Root Causes 220: The Difference Between OTP and Passwordless

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

May 2, 2022

"Passwordless" is a hot term in the industry, and as a result many technology vendors are attaching their solutions to this term. In this episode we clarify the difference between OTP services and passwordless authentication.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanToday we want to talk about passwordless. We’ve had a few episodes lately where we’ve discussed this topic, and I definitely recommend going back and looking at those if you’re in to the topic. Today, we want to drill down on a real specific subject which is essentially the difference between one-time password and passwordless.

Jason SorokoAnd there is a difference, believe it or not.

Tim CallanDifference is one. I know arithmetic. No, sorry, Jay. What’s the difference?

Jason SorokoIt’s not about being clever here. This is about just calling out some of what we’re seeing in some popular marketing, and I can’t blame people for wanting to be part of the zeitgeist, but let’s get really, really real.

Part of what we said in this podcast in the past, Tim, is that there seems to be some wide-ranging opinions about what passwordless is. Not many people haven’t talked about what it really isn’t, and this is an area that I really do want to talk about. And we have talked about things like very, very large, complicated password managers that are kind of acting like passwordless.

Tim CallanIn a way, in terms of user experience.

Jason SorokoI’ve even seen, Tim, and this is what kind of scares me. Folks who have technology that is squarely in the realm of one-time pass codes as second factor, calling themselves passwordless, and I can’t even figure out why or how.

Tim CallanYou kind of jumped to my question, which would be to say, well, what is their rationale or what’s their argument? How does one portray it that way.

Jason SorokoI think, Tim, somehow, they want to have the leap of faith from the buyer of a technology like that or somebody or people who already have that technology, to say to themselves, well, it’s not just passwords, so we’ll call it passwordless.

Tim CallanSee, cause I’m thinking about – I understand how you and I have talked in previous episodes, which, again I do recommend. We’ve talked about how there are technologies that do a subset of what you get out of passwordless and sometimes doing very well. It’s things like password managers, it’s things like Single Sign-On and a lot of the benefits of passwordless are benefits that you can also get from these other technologies. Now there’s some you can’t. And so you see where when they say passwordless they’re kind of changing the meaning of it a little. They’re saying you as a user no longer need to engage with passwords, and therefore in terms of what you remember and what you type, that is now passwordless.

But in the case of a 2FA OTP, it is a way second factor, and I suppose there’s no rule that says the first time factor has to be a shared secret, but pragmatically, it always is. So, that’s why I’m a little confused.

Jason SorokoThat’s right, Tim. I think here are two scenarios how some people are getting away with it, and it does have to do with the user experience more than it has to do with the underlying - what we would call or define as passwordless. One is, a lot of people have enjoyed the fact that a lot of password managers will do the copy and paste or if you really want to call it, the insertion, of the password for you in to whatever form you’re being challenged with for the authentication.

So the actual physical typing in of a password is being done by something else, and there may not even be a change in the legacy form. It’s merely something filling in the form for you. You have to then finish off the authentication by using the OTP challenge going to your phone of whatever other mechanism you’re being asked to look at.

The second one is similar, but it’s in the Single Sign-On scenario, which is - there are I believe some vendors who will – they’re kind of specialists in Single Sign-On, and that’s great, or it’s something that’s a part of what they’re offering, and because of the fact that the Single Sign-On is taking care of the password entry, all you have to do is make sure you do the second factor challenge correctly to authenticate the fact that you’re not having to enter that password every single time. Some of those types of technologies are now also being called passwordless. Even though, of course, there is an underlying password in both of what I just talked about.

Tim CallanSo, you’re saying, let me play this back, because I would use this broader definition of passwordless – let’s call it passwordless prime – passwordless prime means you as the user do not need to remember and type in your passwords. There are benefits to that like they can be more complex, and you can have them be unique, and reuse isn’t a proper and all these things that we kind of like about passwordless and like about even these solutions. Because this is potential second factor that I would use potentially in conjunction with those kinds of password management solutions, therefore I’m construing that I’m part of your passwordless solution. Is that correct?

Jason SorokoThat’s right, Tim. It’s really all about the very, very handy smoke and mirrors of bettering the user experience and because you’re not physically typing in a password in some scenarios, that somehow is being labeled as passwordless.

Tim CallanNow that seems though even more stretched. We talked about the rationale between calling these other things passwordless, that I just made up the word passwordless prime, because there is still an underlying password inside the architecture, and we’ve talked in the past about why that’s an important distinction, and it is meaningful from a security perspective. However, in this case, if you really are a 2FA vendor, whether you’re OTP or something else, you’re not necessarily forced to a password manager/Single-Sign-On-type scenario. You could be using this MFA with a good-old fashion just type in the form. Just you and your fingers and your memory. If that’s the case, then even that argument, even passwordless prime is not true. So, what I’m struggling with here is it’s like saying, I’m trying to come up with an analogy, but it’s like, let’s say I sold you a set of cutlery, and I said this is vegetarian cutlery because you could use it with vegetarian food. Well, sure, but you could also use it with meat. There’s nothing special about this cutlery that makes it vegetarian. I’m just claiming this as one of – I’m calling it vegetarian because I want to get that word in there, and it’s just part of the full set of suite of things you might do with it. Am I misunderstanding, Jay, or is that an accurate analogy?

