SUGGESTED SEARCHES
Is Toronto the Next Silicon Valley? Borderless AI CEO Suggests ‘Yes’ Interview
How ChatGPT is Revolutionizing Smart Contract and Blockchain Cryptocurrency
When is Pi Network's Expected Launch Date? Pioneer's Mainnet 'Lands in Q1 2025' Blockchain

Passwordless Authentication

Why Trust Techopedia

What Does Passwordless Authentication Mean?

Passwordless is an authentication scheme that uses possession factors (something the user has) and inherence factors (something the user is) instead of knowledge factors (something the user knows) to verify someone’s identity. Popular possession factors include smart phones and security tokens. Popular inherence factors include physical and behavioral biometric data from fingerprints and keystroke patterns.

The goal of passwordless authentication is to reduce the cyber risks associated with password use. This is important because the majority of security breaches today involve some type of credential theft. The danger is that once an attacker has stolen someone’s password by using social engineering or brute force strategies, they can move laterally through the target and look for ways to escalate access privileges.

Besides password manager solutions, tier-1 vendors such as Apple, Google, and Microsoft have all announced plans to support FIDO2 passwordless authentication.

Techopedia Explains Passwordless Authentication

Passwords have always been the weakest security link because weak passwords can be easy to guess, and strong passwords can be difficult to recall.

Benefits

A passwordless approach to authentication makes it more difficult — and expensive — for attackers to steal identities, breach networks, and carry out advanced persistent threats (APTs). It significantly reduces the chance of a password-based attack being successful by preventing credentials from being stolen through malware, phishing, or business email compromise (BEC) attacks.

How Passwordless Authentication Works

In the enterprise, passwordless authentication is sometimes deployed in conjunction with single sign-on (SSO) so employees can use the same proximity badges, security tokens, and authentication apps to access all their enterprise applications and services.

Approaches to passwordless authentication include:

Magic Links
Instead of a password, the user is asked to enter their email address or mobile phone number, after which they are sent an email or SMS message that contains a “magic” link. Magic links are time-sensitive URLs that, when clicked on, verify the user’s identity and grant access.

One-time Passcodes
During the authentication process, the user is sent a time-sensitive numerical code to use instead of a password. Sometimes the code will have to be copied and pasted manually, and sometimes the code will be hyperlinked and function like a magic link.

Authenticator Apps
When the end user wants to log into a computing resource registered with an authenticator app, they start by entering their username as usual. This action prompts the user to open the authentication app and receive a one-time passcode or magic link.

Security Tokens
A security token is a small physical device that the user has to connect to their computing device’s USB Type-C port. Once plugged in, the token will generate a one-time passcode for the end user to enter in place of a password.

Passkeys
When the user initially signs into a website or app that supports cryptographic passkeys, their computing device will generate a public and private key. The public key is sent to the website or app’s server, and the private key is stored on the device in a secure area of the operating system. The next time the user logs in, the server will send the device a decryption challenge that requires the private key to solve. Passkeys may or may not be supported by two-factor authentication (2FA).

Adoption Challenges

Although passwordless authentication is generally considered to be a more secure type of authentication mechanism than passwords, there can still be obstacles that are preventing its widespread adoption. They include:

  • Incompatibility with legacy applications
  • Too many implementation options that require additional capital expenditures (CAPEX)
  • Lack of end-user trust
  • Privacy concerns about device tracking
  • Concerns about quantum computing and the future of public key cryptography (PKC).

Related Terms

Tech Dictionary
SUGGESTED SEARCHES
Is Toronto the Next Silicon Valley? Borderless AI CEO Suggests ‘Yes’ Interview
How ChatGPT is Revolutionizing Smart Contract and Blockchain Cryptocurrency
When is Pi Network's Expected Launch Date? Pioneer's Mainnet 'Lands in Q1 2025' Blockchain
Margaret Rouse
Technology Expert
Margaret Rouse
Technology Expert

Margaret is an award-winning technical writer and teacher known for her ability to explain complex technical subjects to a non-technical business audience. Over the past twenty years, her IT definitions have been published by Que in an encyclopedia of technology terms and cited in articles by the New York Times, Time Magazine, USA Today, ZDNet, PC Magazine, and Discovery Magazine. She joined Techopedia in 2011. Margaret's idea of a fun day is helping IT and business professionals learn to speak each other’s highly specialized languages.

Related Features

The Digital ID Headache Caused by Fragmentation & AI
Cybersecurity

The Digital ID Headache Caused by Fragmentation & AI

 Nicole Willing 4 months
Why Zero Trust Needs MFA to Succeed: Expert Analysis
Identity & Access Governance

Why Zero Trust Needs MFA to Succeed: Expert Analysis

 Linda Rosencrance 7 months
How Secure Is My Password? Strength Checklist, Tips & Tricks
Identity & Access Governance

How Secure Is My Password? Strength Checklist, Tips & Tricks

 John Meah 10 months
Should 23andMe Be Blaming Its Users for DNA Heist Hack?
Cybersecurity

Should 23andMe Be Blaming Its Users for DNA Heist Hack?

 Ray Fernandez 1 year
5 ways Generative AI Can Redefine Identity Access Management
Artificial Intelligence

5 ways Generative AI Can Redefine Identity Access Management

 Franklin Okeke 1 year
Is 2024 the Year of the Government Digital ID Card?
Cybersecurity

Is 2024 the Year of the Government Digital ID Card?

 Neil C. Hughes 1 year
eIDAS 2.0 Controversies: A Real Threat to Internet Freedom?
Cybersecurity

eIDAS 2.0 Controversies: A Real Threat to Internet Freedom?

 Claudio Buttice 1 year
The Challenges and Rewards of Blockchain Identity Management
Blockchain

The Challenges and Rewards of Blockchain Identity Management

 Arthur Cole 2 years
Popular Categories
Show All
Artificial Intelligence icon
Artificial Intelligence
Business Software icon
Business Software
Cybersecurity icon
Cybersecurity
Cryptocurrency icon
Cryptocurrency
Data Management icon
Data Management
Gaming icon
Gaming
Network icon
Network
Personal Tech icon
Personal Tech
Advertisements