Last Updated: 22 November 2021
Document Id: tch-research-how-to-kill-the-password
Author: simonm@thecyberhut.com
Part of Research Product: How to Kill The Password – Buyer’s Guide to Passwordless Authentication

Authentication Credential Lifecycle

Passwordless technology, whatever the specific mechanism, ultimately comes down to an issued credential that is tied to a specific identity, scoped to a purpose and sometimes time-limited. Treating that credential as having a lifecycle lets each capability be mapped to a lifecycle stage, allowing for more focused analysis.

Many credential lifecycles exist and have been documented by the likes of NIST (National Institute of Standards and Technology) and ICANN (Internet Corporation for the Assigned Names & Numbers).

A basic six-step process (enrol, use, add, migrate, reset, remove) can be followed; it maps into both the employee and consumer identity lifecycles, which operate at a slightly higher level.


Capability Analysis

Enrol

Enrollment is focused upon the initial registration, onboarding and issuing of a credential that can be later used for subsequent authentication attempts.

Capability: App-less
Description: The ability for the enrollment and registration processes to take place without the need to download an application.
Questions to ask the vendor:
- Does enrollment require the download of an application?
- Can enrollment be performed without the download of an application?
- Can enrollment be performed natively using the mobile phone browser?
- Can the process be triggered by scanning a QR code?

Capability: App Support
Description: If an application is needed, how can it be customised and made available to the end user?
Questions to ask the vendor:
- Is the app pre-built and supplied by the vendor?
- Can the app be customised for a localised look and feel, including branding and colouration?
- What operating systems are supported, with Android and iOS as a minimum requirement?
- If more specialised platforms are needed, can they be supported?
- What is the cost for more specialist platforms?

Capability: Credential Storage
Description: Enrollment typically results in the creation of credentials, often in the form of cryptographic keys.
Questions to ask the vendor:
- What credentials are issued to the end user?
- Are asymmetric or symmetric keys issued?
- What algorithms and key lengths are used?
- Can they be altered?
- Where are the credentials stored?
- If stored on the device, are they stored within a TPM/TEE/Secure Element?
- If stored away from the device, are they stored in a centralised vault or a distributed blockchain?

Capability: Biometrics
Description: The enrollment process may leverage biometric capture, most likely fingerprint or facial recognition.
Questions to ask the vendor:
- What biometric technology is supported?
- Is the biometric based on the mobile operating system (Touch ID/Face ID or similar) or proprietary?
- If proprietary, is it patented?
- Are liveness checks performed during the biometric check to prevent spoofing?
- Where is the biometric template stored that future logins are compared to?
- If the template is stored on the device, is it stored in a tamper-proof manner, e.g. in a TPM/TEE/Secure Element?
- If the template is stored off-device, is it stored centrally or distributed?

Capability: Proofing
Description: Biometric enrollment may also involve verifying and validating data in order to improve identity assurance.
Questions to ask the vendor:
- Is biometric data proofed?
- What authoritative sources are supported?
- Are driving licences and passports accepted as part of the proofing process?
- Is the proofing process via a partner or native to the vendor?
- Proofing processes are typically geographically specific: what countries are supported for proofing?
- If not supported out of the box, can existing providers be integrated?

Capability: Migrations
Description: Existing MFA or credentialing systems may already be in place; can they be migrated into the new solution?
Questions to ask the vendor:
- Are migrations from existing MFA providers supported?
- If so, which vendors and capabilities are supported?
- What software or capabilities need to be integrated to allow migration to take place?
- Are customised migrations available?
- Are they performed by the vendor or a partner?

Use

Use of the authentication mechanism will occur at numerous application touch points, across different devices and for subtly different outcomes: from initial login, through step-up and continual security, to post-session re-validation use cases.

