True Passwordless? Show me...
Passwordless is more than a buzzword. Idaptive has been granted a key patent in Passwordless technology by the United States Patent Office: Zero sign-on using a web browser.
Passwordless is a major security industry buzzword for 2020. I’m sure you have heard many identity and access management vendors touting their Passwordless technology in their blogs, press releases, and conferences as being the first to market. If I was from Missouri, the “show me” state, I would insist that vendors show real innovation — more than just supporting common Passwordless authentication standards.
One of our core values at Idaptive is to back up our claims with true innovation and real intellectual property, and this last weekend brought a really nice surprise for us here at Idaptive; we have been granted a key patent in Passwordless technology by the United States Patent Office: Zero sign-on using a web browser.
Zero Sign-on (ZSO)
This patent for Zero Sign-on (ZSO), implemented in the Idaptive Next-Gen Access platform, is about eliminating passwords while delivering strong authentication to login to any application, cloud or on-premises, through a web browser using user and device certificates. This innovation leverages two core pieces of the Idaptive platform – the cloud service, and the cloud agents.
To summarize, this is how it works; when a user on the device enrolls the device with the Idaptive platform, the Idaptive cloud endpoint agent configures all standard browsers on the device to enable ZSO via each standard browser installed on the device. After configuration, any of the browsers can create an authenticated secure connection to Idaptive platform (and any application protected by it) without need for user to enter in their credential information such as a username or password. From the user's point of view, the user simply requests the application in the browser and accesses it with no further input, enabling a seamless, or “silent”, login experience with the underlying security controls offered by strong certificate-based authentication.
The foundational pillars of Passwordless
In the past year or so, I’ve had the opportunity to have many discussions with our customers and prospects about what constitutes a true Passwordless solution, and the foundational pillars of such a solution. Here’s my view on what are the foundational pillars of a true Passwordless solution.
Pillar 1: Zero Sign-on with Passwordless multi-factor authentication
The first pillar of a true Passwordless solution is Zero sign-on, leveraging strong cryptographic standards such as certificates and combining user identities with contextual information such as device fingerprints and security posture. But ZSO, alone, is not enough. ZSO needs to be combined with one or more additional authentication factors, none of which should be passwords. With Idaptive, you can implement ZSO and layer on additional forms of authentication, such a mobile-push notification, Yubikeys of even FIDO 2 supported on-device authenticators such as TouchID and Windows Hello (hopefully not SMS OTP). In highly secure environments where privileged users are not allowed to plug-in USB keys or devices, nor have other devices such as fingerprint sensors or cameras enabled on their endpoints, ZSO may be the only real form of high assurance, cryptographic, Passwordless authentication you have available.
Pillar 2: FIDO 2 support and integration
Pillar #2 for Passwordless is Fast Identity Online (FIDO). I’m a great fan and supporter of the FIDO alliance, and it seems, so is our industry! Most every identity as a service vendor supports FIDO 2 Web Authentication (WebAuthN) and this standard is key to enabling Passwordless authentication to typical end user machines. I’ve personally loved using FIDO 2 compliant keys from Yubikey and using my MacOS TouchID to access my Idaptive secured applications and Idaptive user portal. I also use my FIDO 2 keys as an additional factor when step-up authentication is triggered. For example, Idaptive can require multi-factor authentication when the risk level is determined to be elevated by my behavior, such as accessing an app that I haven’t used recently or from a location I don’t normally access it from.
Pillar 3: Endpoint Agent for Passwordless multi-factor authentication
The third pillar of true Passwordless is login authentication to endpoints. While technologies like Windows Hello, which Idaptive works seamlessly today, have made it easier to eliminate passwords during endpoint login, they often come with their own share of challenges; for one, they replace the password with a PIN, which is just as easy to forget and prone to being reused for personal and corporate logins; second, they do not provide a versatile and wide range of Passwordless authenticators to work with; and third, they further lock you into using and paying a premium for Microsoft technologies, which only work on Microsoft platforms (what about all those Macs?). While the Idaptive endpoint agents require password as one of their factors today, this restriction will be removed in the future releases. In other words, Idaptive will enable login to your windows and mac endpoints with no passwords!
Pillar 4: Remote users Passwordless authentication to on-premises apps
Pillar number 4 is a key Passwordless use case that affects all hybrid enterprises, especially in today’s work from home environment. Remote users often use a VPN connection into the network to access on-premises applications and resources. As a key security control, you should always require users to use multi-factor authentication (MFA) when accessing the network through a VPN. Making sure this MFA is Passwordless is a key element of enabling a Passwordless environment.
NOTE: Widespread VPN usage introduces its own security and scale challenges, especially when a typical user only needs access to a handful of applications. That is why Idaptive offers VPN-less access through its App Gateway service, and you can leverage Idaptive’s ZSO and FIDO 2 support with this service to achieve true Passwordless authentication to on-premises apps.
Pillar 5: Self-service Passwordless Authenticator replacement
The last pillar of Passwordless, is a solution that will offer you the ability to self-enroll, replace and delete your Passwordless authenticators with the appropriate security controls, along with a wide variety of alternative Passwordless authenticators to choose from. If a user were to lose their YubiKey, or misplace their mobile phone, they shouldn’t be dead in the water. A true Passwordless solution will offer you the ability to self-enroll, replace and delete your Passwordless authenticators with the appropriate security controls, and provide a wide variety of alternative Passwordless authenticators to choose from.
NOTE: With Idaptive’s self-service enrollment and management of authenticators, you can self-enroll and manage push notifications, OATH tokens, security questions, security keys, FIDO authenticators, Windows Hello or MacOS TouchID, etc. So, if you forget your PIN, login with an equally strong or stronger security key. If lose your YubiKey, use a mobile push notification instead. Wide authenticator selection and simple self-service ensures that you will never be locked out, even in a Passwordless world!
So, the next time you discuss Passwordless with an identity vendor, do not hesitate to ask them about their idea of a true, holistic, and Passwordless solution — and what innovation and intellectual property have they invested in to make that a reality! And please let us know if they meet the “Idaptive” Passwordless standards.