Passkey is the Future, and the Future is Now with Red Hat Enterprise Linux (2024)

Red Hat Enterprise Linux 9.4 introduces the ability for centrally managed users to authenticate without a password by using a passkey, making it an enterprise Linux distribution with Fast Identity Online 2 (FIDO2) authentication for centrally managed users! This is built on the Identity Management solution already in Red Hat Enterprise Linux, and it enhances product security by enabling passwordless authentication, Multi-Factor Authentication (MFA), and Single Sign-On (SSO).

What is Passkey?

A passkey is a FIDO2-compatible device that can be used for user authentication. FIDO2 is an open authentication standard based on public-key cryptography. It is more secure than passwords and one-time passwords, and simpler to use. It is usually provided as a hardware security token, such as a small Universal Serial Bus (USB) or Near Field Communication (NFC) device. There are several brands of FIDO2-compliant keys, including NitroKey and SoloKey v2, and we've collaborated with Yubico to create a more seamless integration between RHEL and YubiKey.

The use of new tools to authenticate users, such as FIDO2 and External Identity Providers, is becoming increasingly popular because it improves the security of the authentication process.

Passwordless authentication is a paradigm shift in authentication. It aims to eliminate the need for traditional passwords, and in this article I outline its benefits compared to traditional password-based authentication.

Password-based authentication

Password authentication poses security risks, including brute force attacks, password reuse, phishing attacks, and more. From a user experience perspective, passwords are cumbersome to remember and prone to user error. Users often use the same password for multiple accounts, or else they rotate between a few different ones, and rarely invent entirely new passwords. Companies attempt to mitigate this by enforcing password policies, rotation, and management. It's up to users to not share accounts and passwords, intentionally or otherwise.

Password managers can help, but many users either aren’t aware of them or find them too complicated to use. This often leads to passwords on sticky-notes or changing passwords by just adjusting a few characters.

It's not uncommon to look at the news and see a major data breach reported by a major company, revealing that malicious actors got access to millions of passwords. As a countermeasure, the company forces its users to reset credentials. That, of course, only displaces the problem and solves nothing!

User authentication terminology

In modern authentication methods, there are some important terms you must understand:

  • Two-factor authentication (2FA): Two distinct forms of identification are needed to authenticate. One of them is usually a password, and the other a code or a biometric reading, such as a fingerprint. The classic adage is, "Something you know, and something you have."
  • Multi-Factor Authentication (MFA): Two or more distinct forms of identification are needed to authenticate. This is similar to 2FA, but in this case two or more factors are requested.
  • One-time password (OTP): A password that's valid for only one authentication process. OTPs are often used as a second authentication factor in 2FA/MFA. Two shortcomings are that they can feasibly be intercepted, and they're susceptible to phishing attacks.
  • Single Sign-On (SSO): An authentication scheme allowing a user to log in with a single ID to several services and applications.
  • Passwordless: An authentication method that allows access to a system without entering a password or answering security questions. Instead, the user provides some other form of evidence, such as a fingerprint, proximity badge, or hardware token code. It's often used alongside MFA and SSO to improve the user experience, strengthen security, and reduce IT operations expense and complexity.

Passkey authentication in Identity Management on RHEL

Passkey combines a passwordless mechanism with MFA. MFA is provided by requesting a Personal Identification Number (PIN) to unlock the token before it processes the authentication request. Passwordlessness is provided by public-key cryptography: a key pair is generated during the registration process, and the private key never leaves the token.

Additionally, if the device supports it, other authentication factors (such as a fingerprint) are requested. Finally, along with authentication, a Kerberos ticket is granted. This can be used for further identification on network resources, which enables SSO.

All this together eliminates the need for passwords and enables strong authentication. In addition, it can reduce the risk of a data breach, because passwords aren’t reused, the public key pair is generated for each service, and the private key resides inside the token.
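The following Go program is an added illustration of the mechanism just described, not code from the article, from RHEL Identity Management or from SSSD. It models a passkey token that generates a key pair per service at registration, refuses to operate without the PIN, and answers a server challenge with a signature that the server checks against the stored public key; the signed digest is a simplification of the WebAuthn authenticator data, the Kerberos ticket step is not modelled, and the relying-party IDs, PIN and challenge are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the passkey token: private keys never leave it, and it
// only operates after the PIN (the second factor) has been presented.
type Authenticator struct {
	pin  string
	keys map[string]*ecdsa.PrivateKey // one key pair per relying party (service)
}

func NewAuthenticator(pin string) *Authenticator {
	return &Authenticator{pin: pin, keys: map[string]*ecdsa.PrivateKey{}}
}
// Register is enrollment: a fresh key pair is generated for this relying
// party and only the public half is handed to the server.
func (a *Authenticator) Register(rpID, pin string) (*ecdsa.PublicKey, error) {
	if pin != a.pin {
		return nil, errors.New("wrong PIN")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}
// Sign answers a server challenge; the digest binds it to the relying party ID.
func (a *Authenticator) Sign(rpID, pin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if pin != a.pin || !ok {
		return nil, errors.New("wrong PIN or no credential for this service")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, challenge))
}
// signedData is the digest the token signs and the server verifies.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}
// Verify is the server side: stored public key, fresh challenge, no password.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedData(rpID, challenge), sig)
}
```

Because the digest includes the relying-party ID and a fresh challenge, a signature produced for one service cannot be replayed against another service or against a later login, which is the property the memorandum quoted below calls phishing-resistant.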

Why is it important?

Passwordless authentication aligns with regulatory requirements for data protection and security, such as General Data Protection Regulation (GDPR) and Payment Service Directive (PSD2). By implementing strong authentication methods, organizations can better safeguard sensitive information and comply with regulatory standards.

A memorandum from the U.S. Government establishes new policies to enhance security by enforcing passwordless authentication, combined with MFA standards and SSO:

  • “Enterprise identity management must be compatible with common applications and platforms. As a general matter, users should be able to sign in once and then directly access other applications and platforms within their agency’s IT infrastructure.” (page 6)
  • “Fortunately, there are phishing-resistant approaches to MFA that can defend against these attacks. The Federal Government’s Personal Identity Verification (PIV) standard is one such approach. The World Wide Web Consortium (W3C)’s open “Web Authentication” standard, another effective approach, is supported today by nearly every major consumer device and an increasing number of popular cloud services…” (page 7)

Passwordless authentication leverages modern technologies such as biometrics, cryptographic keys, and device-based authentication. These technologies offer higher levels of security and scalability compared to traditional password-based authentication methods.

Passwords are vulnerable to numerous security threats that are challenging to overcome using technology and strategies in use today. The main purpose of the passkey feature is to strengthen security, and at the same time to provide a pleasant user experience. This is achieved by using open and well-established standards that enable passwordlessness, MFA, and SSO.

With passkey functionality, users require only a hardware device, and another authentication factor, such as a PIN or a fingerprint, to eliminate the reliance on passwords while elevating security standards. Additionally, issuing a Kerberos ticket alongside the authentication enables SSO capabilities. By integrating these features all together, the risk of data breaches, phishing threats, man-in-the-middle attacks, and other security threats can be significantly reduced, positioning your organization well on its security journey.

What next?

Identity Management in Red Hat Enterprise Linux 9.4 now offers the passkey feature to leverage all these capabilities: passwordless, MFA, and SSO.

The good news is that it's so easy to use that there are no excuses to not use it! Watch this quick demonstration to see for yourself:

Red Hat solutions architects and sales teams are ready, and more than happy, to guide your organization through this security journey.
