Ditching the password is a trend that’s gaining steam in the enterprise world—and encrypted password manager Bitwarden is jumping on the wagon, ZDNet reported.
In a blog post, Bitwarden Senior Product Marketing Manager Ryan Luibrand wrote that the company would now be integrating the passwordless single sign-on (SSO) option. That’s the authentication method that allows users to use one set of credentials for multiple services by establishing trust relationships with an identity provider.
While SSO streamlines the process of using the innumerable apps many enterprises rely on for day-to-day operations, it also has some inherent security risks. If a user account is compromised, SSO can allow a malicious party to access any services that account can access. Weak passwords, or falling for a phishing attack, can be the brittle link in that chain.
Bitwarden’s passwordless offering aims to solve that by enabling users to store their SSO master decryption key on a trusted device such as a phone.
“When logging in, there is both an authentication process and a decryption process,” Luibrand wrote. “These are handled simultaneously but separately when a user logs in. When set up with an identity provider (IdP) service, it authenticates the user through SSO. Then, the data is separately decrypted with the account encryption key and made available to the user.”
SSO via trusted devices means users will only need to be authenticated by the SSO provider to gain access to their encrypted data. Bitwarden’s passwordless offering, which is available to enterprise organizations and its Password and Secrets Managers, enables a “workflow where it is possible for employees to create accounts without ever setting a Bitwarden password,” Luibrand wrote. (That isn’t necessarily recommended, though, because it limits account recovery options.)
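The two-stage flow Luibrand describes, authenticate through the IdP and then decrypt locally with a key the server never holds, is the security-relevant point here, so the schematic below is added to make it concrete. It is example code written for this article, not Bitwarden's implementation: the IdP, vault server and device classes, the HMAC-signed assertion format and the sample vault contents are all assumptions, and the HMAC-based keystream and tag stand in for a real AEAD such as AES-GCM only because the Python standard library ships no AES.

```python
import hashlib
import hmac
import json
import secrets
import time

# --- Toy authenticated encryption (stand-in for AES-GCM; stdlib has no AES) ---
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> dict:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt(key: bytes, blob: dict) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("vault blob failed integrity check (wrong key or tampered)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

# --- Identity provider: knows who the user is, knows nothing about vault keys ---
IDP_SIGNING_KEY = secrets.token_bytes(32)   # constructed: shared by IdP and vault server

def idp_issue_assertion(subject: str, ttl_seconds: int = 300) -> dict:
    body = json.dumps({"sub": subject, "exp": int(time.time()) + ttl_seconds}, sort_keys=True)
    sig = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

# --- Vault server: authenticates via the IdP assertion, stores ciphertext only ---
class VaultServer:
    def __init__(self):
        self.blobs = {}   # subject -> encrypted vault blob; no account keys ever stored

    def store(self, subject: str, blob: dict) -> None:
        self.blobs[subject] = blob

    def fetch(self, assertion: dict) -> dict:
        sig = hmac.new(IDP_SIGNING_KEY, assertion["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, assertion["sig"]):
            raise PermissionError("SSO assertion signature invalid")
        claims = json.loads(assertion["body"])
        if claims["exp"] < time.time():
            raise PermissionError("SSO assertion expired")
        return self.blobs[claims["sub"]]

# --- Trusted device: generates and keeps the account encryption key locally ---
class TrustedDevice:
    def __init__(self, subject: str):
        self.subject = subject
        self.account_key = secrets.token_bytes(32)   # never leaves the device

    def enroll(self, server: VaultServer, vault_items: dict) -> None:
        server.store(self.subject, encrypt(self.account_key, json.dumps(vault_items).encode()))

    def login(self, server: VaultServer, assertion: dict) -> dict:
        blob = server.fetch(assertion)                       # stage 1: authentication via SSO
        return json.loads(decrypt(self.account_key, blob))   # stage 2: decryption, locally

def demo() -> dict:
    """Constructed walk-through: enroll, then log in through SSO and decrypt on-device."""
    server = VaultServer()
    device = TrustedDevice("alice@example.com")
    device.enroll(server, {"example-app": "constructed-secret"})
    return device.login(server, idp_issue_assertion("alice@example.com"))

if __name__ == "__main__":
    print(demo())
```

The property worth checking is the separation itself: a valid SSO session returns only a blob the server cannot read, and a device holding the key gets nothing from the server without a valid assertion. That is also why the page's caveat about account recovery follows: if the only copy of the account key lives on the device, losing the device means losing the decryption capability, regardless of how healthy the SSO side is.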
“For IT administrators and security professionals who are helping roll these things out in the organization, the more convenient that you can make it for end users, the better,” Gary Orenstein, Bitwarden’s chief customer officer, told IT Brew. “But the other thing that happens in this bigger picture with SSO is the ability to cover all the applications in an enterprise.”
There are numerous reasons for enterprises to ditch passwords, which are inherently prone to theft. Other methods, such as FIDO multi-device credentials (passkeys), which use alternative verifiers like biometrics or PINs, or trusted-device authentication, are more phishing-resistant because they add factors that are much more difficult for attackers to work around.
“Passwords have been trying to be dead for a really long time, and we’re finally at a point where I think that can really happen,” 1Password Head of Passwordless Anna Pobletts told IT Brew at RSA Conference 2023.
However, certain biometrics like fingerprints may be vulnerable to brute forcing, as demonstrated by recent research from Zhejiang University and the Tencent Security Xuanwu Lab. A poll by Ping Identity and Yubico earlier this year found that while 84% of the global IT leaders they surveyed found passwords to be a “deceptively weak” form of security, 97% predicted barriers to replacing them.
“What we’ve seen in talking to some of the world’s largest companies is they all adopted single sign-on over the last decade,” Orenstein told IT Brew. “Because the rise in cloud applications was so voluminous, so quickly…but then they’re also realizing that SSO is not enough for complete protection across the enterprise.”