Over the years we have seen a long series of attacks on systems caused by passwords. Passwords are leaked, reused or phished; they are the vulnerable entry point into the system.
Ben has been in developer tools for a decade, helping to deliver tools that have been used by over 100,000 developers. At Teleport, he thrives on helping keep enterprise and developer networks and machines secure.
The solution: get rid of passwords.
Password replacement is often called passwordless, but the term is confusing because it does not say what replaces the password. In practice, passwordless authentication combines proof of identity (a biometric such as Touch ID, or a PIN) with proof of possession of a registered device (on a Mac, a key held in the Secure Enclave, which can attest to where it was created). Both are integrated with modern web standards such as Web Authentication (WebAuthn) to keep things simple and give users a smooth experience. Signing in to an iPhone with Face ID is an everyday example: there is no password, and you hardly notice.
In addition to user passwords, there are other password-like credentials scattered throughout your infrastructure. Some are explicitly called passwords, such as the username and password for a MySQL server. Others are less obvious: a long-lived kubeconfig carrying a static bearer token that is, in effect, just a very long password, or the SSH key a CI/CD server uses to reach other machines. We’ll cover machine-to-machine communication and authentication later in this article.
Problems in Dev Paradise
In recent years, developers have become the target of multiple attacks, because most developers need access to staging, build or production environments. With that access to sensitive systems, they are prime targets for criminal hackers and even nation-state attackers. The SolarWinds compromise showed “phenomenal craftsmanship”: once the attackers had a foothold, they placed a backdoor in the build system, which was compiled into the product and eventually shipped to customers.
Other companies, such as Twilio and Cisco, have been hit by sophisticated attacks that bypassed single sign-on (SSO) and multi-factor authentication (MFA). Cisco recently observed MFA being circumvented through voice phishing, or “vishing”, of an employee. These incidents show that SSO combined with phishable forms of MFA (one-time codes, push approvals) is not strong enough to stop the most persistent attackers.
Developers’ dirty secrets
In the daily work of developers, they come across many secrets. These can range from API keys for services to AWS credentials and kubeconfigs. There are two problems with most of these secrets:
- Most are long-lived credentials.
- They are stored on disk.
Long-lived credentials pose many risks. A developer might hold a Twilio API key for sending SMS: is it the same key used in production? Is it rotated when someone leaves the company? Long-lived credentials open the door to lateral movement and privilege escalation. Two open source tools for managing secrets are Blackbox and sops. They encrypt secrets at rest (for example, in a git repository), so a leaked copy of the file is useless to an attacker who lacks the decryption key. Note that they do nothing about the lifetime of the secret itself: once decrypted for use, a static key is as dangerous as it was before.
Using short-lived, temporary credentials is the better way to protect developer accounts. AWS users can combine IAM temporary security credentials with AWS SSO (now IAM Identity Center) and CLI profiles, running aws sso login --profile <name> to obtain credentials that expire within hours. If a machine is compromised, the attacker has only a limited window in which the credentials still work. Another useful open source project, aws-vault, solves the same problem for development environments by keeping the long-lived key in the OS keychain and handing the shell only temporary session credentials.
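As an added example (my own code, not the article’s or Teleport’s), the following Go program applies the two tests above to an AWS CLI configuration: it parses the profile format and reports which profiles hold a long-lived static key on disk, which hold an expiring key, and which use SSO and only fetch credentials at login. The sample configuration, the profile names and the dummy key values are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// sampleAWSConfig is a constructed ~/.aws/config (credentials merged in) for this
// example; key values are dummies in the documented AKIA/ASIA example format.
const sampleAWSConfig = `
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[profile ci-export]
aws_access_key_id = ASIAEXAMPLETEMPORARY
aws_secret_access_key = EXAMPLETEMPORARYSECRET
aws_session_token = EXAMPLESESSIONTOKEN
[profile dev-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = DeveloperAccess
[profile prod-admin]
role_arn = arn:aws:iam::123456789012:role/Admin
source_profile = default
`

// Credential classes, from worst to best.
const (
	StaticLongLived = "static long-lived key on disk"
	TemporaryOnDisk = "temporary key on disk (expires, but copyable until then)"
	SSOShortLived   = "SSO, short-lived credentials fetched at login"
	Unknown         = "unknown"
)

// parseProfiles reads the AWS CLI file format: [default] / [profile name] sections of key = value lines.
func parseProfiles(text string) map[string]map[string]string {
	profiles := map[string]map[string]string{}
	var current map[string]string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || line[0] == '#' || line[0] == ';':
			continue
		case line[0] == '[' && strings.HasSuffix(line, "]"):
			name := strings.TrimSpace(strings.TrimPrefix(line[1:len(line)-1], "profile "))
			current = map[string]string{}
			profiles[name] = current
		case current != nil:
			if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
				current[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
			}
		}
	}
	return profiles
}

// classify reports how a profile obtains credentials. A role-chaining profile inherits the
// class of its source_profile: whoever copies that static key can assume the role too.
func classify(name string, profiles map[string]map[string]string) string {
	for depth := 0; depth < 8; depth++ { // bounded walk guards against source_profile cycles
		p, ok := profiles[name]
		if !ok {
			return Unknown
		}
		_, hasKey := p["aws_access_key_id"]
		_, hasToken := p["aws_session_token"]
		switch {
		case hasKey && hasToken:
			return TemporaryOnDisk
		case hasKey:
			return StaticLongLived
		case p["sso_start_url"] != "" || p["sso_session"] != "":
			return SSOShortLived
		case p["role_arn"] != "" && p["source_profile"] != "":
			name = p["source_profile"] // follow the chain to the real credential source
		default:
			return Unknown
		}
	}
	return Unknown
}

// audit classifies every profile found in an AWS CLI config text.
func audit(text string) map[string]string {
	profiles := parseProfiles(text)
	result := make(map[string]string, len(profiles))
	for name := range profiles {
		result[name] = classify(name, profiles)
	}
	return result
}

func main() {
	for name, class := range audit(sampleAWSConfig) {
		fmt.Printf("%-12s %s\n", name, class)
	}
}
```

To run it against real files, feed it the concatenation of ~/.aws/credentials and ~/.aws/config instead of the sample; anything reported as a static long-lived key is a candidate for replacement with an SSO profile or aws-vault. The role-chaining rule is the part people miss: prod-admin looks harmless on its own, but it inherits the static key of its source_profile, so it is exactly as exposed as the default profile.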
Finally, it is important to use a dedicated service account for machine-to-machine communication. For example, a CI/CD service should have its own service account with limited permissions and its own credentials. It is also worth evaluating whether you can remove the secret entirely, for instance by using OIDC in GitHub Actions workflows so that the workflow exchanges a short-lived identity token for cloud credentials instead of storing a long-lived secret. For other systems, look at the open source Teleport Machine ID, which continuously obtains short-lived certificates for server, Kubernetes and database access.
How does passwordless work?
The basics of passwordless rest on a few standard web standards. For a deep dive, I highly recommend the article “How Passwordless Works” for an in-depth look at both WebAuthn and passwordless. The detail that makes passwordless secure is that the identity check, whether a biometric or a personal identification number (PIN), never leaves the user’s device, and neither does the private key it unlocks: the device only ever returns a signature over a challenge that is bound to the site’s origin. This makes remote phishing ineffective, because a look-alike site cannot obtain a signature that the real site will accept; the attacker would need the device itself.
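To make those two properties concrete, here is an added example in Go (not code from the article, from Teleport or from the linked piece) that models one WebAuthn login ceremony with the standard library’s ECDSA. The authenticator side holds the private key and signs only the authenticator data plus a hash of the client data (type, challenge, origin); the relying-party side checks the origin, the rpId hash, the challenge, the user-verification flag and the signature. The rpId, origin and challenge strings are constructed for the example, and the client data JSON is simplified to the three fields that matter.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData holds the CollectedClientData fields that matter for this check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser hands back to the relying party (RP).
type assertion struct {
	AuthData       []byte // SHA-256(rpId) || flags || signCount, as in WebAuthn
	ClientDataJSON []byte
	Signature      []byte
}

const flagUP, flagUV byte = 0x01, 0x04 // user present, user verified

// authenticatorData builds the 37-byte header that the authenticator signs over.
func authenticatorData(rpID string, flags byte, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	out := append(append([]byte{}, h[:]...), flags)
	return append(out, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
}

// signedDigest is SHA-256(authData || SHA-256(clientDataJSON)), the value ECDSA signs.
func signedDigest(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// sign plays the authenticator (Secure Enclave or security key). The private key never
// leaves it; the browser supplies origin and rpID, and the local biometric/PIN check only sets UV.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // cannot fail for this struct
	authData := authenticatorData(rpID, flagUP|flagUV, 1)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// verify plays the RP: accept only an assertion bound to our rpID and origin, answering the
// challenge we issued, with user verification, signed by the key registered at enrollment.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("unexpected ceremony type %q", cd.Type)
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != origin:
		return fmt.Errorf("origin %q is not this RP: phishing page?", cd.Origin)
	case len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rpHash[:]):
		return fmt.Errorf("rpIdHash mismatch: credential scoped to another site")
	case a.AuthData[32]&flagUV == 0:
		return fmt.Errorf("user verification not performed")
	case !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

// scenarios runs a legitimate login, a phishing relay and a replay, returning each
// verification result (nil means the RP accepted it).
func scenarios() (legit, phish, replay error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	const rpID, origin = "example.com", "https://example.com"
	const challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed; real RPs send fresh random bytes
	good, _ := sign(priv, rpID, origin, challenge)
	legit = verify(&priv.PublicKey, rpID, origin, challenge, good)
	// Phishing relay: the victim's browser is on evil.example, so the signed data names that site.
	bad, _ := sign(priv, "evil.example", "https://evil.example", challenge)
	phish = verify(&priv.PublicKey, rpID, origin, challenge, bad)
	// Replay: a captured assertion answers an old challenge, not the one issued now.
	replay = verify(&priv.PublicKey, rpID, origin, "ZnJlc2gtY2hhbGxlbmdl", good)
	return legit, phish, replay
}

func main() {
	legit, phish, replay := scenarios()
	fmt.Println("legitimate:", legit, "\nphishing:  ", phish, "\nreplay:    ", replay)
}
```

The phishing case fails on the origin check before the signature is even examined: the browser, not the attacker, writes the origin into the client data, and the authenticator signs over it. In a real browser the credential for example.com would not even be offered on evil.example, because the rpId must match the page’s effective domain; the rpIdHash check in verify is the server-side half of that rule. The replay case shows why the challenge must be fresh for every login.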
What makes developers unique?
It goes without saying that developers are experienced users of their work machines. They often switch between integrated development environments (IDEs) and terminals to do their jobs. They use command-line tools rather than browser-based applications, and these CLI tools often require some form of authentication.
This is where passwordless gets tricky. WebAuthn was designed primarily for browsers, and some of its security features, such as attestation, are not fully implemented. For example, Chrome relies on self-attestation for Touch ID because it cannot safely use a different attestation format.
The next issue is supporting passwordless authentication methods in the CLI. When developing the open source tsh client, the binary had to be packaged with the correct provisioning profile for Touch ID to work at all. For other open source developers, this means an Apple developer account is required to ship a Touch ID compatible CLI.
Why Developers Need Passwordless
This article has described some of the risks associated with passwords and points to a future in which passwords are a thing of the past. Switching to passwordless authentication greatly reduces the risk of these attacks. Teleport is one of the first developer-focused tools to bring passwordless login to the terminal, with no username or password required.
Call to Action for Passwordless for Developers
Audit your developers and systems: To understand your current security posture, identify all of the authentication tools and methods used by developers and by developer-related services. If you use a centralized password manager, check when each password was last rotated and explore other options.
Upgrade U2F to WebAuthn: If you work on a product that provides authentication, start by upgrading your old U2F and second-factor support to WebAuthn. Several libraries are available to make this easier.
Invest in hardware tokens: Start by buying hardware tokens for your team, whether YubiKeys, Google Titan keys or SoloKeys.
Remove passwords from machine-to-machine communication: Look for ways to eliminate infrastructure service passwords. For example, if your services currently authenticate to Postgres with a username and password, switch the connection to TLS and authenticate with client certificates instead of passwords.
The future of passwordless with passkeys
Apple, Google and Microsoft have collaborated to improve the passwordless experience for the general public. Currently, users must register and enroll each device separately: a Touch ID credential created on a MacBook does not carry over to an iPhone.
Passkeys are the solution to this problem: a FIDO2 enhancement that lets users access passwordless systems easily and securely across all their devices and operating systems. FIDO2 authentication standards are based on public key cryptography, which is far more secure than SMS codes and one-time passwords. FIDO2 authentication helps replace password-only logins with secure, fast login experiences on websites and in apps.
The owner of TNS, Insight Partners, is an investor in Teleport.
Feature image via Pixabay.