April 30, 2025

World Password(less) Day

  • Last updated 05/01/2025
  • Author: Cile Montgomery, Product Marketing, Security & Compliance

    For more than 25 years, Cile has created and discussed technologies that improve people’s experiences at home and work. In 2021, Cile joined VMware. Today she leads product marketing for Security & Compliance solutions at Omnissa.

Today is World Password Day. What’s your favorite password? That’s a trick question – hopefully you use unique, strong passwords for anything that requires one. In addition to briefly touching on password hygiene, we’d like to talk about alleviating the need for end users to enter passwords in support of zero trust.

The cost of password resets is high – with both end users and IT paying the price. How much is it costing you?


Password hygiene

What’s in a password? Hopefully not a lot of personal information, e.g. pets’ names and your date of birth. Following CISA best practices, passwords should be long – at least 16 characters – and unique for every service or account you use. A more secure approach is to generate random, complex passwords using a reputable password manager, which can also help you store and manage each unique credential safely. Using unique passwords for each login protects your accounts such that if one password is compromised, your other accounts remain secure.

For your master password (the one securing your password manager), avoid using personal information such as names or dates, since these are easily guessed or found online. Instead, you can create a memorable passphrase by forming a sentence then substituting some letters with special characters or numbers. This makes the password both lengthy and difficult to crack (e.g. “No parking on the dance floor, you” becomes “NoP@rk!ng> D@ncef1**r,U”). This increases your protection against brute-force and dictionary attacks. 


Passwordless authentication

Passwordless technologies simplify the end user experience while increasing security. In passwordless implementations, end users authenticate to a service in a way that differs from simply entering a user-created password, PIN, or passphrase. For passwordless authentication, a trust relationship is established between the user and a central authentication source. This trust relationship employs cryptographic proof to authenticate the user. Omnissa can enrich authentication with information such as device posture, device location, time of use, and threat level.

Why is passwordless authentication better than traditional passwords?

  • Users do not have to remember long and complex strong passwords. Fewer password resets are required, and more consistent (yet segmented) access to apps and resources happens across the enterprise.
  • Furthermore, when you move away from passwords to passwordless authentication, users often do not even know their passwords. This reduces the likelihood of credential theft.
  • Strong authentication, including multi-factor authentication, increases your ability to address login risk.
  • Passwordless can be included in zero trust implementations. Single sign-on (SSO) can be employed to grant access to all apps, then policies can be applied to verify status and check privileges.
  • Security policies can be tailored to various levels of risk. Appropriate policies can be created that consider device ownership; level of security clearance and data access; and locations of work.

How is passwordless implemented?

Omnissa supports a variety of technologies so that you can authenticate to physical devices, virtual desktops and applications, native apps, and web apps. 

Our platform supports authentication via MobileSSO, certificates, smart cards, and FIDO2 frameworks. We also support legacy authentication including RADIUS. More information:

MobileSSO
Offers a highly seamless authentication experience on mobile devices. This enhanced security, touch-free authentication tool is easy to set up and manage via the Workspace ONE UEM console, where we automate the full certificate management process for MobileSSO. 

Certificates
With certificates, a seamless experience similar to MobileSSO can be delivered across all major desktop operating systems. Certificate-based authentication allows for more secure authentication to a variety of apps that would not be traditionally addressed by many authentication technologies. 

Third-party IDP integrations
We support integration using standards such as SAML and OpenID Connect, allowing for simple integration with identity providers (IDPs) such as Google, Microsoft Entra ID, Okta, Ping Identity, and any other standards-based IDP.

Smart cards
Smart cards provide another means of authentication. Omnissa supports traditional smart cards and also offers PIV-D, an application-based alternative to smart cards. PIV-D offers a more secure way to transfer and store credentials on mobile devices.

WebAuthn with FIDO2 and passkeys
Anything leveraging WebAuthn with FIDO2 and passkeys can be used as an authenticator. This includes security keys, passkeys, and authenticator apps. More information on Omnissa FIDO2 configuration is available here.

FIDO2 authentication via passkeys also allows for more secure storage of private keys on end user devices, eliminating the need for a separate security key. Compared with passwords, passkeys are phishing resistant, support multiple devices, and provide stronger security and a simplified user experience. Passkeys have been adopted mainly for private use, because it is more secure to bind a passkey to a specific device. Passkeys are not bound to devices by design, and can be transferred through keychains, Bluetooth, and QR codes. This can make them difficult to use in enterprise scenarios. But hold on, we have a solution (keep reading). 


So what about passkeys for corporate use?

Omnissa makes it possible to bind the use of passkeys to a specific device via policy. For specific applications, we can enforce passkey use on a specific device via Omnissa Access. By making application access contingent upon having a valid managed device, risk related to unbound passkeys is reduced. 

Step-up authentication via MFA
Multi-factor authentication provides an extra layer of protection when critical data is being accessed, or when device posture or behavior points to an elevated level of risk. We have our own MFA solution, Hub Verify; we also support third-party solutions such as Okta Verify, DUO 2FA, and YubiKey.

What about SMS? 
While SMS and one-time code generation do exist as technologies for generating a security key, we prefer other options. To quote this NIST blog post (about Special Publication 800-63-3 “Digital Authentication Guidelines”): “While a password coupled with SMS has a much higher level of protection relative to passwords alone, it doesn't have the strength of device authentication mechanisms inherent in the other authenticators….”

Happy Password(less) day! 

Sometimes the best password is no password. If you would like to boost end user experience and increase the security of access to applications and resources, please reach out to us. The Omnissa platform is designed to make more secure, risk-based access simple to implement and manage. Read more about what we do here

 
