Feb 14 2024

How Passwordless Authentication Supports Zero Trust

Passwordless authentication can make a zero-trust environment even more secure. Here’s what state and local governments need to know.

State and local government agencies carry the heavy burden of collecting and managing large amounts of sensitive data to bring essential services to citizens. Naturally, they want to be on the cutting edge of cybersecurity, which is where the zero-trust security model comes in. And now, we’re seeing an innovation that could bolster zero trust’s already formidable defenses: passwordless authentication.

Passwordless authentication is exactly what it sounds like: a means to authenticate users without having them use passwords. Strictly defined, it means using a FIDO2 credential, a passkey, to sign in to a device, website, app, etc., without a password at any point in the process. According to the FIDO Alliance — an industry association created to reduce reliance on passwords and establish passwordless sign-in standards — FIDO2 “is comprised of the W3C Web Authentication specification and corresponding Client-to-Authenticator Protocols (CTAP) from the FIDO Alliance.”

But why completely do away with the password? A FIDO Alliance press release explains that passwords ultimately pose a major security risk: “Managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.”

In 2022, Apple, Google and Microsoft announced support of FIDO’s passwordless sign-in standards. Since then, Google has deemed passkeys “the beginning of the end of the password” and Microsoft debuted passwordless login for websites and apps. And in January, X (formerly known as Twitter) announced the launch of its own passkeys as a login option for US users.

“We know that the password has long been the weakest factor — the easiest to crack, forget and lose,” says J Wolfgang Goerlich, advisory CISO of Duo Security at Cisco.

With major tech leaders and companies advocating for a passwordless environment, state and local governments would benefit from knowing how passwordless security can support zero trust.


What Are Passkeys?

In a passwordless environment, users sign in with a passkey: a cryptographic credential that the user’s device or authenticator uses to prove identity to a website or application in place of a password. The biometric (fingerprint, face recognition) or lock screen PIN that users actually see (think Windows Hello for Business or Apple’s Face ID or Touch ID) is not the passkey itself; it is the local user-verification step that unlocks the passkey stored on the device. Passkeys can live in a platform authenticator such as a phone or laptop, or in a roaming hardware security token.

Passkeys use public key cryptography: registering a passkey generates two different keys, a public key and a corresponding private key. The public key is registered with the server of the website or app, while the private key is stored on the user’s device and never exposed to the server. At sign-in the server sends a fresh random challenge, the device signs it with the private key after the user passes local verification (PIN or biometric), and the server checks the signature with the stored public key. Nothing that could be replayed or used to impersonate the user ever crosses the network, and the biometric never leaves the device.

“What’s important is that we’re not storing the biometric data, so we don’t have privacy concerns,” Goerlich says. “We don’t have to worry about someone stealing a fingerprint and 3D printing it and all the James Bond type of attacks that you hear about.”

How Does Passwordless Authentication Benefit State and Local Governments?

Passkeys are considered more secure than passwords because they only work on the websites and applications where they were registered, and because authentication relies on a signature from a private key held by the user’s device rather than a string of text that can be guessed, stolen or reused across sites.

Of course, better security is a boon for any organization in any sector. But passwordless authentication is particularly useful for state and local governments because it is highly resistant to phishing, which is always a major threat to agencies because of vulnerabilities brought about by restricted budgets and resources. Bad actors know this: In fact, almost half of phishing attacks in 2021 targeted government employees, and in the third quarter of 2023, the public sector experienced a 292 percent increase in the number of phishing attacks quarter over quarter. Passkeys resist phishing because each one is bound to the identity (the domain) of the website or app that created it: the browser will not let a lookalike domain request it, and there is nothing for the user to type, so nothing can be written down or handed to a bad actor.


How Does Passwordless Authentication Fit with Zero Trust?

Passwordless authentication fits naturally into a zero-trust security framework. Zero trust is fundamentally about treating every connection and endpoint as a potential threat, applying the principle of least privilege, and requiring verification at every step of a user’s interaction with the network. Strong multifactor authentication is at the core of that framework, and passkeys are an evolution of MFA and single sign-on. Conventional MFA pairs a password with a second factor such as a one-time code or push approval; a passkey removes the password but still combines two factors: possession of the device that holds the private key, and the PIN or biometric (user verification) that unlocks it. It is still recommended to require that local verification on every sign-in rather than accepting possession of the device alone. If a device is stolen and the thief also knows the PIN or can intercept one-time codes, requiring a biometric for user verification stops the stolen device from being used.

Passkeys can also provide a smoother user experience by streamlining the authentication process.

“When we think about zero trust, we want to regularly assess trust and evaluate everything,” Goerlich says. “If we’re constantly going to users and having them put in codes, PINs and passwords, we’re going to get a lot of resistance. So, I think many roadmaps that are successful for state and local governments pursuing zero trust are introducing passwordless as a way to reduce user friction while driving up assurance around identity.”

Passwordless authentication and zero trust work together. An agency may check a user’s fingerprint or face or have a user enter a PIN, but an agency that employs zero trust will also make sure the user is on the right computer in the right location and is behaving in a way that’s expected.

“This is the future of multifactor: implementing the strongest possible factors and addressing concerns around phishing and other common attacks,” Goerlich says.

How Can State and Local Agencies Implement Passwordless Authentication?

For passwordless authentication to work, an organization’s system of record or application must support it and the FIDO2 standard. While modernizing to obtain that support may seem difficult, Goerlich says he is seeing agencies pursue a portfolio strategy: multifactor authentication across the whole environment, with passkeys wherever the application supports FIDO2. That way each system uses the strongest authentication available to it.

“When we go to municipalities or counties and local agencies, there’s a lot of technology that we’re running that may not necessarily be cutting-edge. So, what is unfortunately happening in the passwordless world right now is a story of haves and have-nots,” Goerlich says. “We need the devices to support passwordless directly through our endpoint devices, our phones or hardware security tokens. There is a front-end component of ensuring that the government workforce has the equipment for biometrics and all of these devices.”

Another component of implementation is communicating the secure nature of passkeys and making it clear that one’s biometric data is never collected by the website or application and never leaves the user’s personal device.

“A lot of the success around technologies such as biometrics and passwordless revolves around your security champion program, awareness program and communications,” Goerlich says. “We’ve been using passwords our entire lives. This is a matter of communication, explaining what’s going on and being very transparent.”
