Bitwarden and the passwordless security revolution

Bitwarden started with a vision to help create a world where no one gets hacked. That vision covers passwords, but it extends to making everyone's online experience more secure. Unlike other password managers, the Bitwarden name deliberately does not include the word "password": the product is meant to protect sensitive information of every kind, not passwords alone.
Broadly, this means providing the best online security solutions to everyone, wherever they are. Specifically, it means embracing passwordless authentication, which removes the password itself, and with it the shared secret that cybercriminals target in traditional password-based authentication.
Passwordless authentication is the future. Traditional multifactor authentication (MFA), a password plus a one-time code, is still viable, but the code can be phished and relayed just like the password it protects; a passwordless credential such as a FIDO2 passkey is bound to the site it was created for and cannot be replayed to an impostor. Passwords remain integral to most security procedures today, but poorly managed passwords lead to significant breaches, which is why passwordless security has moved to the center of cybersecurity efforts.
Some of the most damaging attacks of 2020 and 2021 involved stolen or compromised credentials. The SolarWinds supply-chain compromise, attributed to a nation-state actor, delivered a trojanized Orion update to up to 18,000 customers. The ransomware attack on Colonial Pipeline, reportedly carried out through a compromised VPN account password, forced the company to shut down its fuel pipeline.
Weak or reused passwords will remain exploitable until everyone, companies and individuals alike, uses strong, unique passwords and stores them in an end-to-end encrypted password manager.
Bitwarden includes passkeys, biometric login, passwordless SSO integration, and security key support, with more capabilities planned to help companies accelerate their adoption of passwordless authentication. As a member of the FIDO Alliance, Bitwarden offers cross-platform solutions that implement the WebAuthn/FIDO2 standards, furthering its commitment to secure authentication. The sections below outline how these pieces fit into the Bitwarden approach to passwordless security.
Passwordless authentication is a verification method that allows users to access a network, application, or system without needing a traditional password. Instead, it leverages alternative forms of validation, such as passkeys, biometric authentication, magic links, or authenticator apps, to verify a user’s identity. This approach enhances security and simplifies the authentication process, making it more user-friendly.
In essence, passwordless authentication shifts the focus from something the user knows to something the user has, or something the user is. This strategic direction in security has varying adoption speeds depending on an organization's specific security context. As companies and individuals embark on this journey, they move towards a more secure and streamlined authentication process.
Passwordless authentication verifies a user's identity using methods other than passwords. It relies on two of the three generally accepted authentication factors, something the user has and something the user is:
Knowledge: Something only the user knows (e.g., passwords, security questions).
Possession: Something only the user has (e.g., a hardware token, a smart card).
Inherence: Something only the user is (e.g., biometric characteristics, such as fingerprints or facial recognition).
Biometrics change the authentication process and how users interact with devices: facial recognition to sign in to a phone, a fingerprint scanner to access a computer, voice recognition to launch a digital assistant. Bitwarden offers fast and secure biometric unlock across multiple clients. Customers can combine passwordless security with ease of use by unlocking their Bitwarden vault with Touch ID, Face ID, Windows Hello, or Android Login with Biometrics. Note that biometric unlock releases a key already held on a device where the vault has been set up; the vault data stays encrypted at rest, and the biometric itself is never sent to Bitwarden servers.
Passkeys are a secure, passwordless authentication method that uses public-key cryptography to verify a user's identity. Each passkey is a key pair: a private key, which is stored on the user's device (or in a password manager that syncs it between devices) and never shared, and a public key, which is stored by the website or app being accessed. During login, the server sends a fresh random challenge; the user's device signs the challenge, together with the origin of the site requesting it, using the private key, and the server verifies the signature with the stored public key before granting access.
Passkeys offer several advantages, including strong resistance to phishing (a signature produced for a look-alike site does not verify for the real one) and the end of remembering unique passwords for every account. Major platforms support them, and they can be used across devices, providing a seamless and secure login experience. Passkeys are built on standards set by the FIDO Alliance and are supported by many technology companies, including Bitwarden.
In short, passwordless authentication manages the possession factor with public-key cryptography. Users are issued a public-private key pair when they register an account or device; the private key remains on the user's device while the public key is registered with the service. Because the challenge is random and single-use, and can only be answered with the private key, the user is verified without any password, and a captured response cannot be replayed.
Read more about how passkeys work and how to use passkeys with Bitwarden.
Physical security keys play a critical role in the passwordless era, especially as hybrid work becomes the norm and the digital threat surface grows. The private key is generated inside the hardware key and cannot be extracted or copied, so no one can log in to the account without holding the same physical key. Today, all Bitwarden customers can set up two-step login for their Bitwarden vault with authenticator applications and email. Paid customers can also add FIDO2 WebAuthn security keys, YubiKey OTP, and Duo Security.
Passwordless authentication offers stronger protection than relying on passwords alone. Eliminating passwords, along with the time lost to password resets, removes the password as a target: there is no shared secret to phish, steal from a breached database, or stuff into other sites. This significantly reduces the likelihood of account takeover and identity theft, since passwords are often weak, reused across services, or given up to phishing pages.
Passwordless authentication is not without its own challenges, however. Biometric methods can be vulnerable to spoofing, and hardware tokens can be lost or stolen, which makes account recovery the path an attacker will probe next. To mitigate these risks, register more than one authenticator for each account, define a recovery process that is at least as strong as the login it replaces, and back it up with regular security audits and end user training. These measures keep passwordless authentication a safe and reliable way to protect user identities and data.
By understanding and addressing these weak points, organizations can adopt passwordless authentication with confidence, knowing they are improving their security posture while giving users a more seamless experience.
Bitwarden is shaping the future of passwordless authentication and helping everyone, from individuals to the largest enterprises, stay safe. The approach to security is evolving, especially as companies adopt a cloud-first strategy for new projects, services, and data. As it evolves, Bitwarden remains committed to its mission of empowering individuals, teams, and organizations to access and share sensitive data easily and securely online.
Whether you are embracing the latest in biometrics, FIDO2 authentication, or modern passwordless integrations, Bitwarden stands ready to help you begin your passwordless journey. Bitwarden is the only open source enterprise password manager that offers zero-knowledge, end-to-end encryption and cross-platform support, so your company data stays encrypted wherever it is stored. Register for a free individual account or start a free Enterprise trial today.