Or, Passwordless as the 0th Factor of Authentication
Passwordless authentication is kind of hot right now, even though “passwordless” predates the password — much like horse-drawn carriages predated cars (which were first known as “horseless carriages”). But after witnessing a groundswell of support for new passwordless methods such as YubiKey, FIDO Passkey (not to be confused with Apple Passkey), and MS passwordless authentication methods, I resolved to determine for myself whether that brave new world that has such security in it had in fact arrived. In short, we’re still not quite there yet.
Consider, for example, my recent job search, which ended at KuppingerCole Analysts. As many of you are aware, I took some needed time off before joining KuppingerCole Analysts — a kind of self-directed sabbatical. During that time, when I found any job listing that seemed interesting, I’d naturally apply. That usually meant setting up an account with the employer and then connecting to LinkedIn to autofill my profile and work experience. But the authorization flow on LinkedIn requires a username and password.
The risk of Zero Factor Authentication
I panicked! I didn’t know my password — Apple Keychain had it. So, I scrambled to authenticate to Keychain on my phone and then realized, “dang it! How do I transfer this ridiculous password that’s longer than my screen into this web browser?” I thought about copying and pasting the password somewhere I could see it in a large, easy-to-read font — but then my Apple Passkey is out there in the universe! I then realized I could go get the MacBook I sync my Keychain to, start the flow over from there, then open Keychain on that MacBook and copy and paste from there (note: this is an embellishment — I don’t actually own a set of security-separated MacBooks, but it illustrates a point).
Hmm… I mean, I normally like having options, as long as one of them is good. But in this case, I realized that in pursuit of multi-factor authentication I had ended up with none — I now call it Zero Factor Authentication (ZFA). I guess that’s what is meant by Zero Trust? Anyway, after a couple such occurrences, I reset my LinkedIn password back to something I actually know.
What kind of factor is passwordless?
Now, some of you may be thinking that if I had only used a FIDO Passkey instead, things would have gone smoothly. But, allow me the pun: not so fast. A FIDO Passkey uses a private key that resides on my device. That invites the “practitioner’s refrain”: Is this something I know? Is it something I have? Is it something I am? OK, it’s something I have, so that’s 1-for-3 and arguably stronger than something I know.
So, what kind of factor is passwordless? The way I see it, it’s a flow that provides evidence to the website you’re visiting that you have successfully enabled your device to sign a challenge the site just sent. See? But again, what kind of factor is that? Well, it’s “something special you enable a pre-registered device to do,” which strongly implies to the website that it can consequently continue with the operation at hand … conveniently. So, maybe passwordless defies our decades-long adherence to the 3-pronged approach to identity verification; maybe passwordless is more of a root factor — say, a “0th” factor?
The absence of a priori technology agreements
The quality of passwords that continually escapes our security consciousness is their utility; no other authentication method even comes close to the utility of a password. Passwords can be used anytime, anywhere, by anybody for whatever reason, and across any technology. Passwords don’t require a priori agreement on technology or standards. These qualities must also be part of any passwordless solution if it is to become ubiquitous.
This all reminded me of a Lex Fridman podcast I once heard during which Stephen Wolfram discussed his ideas on entropy and the Second Law of Thermodynamics. In Wolfram’s interpretation, this law predicts that closed systems prefer to settle in a state that appears chaotic from the human perspective, while eschewing states that we find much simpler and more organized.
To apply Wolfram’s definition here, passwords exist because that’s the state the system is most likely to be in, whereas passwordless is a state that requires vast amounts of energy or luck to arrive at and sustain. Why do we still use passwords? It’s elementary, everyone: entropy; or as I call it “The Second Law of AuthN Dynamics.”
For the record, I’m still working out the First Law, so stay tuned! One way you can do that is by attending my next (and first) webinar at KuppingerCole, “Digital Transformation in Financial Services Using Biometrics” on September 19. I’ll be hosting Pascal Tavernier, Identity & Access Management Architect, Executive Director at UBS, to get his insights on how to make strong forms of authentication ubiquitous. In the meantime, feel free to reach out to me with questions or comments.