Passwordless security gains ground

As state and local agencies look to limit compromised and weak passwords and improve identity management, some are considering passkeys, which take advantage of the security features built into smartphones for authentication.

The passwordless technology lets users access sites or systems with a fingerprint, a face scan or the PIN on their phone’s screen lock as a login credential. This type of multifactor authentication is also phishing resistant, making it more secure than methods like sending one-time SMS codes.

In what it called the “beginning of the end of the password,” Google last month began rolling out its own passkeys, an effort that could help agencies go passwordless and embrace a “zero trust” approach with layers of authentication required.

Google’s move could create a “positive snowball effect” away from passwords, said Andrew Shikiar, executive director of the FIDO Alliance, which works to develop open authentication standards.

The Biden administration’s 2021 executive order on cybersecurity suggested a shift is already afoot in federal policy around passkeys and authentication methods. Previously, federal agencies were mandated to only use PIV or CAC smart cards for multifactor authentication, but the executive order widened the scope and allowed the use of any phishing-resistant MFA.

“The good news is we're seeing government-driven mandates for government utilization of multifactor authentication, including passwordless authentication,” he added. And while those mandates are federal right now, Shikiar said it is inevitable that states will follow suit.

It might not be an easy transition to passwordless, however. Shikiar acknowledged that there must also be a culture shift around passwordless security, especially among long-tenured government employees who may be reluctant to embrace change. “Some people, they're going to make you pry their passwords from their cold dead hands,” he said.

One way to make agency employees more comfortable using passkeys is to ensure user experience is as easy and optimal as possible, Shikiar said. He pointed to the FIDO Alliance’s recent guidelines on user experience for passkeys, which urged organizations of all sizes to direct users to default security and privacy settings to manage new sign-in options. 

FIDO said organizations should encourage users to actively manage their account settings and sign-in options, help them compare what alternatives are available, educate them on the entire process and ensure it is as smooth as possible.

Shikiar said while it may be a little more difficult or time-consuming to get people to enroll for a passkey rather than set up a standard password, once they are up and running, they prefer it.

“What we found is that once people have enrolled through a passkey, their signup success rate is super high, and their satisfaction is very high,” he said. “It's one of the things that people need to try and experience to then want it.”

Others are not so sure a transition to fully passwordless authentication is possible, even though it has been discussed for nearly a decade. PricewaterhouseCoopers said in a recent report that going completely passwordless is “likely, not feasible,” adding that progress is often stalled when organizations use authentication tools that are incompatible with their operating systems or devices.

A recent report indicated that an intermediate step towards going passwordless—embracing multifactor authentication—is catching on, but plenty of work lies ahead. Identity management company Okta found that MFA adoption continues to climb, and that as of January, nearly two-thirds of users and 90% of administrators across the economy authenticated their identities with MFA.

Adoption jumped at the start of the Covid-19 pandemic and has risen steadily since. Shikiar said that indicates that the pandemic “took everyone's five-year digital transformation plans and compacted them into five months.”

Sean Frazier, federal chief security officer at Okta said that the figures show that MFA has “reached the lexicon of the public” and that the majority understands why it is necessary and the risks inherent in not enabling it. 

But there is work ahead for the government sector, which only has 48% adoption of multifactor authentication, far behind the technology sector, which leads the way at 87%. Shikiar said government agencies may be “less emboldened” than the private sector, hence their lower adoption rate. But he noted that a shift to passwordless would also represent a shift in mindset among government agencies, away from putting “Band-Aids on passwords through MFA mandates.”

Frazier said it would also mark a shift away from governments “over relying” on passwords.

Given how quickly online identity and the tech that underpins it is evolving, governments and their contractors must keep their eye on the horizon, said Matt Keller, vice president of federal services at cybersecurity company GuidePoint Security. “What you're deploying today from an identity perspective might not be the right identity solution in five years,” he said.