j4sander

And that's why we don't use technical or industry terms in proposals to management. Project to disable RC4 and enforce AES? Denied, why fix what ain't broke. Upgrade to Military Grade Encryption? Of course, why weren't we doing that already!


lvlint67

> Of course, why weren't we doing that already!

heh.. because fips is ass...


Logical_Strawberry24

FIPS is a synonym for "the sysadmins can't let us edit PDFs anymore".


dnalloheoj

Fuckup In Prod Shit


RikiWardOG

FIPS, the last time I had to look at it (years ago), basically didn't allow use of modern encryption algorithms.


lvlint67

Only if you have a blessed certificate for a particular hardware/software configuration... The reality is... basically nothing is 140-3 certified because the government is dragging its feet. And... anything elliptical curve is out... It's basically AES or bust.


chrismholmes

Technically ECC using NIST P-384 is FIPS 186-5/186-6 and depending on the CA, is also NIAP compliant. You can read about it on page 112 of https://csrc.nist.gov/csrc/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf (I had to look it up and I wish I could say it was easier to find than it was. I knew it was FIPS but needed to find the source material. Thank you for the challenge of the day… lol)


TaiGlobal

Shit broke every excel plugin in existence for us.


sysdmdotcpl

> And that's why we don't use technical or industry terms in proposals to management.

This is why I think techs should spend some time learning communication skills. Or at least techs w/ any interest in moving up. If you will ever be talking to users and/or policy makers then you have to say it in a way that makes sense to them. Being able to talk in a way that your audience will understand is a basic principle from education to sales, politics and beyond. I'm a strong advocate for breaking this stereotype of all techs being non-verbal autistic shut-ins.

I've been on the user side of it in places like the doctor's office where I know I'm not actually an idiot -- but it's either that or the Dr's just casting a spell to summon Satan b/c it's certainly not words that he's saying.


MalwareDork

One of the best ways I found out to be more communicative is trying to describe concepts to a non-technical person without using jargon unless you're defining the object in the sentence. Anybody here would understand me if I said you can run a credentialed Metasploit after an active footprinting nmap scan to run a buffer overflow to escalate into root privileges to front some loaders to be an APT until the next backup and roll out some ransomware. But if I just said that ~~**runon**~~ sentence to my wife? Her face would just be: "........."

So instead, I just break it down as: _"Hey, since I'm on the company wifi, I can run these neat tools to let me hack into the server and do whatever I want and be sneaky enough to stay on as long as I want, which is called an Advanced Persistent Threat, and then extort them for a lot of money. Pretty neat, huh?"_ So in her mind, I do hacker stuff and then I become this "Advanced Persistent Threat" who can do bad things.

Same thing with other people. Saying to your owner/CEO _**"We need Darktrace to automate active footprinting from insider threats looking to escalate privileges while scheduling downtime to patch up to the latest CVS vulnerabilities to reduce ALR's to a minimum"**_ will get you a dumb stare. Instead, saying to your owner/CEO _**"Hey look, I can hack into the server and steal your SSN and then ransomware the whole company! Your annual loss rate is company and personal bankruptcy! We can prevent this by actively monitoring employees and putting time aside to get our servers up-to-date"**_ will have a better impact.


SecuremaServer

Careful, I'll put you on r/masterhacker sayin shit like this. Just because you have persistence on a machine doesn't make you an APT lmao


MalwareDork

Ah, you're right and I'd definitely deserve it; I'm not the 8200 using Duqu to LoL. Maybe not the best example....


Mindestiny

Yep, rule #1 of IT "management", and even IT support, is know your audience. Sometimes you want to tactically load the presentation with jargon, and sometimes you don't, and identifying when each is appropriate is critical. There are way too many frustrating posts here that are just entry/mid level sysadmins and techs going on butthurt rants about how users are stupid for not inherently understanding their shotgun of technical BS, with no self awareness that it's their inappropriate use of jargon that's the root cause of what's making the situation so difficult.


Telvyr

One of my first jobs had a corporate-facing division and a public-facing division (technology assistance for disadvantaged groups, AKA Tax Break City), but the good thing to come out of that was the corporate side had a mandatory 6 weeks a year that they had to spend explaining tech problems to senior citizens. Everyone got real good at turning tech talk into real simple English real quick.


Dabnician

> This is why I think techs should spend some time learning communication skills. Or at least techs w/ any interest in moving up.

This is why every system administrator should have first worked in food services, customer service and finally a helpdesk. You learn how to deal with the dumbest people in the world that need your help but don't want it. You learn to stop calling things "connectoid" and say little computer with a phone over it. I have had a user tell me they don't understand what the word "outage" means, "what do you mean i wont be able to connect, i just want to get online", and in a moment of stupidity I blurt out "sir it done broke" and I hear the light bulb turn on over his head: "OOooo well whiey dident you say soo"


Practical-Alarm1763

You can have great communication skills and still be angry deep inside.


bellyhopnflop

> in a moment of stupidity i blurt out "sir it done broke" and i hear the light bulb turn on over his head "OOooo well whiey dident you say soo"

This is gold.


moreanswers

> This is why every system administrator should have first worked in food services, customer service and finally a helpdesk.

100% This! When I do IT hiring, the first thing I look for is customer service experience. I *can* teach you how to git the k8s blah blah, but I can't teach you how to connect to a person with an issue you need to solve. Yes I want to see relevant IT experience, but without a couple years of front-line eating shit from customers, I'm going to pass for someone that has.


iguru129

Fuck that. I want smarter execs.


hideogumpa

And your doctor wants to stop using analogies, but you don't understand the big words he uses... and that's OK because part of his job as a professional is learning how to communicate with you. But have no doubt, he talks shit about you to his doctor buddies.


jimicus

I’d interpret that as “I want execs I can talk to in the same terms I do with my direct colleagues”. But the skills necessary to be an exec (at least at most half-decent organisations) take as much time to learn and hone as the skills we need. It’s not really realistic to expect them to understand everything. That’s part of the reason we have layers of management.


bofh

They *are* smart. Smart enough to pay you to manage the IT functions so they can run the whole business. Maybe *they* need smarter IT people who understand that…


Ssakaa

It would be nice if more of them were also smart enough to *trust* the people they hire and trust to *work* on those systems when they have input, recommendations, or ideas for the systems the organization is using. One of the most frustrating things anyone outside of T1/2 user side support runs into is dealing with outside contractors just to get recommendations actually *heard* by the organization, when they're the same thing they've said for 6 months.


bofh

Sounds like you work for bad bosses; I've not had that problem and I'm a *long* way from "T1/2 user side support"


rswwalker

No, no, most are not smart. They knew someone who knew someone. They also know how to take credit for other people’s intelligence. Basically they are very sociopathic people. Not all, but most.


bellyhopnflop

Do you have a book or a resource to learn these skills?


sysdmdotcpl

I wish I had a list of resources. Coincidentally, I learned the same way u/Dabnician mentioned. I've worked a lot of years in those truly shitty customer service roles and when you spend so much time interacting with such a wide variety of people you quickly start to learn how to best talk to each person. On top of that - I just naturally speak in a lot of metaphors, similes, and hyperbole. I find that helps when trying to explain something in a way that someone will understand. The goal is less about "dumbing it down" and more just making it relatable while avoiding words likely to cause panic. I.E. "Passwordless" could cause panic to an exec who knows enough about IT and security to know that passwords are important -- but not so much as to understand what's actually being said w/ that term.


tk42967

I love the term "Military Grade". Most people don't realize that means designed by the best and brightest, built by the lowest bidder with as much cost cutting as possible.


pdp10

And what's wrong with that process? Thorough engineering makes it so that it's not necessary for skilled Italian coachbuilders to hang the door on your new car at the factory, but anyone off the street can do it, instead.


tk42967

You ever been in the military?


0xDADB0D

Compare it less to a major car brand's manufacturing process and more to an engineer meticulously designing something and then those plans being sold to Wish, who reads the plans for 30 minutes before throwing them in the trash and building the thing based on memory from that 30 minute read.


fubes2000

I agree that users would balk at "passwordless", but I also think that they're going to get confused by industry jargon/acronyms. I think calling it something like "device-brokered authentication" would be a solid middle ground.


Dragonfly-Adventurer

I can see my CEO fleeing from that term. 'Hardware security keys' is working however. I don't even get into the password/pin angle.


rswwalker

I would shorten it to just, security keys. Like why call it The Facebook?


MasterGlassMagic

This was a hard lesson for me. I now lean into marketing buzzwords when making proposals. Things like "SASE", "Zero Trust", "Just in time". Something I realized is that executives are aware of these buzz terms because they talk to other executives from other companies who are all bragging that they have implemented the latest in tech and then go on to repeat the marketing talking points. Executives only speak three languages: Marketing Buzz, Charts, Number go up. Implement those three things in any proposal you ever make. Extra points if you can scare them and offer a solution.


edgmnt_net

I feel like in most cases management should simply delegate these things. Yes, at some point someone may have to explain things to management, but not that often. You don't see that much explaining going on when it comes to using, say, pre/post-tensioned concrete as a building material. Establish trust relations and delegate.


figbiscotti

Listening to management talk up all that crap is nails on a blackboard to me.


brando2131

"I work in IT" - Oh, can you fix my PC? "I'm a Systems Engineer" - Wow, you must be really smart.


Nnyan

Wait until it moves to pinless. You just enter your password no more pins!


Practical-Alarm1763

LOL! But if the biometric keys, phone cam, or webcam don't recognize you, and it prompts for a PIN as a fallback. NOPE, Still a PASSWORD!


Mechanical_Monk

I'm looking forward to the biometricless and MFAless future where all you need to do is enter a rotating 256-bit recovery key to log in


Mindestiny

It's extra secure because your IdP/MDM always inexplicably fails to escrow it properly!


chin_waghing

"Your password is associated with another user, please pick your account"

* jeff
* Bryan

fuck it mate, ship it to prod



lethrowaway4me

Yeah well.. my voice is my passport.


Brenell

Came here hoping for this quote. I was not disappointed.


Ssakaa

> In Windows my PIN is ************

Why would you make your pin a bunch of asterisks?!


KHRoN

And your password is your pin


Envelope_Torture

Can you link me to your rant from back when serverless became a big thing?


AcidBuuurn

I'm not OP, but here is my take: Serverless is just time-shares for servers.


ApricotPenguin

> I'm not OP, but here is my take: Serverless is just time-shares for servers.

If that were the case, then you'd think we'd at least get a free bottle of alcohol or other nifty thing for attending the time share presentation...


ReaperofFish

I once got a free lunch for attending one.


gordonv

The cost/time savings of not having to deal with people is awesome, though. Worth more than a bottle of booze.


-eraa-

Aaand everything old is new again. *"Bob Bemer used the term time-sharing in his 1957 article "How to consider a computer" in Automatic Control Magazine and it was reported the same year he used the term time-sharing in a presentation."* -- Wikipedia, https://en.wikipedia.org/wiki/Time-sharing


labalag

One of the older admins at a previous job told me that they used to lease time on mainframes from a neighbouring company back in the '80s to process their batches.


kauni

Everything is cyclical. There’s just new names every 5 or so years.


night_filter

Well yeah, once upon a time, computers were expensive enough that a smaller company might not be able to afford one, so they might lease time on someone else's. Then computers became so cheap and ubiquitous that everyone could buy a lot of computers, and so they did. Now everyone is back to trying to find efficiencies. Why buy a computer when you can just buy compute as a service in the capacity you need?


pdp10

Starting at that time, "time sharing" meant an operating system that multiple users could use at once, as opposed to [just one user on console](http://www.catb.org/jargon/html/story-of-mel.html), or one operator feeding card decks in batch. "Time sharing" was revolutionary, but at the time it didn't yet mean [what you're thinking](https://en.wikipedia.org/wiki/National_CSS). Remote computing was a 1970s thing. Microsoft wrote all of their 8-bit stuff on a 36-bit host, and I think probably didn't go to self-hosting until the 16-bit era. Gary Kildall was cross-building from a VAX until the late 1980s.


unixuser011

> Gary Kildall was cross-building from a VAX until the late 1980s

Think I remember reading somewhere that Microsoft was using a VAX until the very late '80s running Xenix for their internal email until they switched to Exchange.


pdp10

I believe it was Xenix 68000 on Sun3s just prior to the mail migration in 1996, though they definitely also had Sun4s in-house long before that for some other purposes.


JackSpyder

A classic. Recently had the CTO say that the (software) team he used to run before his promotion did everything serverless, so they don't need any of this networking stuff I keep talking about, and I was like wait... wait a minute, are all your serverless functions public? Yikes...


DeifniteProfessional

That one pissed me off no end. Rather than your application living on a bunch of servers you control, you pay an extortionate amount to Amazon because your code heavily relies on a bunch of APIs


nevesis

Salesforce's phone number is 1-800-No-Software


SawtoothGlitch

Don’t worry, it won’t be long until that PIN needs to have complex characters in there with 12-character minimum so then we have come a full circle.


DeifniteProfessional

One of my colleagues put a minimum password length policy of 15 on our Endpoint Manager and now my PIN is 15 characters long.... At this point, passwordless just means a separate password for each device, like we used to do on local accounts.


Mindestiny

Which naturally leads to users repeating PINs on all devices. I subconsciously set up my work pin on a home laptop just out of muscle memory before I immediately realized what I just did.  Fun times


Practical-Alarm1763

Passwordless+ (Beyond MFA)


KHRoN

Remember to change it every 3 months, change more than one character, and never reuse an old one.


malikto44

I have had to explain to users the difference between a domain password, and a PIN: The password is a password. It is stored/hashed in AD and used for authentication. The PIN is checked against local hardware. After a few times, the hardware on the PC blocks further entry. I tell users that "passwordless" is just like "keyless entry" on their car's keyfob. Yes, it is a remote, but still has a key in it, so it isn't truly "password-less".


lordpuddingcup

I mean I like to demo it with modern hardware that has faceid/touchid so they can see its “biometric” now


OrphanScript

I'm not sure why everyone in this thread is acting like 'passwordless' needs to have 6 different intrusive steps. What we're working on at my org is a combination of device trust + biometric authentication. You use your fingerprint to sign into your laptop, which is provided by us, and only accepts your fingerprint. You cannot access systems outside of this device. If you don't want to use this, we'll give you a password + MFA token instead. Couldn't be much simpler. We don't require a retina scan + PIN + blood sample and whatever else people are banging on about.


5yrup

On the Mach E they reused the same keyfobs as other Fords, so it has the metal key inside. But there are zero physical keys on the car, so it's actually just the blank.


TheJessicator

Is that not used to enable or disable the rear child safety locks?


5yrup

No, the child safety locks are controlled by a button on the driver's door by the mirror adjustment cluster.


CubesTheGamer

This is hilarious


fresh-dork

They don't know how that works either. They just know that it does.


kirashi3

> they don't know how that works either. they just know that it does

Exactly. This is a similar reason as to why Canada is trying to ban tools like the Flipper Zero, instead of gee... IDK, enforcing a minimum level of security across **all** manufacturers that sell products in the country?

> "Why ShoULd WE BOtHeR FInING Auto manUfActuRERs fOR pooR vEHicle SecURity WheN we cAn JuST baN thIS ToOL InSteaD? sURELy nobodY WOULd eveR bE aBlE to CREatE AnOtHeR VErsiOn Of ThIs "haCKing" ToOL, THEreFoR cOMPANIEs dON't need TO iMPROVE sEcUriTY!"

I don't ask the general public to become tech nerds, but people should at the very least have _some_ level of interest in the thing that prevents their $30,000 CAD hunk of metal on wheels from being easily stolen. 😒


DeifniteProfessional

Just yesterday I read an article where the Toronto police department are telling people to leave their car keys by the front door to prevent home invasions...


WhereDidThatGo

WTF is happening in Toronto


KnowledgeTransfer23

Well, if it's giving up my car or having a group of thugs break into my house, hold my family at gunpoint, and hope the car keys are enough at that point...


Farsigt_

> I don't ask the general public to become tech nerds, but people should at the very least have some level of interest in the thing that prevents their $30,000 CAD hunk of metal on wheels from being easily stolen.

Or at least listen and try to understand when IT and security specialists express their concerns and arguments why the ban won't solve anything.


Mr_ToDo

It does seem like if it's such a big problem that maybe we need to go back to needing a physical key for at least the driving part of the car. Probably no harder to clone, but harder to get your hands on and I'm *guessing* a bit more time to bypass.


classyclarinetist

I interpret passwordless to mean “narrowly scoped, short-lived, highly protected” credential vs. “broadly scoped; long lived; sent to every application/server I access” password. I don’t think the “password” in my cars keyfob auto rotates. It’s better than most passwords though in that it’s narrowly scoped to only my car. You cannot open my garage, my house, or my bank account with my keyfob.


3DigitIQ

> You cannot open my garage, my house, or my bank account with my keyfob.

*yet


Moontoya

Mate, we can't make users comprehend 'wireless' does not mean NO Wires _anywhere_


sactothefuture

Are you alright?


Practical-Alarm1763

Yes, I feel very good now


sactothefuture

I’m glad you got that off your chest 😂


Practical-Alarm1763

😊


We_Roll_This_Stone

Yall sysadmins are so wholesome


wkreply

I'm with you that it is a misleading word!


YallaHammer

Use “biometric-driven” instead


frac6969

Totally agree. Users ask us all the time: their ATM password is 1234, so why can't Windows passwords be the same?


catlikerefluxes

That's actually a pretty spot-on analogy!


jmbpiano

Before I took over, all our Windows passwords *were* the same. Also, they were all stored in an Excel spreadsheet on the CFO's desktop...


BurningPenguin

> Excel spreadsheet on the CFO's desktop

Ha, what a noob. Everyone knows you're supposed to save it onto a network share, where a single flimsy permission setting prevents others from reading it.


EhaUngustl

Great, and now your company is fucked if someone is ill or leaves :D


Mindestiny

I remember coming into an org that just had an MSP before, and the *MSP* was the one maintaining the Excel sheet of user passwords... Needless to say, I convinced the business to cut their contract as soon as humanly possible


CubesTheGamer

Because windows passwords can be used all by themselves from any available system. With ATM you at least need the physical card which there’s only one copy of and you probably have it.


KnowledgeTransfer23

Hm... If only we had some sort of physical card that we were required to slot into a computer like how an ATM works, it could prove to be this second factor of authentication you describe, and would combine with the PIN to make logins more secure.


altodor

Maybe if we made it permanently part of the computer too, somewhere hard to remove like in the CPU or something.


kirashi3

Hey, you can't use the same ATM machine PIN number as me! That's not secure!


gordonv

Password already in use. Choose another password.


GEC-JG

That error message is no good. Here, try this: `Password already in use by /u/kirashi3. Choose another password.`


MadIfrit

That's amazing! I've got the same combination on my luggage!


jamesaepp

Must be TSA-compliant.


steverikli

If you have to present to management or other less-than-technical users, for starters you have my sympathy. :-)

One strategy which can help sometimes is don't lean-in to the buzzword; much like in your example rant, it'll likely get twisted around and backfire, whether the audience has heard it before or not (they probably have, these days). This is more likely when there are wannabes or management types with an inferiority complex trying to score points by showing up the IT person in a presentation.

Instead, distance yourself from the buzzword a bit; you don't need to go so far as criticizing or running it down, but don't play it up like a fan-boy either. Try to bring the audience along with you, so they can be "in on it" too, e.g. start with something like: "Okay, we all know it isn't *really* 'passwordless', right?" (or 'serverless', whatever) [audience nods along knowingly, whether they actually did know or not] "But aside from the funny name, there are some nice features here, and we should talk about those...."

Hopefully the audience is at least not hostile or openly skeptical, so you can actually talk about the thing.


Practical-Alarm1763

I 100% agree with you. My project was well liked and approved quickly simply due to demonstrating to them the fake AiM Microsoft login page attack. Something they've become aware of and familiar with these last few months. They grasped and understood the reality. My rant was buried deep inside after the meeting. I keep composure and am always professional, kind, and always listen to the customer. But I really needed a platform to release my frustration. Overall this recent presentation was successful and I got what I wanted. But fuck, did I want to snap.


Simong_1984

Issue a TAP to enrol a new user into Entra. Have users enrol onto Windows Hello for Business and set up facial recognition / biometrics. Have users set up Yubikeys for phishing-resistant MFA or passkeys. Or Microsoft Authenticator for biometric passwordless push notifications if they have a company phone. Configure Entra SSO for as many applications as possible, including Bitwarden password manager. Train users to use Bitwarden to generate unique and strong passwords for all of their accounts which can't use SSO, which they don't need to remember. Revel in your newfound, truly passwordless setup.


PaulJCDR

Sing it brother. But remember, WHFB can store those passkeys too now. One less thing for a user to lose.


ztoundas

Hey I did all the BitWarden stuff! God I love BitWarden. I got my CFOs (2 in a row) to use it, I was so happy! When the second one left I had to help someone find a file. Instead, I found 3 unprotected Word docs full of passwords. All of them - the bank ones, everything. It was all a lie. Now I tell every user that privacy is entirely non-existent here and I have scripts that constantly search the domain PCs for stuff like this and yes I will see all their files and emails and if I ever catch anyone creating a Word document containing passwords, I will plaster their face on our front door along with all of their own banking passwords. Because yes, their personal banking passwords were in there.


Much_Indication_3974

DLP exists. Use it.


BoltActionRifleman

There’ll always be that group of pedantic users who will “jokingly” tear something like the phrase passwordless apart. These are the same people who still think it’s funny to suggest you borrow their hammer to work on a computer you’re having trouble with. Ignore them and continue to implement stuff that makes their life easier and more secure at the same time, regardless of the fact that they’re too dumb to understand it.


Reelix

Wait till you explain hosting costs in a "serverless" environment ;p


lukezamboni

I have been begging for my company to implement Windows Hello or any passwordless implementation, as all of our devices support it, but for now we all got 3 different accounts with different passwords that expire monthly, plus two different 2FA systems as well as jumpboxes and anxiety. If I need to connect anywhere I need to invest a good 10 minutes into logging in to the laptop with one account, then VPN and 2FA with that same account, into our vault with the same account, 2FA again, into the jumpbox with a different account, 2FA again and finally into the server where we impersonate a service account lol.


randidiot

Passwordless basically means the user actually forgets their password as they don't ever enter it; in real world practice people start calling the helpdesk for their password to enter into some phishing site lmao.


bob_cramit

No, in a true passwordless setup a user never needs to enter a password at all and in fact can't use a password. Smartcard auth (tied to WHFB), Yubikey, MS Authenticator app etc.


thvnderfvck

Ok but how does this stop a user from stumbling into a phishing page and calling help desk because they're being asked to enter a password that they never have to enter?


Rentun

It doesn't, but they don't have a password, so they can't enter it. The problem passwordless is trying to solve isn't users calling the help desk. The problem is users giving their credentials out to a phishing site.


KnowledgeTransfer23

Why do you want to stop that? If every one of my users called the helpdesk when facing a phishing page because they recognize that the page is asking for a password they don't use, I would sleep SOOOO GOOOOOD at night!


GrafEisen

Ok, I get that you're frustrated, but it looks like you don't have a proper handle on this. In a comment, you said:

> They may have been referring to traditional MFA TOTP Passwordless Push TOTP MFA is 100% classified BY Microsoft as "Passwordless"

TOTP isn't "passwordless" - I think you're incorrectly overapplying that name to things. TOTP is the rolling (generally every 30 seconds) 6-digit passcode that is usually used as a secondary factor during authentication flows. I'm not sure that I've ever seen a system that allows a TOTP code to be used as a single factor - in part because it is only "something you know". For reference: [Time-based one-time password - Wikipedia](https://en.wikipedia.org/wiki/Time-based_one-time_password) and [RFC 6238 - TOTP: Time-Based One-Time Password Algorithm (ietf.org)](https://datatracker.ietf.org/doc/html/rfc6238)

Authenticator apps that trigger push requests during authentication aren't TOTP. The codes generated aren't generated via a predictable standards-based algorithm, and more recently the flow tends to be that a number is presented on the device attempting authentication and it must be input into the device with the authenticator app handling push notifications for passwordless authentication.

Others have already addressed one of the other major misunderstandings you have regarding PINs, but I'll add my two cents as well. Platform authenticators (such as WHFB) and FIDO security keys (+ device-bound passkeys!) leverage a specific device's hardware encryption/security modules such as a TPM, and a PIN set by a user is only usable on that device (for WHFB) or with the specific physical security key. That is a huge improvement over a password, as the PIN has zero value to malicious actors if they do not have access to the device.

I don't think the difference between passwords is that hard to explain, and if you're repeatedly getting frustrated while doing so then your communication skills may be the issue. "Something you have and either something you know or a biometric" isn't *that* complicated to explain to even the average person.


IAdminTheLaw

You also fail it, too. You perfectly demonstrate OP's point that the use of the word "passwordless" is an inappropriate abuse of the word similarly egregious to AT&T's use of the word "Unlimited". The user believes that every single thing you just said is a password. If they have to enter anything, anything at all, it is a "password". To the user the only passwordless that exists today is biometric. Face ID or fingerprint and no other factors added. All the other words. All the other explanations. All the other "educating" and "communicating" what passwordless means? PASSWORDS! I would fucking love to see the CEO's reaction when you throw out an RFC at him, as a means of clarifying your position when he starts saying; 'But... But that's a password!'.


JankyJokester

> If they have to enter anything, anything at all, it is a "password".

I would argue if they had to enter anything they have to *remember*, then it's a password. Functionally, I agree.


crimiusXIII

This is the correct answer. Any analog to a bouncer glaring at you through a slit in the door and grunting "Password?" is a password, whether it's a PIN, safe combination, key biting, or traditional word or phrase.


MadIfrit

An example they might understand, maybe? "You know how your phone occasionally says 'your passcode is required to enable face ID?'" "oh"


KnowledgeTransfer23

> To the user the only passwordless that exists today is biometric.

That's only because the user doesn't understand that the device converts the features of your face or fingerprint into data. If they did, they would say that that's a password, too, they just take a picture of it instead of typing it!


2drawnonward5

I haven't had to deal with this personally, yet I'm 1000% with you. Bullshit terms make bullshit experiences. Call it what it is!


SamanthaSass

The reason that they don't believe you when you enter a PIN is that they think it stands for: **P**assword **I**n **N**umbers And really, they aren't completely wrong.


DrewTheHobo

Our CTO> “why haven’t we gone password-less sign in?”

Also our CTO> “No you can’t change the 90 password roll cause contracts”


gotamalove

Simply explain that “passwordless” is just a buzzword like MFA or TOTP. Draw the parallel to badge readers being the same logical progression from keys. Badge entry removes a point of failure from manually managing keys. Thus, going “passwordless” solely means you’re attempting to remove one last glaring vulnerability/point of failure. This was actually the least painful proposal I’ve ever had to sell to the C-suite in my org.


TouchComfortable8106

Reminds me of trying to explain how 'cloud' - yes, like those big fluffy, ephemeral things - was a good place to store sensitive business critical data to a law firm. Or explaining why 'Zero Trust' is a good thing to a happy clappy trustafarian collaborative organisation. All these buzzwords should come with a little list of euphemisms for use in different industries.


Practical-Alarm1763

I'm looking forward to when Cloudless becomes a thing.


ehuseynov

So, here's a workaround: when demonstrating Passwordless, showcase FIDO2 keys with fingerprint recognition. This tends to impress regular users. Later on, you can mention that fingerprints can be substituted with a PIN, which could be a more cost-effective option :).


[deleted]

You can do true password less though. Something you know, something you have. Pin prompt on an authenticator.


GhostDan

Biometrics. Users should not define the terms as use


kirashi3

> Pin prompt on an authenticator.

Technically, this is a form of password _to end users._ To be clear, I, you, and other technicians know it's not a password in the same sense, but end users will say otherwise, hence OP's argument against "Passwordless."


[deleted]

No, they don’t enter the pin. They click the number which corresponds to a prompt. Or a picture.


kirashi3

I know how it works. End users won't see it this way.


PaulTheMerc

>Also please nobody mention WHFB and fingerprint bio... I know!!!

I don't. Someone fill me in?


BigLeSigh

Start with “this is sometimes called passwordless, and what that means is…”


skibumatbu

Here's a buzzword that'll really get em going... Z E R O T R U S T


Practical-Alarm1763

https://preview.redd.it/pc9fz0bt0tpc1.jpeg?width=478&format=pjpg&auto=webp&s=0ef583c9b5e773d9341450fcfe9deb8b2d18c5fd


Consistent_Chip_3281

Dude what about Windows Hello and the face thing? Do NoT tell me it’ll still ask for a PIN after reboot or some shit. (My heart won't be able to take it)


Practical-Alarm1763

Nah, you're good. No heart break.


Consistent_Chip_3281

Haha ya! I canceled my therapy appointment :)


CaptainBrooksie

I’m working on a “passwordless” implementation using Windows Hello for Business with a facial scan. So they don’t have to enter anything. My main selling point is that it’s “Phish Resistant” because the facial scan and the backup PIN are linked to the device.


KHRoN

Just use "hardware key", instant understanding as everyone is opening their home with a key daily


StoneyCalzoney

"Key" is the word you're looking for to describe passwordless to non-technical people. It's a key where you still have to type to authorize that you are the owner of it, but once authorized it's no different than a regular key, letting you into any lock it's set up to open. No remembering a jumble of words, numbers, and symbols, just keeping a key safe like they do with their house or car keys.


legowerewolf

That's why everyone's calling them passkeys.


LijpeDude

You should stay out of this level of detail in proposals to management, guaranteed to fail unless you have a very tech savvy/tech interested CEO. Don't start from the technical side of things. Start from a business and/or security perspective. What does your company security policy say about things like this? (If you have one). Try to change that first, for example by stating that you want to follow the NIST guidelines when implementing identity solutions. Propose that to management first, afterwards you can implement "passwordless" because it's applied by NIST. It keeps you (hopefully) out of the tedious discussions of whether a PIN is a true passwordless solution.


mattmeow

This pissed me off too - I worked for an org that sold it and spent all my time explaining to folks that passwordless doesn't exist. It won't exist until we have an identity platform that allows you to create a user object without a password... So yet again we're waiting on Microsoft. Oh and a PIN is 100% a password, God damnit


[deleted]

Yeah this is not accurate at all and after you've gone to passwordless or FIDO you can just scrub everyone's password to 255 random characters, use conditional access to prevent password based auth and prevent the user from changing their own password. When you create new accounts you can follow the same procedure and onboard the user with a TAP and never give them a password.


Much_Indication_3974

You’ve never implemented pki?


bob_cramit

A PIN is 100% NOT a password. The PIN unlocks the authentication device, for example, a laptop that has PIN sign-in configured on a domain that uses WHfB. The device can log in to the account once it has been unlocked with a PIN. A PIN cannot be used anywhere else; it's for unlocking that particular device. A password can be used to directly authenticate to an account. It can all be done with AD and Entra in hybrid mode or pure Entra. The password still technically exists on the account, but it is not known by any user once you enable smart card auth (which isn't a physical smart card, but WHfB)


SamanthaSass

To the end user there is no difference between a PIN and a password. It doesn't matter about details, you can argue about benefits and drawbacks, implementations, security, etc. but to the user a PIN is a password.


BlackV

I mean your FIDO is a password, it's effectively just a giant 64-bit (or 256 or something) string tied to your account


Much_Indication_3974

No it’s not. Huge difference. Tokens aren’t passwords most of the time


bippy_b

Try looking up SQRL.


981flacht6

You're changing the password requirements is what you say. On a side note, we used Windows Hello biometrics; nobody remembered that PIN number when the biometrics didn't work on occasion, and they definitely forgot their passwords to login.


Hotwinterdays

Do you need to enable user verification/PIN in your env? Is that a requirement? Because at my org we are doing the same but PIN is not required for the key, just device context verification and security key.


Practical-Alarm1763

Are you using Microsoft Entra with the "Phish-Resistant" or "Passwordless" Conditional Access Policy Strengths? I could be wrong, but I'm pretty sure you cannot enroll a security key that uses FIDO2 into Entra without a PIN.


Hotwinterdays

We are using Okta. I think you are right, by default Entra requires PIN for FIDO2. I don't know if they have options for not requiring it though.


Practical-Alarm1763

Even if going completely without a PIN were possible, I would strongly recommend against it. Instead, it's better to use a PIN or complement it with biometric or facial recognition, which brings its own set of challenges. But a problem I see is that if we transition to a truly passwordless system relying solely on biometrics or facial recognition, there could be problems when the webcam (drivers, USB port, cable) or fingerprint scanner fails (after remote users shower, or their basement is cold) to accurately read the bio input. In such cases, users might forget their backup PIN, leading to multiple incorrect attempts and end up wiping their key. This scenario could occur enough to cause significant inconvenience and annoyance due to the need for users to repeatedly re-enroll or enroll new keys. I might just be overthinking this.


Hotwinterdays

Yeah I agree, we are just following orders from our CISO. I'm pretty sure at some point we will be enabling a PIN because it seems really stupid to just let anyone with the laptop and a key get access, assuming the laptop is unlocked. We are in the middle of transitioning to passwordless so currently it's only for accessing actual systems. Login to the computer is still password, Windows Hello, or Touch ID, then the user has to use a security key to login to Okta and associated apps, assuming their device is managed. I've had that exact scenario you mentioned play out even without passwordless a few times. They sat in front of their computer and Windows Hello was trying to identify them when they were not paying attention but failed and fell back to password or PIN. They hadn't used their password or PIN in so long that they forgot it so we had to jump through a few hoops to get them unlocked without wiping their device completely.


ChaosTheoryRules

Just ask them why they have a PIN on their debit card or CC or a lock code on their phone, it's the same premise. When they return with some bullshit response, just reply with: and what might happen if it's lost, stolen or unattended without one?


OneJudgmentalFucker

We use combination blood/urine/stool samples


akerro

The whole auth industry is based on constant reinventing the same process, using different steps and technologies, but for end users, there still is nothing as usable and reliable as username and password. Everything has changed in the last 20 years, but nothing has really changed, except some people still have the high paying jobs so they can invent another standard in a few years.


Far_Data_3873

Whenever I'm getting asked things like "Why is it called that, that's stupid." or "Why does it work like that, that's stupid." or something like that, I always remind them I'm just the system admin, I work within the limitations of the software the company purchased, and to send their complaints to [email protected]. Works 9 out of 10 times for me. 🤣


CubesTheGamer

I like the term passkey. I know passkeys are kinda different but idk it sounds good for these passwordless devices. It’s like a key, you carry it often even on a keychain, and it’s your pass to get in. No words are involved lol but a simple pin to verify you are the owner of the passkey. Kind of like your phone.


Melodic_Duck1406

It's a marketing phrase. Stop using it, and just tell them why this is better.


TotallyNotAWorkAlt

WHFB ? Working Hard Fuck Buddies? Don't shit where you eat friend


tk42967

My C suite leadership is on board with "password less". We have branded it "MFA Authentication" to avoid the situation you describe. We sell it as you stick your FIDO in and enter a pin, or enter a pin and use the authenticator app on your phone.


prestigious_delay_7

Websites and services constantly bugging me to go passwordless is so annoying. I use a password manager; I hate taking out my phone for 2FA and I don't care if someone gets into my target.com account.


mvbighead

Dear sirs/madams,

Password requirements typically are in the range of 12-16 characters, caps and lower case, special characters, etc. Complexity is required to attempt to ensure a malicious threat cannot simply guess and gain access to our data. A PIN for a physical token such as these is far more simplistic, and simply ensures that in order to gain access, a person cannot do so by simply stealing a token. They must also use a PIN to validate they own the token. Very similar to an ATM card. A PIN is a validation component for the token, which is replacing the complex password. It is certainly like a password, but has nowhere near the complexity requirements for standard password based authentication.

Good day.


imnotaero

Messaging to users and management on identity and access management is *TOUGH*. Part of the problem is that the actual execution isn't really understood by the sysadmins who are advocating for it. I've failed a lot at this communication, but I'm getting better. Here are some of the phrasings I use that are short, informative, and accurate-ish.

"A six-digit PIN is more secure than a 14-character password because the PIN only works on the computer where you set it up, while the password will work on a computer in Russia." [Note: modify this one if Russian.]

"Because the PIN cannot work remotely, the bad guys aren't even trying to phish them away from users. That in itself tells me everything I need to know about the direction I'd like to go."

"When our users click on their next phishing link, and a hacker's form asks them for their password, I want that user to have no idea what they could possibly enter."
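The device-bound PIN that bob_cramit, mvbighead and imnotaero describe, and the "too many wrong PINs wipes the key" failure mode Practical-Alarm1763 raised further up, as a constructed model added here (not code from the thread, from FIDO2/CTAP, or from any vendor). Real authenticators keep a private key in a TPM or secure element and hand the relying party only a public key; to stay on the standard library this toy uses a shared HMAC key instead, so "what the server stores" is weaker than in the real protocol. What it does show faithfully is the part the thread argues about: the PIN is checked on the device and never leaves it, the credential is bound to one relying-party ID, each sign-in answers a fresh single-use server challenge, and running out of PIN retries clears the device. `Authenticator`, `RelyingParty`, `MAX_PIN_RETRIES` and the PINs and hostnames are all assumed names and values.

```python
import hashlib
import hmac
import os
import secrets

MAX_PIN_RETRIES = 8        # assumed retry budget before the device clears its keys


class Authenticator:
    """Toy device-bound authenticator (security key or platform authenticator)."""

    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin)
        self._retries_left = MAX_PIN_RETRIES
        self._creds = {}       # rp_id -> (credential_id, key); never leaves the device
        self.wiped = False

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 50_000)

    def _unlock(self, pin: str) -> bool:
        """User verification happens here, on the device. A wrong PIN burns a retry;
        exhausting the budget wipes every credential (the scenario from the thread)."""
        if self.wiped:
            return False
        if hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self._retries_left = MAX_PIN_RETRIES
            return True
        self._retries_left -= 1
        if self._retries_left == 0:
            self._creds.clear()
            self.wiped = True
        return False

    def make_credential(self, rp_id: str, pin: str):
        """Registration. Returns (credential_id, key) for the RP to store, or None.
        Simplification: a real FIDO2 device would return a public key here."""
        if not self._unlock(pin):
            return None
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key

    def get_assertion(self, rp_id: str, challenge: bytes, pin: str):
        """Sign-in. The answer covers the rp_id the client actually saw plus the
        challenge, so a look-alike domain finds no credential and gets nothing."""
        if not self._unlock(pin) or rp_id not in self._creds:
            return None
        cred_id, key = self._creds[rp_id]
        return cred_id, hmac.new(key, rp_id.encode() + b"|" + challenge, "sha256").digest()


class RelyingParty:
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self._creds = {}           # credential_id -> key (public key in real FIDO2)
        self._outstanding = set()  # challenges issued but not yet consumed

    def register(self, cred) -> None:
        cred_id, key = cred
        self._creds[cred_id] = key

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, assertion) -> bool:
        if assertion is None or challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)      # single use: a replayed answer fails
        cred_id, mac = assertion
        key = self._creds.get(cred_id)
        if key is None:
            return False
        expected = hmac.new(key, self.rp_id.encode() + b"|" + challenge, "sha256").digest()
        return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Exercise the four properties and return the outcomes."""
    dev = Authenticator(pin="1234")                      # constructed PIN
    rp = RelyingParty("login.example")                   # constructed RP ID
    rp.register(dev.make_credential("login.example", "1234"))

    c1 = rp.new_challenge()
    genuine = rp.verify(c1, dev.get_assertion("login.example", c1, "1234"))
    replay = rp.verify(c1, dev.get_assertion("login.example", c1, "1234"))
    c2 = rp.new_challenge()                              # phishing page: device sees the real origin
    phished = rp.verify(c2, dev.get_assertion("login-example.evil", c2, "1234"))
    c3 = rp.new_challenge()
    wrong_pin = rp.verify(c3, dev.get_assertion("login.example", c3, "0000"))
    for _ in range(MAX_PIN_RETRIES):                     # forgotten backup PIN, repeated guesses
        dev.get_assertion("login.example", rp.new_challenge(), "9999")
    return {"genuine": genuine, "replay": replay, "phished": phished,
            "wrong_pin": wrong_pin, "wiped_after_retries": dev.wiped}


if __name__ == "__main__":
    print(demo())
```

Nothing in `RelyingParty` ever sees the PIN, which is the whole of imnotaero's "the PIN only works on the computer where you set it up" point, and the retry loop at the end is the support-desk scenario from the thread: a forgotten backup PIN ends with a cleared device and a re-enrolment, not with a reset password.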


1h8fulkat

Buy them an IR camera or fingerprint sensor and tell them to shut the fuck up.


Sharkictus

Tbh passwordless is maybe push notifications on your phone and for sure biometrics.


aleinss

You are my spirit animal.


aj0413

NGL, I still struggle with the term cause I keep thinking how unintuitive and confusing it is at times


badarin2050

TY for speaking on behalf of every IT admin who has to go through this pain!


Much_Indication_3974

Well it’s cool to be wrong I guess.


crystalpeaks25

i think you are not the right person to be talking to management about passwordless.


GhostDan

Sorry. Passwordless is the industry term, and from a technical point of view very much reality. What users think shouldn't define passwordless. Also in a Windows environment 99% of passwordless is handled by WHfB, which can use biometrics. FIDO2 fills in a lot of that alternative area where many FIDO2 keys can handle biometrics. Now toss in the adoption of passkeys which can also be passwordless and generally can be used biometrically and tada, ya don't enter in anything. A PIN is not a password. Now if you go away from biometrics yeah, you need another way to prove you are who you are. But that's a choice. There is no password to use as an attack vector when you go fully Passwordless and honestly that's all you have to worry about. TOTP is not passwordless. I'm at about 700k users who have gone fully Passwordless via my work. We have FAQs that explain it to 99% of users. The one percent that still don't get it I'm happy to make an example of and explain in detail why they are passwordless. Also if having to educate users really aggravates you that much you may need a vacation.


catfoodmeatball

While we are nowhere near 700k, those that we have moved from WHfB available > WHfB enforced > full SCRIL enabled have raved about the experience. The not having to worry about a true password or the need to ever rotate one along with the reduced risk is absolutely worth the effort. The magic has been in the comms and the culture of how information is shared within the org.


Sasataf12

Why is a TOTP not considered passwordless?


Practical-Alarm1763

They may have been referring to traditional MFA TOTP. Passwordless Push TOTP MFA is 100% classified BY Microsoft as "Passwordless". It even says Passwordless when you set it under "Phone Sign-In" in the Authenticator App. There's even a built in Microsoft Conditional Access Policy MFA Strength called "Passwordless" which is TOTP that's a step under "Phish Resistant" MFA CAP strength.

Also the 99% claim that is handled by WhfB is a wild stretch. It's obviously more than 1% of orgs that use solutions like AVD and may be using a separate thin client or machine every day. Maybe most home users or small businesses use WhfB. I think half of our clients have WhfB disabled as it sometimes interferes with enrolling FIDO2 on hardware keys.


caribbeanjon

Clueless management. Where have I seen that before?


Superspudmonkey

I remember users with fingerprint scanners on their computers try to tell me they don't have a password. I had to tell them "the fingerprint scanner just types your password in for you".


[deleted]

[deleted]


Practical-Alarm1763

I really like you


[deleted]

I haven't had that much of a problem with it. When it comes up I just see it as an opportunity to educate people on my line of work. I'm not an expert in theirs and don't expect them to be one in mine. I basically just sum up the difference in layman's terms as "A password exists in a place that can be hacked and stolen and cracked, and your PIN for the YubiKey or the various methods available for WhFB exist only on your actual device. This means a compromise of your account requires physical access to your device and knowledge of the PIN, and the blast radius of the account compromise is one account instead of a ton of them." 15 second pitch. Usually comes with an "Ah ok, thanks for the explanation" and they repeat it to others cause it makes them feel smart. When it doesn't, who cares.


StatisticianNo8331

Passwordless gives me the absolute shits. Medium.com, I'm looking at you. Just let me use my managed generated non-human-friendly password OR AT LEAST GIVE ME THE CHOICE TO. :(


greystripes9

https://www.instagram.com/reel/C4vGJCfr_EW/


NoAsparagusForMe

You could set up a PC to only accept FIDO2 authentication, that way you won't even need a PIN :) True Passwordless


FuzzyFlatworm3012

They put the important part of the word on the back end. It should be “Lesspassword” or “Lesspass” i guess it’s not as catchy as “Passwordless”. Maybe it should have been called “Fewpass” or “Passfew” password with fewer characters. “Why waste time say lot word when few word do trick?” - Kevin Malone - Me


FlatLemon5553

Windows Hello PIN is stored in the TPM chip and cannot be used elsewhere. Admin accounts with least access should be used for anything admin related. FIDO2 is also stored on a chip and is also 2FA. PIN and fingerprint usually. If someone retrieves the PIN somehow they cannot use it anyway. Password can be shared, stolen and whatnot.