Ping Identity launches passwordless authentication system

Ping's new suite of authentication features looks to secure accounts and login processes by eliminating the need for usernames and passwords, which are often reused and an easy target.

Ping Identity launched a passwordless authentication suite that's designed to elimination traditional login processes and improve users' experiences while strengthening security.

The new PingZero service, which is based on the FIDO2 open standard and Ping's Intelligent Identity platform, aims to achieve "zero passwords and zero user friction." While the most common uses for passwordless authentication include logging into websites, mobile devices and laptops, PingZero can also be used for online banking transactions and customer service support calls.

PingZero features a QR-based sign-on flow and can authenticate users through device and browser settings and biometrics. The suite also provides covert risk signal tracking that detects significant changes in geolocation, IP address and device posture that could indicate suspicious activity. In addition, PingZero can be deployed across all enterprise resources including mobile, SaaS and legacy applications.

Derick Townsend, vice president of product marketing for Ping, said the suite has been in the works for several years.

"When you're trying to create a passwordless solution, there's a lot of ways to do it. For example, you can increase session length and do certain things so you don't have to enter in a password as many times. We've done that for over a decade, but now we have new standards like FIDO2 that have come out in the last year or so that are really powerful," he said.

Ping, which is a member of the FIDO alliance, adopted FIDO2 because it uses private and public key encryption which makes it nearly impossible for phishing or man-in-the-middle attacks, said Townsend. "It's available in our products. Not all our competitors have it yet, but over time I think [FIDO2] will be the de facto standard."

Getting rid of passwords altogether benefits everyone, said Townsend.

"It's the number one threat vector of people guessing a password or hacking a password or getting it from another site, and if you can do authentication in a way where now the company doesn't have to store passwords or risk getting breached and leaking those passwords, even better still," he said.

According to Townsend, Ping Zero features can be integrated into zero-trust networks and act like a SSO system but without passwords.

"You should be able to apply the passwordless solution when and where you'd like. For organizations that want to adopt it broadly, it's complementary to the way they're doing single sign-on today. It's complementary to the way they're implementing their zero-trust models," he said. "If it's an organization that wants to only provide passwordless capabilities for a small subset of their resources, we believe they should have that option."

Townsend said PingZero customers don't have to abandon passwords completely; they can still opt to deploy the suite with passwords enabled. However, he doesn't recommend it because using passwordless authentication is more secure than memorizing passwords, which are used for multiple websites or digital properties in addition to corporate devices and applications.

"If you think about it that way, it's a lot more secure because you're in possession of those devices and they're using biometrics directly tied to you. We already use this technology today, we just haven't extended it out to logging into websites or other digital properties," Townsend said.

Townsend also said there are multiple uses for PingZero beyond just logging in, including online banking transactions. "Another case is dealing with a customer service support person over the phone. That's subject to social engineering and hacking. You can use the same technology to use biometrics in your mobile device to prove to a customer service person you are who you say you are."

Ant Allan, vice president of research at Gartner, says passwordless authentication isn't a discrete thing.

"The label tells us only what we don't use, not what we do use. It's an aspiration, not a destination," he said in an email to SearchSecurity. "There are many ways of providing authentication methods without passwords, many of which are decades old. For example biometric methods, out-of-band SMS as the sole authenticator factor, or PIN-protected smart cards."

Allan says there has been increasing support for FIDO2 authentication protocols, but those aren't necessarily passwordless. "But many access management vendors now offer passwordless authentication flows as an option without introducing any new methods as such. Thus, in cases where the complete authentication flow can be fully handed off to an authentication or AM tool which includes SaaS and web applications, ZTNA [zero-trust network access] and some VPN tools, passwordless authentication is available by many enterprises without new investments and we see enterprises making that move."

However, legacy use cases where password prompts are baked into the authentication flow remain problematic, according to Allan.

"Security and UX are key drivers. Most passwordless approaches improve security -- but some novel 'knowledge' methods (using picture or patterns), or some consumer-grade biometric methods might not be robust. Taking passwords of out of the user/customer journey is usually seen as enhancing UX, but (based on personal experience) not every passwordless approach yields a net improvement."

Next Steps

Microsoft makes passwordless push in Azure Active Directory

Dig Deeper on Identity and access management

Enterprise Desktop
Cloud Computing