In the past few months, we've seen passwordless authentication take off, with services like Medium and Yahoo! as the driving forces behind this movement.
We spoke with Jon Gelsey, CEO of Auth0, a company specializing in zero-friction authentication and authorization services. Mr. Gelsey has been Chief Executive Officer of Auth0 for the past two years and has helped the company create its Lock and Passwordless services, both high-level, complete tools that greatly simplify user authentication by taking passwords out of the equation.
Your company has recently launched a passwordless authentication system. You obviously don't believe this is a fad in terms of online security. How would you convince a user that this is a safer route than password managers and 2FA (two-factor authentication)?
JG: Probably the easiest way to convince a user this is an easier route than a password is just have them use it. It’s actually a really nice user experience not to have to remember passwords.
But to convince them it’s a safer route I’d point out that passwordless means you no longer have a password that can be stolen. Everybody understands how much more secure that is.
Passwordless authentication greatly reduces the threat of human error (weak or reused passwords) and of attacks that depend on stealing passwords. Instead of the traditional username/password step, the user logs in by responding to a push notification on their phone, through Touch ID, or by using a short-lived, one-time link or secret code sent via SMS, push notification or email to a pre-authorized device or phone number. The security of the login then rests on the delivery channel and the device that receives the code, so the code must be short-lived, single-use and protected against guessing.
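To make the mechanism concrete, here is an added server-side sketch of the one-time code / magic-link step described above. It is example code written for this page, not Auth0's implementation: it assumes an in-memory store, a five-minute lifetime, a five-attempt lockout and six-digit codes (all hypothetical parameters), and it leaves delivery over SMS, push or email to the caller. It stores only a hash of the secret, binds the secret to the identifier it was issued for, compares in constant time, and makes every code single-use.

```python
"""Issue and redeem short-lived, single-use passwordless codes and link tokens.

Added example for this article; not Auth0's code. Parameters and the
in-memory store are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: codes and links live for 5 minutes
MAX_ATTEMPTS = 5         # assumption: a challenge dies after 5 wrong guesses
CODE_DIGITS = 6          # 6 digits + 5 attempts: ~5 in a million guess chance


@dataclass
class Challenge:
    digest: bytes        # only a hash of the secret is kept server-side
    expires_at: float
    attempts: int = 0


class PasswordlessVerifier:
    """One outstanding challenge per identifier (email or phone number)."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable for tests / expiry
        self._pending: dict[str, Challenge] = {}

    @staticmethod
    def _digest(identifier: str, secret: str) -> bytes:
        # Bind the secret to the identifier so a code issued to one user
        # cannot be redeemed under another identifier.
        return hashlib.sha256(f"{identifier}\x00{secret}".encode()).digest()

    def _store(self, identifier: str, secret: str) -> None:
        # Issuing a new challenge invalidates any earlier one for the user.
        self._pending[identifier] = Challenge(
            digest=self._digest(identifier, secret),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )

    def issue_code(self, identifier: str) -> str:
        """Return a numeric one-time code to send over SMS/push/email."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self._store(identifier, code)
        return code

    def issue_link_token(self, identifier: str) -> str:
        """Return a high-entropy token to embed in a one-time login link."""
        token = secrets.token_urlsafe(32)
        self._store(identifier, token)
        return token

    def redeem(self, identifier: str, secret: str) -> bool:
        """Consume the challenge; True exactly once, for the right secret."""
        challenge = self._pending.get(identifier)
        if challenge is None:
            return False
        if self._clock() > challenge.expires_at:
            del self._pending[identifier]    # expired: drop it
            return False
        challenge.attempts += 1
        if challenge.attempts > MAX_ATTEMPTS:
            del self._pending[identifier]    # too many guesses: lock out
            return False
        expected = self._digest(identifier, secret)
        if not hmac.compare_digest(challenge.digest, expected):
            return False                     # wrong secret, challenge stays
        del self._pending[identifier]        # single use: consume on success
        return True


def walkthrough() -> bool:
    """Constructed scenario: success, replay, expiry; returns True if all hold."""
    now = [1_000.0]
    verifier = PasswordlessVerifier(clock=lambda: now[0])
    user = "alice@example.com"               # constructed sample identifier
    code = verifier.issue_code(user)
    first = verifier.redeem(user, code)      # genuine login
    replay = verifier.redeem(user, code)     # same code again must fail
    link = verifier.issue_link_token(user)
    now[0] += CODE_TTL_SECONDS + 1           # let the link expire
    expired = verifier.redeem(user, link)
    return first and not replay and not expired


if __name__ == "__main__":
    print("walkthrough ok:", walkthrough())
```

The lockout counter is per challenge rather than per source IP, so an attacker who can trigger code delivery cannot reset it by requesting a new code: a fresh issue replaces the old challenge and starts a new five-guess budget against a new random code, not against the one they were guessing.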
Most people fear data breaches, especially where weak security practices leave a company's user database at risk. Is the technical side of passwordless authentication a safer route, or is it complicating things even more?
JG: Passwordless authentication is safer than traditional username/password authentication. It’s safer because there are no passwords to be compromised. It’s also safer because the user is proactively notified with every login. Auth0 already greatly simplifies the implementation of authentication and authorization for software developers; passwordless extends that “Auth0 makes things simple” ethos to include a simpler way to log in for end users.
Many of the headline data breaches of the last few years, where massive numbers of usernames and passwords were stolen from large, sophisticated enterprises, would have been non-events if those users were authenticated with Auth0 passwordless, because there wouldn’t have been any passwords to steal. Passwordless is both more secure for the enterprise and also less hassle for users - what’s not to like?
Where do you see passwordless authentication catching on first? (Why?)
JG: Two places: consumer apps, and Internet of Things (IoT).
We are already seeing consumer sites like Yahoo, Medium, and others utilize passwordless, because it’s a much friendlier experience for the user, and hence reduces subscriber attrition. What website owner wouldn’t want to eliminate that extra 5 minutes of hassling with “what was this password? I’ve forgotten it, guess I need to reset it.”
Passwordless is particularly compelling for IoT devices, many of which, at least for consumers, have either a crippled keyboard or none at all. Who wouldn’t prefer to log in to, say, their home lighting controller or their home security system with Touch ID instead of keying in some obscure code? Passwordless is a boon to the usability of IoT devices, and provides additional freedom to IoT designers by avoiding the need to create a login UX directly on the device.
Would passwordless authentication make a difference for the "still insecure" IoT environment?
JG: Passwordless is poised to make a lasting impact on the IoT space. Many applications, especially in the connected home, have a minimal interface that makes it challenging for developers to implement traditional password-based authentication in a strong way, leading to vulnerabilities. With passwordless, authentication is a simple matter of Touch ID or a one-time passcode sent via email, SMS or push notification.
In your own experience, does the push for passwordless authentication come from companies or from end users?
JG: The answer is, and should be, both. As end users begin to request and adopt passwordless authentication for their account security, companies are beginning to recognize that this shift toward passwordless and MFA solutions will help to not only make the user experience simpler and more enjoyable, but also to reduce the frustration and concern associated with the constant stream of data breaches we see in today’s headlines.
There is no doubt that passwords have become more and more vulnerable in recent years, and this has left both the enterprise and consumer asking for a better alternative. In recent years, black hats around the world have become large, organized and profitable criminal organizations, and major brands have seen breaches because of weak passwords, phishing attacks or “small” vulnerabilities in their security architecture.
In light of the recent JP Morgan, Home Depot, Anthem Health, Ashley Madison, Target and other major breaches, large-scale cyber-attacks have become obvious as a very real problem for the enterprise, and in turn for their customers. Passwordless aims to eradicate the threat of authentication vulnerabilities due to compromised passwords.
Softpedia would like to thank Mr. Gelsey for taking the time to answer our questions.