Capability: Zero Trust Support
Description: Zero Trust (ZT) architectures promote the de-perimeterisation of network design, with an emphasis on person authentication, device authentication and segmentation of access.
Questions to ask the vendor:
- Does the solution support ZT principles?
- What integration points are available to integrate network, device, identity and third-party security services?
- What device assurance checks are made during authentication events? e.g. jailbreak or rooting detection, application assurance, OS/browser versioning
- What non-identity context checks are made during authentication? e.g. impossible travel, geo-fencing

Capability: Continuous Security Support / Authorization Support
Description: Continual security sees the re-use of authentication services at different points in the user interaction, as the user moves between services with changing levels of risk and trust assessment.
Questions to ask the vendor:
- Can the authentication verification service be accessed by access control and authorization services?
- How is that access made available? e.g. client SDK, API, connectors
- Can the authentication verification service receive notifications and data from third parties regarding levels of trust or risk?
- How is that access made available? e.g. client SDK, API, connectors

Capability: IDP & SSO Support
Description: Many workplace enablement scenarios will leverage a central single sign-on identity provider for broad integration of session management and authorization use cases.
Questions to ask the vendor:
- Does the authentication service provide integration to third-party IDPs?
- Which IDPs are supported out of the box? e.g. Okta, Ping Identity, ForgeRock, Auth0
- Does the authentication service provide an API for generic connections by IDPs?

Capability: Data Sharing / PII Sharing
Description: In the employee space, data sharing can trigger additional user verifications by an associated authentication mechanism. In the CIAM space, the sharing of PII and transaction data can also require user intervention.
Questions to ask the vendor:
- Can the authentication service provider be integrated into data sharing services?
- Can push notifications, if used, be customised to contain generic sharing request data?
- Are requests for data logged, stored and available for audit?
- Can the authentication credential be used to approve access to PII data or to respond to a sharing request?

Capability: Enterprise Application Coverage
Description: The adoption of passwordless authentication must not be limited to specific applications; a long-term, broad adoption strategy is recommended for both on-premises and cloud applications.
Questions to ask the vendor:
- What workplace enterprise applications are supported out of the box? e.g. Jamf, VMware, Azure AD, SSH, Office 365, Webex, Salesforce, Workday, Zendesk

Capability: Operating System Coverage
Description: The adoption of passwordless authentication must not be limited to specific operating systems, whether mobile, desktop or server.
Questions to ask the vendor:
- What mobile operating systems are supported? e.g. Android, iOS
- Which Windows operating systems are supported?
- Which Unix/Linux operating systems are supported?

Capability: Privileged Access Management Support
Description: PAM users are often one of the first user groups to adopt MFA and higher-security technology. The passwordless service provider must provide a range of options.
Questions to ask the vendor:
- Does the authentication provider support PAM solutions?
- Which PAM providers are integrated out of the box? e.g. BeyondTrust, CyberArk, Centrify, Thycotic

Capability: Remote Access / VPN Support
Description: VPNs and remote access capabilities are still a huge part of the distributed workplace enablement solution set. Demand for adding MFA to VPN services has increased since 2019 due to increased home working.
Questions to ask the vendor:
- Can the authentication provider integrate with VPN services?
- Which VPNs are integrated out of the box? e.g. Zscaler, Palo Alto, F5, NordVPN, Fortinet

Capability: Support Offline Workstation Access
Description: If passwordless authentication has been tied to a workstation, can the solution operate if the workstation is offline, that is, not attached to the network?
Questions to ask the vendor:
- Can the passwordless solution be used when the workstation triggering the authentication event is offline?
- What communications mechanism is needed between the workstation and the mobile authenticator? e.g. Bluetooth

Capability: Physical Access Support
Description: Physical access control scenarios often leverage smart cards and a secondary factor such as PIN entry. A combined passwordless-phone-biometric model could replace those flows.
Questions to ask the vendor:
- Does the solution support integration with physical access control systems? e.g. entrance doors, locks, turnstiles
- What method of integration is available? e.g. SDK, API
- What out-of-the-box partnerships or integrations exist?

Capability: Transaction Signing / Code Signing
Description: The use of MFA for financial services transaction processing is being extended into event confirmation too, in the form of transaction signing. From an enterprise perspective, the need to digitally sign code commits and DevOps-related processes for secure supply chain functions can also trigger an authentication event.
Questions to ask the vendor:
- Does the authentication service provide support for consumer-facing transaction signing?
- Does the authentication service provide support for enterprise code signing and DevOps security? e.g. git commit signing

Add

Many end-user scenarios require the use of multiple devices in differing combinations: for example, adding a mobile from a previously registered workstation, or adding a secondary mobile from the first registered one. Can this be done independently of a call centre, help desk or re-enrollment ceremony? The addition of a new device implies that new credentials are being minted.

