What Is Passwordless Authentication? (How It Works and More)
- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
In this article, we dive into passwordless authentication and some of the implications of using this verification method. You’ll learn about examples of passwordless authentication solutions, whether they're secure, and how it's different from multi-factor authentication (MFA). After reading this article, you’ll have a full understanding on how passwordless authentication works and how it can address today’s cybersecurity and access management challenges.
What is Passwordless Authentication?
Passwordless authentication is a verification method in which a user gains access to a network, application, or system without a knowledge-based factor such as a password, security question, or PIN. Rather than using a set of information for authentication, the user would provide something they possess, such as biometric evidence or a piece of hardware.
Passwordless authentication provides organizations and IT management teams with an alternative solution for identity verification because of the security and user-friendliness of its process. It’s generally used with other authentication processes such as MFA or single sign-on (SSO) and is becoming an increasingly popular substitute to the traditional username and password methods.
History of Passwordless Authentication
The idea of a “passwordless world'' was teased numerous times in the last two decades before becoming the relatively standard paradigm it is today. Technology leaders like Bill Gates and top-ranking members of market-leading firms such as Google, IBM, and Gartner have acknowledged the idea that passwords create system vulnerabilities and come with user-experience issues.
Going as far back as the 1980s, we saw the first true passwordless security solution in the form of a fob, which held built-in authentication components to access computer systems. Since then, tons of progress has been made in the advancement of passwordless technology and how it's been incorporated into other types of solutions and organizational cybersecurity programs.
Passwordless Technology Progression
Going into the 1990s, we saw engineering feats that expanded the original physical fob from storing a one-time password to new capabilities, including time-based and hash-based protocols. Later that same decade, as SSO was being popularized, the physical fob and hardware tokens remained as common passwordless verification options, which evolved later into smart card technology by the 2000s.
Once AT&T patented the first MFA tool, companies got into an “arms race” for passwordless technology. Advocating for the technology, Microsoft helped design the tamper-resistant biometric ID card in 2004. Then, 2005 saw an increase in biometric and token-based authentication innovations as a result of the Federal Financial Institutions Examination Council’s (FFIEC) new security guidelines that required new multiple-factor authentication measures, including a few passwordless methods.
Fast forward to 2013, when Google became entirely passwordless and made MFA procedures the new standard. That same year, Apple brought to market biometric technology like Touch ID, which later evolved into Face ID. In 2020, Apple announced they would incorporate their biometric verification functions for use in the WebAuthn authenticator.
Benefits of Passwordless Authentication
There is a clear and apparent reason why 92% of businesses believe going passwordless is the future of system-access security — the benefits outweigh the costs. While passwords, in theory, seem like a constructive layer for securing organizational data and applications, they actually lead to additional access points to be exploited by cybercriminals.
For instance, common attacks such as phishing, credential stuffing, brute force algorithms, and keylogging only work on the premise that the threat actor can first acquire the login credentials like a password or other piece of information — then use that to access a valuable technology asset or data system. By going passwordless, you eliminate that whole component of the equation and strengthen your security posture.
Much of the vulnerability of passwords are tied to the tedious process employees need to undergo for secure password management. To be effective, they must follow certain best practices for designing, storing, updating, and sharing their infinite number of account passwords. All of these strict parameters lead to password fatigue and a higher susceptibility to negligent password management. This type of solution eliminates this problem and improves the overall user experience — especially when paired with a passwordless SSO.
Cost-Friendliness of Passwordless
When evaluating for the long term, passwordless authentication is better in terms of both direct financial and indirect operational costs. Because no password management is required, an organization can save money by not investing in password management software tools or frequent security training on how to best design and store a password.
Furthermore, IT management resources are freed up for other initiatives because they are no longer burdened with enforcing company-wide password policies, monitoring anomalous password shares, or resetting forgotten and misplaced login credentials. When it's all said and done, it's estimated that organizations can save roughly $1.9 million by going passwordless.
Challenges of Passwordless Authentication
Just like any type of cybersecurity solution, there are drawbacks to implementing passwordless authentication, which make it not well-suited for certain businesses. For instance, while the long-term costs for any company looking to make this change are very appealing, the initial costs of implementation are burdensome. Incorporating this solution into your directory service is long, complicated, and comes with major expenses for purchasing the essential hardware and software required.
There are also challenges with fully adopting the technology — particularly when referring to the end user. For years, employees have become comfortable with the idea of usernames and passwords for logging into their applications, which would suddenly come to an end with this type of solution. There would also need to be plenty of training for the employees who will use the authentication methods as well as the IT security staff who will administer it.
