For millennia, humans have been relying on passwords to secure access and prove their identity. While the first digital password was implemented 60 years ago by Fernando Corbató, verbal passwords were used as far back as in Ancient Rome and Medieval guilds. They even crop up in Shakespeare plays—you might notice the line “Give the word” in act four of King Lear, to which the answer is “sweet marjoram”.
Today, passwords are far more complicated than “sweet marjoram”. A truly secure password needs to be at least 12 characters long and contain a mix of uppercase and lowercase letters, numbers, and special symbols. And it seems only a matter of time until ancient Egyptian hieroglyphics are thrown into the mix!
It isn’t surprising that, on average, 80% of people reuse the same password across multiple accounts, with 10% using one of the 25 weakest passwords, like “123456”. Creating secure passwords has become so complex that asking employees to memorize dozens of unique, 12-character sequences has become impossible.
So, how can we combat this issue? Is the answer to address the problem at its root and simply do away with passwords altogether? And if so, can we imagine a world without passwords when we’ve been relying on them for thousands of years?
For some organizations, a passwordless future is laughable—for others, it’s already here. Depending on the needs of your business, passwordless authentication might not only be completely viable but a massive time-saving and security-strengthening benefit.
But what is passwordless authentication? And how can you go about achieving it?
What Is Passwordless Authentication?
Passwordless authentication is exactly what it sounds like. It enables users to verify their identity and gain access to systems, applications, and accounts without using passwords. You may assume achieving this is more complicated than simply using passwords, but in fact, passwordless authentication decreases complexity, while increasing security.
Passwordless authentication isn’t associated with a particular type of technology—rather, there are numerous methods and approaches that enable passwordless access to be achieved.
Some solutions might be considered semi-passwordless, and enable certain types of passwordless authentication to be used in conjunction with passwords as part of a multi-factor authentication (MFA) solution. Another way to achieve semi-passwordless authentication is by implementing single sign-on (SSO), which enables users to access all accounts with just one set of credentials, reducing the need to create and remember multiple passwords. A “true” passwordless authentication solution, however, completely eliminates passwords from the equation, enabling users to create and log in to their accounts without a single password, and instead, replaces them with alternative methods of authentication.
But before we delve into how the different types of passwordless authentication work, we first need to cover the types of authentication that can be used to verify users’ identities.
The three main factors of authentication are:
- Things users know. These are knowledge-based, and include passwords, answers to security questions, and PINs.
- Things users have. These are possession-based, and include tokens, authentication apps, and card readers.
- Things users are. These are inherence-based, and can be collected using biometric technologies such as fingerprint scanners, voice recognition, iris scanners, and behavioral traits.
Passwords are, of course, things that users know. Implementing factors to measure things people have or are can technically be considered passwordless. Implementing these not only adds a layer of security, in that they stop criminals from being able to hack into an account just by getting ahold of a password, but can also provide greater assurance that the user attempting to gain access is who they say they are.
Let’s delve into this in a little more detail.
Multi-Factor Authentication (MFA)
Many organizations leverage types of passwordless authentication alongside passwords as part of their MFA solution. To do this, organizations can require users to enter something they know—a password—and then require proof of identity using something they have or are. An example of this might be entering a password followed by a push notification to an authentication app, or entering a password followed by a fingerprint scan. By adding an extra layer of security that isn’t password-based, organizations can ensure that even if a hacker were to discover an employee’s password, they couldn’t pass the second factor of authentication, whereas if the password alone were protecting that account, they’d be in.
As well as this, some MFA vendors have implemented solutions that, by default, don’t require passwords. Instead, users can combine an SMS message with a fingerprint scan, for example, achieving a form of passwordless authentication while still utilizing the underlying password architecture. But because a password still exists and can be used to gain access to accounts, this type of solution can broadly be considered a form of password-free authentication but not quite true passwordless.
Unless using an MFA solution that doesn’t require passwords, this type of solution also doesn’t reduce the number of passwords that users need to remember in their day-to-day lives. So, in this sense, it can often be more of a benefit for the organization’s overall security than it is for the users themselves.
A solution that does benefit users by reducing the number of passwords that need to be remembered and managed is Single Sign-On, which brings us on nicely to our next segment.
Single Sign-On (SSO)
SSO comes under the umbrella of Federated Identity Management, which is a set of standards to help applications and organizations share user identities. While SSO, like MFA, isn’t what we would call “true” passwordless authentication, it’s commonly seen as the next step on the journey to achieving it.
SSO can provide a semi-passwordless experience by reducing the number of times a user must log in to just once. This means that a user only needs to log in to the SSO account—either using credentials, biometric scan, or something else—to seamlessly gain access to all associated accounts and applications. This means no more remembering dozens of complex passwords. Instead, there’s “one password to rule them all”, you could say.
Using SSO, users are automatically logged into all of their connected accounts once they have logged in to the SSO platform. Any accounts that aren’t configured and connected to the platform are not included—this is where SSO differs from password managers. SSO widely uses protocols such as Security Assertion Markup Language (SAML) to exchange data on authorization and authentication in XML format. This means users don’t need to enter a password for the application they’re attempting to access, because the service provider can check with the identity provider, according to OneLogin.
Implementing SSO introduces numerous benefits not only for the user, but security teams too. SSO improves the user experience by negating the need to remember dozens of passwords, as well as entering these credentials time after time—meaning users can spend less time creating and remembering complex passwords and logging in, and more time being productive. For security teams, SSO offers greater account controls and more granular security visibility.
