Network of Trusted Devices Example (Illustrations)

Below is an example of what a passwordless world via a network of trusted devices could look like. It follows Bob, a new employee of Foobar Corp, along with Alice, Foobar’s trusty head of IT. For more on a passwordless world, see the post Arriving At A Passwordless Future.

Bob’s First Day

[Illustration: bob_alice_computer_x2.jpg]

On Bob’s first day Alice gives him a brand new MacBook with Touch ID. Alice tells Bob:

“Here at Foobar we’re a 100% passwordless company. Just follow the instructions on your computer and you’ll be set up in no time! Also, your email/username is bob@foo.bar.”

Bob’s a little confused. He’s never worked at a 100% passwordless company before - Bob’s not even entirely sure what ‘passwordless’ means! He’s used to wrangling with passwords at work - generating unique passwords for every site, changing his passwords every 90 days, and resetting his passwords when he inevitably forgets them. But Bob opens his computer and jumps right in…

Registering Bob’s Laptop

[Illustration: laptop_register_example.jpg]

Bob opens up his computer and is immediately asked to set up his corporate account. He enters his username (bob@foo.bar) but is a little confused - there’s no password field, and he’s used to coming up with a password for a new corporate account. He presses the Register button and is prompted to scan his finger on the MacBook’s Touch ID sensor. He does, and all of a sudden he’s registered!

Logging In On Bob’s Laptop

[Illustration: laptop_login_example.jpg]

Bob’s computer brings him to a Login screen. Just like before, he enters his username, presses the Login button, scans his finger, and he’s logged in! Bob’s starting to understand this whole passwordless thing - instead of typing a password every time he wants to log in on his computer, he simply scans his finger. And this doesn’t just work for Bob’s corporate account: whether Bob is logging in to his corporate Google account, his Salesforce account, or his Box account, all he has to do is scan his finger.

Bob’s computer is now the first trusted device in his account. Next Bob downloads Foobar’s corporate app on his iPhone.

Registering Bob’s Phone

[Illustration: mobile_register_example.jpg]

Bob downloads Foobar’s app, opens it up, and sees the same Register screen he saw on his MacBook. Like before, he enters his username and clicks Register, only now the app asks him to scan his face. This makes sense, since his iPhone XS has Face ID rather than Touch ID. Bob scans his face, but instead of being registered right away, he sees a pop-up on his computer asking if he’s trying to register an iPhone. On his computer Bob clicks ✅ (accept) and then scans his finger. After he scans his finger, the app reports that his iPhone was successfully registered.

Bob’s a little puzzled at first, but eventually understands what just happened. There are two important things to note.

Trusted Devices For Administration

Technically, anyone who knows Bob’s email can attempt to register a device to his account. If that were all it took, any attacker could register their own computer to Bob’s account and log in as Bob - that would be bad. Instead, Foobar’s login system uses a previously registered, currently trusted device - Bob’s MacBook - and asks Bob, through that trusted device, whether he’s trying to register an iPhone. If he isn’t, he simply presses deny (X); an unexpected prompt is his cue to do exactly that. If he is, he clicks accept (✓). Clicking accept isn’t enough on its own: because adding a device is a sensitive operation, Bob then has to prove to his computer that he’s Bob by scanning his finger, so that someone who merely got hold of Bob’s computer can’t approve a new device on his behalf.

Trusted Device, NOT Trusted Fingerprint

It’s important to note that Bob isn’t directly using his biometrics (his fingerprint on the MacBook, his face on the iPhone) to log in to his accounts. Instead, Bob uses his devices to log in to his accounts, and his biometrics to prove to those devices that he’s Bob. The biometric check happens on the device, not at the service. This is an important distinction because, unlike passwords, this login system keeps no database of fingerprints and faces for an attacker to steal and use to break into Bob’s account. An attacker also can’t simply steal one of Bob’s trusted devices to get in. To break into Bob’s account, an attacker would need BOTH to steal a trusted device AND to circumvent that device’s biometric protections.

Bob’s New Security Key

[Illustration: bob_alice_security_key_x2.jpg]

After Bob registers his MacBook and his iPhone, Alice comes back and gives Bob what’s called a hardware security key (such as a YubiKey or Google’s Titan Security Key). Alice explains:

“Hardware security keys (or just security keys) are devices with special security properties, like cryptographic capabilities and tamper resistance. You don’t have to worry about any of this; just know that in order to use it, you plug the security key into a device and tap the button on the security key.”

Alice continues:

“Register your security key with your account and then put it somewhere secure, like in a safe or a locked drawer. Unlike your phone or computer, which you’ll use to log in to your account every day, at Foobar we use security keys for emergencies, like if you were to lose or break both your computer and phone.”*

Registering Bob’s Security Key

[Illustration: security_key_register_example.jpg]

Following Alice’s instructions, Bob plugs the security key into his computer, goes to his corporate account settings, clicks Register New Device, selects the security key, clicks Register, and follows the instructions. Just as when he registered his iPhone, Bob taps the security key, then scans his finger on his MacBook (the already trusted device approving the new one), and the security key is registered. He then locks it in his super secure desk drawer at work.

Bob Logs In To An Untrusted Device

[Illustration: delegated_login_example.jpg]

Now Bob’s on vacation in Hawaii and needs to log in to his corporate account on a computer. There’s only one problem - Bob forgot his computer! He eventually finds a shared hotel computer. Bob goes to Foobar’s website, types in his username, and clicks Login. He then gets a notification on his phone asking whether he’s trying to log in to a computer in Hawaii. Bob clicks ✅ (accept), scans his face (to prove it’s Bob), and he’s logged in!

Delegated Login

Let’s go over what just happened. Bob is trying to log in to his account through an untrusted device; he is NOT trying to register/trust that device. This makes sense - Bob is only staying at the hotel for a little while, and if he registered this shared computer, anyone who used it afterwards could log in to his account. When Bob tries to log in, Foobar’s login system recognizes Bob’s account, sees that the request comes from an untrusted computer, but knows Bob has other trusted devices. So the login system pings one of them, his iPhone, and asks through the iPhone whether he’s trying to log in to a computer in Hawaii. The prompt tells Bob where the request came from: if he isn’t sitting at a computer in Hawaii he presses deny and the untrusted computer gets nothing, and if he accepts and scans his face, the hotel computer gets a login session for this visit but is never added to Bob’s trusted devices. This system of logging in on one (untrusted) device through another (trusted) device is called delegated authentication, or delegated login.
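To make the two approval flows in this story concrete (registering a new device through an existing trusted device, from “Trusted Devices For Administration”, and the delegated login just described), here is an added Go sketch. It is not code from the original post or from passwordless.consulting. It assumes each device holds its own Ed25519 key pair, that Touch ID/Face ID is a purely local gate on using that key (modelled as a boolean), that the very first device on an account is enrolled without a second approver (the laptop IT handed to Bob), and that the server keeps pending challenges by nonce so every approval is single use. The names Request, Approve, NativeLogin and the “register”/“login” challenge kinds are this example’s own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device: client-side key pair; the private half is used only after local user
// verification (Touch ID / Face ID in the story, a plain boolean in this example).
type Device struct{ Name string; priv ed25519.PrivateKey }

func NewDevice(name string) *Device {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{name, priv}
}
func (d *Device) Pub() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }
func (d *Device) ID() string             { return hex.EncodeToString(d.Pub()) }

// Sign models "scan your finger": no user verification, no signature (a stolen device alone is useless).
func (d *Device) Sign(msg []byte, userVerified bool) ([]byte, error) {
	if !userVerified {
		return nil, errors.New(d.Name + ": user verification failed")
	}
	return ed25519.Sign(d.priv, msg), nil
}

// Challenge is pushed to a trusted device for approval: Kind/Detail is what the user sees,
// Subject is the new device's public key ("register") or the session id ("login").
type Challenge struct{ User, Kind, Detail, Subject, Nonce string }

func (c Challenge) Bytes() []byte {
	return []byte(c.User + "|" + c.Kind + "|" + c.Detail + "|" + c.Subject + "|" + c.Nonce)
}

// Server: trusted device ids per user, pending challenges by nonce, sessions by id.
// No biometric data ever reaches it: trusted device, not trusted fingerprint.
type Server struct {
	Trusted  map[string]map[string]bool
	pending  map[string]Challenge
	Sessions map[string]string
}

func NewServer() *Server {
	return &Server{map[string]map[string]bool{}, map[string]Challenge{}, map[string]string{}}
}
func randHex() string { b := make([]byte, 16); rand.Read(b); return hex.EncodeToString(b) }

// RegisterFirstDevice bootstraps an account with no trusted device yet (assumption: IT handed
// Bob the laptop, so this one step needs no approval from another device).
func (s *Server) RegisterFirstDevice(user string, d *Device) error {
	if len(s.Trusted[user]) > 0 {
		return errors.New("account already has trusted devices; approval required")
	}
	s.Trusted[user] = map[string]bool{d.ID(): true}
	return nil
}

// Request records a pending challenge; the server then pushes it to the user's trusted devices.
func (s *Server) Request(user, kind, detail, subject string) (Challenge, error) {
	if len(s.Trusted[user]) == 0 {
		return Challenge{}, errors.New("unknown account")
	}
	c := Challenge{user, kind, detail, subject, randHex()}
	s.pending[c.Nonce] = c
	return c, nil
}

// Approve succeeds only if a currently trusted device of that user signed exactly the pending
// challenge; it then trusts the new device or issues a one-off session for the untrusted one.
func (s *Server) Approve(c Challenge, approverID string, sig []byte) (string, error) {
	if stored, ok := s.pending[c.Nonce]; !ok || stored != c {
		return "", errors.New("unknown, tampered or already used challenge")
	}
	pub, err := hex.DecodeString(approverID)
	if !s.Trusted[c.User][approverID] || err != nil || !ed25519.Verify(pub, c.Bytes(), sig) {
		return "", errors.New("not signed by a trusted device of " + c.User)
	}
	delete(s.pending, c.Nonce) // single use: replaying the approval fails
	if c.Kind == "register" {
		s.Trusted[c.User][c.Subject] = true // the new device joins the trusted set
	} else {
		s.Sessions[c.Subject] = c.User // the hotel PC gets a session, never trust
	}
	return c.Subject, nil
}

// NativeLogin: a trusted device signs a fresh nonce after user verification; no second device.
func (s *Server) NativeLogin(user string, d *Device, userVerified bool) bool {
	nonce := []byte(randHex())
	sig, err := d.Sign(nonce, userVerified)
	return err == nil && s.Trusted[user][d.ID()] && ed25519.Verify(d.Pub(), nonce, sig)
}

func main() {
	srv, user, mac, phone := NewServer(), "bob@foo.bar", NewDevice("MacBook"), NewDevice("iPhone")
	srv.RegisterFirstDevice(user, mac)
	c, _ := srv.Request(user, "register", "Register an iPhone?", phone.ID())
	sig, _ := mac.Sign(c.Bytes(), true) // Bob taps accept and scans his finger on the MacBook
	_, err := srv.Approve(c, mac.ID(), sig)
	fmt.Println("iPhone trusted:", err == nil && srv.Trusted[user][phone.ID()])
	c, _ = srv.Request(user, "login", "Log in from a computer in Hawaii?", randHex())
	sig, _ = phone.Sign(c.Bytes(), true) // Bob taps accept and scans his face on the iPhone
	sess, err := srv.Approve(c, phone.ID(), sig)
	fmt.Println("hotel PC session for:", srv.Sessions[sess], "err:", err)
}
```

The same Request/Approve pair covers Bob’s security key, which registers through the MacBook exactly like the iPhone. Two details carry the security argument: the approving device signs the exact challenge text the user was shown (the device being added, or the login location), so a tampered or replayed prompt fails verification, and a “login” approval only writes to Sessions, never to Trusted, so the hotel computer can never become a foothold into the account.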

Conclusion

We just went through an example of an employee at a company registering devices and logging in to their account using passwordless login. More specifically, the passwordless login system uses a network of trusted devices that supports native authentication (logging in directly on a trusted device) and delegated authentication (logging in on an untrusted device by approving the request from a trusted one). This story isn’t merely fiction - it’s technology I’m currently helping to build through the company passwordless.consulting. If you’re curious about bringing this technology to your employees/customers, or just want to learn more about passwordless authentication, feel free to reach out to me at herbie@passwordless.consulting.

Notes

* In one setup, the IT department might generate its own security key for Bob, so that even if Bob loses his computer, phone, AND security key, they can still recover Bob’s account.