From a security standpoint, there are a few limitations, such as the idea of a single point of failure. For example, if an employee was using a push notification to their phone or a hardware token to verify their identity and either lost their phone or token, they wouldn’t be able to gain access. Plus, issues arise if a biometric factor such as a voice command was replicated using a recording of the user or if a hardware authenticator is lost or stolen.
How Does Passwordless Authentication Work?
Passwordless authentication works by using something the user “has” or something the user “is” to verify their identity and give them system access to a website, application, or network. This would be in contrast to a traditional password login, which would be something the user “knows.”
Typically, a passwordless login starts with the user going onto a device, entering a session, or opening an application and entering some type of identifiable information like their name, phone number, email address, or designated username. From there, they need to verify their identity by inserting something they “have” such as a hardware token, smart card, fob, or clicking a link sent to a mobile device. If the identifiable information or registered device matches a given factor’s information in the authenticating database, they are given access permission.
Alternatively, they could use something the user “is,” which would be the equivalent of a biometric factor. So, when they try to enter a device or account on an application, they could be prompted to insert identifiable information in addition to voice recognition or a fingerprint, eye, or facial scan.
Passwordless Authentication and Public-Key Cryptography
Passwordless authentication uses public-key cryptography to securely store and manage the authentication factors required. When the user registers an account or device, they are assigned a public-private key combination. The public key of the system they wish to log in to can only be accessed using the private key that’s associated with that user’s device. In this case, the private key is linked to the passwordless authentication method (biometric or hardware factor).
Passwordless Authentication Methods
Organizations need to carefully assess passwordless authentication tools to find the one that works best with their overall identity security posture. Some of the most popular passwordless authentication methods available include:
1. Native options
Some applications or systems that many companies already use—like Google or Microsoft—offer embedded passwordless authentication tools. For example, Google Chrome now allows users to log in to applications or websites via a USB security key or an on-screen QR code that links with a user’s mobile device. Organizations may combine such tools into their overall MFA process.
Biometric logins can include fingerprint, voice or facial recognition, or retina scanning. In these methods, advanced scanners or sensors capture the biometric and compare it to data saved in the database to grant or deny access. In some cases, the user’s smartphone may serve as a biometric authentication device.
3. Hardware token
A hardware token is a small electronic device, such as a fob or USB device. A USB device works through a physical connection to the computer, while some hard tokens, such as fobs, do not. A fob generates a new passcode each time a user pushes a button, which the user enters into an on-screen prompt to gain access.
4. Software token
A software token is a digital token sent to a requester’s smartphone, computer, or tablet. It typically consists of a one-time password, usually a 6-8 digit code, which the user must enter, often along with a second authentication factor, to gain access. Authenticator apps typically rely on a shared secret key and support OATH event-based (HOTP) and time-based (TOTP) algorithms.
5. Magic link
A “magic link” allows a user to log in to an account with a one-time URL sent via email or SMS. Once opened, an authentication application in the background matches the device to a token in a database.
6. Smart card
Smart card authentication relies on a physical card, card reader, and enabling software to grant users access to workstations or applications. Smart cards often rely on a data-containing chip and RFID wireless connectivity to grant access privileges.
7. Third-party identity provider
Anyone who’s signed into an application with Google or Facebook has used a third-party IdP. The quick, simple process looks like this: The user enters credentials from a third-party login; the IdP verifies the user and their privileges with their company’s IT; and finally, the user gains access to the application or resource.
8. Persistent cookie
A persistent cookie is a file stored on a particular device. It can remember the device user’s sign-on credentials and determine whether they are logged in, using that info to grant access to applications. A persistent cookie can remain on a computer permanently or until a predetermined expiration date.
Examples of Passwordless Authentication
Passwordless authentication examples can be divided into two main categories of ownership factors: possession and biometrics. Examples of possession-based authentication factors include a mobile device, smart card, hardware token, USB device, fob, badge, or software token. Additionally, while some might consider what’s known as a “magic link” as a third ownership category, it could also fall under “possession” as it's a link sent to a device via email in which, once opened, the application will match the device to a token in the database for authentication.
Examples of biometric authentication would be anything involving the unique physical characteristics of a person, such as eye or fingerprint scanning, as well as voice and facial recognition. For instance, with newer iPhones, whenever someone wishes to log into their device, they could use thumbprint scanning or facial recognition to verify themselves and gain access.
Is Passwordless Authentication Safe?
The short answer regarding the physical safety of passwordless authentication is yes, it is safe. There is a very low possibility that even an invasive process like using a biometric scanning device will actually harm its users. In terms of security, this authentication method is only as strong as the infrastructure and program built around the solution.
