Unlocking passwordless Mac authentication

Every Info Sec profession has seen the dreaded list that elicits an audible, impulsive groan. The list of Top 10 most used passwords. Even thinking of our users protecting their devices and data with “password123”, “qwerty”, “1234567890”, or “p@ssword1!”, is enough to send most into a tizzy and induce panic attacks. Fortunately, most have put in place measures that generally prevent this from happening and demand something far more complex — and yet, over time we have been shown in the data, that it may still not be enough.

One of the top security problems for organizations today? Stolen login credentials. Surprised?

What about the fact that 80% of all data breaches involve stolen or weak passwords? Single-word passwords or ones involving personal information are often the most culpable. Even with the enforcement of stronger passcodes, server breaches, phishing scams, and brute force attacks can expose passwords and thus, corporate and employee information. Additionally, enforcement only goes so far in terms of password protection. With complex passwords comes a rise in naive users jotting these passwords down in notes to remember their usage of numbers and special characters — a liability on a physical level.

The uptick in security needs to prevent attacks against companies and protect company and customer data, due to remote/hybrid work environments seeing employees working from different locations, has meant enterprise security budgets are increasing. Yet the breaches increase as well and the allocation of funds going toward preventing compromised password breaches isn’t proportionate to the problem they pose. In fact, less than 10% is spent on eliminating compromised credentials but is where greater than 80% of all breaches originate.

Admins and security teams are faced with the enormous challenge of keeping a remote and hybrid workforce secure and protected, while also providing a seamless end user experience. Finding methods that allow IT to require rotating, complex passwords while offering users a way to avoid the friction created by these password mandates is no easy task. Enter passwordless workflows — a modern solution for authentication.

Passwordless Authentication

By 2022, Gartner predicts 60% of large and global enterprises, and 90% of mid-sized enterprises, will implement passwordless methods in more than 50% of use cases.

Passwordless authentication is a form of multi-factor authentication (MFA) that replaces passwords with two or more verification factors secured and encrypted on a user’s device, such as a fingerprint, facial recognition, a device pin, or a cryptographic key. Face ID and Touch ID are two forms of biometric verification that Apple users will be very familiar with. Both of these passwordless authentication methods offer easy user experiences that are incredibly hard to fake and replicate, reducing security risks.

When it comes to using a PIN for verification, many view a PIN and password as one in the same, however, the usage of a PIN is often to authenticate you locally as it is tied to a specific device which means it remains local, thus reducing the breach potential because attackers would likely need physical access to your device or knowledge of the PIN beforehand, given PINs usually only allow so many failures before locking down. The con of pins, when user-created like passwords and non-rotating, is that careless behavior from the user could still grant unwanted access to a device and encrypted files.

Passwordless workflows like these are not new, nor are many of these authentication methods. However, there hasn’t been much focus on a passwordless workflow specific to Apple. In theory, a passwordless authentication method could allow a company’s users to leverage a form of authentication like Face ID or Touch ID on a separate, trusted device to act as a second form of authentication that supersedes the need to input a user’s password to unlock their Mac — which is exactly what Jamf Connect can now do!

Jamf Unlock

Jamf Unlock is a Jamf Connect workflow and supports certificate-based authentication by issuing a certificate to your device giving users the power to securely leverage their cloud identity to unlock the Mac, using Face ID, Touch ID, or a rotating PIN on their iPhone, to gain immediate access to the resources they need to be productive.

During setup of Jamf Unlock, the user is generating a certificate for themselves in the Secure Enclave of the iOS device to authenticate to their cloud identity provider. This identity and request generates a certificate which is stored locally on the device and exclusive for that iPhone or iPad. It can’t be exported. This public key has been shared with and tied to the user’s Mac so that each time a user tries to authenticate to your user account, it requires the phone to go through the authentication process.

This will let your Mac know that a sign-in request is coming from a trusted device and allow you to securely sign into your Mac. Once on the computer, you will have the same experience you’ve always had with Jamf Connect, gaining access to all of your apps and resources without having to sign in to each one. The result is the ability to use the device you always have with you to unlock secure productivity, no passwords required.

Because Jamf Unlock, and Jamf Connect, are tied to your cloud IdP, it’s easier to manage and more secure for your remote workforce. Much like the benefits of SSO, from the user perspective, this eliminates password fatigue or forgotten passwords which helps reduce password reset IT support tickets. It also achieves MFA goals to help reduce the risk have having passwords compromised without the introduction of and investment into extra hardware. Simply leveraging the iPhone that most users have at any given moment, grants them a seamless, passwordless workflow.

Benefits of Jamf Unlock:

• You get all the value of Jamf Connect for Mac with just-in-time account provisioning, identity management capabilities and a single cloud identity to access the Mac and resources.
• Passwords are no longer a secure method to access resources and accounts. Jamf Unlock eliminates the need for a password and instead uses a passwordless workflow, tied to the cloud identity, with MFA to access Mac.
• Jamf Unlock acts as a smart card for improved security without the extra cost of hardware and one more thing to manage. And because there is no password, there is reduction of IT help desk password resets.
• Employees can utilize the hardware they always have with them, their phone, to securely unlock access to their Mac, with or without a network connection, eliminating forgotten passwords and fatigue of multiple logins per day.

Improve security, improve end-user experience, and Reduce IT Tickets – all from the Jamf Connect account you already have linked with your identity provider. Eliminate the downside of passwords while keeping all the upside with Jamf Unlock.

FAQ:

• What is passwordless authentication?
  Passwordless authentication is a form of multi-factor authentication (MFA) that replaces passwords with two or more verification factors secured and encrypted on a user’s device, such as a fingerprint, facial recognition, a device pin, or a cryptographic key. The credentials never leave the device, eliminating the risk of phishing. These alternatives are based on new industry standards developed by members of the Fast ID Online (FIDO) Alliance. *By 2022, Gartner predicts 60% of large and global enterprises, and 90% of mid-sized enterprises, will implement passwordless methods in more than 50% of use cases
• Does a customer need Jamf Connect to use Jamf Unlock?
  Yes, Jamf Connect still needs to be deployed on each Mac in order to use Jamf Unlock, however, an organization does not need to use the same MDM for the Mac and the iPhone to use Jamf Unlock, they can be different. Jamf Connect must already be set up on a Mac and the user should have already signed in once with their cloud identity credentials. During the pairing process, the Mac then recognizes the iPhone has the same cloud identity credentials and is paired.
• Is Jamf Unlock an additional charge, separate from Jamf Connect?
  No, Jamf Unlock is not an additional charge - it is an application that users can get from the Apple App Store.
• Is Jamf Unlock included in the Business Plan?
  Yes. Learn more about Business Plan
• Does the iPhone need to be managed to use Jamf Unlock?
  Yes, an App Configuration must be pushed to the iOS device to tell it how to behave.
• How does the user get the Jamf Unlock app?
  The admin can either push the Jamf Unlock app to the device or make it available in Self Service.
• Will the Jamf Unlock app be available to use on an iPad?
  Yes, it will - same workflow.