What is passwordless authentication?

Passwordless authentication is a way to verify your identity without using a password. Instead, it uses more secure alternatives like possession factors (for example, one-time passcodes, or OTPs) or biometrics (Touch ID, fingerprints, retina scans).

The problem with passwords

Today, we rely on countless applications that require passwords. This often leads to risky behaviors like password reuse or weak passwords. This leaves organizations vulnerable to cyberattacks and data breaches.

  • 30% of internet users have experienced a data breach because of a weak password
  • 59% of US adults use birthdays or names in their passwords
  • 66% of Americans use the same password across multiple accounts
  • The most commonly used password is “123456.”

Simple username and password logins are inherently insecure, as attackers can exploit various techniques to steal credentials, including:

  • Brute force attacks: Software generates random password combinations or targets common weak passwords.
  • Credential stuffing: Attackers often use stolen login information from one account to break into others.
  • Phishing: Deceptive messages trick victims into revealing their login information.
  • Keylogging: Malware secretly records keystrokes, capturing usernames and passwords.
  • Man-in-the-middle attacks: Attackers intercept communications to steal credentials in transit.

These security risks highlight the need for more robust authentication measures to protect sensitive data and systems.

How does passwordless authentication work?

Passwordless authentication enhances security by replacing traditional passwords with inherently safer alternatives. In password-based authentication, a user enters a password, and the system checks it against a stored version.

Passwordless systems use various methods for verification. Biometric systems, for instance, compare a user’s unique physical traits (like facial features) to stored data. In this case, a system might capture a user’s face, convert it into numerical data, and compare it to a verified record.

Other passwordless implementations employ different approaches. For example, a system could send a one-time passcode to a user’s mobile phone. The user then enters this code to gain access, and the system verifies it against the sent code.
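The one-time passcode flow just described, written out server-side as an added Go example (this is not code from the article or from any vendor it names): the server generates a random code, stores only a hash of it together with an expiry and a guess counter, compares the submitted value in constant time, and discards the code after one successful use. The code length, lifetime, guess limit and user names are constructed for the example; delivering the code (the SMS) is left to the caller.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy values are assumptions for this example, not from the article:
// a 6-digit code that lives 5 minutes and allows 3 guesses.
const (
	otpDigits   = 6
	otpLifetime = 5 * time.Minute
	otpMaxTries = 3
)

var (
	errNoCode   = errors.New("no active code for user")
	errExpired  = errors.New("code expired")
	errLocked   = errors.New("too many wrong guesses")
	errMismatch = errors.New("code does not match")
)

// pendingOTP is what the server keeps after sending a code. Only a hash is
// stored, so a leaked table does not reveal codes that are still valid.
type pendingOTP struct {
	hash    [32]byte
	expires time.Time
	tries   int
}

type otpServer struct {
	pending map[string]*pendingOTP // keyed by user id
}

func newOTPServer() *otpServer {
	return &otpServer{pending: map[string]*pendingOTP{}}
}

// issue generates a fresh code for user and returns it so the caller can
// deliver it out of band (SMS, e-mail). Any earlier code is replaced.
func (s *otpServer) issue(user string, now time.Time) (string, error) {
	limit := new(big.Int).Exp(big.NewInt(10), big.NewInt(otpDigits), nil)
	n, err := rand.Int(rand.Reader, limit) // uniform in [0, 10^otpDigits)
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%0*d", otpDigits, n.Int64())
	s.pending[user] = &pendingOTP{
		hash:    sha256.Sum256([]byte(code)),
		expires: now.Add(otpLifetime),
	}
	return code, nil
}

// verify checks a submitted code against the one that was sent. A code is
// consumed on success and discarded on expiry or after too many wrong
// guesses, so it can be used exactly once and cannot be guessed online.
func (s *otpServer) verify(user, submitted string, now time.Time) error {
	p, ok := s.pending[user]
	if !ok {
		return errNoCode
	}
	if now.After(p.expires) {
		delete(s.pending, user)
		return errExpired
	}
	h := sha256.Sum256([]byte(submitted))
	if subtle.ConstantTimeCompare(h[:], p.hash[:]) != 1 {
		p.tries++
		if p.tries >= otpMaxTries {
			delete(s.pending, user)
			return errLocked
		}
		return errMismatch
	}
	delete(s.pending, user) // single use
	return nil
}

func main() {
	s := newOTPServer()
	now := time.Now()
	code, _ := s.issue("alice", now)
	fmt.Println("code to deliver by SMS:", code)
	fmt.Println("first use:", s.verify("alice", code, now))
	fmt.Println("replay:", s.verify("alice", code, now))
}
```

The detail that matters most is the `delete` after a successful `verify`: "verifies it against the sent code" has to include making the code unusable afterwards, otherwise an intercepted SMS stays valid for the whole lifetime. The guess limit is what keeps a six-digit code from being enumerated online.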

At the heart of passwordless authentication lies the same principle as digital certificates: a pair of cryptographic keys, one private and one public. Think of the public key as a padlock and the private key as the only key that can open it.

Each digital certificate has a unique public-private key pair. A user sets up a secure account with a tool (such as an authenticator app) that generates this pair. The private key is stored securely on the user’s device and can be used only after the user presents an authentication factor (fingerprint, PIN, etc.). The public key is shared with the system, which uses it to confirm that the user holds the matching private key and may access the account.
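The padlock-and-key idea from the two paragraphs above, as an added Go example that is not from the article: at enrollment the device generates an Ed25519 key pair and sends only the public key; at login the server issues a random challenge, the device signs it (only once its local factor has been presented), and the server verifies the signature with the stored public key. The origin string, the challenge lifetime, the `unlock(bool)` stand-in for a PIN or fingerprint check, and the user names are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Assumptions for this example, not from the article: a 32-byte random challenge valid
// for 2 minutes, signed together with a constructed origin so it is useless elsewhere.
const (
	challengeTTL = 2 * time.Minute
	rpOrigin     = "https://login.example.test" // placeholder relying-party origin
)

var (
	errNoChallenge      = errors.New("no outstanding challenge")
	errChallengeExpired = errors.New("challenge expired")
	errBadSignature     = errors.New("signature does not verify")
)

type challenge struct {
	nonce   []byte
	expires time.Time
}

// server stores only public keys ("padlocks"); leaking them gives an attacker nothing to log in with.
type server struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string]challenge
}

func newServer() *server {
	return &server{keys: map[string]ed25519.PublicKey{}, challenges: map[string]challenge{}}
}

// register records the public key the user's device generated at enrollment.
func (s *server) register(user string, pub ed25519.PublicKey) { s.keys[user] = pub }

// issueChallenge hands out a fresh random nonce. It deliberately does not reveal
// whether the user is enrolled; the key lookup happens only in login.
func (s *server) issueChallenge(user string, now time.Time) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = challenge{nonce: nonce, expires: now.Add(challengeTTL)}
	return nonce, nil
}

// signedPayload is the exact byte string both sides sign and verify.
func signedPayload(nonce []byte) []byte { return append([]byte(rpOrigin+"|"), nonce...) }

// login verifies the signature over the outstanding challenge, which is consumed on
// every attempt so a captured signature cannot be replayed.
func (s *server) login(user string, sig []byte, now time.Time) error {
	c, ok := s.challenges[user]
	if !ok {
		return errNoChallenge
	}
	delete(s.challenges, user)
	if now.After(c.expires) {
		return errChallengeExpired
	}
	pub := s.keys[user] // nil for an unknown user, which then fails like a bad signature
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, signedPayload(c.nonce), sig) {
		return errBadSignature
	}
	return nil
}

// device models the authenticator: the private key never leaves it, and it signs only
// after the local factor is presented (a real device checks the PIN/biometric itself).
type device struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

func (d *device) unlock(localFactorOK bool) { d.unlocked = localFactorOK }
func (d *device) sign(nonce []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("authenticator locked: present PIN or biometric")
	}
	return ed25519.Sign(d.priv, signedPayload(nonce)), nil
}

func main() {
	srv := newServer()
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // happens on the user's device at enrollment
	dev := &device{priv: priv}
	srv.register("alice", pub) // only the public key leaves the device
	nonce, _ := srv.issueChallenge("alice", time.Now())
	dev.unlock(true) // the user touches the fingerprint reader
	sig, _ := dev.sign(nonce)
	fmt.Println("login:", srv.login("alice", sig, time.Now()), "| replay:", srv.login("alice", sig, time.Now()))
}
```

Two design choices are worth noticing. The server never holds anything that can be replayed: a stolen copy of `keys` is just padlocks, and a captured `sig` is bound to one nonce and one origin. And `issueChallenge` answers identically for enrolled and unknown users, so the challenge step cannot be used to confirm which account names exist.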

Types of passwordless authentication

Passwordless authentication offers various secure alternatives to traditional passwords:

  • Biometrics: Leveraging unique physical traits like fingerprints or behavioral patterns like typing style for identification. While AI advancements have made some physical biometrics vulnerable, behavioral ones remain challenging to replicate.
  • Possession factors: Relying on something the user possesses, such as:
    • a smartphone generating authentication codes (e.g., Microsoft Authenticator)
    • one-time passwords (OTPs) sent via SMS
    • a dedicated hardware token
  • Magic links: This is a simple process where users enter their email address to receive a unique login link. This way, users don’t need to remember complex passwords.

Benefits of passwordless authentication

Passwordless authentication enhances security for you and your users, offers significant cost savings, and can potentially increase sales.

Strengthened security

  • Reduced data breach risk: Over 84% of data breaches are caused by compromised credentials, and eliminating passwords drastically reduces that risk. It also removes the threat of credential stuffing, where attackers use stolen credentials to access other accounts.
  • Protection against phishing: Modern passwordless methods, like FIDO-compliant devices, make your organization less susceptible to phishing attacks, which account for 36% of data breaches. With no password to type, users cannot inadvertently hand attackers the credential needed to access their accounts.

Cost reduction and potential sales increase

  • Password reset costs: Eliminating passwords saves an average of 12.6 minutes per week by removing the need for resets. It also removes the need to maintain password databases.
  • Improved user experience: Reducing login friction can be a deciding factor for users choosing your services over competitors.
  • Potential sales boost: Research indicates that eliminating passwords can increase sales. Almost half of the IT professionals surveyed have abandoned transactions due to forgotten passwords.

Passwordless authentication enhances security and streamlines user experience, leading to significant cost savings and potential revenue growth.

Challenges of passwordless authentication

Implementing passwordless authentication presents several challenges that organizations must consider:

Initial cost

While passwordless authentication can lead to long-term cost savings, the upfront investment can be substantial. Integrating this technology into existing directory services often involves complex processes and requires purchasing the necessary hardware and software.

User adoption and training

Employees may resist moving away from familiar username and password logins. Comprehensive training ensures smooth adoption, both for end users learning the new authentication methods and for the IT security staff managing the system.

Security and access concerns

  • Single point of failure: Relying on a single device or method for authentication can create vulnerabilities. For example, losing a phone with push notifications or a hardware token could lock users out of their accounts.
  • Biometric spoofing: While advanced, biometric authentication isn’t foolproof. Attackers can replicate voice commands and spoof some physical biometrics.
  • Lost or stolen authenticators: Hardware tokens, if lost or stolen, could provide unauthorized access to malicious actors.

These challenges highlight the importance of careful planning and consideration before adopting passwordless authentication. Organizations must weigh the potential benefits against these obstacles to determine if this solution aligns with their needs.

MFA vs passwordless authentication

Passwordless authentication eliminates passwords, relying on alternative methods like biometrics or possession factors for user verification. In contrast, multi-factor authentication (MFA) adds an extra layer of security by requiring multiple authentication factors, often combining:

  • something the user knows (e.g., a password)
  • something they have (e.g., an OTP)
  • something they are (e.g., a fingerprint)

For instance, an MFA system might use a fingerprint scan as the initial authentication step, followed by an SMS OTP.

Confusion sometimes arises because passwordless methods are often incorporated into traditional password-based systems as a secondary authentication factor. This integration blurs the lines between passwordless authentication and MFA, leading to their interchangeable use.

However, it’s important to distinguish that passwordless authentication completely removes passwords. On the other hand, MFA enhances security by layering additional factors on top of existing password systems.

How do I implement passwordless authentication?

Implementing passwordless authentication relies on these key steps:

Choose your authentication factor: Decide on your preferred method, whether biometrics (fingerprints, retina scans) or other options like magic links or hardware tokens.

Determine the number of factors: Enhance security by using multiple authentication factors, even in a passwordless system. Relying on a single factor, regardless of its perceived safety, is not advised.

Acquire necessary hardware/software: Depending on your chosen method, you may need to purchase equipment (for biometrics) or software (for magic links, OTPs).

Register users: Begin enrolling individuals in your authentication system. This might involve scanning faces for facial recognition systems, for example.

While implementing passwordless authentication internally is possible, it can be complex and time-consuming. Many organizations outsource this process to third-party Identity and Access Management (IAM) providers (like OneLogin) to accelerate implementation and reduce maintenance burdens.

Is the future passwordless?

Organizations worldwide still use passwords, and password-based logins remain the easiest and cheapest to implement. However, many companies now recognize that passwords are the primary cause of data breaches, resulting in enormous financial losses.

Even though passwordless authentication methods are a significant improvement, they are still imperfect. Biometrics are vulnerable to spoofing, one-time passcodes can be intercepted, and hardware tokens can be lost or stolen. That is why you need a system that goes beyond authentication factors to verify identity.

Adaptive authentication uses machine learning to establish models of typical user behavior. When login attempts deviate from these established patterns, the system flags them as potentially risky and implements additional security measures.
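A minimal form of that adaptive check, as an added Go example that is not from the article or from any IAM product: a per-user baseline is built from past successful logins, a new attempt is scored by how far its device, country and time of day deviate from that baseline, and the score selects allow, step-up (demand another factor) or deny. The attributes, weights, thresholds and the constructed login history are assumptions chosen for the example; this hand-tuned rule-based scoring stands in for the learned model the paragraph describes.

```go
package main

import (
	"fmt"
	"math"
)

// The "model" here is a deliberately simple per-user profile built from past
// successful logins, with hand-picked weights and thresholds. These are
// assumptions for the example, not the article's or any product's method;
// a production system would learn the baseline statistically.

type login struct {
	Device  string
	Country string
	Hour    int // 0-23, local time of the attempt
}

type profile struct {
	devices   map[string]int
	countries map[string]int
	hours     [24]int
	total     int
}

// buildProfile counts how often each attribute appeared in successful logins.
func buildProfile(history []login) *profile {
	p := &profile{devices: map[string]int{}, countries: map[string]int{}}
	for _, l := range history {
		p.devices[l.Device]++
		p.countries[l.Country]++
		p.hours[l.Hour%24]++
		p.total++
	}
	return p
}

type decision string

const (
	allow  decision = "allow"   // familiar context: the passwordless factor alone suffices
	stepUp decision = "step-up" // unusual context: demand an additional factor
	deny   decision = "deny"    // wholly unfamiliar: block and alert
)

// score returns a risk value in [0, 1]. Each attribute contributes its weight
// scaled by how rarely that value has been seen for this user before.
func (p *profile) score(l login) float64 {
	if p.total == 0 {
		return 1 // no baseline yet: treat as high risk
	}
	n := float64(p.total)
	risk := 0.4 * (1 - float64(p.devices[l.Device])/n)
	risk += 0.4 * (1 - float64(p.countries[l.Country])/n)
	// Time of day is fuzzy: count logins within one hour either side.
	near := p.hours[(l.Hour+23)%24] + p.hours[l.Hour%24] + p.hours[(l.Hour+1)%24]
	risk += 0.2 * (1 - float64(near)/n)
	return math.Min(risk, 1)
}

// decide maps the score to the extra security measure to apply.
func (p *profile) decide(l login) decision {
	switch r := p.score(l); {
	case r < 0.3:
		return allow
	case r < 0.8:
		return stepUp
	default:
		return deny
	}
}

func main() {
	// Constructed history: ten successful logins from one laptop in Germany
	// during the morning.
	var history []login
	for i := 0; i < 10; i++ {
		history = append(history, login{"laptop-1", "DE", 9})
	}
	p := buildProfile(history)
	for _, attempt := range []login{
		{"laptop-1", "DE", 10}, // same device and country, an hour later
		{"laptop-1", "BR", 10}, // known device, unexpected country
		{"phone-9", "BR", 3},   // nothing matches the baseline
	} {
		fmt.Printf("%+v -> risk %.2f -> %s\n", attempt, p.score(attempt), p.decide(attempt))
	}
}
```

The middle tier is the point of the technique: a known device from an unexpected country is not refused outright, it is asked for a second factor, which is the "additional security measure" the paragraph refers to. A user with no history scores as high risk until a baseline exists.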

Jun 6th, 2024