Below is an example of what a passwordless world via a network of trusted devices could look like. It follows Bob, a new employee of Foobar Corp, along with Alice, Foobar’s trusty head of IT. For more on a passwordless world, see the post Arriving At A Passwordless Future.
Bob’s First Day
On Bob’s first day Alice gives him a brand new MacBook with Touch ID. Alice tells Bob:
“Here at Foobar we’re a 100% passwordless company. Just follow the instructions on your computer and you’ll be set up in no time! Also your email/username is firstname.lastname@example.org.”
Bob’s a little confused. He’s never worked at a 100% passwordless company before - Bob’s not even entirely sure what ‘passwordless’ means! He’s used to wrangling with passwords at work - generating unique passwords for every site, changing his passwords every 90 days, and resetting his passwords when he inevitably forgets them. But Bob opens his computer and jumps right in…
Registering Bob’s Laptop
Bob opens up his computer and is immediately asked to set up his corporate account. Bob enters his username (email@example.com) but he’s a little confused - there’s no password field. Bob’s used to coming up with a password for his corporate account. He presses the Register button and is prompted to scan his finger using the MacBook’s Touch ID sensor. He does this and all of a sudden he’s registered!
Logging In On Bob’s Laptop
Bob’s computer brings him to a Login screen. Just like before he enters his username, presses the Login button, scans his finger, and he’s successfully logged in! Bob’s starting to understand this whole passwordless thing - instead of typing in a password every time he wants to log in on his computer, he simply scans his finger. And this doesn’t just work for Bob’s corporate account - if Bob’s trying to log in to his corporate Google account, or Salesforce account, or Box account, all Bob has to do is scan his finger.
Bob’s computer is now the first trusted device in his account. Next Bob downloads Foobar’s corporate app on his iPhone.
Registering Bob’s Phone
Bob downloads Foobar’s app, opens it up, and sees the same Register screen he saw on his MacBook. Like before he enters his username and clicks Register, only now the app asks him to scan his face. This makes sense, since his iPhone XS has a Face ID scanner, not a Touch ID scanner. Bob scans his face, only instead of being registered right away, he sees a pop-up on his computer asking if he’s trying to register an iPhone. On his computer Bob clicks ✅ (accept), and then scans his finger. After scanning his finger, the app says that he successfully registered his iPhone.
Bob’s a little puzzled at first, but eventually understands what just happened. There are two important things to note.
Trusted Devices For Administration
Technically anyone who knows Bob’s email can attempt to register a device to his account. If that attempt were enough on its own, any hacker could register their own computer to Bob’s account and log in as Bob - that would be bad. Instead, Foobar’s login system turns to a previously registered, currently trusted device - Bob’s MacBook - and asks Bob through that trusted device whether he’s trying to register an iPhone. If he’s not, he simply presses deny (X), but if he is, he clicks accept (✓). Because approving a new device is a sensitive operation, clicking accept isn’t enough: Bob then has to prove he’s Bob to his computer by scanning his finger, since the computer wants to make sure it’s Bob and not some hacker who stole Bob’s computer.
Trusted Device, NOT Trusted Fingerprint
It’s important to note that Bob isn’t directly using his biometrics (fingerprint on his MacBook, face on his iPhone) to log in to his accounts. Instead, Bob is using his devices to log in to his accounts, and his biometrics to prove to those devices that he’s Bob. The biometric match happens on the device itself; Foobar’s login system only ever learns that the device vouched for Bob, never the fingerprint or face. This is an important distinction because in this login system, unlike passwords, there’s no database of fingerprints and faces some hacker can steal to break into Bob’s account. A hacker also can’t simply steal one of Bob’s trusted devices to break into his account. In order to break into Bob’s account, a hacker would need to BOTH steal one of his devices AND circumvent that device’s biometric protections.
Bob’s New Security Key
“Hardware security keys (or just security keys) are devices with special security properties, like cryptographic capabilities and tamper resistance. You don’t have to worry about any of this, just know in order to use it, plug the security key into a device and tap the button on the security key”
“Register your security key with your account and then put it somewhere secure, like in a safe or a locked drawer. Unlike your phone or computer, which you’ll use to log in to your account every day, at Foobar we use security keys for emergencies, like if you were to lose or break both your computer and phone”*
Registering Bob’s Security Key
Following Alice’s instructions Bob plugs the security key into his computer, goes to his corporate account settings, clicks Register New Device, selects the security key, clicks Register, and follows the instructions. Similar to registering his iPhone, Bob taps the security key, scans his finger on his MacBook, and successfully registers his security key. He then locks it in his super secure desk drawer at work.
Bob Logs In To An Untrusted Device
Now Bob’s on vacation in Hawaii, and he needs to log in to his corporate account on a computer. There’s only one problem - Bob forgot his computer! He eventually finds a shared hotel computer. Bob goes to Foobar’s website, types in his username, and clicks Login. He then gets a notification on his phone asking whether he’s trying to log in to a computer in Hawaii. Bob clicks ✅ (accept), scans his face (to prove it’s Bob), and he’s logged in!
Let’s go over what just happened. Bob’s trying to log in to his account through an untrusted device; he’s NOT trying to register/trust the device. This makes sense - Bob’s only staying at the hotel for a little while, and if he registered this shared device, anyone who uses it could log in to his account. When Bob tries to log in, Foobar’s login system recognizes Bob’s account, sees he’s using an untrusted computer, but knows Bob has other trusted devices. So Foobar’s login system pings one of his trusted devices, his iPhone, and asks through the iPhone whether he’s trying to log in to the computer in Hawaii. The hotel computer only gets a session for this one login; it never becomes one of Bob’s trusted devices. This system of logging into one device (untrusted) through another (trusted) device is called delegated authentication, or delegated login.
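The three mechanisms the story walks through - approving a new device from an already trusted one (Trusted Devices For Administration), a device that vouches for Bob only after its own biometric check (Trusted Device, NOT Trusted Fingerprint), and the delegated login just described - as one added example in Go. This is illustrative code written for this page, not code from the post or from passwordless.consulting, and it assumes a model the post doesn’t spell out: each trusted device holds an Ed25519 private key that never leaves it and is only used after the on-device biometric match succeeds, the server stores nothing but public keys per account, and every approval is a signature over a fresh server challenge that names what is being approved. The device and account names, the `biometricOK` flags standing in for the on-device match, and the first device of an empty account enrolling without an approver are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device is an assumed model of a trusted device: the private key never leaves
// it, and it only signs after a local fingerprint/face match the server never sees.
type Device struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice(name string) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{Name: name, Pub: pub, priv: priv}
}

// Sign uses the device key only if the on-device biometric check passed.
func (d *Device) Sign(msg []byte, biometricOK bool) ([]byte, error) {
	if !biometricOK {
		return nil, errors.New(d.Name + ": biometric check failed")
	}
	return ed25519.Sign(d.priv, msg), nil
}

// Server stores, per account, only the public keys of trusted devices.
type Server struct{ Trusted map[string][]ed25519.PublicKey }

func NewServer() *Server { return &Server{Trusted: map[string][]ed25519.PublicKey{}} }

// challenge binds a fresh nonce to a description of what is being approved, so
// an approval for "login from Hawaii" cannot be replayed as "register a device".
func challenge(what string) []byte {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append([]byte(what+"|"), nonce...)
}

// approvedBy reports whether sig over msg was made by a trusted device of user.
func (s *Server) approvedBy(user string, msg, sig []byte) bool {
	for _, pub := range s.Trusted[user] {
		if ed25519.Verify(pub, msg, sig) {
			return true
		}
	}
	return false
}

// RegisterDevice is the iPhone flow: the new device proves it holds its key (face
// scan on the iPhone) and a device the account already trusts signs the same
// challenge (accept + finger scan on the MacBook). Assumed: the first device of an
// empty account enrolls with no approver, as Bob's MacBook did on day one.
func (s *Server) RegisterDevice(user string, newDev *Device, newOK bool, approver *Device, approverOK bool) error {
	chal := challenge("register|" + user + "|" + newDev.Name + "|" + hex.EncodeToString(newDev.Pub))
	newSig, err := newDev.Sign(chal, newOK)
	if err != nil || !ed25519.Verify(newDev.Pub, chal, newSig) {
		return errors.New(newDev.Name + ": possession proof failed")
	}
	if len(s.Trusted[user]) > 0 {
		if approver == nil {
			return errors.New("account already has trusted devices; one must approve")
		}
		okSig, err := approver.Sign(chal, approverOK)
		if err != nil || !s.approvedBy(user, chal, okSig) {
			return errors.New("no approval from a trusted device")
		}
	}
	s.Trusted[user] = append(s.Trusted[user], newDev.Pub)
	return nil
}

// Login has a trusted device sign a challenge naming where the login happens.
// Native login: approver is the device being logged into. Delegated login: the
// session goes to an untrusted machine (the hotel PC), which is never enrolled.
func (s *Server) Login(user, where string, approver *Device, approverOK bool) (string, error) {
	chal := challenge("login|" + user + "|" + where)
	sig, err := approver.Sign(chal, approverOK)
	if err != nil || !s.approvedBy(user, chal, sig) {
		return "", errors.New("no approval from a trusted device for " + where)
	}
	return "session-" + hex.EncodeToString(chal[len(chal)-16:]), nil
}

func main() {
	srv, bob := NewServer(), "bob" // account name is a placeholder
	mac, phone := NewDevice("macbook"), NewDevice("iphone")
	fmt.Println("macbook:", srv.RegisterDevice(bob, mac, true, nil, false))
	fmt.Println("iphone: ", srv.RegisterDevice(bob, phone, true, mac, true))
	fmt.Println(srv.Login(bob, "shared hotel computer, Hawaii", phone, true))
	fmt.Println(srv.Login(bob, "stolen macbook", mac, false)) // biometric fails
}
```

The `biometricOK` arguments are a stand-in for the round trip a real deployment makes to the device: the server would send the challenge and receive a signature back, and it is the device, not the server, that decides whether the fingerprint or face matched. Two things worth checking against the story: a hacker who knows Bob’s username can call `RegisterDevice` all day and gets nothing without a signature from a key already in `Trusted`, and a hacker holding Bob’s MacBook gets nothing either, because the key only signs after the biometric check. The untrusted hotel computer receives only the session string; its public key is never added.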
We just went through an example of an employee at a company registering and logging into their account using passwordless login. More specifically, the passwordless login system uses a network of trusted devices that can perform native authentication (logging in through a trusted device) and delegated authentication (logging in through an untrusted device). This story isn’t merely fiction - it’s technology I’m currently helping to build through the company passwordless.consulting. If you’re curious about bringing this technology to your employees/customers, or just want to learn more about passwordless authentication, feel free to reach out to me at firstname.lastname@example.org.
* In one setup, the IT department might register a security key of its own to Bob’s account, so that even if Bob loses his computer, phone, AND security key they can still recover Bob’s account.