Apple, Google, and Microsoft now offer passwordless options to millions of consumers – and those users will now ask for this from other service providers.
Many alternative approaches to passwordless authentication are available: magic links emailed to users, (but email isn’t secure), one-time-passcodes sent to WhatsApp for re-entry (but it’s clumsy), or hardened security tokens for local applications and network access (but requires extensive IT management).
Each approach requires installing and configuring client software on the user’s device.
This is where Apple, Google and Microsoft hold the advantage to their own services, embedding this capability into their respective operating systems on user devices.
During the recent ‘World Password Day’, Microsoft, Apple and Google announced their support for FIDO2, the emerging industry standard for passwordless authentication.
In fact, they have all been party to the FIDO2 Alliance for a long time, so this was completely expected.
While your phone unlocks when it recognises your face, or your laptop opens when it reads your fingerprint, this local device authentication cannot be used to verify your access to other external services.
Every application service provider controls their own authentication.
Whether you’re accessing your bank, booking a medical procedure, or updating a personal student record, each service provider has Zero Trust that it is you using your Google, Facebook or Twitter account.
Zero Trust is becoming a foundation stone in cyber security.
Lastly, comes Apple
Apple’s big announcement this week was that it now supports passwordless authentication across its services.
In reality, Apple is late to the party.
It was the last and final operating system vendor to release support for WebAuthn, the FIDO2 standard for authenticating Web Services.
Now that all operating system vendors are participating, FIDO2/WebAuthn will soon become ubiquitous.
However, it’s not a fait accompli.
Every corporate network, business application and web service control its own authentication.
It is a critically important and complex project to build FIDO2 capability into the backend of a system.
Even an experienced team will take weeks or months, and then need to be retained for the life of the system.
The deployment project then depends on the size of the user base, requiring change management.
All users will need to install and configure software clients on their devices in order to change successfully to this new standard.
Compounding this complexity is that many passwordless projects are entangled with user Identity and Access Management (IAM) transformations, which can run for years.
It’s arguably better if passwordless transformations are executed separately from IAM deployments.
This approach can accelerate changing over to paswordless, yet only a minority of vendor solutions separate the two.
Passwordless for Web Services / SaaS
Today, almost all business applications are written for web services, and every Software as a Service (SaaS) provider on the planet employs username-password credentials.
Two-factor authentication (2FA) is deployed only if security is paramount, because it is clumsy, expensive, and can still be defeated.
The ideal solutions combine seamless authentication with multifactor authentication (MFA).
With no single attach surface, it is incredibly difficult to compromise and it provides a frictionless user experience.
Most IT professionals consider security to be the primary driver responsible for adoption, however, experiences from Silicon Valley entrepreneurs show a completely different reason.
The majority of web applications prioritise convenience ahead of security.
One measure of this is the proportion of websites that use social media to authenticate a user, in order to simplify onboarding for users.
Social media authentication (OAuth) is fragile for security.
Imagine relying on Facebook to access your bank account or linking it to absolutely everything you do online.
For web service providers, frictionless access increases user engagement.
Strong security builds trust.
This is a win-win for users, and that is a powerful business driver for online services.
SaaS providers, who are early adopters, gain a strong competitive advantage and ultimately this will be imperative to retain customers from churning to a competitor with easier access.
Often, passwordless vendors downplay the cost of onboarding users.
The type of solution and the size of the user base will determine the overall financial and human resources to complete a full deployment.
The FIDO Alliance cited in a recent white paper that the breakthrough needed for mass adoption is a seamless user experience for onboarding.
Simpler emerging solutions
Solving the onboarding of users is critical for SaaS companies.
If just 5% of a client base has difficulties setting up biometrics on their individual phone, then it creates a massive change management burden.
With investment levels at record highs in this white-hot sector of cyber security, we are already seeing the emergence of solutions where adoption happens naturally as if by osmosis, solving the choke point of FIDO’s onboarding issue.
That opens the throttle to rapid adoption, enabling users en mass to convert to a passwordless future instantly.
It will be interesting to see which solution emerges as the trusted default for web security.
Graeme Speak, is the founder and CEO of BankVault Cyber Security and led the innovation team behind MasterKey, an intelligent new approach to invisible passwordless authentication. He is an Australian entrepreneur based in Silicon Valley.
This content has been written by a topic area expert and is not a sponsored post or advertisement.