Capability: Addition of Secondary Mobile (using original mobile)
Description: The ability to add a secondary mobile authenticator by using a previously registered mobile device.
Questions to ask the vendor:
- Can the originally registered mobile device be used as part of an authentication ceremony to add a second mobile?
- What does the process involve? e.g. a QR code on the second device scanned by the first; a push notification to the first triggered by the second
- Are new credentials minted on the second device?

Capability: Addition of Secondary Mobile (by using a different device)
Description: The ability to add a secondary mobile authenticator by using a separate out-of-band device or method.
Questions to ask the vendor:
- Can a second mobile device be bound to the user by a separate out-of-band method?
- What does the process involve? e.g. a notification to a desktop client; an email to a pre-registered address after a trigger from the mobile device

Capability: Addition of Desktop Authenticator
Description: The ability to add a workstation as a trusted authenticator by using the originally registered mobile device.
Questions to ask the vendor:
- Can a second workstation device be bound to the user by a separate out-of-band method?
- What does the process involve? e.g. scanning of a QR code on a registered mobile device

Migrate

The use of mobile phones as a credential store opens up the migration use case: a new device is purchased before the old one has expired, allowing for a potentially seamless transition. The migration process should consider whether new credentials are minted and, if so, whether that allows seamless integration or requires additional steps against the authentication verifier and existing integrations.

Capability: Migration From One Mobile To Another
Description: Leverage the existing pre-enrolled mobile device as part of the ceremony to migrate to a second device.
Questions to ask the vendor:
- Can the migration to a new device be performed without help desk / call centre involvement?
- Can the existing mobile authenticator be used to migrate to a new device?
- Does the new device receive the existing credentials, or are new ones generated?
- If new ones are generated, are any secondary steps needed on first use of the new device?

Reset

The use of a mobile authenticator brings three common use cases: loss of a device, damage to a device and theft of a device. Whilst many options exist to report and respond to inoperable devices, a modern platform should aim to give the end user the autonomy to handle these use cases independently of administrative assistance.

Capability: Reset a Device Via Help Desk
Description: A basic requirement to reset a lost, stolen or inoperable device via administrative support prior to its natural expiration.
Questions to ask the vendor:
- Can a previously issued credential on a mobile device be prevented from use in future login events?
- Can this process be triggered by the owner contacting the help desk?
- What authentication steps are applied to the caller to prevent a malicious adversary from triggering a denial of service?

Capability: Reset a Device Autonomously
Description: The ability to reset a lost, stolen or inoperable device via a process performed solely by the device owner.
Questions to ask the vendor:
- Can a previously issued credential on a mobile device be prevented from use in future login events?
- Can this process be triggered by the owner themselves?
- What does this process involve? e.g. access to an end user console
- How does the user authenticate to the end user console to perform a reset?

Remove

The final part of the lifecycle is the removal and destruction of issued credentials from a mobile authenticator. This could be the result of a successful migration or the expiration of a timed credential.

Capability: Remove Issued Credential From Device
Description: Can a previously issued credential be removed from a device, either before it naturally expires or afterwards?
Questions to ask the vendor:
- Can a credential be removed from a device once issued?
- Can the credential be removed by the end user without uninstalling an application or making a global change?
- Can the credential be removed without having to contact a help desk or call centre?
- Can the credential be removed without the need for a centralised end user dashboard?

Non-Functional

Several other non-functional capabilities should also be considered when analysing passwordless authentication suppliers. These include how the technology is deployed, any API or SDK integration options, and support for standards.

Capability: API
Description: A REST/JSON based API should ideally be available for both user instantiation and administrative configuration.
Questions to ask the vendor:
- Is an API available for service use? e.g. enrol, authenticate, authentication response, reset, status
- Is an API available for administrative and configuration items? e.g. create, read, update and delete users, credentials and mappings; changes to roles and policies; reading status/analytics
- Is the API available with REST/JSON support?
- Does a documentation portal exist?
- Can the API be tested in a sandbox?
- Are the APIs versioned?
- What credentials are needed to call the APIs? e.g. OAuth2, tokens
- Are API samples/snippets available for developers?
- Can developers self-enrol to use the API?

Capability: SDK
Description: Software Development Kits (SDKs) can accelerate feature adoption by the relying systems.
Questions to ask the vendor:
- Are SDKs available? For what languages/platforms? e.g. iOS, macOS, Android, Windows, JavaScript variants
- Are SDKs versioned?
- How often are they updated?
- Is there a developer portal for SDK documentation and testing?
- Are sample applications based on the SDKs available?

