The Rise of Passwordless Authentication

Servers, Kubernetes clusters and databases hold a company’s secrets, intellectual property, financials and confidential information about customers and employees. That’s why they’re popular targets for attacks, and why traditional passwords aren’t nearly strong enough to protect them.

Over the years, companies have tried to make passwords more sophisticated, rotate them and use SSH keys to make them harder to crack. But bad actors are advancing at the same pace — or faster with the help of AI — and admins still struggle to provision, decommission and rotate passwords, tokens and SSH keys.

Passwordless authentication is one solution to prevent bad actors from gaining access to infrastructure and applications. It verifies a user based on characteristics inherent to a person or a piece of hardware that can’t be compromised, like a fingerprint or physical USB. The best passwordless access both simplifies access for users and improves your security posture by removing a single point of compromise. Here’s how.

How BastionZero Provides Passwordless Access to Infrastructure

In a zero trust model, companies don’t trust anyone or anything. Passwordless is an efficient way to confirm that a user is who they say they are, which is why it should be part of a holistic authentication process. If a company authenticates with multiple roots of trust, like BastionZero and an identity provider (IdP), at least one root should use passwordless authentication.

BastionZero Integrations That Support Passwordless Authentication

  • Okta 
  • OneLogin
  • Google
  • Microsoft
  • Keycloak

Passwordless = Better Security With Less Stress

Types of Passwordless Authentication

Third-Party Identity Provider (IdP)

If a user logs in with credentials from a third-party IdP, like Google or Okta, the IdP can verify the user and their privileges with the company’s IT. Once verified, the service will grant access to the target. 

Software Token

An authenticator app, like Google Authenticator, sends a software token to a user’s smartphone, computer or tablet. The token is a one-time code that the user enters (sometimes with a second form of authentication) to gain access to a target.

Hardware Token

A hardware token is a physical device like a USB or fob, which works through a physical connection to a computer or by generating a one-time passcode that the user enters into an on-screen prompt to gain access. 

Biometrics

Biometric traits, like fingerprints, retina patterns, voice or facial features, are compared to stored reference data to grant or deny access. This may be done through a user's smartphone, tablet or laptop if it has built-in biometric authentication.

Magic Link

A magic link is a one-time URL sent to a user via email or SMS. When a user opens the link, it matches the device it’s opened on with a token in a database to verify the device.
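The issue-and-redeem flow described above, as an added illustration that is not BastionZero's code or the page's own: the token is stored only as a hash, is bound to the device that requested it, expires, and can be redeemed once. The endpoint URL, the 15-minute lifetime and the device identifiers are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a link is valid for 15 minutes
LOGIN_ENDPOINT = "https://login.example.test/magic"  # constructed, not a real host


class MagicLinkStore:
    """In-memory stand-in for the database table of pending magic-link tokens."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, dict] = {}  # sha256(token) -> record

    def issue(self, user_id: str, device_id: str) -> str:
        # Random, URL-safe token; only its hash is stored, so a leaked table
        # cannot be turned into working links.
        token = secrets.token_urlsafe(32)
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = {
            "user": user_id,
            "device": device_id,  # the device that requested the link
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return f"{LOGIN_ENDPOINT}?token={token}"

    def redeem(self, url: str, device_id: str) -> Optional[str]:
        """Return the user id if the link is valid for this device, else None."""
        token = parse_qs(urlparse(url).query).get("token", [""])[0]
        record = self._pending.get(hashlib.sha256(token.encode()).hexdigest())
        if record is None or record["used"]:
            return None  # unknown token, or a replayed link
        if self._now() > record["expires"]:
            return None  # expired link
        if not hmac.compare_digest(record["device"], device_id):
            return None  # opened on a device other than the one that asked
        record["used"] = True  # single use from here on
        return record["user"]
```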

Smart Card

Smart cards are physical cards that generally use a data-containing chip and RFID wireless connectivity to authenticate a user. They are often used to grant access to workstations or applications. 

Persistent Cookie

A persistent cookie is a file that’s stored on a device to remember a user's credentials and grant access if the user is logged in. This can stay on a computer indefinitely, or until a predetermined expiration date or the user clears their cookies.

Native Options

Some systems and applications have native passwordless authentication, which may be built into their multi-factor authentication (MFA) process. Google and Microsoft are prime examples.

Single Sign-On and Double Verification With BastionZero’s Passwordless Auth

Although passwordless authentication is gaining popularity, it’s not embedded in all infrastructure access solutions. Here’s how to bolster the security of your infrastructure using passwordless authentication.

Ensure One Root of Trust Uses Passwordless Authentication

A best practice for zero trust infrastructure access is to use two roots of trust, like BastionZero and an IdP, to grant a user access to a target. This prevents threat actors from getting into your infrastructure, even if one root of trust is compromised. In this model, at least one root of trust should use passwordless authentication. 

Modernize Your Credential Management System

It’s not easy to securely manage credentials in today’s enterprise. BastionZero eliminates the huge hassles of provisioning, decommissioning and rotating passwords, tokens and SSH keys. There’s no need to set up IAM roles across different clouds and accounts, which simplifies the process to on- and off-board users.

Risks of Passing on Passwordless

You Remain Vulnerable

81% of hacking-related data breaches are caused by weak or stolen credentials, according to Verizon’s 2022 Data Breach Investigations Report. Passwordless helps mitigate the risk of a breach to your critical infrastructure.

It Hinders Productivity

Admins often manage a mess of passwords, SSH keys and tokens, and waste time and resources provisioning, decommissioning and rotating them. Passwordless removes this burden so admins can focus their attention on other activities.

It Fuels Frustration

It’s a hassle to create and memorize or securely store passwords and SSH keys, not to mention answering a series of security questions every time you forget or need to verify a password. Passwordless authentication eliminates that friction and reduces user frustration, while providing secure access to infrastructure.

Frequently Asked Questions

What is Passwordless Authentication?

“Passwordless” is a way to gain access to something using characteristics inherent to a person or a piece of hardware that can’t be compromised, unlike a password. The idea is that it should be impossible for someone to impersonate another person using something unstealable, like a physical USB or a fingerprint.

What’s the Difference Between Passwordless and Credential Management?

Credentials control what a user has access to. Passwordless is the means by which they get access. Credential management is often a pain because multiple users need access to servers, databases and Kubernetes clusters, but there often isn’t a standard platform for admins to manage access across all of these systems. Companies need a unified control plane to manage all of these credentials and define necessary authentication methods. 

Do I Have to Use Passwordless in a Zero Trust Model?

Zero trust means that you don’t trust anyone or anything. Just because someone has a password doesn’t mean they are who they say they are. Passwordless allows a system to efficiently authenticate that a user is who they say they are, which is why it’s a good idea to use it as part of your overall authentication process in a zero trust model.

How are MFA and Passwordless Authentication Related?

MFA is a digital identity verification method that adds one or more steps to the login process. It typically requires users to provide at least two distinct factors of authentication, such as something they know (e.g., a password), something they have (e.g., a hardware token) or something they are (e.g., biometric data). The main purpose of MFA is to prevent unauthorized access to an account or device, even if a password has been compromised.

Passwordless authentication, on the other hand, is a method of verifying a user's identity without the use of a password or knowledge-based factors. Instead of a password, the user authenticates using something they possess, such as a mobile device or a security key, or something they are, such as a biometric feature. Each time a user requests access, a new authenticating message is generated, eliminating the need to remember and manage passwords.

Both MFA and passwordless authentication can leverage biometric or possessive factors to enhance security. Some systems also offer passwordless multi-factor authentication, combining the benefits of both approaches.

What Are The Benefits of Passwordless Authentication?

The main benefits of passwordless authentication are reducing user friction, as users no longer need to remember, rotate or reset their passwords, and increasing security by replacing shared secrets with something stronger.

Can I Integrate My Existing IdP With BastionZero for Passwordless Authentication?

Yes! Many IdPs provide passwordless authentication out of the box. BastionZero currently integrates with Okta, OneLogin, Google, Microsoft and Keycloak, which all support passwordless authentication.
