Are we on the verge of passwordless security going mainstream?

Brett Winterford (Chief Security Officer, APJ at Okta) is a strong advocate for better security, with more than two decades of experience approaching security from a wide range of angles – as a practitioner, educator, advisor, and an award-winning journalist. 

At Okta, he helps customers understand the evolving threat landscape, and harness the technologies that can drive better business outcomes. 

Right now, passwordless security is high on the list of technological advancements that will contribute to more robust security for organisations and individuals. Before Brett heads to Riyadh to speak at Black Hat MEA 2024, we asked him to explain the benefits and challenges of passwordless security – and he shared how close he thinks we are to mainstream rollout. 

What are the key benefits of passwordless security – why is it worth striving for? 

“The vast majority of cyber security incidents stem from password-based attacks. According to the annual Verizon DBIR, 86% of security incidents stem from credential abuse. Irrespective of whether the root cause arose from phishing, credential stuffing or from infostealer malware, the one thing nearly all these attacks have in common is theft of a user-generated password.

“An effective defence against password-based attacks requires multiple blended controls. Applying multifactor authentication is the most effective, but it’s not infallible either. An OTP is just another secret that a skilled social engineer can trick you into handing over.

“The only MFA factors that are resilient to these attacks are passwordless, phishing resistant factors. Once you’re using these factors to access resources, you have the opportunity to eradicate passwords – and all the security issues they present – from your environment.”

Could you describe some of the major implementation challenges that make passwordless security a complex goal? 

“There are a few challenges, but none are insurmountable. 

“The first is compatibility: there are a small number of client apps that don’t support phishing resistant flows. The number of apps on that list is steadily decreasing, and can be handled by workflows that offer temporary policy exemptions.

“The second challenge involves how you apply phishing resistance to enrollment and recovery flows. Enforcing phishing resistance at sign-in is the easy part. The hard part is the ‘chicken and egg’ challenge of having enough assurance about a user’s identity to enrol them in phishing resistant factors in the first place, and enrolling the user in a sufficient number of high assurance factors to be able to validate their identity during account recovery. 

“Today we have solutions for this. Users at Okta (the organisation), much like many of our top customers, are now protected against phishing throughout the user lifecycle – from enrollment through to sign-in and recovery.”

Tell us a bit about Okta FastPass, and the research behind it? 

“The development of FastPass started at a time when WebAuthn was not widely available. Okta’s design goal for FastPass was to build the most secure, usable, and deployable enterprise authenticator to accelerate the adoption of passwordless while providing all the same security properties as FIDO2 WebAuthn. 

“Additionally we want to offer a consistent user experience across every operating system (Android, iOS, MacOS, Windows) and provide security teams with an ability to create a strong binding with the device to evaluate its context and posture at every sign-in and during a session. This is crucial for enterprise deployments.

“Using FastPass, a user can satisfy two factors (possession of the device and user verification either through inheritance or knowledge) in 3-4 seconds, thanks to a cryptographic relationship between the user device and the Okta service, and thanks to biometric checks in operating systems that allow a user to verify their presence to the device. Third party assessor’s have validated that with the right FIPS-approved hardware in place, FastPass can satisfy NIST AAL3 in terms of assurance. 

“Passwordless is one of those technologies for which end user experience and security are not in conflict. In fact, they complement each other. Given the rise of session hijacking (through malware and AiTM phishing), today it's prudent to re-authenticate users as they access sensitive resources or perform privileged actions, rather than simply relying on validating the user’s identity at sign-in. When an authentication challenge is easier and faster to complete, users are more open to policy configurations that challenge them at higher frequency.”

In terms of user trust and adoption, is there a big hill to climb before passwordless security can become mainstream? 

“Mainstream adoption of passwordless isn’t far off. FastPass is Okta’s fastest growing sign-in method for workforce use cases. I expect passkeys will unquestionably be the fastest growing sign-in method in customer identity use cases. We’re already seeing lower assurance use cases being adopted now. Entities with high assurance requirements – like healthcare and financial services providers – will likely wait until the work on passkey provenance within the FIDO Alliance to be resolved prior to adopting it.

“The final challenge to passwordless adoption will be a cultural one. I think it is flawed to assume that user populations are going to be too confused by a sign-in flow that doesn’t require a password. Yes, there is an end user education and awareness hurdle. But we know through our own lived experience, and the experience of Okta’s most progressive customers, that this is not insurmountable. Once passkey adoption in consumer apps takes off, passwordless will move from being a novel sign-in method to being a core user expectation very quickly.”

Finally, why are events like Black Hat MEA valuable to you and your work?

“Black Hat allows us to demonstrate the art of the possible to the people that matter. 

“Beyond that, the value lies in Black Hat’s hacker roots. Black Hat fosters an atmosphere of curiosity about how various technologies work, and how they might be abused or used in unintended ways. 

“We consider FastPass a “battle-hardened” authenticator because of the cumulative effort by our own security research team, the red teams at Okta customers, and members of the public that submit vulnerabilities via Okta’s public bug bounty program. We welcome security research because it’s very often the catalyst to drive further innovation in the product.”

Thanks to Brett Winterford at Okta. It’s not too late: register now to attend Black Hat MEA 2024 and learn directly from the leading minds in cybersecurity.