Types of Passwordless Authentication
Passwordless authentication can be achieved in many ways, including:
- Biometric Authentication – uses unique physical traits to verify if a person is who they say they are, without requesting a password.
- Dedicated Hardware Security Tokens – authenticate the user’s identity and prevent unauthorized access.
- Certificate-Based Authentication – is a feature of the widely used SSL/TLS protocol, but is also found in many other internet security protocols.
The second tier of passwordless authentication methods aren’t necessarily bad; they’re just arguably not completely passwordless. These three methods are:
- One-Time Passcodes – similar to magic links but require users to input a code that you send them (via email or to their mobile device via SMS) instead of simply clicking a link. This process is repeated each time a user logs in.
- Magic Links – ask the user to enter their email address into the login box. An email is then sent to them with a link they can click to log in. This process is repeated each time the user logs in.
- Authenticator Apps – used for two-factor authentication (also called dual-factor authentication, or two-step verification), which is a method of confirming users’ claimed identities by using a combination of two different factors.
How Does Passwordless Authentication Work?
Passwordless authentication works by replacing passwords with other authentication factors that are inherently safer. With password-based authentication, a user-provided password is matched against what is stored in the database.
In some passwordless systems, such as biometric authentication, the comparison is similar, but instead of passwords a user’s distinctive characteristics are compared. For example, a facial recognition system captures a user’s face, extracts numerical data from it, and then compares that data with the verified data present in the database.
Other passwordless implementations include sending a one-time passcode to a user’s mobile, via SMS.
Passwordless authentication relies on the same principle as digital certificates: a cryptographic key pair with a private and a public key. Think of the public key as the padlock and the private key as the actual key that unlocks it.
Digital certificates work in a way in which there is only one key for the padlock and only one padlock for the key. A user wishing to create a secure account uses a tool (a mobile app, a browser extension, etc.) to generate a public-private key pair.
The private key is stored on the user’s local device and can only be accessed using an authentication factor, e.g., a fingerprint, PIN, or OTP. The public key is provided to the system on which the user wishes to have a secure account.
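The padlock-and-key login described above, as an added Go example (not code from the original article): the device generates an Ed25519 key pair, the server enrols only the public key, and every login is a fresh random challenge that the device signs and the server verifies against that key, consuming the challenge so it cannot be replayed. Server, Register, Challenge and Verify are names assumed for illustration; a real deployment such as FIDO2/WebAuthn also binds the challenge to the site origin, which is omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"time"
)

// account is what the server keeps per user: public key plus one open challenge.
type account struct {
	pub     ed25519.PublicKey
	nonce   []byte // nil when no challenge is outstanding
	expires time.Time
}
// Server stores no secret a breach could expose; private keys stay on devices.
type Server struct {
	accounts map[string]*account
	ttl      time.Duration
}
func NewServer(ttl time.Duration) *Server { return &Server{map[string]*account{}, ttl} }
// Register enrols the public half of the key pair the device generated.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.accounts[user] = &account{pub: pub} }
// Challenge issues a fresh random nonce; the device answers with ed25519.Sign(priv, nonce)
// once its local factor (PIN, fingerprint) has unlocked priv.
func (s *Server) Challenge(user string) ([]byte, error) {
	a, ok := s.accounts[user]
	if !ok {
		return nil, errors.New("unknown user")
	}
	a.nonce = make([]byte, 32)
	if _, err := rand.Read(a.nonce); err != nil {
		return nil, err
	}
	a.expires = time.Now().Add(s.ttl)
	return a.nonce, nil
}
// Verify checks the signature over the open nonce and consumes it, so a
// signature captured in transit cannot be replayed for a second login.
func (s *Server) Verify(user string, sig []byte) error {
	a, ok := s.accounts[user]
	if !ok || a.nonce == nil || time.Now().After(a.expires) {
		return errors.New("no live challenge")
	}
	nonce := a.nonce
	a.nonce = nil // one shot, whether or not the signature verifies
	if !ed25519.Verify(a.pub, nonce, sig) {
		return errors.New("signature does not match registered key")
	}
	return nil
}
```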
Is Passwordless Authentication Safe? (What does Passwordless Authentication Prevent?)
Whether passwordless authentication is safe depends on your definition of safe. If safe means harder to crack and less prone to the most common cyber attacks, then yes, passwordless authentication is considered safe.
If your definition of safe is protected from hacking, then no, it’s not safe. There’s no authentication system out there that can’t be hacked. There may not be an obvious way to hack it, but that doesn’t mean that the most sophisticated hackers can’t work their way around its defenses.
Passwordless techniques are generally safer than passwords. To hack a password-based system, a bad actor may use a textbook attack, which is often considered the most basic hacking technique (keep trying different passwords until you get a match).
Even amateur hackers can perform a textbook attack. On the contrary, it takes a significantly higher level of hacking experience and sophistication to infiltrate a passwordless system.
The benefits of Passwordless Authentication
A smoother and more convenient customer experience
- Improved user experience, particularly on mobile applications, because users only need an email address or mobile phone number to sign up.
- Users no longer need to create and remember complex passwords
- Users can authenticate quickly
Recovered revenue from reduced customer attrition
- A third of customers will simply abandon their carts if they forget their passwords. If companies can reduce that margin by any amount, that’s revenue back in their pocket that they would have otherwise lost completely. Similarly, a more convenient identity experience will encourage customers to keep coming back thanks to its ease of use and mobile friendliness.
Dramatically improved security that eliminates the threat vector of passwords
- It is impossible for hackers to crack passwordless biometrics. They can’t steal the biometric data nor can they trick a service into accepting it. Not only does the biometric data remain locally on a user’s device, but FIDO2-based solutions use cryptographic key pairs that are impenetrable to outsiders.
Long-term savings from the lower total cost of operation and reduced infrastructure
- A password-based authentication system is expensive in terms of IT, support and upkeep. Not only does it cost money to reset a user’s account, but it can also be a huge drain on resources to automate account recovery, staff call centers and maintain a support ticketing system. The long-term savings of eliminating passwords may easily be in the tens of millions for sizable companies.
Significantly decreased complexity in the identity stack, making it easier to add and manage elements
- A big issue for CISOs and IT departments is the complexity of increasing security on a password-based authentication system. Due to evolving security requirements, many companies have been forced to adopt a bolt-on approach in which they add piecemeal elements to their identity stack one by one. This usually results in a difficult-to-manage and unwieldy authentication system. Passwordless solutions make achieving MFA and meeting regulatory requirements simpler, meaning fewer elements are needed to obtain the same results.
The Problems With Passwords
Simple authentication methods that require only username and password combinations are inherently vulnerable. Attackers can guess or steal credentials and gain access to sensitive information and IT systems using a variety of techniques, including:
- Brute force methods – using programs to generate random username/password combinations or exploit common weak passwords like 123456. Brute force attacks involve repeated login attempts using every possible letter, number, and character combination to guess a password.
- Credential stuffing – using stolen or leaked credentials from one account to gain access to other accounts (people often use the same username/password combination for many accounts). Credential stuffing is a type of cyberattack where stolen account credentials, typically consisting of lists of usernames and/or email addresses and their corresponding passwords, are used to gain unauthorized access to user accounts.
- Phishing – using bogus emails or text messages to trick a victim into replying with their credentials. Phishing is a form of cyberattack designed with the aim of getting a user to divulge compromising information. As its name would imply, phishing is a targeted attack against a particular user or set of users based on their unique profile.
- Keylogging – installing malware on a computer to capture username/password keystrokes. A Keylogger Attack involves the illicit use of a keystroke logging program to record and capture passwords. Hackers can infect a machine with a keylogger by planting them in legitimate websites or in phishing messages.
- Man-in-the-middle attacks – intercepting communications streams (over public WiFi, for example) and replaying credentials.
How To Implement Passwordless Authentication
Here’s how to approach implementing passwordless authentication:
- Pick your mode: The first step is choosing your preferred authentication factor. Available options range from fingerprints and retina scans to magic links and hardware tokens.
- How many factors: It’s recommended to use multiple authentication factors with or without passwordless. Reliance on one factor, regardless of how safe it may seem, is not recommended.
- Buy required hardware/software: You may have to buy equipment to implement biometric-based passwordless authentication. For other modes, like magic links or mobile OTPs, you may only have to procure software.
- Provision users: Start registering people on your authentication system. E.g., for a face recognition system, you will need to scan the faces of all your employees.
MFA vs Passwordless Authentication
Passwordless authentication simply replaces passwords with a more suitable authentication factor. On the other hand, MFA (multi-factor authentication) uses more than one authentication factor to verify a user’s identity.
Multi-factor authentication is a term used to describe authentication that requires two or more factors. Normally, this includes both a one-time passcode and a regular password.
Many passwordless solutions use some form of multi-factor authentication (MFA) to prevent threat actors from stealing and using the device associated with a passwordless account. To achieve MFA without a complicated authentication process, device fingerprinting provides a second, invisible factor that ensures only registered devices can be authenticated. When you combine biometrics with device fingerprinting, it is effectively impossible for a hacker to impersonate a user. While technically passwordless, this still adds a layer of protection beyond a password alone.
Is The Future Passwordless?
The primary reason passwords are still used is that a password-based login system is the easiest and cheapest to implement. However, it is expected that passwordless authentication will take over soon.
In the last two years, there have been more cyberattacks than ever before. This is setting off alarm bells in many companies, with more and more investments being made into biometrics and adaptive authentication.
Many companies have now realized that only using passwords as a form of authentication is the primary reason for data breaches. The cost of implementing passwordless authentication into their organization is nothing compared to the fines and losses incurred due to a data breach.
Last but not least, passwords are a nuisance for users: they are hard to remember and a pain to reset. On the other hand, passwordless techniques, like biometrics, are convenient and much more user-friendly.