By Aviad Mizrachi.
As a society that craves convenience, it’s no surprise that we’ve become big fans of passkeys and passwordless authentication. These new solutions are necessary and improve both security and user experience. However, passkeys and passwordless are just a small part of what is required for comprehensive and secure user management.
This is especially true when SaaS providers want to offer Zero Trust (ZT) capabilities that require continuous verification of user activity. ZT best practices also mandate more aggressive and granular enforcement of infrequently used privilege policies well beyond initial authentication and login.
From requiring logins to critical infrastructure to occur over a specific VPN, to ensuring that only users from the correct organization can log in, to flagging users who access applications from previously unknown IP addresses, we believe there are many aspects of secure user management that passwordless does not cover. This article helps you develop a comprehensive secure user management strategy and identifies key measures you can (and should!) use to ensure that the right users are accessing the right systems.
Password trouble
We all know why passwords are a hassle. The user experience with passwords can be downright awful. The human brain isn’t designed to remember dozens of passwords, so we forget them all the time. When I have to ask for a new password, I find myself jumping through a new set of hoops just to log into the systems I access every day.
Worse, many conservative system administrators still refuse to enable self-service password reset. This can be a problem, for example, if the employee is in a different time zone than the system administrator’s, or if the administrator is on vacation.
Worse than forgetting passwords is the common habit of reusing the same password across multiple systems. This means that if a system holding one password is compromised, cybercriminals can try the same email-and-password or username-and-password combination against other accounts held by the same user, and unauthorized access may follow. The usual workaround is to choose passwords that are easy to remember, and those are easily cracked, even by automated tools.
Even with the addition of multi-factor authentication (MFA) using authenticator apps, SMS codes, and other methods to improve security, attackers can use clever methods to bypass MFA, capture MFA codes, or mount man-in-the-middle attacks against the user’s device. An attacker who compromises the password of an official email account effectively controls both modalities of authentication. This is why the US Federal Bureau of Investigation received 19,954 business email compromise (BEC)/email account compromise (EAC) complaints in 2021, resulting in an adjusted loss of approximately $2.4 billion.
For years, critics have complained about password problems. At the RSA Conference in 2004, Bill Gates predicted the demise of passwords, stating, “Passwords just don’t meet the challenges of what you really want to protect.” Since then, we have continued to hear people complain about poor passwords. However, passwords are still the primary form of basic authentication in enterprises.
A Brief History of Biometrics and Passwordless
In the digital age, modern security systems and encryption have digitized biometrics. Biometrics is the science and related techniques for identifying someone based on their unique physical or behavioral characteristics. There is evidence that the ancient Babylonians used fingerprints to identify and sign clay for commercial transactions as early as 500 BC. Chinese merchants in the 14th century used palm and footprints. The earliest fingerprint systems for identifying criminals appeared in the late 19th century. Initially expensive and used primarily to protect critical defense and industrial systems and locations, biometrics became mainstream in the modern smartphone age once Apple and Android devices began using facial recognition and fingerprints to unlock the phone and open applications, making everyday tasks easier.
Over the past few years, passwordless authentication technology has matured rapidly and gained acceptance from large technology companies with billions of users among consumers and business workers. Passwordless is exactly what its name says: users do not have to remember or enter passwords. Instead, passwordless systems typically use a combination of authentication methods, including biometrics and a link sent to an email address assigned to a known user. In some cases the system is passwordless multi-factor authentication, which may combine biometrics, SMS messages, and tokens or codes from authenticator applications.
Enter FIDO, WebAuthn, and Passkeys
Passwordless has been promoted by the FIDO Alliance, a global technical standards body managed collectively by its members. FIDO members include Google, Apple, PayPal, Microsoft, Facebook, and hundreds of other companies. There are two major passwordless standards: the Web Authentication JavaScript API standard (WebAuthn) and FIDO’s counterpart, the Client-to-Authenticator Protocol (CTAP). All major browsers, including Google Chrome, Mozilla Firefox, and Microsoft Edge, implement the standards, and the list of B2B SaaS providers supporting WebAuthn continues to grow.
The fastest growing method of deploying passwordless is passkeys. With a passkey, the same combination of factors (biometrics and codes) used to unlock your device can also be used for authentication and login. A better user experience (UX), coupled with a strong push for consumer education by major technology companies and mobile app vendors, is expected to lead to widespread adoption of passkeys and passwordless across enterprise SaaS. Passkeys are a great feature, but they are just the tip of the iceberg when it comes to implementing a secure user management approach.
Think Beyond Passkeys to Secure User Management
Relying solely on passkeys and passwordless for secure user management is like setting the security clock back to the days of hardened perimeters and soft, insecure internal environments. Although the team has implemented passwordless, we see it as just the first step in secure user management and as one part of an overall secure administration strategy.
After login and initial authentication, companies can apply many other criteria to interactions and enforce additional security measures and checks at the user level. This includes the following considerations:
- Is the user trying to access critical systems such as financial or production environments?
- Is the user trying to access the system for the first time, or after a credential reset?
- Did the user bypass passkeys or passwordless for some reason?
- Is the user relying on only one form of authentication, or on passwordless MFA?
- Is the user following their previous usage patterns on the system, such as:
  - Network type (secured WiFi or public WiFi)
  - Unusual requests (for example, requesting access to a system they are not entitled to)
Product, UX, and security teams work together to create policies that map security requirements to each of the above scenarios in order to build resilient, stronger, and more secure user management. For example, if a user is already logged in with a passkey and you know they are an application developer, you can force an additional authentication step or another passkey verification before granting access to their code repositories or to the continuous integration (CI) pipeline environment. Alternatively, you could allow someone on the finance team to access the accounts payable system during business hours, but force additional authentication on weekends or when they attempt access from an unrecognized device.
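The following is an added illustration of such a policy map, not Frontegg’s code: it takes the post-login context from the scenarios above (critical system, first login or reset, passkey bypass, factor count, network type, unknown device, unusual request) and returns the step-up checks to enforce, including the developer-to-CI and finance-on-weekends cases from the text. The field names, the list of critical systems, the business-hours window, and the sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Systems treated as critical and the business-hours window are assumptions for this example.
CRITICAL_SYSTEMS = {"finance", "production", "ci-pipeline", "accounts-payable"}
BUSINESS_HOURS = range(9, 18)  # 09:00-17:59, Monday to Friday

@dataclass
class AccessRequest:
    """Context gathered after a successful login (field names are illustrative)."""
    user: str
    target_system: str
    entitled_systems: frozenset   # systems the user is allowed to use at all
    used_passkey: bool            # session authenticated with a passkey/passwordless?
    mfa_factors: int              # distinct factors presented at login
    first_login_or_reset: bool
    network_type: str             # "corporate", "secured-wifi" or "public-wifi"
    device_known: bool
    when: datetime

def evaluate(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ("allow", []), ("step-up", [checks to enforce]) or ("deny", [reason])."""
    if req.target_system not in req.entitled_systems:
        # Unusual request: the user is asking for a system they are not entitled to.
        return "deny", ["not entitled to " + req.target_system + "; raise alert"]
    checks = []
    if not req.used_passkey:
        checks.append("passkey or passwordless verification")
    if req.mfa_factors < 2:
        checks.append("second factor")
    if req.first_login_or_reset:
        checks.append("identity proofing for first login or post-reset login")
    if req.target_system in CRITICAL_SYSTEMS:
        checks.append("re-verify passkey before " + req.target_system)
    if req.network_type == "public-wifi":
        checks.append("confirmation because network is public WiFi")
    if not req.device_known:
        checks.append("additional authentication on unrecognized device")
    if req.target_system == "accounts-payable":
        if req.when.weekday() >= 5 or req.when.hour not in BUSINESS_HOURS:
            checks.append("additional authentication outside business hours")
    return ("step-up", checks) if checks else ("allow", [])

# Constructed sample requests (not real users or systems).
DEV_TO_CI = AccessRequest("dev@example.com", "ci-pipeline", frozenset({"repo", "ci-pipeline"}),
                          True, 2, False, "corporate", True, datetime(2024, 3, 5, 10, 0))
FINANCE_WEEKEND = AccessRequest("fin@example.com", "accounts-payable", frozenset({"accounts-payable"}),
                                True, 2, False, "secured-wifi", False, datetime(2024, 3, 9, 11, 0))
UNENTITLED = AccessRequest("dev@example.com", "production", frozenset({"repo", "ci-pipeline"}),
                           True, 2, False, "corporate", True, datetime(2024, 3, 5, 10, 0))
```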
Conclusion: Secure User Management Beyond Passkeys
Much of this is common sense, but detailed policy design for secure user management can be a time-consuming task and must consider the human factors of different personas and their needs. However, this process is essential to enable the “multi-layered security” required for modern SaaS user management. This is especially true for SaaS platforms built on top of microservices and micro-frontends, where segmentation makes it easier to pursue a more granular user management approach. Passkeys and WebAuthn are great, and passwordless technology improves both security and user experience. However, it is not a security panacea and should complement, rather than replace, the smart security controls implemented in modern user management systems.
Aviad Mizrachi is CTO of Frontegg, a user management platform for B2B apps.