiarity, and user pushback. None of these reasons are necessarily convincing arguments for sticking with an old technology that doesn’t work optimally in today’s business environment. Nonetheless, companies like SDO and others would be wise to create playbooks organizations can use to migrate away from password-based authentication. The easier it is (and looks) for companies to adopt passwordless, the more likely they’ll be to buy in.

The market for passwordless is starting to get crowded, which is a positive sign. Familiarity breeds adoption, especially when adoption is as simple as it seems with technology like Secret Double Octopus. It’s not likely we’ll see a full-scale passwordless revolution in the coming days, weeks, or months, but if we can incrementally increase adoption over time, that’s a win.