9 Key Takeaways from Ask Us Anything: Passwordless Tips & Tricks
Duo Passwordless is now in public preview for applications federated via single sign-on, like our own Duo Single Sign-On or third-party solutions. To help you make the most of this new offering, Duo Product Manager Chris Demundo and Product Marketing Manager Ted Kietzman recently hosted the webinar Ask Us Anything: Passwordless Tips & Tricks, answering passwordless questions crowdsourced from our Duo Community public forum.
Let’s look back on some highlights from the webinar:
What’s the problem with passwords?
Passwords cause a lot of friction and frustration both for the people who use them and the people who manage them. They’re cumbersome and costly, as issues like password resets and lost or stolen credentials account for 20-50% of helpdesk tickets. They provide a suboptimal user experience, with users having to remember passwords, rotate them and meet complexity requirements. And passwords are easily compromised, as 81% of breaches typically involve weak or stolen credentials.
What is passwordless authentication?
Passwordless promises two big benefits at the same time:
Reducing user friction — With passwordless, you can authenticate using a simple gesture rather than having to remember, rotate, or reset your password
Increasing security — With passwordless, you replace a shared secret with something stronger, like asymmetric keys
Passwordless authentication establishes a strong assurance of a user’s identity without relying on passwords, allowing users to authenticate using biometrics, security keys or a mobile device.
Why should I choose Duo for passwordless?
It’s simple to try. Because passwordless is a new technology, we know you want to try it before you rip and replace all of the authentication in your environment. Duo Passwordless is available to try as part of our MFA edition, the simplest paid edition we offer — no add-ons or hidden costs.
It’s easy to deploy and use. Duo Passwordless takes minutes to configure, is intuitive for enrolling and authenticating users, and works on any device.
It’s seamless and secure. As you transition toward passwordless, we don’t want you to strip away your other secure forms of authentication. We make it easy for you to move from one stage to another, whether securely falling back to MFA or increasing passwordless logins over time.
What authentication methods does Duo Passwordless support?
Windows Hello on compatible Windows devices
Touch ID on compatible macOS devices
Face ID or Touch ID on compatible iOS and iPadOS devices
Android Biometrics, such as Pixel fingerprint or facial recognition, or Samsung fingerprint or facial recognition
WebAuthn FIDO2 security keys with biometric or PIN verification, like those from Yubico or Feitian
Still ahead: Duo Mobile smartphone app
Can you implement passwordless with risk-based authentication?
Duo is currently working on both passwordless and risk-based authentication, with passwordless in public preview and risk-based authentication in private preview. Our long-term goal is to bring them together. Risk-based authentication targets understanding signals of risk around an authentication and being able to either force the user to step up and take an additional action, or cancel an existing long-lived session and ask them to re-authenticate because we noticed something risky during that session.
Example: A laptop is stolen and someone tries to authenticate into it, somehow managing to pass biometrics. Duo Trust Monitor then highlights anomalous activity, like logging in from an unfamiliar IP address, taking action outside of normal time, or accessing an application they’ve never accessed before.
Is there a device trust component to passwordless? For example, if I wanted a user to be able to log in from their enrolled device and not their personal device, would I be able to do that?
Device trust is part of the Duo Beyond edition, allowing you to implement device trust checks as a user authenticates to an app. This functionality will also exist for passwordless in the future. If device trust is important to you and you want to scope passwordless only to managed devices, you can do that using Device Trust and Policy Engine so that only trusted devices can use it. We don’t make it a requirement because we heard from many customers that they want to have the option to support passwordless even if they don’t control the device.
How does Duo Passwordless work for a public system, like classroom computers where different faculty are moving between rooms often, or lab computers where you have a shared machine?
To see in action how Duo Passwordless supports a shared environment use case, watch the webinar featuring Chris Demundo’s demo using Windows Hello.
Duo Passwordless is not user-agnostic as someone moves among devices; it’s predicated on username. That means as long as the user has registered and enrolled on that device, Duo can authenticate them.
Going further with the example in the question, there might be difficulty if your school wants to use Windows Hello but you have a faculty member who uses many different devices, because it could be frustrating for them to enroll in biometrics for each device. And that’s a great example of why it’s a critical priority for us to offer Duo Mobile as a passwordless authentication method as we move forward — you can simply use it as a consolidated point of authentication as you move from device to device.
If an organization’s policy requires users to have two-factor authentication, is passwordless still considered a form of that?
From our perspective, using something like Windows Hello or Touch ID is strong multi-factor authentication. It combines multiple factors (something they are, something they have) into a single step, while making it easier for end users.
That said, this answer varies based on the regulations and compliance you’re working with. If you have specific questions about how Duo Passwordless applies to your organization’s standards, please contact us. Our compliance team can help explain how passwordless technology works for different industries and how it fits in with your security requirements as you look to adopt these new methods in your environment.
Where can I learn more about Duo Passwordless?
We received tons of great questions that we didn’t have time to cover in the webinar, so we’re keeping the conversation going. Visit the Duo Community, where Community Manager Amy Reyes will follow up with more questions and answers, and open up more discussion around passwordless. We’d love to hear from you!
For more insights on Duo’s new Passwordless solution — including use cases, benefits, best practices, and more — watch the webinar Ask Us Anything: Passwordless Tips & Tricks.