#TalesFromTheCyberFront: Passwordless and Why It Matters

I recently had a rather enlightening conversation with Merill Fernando. A discussion that started with an intriguing challenge quickly morphed into an insightful deep-dive into passwordless authentication.

The Challenge

A client directed me to some content on Microsoft Docs questioning the purported security benefits of passwordless over passwords paired with two-factor authentication (2FA). The document seemed to convey mixed messaging, as it portrays passwordless as only "more convenient" when compared to password + MFA:

What Triggered The Conversation and This Article

Is it genuinely the case that passwordless offers no security benefits when compared to the traditional duo of passwords and 2FA? That can't be. Can it?

In The Trenches

For The Horde!!!

If there is one trait I acknowledge in myself, it is that I don't just take anything someone may have put out there as the source of truth.

Irrespective of who that may be. We are in the business of challenging and questioning everything, just as we are in the one where you are happy to be proven wrong.

Since article contributions on that series of articles were not turned on, I decided to use LinkedIn and some brevity, reaching out to Merill, whom I hold in high regard and came to know through his invaluable content shared on LinkedIn:

Merill was quick to point out that the messaging was not entirely on point, with its purpose being primarily illustrative.

Yet this query led us to a broader question: what truly differentiates passwordless from the widely adopted passwords + 2FA approach?

Why Does Passwordless Matter?

Let's start by understanding the inherent issues with passwords. A password, no matter how complex, can be phished. One of the most common cyber-attack methods involves tricking users into entering their passwords on counterfeit websites that closely resemble legitimate ones. Such phishing attacks predominantly aim to capture passwords, as they are often reused across platforms.

Enter passwordless. On the surface, it might seem like just another MFA method, sans the password. However, it's fundamentally different.

Passwordless requires users to register their mobile devices, establishing a "hardware dependency."

This registration ties your biometric data, used to unlock the authenticator, to a specific device. In simple terms, even if a cybercriminal manages to snatch your token, it should (picking my words carefully) be rendered useless on a different device.

Merill backed this, noting that when paired with device compliance, such authentication is phishing-resistant and aligns with the NIST AAL 3 maturity standard.

To be clear, Microsoft today uses "passwordless" and "phishing-resistant" interchangeably, even though Microsoft Authenticator Mobile Phone Sign-In (the alternate term for passwordless) is not phishing resistant on its own today.
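The device binding described above, modelled as an added example (my own illustrative code, not Microsoft's and not the Authenticator's push flow): a FIDO2/passkey-style challenge is signed by a key that never leaves the registered phone, over the origin the phone actually saw, and the identity provider additionally checks device compliance before accepting it. HMAC stands in for the asymmetric device key so it runs on the standard library alone; the user, origins, password and device names are constructed.

```python
import hashlib, hmac, secrets
REAL_ORIGIN = "https://login.example.com"    # constructed sample origin
PHISH_ORIGIN = "https://login-example.com"   # constructed look-alike origin

class Device:
    """Registered phone: the key never leaves it; the biometric only gates its use."""
    def __init__(self, device_id):
        self.device_id, self.key = device_id, secrets.token_bytes(32)
    def sign(self, challenge, origin_seen):  # signs over the origin it actually talked to
        return hmac.new(self.key, f"{challenge}|{origin_seen}".encode(), "sha256").hexdigest()

class IdentityProvider:
    def __init__(self):
        self.passwords, self.devices, self.challenges = {}, {}, {}
    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    def password_login(self, user, password):  # nothing here reveals where the password was typed
        salt, digest = self.passwords[user]
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    def register_device(self, user, device, compliant):  # the "hardware dependency" plus compliance state
        self.devices.setdefault(user, {})[device.device_id] = (device.key, compliant)
    def issue_challenge(self, user):
        chal = secrets.token_hex(16)
        self.challenges[chal] = user
        return chal
    def passwordless_login(self, user, device_id, challenge, assertion):
        if self.challenges.pop(challenge, None) != user:            # unknown or already-used challenge
            return False
        key, compliant = self.devices.get(user, {}).get(device_id, (None, False))
        if key is None or not compliant:                            # unregistered or non-compliant device
            return False
        expected = hmac.new(key, f"{challenge}|{REAL_ORIGIN}".encode(), "sha256").hexdigest()
        return hmac.compare_digest(expected, assertion)             # must be bound to OUR origin

def run_scenarios():
    idp, phone, rooted = IdentityProvider(), Device("kay-phone"), Device("kay-rooted-phone")
    idp.set_password("kay", "Winter2023!")               # constructed sample credential
    idp.register_device("kay", phone, compliant=True)
    idp.register_device("kay", rooted, compliant=False)  # jailbroken: fails device compliance
    r = {"password_phished": idp.password_login("kay", "Winter2023!")}  # typed on PHISH_ORIGIN, relayed verbatim
    c1 = idp.issue_challenge("kay")                      # user approved on the look-alike page
    r["assertion_relayed"] = idp.passwordless_login("kay", phone.device_id, c1, phone.sign(c1, PHISH_ORIGIN))
    c2 = idp.issue_challenge("kay")
    good = phone.sign(c2, REAL_ORIGIN)
    r["genuine"] = idp.passwordless_login("kay", phone.device_id, c2, good)
    r["stolen_on_other_device"] = idp.passwordless_login("kay", "attacker-laptop", c2, good)
    c3 = idp.issue_challenge("kay")
    r["rooted_device"] = idp.passwordless_login("kay", rooted.device_id, c3, rooted.sign(c3, REAL_ORIGIN))
    return r
```

Only the genuine sign-in from the registered, compliant phone succeeds; the relayed password is the one credential the identity provider cannot distinguish from a legitimate one.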

But Am I Safer Removing the Password on a Jailbroken Device?

Interestingly this was also part of the challenge posed by the customer.

Is Microsoft Authenticator capable of discerning jailbroken devices? Yes, when GPS-based Named Locations are used.

The Authenticator natively identifies whether a device is jailbroken or rooted when GPS-based Named Locations are used:

But Passwordless (or Phone Sign-in) also natively checks for jailbroken devices:

For anyone still feeling uneasy after the above, a combination of device compliance and Conditional Access is your best friend.

So What Are Some Security Benefits of Passwordless?

Following my own confirmations and reading (not just relying on MS Docs), I went back to the customer with renewed trust in the technology I was recommending (I am always thankful for such questions, by the way):

Security Benefits of Passwordless vs Password + MFA

  1. Any Credential Access tactic (and not just credential stuffing) would be mitigated to a good extent: Credential Access, Tactic TA0031 - Mobile | MITRE ATT&CK
  2. Certain behavioural patterns make token theft easier when a password is used on a routine basis; the most common is that users will enter a password on a phishing page more readily than they will approve a request on their phone.
  3. Most attackers replicate pages that "look like" the legitimate ones but aim at capturing the password first (as it is also commonly reused elsewhere), and would not prompt you by default the way a passwordless sign-in experience would.
  4. Passwordless seems like it's just MFA without the password, but it is not: a more accurate description for it would be "Microsoft Authenticator Phone Sign In". Passwordless gets you to REGISTER your mobile phone with the business and uses it as the "hardware dependency" to tie your biometric data, in an encrypted form (used to unlock the authenticator), to the specific device. Even if an attacker manages to steal your token, they should not be able to use it on a different device because of that bond.
  5. Also, in regard to the MS Authenticator: as long as GPS-based Named Locations are enabled, the Authenticator will deny authentication if the device is jailbroken or rooted. It natively carries that capability, and this is also enforced during Phone Sign-In. Reference: New Microsoft Authenticator security features are now available! - Microsoft Community Hub
  6. When passwordless on its own is PAIRED with device compliance, it becomes a phishing-resistant method that ties to the NIST AAL 3 maturity: Achieve NIST AAL3 by using Microsoft Entra ID | Microsoft Learn
  7. In terms of future-proofing, passwordless is going to be everywhere in the coming years, from consumer apps to websites and passkeys. The latter form part of Microsoft's strategy as well, but unfortunately the public preview is not expected before January 2024, with General Availability taking anything from a few months to a few years, as is the case with similar roadmaps in the Microsoft Identity stream. Thus we would still have to use FIDO2 tokens before being ready to move to a native passkey version to achieve some level of uniformity: What’s new in Microsoft Entra - Microsoft Community Hub

Closing Notes

In a final reflection, Merill aptly noted that in a few years, entering passwords would be considered outdated.

The future belongs to passwordless. Where do you want to be?

As I conclude this piece, a word of gratitude to Merill Fernando for his insights. It's conversations like these that push the envelope and shape the future of cybersecurity.

James Taylor

Cloud Delivery Manager at itQED

1 year

Brilliant article, Kay. Food for thought, especially considering the rise in popularity of token replay.
