User Authentication

What Is Passwordless Authentication?

Are we heading towards a passwordless future, and what would that look like?

Article thumbnail image

For millennia, humans have been relying on passwords to secure access and prove their identity. While the first digital password was implemented 60 years ago by Fernando Corbató, verbal passwords were used as far back as in Ancient Rome and Medieval guilds. They even crop up in Shakespeare plays—you might notice the line “Give the word” in act four of King Lear, to which the answer is “sweet marjoram”.

Today, passwords are far more complicated than “sweet marjoram”. A truly secure password needs to be at least 12 characters in length, as well as contain a mix of uppercase and lowercase letters, numbers, and special symbols. And it seems only a matter of time until ancient Egyptian hieroglyphics are thrown into the mix.

It isn’t surprising that, on average, 80% of people reuse the same password across multiple accounts—with 10% using one of the 25 weakest passwords, like “123456”. Creating secure passwords has become so complex that asking employees to memorize dozens of unique, 12-character sequences has become impossible.

So, how can we combat this issue? Is the answer to address the problem at its root and simply do away with passwords altogether? And if so, can we imagine a world without passwords when we’ve been relying on them for thousands of years?

For some organizations, a passwordless future is laughable—for others, it’s already here. Depending on the needs of your business, passwordless authentication might not only be completely viable but a massive time-saving and security-strengthening benefit.

But what is passwordless authentication? And how can you go about achieving it?

What Is Passwordless Authentication?

Passwordless authentication enables users to verify their identity and gain access to systems, applications, and accounts without using passwords. And, while it might sound like achieving this is more complicated than simply using passwords, passwordless authentication actually decreases complexity, while increasing security.

Passwordless authentication isn’t associated with any particular type of technology—rather, there are numerous methods and approaches that enable passwordless access to be achieved. In this article, we’re going to cover three key approaches to implementing passwordless authentication—multi-factor authentication (MFA), single sign-on (SSO), and “true” passwordless.

MFA and SSO are what we consider semi-passwordless. While they might help enable users to log in password-free, their accounts are actually still password-protected—users just aren’t physically entering their passwords on login.

A “true” passwordless authentication solution, however, eliminates passwords from the equation entirely. This means that users create their accounts without using a password—they might instead use a biometric scan or security token. And since there’s no password in the first place, users can then continue to log in password-free using whichever method they used to sign up with.

The Three Approaches To Passwordless Authentication

Factors that can be used to verify user identity come under three key categories:

  • Things users know. These are knowledge-based, and include passwords, answers to security questions, and PIN numbers.
  • Things users have. These are possession-based, and include tokens, authentication apps, and card readers.
  • Things users are. These are inherence-based, and can be collected using biometric technologies such as fingerprint scanners, voice recognition, iris scanners, and behavioral traits.

Passwords are, of course, things that users know. Implementing factors to measure things people have or are can technically be considered passwordless.

Implementing these not only adds a layer of security, in that they stop criminals from being able to hack into an account just by getting ahold of a password, but can also provide greater assurance that the user attempting to gain access is who they say they are.

So, let’s delve into the three key ways that you can implement passwordless authentication for your users.

Multi-Factor Authentication (MFA)

MFA is a security system that requires users to verify their identities using two or more factors before granting them access to their accounts. This is usually via a combination of things users know, have, and are, to create a well-rounded and secure system.

For example, users might be required to enter a password followed by a push notification or fingerprint scan. By adding a factor that isn’t password-based, organizations can ensure that even if a hacker were to discover an employee’s password, they couldn’t pass the second factor of authentication.

Some MFA vendors have implemented solutions that don’t require passwords at all. Instead, users can combine an SMS message with a fingerprint scan, for example, achieving a form of passwordless authentication while still utilizing the underlying password architecture.

But because a password still exists and can be used to gain access to accounts, this type of solution can broadly be considered a form of password-free authentication but not quite true passwordless.

Single Sign-On (SSO)

SSO comes under the umbrella of Federated Identity Management, which is a set of standards to help applications and organizations share user identities. While SSO, like MFA, isn’t what we would call “true” passwordless authentication, it’s commonly seen as the next step on the journey to achieving it.

SSO can provide a semi-passwordless experience by enabling users to log into their SSO accounts—either using their credentials, a biometric scan, or something else—to automatically and seamlessly gain access to all associated accounts and applications. This means no more remembering or entering complex passwords for every account, and they can log on password-free.

How this works is that SSO uses protocols such as Security Assertion Markup Language (SAML) to exchange data on authorization and authentication in XML format. This means users don’t need to enter a password for the application they’re attempting to access because the service provider can instead check with the identity provider, according to OneLogin. For more detail, check out our article: How Does Single Sign-On Work?

But as with all things, SSO has its risks. Protecting all accounts with one singular password introduces the risk that if a hacker were to discover the password, they could gain access to every account connected. It’s for this reason that SSO solutions should support policy-based access to set up authentication and conditional access.

As well as this, most vendors add MFA to their SSO solution as an extra layer of security, meaning it’s never just one password that grants access to the suite of accounts and applications.

