Passwordless Authentication is a type of Multi-Factor Authentication (MFA) that enables users to verify their identities and access accounts, applications, and networks, password-free. There is no particular technology tied to passwordless authentication—rather, it’s an outcome that can be achieved through various methods and solutions.
Many organizations begin their journey to full passwordless access by implementing Single Sign-On (SSO) to enable users to sign in to all connected accounts via one centralized portal, thereby reducing the number of passwords that users need to use and remember. This, of course, doesn’t eliminate the password itself, but it does reduce the stress on users to create and remember complicated secure passwords; this is what we at Expert Insights call “semi” passwordless. Implementing MFA is another “semi” passwordless way that organizations can reduce stress on users and increase security. While the password still exists, MFA enables users to log in using alternative methods to passwords, for example possession-based factors, such as security keys, or inherence-based factors, such as the built-in biometric scanners on their devices.
“True” passwordless authentication, on the other hand, eliminates the password entirely. For a solution to be “true” passwordless, the user’s account must have been created without a password, so that a password never existed at any point. This type of authentication relies heavily on open standards such as FIDO2 and on public key cryptography. To achieve this, when a user creates an account with a service, a new cryptographic key pair is generated on the device they’re using: a private key, which is stored on that device, and a public key, which is stored in the provider’s database. From that point onwards, to gain access to their account the user needs to unlock their private key and sign in using it. Often, private keys can be unlocked using the device’s built-in biometric scanners.
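The key-pair flow described above, as an added example in Node.js (not Expert Insights' code or any vendor's implementation). It goes one step beyond the text by showing the server-issued random challenge that FIDO2 uses so a captured signature cannot be replayed; the `Provider` and `Device` classes, the user name `alice` and the `userVerified` flag are hypothetical.

```javascript
// Simplified model (added example): not the WebAuthn wire format; no attestation, origin or counter checks.
const crypto = require('crypto');

// Provider side: stores only public keys, never a password or private key.
class Provider {
  constructor() {
    this.publicKeys = new Map(); // username -> public key (PEM)
    this.pending = new Map();    // username -> outstanding challenge
  }
  register(username, publicKeyPem) { this.publicKeys.set(username, publicKeyPem); }
  // A fresh random challenge per attempt stops replay of a captured signature.
  issueChallenge(username) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(username, challenge);
    return challenge;
  }
  verifySignIn(username, signature) {
    const challenge = this.pending.get(username);
    const publicKeyPem = this.publicKeys.get(username);
    this.pending.delete(username); // challenges are single-use
    if (!challenge || !publicKeyPem) return false;
    return crypto.verify('sha256', challenge, publicKeyPem, signature);
  }
}

// Device side: the NIST P-256 private key is generated here and never leaves the device.
class Device {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.privateKey = privateKey;
    this.publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
  }
  // userVerified stands in for the biometric or PIN unlock of the private key.
  sign(challenge, userVerified) {
    if (!userVerified) throw new Error('private key is locked');
    return crypto.sign('sha256', challenge, this.privateKey);
  }
}

function demo() { // constructed user "alice"
  const provider = new Provider(), device = new Device();
  provider.register('alice', device.publicKeyPem);
  const sig = device.sign(provider.issueChallenge('alice'), true);
  const ok = provider.verifySignIn('alice', sig);
  provider.issueChallenge('alice'); // new attempt; the old signature is resent
  const replay = provider.verifySignIn('alice', sig);
  const other = new Device().sign(provider.issueChallenge('alice'), true);
  return { ok, replay, wrongDevice: provider.verifySignIn('alice', other) };
}
```

`demo()` returns one accepted sign-in and two rejections: a replayed signature and a signature from a device whose public key was never registered.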
Implementing passwordless authentication brings numerous benefits not only for users, but for security teams too. For users, passwordless authentication provides a better user experience by reducing or eliminating the need to create and remember complex secure passwords and by speeding up the log-in process. For admins, passwordless authentication decreases the time and complexity involved in managing passwords, while increasing security, reducing the risk of password-related breaches and attacks, providing complete visibility over identity and access, and reducing total cost of ownership.