Jason SorokoI think it’s accurate, Tim. So therefore, the crux of this podcast is about, listen, if whoever’s listening to this, and you and Tim and I were sitting around a booth at RSA conference, just that kind of scenario. What we could probably talk about and have a few jokes and smiles about is the fact that I think some of these marketing terms, zero trust being one of them, and passwordless being a very recent one, I’ve noticed in the Twittersphere and I’ve noticed in people’s blogs and I’ve noticed just in conversation, which hopefully we’ll a lot more in the future at some point face-to-face, I think that there has been a lot of expression of fatigue of some of these marketing terms mostly because, my goodness, I’ve never seen black being called white and purple being called blue as often as things have occurred to this day. You’re absolutely right, Tim. People have stretched it to the point of you really got to use your imagination to even understand why they would call it that, but that it’s simply because they want to get the SEO points and get you to look at their stuff.

Tim CallanSure. What’s funny in this case is password is actually in the name. So my analogy wasn’t quite right. It’s not vegetarian cutlery, it’s a vegetarian steak knife is what it is. I’m selling a steak knife, but I want to sell to vegetarians, so I call it a vegetarian steak knife, because you could cut other stuff with it. This happens when a word gets cache, people try to pile onto it. I remember the last time that I was at the RSA conference, physically in person, laughing with a friend of mine that you could walk to any random place on the show floor, open your eyes, and without moving your head, you would see the word zero trust. We said, how come everybody suddenly is a zero trust vendor? How did that occur? And I think you’re seeing a similar thing happening here. But in this case, it’s a little extreme how far the nomenclature is being pushed.

Jason SorokoSo, Tim, I thought about this a few days ago, and maybe it’s time for us to just to say it outright here. Because sometimes in this podcast we really do our, we’re kind of news reporters, and sometimes we get opinionated, and I think it’s, it’s, and here’s the opinionated piece of this, which is I am also very sympathetic to anybody who is struggling with real world cybersecurity problems. You are trying to defend your enterprise. You’re trying to defend yourself, your family from various kinds of threats, and yet, you’ve got vendors who are playing pretty loose and loosey-goosey with definitions of what things are, and you could very easily get cynical. There’s a lot of things in life that are like that, especially nowadays. But I think in this realm of security, it’s very, very true. But let me tell you, the reason why we continue to use those – I continue to use those terms – is because there is underlying value to the principles underneath them. And getting away from passwords will yield you benefits regardless of how you invest. We’ve talked on this podcast about several flavors of how you can legitimately invest in it, and I think we’ve done a pretty good job of helping people to do procurement in passwordless. I think in zero trust, I mean, Tim, you and I call ourselves the gray beards for a reason. We’ve been around a long time. A lot of the concepts and principles in zero trust have been around a long time, and therefore, giving it a new marketing term was kind of funny, for those of us who want to be cynical about it. But here’s the thing we shouldn’t be cynical about, which is some of those principles were really important back in the day. They’re even more important now, and my goodness, very few people got it entirely right. So, whoever is casting stones, we can all laugh at the marketing term, but let’s not laugh at the underlying principles. And I think, Tim, I’ve seen this in the past.

Here’s my final point, and then I’ll give it back. I’ve been in rooms with extremely stressed out people who were responsible for security of enterprises. You could just tell that their job was hard, and they weren’t given enough resources, and here I was as just another vendor trying to either (a) create fear or (b) try to invent something new that was old, and, what I find interesting is that what a lot of those people had in common was a defeatist attitude that was so bad that they actually tried to downplay the risks that they were facing. Therefore, when you start to get really, really cynical about a term like passwordless, because of the reasons we just talked about, please, please, like, what to do with that is put your money, put your next piece of effort into the right thing for your organization, but for heaven sakes don’t let a defeatist attitude and don’t let a cynicism about the way that marketing sometimes, unfortunately, will work stop you from making the right decisions and see the risks that you face very, very clearly. Because if I trace my experiences talking to enterprises and my experiences in that world for many years, I’m still not seeing entirely correct emphasis on certain kinds of risk, and some of it is because of arguments about technology, but some of it now is just purely coming out of cynicism, Tim, and I think this is part of where it’s coming from, and you know what, maybe it’s time for us all to just sit down together again and have a conversation about what are we missing here, and from the vendor side and from the procurement side. Because I think we’ve got a lot of work to do. The bad guys have had it too easy for too long, and there are some very unfortunate circumstances that have caused that. It’s time to get over it, guys.

Tim CallanWe definitely moved from the front page to the opinion page on that one. That was good. I think that is a good point, and well expressed.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!