Passwordless authentication and why offline MFA is your friend

Mike VanDelinder, Jamf Connect Product Manager, and Sean Rabbit, a Senior Consulting Engineer at Jamf, set out to help people define “passwordless’ and better understand passwordless authentication — especially as it relates to Mac. To do this, they wanted to discuss passwordless authentication — its limitations and capabilities — to look at some different passwordless solutions that already exist for the Mac, and take a look at Jamf’s solution to passwordless workflows, Jamf Unlock.

What is “Passwordless authentication”?

By definition, passwordless authentication is an authentication method in which a user can log in to a computer system without entering a password or any other knowledge-based secret. macOS is built upon the core fundamentals of Unix, explain Sean Rabbit, and that means local user accounts with local passwords. Combined with FileVault and the need for a password to decrypt, we are probably looking at macOS devices requiring passwords long into the future.

But what is interesting, is that macOS has had “passwordless” authentication for a while now. Introduced into OS X 10.4, TokenD was able to use a Smart card or PIV (personal identity verification) card to authenticate users. OS X 10.12 introduced a CryptoTokenKit driver and functionality to manage smart cards through an MDM solution. In 2016, Apple introduced a MacBook Pro with a Touch ID system, a secondary passwordless authentication system that could be used after entering a password from a full power on or decrypting FileVault.

When the Apple Watch was released, a new feature allowed a user to unlock their mac simply by having their watch nearby. Features like TouchID and Unlock with Apple Watch were enabled by a feature called a plugin authentication module or PAM which could delegate authentication but only after at least one password was entered and would timeout after a specific time. So, for now, there will be things to supplement a password, but there will not be a complete elimination of a password.

Why should we care about passwordless?

There were three startling stats put on the screen to kick off this section:

• Stolen login credentials are the #1 security problem for organizations today
• 80% of all data breaches involve stolen or weak passwords
• Less than 10% of budgets are spent on eliminating compromised credentials

It’s a huge disconnect. Number one issue but gets so little attention. While a password reset may not be the most complex of help desk tickets to resolve, they become tedious for any IT admin hired to work on loftier IT goals than password management aid. To go a step further, having your IT team spend their precious time resolving menial tickets costs you money. A single password reset costs companies an average of $70. And when you add up all the time spent on these tickets, it’s a shockingly large amount of money for some enterprise organizations.

Login credentials have long been a problem for security at organizations of all sizes and types, and there is some movement in the industry towards eliminating the password from accessing services. This introduces new problems, however, as legacy systems need to be updated and some systems just absolutely need a password.

Jamf Connect and Jamf Unlock

Jamf Unlock is built upon the foundation of Jamf Connect’s core: just-in-time account creation, provisioning accounts with rights determined by the identity provider and ongoing password sync. Jamf Unlock adds the ability to remove the password from the Mac in almost every place by replacing it with native macOS Smartcard or PIV support, provided by the Jamf Unlock app on your iOS or iPadOS device.

Jamf Unlock requires no additional software on the Mac if you are already using Jamf Connect, so a user will link an iOS or iPadOS device to their Mac with a pairing request and, from there, their Mac works as though they have a SmartCard that needs to be inserted for authentication. The added bonus is that the Jamf Unlock app can work with a rotating PIN, unlike a physical smartcard, or it can operate with no PIN needed at all. And, unlike other SmartCard solutions, you need no additional hardware beyond the iPhone you already have and use at your organization.

For Jamf Unlock to work, it does require the user authenticates with the organization’s identity provider and the Jamf Connect app on their device. This proves that they are authorized to use the application and establishes a trusted certificate, shared with the Mac.

The goal of Jamf Unlock is to simply make a better end-user experience for Mac. It eliminates password fatigue for those users who are always authenticating or unlocking their Mac, especially at organizations with complicated password requirements. And it uses something that is almost never forgotten by users anymore — their iPhone.

For IT Admins, there's no extra hardware involved, authentication is still done through an identity provider, and the iPhone acts as a second factor of authentication. To go a step further, And network connectivity is not required - the multicast protocol used by Jamf Connect and Jamf Unlock does not require a network connection to authenticate, so you have offline MFA.

Integrating Passwordless Authentication into macOS

As we explore more of passwordless on a system that inherently has been built around passwords, it’s important to educate your users on how the Jamf Unlock PIN works with macOS.

Authentication requests will trigger a request for a PIN. If you as an administrator have mandated a PIN, teach your users to open the Jamf Connect application to receive the PIN. If you have NOT enabled PIN, teach your users to simply hit return and look at their iPhone. The iPhone will show a push notification, or the user can simply open the Jamf Unlock app to do a face ID and authenticate. Any place that requires authentication will work the same way.

One exception to this is the FileVault unlock screen. On macOS devices with an Intel processor, the FileVault unlock screen is actually done in an EFI Firmware level before the macOS operating system has started. So on machines with FileVault enabled, we’re still going to need a password to decrypt the drive much in the same way you need a passcode to unlock your iPhone or iPad from a full power down.

When it comes to the technologies that Jamf Unlock is built on, you understand why it is Apple-specific.

CyptoTokenKit

CryptoTokenKit allows the iPhone to appear as a smartcard to the macOS device and can sign, decrypt and exchange keys like a “normal” smart card can.

Multipeer Connectivity

Multipeer Connectivity allows two Apple devices to communicate with one another over an ad-hoc network. You may be familiar with AirDrop. In Jamf Unlock’s case, the two devices use Wi-Fi to beacon to connect and open secure, encrypted lines of communication to one another without prior configuration.

CoreBluetooth

CoreBluetooth is used when the iPhone is locked and the Mac acts as a Bluetooth beacon to wake the phone and show a notification on the lock screen.

Because Jamf Unlock can use Multipeer Connectivity, this passwordless workflow remains encrypted and secure. Ephemeral keys are used for each connection between the Mac and iPhone. And, a PIN can be used in addition to biometrics on the iPhone.

Sean and Mike ended the session by talking about how an organization would go about setting up Jamf Unlock, the deployment process, app configurations and settings, the Jamf Connect configuration side and ended with a demo of it all in action.

If you are someone using Jamf Connect looking to bring on and incorporate passwordless workflows, you really can’t miss this session. Jamf Unlock is in the app store for you to get your hands on today!