How Passwordless Authentication Supports Zero Trust

What Are Passkeys?

In a passwordless environment, users gain access to a network by using a passkey, which is something other than a password that your device or authenticator exchanges with a website or application to authenticate a user. Types of passkeys include biometrics (fingerprints, face recognition) and lock screen PIN numbers (think Windows Hello for Business or Apple’s Face ID or Touch ID). Hardware security tokens are another form of passkey.

Passkeys use public key cryptography, which involves generating two different keys — a public key and a corresponding private key — that are used for authentication. The public key is registered with the server of the website or app, while the private key (a passkey such as biometric data) is stored on a device and never exposed to the server. The public and private keys communicate, but secret or potentially compromising information is never transmitted between the two.

“What’s important is that we’re not storing the biometric data, so we don’t have privacy concerns,” Goerlich says. “We don’t have to worry about someone stealing a fingerprint and 3D printing it and all the James Bond type of attacks that you hear about.”

How Does Passwordless Authentication Benefit State and Local Governments?

Passkeys are considered more secure than passwords because they only work on their registered websites and applications, and they use a user’s unique characteristics to authenticate instead of a simple string of text that can be guessed or stolen.

Of course, better security is a boon for any organization in any sector. But passwordless authentication is particularly useful for state and local governments because it’s considered highly resistant to phishing, which is always a major threat to agencies because of vulnerabilities brought about by restricted budgets and resources. Bad actors know this: In fact, almost half of phishing attacks in 2021 targeted government employees, and in the third quarter of 2023, the public sector experienced a 292 percent increase in the number of phishing attacks quarter over quarter. Passkeys are so resistant to phishing attacks because passkeys are bound to a website or app’s identity, which means they can only be used with the website or app that created them. In other words, they can’t be written down or given to a bad actor.

How Does Passwordless Authentication Fit with Zero Trust?

Passwordless authentication fits seamlessly into a zero-trust security framework. Zero trust is fundamentally about assuming that every connection and endpoint is a potential threat, employing the principle of least privilege, and requiring verification at every step of a user’s interaction with the network. Strong, multifactor authentication is at the core of the zero-trust framework, and passwordless authentication is a sort of evolution of MFA and single sign-on. Multifactor authentication uses a password and a passwordless technique to authenticate; passkeys eliminate the password from that equation to provide even better security. Even with passwordless authentication, it’s recommended to use multiple factors to authenticate — just not a password. In the case that a device is stolen and the thief has access to PINs or one-time passwords, a second form of passwordless authentication such as a biometric prevents unauthorized use.

Passkeys can also provide a smoother user experience by streamlining the authentication process.

“When we think about zero trust, we want to regularly assess trust and evaluate everything,” Goerlich says. “If we’re constantly going to users and having them put in codes, PINs and passwords, we’re going to get a lot of resistance. So, I think many roadmaps that are successful for state and local governments pursuing zero trust are introducing passwordless as a way to reduce user friction while driving up assurance around identity.”

Passwordless authentication and zero trust work together. An agency may check a user’s fingerprint or face or have a user enter a PIN, but an agency that employs zero trust will also make sure the user is on the right computer in the right location and is behaving in a way that’s expected.

“This is the future of multifactor: implementing the strongest possible factors and addressing concerns around phishing and other common attacks,” Goerlich says.

How Can State and Local Agencies Implement Passwordless Authentication?

For passwordless authentication to work, an organization’s system of record or application must support it and the FIDO2 standard. While modernizing to obtain that support may seem difficult, Goerlich says that he’s seeing agencies pursue a portfolio strategy with multifactor authentication across the environment. Agencies have the strongest possible authentication with this strategy.

“When we go to municipalities or counties and local agencies, there’s a lot of technology that we’re running that may not necessarily be cutting-edge. So, what is unfortunately happening in the passwordless world right now is a story of haves and have-nots,” Goerlich says. “We need the devices to support passwordless directly through our endpoint devices, our phones or hardware security tokens. There is a front-end component of ensuring that the government workforce has the equipment for biometrics and all of these devices.”

Another component of implementation is communicating the secure nature of passkeys and making it clear that one’s biometric data is never collected by the website or application and never leaves the user’s personal device.

“A lot of the success around technologies such as biometrics and passwordless revolves around your security champion program, awareness program and communications,” Goerlich says. “We’ve been using passwords our entire lives. This is a matter of communication, explaining what’s going on and being very transparent.”