Q&A

Yubico Shares Expertise on How To Get to Passwordless

With FIDO2, will government agencies give up their PIV cards?
Hanson: I don't know that giving up the PIV card is necessarily the right angle. Many government agencies have years invested in their certificate-based infrastructures, which do secure their applications. But they need a more usable solution because those certs, smart cards and badges don't work on mobile phones -- there are just all sorts of challenges. And so, for the foreseeable future, large organizations, like U.S. federal departments, likely will see a blending of the certificates and the PIV cards with the adoption of new FIDO-based authentication.

It'll likely be a blending of two technologies, certificates and passwordless, to defend the enterprise.

Derek Hanson, vice president of standards and alliances at Yubico

The PIV cards for the government use cases do so much more than just sign the user into the computer. They're actually the identification documents that show whether or not you're eligible to even have a credential to sign in. The PIV card largely follows the old authentication model in NIST 800-163, which combined "who are you" with "how you signed in." It's referred to as "levels of assurance." And that was changed in NIST 800-163 Rev. 3, and in the current draft of Rev. 4, where we're seeing that how you sign in and who you are are two different things. The government is going to need to make a long-term investment to decouple identification and authentication, which will allow their employees, their contractors and everyone else to have greater flexibility on how they actually sign in.


Is it easy for IT pros to set up FIDO2 keys for their environment?
Parkkonen: We do have guides and professional services that can help, but I think it is getting to the point where it's technically easy to enable it for many organizations. IT pros can set up a demo with just a few clicks and enable the features for a small pilot group of users. However, before getting far in the journey, IT pros should look at the full lifecycle for their users. You have this massive rollout of FIDO2 passwordless, and how are you going to do that? Will you ship hardware, such as YubiKeys, and how are you going to get those keys into the hands of the users? How will you do the training? Users can have keys in hand, but they're just too busy and haven't taken the time to figure out how to use them.

Conditional access control is another consideration. Start putting those enforcement mechanisms into place to break users' habits by using conditional access. This will get them to stop using their passwords and One-Time Passcodes and start using phishing-resistant auth instead. Account recovery is another important area. Make sure that you can recover if your users have lost their authenticators.

I think it is getting to the point where it's technically easy to enable it [FIDO2 passwordless keys] for many organizations.

Erik Parkkonen, solutions architect at Yubico

Setting up self-service account recovery is probably the best way to reduce help desk costs for your IT organization. If using security keys, the best way to support self-service is by registering more than one key. Evaluate what recovery looks like without self-service and if you lost your only authentication method. If you are using a knowledge-based recovery mechanism, such as answering questions from the help desk, would it really be secure enough for your organization? And also think about how the user will continue to be productive while they wait for a new authenticator to be issued to them. Make sure the user is using phishing-resistant auth through all aspects of recovery.

Do the Microsoft Authenticator App and the Yubico Authenticator App perform the same functions?
Parkkonen: In general, the Microsoft Authenticator App can be used as a passwordless sign-in mechanism, or as a second factor on top of a password, via a mobile push notification. Yubico Authenticator has similar second-factor MFA capabilities. We support OTP [One-Time Passcode] protocols with Yubico Authenticator using TOTP, which is a time-based rolling code that changes every 30 seconds as a second factor for passwords. Yubico Authenticator offers a great way to fill in those gaps that we talked about before where FIDO2 passwordless isn't supported yet. You can have your users using the same key to support OTP and FIDO2.

For FIDO2 passwordless, those two Authenticator apps aren't required at all. For Certificate-Based Authentication, however, there may be some dependencies for deployment when using mobile devices.

Did the work-from-home shift over the last couple of years have an effect on the adoption of passwordless technologies?
Hanson: It fundamentally changed how IT administrators considered deploying technology. Onboarding used to be a time when you came into the office, met with HR and then went to your desk to connect. IT departments perhaps didn't know what to do when they had to onboard a remote employee. Now they have to be able to onboard anyone anywhere and get them a laptop with Windows Autopilot setups. As for getting YubiKeys to employees, Yubico has a couple of services to help IT administrators deliver them to specific addresses, which we announced in the first months of the pandemic.


About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