But as with all things, SSO has its risks. As you might have guessed, protecting all accounts with one singular password introduces the risk that if a hacker were to discover the password, they could gain access to every account connected. It’s for this reason that the SSO solution should support policy-based access to set up authentication and conditional access. As well as this, most vendors add MFA to their SSO solution, meaning it’s never just one password that grants access to the suite of accounts and applications.
So, while achieving “true” passwordless authentication can be a huge leap for organizations currently relying on password-centric modes of authentication, by implementing MFA and SSO, organizations are in a better position to transition to full passwordless authentication further down the line.
So now that we’ve covered MFA and SSO, what exactly is “true” passwordless authentication?
“True” Passwordless Authentication
“True” passwordless authentication eliminates the need for passwords altogether. Solutions like SSO and password managers still require passwords to be stored in the system, so even if users log on without entering them, the passwords themselves still exist. A “true” passwordless solution, on the other hand, should eliminate passwords from the process from the very beginning. Account creation and log-in should rely on passwordless methods of proving identity—a password shouldn’t exist at any point, or even come into the equation.
To be truly passwordless, a solution should authenticate users using authenticator apps, security keys/cards, or similar types of technology. In this sense, things users have play a key role in passwordless authentication. Many solutions complement this by requiring something users are, by using biometric technologies.
So that passwords can be eliminated, passwordless solutions need to be both scalable and based on specific standards. Solutions implementing “true” passwordless authentication commonly rely on the FIDO2 standard. Let’s explore this further.
FIDO2 Security Keys
FIDO2 is an umbrella term for the set of specifications laid out by FIDO Alliance, and enables users to easily use their devices to authenticate their identities in both mobile and desktop environments. The two key components of this standard include World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) and FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).
FIDO2 enables users to log in using FIDO security keys or biometric technologies that are built into their devices—such as fingerprint scanners and facial recognition—instead of entering a password.
“True” passwordless authentication often uses FIDO2’s public key cryptography. This consists of a cryptographic pair of keys that work together to authenticate a user—these include a public FIDO2 key and a private key. The private key essentially functions as a password, or the key to the lock, while the public key is the lock itself.
When a user registers with an online service or website, this generates a new key pair on the specific device that they’re using. The public key is registered in the web service’s key database while the private key is stored on the user’s particular device that they registered with. The private key is only visible on that device—in fact, it’s stored within the most secure parts and never leaves the device during the authentication process.
Once the keys are registered, the user can then use their private key to log in to the service or webpage they’ve registered with. To use the private key, the user needs to prove their identity by performing an action—actions include inserting their FIDO2 token, pressing a button, or completing a biometric scan. Passwords are completely eliminated from the process.
The benefits of using public key cryptography are that users can’t be tricked into giving away their credentials in a social engineering attack or have them stolen in a password attack, because they don’t know the credentials themselves. As well as this, it can speed up the authentication process, replacing typing a password with a simple gesture.
Challenges and Recommendations
So, is passwordless authentication right for your organization?
If your organization is looking to implement more secure methods of authentication and reduce the risks tied to passwords, then passwordless authentication is a great option. But bear in mind there are an array of considerations and challenges you should be aware of before starting your transformation to passwordless.
Full-scale passwordless authentication will likely take your organization multiple years to achieve, and is best implemented as part of a phased approach as opposed to a big bang implementation.
Eliminating passwords from your organization’s security culture can be extremely complex and, at times, impossible, due to legacy systems relying on passwords. As well as this, users can be reluctant to move away from the use of passwords, as passwords are what some feel most comfortable using. In fact, 74% of security professionals believe their end-users would prefer to use passwords as these are what they’re familiar with, according to a survey by LastPass.
Because of this, the coexistence of passwords with passwordless authentication is something that you should factor into any migration plans. Password management will still be a vital component of your security solution for years to come—during your transition to passwordless and likely beyond.
Some further challenges that come with implementing passwordless authentication include:
- Budgetary restraints and the need for a high initial financial investment
- Time required to implement
- Complexity of migration and implementation
- Gaps in employee skills and/or knowledge
To address some of these challenges, we recommend taking a phased approach and trialing the solution in your environment before implementing it. As well as this, you should assign technical experts to your migration to support throughout and help address potential issues.
Passwordless authentication is not a “one size fits all” solution, and the modes of authentication that are best suited to your organization will depend on specific use cases. We recommend that, before implementing, you evaluate your specific use cases, so you can decide which passwordless modes of authentication would work best for your users and areas of business. Many vendors allow implementing multiple methods of authentication at once, each suited to different use cases, so you can tailor your solution to suit your business needs.
A passwordless authentication solution would benefit organizations of all sizes—but due to the high cost as well as the level of complexity and support required to implement, it’s best suited for enterprise organizations. While passwordless solutions suit all industries, organizations handling confidential and secure data—such as those in healthcare, finance, and business and professional services—will likely benefit most.
The road to passwordless is paved with SSO. We recommend starting your transformation to passwordless authentication by implementing password-free methods of authentication—if you haven’t already. Once you have these in place, the transition to “real” passwordless authentication will be far easier. Take a look at our guide on the top SSO providers for business to find out more.
Remember, no solution is 100% secure, but implementing passwordless authentication is one of the best ways for you to protect your organization against password-related attacks and improve user experience.