Understanding passwordless technologies
This is a talk that I gave at the St Louis IAM meetup in November 2021.

  1. Is passwordless really a thing, or just another fad?
     David Strom, STL IAM November 2021 Meetup, david@strom.com, @dstrom
  2. Agenda
     • Should you try passwordless?
     • Some of its potential benefits
     • What is the difference from Zero Trust?
     • The rise of biometrics and device hardware fingerprinting
     • Review of various vendor solutions
  3. Too many SaaS apps
  4. You are tired of replacing hardware keys
     • RSA SecurID
     • Yubico
     • Trusona
  5. And tired of supporting phone authentication apps
  6. Fixing password spraying attacks
  7. Other potential benefits
     • User simplicity and convenience (maybe)
     • A better way to do MFA
     • Can help avoid most phishing, credential stuffing and keylogging attacks
     • Toss out your existing inscrutable corporate password policy
  8. NIST current password recommendations
     • Length (much more than 8 characters)
     • No complexity requirements (decreases reuse)
     • No periodic reset requirements
     • Show the password as it is typed, to reduce typos
     • Cut and paste encouraged
     • No hints or knowledge-based Q&A
     • Limit failed attempts
     • Hash and secure the overall password database
  9. How does this differ from Zero Trust?
     • Passwordless is just one component; ZT needs an entire infrastructure redo
     • ZT: everything is "outside" and assumed untrustworthy initially, often called Software Defined Perimeter or protected surface
     • Passwordless: focused only on the auth login experience
  10. The rise of biometrics
  11. Device fingerprinting
  12. Potential passwordless solutions
  13. Tidas project (c. 2016)
  14. Iovation TruValidate
     • Confirms user ID with TransUnion's global databases
     • Uses risk-based adaptive and step-up authentication
     • Real-time fraud analytics (like what they do for credit card purchases)
     • Recognizes hardware device fingerprints, originally built by ClearKey
     • BUT: uses an OTP SMS app as part of their authentication family
  15. FIDO v2
     • Great idea whose time has (hopefully) come
     • Now supported well by Google, Microsoft, Apple and others
     • Google Titan and Yubico keys support it in various form factors
     • Challenge: integrating with desktop WebAuthn, mobile web browsers, mobile native apps, and Windows and macOS authentication
  16. loginwithfido.com
  17. SecretDoubleOctopus, Auth0, HYPR, Duo
     • Support FIDO2, Okta and ForgeRock MFA (HYPR also: Ping)
     • Windows and Mac support (SecretDoubleOctopus also: Linux)
     • On-prem with hybrid cloud Active Directory
     • Smartphone auth app that sends a push notification and asks for a fingerprint or faceprint
     • Uses the phone hardware as another auth factor
  18. Trusona now does device fingerprints
  19. The key takeaway
     • Not just a new auth factor, but the combination of:
       • OTP
       • Push notification
       • Using the phone hardware as another factor
       • A simple acknowledgement from the user, not typing in an OTP numeric code
     • Is this passwordless? Not really. But less of a password and more authentication!
     • In other words, it is a dessert topping AND a floor wax!
  20. Everyone is selling MFA these days
  21. https://duo.com/assets/ebooks/Duo-Security-Two-Factor-Evaluation-Guide.pdf
  22. Questions
     • How many apps do you need access to anyway?
     • What will you do for those users who don't have a smartphone?
     • How deep are you into deploying your SSO?
     • Have you done anything yet with FIDO v2?
     • Are you using Okta, RSA, or OneLogin for IAM?
     • If fewer than 100 users, consider Auth0
     • If multi-cloud auth is needed, get a CASB; don't try to do it with IAM
  23. Thanks for your attention
     • Questions?
     • Email me: david@strom.com
     • Slides available: slideshare.net/davidstrom
     • Twitter: @dstrom
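To make slides 7 and 8 concrete, here is an added example (not from the talk) contrasting the kind of complexity-rule policy slide 7 wants to retire with a policy built on the NIST points in slide 8: length only, no composition rules, a failed-attempt limit, and a salted, memory-hard hash for the stored credential. The 12-character minimum, the lockout threshold and the scrypt parameters are assumptions chosen for the example; the slide only says "much more than 8".

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Assumptions for this example: the slide gives no exact numbers.
NIST_MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5


def legacy_policy_ok(pw: str) -> bool:
    """The 'inscrutable' corporate rule set: 8-16 chars, must mix
    upper, lower, digit and symbol. Note it rejects long passphrases."""
    return bool(
        8 <= len(pw) <= 16
        and re.search(r"[A-Z]", pw)
        and re.search(r"[a-z]", pw)
        and re.search(r"\d", pw)
        and re.search(r"[^\w]", pw)
    )


def nist_policy_ok(pw: str) -> bool:
    """Slide 8: length is the only requirement; no complexity, no expiry."""
    return len(pw) >= NIST_MIN_LENGTH


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0


def hash_password(pw: str, salt: bytes) -> bytes:
    # scrypt (stdlib, memory-hard) with a per-user random salt; "hash and
    # secure the password database". Work factors are illustrative.
    return hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def enroll(pw: str) -> Account:
    if not nist_policy_ok(pw):
        raise ValueError("password shorter than NIST_MIN_LENGTH")
    salt = os.urandom(16)
    return Account(salt, hash_password(pw, salt))


def login(acct: Account, attempt: str) -> bool:
    """Constant-time compare; refuse once the failed-attempt limit is hit."""
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        return False  # locked: this is what blunts password spraying (slide 6)
    if hmac.compare_digest(acct.pw_hash, hash_password(attempt, acct.salt)):
        acct.failed_attempts = 0
        return True
    acct.failed_attempts += 1
    return False
```

The legacy checker accepts `P@ssw0rd!` and rejects a 28-character passphrase; the NIST-style checker does the reverse, which is the point of slide 8's "no complexity requirements".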