This article has been indexed from The Duo Blog
Part of our Administrator’s Guide to Passwordless blog series
See the video at the blog post.
In some ways, the term “passwordless” is a misnomer. Yes, it’s a password-less authentication method, greatly streamlining the login experience, and while that’s a great incentive to use passwordless for logging in, it’s not an improvement in authentication security in and of itself.
Passwordless uses multiple factors in one step. Unlocking authenticator devices locally removes the threats of credential reuse and shared secrets. But on top of all of that, passwordless should also raise the bar by substantially reducing or even eliminating the risk of phishing attacks. Any “passwordless” solution that cannot meet this bar is simply inferior.
That isn’t to say that every password-less solution needs to be phish-proof. There may be other properties of an authentication solution you’re considering that make it a better fit for your environment, and you may be able to mitigate the risk of phishing using additional authentication factors. While not every solution will use the same mechanisms to prevent phishing, there are some properties that will be common to every solution that is truly phish-proof.
To prevent phishing, there are a few general properties that your authentication solution needs:
No Shared Secrets is the property that secrets are never shared and are always kept local to the authenticator device. The authenticator will use these secrets to sign messages, which can be verified by the other party to only have been able to come from the authenticator device. Unlike passwords or other shared secret-based approaches, the solution should guarantee that the secret used for one website is distinct and separate from any secrets used for other websites.
Origin Binding is the property that the site you (as a user) are attempting to log in to must match the domain, or origin, of the site you’re actually on. The history of active phishing has taught us that this is not something that the user can be relied upon to do, so any solution must avoid
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: Administrator’s Guide, Part 3: What Makes Passwordless, Dare We Say It, Phish-Proof?