In other words, it will keep your company secure from the intended threats and vulnerabilities it's designed to mitigate against. The most notable is any type of attack that involves or is sourced from the password itself. By not using passwords to authenticate users, attacks such as credential-harvesting phishing scams and brute force attacks will be made obsolete and force cybercriminals to employ different tactics.
Passwordless or Password-Based Authentication: Which One is More Secure?
Deciding between passwordless or password-based authentication really comes down to organizational preferences, their current security program, resources available, and any compliance requirements they might fall under. Regardless, to keep a layered security approach, neither of these options should be used on their own. Both work best when paired with at least one other factor — otherwise known as multi-factor authentication.
While many experts today argue that passwordless is more secure, it really just depends on the organization’s infrastructure and security culture. A passwordless system both alleviates and creates security issues. To give an example, if you decided to transition to passwordless by only using smart cards for network access, you are managing your expectations on the assumption that those smart cards won’t end up in the wrong hands.
Passwordless Authentication vs. MFA
Many people confuse passwordless authentication with MFA (multi-factor authentication) when in fact, they’re completely different but related concepts. MFA is a verification process that requires at least two factors of authentication. This can be any combination of knowledge-based (like a password), possession-based (like a token), or biometric (such as a retinal scan).
This is not to be confused with two-step verification (2SV) which would require users to do exactly two of the same factors, such as entering a password and then a PIN (both knowledge-based). Passwordless authentication would occur anytime you verify a user or device using anything but a knowledge-based factor.
Passwordless is a Function of MFA
The way these methods are related is that passwordless often falls within a multi-factor authentication in that it might be used as the additional verification requirement. Let's say that a remote employee, for instance, is trying to log into their organization’s network from their home computer. Due to MFA requirements established by their IT security department, that employee is required first to enter a username and password and then verify their credentials with a separate factor like a thumbprint.
How to Choose a Good Passwordless Authentication Solution?
Even if you know for sure that you want to shift into a passwordless environment, it's often difficult to navigate through the many passwordless authentication companies out there. Ultimately, everything will come down to your unique infrastructure, current security tools, budget, and preferences. For example, if your operation is mostly cloud-based and has personnel working remotely, biometric devices will be more difficult to install and implement than, say, a hardware token or magic email link.
Once you have the type of ownership factor narrowed down, you can browse the security products available and narrow down options that fit your budget. You should also evaluate your current technology stack to see if there are any native options. For instance, Google and Microsoft offer many access management tools that are passwordless and would pair well with systems you might already be using.
Lastly, you should evaluate the various solutions based on the practicality of implementation and the end user experience. If the new authentication solution is going to require an entirely new and expensive redesign of your architecture, it might not be worth pursuing. To go further, if there is going to be a huge learning curve or a tedious verification process for the end users, you should reconsider your product selection.
Best Practices for Implementing Passwordless Authentication
Similar to adopting any type of new technology stack, there are some best practices you should follow to ensure user adoption is high and that the solution serves its purpose. First and foremost, take advantage of trials and beta programs to test out specific passwordless products and see how well certain employees adapt to the change.
You also want to include your users and IT department in the decision-making process by obtaining their feedback and thoughts on the company’s courses of action. After all, these are the personnel that will be using and managing the solution. As the passwordless authentication platforms are rolled out, keep enforcement high with top-down commitment from your executives and procedural changes that constantly require verification for your systems.
Encourage user adoption by providing plenty of resources such as:
- user guides
- training modules
- one-on-one assistance from your security team to get them comfortable using the systems
- incentives such as gift cards or bonuses to incentivize your employees, motivate them to complete training sessions, and fully adopt the new authentication process
What’s the Future of Passwordless Authentication Look Like?
The future of passwordless authentication is best presented by its market revenue projections. By 2025, it is expected to hit $25.2 billion and progressively increase to nearly $53.6 by 2030. With that said, it's likely that the entire cybersecurity industry will adapt to this kind of environment by offering more passwordless product options, designing new security frameworks that incorporate this type of authentication, and improving the current selection of passwordless tools by enhancing their security functions.
We most likely will see new regulatory and security-compliance requirements adapt to a passwordless world — especially in high-risk industries like finance, healthcare, and manufacturing. In short, those within these industries and overseeing them will embrace the passwordless approach to improve the security of individual organizations and their consumers.
Passwordless Authentication in Closing
Passwordless authentication protects many of the common threats we see in today’s cybersecurity landscape by verifying a user or device without a password. Its popularity is on the rise, and it’s expected to be a new norm moving forward as a result of modern-day complexities associated with password sprawl.
Want to learn more? See how you can use passwordless and password-based authentication solutions within your access management platform to protect your business by scheduling a no-BS demo today.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.