Twice in the last week, I’ve had a glimpse of the passwordless future…

Keycloak

Everyone’s favourite open source identity and access management system has shipped a version (26.4) which includes passkey support out of the box. All you need to do is turn on a couple of settings, and users can sign up with their YubiKey, or indeed with the face/fingerprint unlock and TPM on their newish laptop or phone. Or use 1Password (other, less good password managers are available) to store the passkey.

I remain a bit concerned about civilians managing their passkeys correctly, but for the techies among us, just start using them. They work and they’re a jump forward.

Azure Managed Identity

I like bashing Microsoft as much as the next man, but having been exposed more heavily to Azure lately, I’ve got to admit they’ve got some cool stuff going on.

Indeed, the biggest crime they’re committing is messy marketing and rebranding (is it Active Directory? Or Entra? Or something else next week). Their Cosmos database appears to support every Cassandra feature Amazon’s rival is lacking, a fact that I would be making much more hay out of if I were them.

Meanwhile, I have somewhat got to grips with Azure Managed Identity. This is a way of allowing your apps to connect to databases and other resources without needing a password configured or stored anywhere. Instead, servers/containers prove their identity to the Azure mother ship via automatically distributed cryptographic keys, and a small helper library hooked into your code uses this to request credentials for the database (or whatever), which are issued short-lived and bound to the session in question.

The documentation is spread all over the shop and this is clearly a fast-moving and relatively young area. However, making it work with a standard Spring Boot + Liquibase app? It took about half an hour, including setting up my test database on Azure.

There were no code changes, just that helper library and a couple of settings. That Microsoft has gone to the trouble of making first-class support for Spring/Spring Boot is excellent and shows how far they’ve come from the bad old days.

It is also really nice that you can use the Azure command line client to make your laptop a temporary player in the Managed Identity universe, so you can test all of this locally in your IDE. And Managed Identity works so well that it actually simplifies your deployment and configuration: no more sensitive stuff in version control or in a separate secret management system.
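To show what that helper library is doing on your behalf (the mechanism described above, including the laptop case where the Azure CLI login stands in for the managed identity), here is an added example that is not from the post or from Microsoft's Spring integration. It assumes Azure Database for PostgreSQL, the azure-identity and PostgreSQL JDBC libraries on the classpath, and placeholder server, database and identity names.

```java
import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/**
 * Illustrative only: the token-for-password exchange that the Spring Cloud Azure
 * starter performs automatically. Assumes Azure Database for PostgreSQL; the host,
 * database and identity names below are placeholders, not values from the post.
 */
public class PasswordlessJdbc {

    // Entra ID resource scope for Azure Database for PostgreSQL / MySQL.
    private static final String OSS_RDBMS_SCOPE =
            "https://ossrdbms-aad.database.windows.net/.default";

    // Placeholders: substitute your server, database and the identity's display name.
    private static final String JDBC_URL =
            "jdbc:postgresql://<server>.postgres.database.azure.com:5432/<db>?sslmode=require";
    private static final String IDENTITY_NAME = "<managed-identity-or-user>";

    public static Connection connect() throws SQLException {
        // DefaultAzureCredential walks a chain: environment variables, the managed
        // identity endpoint (when running in Azure), then developer credentials such
        // as the Azure CLI login on a laptop. No database password exists anywhere.
        DefaultAzureCredential credential = new DefaultAzureCredentialBuilder().build();

        // A short-lived bearer token issued for this identity and this resource.
        AccessToken token = credential
                .getToken(new TokenRequestContext().addScopes(OSS_RDBMS_SCOPE))
                .block();
        if (token == null) {
            throw new IllegalStateException("No Azure credential available in the chain");
        }
        System.out.println("Token expires at " + token.getExpiresAt());

        // The token is presented where a password would normally go; the server
        // validates it against Entra ID, so nothing long-lived is ever stored.
        Properties props = new Properties();
        props.setProperty("user", IDENTITY_NAME);
        props.setProperty("password", token.getToken());
        return DriverManager.getConnection(JDBC_URL, props);
    }
}
```

Because the token expires, anything that holds connections for a long time (a pool, for instance) has to re-run this exchange rather than cache the string, which is exactly the part the Spring starter handles for you.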

Credit where it’s due, Microsoft are doing their bit for the shiny passwordless future on the server side. Put it together with passkeys and I’d like to see an almost total absence of passwords at work in five years’ time, certainly on server setups and preferably for my day-to-day sign in as well.