“True” Passwordless Authentication

“True” passwordless authentication eliminates the need for passwords altogether.

While solutions like SSO and password managers still require passwords to be stored in the system—even if users log on without entering them—the passwords themselves still exist. A “true” passwordless solution, on the other hand, should eliminate passwords from the process from the very beginning. Account creation and log-in should rely on passwordless methods of proving identity—a password shouldn’t exist at any point, or even come into the equation.

To be truly passwordless, a solution should authenticate users using authenticator apps, security keys/cards, or similar types of technology. In this sense, things users have play a key role in passwordless authentication, as well as something users are, which can be proven using biometric technologies.

So that passwords can be eliminated, passwordless solutions need to be both scalable and based on specific standards. Solutions implementing “true” passwordless authentication commonly rely on the FIDO2 standard.

FIDO2 Security Keys

FIDO2 is an umbrella term for the set of specifications laid out by FIDO Alliance, and enables users to easily use their devices to authenticate their identities in both mobile and desktop environments. The two key components of this standard include World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) and FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).

FIDO2 enables users to log in using FIDO security keys or biometric technologies that are built into their devices—such as fingerprint scanners and facial recognition—instead of entering a password.

“True” passwordless authentication often uses FIDO2’s public key cryptography. This consists of a cryptographic pair of keys that work together to authenticate a user—these include a public FIDO2 key and a private key. The private key essentially functions as a password, or the key to the lock, while the public key is the lock itself.

When a user registers with an online service or website, this generates a new key pair on the specific device that they’re using. The public key is registered in the web service’s key database while the private key is stored on the user’s particular device that they registered with. The private key is only visible on that device—in fact, it’s stored within the most secure parts and never leaves the device during the authentication process.

Once the keys are registered, the user can then use their private key to log in to the service or webpage they’ve registered with. To generate a private key, the user needs to prove their identity by performing an action—actions include entering their FIDO2 token, pressing a button, or using a biometric scan. Passwords are completely eliminated from the process.

The benefits of using public key cryptography are that users can’t be tricked into giving away their credentials in a social engineering attack or have them stolen in a password attack, because they don’t know the credentials themselves. As well as this, it can help speed up the authentication process from having to type in a password to a simple gesture.

Challenges and Recommendations

So, is passwordless authentication right for your organization?

If your organization is looking to implement more secure methods of authentication and reduce the risks tied to passwords, then passwordless authentication is a great option. But you should consider that there are an array of considerations and challenges to be aware of before starting your transformation to passwordless.

Challenges

Full-scale passwordless authentication will likely take your organization multiple years to achieve and, is best implemented as part of a phased approach as opposed to a big bang implementation.

Eliminating passwords from your organization’s security culture can also be extremely complex and, at times, impossible, due to legacy systems relying on passwords.

As well as this, users can be reluctant to move away from the use of passwords, as these are what some might feel most secure in using. In fact, 74% of security professionals believe their end-users would prefer to use passwords as these are what they’re familiar with.

Because of this, the coexistence of passwords with passwordless authentication is something that you should factor into any migration plans. Password management will still be a vital component of your security solution for years to come—during your transition to passwordless and likely beyond.

Some further challenges that come with implementing passwordless authentication include:

  • Budgetary restraints and the need for a high initial financial investment
  • Time required to implement
  • Complexity of migration and implementation
  • Gaps in employee skills and/or knowledge

To address some of these challenges, we recommend taking a phased approach and trialing the solution in your environment before implementing it. As well as this, you should assign technical experts to your migration to support throughout and help address potential issues.

Recommendations

Password authentication is not a “one size fits all” solution, and the modes of authentication that are best suited to your organization will depend on specific use cases.

No solution is 100% secure, but implementing passwordless authentication is one of the best ways for you to protect your organization against password-related attacks and improve user experience.

We recommend that before implementing, you evaluate your specific use cases to determine the passwordless approach that would work best for your users and areas of business.

Many vendors allow implementing multiple methods of authentication at once, each suited to different use cases, so you can tailor your solution to suit your business needs.

A passwordless authentication solution would benefit organizations of all sizes—but due to the high cost as well as level of complexity and support required to implement, it’s best suited for enterprise organizations. While also well suited across all industries, organizations handling confidential and secure data—such as those in healthcare, finance, and business and professional services—will likely benefit most from passwordless solutions.

To find out more about finding the right passwordless solution for your organization, take a look at our guide on The Top 10 Passwordless Authentication Solutions.

But, we acknowledge that achieving “true” passwordless authentication can feel like a huge leap for organizations currently relying on password-centric modes of authentication. So, by implementing MFA or SSO, you can place yourself in a better position to transition to full passwordless authentication further down the line.

The road to passwordless is paved with SSO. We recommend starting your transformation to passwordless authentication by implementing password-free methods of authentication—if you haven’t already. Once you have these in place, the transition to “real” passwordless authentication will be far easier.

Take a look at our guide, The Top SSO Providers For Business, to find out more.