Passwordless Authentication – An interesting proposition for partners.


Thales teams up with Microsoft to offer FIDO token.

By Guido Gerrits

Passwords are the weakest link in Access Management. Time and time again we see data breaches due to criminals managing to steal login details through phishing. Logging in without passwords is the ultimate solution. Jointly with Microsoft, Thales enables partners to let their customers log in without passwords, and therefore securely.

The Fast Identity Online (FIDO) Alliance began developing technology to enable passwordless logins back in 2013. In recent years, the alliance has released several versions for passwordless authentication, with limited success. But now it truly is a mature product, and now is a great time for resellers to get on board.

The numerous reports of phishing attacks and breaches are also leading to more demand for the solution. For that reason, we at Thales, where we have been providing FIDO for over a year in the form of a USB token & Smartcard, are launching a FIDO token together with Microsoft. The proposition is solely focused on Microsoft partners.

Two-factor authentication

The good thing about FIDO is that on one hand it is a very easy solution, yet on the other hand it is a very secure solution. The convenience lies in the fact that users can enroll the FIDO token themselves. And this passwordless solution is also very simple for end users: they do not have to remember a password and there is no risk of phishing or a data breach involving passwords.

The FIDO token is secured with a PIN. That way, you immediately use Two Factor Authentication (2FA), because you combine the token and a PIN. The strength of such a token is that you can use it for both business and private use cases - something that a reseller can emphasize when talking to its customers: it is a security tool that you can use for your business application, but also for your personal applications.

Many companies try to prevent mixing business and personal use of devices, but usually don’t succeed. This form of security reduces that need, and employees are also more likely to take better care of their token if it also grants access to their personal mailbox etc.

FIDO, like 2FA, must be supported by the apps and environments that users want to log in to, such as social media accounts or mailboxes.

Integrating FIDO into an Access Management Solution

Despite all its advantages, FIDO technology is not yet perfect as it still lacks centralized management within the standard. The FIDO solution is designed from the user's point of view. Whoever manages it links the token to the mailbox, or to other applications. This means that if someone loses a token that is (also) used for business purposes, he or she has to roll out a new token in all applications, e.g. Outlook and Salesforce. So in practice, you have to go to the application manager to have this taken care of: first to revoke the old token and then to roll out a new one. For each individual application. This can lead to an application being forgotten.

Thales overcomes this disadvantage in the FIDO standard by supporting the central management from its own access management solution. This means we can ensure employees do actually use FIDO. Partners thus make FIDO an integrated part of a managed Single Sign On environment for their customers.

This has the advantage that if a user loses their token, it can be blocked immediately, and applications are no longer accessible until a new token is enrolled. The token fits perfectly into the security solutions offered by MSPs and into the Microsoft portfolio of partners.

Access to garage, PC and printer

The FIDO technology is not deployed exclusively with a USB token, otherwise it would be of little use with tablets and smartphones. Thales also supplies FIDO in the form of a credit-card-sized card with an RFID chip in it that communicates with mobile devices. However, even more is possible. You can also use FIDO to provide physical access, for example to garages and access gates. In essence, you can be using the technology all day long, from the access gate to the coffee machine and printer.

Raju Mani

Cybersecurity engineer

1 year

Thanks for sharing this article.

Mercedes Gil

Sr Channel Marketing Manager at Thales Digital Identity & Security

1 year

Great article on #FIDO with Microsoft, Guido Gerrits !
