April 25, 2023
Passwordless Authentication — Moving away from Yubikeys
Contrary to popular belief, organizations can achieve FIDO authentication without purchasing hardware keys such as Yubikey.
Infrastructure & Security
The security industry has come a long way from traditional username/password authentication. Password managers such as LastPass and 1Password blunt attacks such as password guessing and brute force while decreasing the blast radius in the event of credential compromise. We also saw the introduction of Multi-Factor Authentication (MFA) such as Time-based One-Time Passwords (TOTP), app-based push notifications, and email magic links.
Unfortunately, all these MFA mechanisms share the same vulnerability: they can be stolen just like traditional passwords. If an attacker can trick a user into sharing their password, they can undoubtedly trick them into sharing their MFA code. This is precisely how "0ktapus" targeted 130 organizations and 10,000+ individuals in a massive phishing campaign.
The FIDO Alliance
MFA vulnerabilities are why industry leaders like Microsoft, Google, and Apple joined forces to create a standardized authentication solution called Fast Identity Online (FIDO). FIDO authenticates the user with a cryptographic key held by a hardware authenticator instead of a password. The private key never leaves the physical device, and the signed login response is bound to the site's origin, so a phishing page cannot capture a credential it could reuse. The best part: FIDO keys provide a better authentication experience because a user no longer has to care or worry about passwords, timed codes, etc. All they need to do is tap a button.
Enabling FIDO key authentication is one of the best things an organization could do to protect its users and improve its security posture.
No Purchase Necessary
Contrary to popular belief, organizations can achieve passwordless authentication without purchasing hardware keys such as Yubikey.
In fact, most devices these days have FIDO keys built right into them! Apple's FaceID/TouchID, Windows Hello, and Android Fingerprint are all FIDO keys that organizations can use to protect their employees.
If a device has any of these biometric authentication methods, then it likely uses FIDO key technology.
At Pipe, we use Okta as our identity provider. Our internal sites and services use Okta to manage accounts and permissions. Okta includes functionality to register and enforce FIDO authentication. When a user is prompted to enroll their FIDO key, they can enroll their laptop and smartphone in a few steps.
Once in the FIDO key enrollment process, simply follow the steps and authenticate yourself with TouchID/Windows Hello when prompted.
After registering a laptop FIDO key, the user can enroll another key. Chrome will display a QR code which can be scanned by a compatible iPhone or Android device. Now, the user can use their smartphone to authenticate themselves.
At Pipe, we successfully onboarded every employee to FIDO authentication with minimal disruption. We did this by first making FIDO enrollment optional and providing employees with enrollment instructions, and then gradually enforcing the policy on employees until we hit 100%. The period for optional registration meant employees could enroll on their own time, and the IT team could give general support and document FAQs without being overwhelmed. We used the Okta API to track enrollment and were pleased to see that ~40% of employees self-enrolled without any enforcement.
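One way to do the enrollment tracking described above, as an added example rather than Pipe's or Okta's own code: it assumes Okta's Users API (the `/api/v1/users` and `/api/v1/users/{id}/factors` endpoints with an SSWS API token) and that enrolled FIDO keys appear as factors of type `webauthn`; the sample rows at the bottom are constructed.

```python
"""Track FIDO/WebAuthn enrollment across an Okta org (added example, not
Pipe's or Okta's code). Assumes Okta's Users API (GET /api/v1/users and
GET /api/v1/users/{id}/factors, SSWS token) and that enrolled FIDO keys
show up as factorType "webauthn"; the sample rows below are constructed."""
import json
import urllib.request

def next_link(link_headers):
    """Return the rel="next" URL from Okta's RFC 5988 Link headers, or None."""
    for header in link_headers:
        for part in header.split(","):
            url, _, rel = part.partition(";")
            if 'rel="next"' in rel:
                return url.strip().strip("<>")
    return None

def fetch_json(url, token):
    """GET one Okta API page; returns (parsed body, next page URL or None)."""
    req = urllib.request.Request(url, headers={"Authorization": f"SSWS {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), next_link(resp.headers.get_all("Link") or [])

def has_active_fido(factors):
    """True when the user has at least one ACTIVE WebAuthn factor."""
    return any(f.get("factorType") == "webauthn" and f.get("status") == "ACTIVE"
               for f in factors)

def enrollment_report(rows):
    """rows: list of (login, factors). Returns counts and who still needs a nudge."""
    pending = sorted(login for login, factors in rows if not has_active_fido(factors))
    total, enrolled = len(rows), len(rows) - len(pending)
    pct = round(100.0 * enrolled / total, 1) if total else 0.0
    return {"total": total, "enrolled": enrolled, "percent": pct, "pending": pending}

def fetch_report(org_url, token):
    """Walk every user page, pull each user's factors, and summarise."""
    rows, url = [], f"{org_url}/api/v1/users?limit=200"
    while url:
        users, url = fetch_json(url, token)
        for user in users:
            factors, _ = fetch_json(f"{org_url}/api/v1/users/{user['id']}/factors", token)
            rows.append((user["profile"]["login"], factors))
    return enrollment_report(rows)

# Constructed sample in the shape of Okta factor objects (not real data).
SAMPLE = [
    ("alice@example.com", [{"factorType": "webauthn", "provider": "FIDO", "status": "ACTIVE"}]),
    ("bob@example.com", [{"factorType": "token:software:totp", "provider": "OKTA", "status": "ACTIVE"}]),
    ("carol@example.com", [{"factorType": "webauthn", "provider": "FIDO", "status": "PENDING_ACTIVATION"}]),
]
```

A factor left in `PENDING_ACTIVATION` (enrollment started but never completed) is deliberately counted as not enrolled, which is the case a progress report most easily overstates.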
Edge Cases & Issues
Unsupported Laptops or Smartphones
There were a few cases where an employee's workstation was not FIDO key enabled. In this scenario, we ship them a Yubikey.
Firefox has yet to support device-enabled FIDO key authentication. If your team or users rely on Firefox, they must be shipped a Yubikey.
Unlike Yubikeys, device-enabled FIDO keys such as TouchID or Windows Hello have a unique registration per browser. Users must enroll their FIDO key for each browser if they use multiple browsers for work, such as Chrome and Safari.
Some in-app browsers, such as Microsoft Office on Windows devices, do not support FIDO key authentication. In our experience, in-app browsers are rarely used, and typically only once. In this scenario, the IT team verifies the employee via Zoom and grants them the temporary ability to authenticate via another MFA method.
Overall, our migration caused minimal disruption or overhead and required no additional hardware or costs. It took the IT and Security team 90 days to onboard 100% of the company from start to finish. More importantly, employee credentials are as protected as ever, and we provide our employees with the best authentication experience possible.
We are proud to give our customers and employees the best-in-class security. If you want to join us on our mission to transform the future of finance and become an industry leader in cybersecurity, we are hiring!