If you have your ear to the ground, you may be hearing some rumblings about passwordless authentication methods. As the name suggests, passwordless authentication is a form of secure authentication that eliminates the use of passwords.

Passwordless authentication is a new technology and it’s starting to gain attention in the IT world. Most organizations aren’t in a position to even think about transitioning to passwordless — but should you be?

More importantly, what are the compliance implications of adopting passwordless authentication in your organization?

What Is Passwordless Authentication?

Back in the day, all you needed was a username and password to gain access to a secure site or application. But that meant that anyone could be authenticated if they got ahold of someone’s username and password — and too often, a password was guessed or exposed.

So two-factor authentication (2FA) was introduced. In addition to your username and password, you also need another key or a code that continually changes, like an old-school RSA key fob. If you have access to the code as well as the right credentials, you’re authenticated.

Multi-factor authentication (MFA) takes 2FA to the next level by requiring two of three distinct factor categories. MFA draws on something you know, something you have, and something you are. For example:

  • Know = username and password
  • Have = one-time code that’s sent to your phone or other device
  • Are = biometrics (retinal scan, facial recognition, fingerprint, etc.)

Both 2FA and MFA layer additional authentication requirements on top of a password.

Passwordless authentication, on the other hand, eliminates the password altogether — even as a backup. A truly passwordless solution authenticates users using technologies like authenticator apps or security keys. Essentially, it’s MFA without the “Know” factor.

Even though you have one fewer factor, going passwordless is often considered more secure, because attackers can no longer take advantage of the weakest factor: a password that can be guessed, phished, or leaked.

Passwordless Authentication with Compliance Standards

While passwordless authentication may continue to grow in popularity, it will take a while for the governing bodies that administer certifications to catch up. So even if you want to adopt passwordless authentication, it may be disallowed by the compliance standards you’re going up against.

For example, passwords are presently required by PCI DSS 3.2.1: you must have passwords, password change requirements, and other password controls. So it will be some time before we see passwordless authentication accepted across all compliance standards.

For organizations that go up against multiple certifications, whether you can move to passwordless authentication will depend on the mix of standards you’re currently subject to — as well as the standards you could go up against in the future.


What if You Still Want to Go Passwordless?

Before you make any moves, do an upfront analysis and research the compliance requirements thoroughly. The last thing you want is to roll out a new authentication approach, only to discover after all of your investments and organizational changes that you’ll struggle to become compliant.

Involve your Assessor early and often. They will make the call on whether your approach will meet requirements or not. If you’re going to make any kind of move on anything that could have implications for your compliance, do a pulse check with your Assessor before you commit to a path forward.

Keep in mind that your Assessor may approve a risk-based approach, depending on the nature of the requirements you want to meet by alternative means. You don’t want to spend time, money, and effort on a major initiative that your Assessor won’t sign off on.

Also lean on your Consultant’s expertise. They’re a great resource for analysis and wisdom — especially since they have an outsider’s perspective that your personnel don’t have. Your Consultant can draw on a breadth of experience to provide solutions and recommendations that you would never think of on your own. And they can guide you around pitfalls you’d never see coming, including playing coordinator with your Assessor for validation measures.

What if You’re Already Using Passwordless Authentication?

Some companies go passwordless then later decide to become compliant under a certification that disallows passwordless authentication. If that’s you, are you S.O.L.? It comes down to the way you approach passwordless authentication. There are some ways to roll out passwordless authentication and maintain compliance.

Password backups

One option is to use passwords as a backup — for example, as a recovery method. Or you can use passwords to set up accounts and then never use them again for sign-on. While these aren’t true passwordless solutions, they allow you to give a day-by-day passwordless experience to your users while maintaining passwords for compliance purposes.

At some point, assuming compliance standards eventually allow passwordless authentication, you can then remove the passwords as backups and use a truly passwordless approach to your authentication.
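To make the “password as a backup” arrangement concrete, here is an added illustration in Python that is not code from TCT or from any product the post mentions. It models the factor categories the post lists (know / have / are), tests whether a set of presented factors counts as MFA or as passwordless MFA, and enforces a sign-on policy in which the password is refused for day-to-day sign-on but accepted on the recovery path, alongside a second factor and only while it is within an assumed rotation interval. The factor type names, the `Attempt` record, the 90-day `MAX_PASSWORD_AGE`, and the sample dates are all assumptions made for the example, not values from the post or from PCI DSS.

```python
"""Policy model for passwordless sign-on with a password retained as a backup.

Added illustration; the taxonomy, names and intervals are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Assumed taxonomy: each factor type maps to one of the post's categories.
# The type names are illustrative, not taken from any standard.
FACTOR_CATEGORY = {
    "password": "know",
    "otp_code": "have",         # one-time code sent to a device
    "security_key": "have",     # hardware security key
    "authenticator_app": "have",
    "fingerprint": "are",
    "face": "are",
}

# Assumed rotation interval for the retained backup password. Compliance
# standards set their own figure; this value is only an illustration.
MAX_PASSWORD_AGE = timedelta(days=90)

# Constructed sample dates used by the demo below.
SAMPLE_TODAY = date(2024, 6, 1)
FRESH_ROTATION = date(2024, 5, 1)   # within MAX_PASSWORD_AGE of SAMPLE_TODAY
STALE_ROTATION = date(2023, 1, 1)   # well past MAX_PASSWORD_AGE


@dataclass(frozen=True)
class Attempt:
    purpose: str                         # "signon" (daily use) or "recovery"
    factors: Tuple[str, ...]             # factor types presented
    password_changed: Optional[date] = None  # last rotation of the backup password


def categories(factors):
    """Return the set of factor categories present among the given factor types."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unknown factor type(s): {unknown}")
    return {FACTOR_CATEGORY[f] for f in factors}


def is_mfa(factors):
    """MFA as the post defines it: factors from at least two distinct categories.
    Two 'have' factors (an OTP plus a security key) do not qualify."""
    return len(categories(factors)) >= 2


def is_passwordless(factors):
    """Passwordless as the post defines it: MFA with the 'know' factor removed."""
    return is_mfa(factors) and "know" not in categories(factors)


def evaluate(attempt, today=None):
    """Decide an attempt under the 'password as backup only' policy.

    Day-to-day sign-on must be passwordless MFA. A password is accepted only
    on the recovery path, together with a second factor, and only if it was
    rotated within MAX_PASSWORD_AGE, so the retained password still satisfies
    a change requirement even though nobody signs on with it.
    """
    today = today or date.today()
    cats = categories(attempt.factors)

    if attempt.purpose == "signon":
        if "know" in cats:
            return "deny: password is not accepted for sign-on"
        if not is_mfa(attempt.factors):
            return "deny: sign-on needs two distinct factor categories"
        return "allow"

    if attempt.purpose == "recovery":
        if "know" not in cats:
            return "deny: recovery requires the backup password"
        if len(cats) < 2:
            return "deny: recovery also requires a second factor"
        if attempt.password_changed is None or today - attempt.password_changed > MAX_PASSWORD_AGE:
            return "deny: backup password is past its rotation deadline"
        return "allow"

    return f"deny: unknown purpose {attempt.purpose!r}"


if __name__ == "__main__":
    # Constructed attempts for illustration.
    for a in (
        Attempt("signon", ("security_key", "fingerprint")),
        Attempt("signon", ("password", "otp_code")),
        Attempt("recovery", ("password", "otp_code"), FRESH_ROTATION),
        Attempt("recovery", ("password", "otp_code"), STALE_ROTATION),
    ):
        print(a.purpose, a.factors, "->", evaluate(a, SAMPLE_TODAY))
```

The point of the model is the asymmetry: the password exists, is rotated, and is auditable, but the only path that ever consumes it is recovery. That is what lets the user experience be passwordless day to day while a password control still exists for the assessor to examine.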

Store passwords off-network

Often you’ll have devices that allow local authentication to the device itself, in addition to integration with Active Directory or single sign-on.

You could set up local, direct authentication to a switch, where you have to log in to the switch itself. That’s where those credentials are stored; they aren’t integrated into Active Directory, SSO, or any other multi-factor authentication.

Practically speaking, you’re using a passwordless solution for mainline authentication, but you’re also satisfying the password requirements of PCI DSS and other standards.

Limit the compliance scope

In some cases, you could have an environment within your organization that is specifically subject to compliance — but the rest of your organization could be outside of scope. For example, perhaps you have a web application accepting cards. Depending how you’re set up, you can limit your PCI certification to that environment alone.

This segmentation allows you to adopt passwordless authentication throughout the rest of the company while isolating the in-scope environment.

So Where Does That Leave You on Passwordless Authentication?

Passwordless authentication may be gaining popularity, but it’s still a no-go for many compliance standards today. Before you make any decisions about going passwordless, do your research and lean on your Assessor’s and Consultant’s expertise.

If you’re already using passwordless, you may have some options, but be prepared to make some tough decisions about navigating your compliance waters.

At some point, passwordless authentication will likely be an option for security standards. Until then, make sure you stay informed about best practices. TCT can help you navigate the waters of compliance with confidence.

