Centrify has announced that it is leveraging the FIDO2 Web Authentication API to enable passwordless authentication for administrators. With the new capabilities, Centrify customers can replace passwords with stronger factors of authentication such as fingerprint or facial recognition, ensuring a frictionless user experience with a higher level of security.
Enforcing FIDO2-based authentication for privileged administrator logins based on risk makes Centrify a single source of truth for privileged users to access and manage hybrid infrastructure, achieving stronger security balanced with better productivity. FIDO2 is the newest set of specifications from the FIDO Alliance, enabling users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
FIDO2 supports biometric methods like Apple’s Touch ID electronic fingerprint recognition, Apple Face ID facial recognition, and Microsoft’s Windows Hello, which lets Windows 10 users authenticate to their devices, apps, online services, and networks with just a fingerprint, iris scan, or facial recognition. Ultimately, FIDO2 makes security stronger and less disruptive because it can eliminate passwords, which is critically important given that 81% of security breaches involve weak, stolen, default, or otherwise compromised passwords, according to Verizon.
Passwordless authentication ensures that login credentials are unique across every website, never stored on a server, and never leave the user’s device. This security model helps eliminate the risks of phishing, as well as all forms of password theft and replay attacks.
“Centrify’s support for the FIDO2 standard, along with our existing multi-factor authentication and real-time analytics capabilities, now offers stronger authentication factors to verify privileged user identities, greatly reducing the risk of security breaches that might exploit weak, default, or stolen passwords,” said Jeremy Stieglitz, Vice President of Product Management at Centrify. “The reality is that out-of-sync passwords can hamper employee productivity, interrupt IT operations, and compromise security. Our new biometric support adds an additional roadblock for attackers while removing barriers for administrators to authenticate without the need for passwords.”
Centrify has supported FIDO for years and is a member of the FIDO Alliance. In providing support for FIDO2, Centrify further enables organizations to move away from passwords, which are often the target for external and internal threat actors. Centrify has used passwordless access to systems via ephemeral tokens as part of its Privileged Access Service for a number of years, and this support for FIDO2 builds further on the vision that passwords are the weak point in security.
Using biometrics eliminates the risk posed by credential theft techniques and provides better alignment with NIST 800-53 high-assurance authentication controls. Centrify also leverages on-device authenticators that register new devices and tie them directly to the user’s identity. Once new devices are registered and authenticated, they can be used for multi-factor authentication.