In part one of my blog series, Moving Passwordless Beyond a Short-Term Itch, I emphasized the benefits of going passwordless, including a new paradigm of access control that is part of a broader security strategy rather than the focus of it. In part two, I offer some concrete observations on the main method categories.
How Far will you let Passwordless take you?
The most common objective that a B2C business owner wants to achieve from passwordless authentication is usability. He wants a slick entry experience as part of his new Wizbang service rather than a clunky experience each time a user consumes his service. For internal users, a fast and simple entry into a business process invites the employee to complete it sooner rather than later, perhaps even while on the road on a mobile device, creating efficiency across the organization. Conversely, an app or service that is a hassle to get into is often pushed to the bottom of the to-do list, slowing down business.
Musings about Passwordless options
To my surprise, I have found myself wishing that I had access to a broader range of methods to fit the situation that I'm in. Whether it's part of a multi-factor authentication requirement or simply an option over passwords, I've appreciated services that provide options. The more, the better. Below are some of my observations from the most common methods that I've used:
OTPs/TOTPs – one-time passwords, or time-based ones, are almost always part of a multi-factor authentication experience. I like them best for a purely mobile situation, where copy and paste seems to be the simplest experience.
Google Authenticator – when I’m on my laptop and have my phone with me, count me as a Google authenticator fan. The time-sensitive number token is always ready, and it’s easy to type as I read.
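The time-sensitive number that Google Authenticator and similar apps display is an RFC 6238 TOTP code: an HMAC-SHA1 over the current 30-second time step, truncated to six digits. The following is an added example, not code from the original post or from any NetIQ product, showing how a service generates and verifies such codes, why a code "expires" (the counter moves on), and why the verifier accepts one step of clock skew on either side and records the matched counter so the same code cannot be replayed. The RFC 6238 test secret and the `window` and `digits` parameters are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890"), used only
# so the output below can be checked against the published test vectors.
RFC6238_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.

    The code changes whenever unix_time crosses a multiple of `step`; that is
    what the user experiences as the code "expiring" in the authenticator app.
    """
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, *, step: int = 30,
                digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Return the time-step counter the code matched, or None if it is invalid.

    `window` steps on either side tolerate clock skew between phone and server.
    Counters at or below `last_counter` are rejected so an intercepted code
    cannot be replayed inside the skew window (RFC 6238 section 5.2).
    Comparison is constant-time to avoid leaking digit-by-digit timing.
    """
    if len(code) != digits or not code.isdigit():
        return None
    current = unix_time // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps import secrets as Base32 (the otpauth:// URI format)."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)            # restore padding apps usually omit
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    t = 1111111109                                   # a timestamp from the RFC vectors
    print("code now     :", totp(RFC6238_TEST_SECRET, t))
    print("code next    :", totp(RFC6238_TEST_SECRET, t + 30))
    matched = verify_totp(RFC6238_TEST_SECRET, totp(RFC6238_TEST_SECRET, t), t + 20)
    print("matched step :", matched)
    # The same code again, with the matched counter remembered, is refused.
    print("replay       :", verify_totp(RFC6238_TEST_SECRET, totp(RFC6238_TEST_SECRET, t),
                                        t + 20, last_counter=matched))
```

The eight-digit values in the test below are the published RFC 6238 SHA-1 vectors, so the implementation can be checked without a phone in hand; production deployments keep the six-digit default and store the last accepted counter per user.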
Out-of-band push – for the laptop/phone combo, this is one step simpler than Google Authenticator because, as a user, if the app is already loaded, all I have to do is touch “approved” as part of a 2FA experience. No numbers to enter or expire. I always feel a sense of satisfaction when I complete a 2FA operation without entering a code.
Facial recognition – namely, Windows Hello and mobile apps. Overall, I’ve been pleased with the low friction nature of Windows Hello, noting that it seems to get better over time. The biggest challenge is that Windows Hello doesn’t deal well with different light situations. When I’m in the context where Windows Hello doesn’t recognize me, I take a moment to register my face in that context. So, as I build up a library of registered faces in different contexts, it successfully recognizes me more often and faster.
I have a few mobile apps that use facial technology and one that registers my eyes. They all work well. The eye (I doubt it’s retina, could it be my eyelids or other related features?) method is cool in that the banking app treats it as a very strong form of identity verification. It lets me manipulate larger quantities of money that are otherwise not allowed. It’s a differentiated level of convenience because I can do more wherever I’m at without having to go into the branch, and that authentication type allows me to interact in ways that other banking apps don’t. As a consumer, I also have confidence in that authentication type, and I’m more loyal to that institution.
Voice recognition – this is another biggie because it can be designed to be passive in voice call situations, which makes for a great multi-factor authentication experience. Because of its high accuracy, voice printing is very common in the financial services vertical. In my experience, rarely does voice recognition fail, but when it does, I’m presented with a short list of challenge questions. As a consumer, not only is the passive nature of voice print authentication an awesome experience, but I have confidence in the level of security it offers.
Bluetooth – a factor type of "what you have." Being a huge fan of passive authentication technologies, I was surprised that I hadn't incorporated this option as much. In open areas where you want to take care not to leave apps or information unattended, Windows has a lock option that locks your laptop when you and your phone step away.
Bluetooth also offers a low energy option (BLE) with various devices, such as a keyring finder that can be used as a beacon. There are also wearable devices such as smart rings that can function as BLE beacons covering several yards and that seem to be easier to keep with you.
Phone gestures – there are gesture-type security apps that perform heuristics on how you handle and physically interact with your phone, the result being a confidence rating. While not strong enough to be the primary form of identity verification, it could serve as a suitable additional factor used in conjunction with other types. I view this type of identity verification as a great fit for continuous authentication scenarios involving mobile devices. This type of risk scoring technology increases in accuracy the longer it is used on a specific device, meaning that early on a higher risk score could trigger another authentication type more often. And yes, NetIQ Advanced Authentication supports such technology.
FIDO/FIDO2 – for the right application or service, I think FIDO is an attractive authentication option. It's quite amazing to see the different ways that vendors build on those standards. FIDO devices seem especially popular in university settings. I haven't adopted them myself because that is just one more thing that I have to carry around and likely lose. The methods above that require a phone are more natural because I usually have it within reach anyway.
The business value of choice
Getting back to my point about choice: the more authentication methods that you offer your users (customers, employees, contractors, etc.), the more likely that you’re providing a type that fits their situation, raising both satisfaction and security. And as I will go into in more detail next, having a rich library of identity verification options allows you to implement higher security methodologies without sabotaging usability. This is one of the areas in which NetIQ Advanced Authentication excels. It offers out-of-the-box native integrations with an industry-leading number of supported authentication methods.
Passwordless for Your Future Security Needs
Going back to my points made earlier in this blog, if it's done right, passwordless authentication can be so much more than just an alternative to username and password. It empowers you to raise security to zero trust levels without alienating users. The less friction that you bother your users with, the more effective your continuous authentication will be. If your passwordless implementation is part of an infrastructure that accurately identifies risky situations, you're able to invoke a method, or combination of methods, strong enough to match the risk. This level of identity verification pushes down risk within your business and frees you up to increase your interactions, transactions, and overall engagement with your consumers. Check out this white paper, The Next Generation of Access Control, which describes how to take an adaptive approach to access management that more effectively measures risk and protects against outsiders.