
Docker Joins Movement To Dump Passwords for Security

As of Sept. 16, 2024, Docker will enforce Single Sign-On (SSO) for CLI access, discontinuing the use of passwords in favor of Personal Access Tokens (PATs) when SSO is enforced.
Aug 21st, 2024 1:36pm

Docker is deprecating password logins on its command-line interface where Docker single sign-on (SSO) is enforced.

For as long as I’ve been writing about tech, I’ve been writing stories about how to use passwords successfully. I failed. People never learn. According to password security company NordPass, 2024’s most popular password is not “password”, it’s “123456.”

Password, all lowercase naturally, is number seven. We are so bad at this! The answer: Switch to another approach. That’s what Docker is doing.

Docker joined other companies in deprecating password logins on the Docker Command Line Interface (CLI).

As of Sept. 16, 2024, Docker will enforce Single Sign-On (SSO) for CLI access, discontinuing the use of passwords in favor of Personal Access Tokens (PATs) when SSO is enforced. This move is part of Docker’s broader strategy to enhance security and streamline authentication processes across its platform.

I should add that this is mandatory. If you’re using SSO, you won’t be able to use passwords anymore. Deal with it.

SSO enforcement was initially introduced by Docker in 2022 for Business subscriptions. It enabled organizations to mandate authentication through their Identity Provider (IdP). This approach not only enhances security but also simplifies the user experience by eliminating the annoyance of multiple passwords.

With the deprecation of password logins, Docker ensures a unified and secure authentication process across its services, including Docker Desktop, Docker Hub, Docker Scout, and Docker Build Cloud.

Passwords are fast becoming a legacy technology. It’s a technology debt that we all should pay off as quickly as possible.

Docker’s move away from password-based authentication aligns with a broader industry trend toward passkeys and zero-trust security models.

Passkeys, developed by the FIDO Alliance with support from major tech companies like Apple, Google, and Microsoft, offer a more secure and user-friendly alternative to traditional passwords. They utilize cryptographic key pairs, making them resistant to phishing and other online attacks.

Zero trust assumes that threats could be internal or external and requires strict verification for every access request. Organizations can better protect their resources and data by eliminating passwords, which are a security weak link.

Zero trust’s basic rule is “trust no one.” Attackers can come from inside or outside your network. No users or systems should ever be automatically trusted. With this stance, you eliminate many of the attack vectors crooks constantly use to grab passwords, steal data, install ransomware, and do all those other things that make IT life miserable.

Besides Docker, GitHub’s recent push to get users to use passkeys has been highly successful. 95% of GitHub’s developers have adopted two-factor authentication (2FA) passkeys.

It’s not just developers who have finally gotten on the passkey/zero-trust security bandwagon. As TheNewStack author Susan Holt recently pointed out, “Google is using passkeys in Gmail; Shopify has made it the primary option for Shop Pay; WhatsApp has rolled out passkey support on Android; and Amazon has made passkeys available in browsers, with support for Android and iOS in the works.”

Reed McGinley-Stempel, CEO of Stytch, a startup devoted to making it easier for developers to add passwordless authentication to their applications, also told Holt, “[Developers] want it to be easy to integrate. If they want to be able to handle edge cases. There are still worlds where you can lose all of your devices or your passkey, so account recovery matters a lot. And then they want to be able to integrate it the way they want into the application so that they can own the UX and design.”

In short, it’s easier than ever to adopt newer, better ways to replace passwords and introduce stronger, more reliable security. It’s time for you to join Docker and GitHub and lock down both your programming tools and your team’s products.

TNS owner Insight Partners is an investor in: Docker.