Capability: Administrative Console
Description: An administrative console should be available to manage users, enrolment processes, third-party integrations and so on.
Questions to ask the vendor:
- Does the administrative console require installation? e.g. an on-premises server
- If available via a cloud offering, can it be themed and branded?
- What authentication and access control requirements can be applied to administrators?
- Can administrators be invited/placed into organisational groups?
- What level of delegated administration is available to administrators and sub-administrators?

Capability: End User Console
Description: An end user console can assist in the management of issued credentials, the association of new devices or the reset of previously issued credentials.
Questions to ask the vendor:
- Does an end user console exist?
- Does it require installation? e.g. an on-premises server
- If available via a cloud offering, can it be themed and branded?
- Can end users be invited to use the console?
- What languages and locales are supported in the end user console?

Capability: Logging & Analytics
Description: Debug and audit logs should be made available for retrospective analysis of erroneous activity and for general monitoring. Analytics can assist in measuring device types, localised usage differences, and meters and timings of activity.
Questions to ask the vendor:
- What logging mechanisms are in place? e.g. centralised, localised
- Can logs be integrated with third-party systems? e.g. Splunk, Elasticsearch, Logstash, syslog, CSV
- What activity information is collected? e.g. time, date, user, event, device, location
- Is activity information privacy preserving?
- What controls exist for tamper-proofing activity information?
- What debug information is collected?
- Are analytics available for meters, timers and device analysis?
- Can analytics and reporting information be integrated with third parties? e.g. Prometheus

Capability: Standards Support
Description: Integration of authentication technology with third-party identity providers, authorization systems and native applications can be accelerated and expanded via the use of standards.
Questions to ask the vendor:
- Does the vendor support the use of OIDC as a provider?
- Does the vendor support the use of SAML as a provider?
- Is the vendor platform FIDO certified?
- Is the vendor able to support compliance against PSD2 SCA?
- Does the vendor operate to identity assurance standards such as NIST 800-63A?
- Does the vendor operate to authentication assurance standards such as NIST 800-63B?
- Does the vendor support the use of decentralised identifiers? e.g. W3C DID
- Does the vendor use standardised cryptographic algorithms? e.g. AES-256, RSA with a minimum 2048-bit modulus, ECDH, ECDSA
- Does the vendor support the likes of SCIM for rapid user onboarding?
- What other standards are supported?

Capability: Deployment
Description: What deployment model does the vendor support? Many authentication solutions provide cloud support to remove the operational burden, yet some regulated industries require an on-premises set of components.
Questions to ask the vendor:
- Does the vendor support a cloud SaaS deployment model?
- If so, what regions are available?
- What SLA is provided? e.g. 99.95% availability
- Is a single-tenant or multi-tenant model supported?
- If multi-tenant, can client data be isolated and sandboxed?
- What on-premises components need to be installed? e.g. LDAP or RAS connectors and gateways
- Can the solution be installed on-premises / in a private cloud?
- If a non-SaaS delivery model is supported, can it be integrated into a containerised managed environment? e.g. Kubernetes, Docker

Capability: App-less
Description: Not all projects wish to install applications on mobile devices. What options are available for rapid service use without installations?
Questions to ask the vendor:
- Does the vendor provide a way to enrol and use the authentication service without the need to install an application?
- How is this done? e.g. REST API, browser redirection
- If leveraging a native mobile browser, can this process be instantiated by a QR code?

Capability: Apps
Description: Apps remain the most popular method of service use. Understand the supported platforms and release options.
Questions to ask the vendor:
- What app platforms are supported? e.g. iOS, Android, Microsoft
- Are the apps available from the standard operating system stores?
- If available publicly, what download metrics are available?
- Can the apps be made available for private stores / enterprise download?
- Can the apps be customised? e.g. branding, colouration, theming
- What is the release cadence?
- How quickly are critical security patches applied?

Capability: Pricing
Description: An analysis of pricing options should be performed as part of the initial due diligence, before contract negotiations are started.
Questions to ask the vendor:
- What unit is measured for pricing? e.g. per user, device or authentication event
- Is the unit price reflective of functionality?
- What unit discounts are available? e.g. tiered pricing, bulk purchases up front
- Is subscription pricing available? e.g. per month or per year
- Is the price reflective of the service support level? e.g. gold, silver, bronze
- Is pricing reflective of user type? e.g. consumer vs. workforce, with consumer being cheaper
