OCI IAM - The What, Why, and How of Passwordless Authentication

April 25, 2023 | 10 minute read
Praveen Hanchate
Principal Cloud Architect
GK (Gopi Krishna) Goalla
Master Cloud Architect - Security @ OCI

The Problem Statement

In today's world, most web application users are forced to memorize and track many passwords. Many of them reuse the same or similar passwords across applications; others choose weak passwords, or write or save them to a file or a sticky note, which increases the risk of compromise by bad actors. In most cases, attackers guess or steal credentials to gain access to sensitive information through keylogging, phishing, brute force, or man-in-the-middle attacks. These attacks account for most data breaches, with more than 82% stemming from stolen passwords, phishing, misuse, and errors.

OCI IAM Identity Domains offer a feature called "Passwordless authentication" that helps to overcome this problem. In this blog, we explore passwordless authentication in more detail:

Introduction / Overview

Passwordless authentication is a technique that lets a user bypass the standard web-form login and gain access to a web application or IT system without entering a password, answering security questions, or supplying any other memorized secret. Passwords have been considered unsafe for a very long time: they are hard to remember, easily misplaced, and easily phished or guessed.

Getting Started

Passwordless authentication can be achieved in several ways; the most common are:

  1. One-time passwords (OTPs)
  2. Hardware Tokens or Software Tokens
  3. Authenticator Apps
  4. Biometrics
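As an added example (not code from the original post or from OCI), the following Python sketch shows the username-first, email-OTP flow that the rest of this post configures, together with the checks a production implementation needs when the emailed code is the only factor: the OTP is generated with a CSPRNG, short-lived, single-use, limited in the number of guesses, and compared in constant time, and an unknown username receives the same response as a known one so the login page cannot be used to enumerate accounts. The class and method names, the validity window and attempt limit, the in-memory outbox standing in for the mail sender, and the sample user directory are all constructed for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: 5-minute validity window
MAX_ATTEMPTS = 5        # assumption: wrong guesses allowed per issued code


@dataclass
class PendingOtp:
    code: str
    issued_at: float
    attempts: int = 0


@dataclass
class PasswordlessOtpService:
    """Illustrative username-first + email-OTP login (not OCI's implementation)."""
    users: Dict[str, str]                                        # username -> email (constructed)
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # stands in for the mail sender
    pending: Dict[str, PendingOtp] = field(default_factory=dict)
    clock: Callable[[], float] = time.time                       # injectable for deterministic runs

    def request_code(self, username: str) -> None:
        """Username-first step. Returns nothing either way, so the caller cannot
        tell a known username from an unknown one (no account enumeration)."""
        email = self.users.get(username)
        if email is None:
            return
        # secrets, not random: the OTP must be unpredictable
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.pending[username] = PendingOtp(code=code, issued_at=self.clock())
        self.outbox.append((email, code))

    def verify_code(self, username: str, submitted: str) -> bool:
        """Second step: the emailed code is the only factor, so it must be
        short-lived, guess-limited and single-use."""
        entry = self.pending.get(username)
        if entry is None:
            return False
        if self.clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self.pending[username]          # expired: force a fresh code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[username]          # too many guesses: invalidate the code
            return False
        ok = hmac.compare_digest(entry.code, submitted)   # constant-time comparison
        if ok:
            del self.pending[username]          # single use: a replayed code fails
        return ok


def demo() -> Dict[str, object]:
    """Walk through the flow with a fake clock; returns the outcome of each check."""
    now = [1_700_000_000.0]
    svc = PasswordlessOtpService(users={"alice": "alice@example.com"},
                                 clock=lambda: now[0])
    results: Dict[str, object] = {}

    svc.request_code("mallory")            # unknown user: nothing is sent, same response
    svc.request_code("alice")
    _, code = svc.outbox[-1]
    wrong = "999999" if code != "999999" else "000000"
    results["wrong_code"] = svc.verify_code("alice", wrong)
    results["right_code"] = svc.verify_code("alice", code)
    results["replay"] = svc.verify_code("alice", code)      # already consumed

    svc.request_code("alice")
    _, code = svc.outbox[-1]
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = svc.verify_code("alice", code)     # outside the window

    svc.request_code("alice")
    _, code = svc.outbox[-1]
    wrong = "999999" if code != "999999" else "000000"
    for _ in range(MAX_ATTEMPTS):
        svc.verify_code("alice", wrong)
    results["locked_out"] = svc.verify_code("alice", code)  # correct, but budget exhausted
    results["mails_sent"] = len(svc.outbox)                 # 3: none for mallory
    return results


if __name__ == "__main__":
    print(demo())
```

The same structure applies to an SMS or push factor: what changes is the delivery channel, not the expiry, single-use, attempt-limit and constant-time checks, and in a real deployment the pending codes would live in a store shared by all login nodes rather than in process memory.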


Advantages:

  • Improved user experience and productivity
  • Stronger security, since there is no password to phish, guess, or reuse
  • Reduced helpdesk costs

Disadvantages:

  • Dependency on the device or authenticator app that delivers the one-time password.
  • Single point of failure if a user has only the "mobile" factor configured: the user cannot log in to applications without access to the mobile device that receives the OTP or push notification (for example, device switched off, poor cell reception, lost, or stolen). Enrolling a second factor as a fallback avoids this.


The Confusion:

Passwordless authentication is sometimes confused with multi-factor authentication (MFA). Both draw on the same range of authentication factors, but MFA is usually an extra layer of security on top of regular password-based authentication, whereas passwordless authentication removes the memorized secret altogether and often uses a single strong factor to authenticate the identity, making it faster and simpler for users. The two are not mutually exclusive: a passwordless login can itself be multi-factor, for example a hardware security key unlocked by a PIN or biometric.


Steps to enable Passwordless Authentication in OCI IAM Identity Domains


1. Log into the OCI Console with the Identity Domain Administrator role and go to the identity domain in which you want to enable passwordless authentication. From the OCI Console, click the menu option at the top left, then "Identity & Security" -> "Domains".

Note: select the correct compartment to display "Domains". Please see the screenshot below for reference.


2. Click <DomainName> -> "Security" -> "MFA" and enable the MFA factor (or factors) that will be used in place of the password. In this blog, Email is used as the factor. Note that with email as the only factor, anyone who controls the user's mailbox can sign in as that user, so prefer a phishing-resistant factor where the domain offers one, and enable more than one factor so users have a fallback.


3. Enable the username-first flow, i.e. change the sign-in page so that it displays only the "username" field, as shown below: click <DomainName> -> "Settings" -> "Session Settings", select "Enable username first flow", and save the changes.

Enabling the "Enable username first flow" option is what allows passwordless authentication: it changes the conventional username-and-password login to a username prompt followed by the additional factor.


4. Create or update the Identity Provider (IdP) policy to include a rule for passwordless authentication: click <DomainName> -> "Security" -> "IdP Policies" -> "Default Identity Provider Policy", click "Add IdP rule", assign the identity providers (the factor enabled in step 2), select conditions (if any), and click "Add IdP rule", as shown below.

Note: in this example, membership of the "Domain Readers" group is the condition that triggers passwordless authentication.


5. Edit the identity provider rule order so that the "PasswordLess Authenticate rule" is at the top, as shown below, so that it is evaluated before the default rule.

Note (optional): select specific apps if you want the rule to apply only to those applications.
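The ordering in step 5 matters because a policy's rules are evaluated from the top and the first rule whose conditions match decides how the user signs in (that first-match behaviour is an assumption stated here; it is why the note moves the passwordless rule above the default one). The following Python model is an added illustration of that evaluation, covering the group condition from step 4 and the optional app scoping from the note; it is not OCI code, and the rule names, the "Email OTP" and "Username-Password" identity provider labels and the app names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple


@dataclass(frozen=True)
class IdpRule:
    """One rule of an IdP policy (illustrative model, not OCI's schema)."""
    name: str
    identity_providers: Tuple[str, ...]   # how matching users may sign in
    groups: FrozenSet[str] = frozenset()  # condition: empty means any user
    apps: FrozenSet[str] = frozenset()    # optional app scoping: empty means any app

    def matches(self, user_groups: FrozenSet[str], app: str) -> bool:
        group_ok = not self.groups or bool(self.groups & user_groups)
        app_ok = not self.apps or app in self.apps
        return group_ok and app_ok


def select_identity_providers(rules: Iterable[IdpRule],
                              user_groups: Iterable[str],
                              app: str,
                              fallback: Tuple[str, ...] = ("Username-Password",)
                              ) -> Tuple[str, ...]:
    """First matching rule wins (assumed evaluation order); fallback if none match."""
    groups = frozenset(user_groups)
    for rule in rules:
        if rule.matches(groups, app):
            return rule.identity_providers
    return fallback


# Constructed rules mirroring the blog's setup: Domain Readers go passwordless via email OTP.
PASSWORDLESS = IdpRule("PasswordLess Authenticate rule", ("Email OTP",),
                       groups=frozenset({"Domain Readers"}))
HR_ONLY = IdpRule("HR passwordless", ("Email OTP",),
                  groups=frozenset({"Domain Readers"}), apps=frozenset({"HRApp"}))
DEFAULT = IdpRule("Default IdP rule", ("Username-Password",))


def demo() -> Dict[str, Tuple[str, ...]]:
    """Evaluate the same user against three rule orderings."""
    on_top = (PASSWORDLESS, DEFAULT)     # step 5: passwordless rule first
    shadowed = (DEFAULT, PASSWORDLESS)   # catch-all first: passwordless never fires
    scoped = (HR_ONLY, DEFAULT)          # app-scoped rule from the note
    return {
        "reader_on_top": select_identity_providers(on_top, {"Domain Readers"}, "MyConsole"),
        "reader_shadowed": select_identity_providers(shadowed, {"Domain Readers"}, "MyConsole"),
        "non_reader": select_identity_providers(on_top, {"Developers"}, "MyConsole"),
        "scoped_hr_app": select_identity_providers(scoped, {"Domain Readers"}, "HRApp"),
        "scoped_other_app": select_identity_providers(scoped, {"Domain Readers"}, "MyConsole"),
    }


if __name__ == "__main__":
    for case, idps in demo().items():
        print(f"{case:18} -> {', '.join(idps)}")
```

The "reader_shadowed" case is the misconfiguration the step guards against: with the unconditional default rule above it, a Domain Reader is still prompted for a password and the passwordless rule is dead.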


GK (Gopi Krishna) Goalla

Master Cloud Architect - Security @ OCI

GK Goalla is a security pre-sales expert who currently serves as a Master Cloud Security Architect at Oracle. GK brings 17 years of security experience to help organizations achieve their security and compliance goals, advising them on best-in-class security solutions and optimal security practices. His background encompasses cloud security, data security, identity governance and access management, and IT compliance. Multiple industry and Oracle certifications underscore his expertise across these security domains. GK is passionate about learning new technologies and staying current with the latest trends and best practices in the security industry.

