
An introduction to WebAuthn - a web standard enabling offline and passwordless authentication

Introduction

Trimble’s vision is delivering products and services that connect the physical and digital worlds. This involves connecting the field to the cloud. Field users rely heavily on mobile devices to access critical information and perform essential tasks. At Trimble, ensuring the security and accessibility of data for field users is of utmost importance. By adopting passwordless authentication, Trimble can significantly enhance security, simplify the user experience, and enable users to access data in the field.

Understanding Passwordless Authentication

Passwordless authentication represents a paradigm shift in verifying user identity without relying on traditional passwords. Instead of requiring users to remember and enter passwords, passwordless methods leverage other secure factors that include:

Biometric Authentication

Biometric authentication methods, such as fingerprint or facial recognition, verify users based on unique physical attributes. These are difficult to replicate, offering a secure and user-friendly way to authenticate. Users can leverage the biometric capabilities of a modern smartphone and use the phone as a trusted device to authenticate and access a wide range of devices and applications securely.

Security Keys

Security keys are physical devices that users can plug into their mobile devices to prove their identity. Security keys can also be enabled with Near Field Communication (NFC) and communicate wirelessly with other devices, making the authentication process even more convenient.

One of the key technologies enabling Passwordless Authentication is WebAuthn (Web Authentication), which is an open standard developed by the World Wide Web Consortium (W3C) and supported by the FIDO (Fast Identity Online) Alliance. It has garnered widespread support from major technology leaders, including Microsoft, Google, AWS and Apple. This strong support underscores the credibility and potential of this open standard.

Trimble Identity and Passwordless Authentication

Trimble Identity (TID) is the centralized authentication service that provides single sign-on capability and is responsible for authenticating the identity of users across multiple products and APIs. Introducing passwordless authentication in Trimble Identity offers the following benefits:

Streamlined Field User Experience

Field users often work in environments, and on devices with small form factors, where traditional password-based authentication is less than ideal:

  • A truck driver trying to get to the next delivery location
  • A construction user wearing gloves, using a field device to log in to a Trimble app

It is crucial to provide a secure yet seamless authentication process. Passwordless authentication offers the following key advantages:

Accessibility and Efficiency

Passwordless authentication using security keys or biometrics enables quick and easy authentication, allowing field users to access Trimble’s applications promptly without recalling complex passwords.

Easy Device Handoff

Passwordless authentication using a mobile phone or security key allows field workers to securely access Trimble’s applications across multiple devices, ensuring easy continuity. This becomes important where the devices are shared across multiple users in the field.

Offline Authentication

Field users often encounter areas with limited or no internet connectivity, hindering their access to online authentication methods. Passwordless authentication can address this challenge by providing offline authentication options to maintain field user productivity.

Enhanced Security

Passwordless authentication offers security benefits that reduce the risks associated with passwords, such as password reuse across multiple accounts, phishing and credential stuffing using automated tools.

Strong Authentication

Combining passwordless authentication with Multi-Factor Authentication (MFA) creates a powerful and robust security approach that maximizes protection against unauthorized access and elevates the overall security posture.

No Shared Secrets

Traditional authentication relies on shared secrets (passwords) stored on servers, making them susceptible to breaches and insider threats. Passwordless authentication does not require the storage of any shared secrets, significantly reducing the risk of data exposure.
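
What the server holds and checks under this model, as an added Node.js sketch (not Trimble Identity code): the relying party stores only a public key and a counter, and each sign-in is a signature over a fresh challenge bound to the page origin. `RP_ID`, `ORIGIN` and the function names are constructed for illustration, and the browser and authenticator are merged into one simulated object.

```javascript
const crypto = require('node:crypto');
const RP_ID = 'id.example.test';          // constructed relying-party ID
const ORIGIN = 'https://id.example.test'; // constructed origin of the sign-in page
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Simulated browser + authenticator: the private key is created on the device and stays there.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let signCount = 0;
  return {
    publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    getAssertion(challenge, origin) {
      const clientDataJSON = Buffer.from(JSON.stringify(
        { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      // authenticatorData = SHA-256(rpId) | flags (0x05 = UP + UV) | signCount (uint32 BE)
      const authenticatorData = Buffer.concat(
        [sha256(new URL(origin).hostname), Buffer.from([0x05]), Buffer.alloc(4)]);
      authenticatorData.writeUInt32BE(++signCount, 33);
      const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
      return { clientDataJSON, authenticatorData,
        signature: crypto.sign('sha256', signed, privateKey) };
    },
  };
}

// Server side. `record` is everything stored per credential: public key + counter.
function verifyAssertion(record, expectedChallenge, a) {
  const c = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (c.type !== 'webauthn.get') return 'bad type';
  if (c.challenge !== expectedChallenge.toString('base64url')) return 'challenge mismatch';
  if (c.origin !== ORIGIN) return 'origin mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpId mismatch';
  if (!(a.authenticatorData[32] & 0x01)) return 'user not present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, record.publicKeyPem, a.signature)) return 'bad signature';
  const count = a.authenticatorData.readUInt32BE(33);
  if (count <= record.signCount) return 'counter did not increase';
  record.signCount = count;
  return 'ok';
}

function demo() {
  const device = makeAuthenticator();
  const record = { publicKeyPem: device.publicKeyPem, signCount: 0 };
  const challenge = crypto.randomBytes(32);
  const good = device.getAssertion(challenge, ORIGIN);
  const lookalike = device.getAssertion(challenge, 'https://id.example.test.lookalike.invalid');
  return { login: verifyAssertion(record, challenge, good),
    replay: verifyAssertion(record, crypto.randomBytes(32), good),
    lookalike: verifyAssertion(record, challenge, lookalike) };
}
```

A database leak of `record` exposes nothing an attacker can sign in with. The sketch omits attestation, COSE key parsing and challenge expiry, which a maintained WebAuthn server library handles.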

Timelines

  • Q2 2023 - A proof of concept was completed that included the following sample use cases:
    • A Trimble Field user using a YubiKey security key to log in to TID using WebAuthn to access the Trimble Field Link application on a Trimble T10X tablet
    • A Trimble Field user using an iris scan/YubiKey to log in to TID using WebAuthn to access the Trimble Field Link application on HoloLens
  • Q3 2023 - Building the core capability of WebAuthn in TID. This will not have a use case applied yet.
  • Q4 2023 - Discovery of Offline authentication using WebAuthn

Conclusion

Passwordless authentication is a game-changer for authenticating Trimble field users relying on mobile devices and requiring offline access. Trimble can strengthen security by providing passwordless authentication in TID while offering a streamlined and efficient user experience for field users.