Passwordless Authentication

What Does Passwordless Authentication Mean?

Passwordless is an authentication scheme that uses possession factors (something the user has) and inherence factors (something the user is) instead of knowledge factors (something the user knows) to verify someone’s identity. Popular possession factors include smart phones and security tokens. Popular inherence factors include physical and behavioral biometric data from fingerprints and keystroke patterns.

Advertisements

The goal of passwordless authentication is to reduce the cyber risks associated with password use. This is important because the majority of security breaches today involve some type of credential theft. The danger is that once an attacker has stolen someone’s password by using social engineering or brute force strategies, they can move laterally through the target and look for ways to escalate access privileges.

Besides password manager solutions, tier-1 vendors such as Apple, Google, and Microsoft have all announced plans to support FIDO2 passwordless authentication.

Techopedia Explains Passwordless Authentication

Passwords have always been the weakest security link because weak passwords can be easy to guess, and strong passwords can be difficult to recall.

Benefits

A passwordless approach to authentication makes it more difficult — and expensive — for attackers to steal identities, breach networks, and carry out advanced persistent threats (APTs). It significantly reduces the chance of a password-based attack being successful by preventing credentials from being stolen through malware, phishing, or business email compromise (BEC) attacks.

How Passwordless Authentication Works

In the enterprise, passwordless authentication is sometimes deployed in conjunction with single sign-on (SSO) so employees can use the same proximity badges, security tokens, and authentication apps to access all their enterprise applications and services.

Approaches to passwordless authentication include:

Magic Links
Instead of a password, the user is asked to enter their email address or mobile phone number, after which they are sent an email or SMS message that contains a “magic” link. Magic links are time-sensitive URLs that, when clicked on, verify the user’s identity and grant access.

One-time Passcodes
During the authentication process, the user is sent a time-sensitive numerical code to use instead of a password. Sometimes the code will have to be copied and pasted manually, and sometimes the code will be hyperlinked and function like a magic link.

Authenticator Apps
When the end user wants to log into a computing resource registered with an authenticator app, they start by entering their username as usual. This action prompts the user to open the authentication app and receive a one-time passcode or magic link.

Security Tokens
A security token is a small physical device that the user has to connect to their computing device’s USB Type-C port. Once plugged in, the token will generate a one-time passcode for the end user to enter in place of a password.

Passkeys
When the user initially signs into a website or app that supports cryptographic passkeys, their computing device will generate a public and private key. The public key is sent to the website or app’s server, and the private key is stored on the device in a secure area of the operating system. The next time the user logs in, the server will send the device a decryption challenge that requires the private key to solve. Passkeys may or may not be supported by two-factor authentication (2FA).

Adoption Challenges

Although passwordless authentication is generally considered to be a more secure type of authentication mechanism than passwords, there can still be obstacles that are preventing its widespread adoption. They include:

  • Incompatibility with legacy applications
  • Too many implementation options that require additional capital expenditures (CAPEX)
  • Lack of end-user trust
  • Privacy concerns about device tracking
  • Concerns about quantum computing and the future of public key cryptography (PKC).
Advertisements

Related Terms

Latest Cybersecurity Terms

Related Reading

Margaret Rouse
Margaret Rouse

Margaret Rouse is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical, business audience. Over the past twenty years her explanations have appeared on TechTarget websites and she's been cited as an authority in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine and Discovery Magazine.Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages. If you have a suggestion for a new definition or how to improve a technical explanation, please email Margaret or contact her…

Related News

dummy_img
Artificial Intelligence

The Role AI Can Play in Pharmaceutical Discovery

Nicole Willing3 months
dummy_img
Cryptocurrency

Friend.Tech SIM Swap Attacks: Analysis and Protective Measures

Sam Cooling3 months
dummy_img
Trading

Admirals Is Helping UK Traders Trade More For Less With Extended Hours And Tight Spreads

Yash Majithia3 monthsEditor
dummy_img
Cyber Threats

Cybersecurity Awareness Month: Four Safety Steps to Take Today

Neil C. Hughes3 monthsSenior Tech Writer
dummy_img
Business Intelligence (BI)

How the Metaverse Can Transform the Service Industry

Assad Abbas3 monthsAssociate Professor of Computer Science
dummy_img
Artificial Intelligence

How Google DeepMind’s OPRO Transforms LLMs into Problem-Solving Tools

Dr. Tehseen Zia3 monthsTenured Associate Professor

Popular Categories
Show All

Antivirus
Antivirus
Artificial Intelligence
Artificial Intelligence
Audio
Audio
CRM
CRM
Cryptocurrency
Cryptocurrency
Gambling
Gambling
Gaming
Gaming
HR
HR
Laptops
Laptops
Network
Network
Password Managers
Password Managers
Project Management
Project Management
Spy
Spy
Trading
Trading
VoIP
VoIP
VPN
VPN